Crypto license in Estonia 2023
New Requirements for Virtual Currency Service Providers
The amendments to the Money Laundering and Terrorist Financing Prevention Act (hereinafter the Act) that entered into force on 15 March 202 significantly increased the capital adequacy requirement for providers of virtual currency services, introduced the obligation to conduct an audit of the annual report and internal audit, and made a number of other changes.
Virtual currency providers that already held a valid activity license were given a deadline until 15 June 2022 to align their operations with the new requirements. This article discusses the most important amendments.
New types of virtual currency services
To the two existing types of virtual currency services – virtual currency wallet services and virtual currency exchange services – two new types of virtual currency services have been added:
- virtual currency transfer service and
- organization of an offer or sale in connection with the emission of a virtual currency.
These two activities are not yet regulated by law. Thus, under the new Act, providers of virtual currency services who were not previously required to hold an activity license are now required to analyse and clarify whether their activities fall under the two added types of virtual currency services.
In virtual currency transfer service, the service provider concludes on behalf of the transaction’s initiator (user) a transaction through which the virtual currency is transferred to the virtual wallet or to the recipient’s account. This includes services that allow the user to make transactions between their wallets or accounts. Such a service is also considered to be the case when several service providers are involved in the provision of the service at the same time and the transaction is carried out by each service provider separately or jointly with several service providers.
In the case of a service related to the issuance of a virtual currency, the service provider acts for or on behalf of the issuer and arranges for a public or directed offer or sale or provides a related financial service. An example of this service is the organization of an ICO (initial coin offering) and the provision of related services, if this is carried out for or on behalf of the issuer of the virtual currency.
Increase in the requirement for the statutory capital of the Estonian company
Capital adequacy requirements will increase significantly in the interest of greater reliability of service providers and better protection of creditors. The unit capital or share capital of the virtual currency service provider that previously was EUR 12,000 must now be at least EUR 100,000 if a wallet service, exchange service or a virtual currency-related public or targeted offer or sale is provided.
Since the role of the service provider in the case of a virtual currency translation service is similar to that of an electronic money institution, the capital adequacy requirement for such a service is the same as the EUR 250,000 requirement for an electronic money institution. In this case, the contribution to the unit or share capital of the provider of the virtual currency service can only be monetary.
Requirements for the own funds of the virtual currency service provider are also added as an innovation. The virtual currency provider’s own funds shall at all times correspond to one of the following, whichever is greater:
- the amount of the unit capital or share capital established in the Money Laundering and Terrorist Financing Prevention Act, or
- the amount of own funds calculated according to the calculation method established in Part 3 or Part 6 of Article 72² of the Act.
The virtual currency service provider’s own funds consist of Tier 1 fixed assets as set out in Articles 26 to 30 of Regulation (EU) No 575/2013 of the European Parliament and of the Council of the EU, together with the deductions provided for in Article 36, and the deductions are not subject to the exemptions related to the threshold set out in Articles 46 and 48 of the Regulation.
Obligation to audit the annual report and internal audit
According to the changes in the law, the audit of the annual report of the virtual currency service provider’s will become mandatory, and it must be carried out by an audit firm, which is appointed for no more than 5 years.
The audit firm verifies, as at the reporting date, that the virtual currency service provider has fulfilled the requirements set for its own funds and provides an opinion to the virtual currency service provider and the Financial Intelligence Unit by the due date of the submission of the report for the economic year of the service provider.
In the future, providers of virtual currency services should develop and implement adequate internal controls that cover all levels of management and operations. To this end, the supervisory board of the service provider or, in the absence of a supervisory board, the management board of the service provider appoints an internal auditor to carry out the tasks of the internal control department, who will verify the compliance of the activities of the service provider, its managers and employees with legal acts, regulations of the Financial Intelligence Unit, decisions of the governing bodies, internal regulations, contracts concluded by the service provider and good tradition.
If the internal auditor becomes aware of information that indicates a violation of the law or harm to the interests of clients, he/she must immediately transmit such information to the heads of the virtual currency service provider and the Financial Intelligence Unit.
More information about the initiator of the transaction
Further, when identifying, the service provider must request at least his phone number and e-mail address as the customer’s contact information. When performing a virtual currency exchange and transfer operation, a requirement similar to the so-called travel rule requirement is applied to payment services. According to this requirement, the following data should be collected about the virtual currency transfer initiator:
- unique transaction identifier
- ID code of the payment account or virtual currency wallet
- personal identification code, name and number of the identity document or date of birth, place of birth and address of residence.
