As of 30 December 2024, the Money Laundering Information Office will cease accepting and issuing new licences for activities related to virtual currencies. This authority will be transferred to the Estonian Financial Supervision and Resolution Authority, which will start issuing licences in Estonia. which will start issuing licences under the cryptoasset regulation under Regulation (EU) 2023/1114 (MiCA). The transition will be completed by 1 July 2026, after which the licences issued by Rahapesu Andmebüroo will become null and void. Service providers holding a valid licence issued before 30 December 2024 will retain the right to continue operating on the basis of that licence until the end of the transition period or until a new licence is granted in accordance with the established procedure. Until that date, such persons will continue to be supervised by the Bureau. Applicants must apply to the Financial Conduct Authority to obtain a MiCA compliant licence. Applications submitted to the Financial Conduct Authority before 30 December 2024 but not approved before that date will not be considered. All supporting documentation will be returned to applicants. At the same time, the Bureau will continue to accept applications only for amendments to the conditions of already issued licences until the end of the transition period on 1 July 2026. This transformation of institutional supervision is due to the transition from narrowly focused compliance control to a comprehensive financial regulation enshrined at the level of the European Union. The new legal model provides for enhanced supervision, comprehensive requirements for internal procedures, governance structure and capital adequacy.
However, virtual currency service providers remain subject to obligations to prevent money-laundering and terrorist financing. They are also subject to international sanctions legislation, which obliges them to report to the Republic of Estonia Financial Intelligence Unit within the scope of their competence. As of 5 December 2024, crypto companies in Estonia had 43 valid licences issued by the Bureau in accordance with the provisions of the Money Laundering and Terrorist Financing Prevention Act (MLPA), valid until 30 December 2024.
The term virtual currency related service refers to:
- Virtual currency wallet service – activities related to the creation and storage of encrypted keys on behalf of a customer necessary for the storage, possession and transfer of virtual currency.
- Virtual currency exchange service – an operation involving the exchange of fiat currency for virtual currency or between different types of virtual assets.
- Virtual currency transfer service – an activity in which a provider mediates the transfer of virtual currency between two parties, without providing storage or exchange services, by transferring ownership or control of an asset.
- Initial Coin Offering (ICO) – the issuance and offering of digital assets using blockchain technology, where tokens are offered in exchange for fiat funds or other crypto-assets, with the possibility of subsequent placement on the secondary market. Such offerings may fall under investment services regulation and, in individual cases, require separate authorisation from the Financial Services Authority.
The move to a single regulatory regime under MiCA is intended to ensure a uniform level of supervision, enhance the protection of cryptocurrency market participants and eliminate fragmented approaches at the national level. The licence to operate virtual currency services is personalised and cannot be transferred to third parties, which is expressly provided for in § 70(4) of the Financial Services Act. This means that the licence is tied exclusively to the entity in whose name it is issued and its alienation, assignment or transfer – regardless of the form – is not allowed. As of 30 December 2024, the AML Information Bureau has stopped issuing new licences in this category. The supervision and licensing of cryptoassets will henceforth be carried out by the Financial Conduct Authority as part of the gradual implementation of the provisions of Regulation (EU) 2023/1114 (MiCA). As part of the transitional period, the Office only retains the power to amend licences already issued until 1 July 2026. After this date, all licences issued under the old procedure will become null and void.
An application to amend the terms and conditions of an existing licence can only be made subject to compliance with legal requirements, including submission of the documentation package required by the Prevention of Money Laundering Act (RahaPTS) and the International Sanctions Act (MSÜS). These documents must adequately prove the compliance of the company with the established requirements for virtual currency service providers. All applications are dealt with in administrative proceedings, the procedure for which is set out in the Financial Intelligence Unit Act. The language of administrative proceedings shall be recognised exclusively as Estonian. Therefore, all documents submitted in a foreign language must be accompanied by a certified translation into Estonian, which is valid for the purposes of official proceedings. Failure to provide a translation or submission of an incomplete set of documents may be grounds for refusal of the application or suspension of the procedure.
Documents required to apply for a MiCA licence in Estonia
- Address of the place where the service is provided, including the website address;
- The name and contact details of the person responsible for the provision of the service for all service locations specified in paragraph 1;
- If the legal person is not registered in the Estonian Commercial Register, the name, registration or personal code of the owner of the legal person or, if missing, the date of birth, place of residence or birth and address of residence, the name, personal code of its beneficiary or, if missing, the date of birth, place of birth and address of residence;
- Name, personal identification code, date of birth, place of birth and address of residence of a member of the governing body and an attorney of the service provider who is a legal person, if there is no such a person, if the service provider is not an entrepreneur registered in the Estonian Commercial Register;
- The rules of procedure and internal control rules developed pursuant to Articles 14 and 15 of the Financial Supervision Act and, in the case of persons with special obligations listed in Article 20 of the International Sanctions Act, the rules of procedure developed pursuant to Article 23 of the International Sanctions Act and the procedure for verifying compliance therewith;
- The name, personal identification number, date of birth, place of birth, nationality, residential address, title and contact details of the contact person designated under section 17 of the Financial Transactions Act;
- In accordance with subsection 20(3) of the International Sanctions Act, the name, personal identification number and, if not available, date of birth, place of birth, nationality, residential address, title and contact details of the person responsible for implementing the international financial sanction imposed on the undertaking;
- If the entrepreneur, a member of his management body, the prosecutor, the beneficial owner or the owner is a foreign national, a service provider established in a foreign country, or if the entrepreneur is a foreign service provider – a certificate of criminal record of the country of origin or an equivalent document issued by the competent judicial or administrative authority certifying the absence of punishment for an offence against public authority or for money laundering or other crime
- If the entrepreneur, member of his management body, prosecutor, beneficial owner or natural person-owner is a citizen of a foreign country, copies of identity documents for all countries of citizenship and documents certifying the absence of the penalty referred to in paragraph 8;
- Documents concerning the member of the management body and the trustee of the company, including the level of education, a complete list of the positions held and, in the case of a member of the management body, the scope of responsibility, as well as documents that the applicant considers necessary to submit to confirm the trustworthiness of the member of the management body or the trustee and the applicant’s impeccable business reputation. Note! Documents confirming education (diploma) must be submitted together with the application for amendments to the activity licence;
- A list of accounts opened in the name of the entrepreneur, indicating the unique identifier of each account and the name of the account holder.
All accounts opened in the name of the entrepreneur must be submitted together with the application for amendments to the licence to operate in the register of economic operators, to which must be attached a certificate from a credit institution, electronic money institution or payment institution confirming the existence of the account; - Information on what virtual currency-related service will be provided (Article 70(4) of the Money Market Law). The document describing the service must contain a detailed description of the content of the planned service;
- The amount of assets and authorised capital (EUR 250,000 or EUR 100,000 depending on the service to be provided) and documents proving its payment (Article 70(3)(2)(1) of the Financial Services Act.
- The applicant’s opening balance sheet and an overview of income, expenditure, profit and cash flow and the assumptions underlying them, or in the case of an operating company, the balance sheet and profit and loss account as at the end of the month preceding the application for an operating licence and, if available, the accounts for the last three financial years, unless they have been submitted and made available in databases maintained by the state (Section 70(3) and (2) of the Financial Services Act).
- A business plan that complies with the requirements of Section 70 of the Financial Services Act. There are no additional requirements for the formal structure of the business plan, but it must reflect all the circumstances specified in Section 70 of the Financial Services Act (Section 70(3) of the Financial Services Act).
- Documentation for risk appetite and risk assessment prepared in accordance with section 13 of the Financial Markets Act. The risk appetite and risk assessment must be consistent with the company’s planned business activities (section 70(3) and (4) of the Financial Markets Act).
- Data on information technology systems and other technological tools and systems required to provide the planned services, including a description of the security measures used to ensure continuity of service and protection of client assets, a description of the business continuity measures and the level of technical organisation of the business. Such documents include, for example, service contracts between the applicant and the service provider, confirmation from the service provider that the service has been provided, an additional explanatory document submitted by the applicant, or other document (§ 70 (3) and (5) of the Financial Services Act).
