Mica Licence in Estonia

As of 30 December 2024, the Money Laundering Information Office will cease accepting and issuing new licences for activities related to virtual currencies. This authority will be transferred to the Estonian Financial Supervision and Resolution Authority, which will start issuing licences in Estonia. which will start issuing licences under the cryptoasset regulation under Regulation (EU) 2023/1114 (MiCA). The transition will be completed by 1 July 2026, after which the licences issued by Rahapesu Andmebüroo will become null and void. Service providers holding a valid licence issued before 30 December 2024 will retain the right to continue operating on the basis of that licence until the end of the transition period or until a new licence is granted in accordance with the established procedure. Until that date, such persons will continue to be supervised by the Bureau. Applicants must apply to the Financial Conduct Authority to obtain a MiCA compliant licence. Applications submitted to the Financial Conduct Authority before 30 December 2024 but not approved before that date will not be considered. All supporting documentation will be returned to applicants. At the same time, the Bureau will continue to accept applications only for amendments to the conditions of already issued licences until the end of the transition period on 1 July 2026. This transformation of institutional supervision is due to the transition from narrowly focused compliance control to a comprehensive financial regulation enshrined at the level of the European Union. The new legal model provides for enhanced supervision, comprehensive requirements for internal procedures, governance structure and capital adequacy.

However, virtual currency service providers remain subject to obligations to prevent money-laundering and terrorist financing. They are also subject to international sanctions legislation, which obliges them to report to the Republic of Estonia Financial Intelligence Unit within the scope of their competence. As of 5 December 2024, crypto companies in Estonia had 43 valid licences issued by the Bureau in accordance with the provisions of the Money Laundering and Terrorist Financing Prevention Act (MLPA), valid until 30 December 2024.

The term virtual currency related service refers to:

• Virtual currency wallet service – activities related to the creation and storage of encrypted keys on behalf of a customer necessary for the storage, possession and transfer of virtual currency.
• Virtual currency exchange service – an operation involving the exchange of fiat currency for virtual currency or between different types of virtual assets.
• Virtual currency transfer service – an activity in which a provider mediates the transfer of virtual currency between two parties, without providing storage or exchange services, by transferring ownership or control of an asset.
• Initial Coin Offering (ICO) – the issuance and offering of digital assets using blockchain technology, where tokens are offered in exchange for fiat funds or other crypto-assets, with the possibility of subsequent placement on the secondary market. Such offerings may fall under investment services regulation and, in individual cases, require separate authorisation from the Financial Services Authority.

The move to a single regulatory regime under MiCA is intended to ensure a uniform level of supervision, enhance the protection of cryptocurrency market participants and eliminate fragmented approaches at the national level. The licence to operate virtual currency services is personalised and cannot be transferred to third parties, which is expressly provided for in § 70(4) of the Financial Services Act. This means that the licence is tied exclusively to the entity in whose name it is issued and its alienation, assignment or transfer – regardless of the form – is not allowed. As of 30 December 2024, the AML Information Bureau has stopped issuing new licences in this category. The supervision and licensing of cryptoassets will henceforth be carried out by the Financial Conduct Authority as part of the gradual implementation of the provisions of Regulation (EU) 2023/1114 (MiCA). As part of the transitional period, the Office only retains the power to amend licences already issued until 1 July 2026. After this date, all licences issued under the old procedure will become null and void.

An application to amend the terms and conditions of an existing licence can only be made subject to compliance with legal requirements, including submission of the documentation package required by the Prevention of Money Laundering Act (RahaPTS) and the International Sanctions Act (MSÜS). These documents must adequately prove the compliance of the company with the established requirements for virtual currency service providers. All applications are dealt with in administrative proceedings, the procedure for which is set out in the Financial Intelligence Unit Act. The language of administrative proceedings shall be recognised exclusively as Estonian. Therefore, all documents submitted in a foreign language must be accompanied by a certified translation into Estonian, which is valid for the purposes of official proceedings. Failure to provide a translation or submission of an incomplete set of documents may be grounds for refusal of the application or suspension of the procedure.