In addition, the service provider must ensure that the data is stored in a way that responds to requests from the Financial Intelligence Unit or law enforcement authorities. Data and documents related to the client must be kept for five years after the end of the business relationship.
Requirements for members of the management board
A member of the management board of a virtual currency service provider may not be a member of the management board of more than two virtual currency service providers at the same time. However, in certain cases, exceptions are possible – if the positions of a board member are in the same concern or commercial partnerships in which the virtual currency service provider has a significant participation. In justified cases, the Financial Intelligence Unit may exceptionally authorize one additional board member position.
It also adds the requirement that a board member must have had at least two years of higher education and professional experience. Areas that should be considered professional include banking and finance, economics, law, accounting, auditing, public administration, financial regulation, information technology, among others. Experience can be gained in both the private and the public sector, and may consist, for example, in supervision or training, ”notes the explanatory note to the bill amending the Money Laundering and Terrorist Financing Prevention Act and other laws.
The new version of the Prevention of Money Laundering and Terrorism Financing Act also supplements the grounds for refusing to issue a licence to operate. An important innovation is that the Financial Intelligence Unit may refuse to issue a licence to operate if sufficient supervision of the applicant is prevented by a substantial link between the entrepreneur and another person, or if it is found that the entrepreneur does not intend to operate in Estonia, that his activities are not related to Estonia or that the origin of his share or share capital is questionable.
Preparation for auditing a virtual currency service provider
Since 2023, all undertakings licensed to provide virtual currency services will be subject to mandatory audit of their financial statements and the adequacy of their own funds.
In order for the company’s management and accountants to successfully complete the audit, it is necessary to prepare the software and to establish the methods for storing and presenting the data in advance, so that the auditor can gather sufficient relevant evidence during the audit, which in turn will give him the opportunity to express an opinion on the financial statements.
There are four specific areas of virtual currency accounting where auditors may have more questions than usual:
- confirmation of balances and transactions in virtual currency;
- confirmation of liabilities in virtual currencies;
- accounting and periodization of sales revenue;
- accounting for revaluation of the cost of virtual currencies.
If virtual currencies are stored on a third-party platform, it is relatively easy to confirm their existence, since some platforms (Kraken, Binance) allow to confirm the balances at the end of the year, on other platforms one can view the asset balance retrospectively or reach them through extracts from the transaction history, viewing the current state and returning from there to the state as of December 31. However, the auditor will require the platform administrator to formally sign off on the balances or, if this is not possible, the auditor must be present at the entrance to the platform and verify for himself the existence and accuracy of the balances.
If virtual currencies are stored on the undertaking’s computer, the situation is more complicated. The auditor will request for a list of all wallets (public wallet addresses) where virtual currencies were stored as of December 31.
The wallet balance can be checked using various websites of the blockchain explorer (for example, ethscan.io, which can be used to check the balances and transactions of various ERC20 – Ethereum virtual currency platform – wallets), and the wallet belonging to the entrepreneur using test records or signing using a wallet. It is also possible that the wallet allegedly used by the client as of 31 December was empty because the assets were in a different wallet. The reason may be, for example, that the client sent the assets to another wallet on December 31, the transaction was completed and reflected in the public data on the blockchain, but not in the client’s own system as of that date. Also, errors made by people who made a list of wallets may be the cause, if this is not an automatic statement from the client’s system.
It is also important to verify the recording of inventory values in the books using the year-end market price and comparing the value recorded in the books with the market price. If an undertaking has its own trading platform, it is more likely that it will store its customers’ virtual currencies on its platform. In such a case, the undertaking accounts for this liability in euros in the same way as inventories, and it is necessary to check whether the monetary value of the liabilities was correctly calculated using the market price as at 31 December.
Reaffirmation of obligations
The standard approach to confirming obligation is to reconcile them with third parties. A random sample of customers and the largest customers is made, and the undertaking conducts a procedure with them to confirm the balance under the control of the auditor. Undertakings are also often the largest customers, and the likelihood of receiving confirmation of the balance from them is higher than from an individual whose counterobligation is relatively small. If the number of customers is very large and it can be difficult to obtain confirmations, then automation of this process should be provided during the development of the platform. Kraken, for example, checks wallet balances, asks users of the platform for confirmation when logging in, and the data is passed to the auditors.