- Information technology systems and other technological means used in the provision of scheduled services, by means of which the service provider ensures the transmission of the data referred to in subparagraphs 2.4 and 2.5 of the Financial Transactions Act, the identification of the customer and its beneficial owners, the assignment of a risk level to the customer, and the identification and monitoring of business transactions and customers in a manner that enables the fulfilment of the obligations under this Act and the special obligations under the Financial Transactions Act (Article 70 (3) (2) (6) of the Financial Transactions Act). The same is meant here by those information technological means that enable the fulfilment of the obligation of “rules of travel” in the company (Article 70 (3) (2) (6) of the Financial Transactions Act). Data must be provided on all information technology tools that an applicant for an operating licence or a company applying for a variation of an operating licence uses to comply with the obligations set out in both the Financial Transactions Act and the International Sanctions Act.
- The number of shares or units and votes acquired or held by each shareholder, partner or member (Section 70(3) and (7) of the Financial Markets Act).
- The data of the applicant’s audit firm and the data of the internal auditor, which include the name, residence or domicile, personal identification code or, in the absence thereof, date and place of birth or registration code (Section 70(3) and (8) of the Financial Supervision Act). The data must be submitted separately for both the audit firm and the internal auditor. The requirements for the audit control and internal auditor are set out in more detail in §§ 72 and 72 of the Financial Supervision Act. The external auditor and the person conducting the internal audit cannot be the same person/service provider.
- Information on persons with a significant shareholding in the applicant, which includes name, personal identification number and, in the absence thereof, date of birth, place of birth, nationality, residential address, position and contact details (§ 70 (3) and (9) of the Financial Transactions Act).
- Data on companies in which a member of the applicant’s management body or a person with a significant interest in the applicant holds more than 20 per cent, which data shall include the name, location, registration code of each company and the number of shares or parts and votes held by a member of the applicant’s management body or a person with a significant interest in the applicant (§ 70 (3) and (10) of the Financial Markets Act).
- If an applicant for a licence for activities related to virtual currency wishes to use the licence also for the activities of a subsidiary company, in addition to what is provided for in the Act on the General Part of the Code of Economic Activities, the applicant shall submit in the application for a licence for activities all the information specified in § 70 (3) of the Financial Services Act and, if necessary, also in § 70 (3.2) (and)4 of the Financial Services Act regarding the financial service or service related to virtual currency.
MiCA regulations in Estonia
The Money Laundering Information Bureau shall proceed with the assessment of the applicant’s compliance with the legal requirements only after receiving a complete and correctly executed set of documents stipulated in § 70 of the Prevention of of Laundering of Proceeds of Crime Act. Preliminary verification shall be initiated only after all information and supporting documents have been submitted properly and in accordance with the established norms. If a licence is requested for use within the activities of a subsidiary, the subsidiary must comply with the same requirements as the main applicant. This means that the subsidiary must undergo identical checks on all aspects covered by the regulatory assessment, including goodwill, transparency of ownership structure, internal control systems and compliance with anti-money laundering and sanctions obligations.
Section 72(1)(1) of the Prevention of Money Laundering Act establishes a clear legal requirement: neither the company, nor members of its management body, nor trustees, nor beneficial owners, nor beneficial owners or beneficial owners may have a valid conviction for the following categories of offences:
- offences against public authority;
- money laundering offences;
- other offences committed intentionally
This condition serves as a barrier to the participation in regulated activities of persons with undermined legal reputation and is aimed at ensuring a high degree of confidence in financial market participants. When assessing the compliance of a registered entity with these criteria, current certificates of criminal record issued by the competent authorities of the countries of citizenship or registration of the above persons are subject to mandatory submission. In accordance with Article 72 (1) of the Financial Markets Law, every person associated with the applicant legal entity – whether it is the company itself, a member of its board, a trustee, a beneficial owner or the actual owner – must have an impeccable business reputation. This is a prerequisite for obtaining a licence to operate in the regulated financial sector, including the provision of services related to crypto assets.
The decision on the presence or absence of good business reputation is made by the licensing authority, taking into account the previous activities of the person and the surrounding circumstances. The Act establishes a presumption of impeccable goodwill until grounds for reasonable doubt are identified. Pursuant to § 72(2) of the Money Laundering Prevention Act, a person is deemed to lack goodwill if the Money Laundering Information Office identifies facts directly indicating the lack of goodwill. Such circumstances include, but are not limited to:
- Engaging in acts or omissions that led to the bankruptcy or revocation of the licence of a company under financial supervision;
- Committing a criminal offence of the first degree;
- The imposition of a business or professional ban by a court of law, including for violation of a previously imposed ban;
- Failure to ensure that the business is organised in such a way that the interests of clients and investors are adequately protected;
- Submission of false information or concealment of relevant information in co-operation with supervisory authorities;
- Prosecution for economic, professional or property offences, as well as for terrorism financing, provided that the criminal record is not expunged or there are no international sanctions.
It should be emphasised that the list of grounds set out in § 72(2) is not exhaustive. That is, other circumstances not expressly listed in the law but which create reasonable doubts as to the integrity, legal reliability and professional suitability of the person concerned may also be taken into account when assessing goodwill. Thus, the applicant must ensure that all persons with significant influence on the company’s business meet the criterion of business impeccability, including compliance with legal requirements, absence of regulatory and criminal offences, and experience to ensure responsible management of the company in the interests of clients and regulatory stability. Pursuant to Section 72 (1) (4) of the Money Market Act, in order to obtain a licence to provide virtual currency services, a legal person must ensure an actual presence in Estonia. This requirement can be fulfilled in one of two ways:
- The company’s registered office and place of business must be located in Estonia;
- In the case of a foreign applicant, the activities in Estonia must be carried out through a branch registered in the Estonian Commercial Register, and the actual place of business of the branch must also be in Estonia.
The place of business means the actual, permanent and continuous place of performance of economic or other activities that complies with Section 29 (2) of the General Part of the Civil Code Act. If the declared address does not provide conditions for the provision of cryptocurrency-related services or does not comply with the requirements laid down in the Money Market Act, it cannot be recognised as a valid place of business.
As an enhanced requirement set out in § 72⁵(7) of the Money Laundering Prevention Act, a company is obliged to:
- ensure that crypto services can be provided directly at the place of business;
- guarantee physical access by representatives of the FIU or other supervisory authorities to the documents collected and stored at the place of business at any time.
This means that the place of business should not be nominal, but functional – ensuring not only that employees and equipment are available, but also that AML/CTF requirements and other duties set out in the licence can be fulfilled at all times.
When reviewing an application, the FIU (Financial Intelligence Unit) assesses whether the place of business realistically fulfils its stated function. For example, the fictitious concentration of multiple cryptocurrency companies at a single address, as well as the provision of services in premises with objectively insufficient space (e.g. a 10m² office for two or more companies) are not permitted. Each application is subject to an individual assessment, taking into account the specifics of the services provided, staffing, management structure and level of technical equipment. Thus, ensuring an appropriate place of business is not only a formal but also an actual condition for obtaining a MiCA licence, which is verified by the supervisory authorities both at the time of application and during subsequent supervision.
In order to obtain a licence to provide virtual currency services in Estonia, a member of the management board of a company must meet a number of statutory requirements aimed at ensuring sustainable and controlled management of the regulated entity. First of all, pursuant to Section 72(1)(4) of the Exchange Control Act, the seat of the management board of the virtual currency service provider must be located in Estonia. If the applicant is a foreign company, it must operate through a branch registered in the Estonian Commercial Register, and the seat of the management board of this branch must also be located within the jurisdiction.
Higher requirements for a candidate for the position of a member of the Management Board are set out in Section 72⁵(1) of the Financial Supervision Act. The candidate must have completed higher education and at least two years of professional experience in one or more fields relevant to the company’s business. The law does not require specialisation in a specific field, but the degree of education must comply with the generally accepted classification (bachelor’s degree, applied higher education, master’s degree or doctorate). Secondary specialised or vocational education is not considered higher education in this context. Professional experience may be in finance, banking, law, accounting, public administration, financial regulation, information technology or academia. Both private and public sector experience is acceptable.
The legislation also sets quantitative restrictions: one person may not be on the board of more than two virtual currency service providers at the same time. An exception is provided if the positions are held by the same group of companies or if the provider owns a significant stake in another company – such positions are considered to be one. This clarification is provided for in Article 72⁵(3) of the Financial Services Act. In individual cases, the Financial Services Authority may authorise a board member to take up an additional, third position if a justified application with a digital signature is submitted. When considering such an application, both the scope of duties and the person’s ability to ensure the quality of management functions in each of the structures are assessed.