Documents required to apply for a MiCA licence in Estonia

1. Address of the place where the service is provided, including the website address;
2. The name and contact details of the person responsible for the provision of the service for all service locations specified in paragraph 1;
3. If the legal person is not registered in the Estonian Commercial Register, the name, registration or personal code of the owner of the legal person or, if missing, the date of birth, place of residence or birth and address of residence, the name, personal code of its beneficiary or, if missing, the date of birth, place of birth and address of residence;
4. Name, personal identification code, date of birth, place of birth and address of residence of a member of the governing body and an attorney of the service provider who is a legal person, if there is no such a person, if the service provider is not an entrepreneur registered in the Estonian Commercial Register;
5. The rules of procedure and internal control rules developed pursuant to Articles 14 and 15 of the Financial Supervision Act and, in the case of persons with special obligations listed in Article 20 of the International Sanctions Act, the rules of procedure developed pursuant to Article 23 of the International Sanctions Act and the procedure for verifying compliance therewith;
6. The name, personal identification number, date of birth, place of birth, nationality, residential address, title and contact details of the contact person designated under section 17 of the Financial Transactions Act;
7. In accordance with subsection 20(3) of the International Sanctions Act, the name, personal identification number and, if not available, date of birth, place of birth, nationality, residential address, title and contact details of the person responsible for implementing the international financial sanction imposed on the undertaking;
8. If the entrepreneur, a member of his management body, the prosecutor, the beneficial owner or the owner is a foreign national, a service provider established in a foreign country, or if the entrepreneur is a foreign service provider – a certificate of criminal record of the country of origin or an equivalent document issued by the competent judicial or administrative authority certifying the absence of punishment for an offence against public authority or for money laundering or other crime
9. If the entrepreneur, member of his management body, prosecutor, beneficial owner or natural person-owner is a citizen of a foreign country, copies of identity documents for all countries of citizenship and documents certifying the absence of the penalty referred to in paragraph 8;
10. Documents concerning the member of the management body and the trustee of the company, including the level of education, a complete list of the positions held and, in the case of a member of the management body, the scope of responsibility, as well as documents that the applicant considers necessary to submit to confirm the trustworthiness of the member of the management body or the trustee and the applicant’s impeccable business reputation. Note! Documents confirming education (diploma) must be submitted together with the application for amendments to the activity licence;
11. A list of accounts opened in the name of the entrepreneur, indicating the unique identifier of each account and the name of the account holder.
    All accounts opened in the name of the entrepreneur must be submitted together with the application for amendments to the licence to operate in the register of economic operators, to which must be attached a certificate from a credit institution, electronic money institution or payment institution confirming the existence of the account;
12. Information on what virtual currency-related service will be provided (Article 70(4) of the Money Market Law). The document describing the service must contain a detailed description of the content of the planned service;
13. The amount of assets and authorised capital (EUR 250,000 or EUR 100,000 depending on the service to be provided) and documents proving its payment (Article 70(3)(2)(1) of the Financial Services Act.
14. The applicant’s opening balance sheet and an overview of income, expenditure, profit and cash flow and the assumptions underlying them, or in the case of an operating company, the balance sheet and profit and loss account as at the end of the month preceding the application for an operating licence and, if available, the accounts for the last three financial years, unless they have been submitted and made available in databases maintained by the state (Section 70(3) and (2) of the Financial Services Act).
15. A business plan that complies with the requirements of Section 70 of the Financial Services Act. There are no additional requirements for the formal structure of the business plan, but it must reflect all the circumstances specified in Section 70 of the Financial Services Act (Section 70(3) of the Financial Services Act).
16. Documentation for risk appetite and risk assessment prepared in accordance with section 13 of the Financial Markets Act. The risk appetite and risk assessment must be consistent with the company’s planned business activities (section 70(3) and (4) of the Financial Markets Act).
17. Data on information technology systems and other technological tools and systems required to provide the planned services, including a description of the security measures used to ensure continuity of service and protection of client assets, a description of the business continuity measures and the level of technical organisation of the business. Such documents include, for example, service contracts between the applicant and the service provider, confirmation from the service provider that the service has been provided, an additional explanatory document submitted by the applicant, or other document (§ 70 (3) and (5) of the Financial Services Act).
18. Information technology systems and other technological means used in the provision of scheduled services, by means of which the service provider ensures the transmission of the data referred to in subparagraphs 2.4 and 2.5 of the Financial Transactions Act, the identification of the customer and its beneficial owners, the assignment of a risk level to the customer, and the identification and monitoring of business transactions and customers in a manner that enables the fulfilment of the obligations under this Act and the special obligations under the Financial Transactions Act (Article 70 (3) (2) (6) of the Financial Transactions Act). The same is meant here by those information technological means that enable the fulfilment of the obligation of “rules of travel” in the company (Article 70 (3) (2) (6) of the Financial Transactions Act). Data must be provided on all information technology tools that an applicant for an operating licence or a company applying for a variation of an operating licence uses to comply with the obligations set out in both the Financial Transactions Act and the International Sanctions Act.
19. The number of shares or units and votes acquired or held by each shareholder, partner or member (Section 70(3) and (7) of the Financial Markets Act).
20. The data of the applicant’s audit firm and the data of the internal auditor, which include the name, residence or domicile, personal identification code or, in the absence thereof, date and place of birth or registration code (Section 70(3) and (8) of the Financial Supervision Act). The data must be submitted separately for both the audit firm and the internal auditor. The requirements for the audit control and internal auditor are set out in more detail in §§ 72 and 72 of the Financial Supervision Act. The external auditor and the person conducting the internal audit cannot be the same person/service provider.
21. Information on persons with a significant shareholding in the applicant, which includes name, personal identification number and, in the absence thereof, date of birth, place of birth, nationality, residential address, position and contact details (§ 70 (3) and (9) of the Financial Transactions Act).
22. Data on companies in which a member of the applicant’s management body or a person with a significant interest in the applicant holds more than 20 per cent, which data shall include the name, location, registration code of each company and the number of shares or parts and votes held by a member of the applicant’s management body or a person with a significant interest in the applicant (§ 70 (3) and (10) of the Financial Markets Act).
23. If an applicant for a licence for activities related to virtual currency wishes to use the licence also for the activities of a subsidiary company, in addition to what is provided for in the Act on the General Part of the Code of Economic Activities, the applicant shall submit in the application for a licence for activities all the information specified in § 70 (3) of the Financial Services Act and, if necessary, also in § 70 (3.2^{) (and)}4 of the Financial Services Act regarding the financial service or service related to virtual currency.