In addition to the balance confirmations, the entrepreneur must also provide the auditor with an opportunity to check the undertaking’s internal control system with respect to the obligations in order to gain an understanding of how the obligations have been accounted for and how the undertaking itself is satisfied that its accounting is correct.
Accounting and periodization of sales revenue
If an entrepreneur uses a third-party platform for trading, he or she can rely on the transaction statement and compare it with what is reflected in the accounting. If an entrepreneur has an internally created platform on which he trades, then a database of all transactions is also necessary. The extract or database must contain all transaction details, including the transaction ID that can be used with the blockchain explorer, the technical details of the transactions (between which wallets and when virtual currencies were moved, what is the fee for the transaction in the network, etc.).
It is also important to self-check the conversion of sales revenue from virtual currency to money before submitting data to the auditor. Transaction fees are usually charged on the currency used in the transaction, and if the transaction used virtual currency, the resulting income must be converted into money. Whether the sales revenue is converted to cash at the time of the transaction or once a day/week/month can significantly change the reported sales revenue, and when the revenue is converted to cash, it may not be immediately clear from the company’s data. Virtual currency market prices can fluctuate significantly even during the week or day, and with large transaction volumes, small differences with market prices can lead to significant differences.
Data downloading and processing may also be difficult to check for sales revenue due to the volume of transactions. If the company is small and trades virtual currency for itself, or if the number of customers is limited, then manual verification of transactions using programs such as Excel is still possible. If the undertaking has thousands of customers and hundreds of thousands or even millions of transactions per year, it becomes more difficult to verify them, this amount is no longer covered by Excel, and the auditor can use other programs designed for large-scale databases. On the other hand, the entrepreneur must ensure that the data is accessible and transferable, which would allow the auditor to analyse and control the entire volume of transactions.
Accounting for the revaluation of the value of virtual currencies
Income or expenditure may result from changes in the market price of the virtual currency during the year, and this change in the market price affects the carrying amount of inventories. It may be that in accounting of the undertaking it is recorded by one record on December 31 as the sum of the income or expenditure, and more detailed information on that consists of this sum, isn’t present.
The auditor asks the accountants how this was calculated and will want to verify this calculation, including what market prices and exchange rates were used and whether they were used correctly. However, it is not always possible to explain the process of calculating these indicators and prove their correctness if the platforms or accounting did not have the appropriate settings.
All providers of virtual currency services are obliged to ensure that their own funds do not fall below the criteria set out in article 72² of the Money Laundering and Terrorist Financing Prevention Act and in the activity licence. The auditors shall verify and confirm the accounting of the virtual currency service providers’ own funds with the Financial Intelligence Unit (Rahapesu Andmebüroo, hereinafter referred to as FIU) once a year on the due date of the annual report, i.e. 6 months after the end of the reporting year. The first own funds’ report shall be submitted depending on when the license of the virtual currency service provider was obtained.
Persons who had a valid license to operate before 15 March 2022 must submit the audited calculation of their own funds on the basis of the balance sheet drawn up at the end of the last reporting period no later than 1 January 2023. Management should take into account that it is practically impossible to conduct an audit for one day, and agree to conduct an audit on the balance sheet day of the last reporting period or another earlier balance sheet day.
In the case of licenses for activities that were issued after the changes in the law, it should be assumed that the audit firm should verify the fulfillment of the requirements established for the own funds of the virtual currency service provider as of the balance sheet date (should be between 15 March 2022 – 1 January 2023), and submit the corresponding conclusion by the deadline for submission of the report for the business year of the virtual currency service provider to the virtual currency service provider itself and to the FIU.
To verify the own funds of the virtual currency service providers, the auditor must verify the correctness of the volume of transactions, assets and liabilities, as well as when auditing or inspecting the annual report, as well as the correctness of the calculation of own funds, based on the instructions published by the FIU and the Ministry of Finance.
Based on the instruction of the FIU, assets in virtual currency in the calculation of own funds are considered intangible assets subject to deduction. Own funds also do not include virtual currencies and fiat money owned by customers or other intangible property (for example, the cost of developing platforms for trading virtual assets or providing wallet services). The procedures for controlling own funds in terms of virtual currencies can be simplified or, under certain conditions, not applied, if they do not affect the correctness of the calculation of own funds.