Thus, when forming the composition of the management board of a company intending to obtain a MiCA licence in Estonia, it is important to consider not only the educational and experience requirements, but also the limitations regarding the number of management positions and the need to ensure the actual presence of the management board in the country. The contact person appointed by the virtual currency service provider under Section 17 of the Financial Supervision Act must fulfil a number of qualification and legal criteria to ensure that he or she is suitable for fulfilment of the duties within the framework of the interaction with the Financial Intelligence Unit (FIU). This person plays a key role in ensuring proper compliance with AML/CFT regulations and in the implementation of sanctions compliance.
The appointee must possess the necessary education, professional suitability, experience, skills and personal qualities. The candidate must have an impeccable reputation as evidenced through a compliance review. An important structural requirement is that the contact person may only fulfil the relevant functions in one company and only with a direct employment contract. Temporary staff or an outsourcing model where the employee is employed by another organisation should not be used. The contact person’s employment must be recorded in the national employment register. This excludes situations where the company is unable to terminate the employment relationship with the contact person on its own in the event of non-compliance with the requirements, including if there are reasons to doubt the contact person’s reputation.
In addition, if the same person is a board member of two virtual currency service providers, he or she may only be a contact person for one of them. This requirement precludes a contact person from serving as a contact person for more than one entity, even if he or she is a board member of both. When assessing suitability, FIU considers the existence of an employment contract and actual employment in Estonia, including supporting records. Particular attention is paid to the level of education: higher education in law, economics or finance is preferred, while relevant professional experience is also assessed. A complete lack of experience does not preclude appointment, but requires a compensating factor – e.g. specialised training and a proven level of knowledge beyond the basic AML/CTF requirements.
The contact person must demonstrate stress tolerance, ability to analyse and make decisions, knowledge of the legal and regulatory framework (including RahaPTS, RSanS), and familiarity with the company’s structure and internal procedures. Of particular importance is the ability to communicate effectively with regulators. Personal characteristics – honesty, accuracy, reliability, integrity and co-operation – are considered an integral part of the assessment. Thus, the contact person must not only be a formalised employee of the company, but also possess the necessary level of qualifications, reputation and willingness to fulfil a complex and responsible function within the Estonian model of supervision of cryptocurrency service providers.
A company applying for a licence to carry out activities related to virtual currency must have an open payment account that complies with the legal requirements. Pursuant to Section 72 (1) (5) of the Financial Supervision Act, such an account must be opened in a credit organisation, electronic money institution or payment institution registered in Estonia or in another member state of the European Economic Area. At the same time, the organisation where the account is opened must have the right to provide cross-border payment services in Estonia or have a branch in Estonia.
When applying for a licence, information about the payment account must be submitted as part of the documentation submitted to the Register of Economic Activities. The application shall be accompanied by a confirmation issued by the relevant financial institution certifying that the account has been opened. If the applicant already has a valid licence and is applying, for example, for amendments to the terms and conditions of the licence, a list of payment accounts must also be submitted. It is important for the payer to check in advance whether the selected institution holds a licence allowing the provision of services in Estonia and meets the criteria set by the supervisory authorities. Such information can be checked on the official website of the Estonian Financial Supervision Authority. Using an unsuitable payment institution or providing incomplete account information may result in suspension of the application or refusal to issue a licence.
Pursuant to Section 72¹ of the Financial Markets Act, a service provider operating with virtual currencies is obliged to ensure the minimum amount of share capital required to obtain a licence to carry out regulated activities in Estonia. The specific amount of capital depends on the nature of the services provided. If a company provides virtual asset storage services (wallet services), exchanges between virtual currencies or between virtual and fiat currencies, or issues virtual currencies, the minimum amount of its authorised capital must be at least EUR 100,000. If the company plans to provide virtual currency transfer services, including customer-to-customer transactions, the minimum capital is increased to €250,000.
When registering a new legal entity for the purpose of obtaining a MiCA licence, the contribution to the share capital can only be made in cash. This condition is aimed at confirming the solvency of the company at the initial stage. Subsequently, when changes are made to the licence (e.g. expansion of the range of services), the capital contribution may be made in non-monetary form, but the applicant must document that the statutory amount of the share capital has been fully complied with. When assessing capital adequacy, the supervisory authority (FIU) may require relevant accounting documents, statements of accounts, proof of payment and certificates certifying the sources of funds. Failure to meet the minimum capitalisation requirements may be grounds for refusing to issue or renew a licence, or for applying restrictions to existing activities.
According to Article 72² of the Money Market Law, a service provider operating with virtual currencies is required to ensure that it has and maintains a sufficient level of its own funds to comply with licensing and supervisory requirements. These funds play a key role in assessing the financial strength of the company and serve as a mechanism to protect the interests of customers and market stability. Own funds may not be lower than the minimum amount stipulated by law for the relevant type of activity. In particular, a virtual currency service provider must maintain own funds at least at the level of authorised capital – €100,000 in the case of providing wallet services, exchanging or issuing virtual currencies, and €250,000 in the case of making virtual currency transfers on behalf of customers. This amount is considered to be the absolute minimum threshold.
However, in certain cases, an alternative calculation is used: the amount of own funds may also be determined according to a methodology based on overheads or transaction volume. In this case, the legislation requires that the highest value of the three possible values – fixed amount, overhead or transaction volume calculation – be used. Thus, the minimum amount of own funds must not be lower than the highest of these amounts. The structure of own funds must comply with the requirements of European banking legislation and include the components stipulated in Regulation (EU) No 575/2013, namely Common Equity Tier 1 (CET1). This means that only those assets that have the maximum capacity to cover potential losses and are not subject to withdrawal are included in equity, which guarantees sufficient liquidity and stability of the company.
For licensing purposes, information on own funds is subject to mandatory disclosure in the register of business activities (MTR) with attachment of documents confirming their existence and structure. The supplier is obliged to ensure continuous compliance with the requirements, including through regular internal monitoring of the level of own funds. Failure to comply with this condition may result in denial or revocation of licence, as well as other measures by the supervisory authority. Pursuant to Section 72³ of the Financial Services Act, all virtual currency service providers are required to have their annual financial statements audited. This requirement is aimed at ensuring the reliability of financial data for both supervisory purposes and for publication in public registers. The audit also includes a separate assessment of the company’s compliance with the statutory own funds requirements. Such an opinion must be provided annually both to the service provider itself and to the supervisory authority.
The statutory audit provisions apply to accounting periods from 10 March 2022 onwards. Accordingly, they do not apply retrospectively to financial periods before that date, including reports for 2021. If a company fails to indicate in its licence or in its accounts details of the auditing firm engaged, the Financial Supervision Authority may oblige the company to appoint an auditor. Only those persons may be engaged who fulfil the requirements set out in the Auditing Act, in particular Part 7, Sub-paragraph 2, Paragraph 2 of the said Act. The criteria for assessing the audit firm may be based on the provisions of Article 39, Part 3 of the same law, including professional experience, independence, resources and impeccable business reputation.
The obligation to audit the financial statements arises if the company exceeds the thresholds set out in Section 91 of the Audit Act in terms of revenue, assets or number of employees. Regardless of these thresholds, however, all service providers operating in the cryptocurrency sector are subject to a mandatory audit, at least in the form of a limited audit or confirmatory procedure. At the same time, the business may choose, on its own initiative, to opt for a more stringent form of verification in the form of a full audit. The verification of the adequacy of own funds is treated as a separate statutory engagement that is not formally part of the standard financial audit, although for reasons of efficiency both procedures may be assigned to the same audit firm. This enhances the integrity of the assessment and simplifies communication with the regulator.
Failure to appoint an auditor, despite formal instructions from the Financial Supervisory Authority, may be regarded as a material breach of licence conditions. In such a case, the supervisory authority has the right to initiate the revocation of the company’s licence. Thus, compliance with audit requirements is not a formality, but a key element of the prudential control system and reliability of cryptocurrency service providers in Estonia. Pursuant to § 72⁴ of the Money Market Act, every company providing services related to virtual currency is obliged to ensure the existence of an internal control function, including the appointment of an internal auditor. This requirement applies to all companies operating under a licence and is an integral element of the corporate governance and risk management system.