MiCA regulations in Estonia

The Money Laundering Information Bureau shall proceed with the assessment of the applicant’s compliance with the legal requirements only after receiving a complete and correctly executed set of documents stipulated in § 70 of the Prevention of of Laundering of Proceeds of Crime Act. Preliminary verification shall be initiated only after all information and supporting documents have been submitted properly and in accordance with the established norms. If a licence is requested for use within the activities of a subsidiary, the subsidiary must comply with the same requirements as the main applicant. This means that the subsidiary must undergo identical checks on all aspects covered by the regulatory assessment, including goodwill, transparency of ownership structure, internal control systems and compliance with anti-money laundering and sanctions obligations.

Section 72(1)(1) of the Prevention of Money Laundering Act establishes a clear legal requirement: neither the company, nor members of its management body, nor trustees, nor beneficial owners, nor beneficial owners or beneficial owners may have a valid conviction for the following categories of offences:

• offences against public authority;
• money laundering offences;
• other offences committed intentionally

This condition serves as a barrier to the participation in regulated activities of persons with undermined legal reputation and is aimed at ensuring a high degree of confidence in financial market participants. When assessing the compliance of a registered entity with these criteria, current certificates of criminal record issued by the competent authorities of the countries of citizenship or registration of the above persons are subject to mandatory submission. In accordance with Article 72 (1) of the Financial Markets Law, every person associated with the applicant legal entity – whether it is the company itself, a member of its board, a trustee, a beneficial owner or the actual owner – must have an impeccable business reputation. This is a prerequisite for obtaining a licence to operate in the regulated financial sector, including the provision of services related to crypto assets.

The decision on the presence or absence of good business reputation is made by the licensing authority, taking into account the previous activities of the person and the surrounding circumstances. The Act establishes a presumption of impeccable goodwill until grounds for reasonable doubt are identified. Pursuant to § 72(2) of the Money Laundering Prevention Act, a person is deemed to lack goodwill if the Money Laundering Information Office identifies facts directly indicating the lack of goodwill. Such circumstances include, but are not limited to:

1. Engaging in acts or omissions that led to the bankruptcy or revocation of the licence of a company under financial supervision;
2. Committing a criminal offence of the first degree;
3. The imposition of a business or professional ban by a court of law, including for violation of a previously imposed ban;
4. Failure to ensure that the business is organised in such a way that the interests of clients and investors are adequately protected;
5. Submission of false information or concealment of relevant information in co-operation with supervisory authorities;
6. Prosecution for economic, professional or property offences, as well as for terrorism financing, provided that the criminal record is not expunged or there are no international sanctions.

It should be emphasised that the list of grounds set out in § 72(2) is not exhaustive. That is, other circumstances not expressly listed in the law but which create reasonable doubts as to the integrity, legal reliability and professional suitability of the person concerned may also be taken into account when assessing goodwill. Thus, the applicant must ensure that all persons with significant influence on the company’s business meet the criterion of business impeccability, including compliance with legal requirements, absence of regulatory and criminal offences, and experience to ensure responsible management of the company in the interests of clients and regulatory stability. Pursuant to Section 72 (1) (4) of the Money Market Act, in order to obtain a licence to provide virtual currency services, a legal person must ensure an actual presence in Estonia. This requirement can be fulfilled in one of two ways:

1. The company’s registered office and place of business must be located in Estonia;
2. In the case of a foreign applicant, the activities in Estonia must be carried out through a branch registered in the Estonian Commercial Register, and the actual place of business of the branch must also be in Estonia.

The place of business means the actual, permanent and continuous place of performance of economic or other activities that complies with Section 29 (2) of the General Part of the Civil Code Act. If the declared address does not provide conditions for the provision of cryptocurrency-related services or does not comply with the requirements laid down in the Money Market Act, it cannot be recognised as a valid place of business.

As an enhanced requirement set out in § 72⁵(7) of the Money Laundering Prevention Act, a company is obliged to:

• ensure that crypto services can be provided directly at the place of business;
• guarantee physical access by representatives of the FIU or other supervisory authorities to the documents collected and stored at the place of business at any time.