The internal control function covers control procedures, oversight of operational and management processes, and includes internal audit. The main purpose of the internal auditor is to independently monitor key processes and systems and to prepare opinions and recommendations aimed at improving the efficiency and reliability of the company’s operations. Internal audit should provide an objective assessment of internal control systems and provide internal assurance to help improve the sustainability of the business. At the same time, the internal auditor should not be involved in the design and implementation of the processes or rules that he or she will subsequently evaluate. This requirement is intended to eliminate conflicts of interest and minimise the risk of self-control. For example, a person who develops an internal risk management procedure cannot then act as an evaluator of its effectiveness.
Although the law does not oblige a company to employ an internal auditor on a permanent basis (external engagement under a service contract is possible), such a professional must act independently of other management and control functions. It is important to emphasise that the internal auditor and the external auditor cannot be the same person or organisation, as this would create a clear conflict of interest incompatible with the objectives of both functions. Having an independent internal audit function allows for the timely detection of irregularities, deviations from established rules and risks of non-compliance with legislation. It also demonstrates to supervisory authorities that the company has a mature internal management and control structure, which is particularly important in the context of MiCA Regulation and increased attention to the financial stability of cryptoasset market participants.
Under the provisions of the legislation governing virtual currency service providers, there is a certain deadline for processing licence applications as well as applications for licence amendments. The Anti-Money Laundering Bureau, which acts as the supervisory authority, considers applications for a licence to operate within 60 calendar days. At the same time, the period of time does not start from the moment of submission of the application, but from the date on which the applicant has submitted to the MLB the entire set of required data and documents drawn up in accordance with § 70 of the Financial Services Act. Only from that moment the application is considered to be duly filed and may be accepted for processing. In exceptional cases, MLB has the right to extend the review period up to 120 days, if the nature of the circumstances under review requires additional time to assess the subject of supervision. If the review reveals deficiencies or inconsistencies in the materials submitted, MLB may return the application to the applicant for revision at . In this case, the review period is suspended while the deficiencies are corrected, but not more than 30 calendar days at a time. The possibility of multiple 30-day extensions is not excluded, but each suspension must be justified and recorded separately. If the applicant fails to provide all required information, or if the information provided is incorrect, incomplete or misleading, the Financial Services Authority reserves the right to refuse to process the application. In such a case, it shall not be assessed on its merits and shall be returned without starting the administrative procedure. Thus, for efficient and timely processing of the application, the applicant should ensure in advance that all documentation is complete and accurate, and be prepared to promptly address possible comments from the regulator.
MiCA licence changes in Estonia
Under the MiCA legal regime in Estonia, there are clear rules for cryptoasset service providers regarding both the procedure for amending a licence and the grounds for its cancellation. If changes occur in a company that affect the circumstances that were the basis for obtaining a licence, the organisation must notify the Financial Intelligence Unit (FIU) at least 30 days before the proposed changes. In cases where the change is outside the company’s will, and where other information previously declared on the licence is affected, the relevant notice must be given within 5 working days of the occurrence of the event. Failure to comply with these deadlines may be considered a breach of licence conditions.
As for the cancellation of a licence, the law provides for a broad list of grounds on which a licence may be invalidated or revoked by a decision of the Financial Supervision Authority. In particular, a licence is subject to revocation if, when submitting the application, the company knowingly provided false information on which a positive decision depended, or if the entrepreneur has ceased business activities – including failure to comply with the obligation to submit an annual report or regular notification of changes to the licence conditions. A similar consequence occurs if an injunction has been imposed on the business or it has been licensed by another regulatory authority. In addition, a licence may be revoked in cases of systematic non-compliance with FIU regulations, failure to commence operations within six months of obtaining a licence, or complete inactivity for two years. Substantial violations of licence conditions, activities that threaten public order, failure to meet the criteria established at the time of issuing the permit, as well as misleading the supervisory authorities or violating sanctions legislation also entail revocation.
Particular attention is paid to the reputation and legal integrity of persons associated with the company. If a board member, beneficiary, prosecutor or owner of the company has been prosecuted for economic, property or professional offences, or for actions related to money laundering or terrorist financing, and this data has not been removed from the criminal record, the licence may also be revoked. The same applies to violations of international sanctions. Thus, the legal regime in Estonia sets not only high entry requirements for obtaining a MiCA licence, but also implies strict ongoing compliance with regulatory conditions, under the threat of licence revocation in case of non-compliance. Within the framework of the Estonian MiCA regulation, additional restrictions and grounds for refusal to issue or amend a licence are established for service providers related to virtual currency, aimed at ensuring the sustainability of the cryptocurrency market, proper supervision and risk minimisation.
First of all, according to § 72⁶ of the Money Market Act, a virtual currency service provider is not entitled to submit a notice of temporary suspension of economic activities. This means that it is not possible to suspend activities without revoking the licence – in case of actual cessation of operations, the licence is subject to revocation in accordance with the established procedure. In addition, Section 72 (3) of the Financial Supervision Act establishes a two-year prohibition on submitting a new licence application if the applicant, a member of its board or a person with a substantial share in the company has previously been refused a licence or the licence has been revoked. This restriction also applies to applications to amend a previously granted licence. Exceptions apply only in cases where the revocation of a licence was caused by voluntary cessation of operations, non-start of operations, transfer under the supervision of another authority or corporate reorganisation.
The grounds for refusal to issue or amend a licence are separately regulated. According to § 72(1¹) of the Financial Supervision Act, refusal is mandatory in cases where the company does not fulfil the basic requirements for the applicant. Additional grounds give the FIU the right to take a discretionary decision:
- Significant connection with other persons that prevents proper supervision, especially if such connection is mediated through jurisdictions where the necessary level of co-operation cannot be ensured.
- Lack of real economic connection with Estonia, despite having a legal address and the seat of the management board in the country. The regulator assesses not only formal criteria, but also actual presence and economic activity.
- Insufficient internal procedures and policies. Internal rules should be adapted to the real specifics and risks of the applicant, rather than being a compilation of general legal provisions.
- Inadequate IT infrastructure. Technology resources should ensure full compliance with AML/CFT requirements, be appropriate for the scale and complexity of operations, and be capable of maintaining control over client transactions.
- Doubts about the legitimacy of the origin of capital. If necessary, FIU has the right to request additional evidence to confirm the transparency and legality of the sources of funding.
- Previous revocation of a licence, either by the company itself or by a related person, if the revocation was for specific reasons expressly provided for in the law (e.g. cessation of operations, breach of licence conditions, actions that threaten public order).
These measures are aimed at limiting access to the cryptocurrency market to persons with high regulatory or legal risk, as well as preventing re-registration attempts by companies or persons who have already violated obligations to the financial system. Thus, the supervisory system in Estonia not only provides for high starting requirements for obtaining a MiCA licence, but also introduces severe consequences for violations, including bans on re-application and cancellation of licences without the possibility of reinstatement for a significant period of time.
Reporting of Estonian crypto companies under MiCA licence
Service providers operating in the field of virtual currencies were notified in advance of the introduction of the regular reporting obligation in writing and informed through two clarification sessions, one of which was held jointly with the Bank of Estonia and the Digital Asset Association. In the initial period of implementation of this regulatory obligation, the interest from market participants was limited: in January 2024, no more than ten providers used the test environment of the reporting portal, but by April the number had increased to about twenty. As the reporting deadline for the first reporting period (Q1 2024) approached, there was an increase in the interaction with the regulatory authorities: service providers or their audit consultants sent about ten technical enquiries to the Bank of Estonia, and the Money Laundering Prevention Data Bureau received about fifty substantive enquiries regarding the interpretation and fulfilment of the requirements.
Although there were individual cases of late fulfilment of the reporting obligation, in general, market participants ensured compliance with the requirements of the regulation of the Minister of Finance and successfully integrated the regular reporting procedure into their operations. The provision of correspondent services to virtual currency service providers is one of the most significant risk factors in the context of money laundering and terrorist financing (ML/TF) compliance. In professional practice, this type of interaction is often referred to as the provision of “nested” or “intermediated” services.