This means that the place of business should not be nominal, but functional – ensuring not only that employees and equipment are available, but also that AML/CTF requirements and other duties set out in the licence can be fulfilled at all times.

When reviewing an application, the FIU (Financial Intelligence Unit) assesses whether the place of business realistically fulfils its stated function. For example, the fictitious concentration of multiple cryptocurrency companies at a single address, as well as the provision of services in premises with objectively insufficient space (e.g. a 10m² office for two or more companies) are not permitted. Each application is subject to an individual assessment, taking into account the specifics of the services provided, staffing, management structure and level of technical equipment. Thus, ensuring an appropriate place of business is not only a formal but also an actual condition for obtaining a MiCA licence, which is verified by the supervisory authorities both at the time of application and during subsequent supervision.

In order to obtain a licence to provide virtual currency services in Estonia, a member of the management board of a company must meet a number of statutory requirements aimed at ensuring sustainable and controlled management of the regulated entity. First of all, pursuant to Section 72(1)(4) of the Exchange Control Act, the seat of the management board of the virtual currency service provider must be located in Estonia. If the applicant is a foreign company, it must operate through a branch registered in the Estonian Commercial Register, and the seat of the management board of this branch must also be located within the jurisdiction.

Higher requirements for a candidate for the position of a member of the Management Board are set out in Section 72⁵(1) of the Financial Supervision Act. The candidate must have completed higher education and at least two years of professional experience in one or more fields relevant to the company’s business. The law does not require specialisation in a specific field, but the degree of education must comply with the generally accepted classification (bachelor’s degree, applied higher education, master’s degree or doctorate). Secondary specialised or vocational education is not considered higher education in this context. Professional experience may be in finance, banking, law, accounting, public administration, financial regulation, information technology or academia. Both private and public sector experience is acceptable.

The legislation also sets quantitative restrictions: one person may not be on the board of more than two virtual currency service providers at the same time. An exception is provided if the positions are held by the same group of companies or if the provider owns a significant stake in another company – such positions are considered to be one. This clarification is provided for in Article 72⁵(3) of the Financial Services Act. In individual cases, the Financial Services Authority may authorise a board member to take up an additional, third position if a justified application with a digital signature is submitted. When considering such an application, both the scope of duties and the person’s ability to ensure the quality of management functions in each of the structures are assessed.

Thus, when forming the composition of the management board of a company intending to obtain a MiCA licence in Estonia, it is important to consider not only the educational and experience requirements, but also the limitations regarding the number of management positions and the need to ensure the actual presence of the management board in the country. The contact person appointed by the virtual currency service provider under Section 17 of the Financial Supervision Act must fulfil a number of qualification and legal criteria to ensure that he or she is suitable for fulfilment of the duties within the framework of the interaction with the Financial Intelligence Unit (FIU). This person plays a key role in ensuring proper compliance with AML/CFT regulations and in the implementation of sanctions compliance.

The appointee must possess the necessary education, professional suitability, experience, skills and personal qualities. The candidate must have an impeccable reputation as evidenced through a compliance review. An important structural requirement is that the contact person may only fulfil the relevant functions in one company and only with a direct employment contract. Temporary staff or an outsourcing model where the employee is employed by another organisation should not be used. The contact person’s employment must be recorded in the national employment register. This excludes situations where the company is unable to terminate the employment relationship with the contact person on its own in the event of non-compliance with the requirements, including if there are reasons to doubt the contact person’s reputation.

In addition, if the same person is a board member of two virtual currency service providers, he or she may only be a contact person for one of them. This requirement precludes a contact person from serving as a contact person for more than one entity, even if he or she is a board member of both. When assessing suitability, FIU considers the existence of an employment contract and actual employment in Estonia, including supporting records. Particular attention is paid to the level of education: higher education in law, economics or finance is preferred, while relevant professional experience is also assessed. A complete lack of experience does not preclude appointment, but requires a compensating factor – e.g. specialised training and a proven level of knowledge beyond the basic AML/CTF requirements.

The contact person must demonstrate stress tolerance, ability to analyse and make decisions, knowledge of the legal and regulatory framework (including RahaPTS, RSanS), and familiarity with the company’s structure and internal procedures. Of particular importance is the ability to communicate effectively with regulators. Personal characteristics – honesty, accuracy, reliability, integrity and co-operation – are considered an integral part of the assessment. Thus, the contact person must not only be a formalised employee of the company, but also possess the necessary level of qualifications, reputation and willingness to fulfil a complex and responsible function within the Estonian model of supervision of cryptocurrency service providers.

A company applying for a licence to carry out activities related to virtual currency must have an open payment account that complies with the legal requirements. Pursuant to Section 72 (1) (5) of the Financial Supervision Act, such an account must be opened in a credit organisation, electronic money institution or payment institution registered in Estonia or in another member state of the European Economic Area. At the same time, the organisation where the account is opened must have the right to provide cross-border payment services in Estonia or have a branch in Estonia.

When applying for a licence, information about the payment account must be submitted as part of the documentation submitted to the Register of Economic Activities. The application shall be accompanied by a confirmation issued by the relevant financial institution certifying that the account has been opened. If the applicant already has a valid licence and is applying, for example, for amendments to the terms and conditions of the licence, a list of payment accounts must also be submitted. It is important for the payer to check in advance whether the selected institution holds a licence allowing the provision of services in Estonia and meets the criteria set by the supervisory authorities. Such information can be checked on the official website of the Estonian Financial Supervision Authority. Using an unsuitable payment institution or providing incomplete account information may result in suspension of the application or refusal to issue a licence.

Pursuant to Section 72¹ of the Financial Markets Act, a service provider operating with virtual currencies is obliged to ensure the minimum amount of share capital required to obtain a licence to carry out regulated activities in Estonia. The specific amount of capital depends on the nature of the services provided. If a company provides virtual asset storage services (wallet services), exchanges between virtual currencies or between virtual and fiat currencies, or issues virtual currencies, the minimum amount of its authorised capital must be at least EUR 100,000. If the company plans to provide virtual currency transfer services, including customer-to-customer transactions, the minimum capital is increased to €250,000.

When registering a new legal entity for the purpose of obtaining a MiCA licence, the contribution to the share capital can only be made in cash. This condition is aimed at confirming the solvency of the company at the initial stage. Subsequently, when changes are made to the licence (e.g. expansion of the range of services), the capital contribution may be made in non-monetary form, but the applicant must document that the statutory amount of the share capital has been fully complied with. When assessing capital adequacy, the supervisory authority (FIU) may require relevant accounting documents, statements of accounts, proof of payment and certificates certifying the sources of funds. Failure to meet the minimum capitalisation requirements may be grounds for refusing to issue or renew a licence, or for applying restrictions to existing activities.

According to Article 72² of the Money Market Law, a service provider operating with virtual currencies is required to ensure that it has and maintains a sufficient level of its own funds to comply with licensing and supervisory requirements. These funds play a key role in assessing the financial strength of the company and serve as a mechanism to protect the interests of customers and market stability. Own funds may not be lower than the minimum amount stipulated by law for the relevant type of activity. In particular, a virtual currency service provider must maintain own funds at least at the level of authorised capital – €100,000 in the case of providing wallet services, exchanging or issuing virtual currencies, and €250,000 in the case of making virtual currency transfers on behalf of customers. This amount is considered to be the absolute minimum threshold.

However, in certain cases, an alternative calculation is used: the amount of own funds may also be determined according to a methodology based on overheads or transaction volume. In this case, the legislation requires that the highest value of the three possible values – fixed amount, overhead or transaction volume calculation – be used. Thus, the minimum amount of own funds must not be lower than the highest of these amounts. The structure of own funds must comply with the requirements of European banking legislation and include the components stipulated in Regulation (EU) No 575/2013, namely Common Equity Tier 1 (CET1). This means that only those assets that have the maximum capacity to cover potential losses and are not subject to withdrawal are included in equity, which guarantees sufficient liquidity and stability of the company.

For licensing purposes, information on own funds is subject to mandatory disclosure in the register of business activities (MTR) with attachment of documents confirming their existence and structure. The supplier is obliged to ensure continuous compliance with the requirements, including through regular internal monitoring of the level of own funds. Failure to comply with this condition may result in denial or revocation of licence, as well as other measures by the supervisory authority. Pursuant to Section 72³ of the Financial Services Act, all virtual currency service providers are required to have their annual financial statements audited. This requirement is aimed at ensuring the reliability of financial data for both supervisory purposes and for publication in public registers. The audit also includes a separate assessment of the company’s compliance with the statutory own funds requirements. Such an opinion must be provided annually both to the service provider itself and to the supervisory authority.

The statutory audit provisions apply to accounting periods from 10 March 2022 onwards. Accordingly, they do not apply retrospectively to financial periods before that date, including reports for 2021. If a company fails to indicate in its licence or in its accounts details of the auditing firm engaged, the Financial Supervision Authority may oblige the company to appoint an auditor. Only those persons may be engaged who fulfil the requirements set out in the Auditing Act, in particular Part 7, Sub-paragraph 2, Paragraph 2 of the said Act. The criteria for assessing the audit firm may be based on the provisions of Article 39, Part 3 of the same law, including professional experience, independence, resources and impeccable business reputation.

The obligation to audit the financial statements arises if the company exceeds the thresholds set out in Section 91 of the Audit Act in terms of revenue, assets or number of employees. Regardless of these thresholds, however, all service providers operating in the cryptocurrency sector are subject to a mandatory audit, at least in the form of a limited audit or confirmatory procedure. At the same time, the business may choose, on its own initiative, to opt for a more stringent form of verification in the form of a full audit. The verification of the adequacy of own funds is treated as a separate statutory engagement that is not formally part of the standard financial audit, although for reasons of efficiency both procedures may be assigned to the same audit firm. This enhances the integrity of the assessment and simplifies communication with the regulator.