The essence of a correspondent relationship is that one financial institution (the correspondent) provides another institution (the respondent) with access to its financial infrastructure, including settlement accounts, payment systems or other services. This creates the possibility for an unlimited number of end clients acting through the respondent to access financial channels, while there is usually no direct contractual relationship between the correspondent and the end beneficiary.
This arrangement carries significant risks because:
– the correspondent institution usually does not have full information about the identity of the ultimate beneficial owners, the purpose and nature of their transactions;
– the functions of identification and verification of ultimate customers are entrusted to respondent, the efficiency of the internal control and risk assessment system of which may be insufficient;
– transparency of the source of origin of assets and beneficial ownership is significantly reduced, especially in cases of multi-level interaction scheme;
– each additional link in the transaction chain reduces the ability of supervisory authorities and organisations to detect suspicious activity and hinders effective monitoring of compliance with international sanctions regimes and ML/TF requirements.
In practice, in the virtual asset sector, the third party in a correspondent relationship is often another virtual currency service provider or financial institution operating outside of an effectively regulated jurisdiction. In such cases, transactions may be structured with the intention of concealing the source of funds, the true beneficiaries and the actual economic substance of the transactions. This creates opportunities for:
– integrating illicit funds into the financial system (money laundering);
– financing terrorist activities or armed conflicts;
– circumvention or violation of international sanctions, including sanctions related to the financing of weapons of mass destruction.
Given these risks, strict due diligence standards, including requirements to identify respondents, monitor correspondent activity and document the sources of origin of assets, are essential elements of an effective risk management framework for virtual currency service providers.
Supervision of crypto companies in Estonia
Although supervision of cryptoasset-related services will gradually come under the purview of the Financial Conduct Authority in the future, under current legislation, the RAB will continue to issue operating licences and supervise virtual currency-related service providers until the end of this year. In the long term, the European Union’s MiCA cryptoasset regulation that came into force will change the rules of the game.
The cryptoasset market has long been an enticing unregulated lure, offering investors both great opportunities and significant risks. The replacement of the term “virtual currency” with “cryptoasset” in the legislation well characterises the development of this market and explains why regulation of this area is expanding.
The list of controlled virtual currency services is growing.
Until now, cryptocurrency companies have been operating in different countries on the basis of local legislation. However, on 31 May last year, the European Union adopted the MiCA (Markets in Crypto-Assets Regulation) on crypto-assets, which establishes financial supervision over a significant part of crypto-assets and services related to crypto-assets. The supervision will apply not only to services that previously qualified as virtual currency services in Estonia, but also to many others. While the Prevention of Money Laundering and Terrorist Financing Act (RahaPTS) names four types of services as virtual currency services, according to MiCA, there are ten such services. Some of these overlap in content with existing virtual currency services, but the rest relate to services that are not yet regulated. The list of services that require authorisation to operate includes, for example, executing cryptoasset-related orders on behalf of a client, accepting and transmitting orders on behalf of a client, providing cryptoasset advice and managing a portfolio of cryptoassets.
Investors are more protected
The MiCA Act places additional requirements on service providers who, in addition to monitoring money laundering risks, are increasingly focused on investor protection. For example, service providers that store or provide access to customers’ cryptoassets are required to begin implementing measures to help protect investors’ cryptoassets from third-party attacks. Service providers will also be responsible for monitoring the market, being required to inform the financial supervisory authority of any suspicious transactions that may constitute an attempt to manipulate the market. As a significant change, MiCA requirements also apply to the issuance, offering or applying for admission to trading of certain types of cryptoassets. Previously, these cryptoasset-related activities were completely unregulated. As a result, stricter requirements are being introduced for two types of cryptoassets: e-money tokens and asset-based tokens, known in the industry as “stablecoins” and henceforth offered on the European Union markets only by banks, in the case of e-money tokens also by institutions operating in this field, and in the case of asset-based tokens by companies that have obtained a separate licence to operate.
Some cryptoassets remain unregulated
The third type of cryptoasset is all other cryptoassets that are not e-money or asset-based tokens. However, these cryptoassets are primarily subject to requirements that increase the transparency of the assets offered, such as the obligation to publish a white paper describing the nature of the asset and restrictions on the content of promotional communications. Investors should therefore be vigilant when purchasing cryptoassets, as the offering of tokens classified as other cryptoassets does not require prior approval from the financial supervisory authority. Certain types of cryptoassets offered on the market (e.g. NFTs) are also completely exempt from MiCA. Cryptoasset service providers, however, should note that in the case of cryptoassets to which MiCA applies, they may not allow clients to trade cryptoassets that do not meet the MiCA requirements applicable to them. It should also be noted that certain crypto-assets may also qualify as securities and that stricter investment laws than MiCA have been and will continue to be applied to them and that it is unlawful to provide services relating to such crypto-assets without an appropriate licence.
MiCA will be implemented gradually
MiCA regulation will be applied to different types of assets and services in a phased manner. In Estonia, MiCA is also complemented by the Cryptoasset Market Act, which provides for a transitional period for compliance in certain cases. From 30 June this year, all operations related to the issuance, offering and provision of trading in electronic money and asset-based tokens must comply with MiCA, and from 30 December, MiCA will also apply to other cryptoassets that are not electronic money or asset-based tokens, as well as several cryptoasset-related services. Virtual currency service providers with an existing RAB operating licence issued before 30 December will retain the right to operate under their existing licence until 1 July 2026. Until that time, the RAB will continue to supervise these service providers. Institutions without a previous FIA licence must apply for a licence from the Financial Conduct Authority (FIA) to provide services under MiCA from 30 December and will be supervised by the Financial Conduct Authority. A company that chooses to apply for and obtain a licence from the Financial Supervisory Authority may provide cryptoasset-related services throughout the European Union. A company providing cryptoasset-related services is not required to have a physical presence in all Member States. Cryptoasset-related service providers that do not hold a licence from the FIA, the Financial Supervisory Authority or other supervisory authority of a Member State of the European Union as of 30 December this year are acting illegally.
Investors and consumers need to be particularly vigilant during the transition period.
While in the long term the transition to MiCA will provide investors and customers of cryptoasset services with better protection, it is worth being vigilant in the coming years when choosing a service provider. From 30 December this year to 1 July 2026, a situation will arise where companies licensed by both the Financial Conduct Authority and the Financial Conduct Authority will be able to provide similar services in parallel, but only the latter will be required to implement additional MiCA investor protections. More information on obtaining a Financial Supervisory Authority licence can be found here. The volume of transactions involving crypto-assets has grown significantly, and without proper controls, it is easy to become entangled in a web of opaque or unscrupulous schemes in this area. Either lose your assets to poorly managed intermediaries or face market manipulation that jeopardises both investors’ assets and the financial system as a whole. While the transition to MiCA will take some time, and ultimately every investment should be an informed risk for the investor, the new regulation in place at the European Union level will reduce the risks associated with crypto assets to a certain extent. It will also help investors to obtain more transparent information about the assets they purchase, and intermediaries operating in the cryptoasset sector to monitor and evaluate their activities more closely, ensuring greater transparency and client protection.
Regulation of cryptocurrencies and cryptoasset market in Estonia
In 2024, a specialised cryptoasset law, Krüptovaraturu seadus (KrüTS), came into force in Estonia, which fundamentally changes the approach to regulating crypto market participants. The new law harmonises the Estonian regulatory environment with the European MiCA Regulation and strengthens the supervision of companies dealing with virtual assets. Below is a detailed analysis of the KrüTS provisions, key responsibilities of market participants and new regulatory requirements.
Transition from FIU licences to full FSA regulation
Previously, all cryptocurrency companies in Estonia were licensed by the Financial Intelligence Unit (FIU). However, as of 1 July 2024, the supervision of the cryptoasset market has been transferred to the Financial Supervisory Authority (FSA). This means that a new regulatory system is in place from that date: FIU licences remain valid only for a transitional period, which will last until 1 July 2026. After this period, only those crypto companies that receive a corresponding authorisation from the FSA will be able to continue to operate legally in Estonia.
The new licence from the FSA is granted for an unlimited period of time, it is non-transferable and requires a registered legal address and management structure in Estonia. The company must have either the form of a private limited liability company (OÜ) or a public limited company (AS). In some cases, there is a requirement to have a supervisory board, especially if the activity is systemically important.