Failure to appoint an auditor, despite formal instructions from the Financial Supervisory Authority, may be regarded as a material breach of licence conditions. In such a case, the supervisory authority has the right to initiate the revocation of the company’s licence. Thus, compliance with audit requirements is not a formality, but a key element of the prudential control system and reliability of cryptocurrency service providers in Estonia. Pursuant to § 72⁴ of the Money Market Act, every company providing services related to virtual currency is obliged to ensure the existence of an internal control function, including the appointment of an internal auditor. This requirement applies to all companies operating under a licence and is an integral element of the corporate governance and risk management system.

The internal control function covers control procedures, oversight of operational and management processes, and includes internal audit. The main purpose of the internal auditor is to independently monitor key processes and systems and to prepare opinions and recommendations aimed at improving the efficiency and reliability of the company’s operations. Internal audit should provide an objective assessment of internal control systems and provide internal assurance to help improve the sustainability of the business. At the same time, the internal auditor should not be involved in the design and implementation of the processes or rules that he or she will subsequently evaluate. This requirement is intended to eliminate conflicts of interest and minimise the risk of self-control. For example, a person who develops an internal risk management procedure cannot then act as an evaluator of its effectiveness.

Although the law does not oblige a company to employ an internal auditor on a permanent basis (external engagement under a service contract is possible), such a professional must act independently of other management and control functions. It is important to emphasise that the internal auditor and the external auditor cannot be the same person or organisation, as this would create a clear conflict of interest incompatible with the objectives of both functions. Having an independent internal audit function allows for the timely detection of irregularities, deviations from established rules and risks of non-compliance with legislation. It also demonstrates to supervisory authorities that the company has a mature internal management and control structure, which is particularly important in the context of MiCA Regulation and increased attention to the financial stability of cryptoasset market participants.

Under the provisions of the legislation governing virtual currency service providers, there is a certain deadline for processing licence applications as well as applications for licence amendments. The Anti-Money Laundering Bureau, which acts as the supervisory authority, considers applications for a licence to operate within 60 calendar days. At the same time, the period of time does not start from the moment of submission of the application, but from the date on which the applicant has submitted to the MLB the entire set of required data and documents drawn up in accordance with § 70 of the Financial Services Act. Only from that moment the application is considered to be duly filed and may be accepted for processing. In exceptional cases, MLB has the right to extend the review period up to 120 days, if the nature of the circumstances under review requires additional time to assess the subject of supervision. If the review reveals deficiencies or inconsistencies in the materials submitted, MLB may return the application to the applicant for revision at . In this case, the review period is suspended while the deficiencies are corrected, but not more than 30 calendar days at a time. The possibility of multiple 30-day extensions is not excluded, but each suspension must be justified and recorded separately. If the applicant fails to provide all required information, or if the information provided is incorrect, incomplete or misleading, the Financial Services Authority reserves the right to refuse to process the application. In such a case, it shall not be assessed on its merits and shall be returned without starting the administrative procedure. Thus, for efficient and timely processing of the application, the applicant should ensure in advance that all documentation is complete and accurate, and be prepared to promptly address possible comments from the regulator.

MiCA licence changes in Estonia

Under the MiCA legal regime in Estonia, there are clear rules for cryptoasset service providers regarding both the procedure for amending a licence and the grounds for its cancellation. If changes occur in a company that affect the circumstances that were the basis for obtaining a licence, the organisation must notify the Financial Intelligence Unit (FIU) at least 30 days before the proposed changes. In cases where the change is outside the company’s will, and where other information previously declared on the licence is affected, the relevant notice must be given within 5 working days of the occurrence of the event. Failure to comply with these deadlines may be considered a breach of licence conditions.

As for the cancellation of a licence, the law provides for a broad list of grounds on which a licence may be invalidated or revoked by a decision of the Financial Supervision Authority. In particular, a licence is subject to revocation if, when submitting the application, the company knowingly provided false information on which a positive decision depended, or if the entrepreneur has ceased business activities – including failure to comply with the obligation to submit an annual report or regular notification of changes to the licence conditions. A similar consequence occurs if an injunction has been imposed on the business or it has been licensed by another regulatory authority. In addition, a licence may be revoked in cases of systematic non-compliance with FIU regulations, failure to commence operations within six months of obtaining a licence, or complete inactivity for two years. Substantial violations of licence conditions, activities that threaten public order, failure to meet the criteria established at the time of issuing the permit, as well as misleading the supervisory authorities or violating sanctions legislation also entail revocation.