Companies and activities subject to regulation
The new law covers a wide range of activities related to virtual assets. In particular, the following categories of persons and companies fall under regulation:
- Platforms and organisations issuing or offering cryptoassets (including utility tokens, steblecoins and electronic money tokens).
- Companies providing services for exchanging virtual assets to and from fiat currencies.
- Custodial services that store cryptoassets or manage customer keys.
- Platforms that allow cryptoassets to be traded or organise their circulation on secondary markets.
- Persons providing cryptoasset advice, performing asset transfers, and administering user accounts.
The regulation applies not only to Estonian residents, but also to foreign companies that purposefully provide services to users located in Estonia.
Licensing: requirements, structure, capital
To obtain a licence, a cryptocurrency company must submit a full set of documents to the Financial Inspectorate, including a business plan, description of the corporate governance structure, internal control scheme, AML/KYC policy and information security mechanisms.
The minimum amount of authorised capital depends on the nature of the services provided:
- For companies providing exchange and wallet services, the minimum capital is set at €100,000.
- Custodial platforms and asset transfer services require a minimum capital of €250,000.
In addition, there are requirements for the management team: the management board must have at least two qualified members, each of whom must have a specialised education and at least two years of experience. The number of management positions that the same person can hold simultaneously in several licensed organisations is also regulated.
Operational responsibilities and internal controls
The new rules oblige licensed companies to ensure a sustainable internal structure that guarantees the protection of clients’ rights and compliance with European anti-money laundering and counter-terrorist financing requirements. Mandatory elements of operational discipline include:
- Full identification of customers with verification of the source of origin of funds.
- Continuous monitoring of transactions and the use of automated systems to detect suspicious activity.
- Mandatory implementation of the so-called Travel Rule – a mechanism for transferring information between providers when making transfers.
- Appointment of a compliance officer and ongoing reporting to the supervisory authority.
- Preparing procedures for customer complaints, internal investigations and personal data protection.
- Regular reporting to the regulator, including financial, operational, customer and counterparty information.
It is important to note that all CASPs (crypto-asset service providers) are required not only to implement these procedures on paper, but also to confirm their actual implementation during supervisory reviews.
Administrative oversight, sanctions and enforcement action
The FSA has broad powers in terms of supervising the activities of cryptocurrency companies. The regulator has the power to:
- Request any documents from licensees, including financial statements, internal policies and contracts.
- Appoint on-site inspections, including inspections of IT infrastructure and risk management systems.
- Temporarily suspend a company’s activities or restrict certain types of operations.
- Revoke a licence in case of serious violations or systemic non-compliance with the law.
The law provides for the possibility of imposing fines, restrictions on the disposal of client assets, and mandatory administrative orders.
Transition period and adaptation of existing companies
Existing cryptocurrency companies holding a licence issued before 1 July 2024 are required to adapt to the new requirements and apply for a licence from the FSA within two years. At the end of the transition period (1 July 2026), only those entities that have been re-licensed will retain the right to operate. Clarifications, technical guidance and the possibility of phasing in the requirements are provided to ease the transition. However, companies that fail to submit documents on time or do not fulfil the new criteria will be removed from the register and will lose the right to operate legally. The adoption of the KrüTS Act marks Estonia’s transition from formal licensing to comprehensive regulation of the crypto market. The country is orientated towards European Union standards, creating a transparent, accountable and secure environment for cryptoasset operators. Market participants should not only legally comply with the new requirements, but also build sustainable mechanisms of internal control, transparency and customer protection. This creates a basis for long-term development of the industry, investment attractiveness and strengthening the trust in Estonia as a reliable jurisdiction in the field of digital finance.
FREQUENTLY ASKED QUESTIONS
Who is considered a high-risk client?
High-risk customers are determined by the service provider based on its own risk assessment procedures developed in accordance with Section 37 of the Money Laundering and Terrorist Financing Prevention Act (MLPA). This regulation stipulates that each company is obliged to implement internal rules and methods to identify characteristics that indicate a potentially high risk. This means that the obliged person independently classifies customers as high risk based on a combination of identified factors and internal assessment methodology.
Who is considered an active customer?
An active customer is a person with whom the service provider currently has an active business relationship. This is understood to mean the existence of regular or ongoing transactions in which the client actually uses the services provided. Such customers are subject to ongoing monitoring and evaluation by the provider in order to comply with the requirements of the legislation on prevention of money laundering and terrorist financing.
What are linked transactions?
Linked transactions are transactions that are artificially divided into several parts in order to avoid a threshold above which the service provider is obliged to identify the customer and/or report to the Anti-Money Laundering Bureau. This practice is known as "smurfing" and is a common form of concealing the actual volume of transactions. To make it difficult to identify the relationship between transactions, attackers may use a variety of schemes, such as conducting transactions over time, through different institutions (e.g., money exchangers or banks), or involving different individuals. Such actions can make it difficult to establish the real structure of the transaction and the origin of the funds. Therefore, the service provider's staff should have the appropriate knowledge and skills to recognise the signs of linked transactions and should immediately inform the company's responsible person authorised for financial monitoring in case of reasonable suspicion.
Do I need to confirm my identity for each currency transaction?
Yes, identification is mandatory for every transaction. According to § 6(2)(1) and § 25 of the Money Market Act, foreign exchange service providers are financial institutions and may not provide services without prior identification of the customer and verification of the submitted data. The previously valid threshold of EUR 6,400, above which identification was required, is no longer applicable. This means that any person, regardless of the amount of the transaction, must be identified when providing currency exchange services, and the provider is obliged to verify the accuracy of the information provided prior to the start of the service.
What should be considered when dealing with high-risk countries?
When establishing or monitoring a business relationship, the service provider must verify whether the customer is linked to a third country classified as a high-risk jurisdiction. This connection may be in the form of the customer's nationality, residence or place of business, or the fact that the counterparty's or payment intermediary's business activities take place in such a country. The same approach applies to customers utilising services through such jurisdictions. The lists of high-risk countries are published, including in the current version of the European Commission (EU) Delegated Regulation (EU) 2016/1675, as well as on the basis of analyses of the implementation of the FATF recommendations and the lists of countries with a high risk of terrorist financing. If a customer or transaction is directly or indirectly linked to such a jurisdiction, enhanced due diligence measures set out in Article 39 of the Financial Services Act must be applied. These include:
- Gathering additional information about the client and its beneficial owner
- Clarifying the nature and purpose of the proposed business relationship
- Obtaining information on the origin of funds and financial sources of the client
- Analysing the economic or legal basis of transactions
- Mandatory senior management approval of the establishment or continuation of the business relationship
- Enhanced monitoring, which involves increased frequency and detail of monitoring, including spot checks on specific transactions.
The purpose of applying these measures is to minimise the risk of the company's involvement in a money laundering or terrorist financing scheme and to ensure proper compliance with the requirements arising from EU law and obligations under international sanctions regimes.
When does the obligation to notify the FIU of a transaction over EUR 32,000 arise?
Pursuant to Section 49(3) of the Money Laundering and Terrorist Financing Prevention Act, an obliged person (other than a credit institution) must mandatorily notify the Money Laundering Office (FIU) of any transaction in which the cash settlement amount exceeds EUR 32,000, or the equivalent in another currency. This rule applies both to one-off payments and to interrelated transactions made within the same calendar year under the same obligation to a single customer. Credit organisations, in their turn, are obliged to send such a notification only in case of currency exchange in excess of EUR 32,000, if no business relationship has been established with the customer.
The essence of the obligation is as follows: if a client's financial obligation (e.g. payment under a contract of sale, lease, loan, etc.) is executed in cash and its amount exceeds the legal limit, the obliged person is obliged to send a notification to the FIU, even if the payments are split into several parts. In such cases, the following shall be taken into account:
- the total amount of the obligation under one contract;
- the relationship between the transactions (e.g. time, purpose, parties);
- the method of fulfilment - cash only.
The notification must contain information about the customer, his representative (if any), the amount of the transaction and its characteristics. Failure to comply with this requirement is regarded as a violation of the law and may entail administrative or even criminal liability in case of aggravating circumstances.
How should a situation be assessed where an authorised person waives the right to sign while remaining the sole signatory?