Particular attention is paid to the reputation and legal integrity of persons associated with the company. If a board member, beneficiary, prosecutor or owner of the company has been prosecuted for economic, property or professional offences, or for actions related to money laundering or terrorist financing, and this data has not been removed from the criminal record, the licence may also be revoked. The same applies to violations of international sanctions. Thus, the legal regime in Estonia sets not only high entry requirements for obtaining a MiCA licence, but also implies strict ongoing compliance with regulatory conditions, under the threat of licence revocation in case of non-compliance. Within the framework of the Estonian MiCA regulation, additional restrictions and grounds for refusal to issue or amend a licence are established for service providers related to virtual currency, aimed at ensuring the sustainability of the cryptocurrency market, proper supervision and risk minimisation.

First of all, according to § 72⁶ of the Money Market Act, a virtual currency service provider is not entitled to submit a notice of temporary suspension of economic activities. This means that it is not possible to suspend activities without revoking the licence – in case of actual cessation of operations, the licence is subject to revocation in accordance with the established procedure. In addition, Section 72 (3) of the Financial Supervision Act establishes a two-year prohibition on submitting a new licence application if the applicant, a member of its board or a person with a substantial share in the company has previously been refused a licence or the licence has been revoked. This restriction also applies to applications to amend a previously granted licence. Exceptions apply only in cases where the revocation of a licence was caused by voluntary cessation of operations, non-start of operations, transfer under the supervision of another authority or corporate reorganisation.

The grounds for refusal to issue or amend a licence are separately regulated. According to § 72(1¹) of the Financial Supervision Act, refusal is mandatory in cases where the company does not fulfil the basic requirements for the applicant. Additional grounds give the FIU the right to take a discretionary decision:

1. Significant connection with other persons that prevents proper supervision, especially if such connection is mediated through jurisdictions where the necessary level of co-operation cannot be ensured.
2. Lack of real economic connection with Estonia, despite having a legal address and the seat of the management board in the country. The regulator assesses not only formal criteria, but also actual presence and economic activity.
3. Insufficient internal procedures and policies. Internal rules should be adapted to the real specifics and risks of the applicant, rather than being a compilation of general legal provisions.
4. Inadequate IT infrastructure. Technology resources should ensure full compliance with AML/CFT requirements, be appropriate for the scale and complexity of operations, and be capable of maintaining control over client transactions.
5. Doubts about the legitimacy of the origin of capital. If necessary, FIU has the right to request additional evidence to confirm the transparency and legality of the sources of funding.
6. Previous revocation of a licence, either by the company itself or by a related person, if the revocation was for specific reasons expressly provided for in the law (e.g. cessation of operations, breach of licence conditions, actions that threaten public order).

These measures are aimed at limiting access to the cryptocurrency market to persons with high regulatory or legal risk, as well as preventing re-registration attempts by companies or persons who have already violated obligations to the financial system. Thus, the supervisory system in Estonia not only provides for high starting requirements for obtaining a MiCA licence, but also introduces severe consequences for violations, including bans on re-application and cancellation of licences without the possibility of reinstatement for a significant period of time.

Reporting of Estonian crypto companies under MiCA licence

Service providers operating in the field of virtual currencies were notified in advance of the introduction of the regular reporting obligation in writing and informed through two clarification sessions, one of which was held jointly with the Bank of Estonia and the Digital Asset Association. In the initial period of implementation of this regulatory obligation, the interest from market participants was limited: in January 2024, no more than ten providers used the test environment of the reporting portal, but by April the number had increased to about twenty. As the reporting deadline for the first reporting period (Q1 2024) approached, there was an increase in the interaction with the regulatory authorities: service providers or their audit consultants sent about ten technical enquiries to the Bank of Estonia, and the Money Laundering Prevention Data Bureau received about fifty substantive enquiries regarding the interpretation and fulfilment of the requirements.

Although there were individual cases of late fulfilment of the reporting obligation, in general, market participants ensured compliance with the requirements of the regulation of the Minister of Finance and successfully integrated the regular reporting procedure into their operations. The provision of correspondent services to virtual currency service providers is one of the most significant risk factors in the context of money laundering and terrorist financing (ML/TF) compliance. In professional practice, this type of interaction is often referred to as the provision of “nested” or “intermediated” services.
The essence of a correspondent relationship is that one financial institution (the correspondent) provides another institution (the respondent) with access to its financial infrastructure, including settlement accounts, payment systems or other services. This creates the possibility for an unlimited number of end clients acting through the respondent to access financial channels, while there is usually no direct contractual relationship between the correspondent and the end beneficiary.

This arrangement carries significant risks because:

– the correspondent institution usually does not have full information about the identity of the ultimate beneficial owners, the purpose and nature of their transactions;
– the functions of identification and verification of ultimate customers are entrusted to respondent, the efficiency of the internal control and risk assessment system of which may be insufficient;
– transparency of the source of origin of assets and beneficial ownership is significantly reduced, especially in cases of multi-level interaction scheme;
– each additional link in the transaction chain reduces the ability of supervisory authorities and organisations to detect suspicious activity and hinders effective monitoring of compliance with international sanctions regimes and ML/TF requirements.