Such a situation raises reasonable doubts as to whether due diligence has been performed and may indicate an attempt to circumvent the identification procedures typical of high-risk transactions. Pursuant to § 187 of the German Commercial Code, a member of the Management Board is fully responsible for the company's activities during the exercise of his authority. If he or she, who remains in fact the only person with control over the corporate account, waives formal signature rights at the bank, this does not absolve him or her of legal responsibility, but creates a legal and operational imbalance that prevents proper verification of the source and destination of the funds. From the perspective of money laundering prevention legislation, such a structure - where no one formally has the right to handle the account, but access is actually retained - indicates a breach of the requirements for continuous customer identification and transparency of business transactions. In such a situation:
- the bank's obligation to suspend operations on the account until the person actually managing the account and in respect of whom enhanced due diligence measures should be applied, personally confirms his role and provides all required documents;
- the bank's obligation to report the suspicious transaction to the Anti-Money Laundering Data Bureau (AML), as the waiver of signature rights in the actual control may indicate an attempt to conceal the actual user or beneficiary of the funds.
This behaviour is therefore subject to legal assessment as a breach of transparency of transactions and in the context of AML/CFT legislation may qualify as grounds for suspicion of an attempt to circumvent the enhanced identification requirements.
Is it legal to register a company in one's own name and transfer control to a third party? What risks does it entail?
This way of making money is illegal and carries serious criminal consequences. Registering a company in your own name and then transferring access to bank accounts, including internet banking and payment instruments, to a third party directly violates the terms and conditions of banking services, anti-money laundering legislation and may be considered as aiding and abetting an offence. Technically, you remain solely responsible for all transactions conducted through the company's account, even if you do not personally manage them. If questionable transactions occur through the account (e.g. transfers from fraudulent schemes, financing of illegal activities, tax evasion, conversion of stolen funds), you will be recognised as the owner of the funds and responsible for these actions.
This means:
- financial and criminal liability in the event of unlawful transactions being detected;
- blocking of accounts and assets, both personal and corporate;
- the possibility of being charged as an accessory to money laundering, tax evasion or other criminal activity;
- damage to business and banking reputation, including prohibition to do business and refusal to open accounts in the future.
Thus, an offer to transfer control of a company and an account is not "additional income", but a scheme to engage in criminal activity, the consequences of which can be extremely serious. It is recommended that you immediately refuse to participate in such activities and, if necessary, notify the competent authorities of the attempted involvement.
Where can I check if a company has a licence?
Information on the existence of a business licence can be checked at the Estonian Economic Activities Register (MTR). This is an official state resource that publishes data on all authorisations issued to companies for regulated activities. To check, go to https://mtr.ttja.ee/tegevusluba?m=97, select the relevant service category (e.g. "virtual currencies" or "financial services"), enter the name or registration code of the company and view information on valid licences. The register is maintained by the Consumer Protection and Technical Inspection Department (TTJA) and is updated on an ongoing basis. Using this resource allows you to verify the legality of your organisation's operations before you start working with them.
How do I determine if my company needs a licence to operate?
Before engaging in activities that may be subject to regulation, an entrepreneur should initiate a legal analysis to determine whether their business is subject to licensing. It is recommended that this analysis be entrusted to a professional law firm with expertise in financial regulation and licensing. If the analysis leaves doubts as to whether a licence is required, the entrepreneur may send the results of the analysis to the Financial Intelligence Unit (FIU) for an assessment. However, it is important to understand that the FIU does not perform legal analyses at the applicant's initiative and does not clarify the law individually (§ 54 of the Financial Markets Act). FIU's assessment can only be made on the basis of an already conducted and documented legal opinion. Thus, the obligation to determine whether licensing requirements exist lies with the entrepreneur, and obtaining a professional opinion is a reasonable and lawful practice before starting activities in the regulated field.
Is it necessary to submit documents to the FIU in Estonian?
Yes, the documents submitted to the FIU shall be submitted in Estonian in accordance with the requirements of Section 20(1) of the Food and Drug Administration Act of the Republic of Estonia.
If a member of the Management Board has changed and the application for change is submitted to the commercial register, can the representative in the commercial register be changed sooner than 30 days later?
No, no change should be made to the trade register until the RAB completes its assessment of the new management board member's suitability for the legal requirements, which is carried out by the RAB after the application has been submitted.
What is external monitoring?
External monitoring is a form of supervisory activity carried out by the RAB to monitor compliance with the requirements of the Money Laundering and Terrorist Financing Act. Such supervision may take the form of both remote checks and on-site inspections. It is aimed at ensuring that reporting entities fulfil their obligations to identify customers, assess risks and report suspicious transactions. Supervision is carried out on a risk assessment basis, prioritising those areas of business where the threat level is highest.
Is it possible to send a response to an injunction in encrypted form?
Yes, such a possibility is provided. To obtain technical instructions and encryption parameters, please send a request to the Money Laundering Prevention Bureau by email to [email protected].
Do I need to resubmit a criminal record certificate for an existing company?
If the composition of the responsible persons listed in section 72(1) of the Financial Intelligence Unit Act remains unchanged, the criminal record certificate does not need to be resubmitted. However, when considering an application to amend the operating licences, the FIU may request up-to-date information, including new certificates, if it deems it necessary. At the same time, the validity of the provided certificate must not exceed three months from the date of issue.
I plan to manage a small investment fund and I intend to apply for a financial institution licence from the Money Laundering Data Bureau. At what point should I start the registration procedure with the Financial Supervision Authority?
Registration as a small fund manager with the Financial Supervisory Authority is a mandatory preliminary step before applying for a professional licence. It is not permitted to provide the relevant services without completing this registration, even if you have a valid licence. It is recommended to first complete the registration procedure as a manager before initiating the licence application.
Is it necessary to resubmit the business plan along with the application for amendment of the operating licence even if the previously submitted business plan has not been amended?
Yes, in accordance with the provisions of the Money Market Act, the submission of a business plan is mandatory for all virtual currency service providers, including those already holding a licence. The Financial Supervision Authority assesses the business plan to ensure that it complies with the requirements of Article 70 of the said law. If the previously submitted document was drafted significantly earlier, the applicant is advised to review its relevance and, if necessary, submit an updated version.
What format should the business plan, IT system descriptions, financial data, etc. be in?
There is no set standard for the formatting of these documents. However, when preparing them, it is necessary to ensure that the content is complete and accurate, reflecting the real structure, nature of the company's activities and the list of services provided. The documents should be drafted in such a way that they can be used to objectively assess the applicant's compliance with the established regulatory requirements.
Can a document describing IT systems be included in the business plan?
Yes, a description of the IT systems used can be included in the business plan. However, the relevant section must contain detailed information that meets the requirements of Article 70(3)(5) of the Financial Services Act. The description should cover the architecture, functionality, security measures and applicability of the IT infrastructure in the context of the financial services provided.
Can an individual entrepreneur act as a contact person for the FIA?
Formally, such a possibility is not excluded, provided there is no conflict of interest. However, in practice, the appointment of an individual entrepreneur as a contact person for the FIA is extremely difficult, given the requirements for independence, competence and sustainability of such a representative.
Can one virtual currency service provider have two points of contact?
Yes, the legislation allows for two points of contact for a single virtual currency service provider. In such a case, both representatives must fulfil the requirements set out in Article 17 of the Financial Services Law, including competence, integrity and reliability. The allocation of responsibilities and internal functions between contact persons is a matter of corporate governance and is determined by the company itself.
Should the internal auditor of an Estonian cryptocurrency company be certified?
The internal auditor is subject to the qualification and professional requirements set out in the Auditing Act and § 72⁴(2) of the Financial Services Act. The auditor must have the status of a certified internal auditor, which implies successful completion of the special part of of the professional examination conducted within the framework of the certification system and obtaining the relevant recognition of qualification by a decision of the competent minister. It is allowed to engage an internal auditor who is a citizen of another EU Member State or who carries out activities outside Estonia, provided that all the requirements laid down in § 72⁴ of the Financial Services Act are met. The main criteria include professional qualifications, independence, appropriate level of competence and the ability to objectively assess the company's internal processes.
Is the auditor's consent sufficient or must a contract be provided?
The virtual currency service provider must have an agreement with the auditor in place at the time of the change application. Whilst a signed contract is desirable, in exceptional cases it is acceptable to provide other evidence, such as the auditor's written consent to co-operate. However, in the absence of a signed contract, the applicant must be prepared to provide the FIA with documentation demonstrating that all reasonable and good faith efforts have been made to seek and agree terms with the auditor.
Does the external auditor have to be registered in Estonia or can such services be provided by a foreign specialist?
The provision of audit services in Estonia is regulated by Articles 81 et seq. of the Auditing Act. An auditor may represent either an Estonian or a foreign company, however, in order to perform activities in Estonia, a legal entity must have a relevant licence. At the same time, only a sworn auditor who has obtained qualification in Estonia in accordance with the procedure laid down in Section 28 of the Act or a specialist whose professional qualification has been recognised in accordance with Section 30 may directly provide audit services on behalf of such a company. Thus, the participation of foreign specialists is possible, but only if the conditions set out in Estonian law are met.
How to determine the amount of equity of an Estonian cryptocurrency company?
The equity of a cryptocurrency company in Estonia is formed from the authorised capital, share premium, retained earnings and equity reserves. When applying for a licence, a virtual asset service provider is obliged to ensure the level of own funds exceeding the minimum threshold. The amount of such funds should be sufficient to cover potential financial losses during the initial operational phase, as well as to continuously meet solvency requirements after the licence is granted. The reserve should take into account potential risks associated with the implementation of the business model, including delays in the launch of services, deviations from the projected growth of the client base or increased administrative costs. Thus, the calculation of the required amount of own funds requires a comprehensive assessment of the applicant's financial stability and the realism of its business plan.
Can the authorised capital be increased when applying for a MiCA licence?
Yes, an increase in the share capital is allowed and can be done as part of the preparation of the licence application in accordance with the MiCA Regulations. Moreover, in order to comply with the minimum equity requirements of Estonian legislation for token issuers and cryptocurrency service providers, the company is obliged to deposit cash proving that it has sufficient capital. Increasing the authorised capital serves as one way to ensure the required financial level and reliability of the applicant.
If the authorised capital has already been changed and the information about it has been entered in the commercial register, do I need to provide an additional bank certificate about its deposit?
Yes, despite the entry of changes in the commercial register, the applicant is obliged to submit documents confirming the actual contribution of the authorised capital. Pursuant to Section 70³²(1) of the Financial Services Act, both information on the amount and structure of the authorised capital and proof of its formation, including a bank transfer confirmation or a certificate from a credit institution, are required. The registration record in itself does not release from the obligation to document the financial investments.
What should be the size of the authorised capital of an Estonian VASP company if it intends to provide both custody (wallet) and transfer services of virtual assets?
If a company intends to provide both cryptoasset custody services on behalf of customers and virtual asset transfers at the same time, the minimum size of its authorised capital must be at least EUR 250,000. This requirement is imposed pursuant to Section 72¹ (2) (1) (2) of the Financial Services Act and reflects the higher level of risks inherent in the combined activities in these categories of cryptocurrency services.
Can the paid-up authorised capital be used for transactions or must the funds remain in the account at the same amount?
It is not prohibited to use the paid-up authorised capital to finance the company's operating activities. Once the company has been incorporated and the payment of the authorised capital has been confirmed, the funds may be used for business activities, provided that the minimum equity requirements set out in the applicable regulations are met. There is no obligation to "freeze" the authorised capital in a bank account under the applicable legislation.
If the authorised capital is increased from retained earnings and the relevant changes have already been registered in the commercial register, how can the contribution be confirmed?
In such a situation, in addition to the data contained in the commercial register, the applicant must submit accounting documents confirming the fact that undistributed profit was used to increase the authorised capital. Such documents may include profit distribution reports, balance sheets, minutes of decisions of the governing body and other financial confirmations. Each case is considered individually and, if necessary, the regulator has the right to request additional materials confirming compliance with the requirements of the legislation.
Is it sufficient to include an extract from the commercial register in the application if it indicates the existence of share capital?
The submission of an extract from the commercial register confirming the registered amount of share capital may be accepted as one of the supporting documents. However, the final decision on the sufficiency of the submitted material is made on an individual basis for each application. If necessary, the responsible officer is authorised to request additional documents confirming the formation and contribution of capital in accordance with legal requirements.
If a client transfers funds from his/her personal wallet on his/her own, does the company need a share capital of EUR 250,000?
The obligation to comply with the minimum authorised capital requirement of €250,000 does not depend on the fact of the transfer per se, but on the company's role in the transaction process. If a cryptocurrency company directly initiates or executes the transfer of virtual currency on behalf of a customer - whether between different persons or between wallets belonging to the same customer - such activity qualifies as a virtual asset transfer service.
Even if the actual transfer of assets is done through an interface provided to the user, but the control of the transaction or the disposal of the assets at some stage is carried out by the company, it is recognised as a participant in the transfer service. In this case, compliance is required, including having a share capital of at least €250,000 as stipulated in the financial services legislation. If, however, the company does not participate in the transfer, does not dispose of assets, does not execute orders and does not have access to the customer's keys or funds, and the transfer is carried out solely by the user, such activities do not fall within the definition of a transfer service and, accordingly, the higher share capital threshold may not apply. However, the final qualification depends on the assessment of the specific business model.
Is the required equity of a virtual currency transfer service provider calculated based on the transaction volumes of the previous calendar year or the previous 12 current months? And how often is the calculation recalculated - annually or monthly?
The amount of own funds required under § 72² (6-7) of the Money Market Act is calculated on the basis of the volume of transactions carried out in the previous calendar year. The calculation is based on the average monthly transaction volume: the total amount of exchange and transfer transactions carried out during the year is divided by twelve. If a cryptocurrency service provider has been operating for less than 12 months, the volume of transactions is calculated in proportion to the actual number of months of operation - the sum of transactions for the period is divided by the number of months of actual activity during the past calendar year. Thus, the calculation methodology does not involve monthly updates based on a rolling 12-month period. The recalculation of own funds is usually carried out at the beginning of the calendar year based on the totals of the full previous year.
What is virtual currency wallet turnover?
The RAB (Money Laundering Prevention Bureau) defines virtual currency wallet turnover as the total amount of virtual currency that has passed through a given wallet during a given period. This includes all receipts and debits, regardless of the nature of the transactions - i.e. turnover reflects the full movement of assets through the wallet, not just the balance or net difference between incoming and outgoing transactions.
What are transactions within a provider?
Intra-service provider transactions are transactions in virtual currency or fiat funds that occur between accounts controlled by the same service provider. Such transactions do not extend beyond the infrastructure of a particular platform and are either between customer accounts within the system or between customers and the provider itself. RAB qualifies such transactions as internal, as the movement of funds takes place solely within the technological and legal environment of a single entity.
RUE customer support team

“Hi, if you are looking to start your project, or you still have some concerns, you can definitely reach out to me for comprehensive assistance. Contact me and let’s start your business venture.”
“Hello, I’m Sheyla, ready to help with your business ventures in Europe and beyond. Whether in international markets or exploring opportunities abroad, I offer guidance and support. Feel free to contact me!”


“Hello, my name is Diana and I specialise in assisting clients in many questions. Contact me and I will be able to provide you efficient support in your request.”
“Hello, my name is Polina. I will be happy to provide you with the necessary information to launch your project in the chosen jurisdiction – contact me for more information!”

CONTACT US
At the moment, the main services of our company are legal and compliance solutions for FinTech projects. Our offices are located in Vilnius, Prague, and Warsaw. The legal team can assist with legal analysis, project structuring, and legal regulation.
Registration number: 08620563
Anno: 21.10.2019
Phone: +420 775 524 175
Email: [email protected]
Address: Na Perštýně 342/1, Staré Město, 110 00 Prague
Registration number: 304377400
Anno: 30.08.2016
Phone: +370 6949 5456
Email: [email protected]
Address: Lvovo g. 25 – 702, 7th floor, Vilnius,
09320, Lithuania
Sp. z o.o
Registration number: 38421992700000
Anno: 28.08.2019
Email: [email protected]
Address: Twarda 18, 15th floor, Warsaw, 00-824, Poland
Europe OÜ
Registration number: 14153440
Anno: 16.11.2016
Phone: +372 56 966 260
Email: [email protected]
Address: Laeva 2, Tallinn, 10111, Estonia