In practice, in the virtual asset sector, the third party in a correspondent relationship is often another virtual currency service provider or financial institution operating outside of an effectively regulated jurisdiction. In such cases, transactions may be structured with the intention of concealing the source of funds, the true beneficiaries and the actual economic substance of the transactions. This creates opportunities for:

– integrating illicit funds into the financial system (money laundering);
– financing terrorist activities or armed conflicts;
– circumvention or violation of international sanctions, including sanctions related to the financing of weapons of mass destruction.

Given these risks, strict due diligence standards, including requirements to identify respondents, monitor correspondent activity and document the sources of origin of assets, are essential elements of an effective risk management framework for virtual currency service providers.

Supervision of crypto companies in Estonia

Although supervision of cryptoasset-related services will gradually come under the purview of the Financial Conduct Authority in the future, under current legislation, the RAB will continue to issue operating licences and supervise virtual currency-related service providers until the end of this year. In the long term, the European Union’s MiCA cryptoasset regulation that came into force will change the rules of the game.

The cryptoasset market has long been an enticing unregulated lure, offering investors both great opportunities and significant risks. The replacement of the term “virtual currency” with “cryptoasset” in the legislation well characterises the development of this market and explains why regulation of this area is expanding.

The list of controlled virtual currency services is growing.

Until now, cryptocurrency companies have been operating in different countries on the basis of local legislation. However, on 31 May last year, the European Union adopted the MiCA (Markets in Crypto-Assets Regulation) on crypto-assets, which establishes financial supervision over a significant part of crypto-assets and services related to crypto-assets. The supervision will apply not only to services that previously qualified as virtual currency services in Estonia, but also to many others. While the Prevention of Money Laundering and Terrorist Financing Act (RahaPTS) names four types of services as virtual currency services, according to MiCA, there are ten such services. Some of these overlap in content with existing virtual currency services, but the rest relate to services that are not yet regulated. The list of services that require authorisation to operate includes, for example, executing cryptoasset-related orders on behalf of a client, accepting and transmitting orders on behalf of a client, providing cryptoasset advice and managing a portfolio of cryptoassets.

Investors are more protected

The MiCA Act places additional requirements on service providers who, in addition to monitoring money laundering risks, are increasingly focused on investor protection. For example, service providers that store or provide access to customers’ cryptoassets are required to begin implementing measures to help protect investors’ cryptoassets from third-party attacks. Service providers will also be responsible for monitoring the market, being required to inform the financial supervisory authority of any suspicious transactions that may constitute an attempt to manipulate the market. As a significant change, MiCA requirements also apply to the issuance, offering or applying for admission to trading of certain types of cryptoassets. Previously, these cryptoasset-related activities were completely unregulated. As a result, stricter requirements are being introduced for two types of cryptoassets: e-money tokens and asset-based tokens, known in the industry as “stablecoins” and henceforth offered on the European Union markets only by banks, in the case of e-money tokens also by institutions operating in this field, and in the case of asset-based tokens by companies that have obtained a separate licence to operate.

Some cryptoassets remain unregulated

The third type of cryptoasset is all other cryptoassets that are not e-money or asset-based tokens. However, these cryptoassets are primarily subject to requirements that increase the transparency of the assets offered, such as the obligation to publish a white paper describing the nature of the asset and restrictions on the content of promotional communications. Investors should therefore be vigilant when purchasing cryptoassets, as the offering of tokens classified as other cryptoassets does not require prior approval from the financial supervisory authority. Certain types of cryptoassets offered on the market (e.g. NFTs) are also completely exempt from MiCA. Cryptoasset service providers, however, should note that in the case of cryptoassets to which MiCA applies, they may not allow clients to trade cryptoassets that do not meet the MiCA requirements applicable to them. It should also be noted that certain crypto-assets may also qualify as securities and that stricter investment laws than MiCA have been and will continue to be applied to them and that it is unlawful to provide services relating to such crypto-assets without an appropriate licence.

MiCA will be implemented gradually

MiCA regulation will be applied to different types of assets and services in a phased manner. In Estonia, MiCA is also complemented by the Cryptoasset Market Act, which provides for a transitional period for compliance in certain cases. From 30 June this year, all operations related to the issuance, offering and provision of trading in electronic money and asset-based tokens must comply with MiCA, and from 30 December, MiCA will also apply to other cryptoassets that are not electronic money or asset-based tokens, as well as several cryptoasset-related services. Virtual currency service providers with an existing RAB operating licence issued before 30 December will retain the right to operate under their existing licence until 1 July 2026. Until that time, the RAB will continue to supervise these service providers. Institutions without a previous FIA licence must apply for a licence from the Financial Conduct Authority (FIA) to provide services under MiCA from 30 December and will be supervised by the Financial Conduct Authority. A company that chooses to apply for and obtain a licence from the Financial Supervisory Authority may provide cryptoasset-related services throughout the European Union. A company providing cryptoasset-related services is not required to have a physical presence in all Member States. Cryptoasset-related service providers that do not hold a licence from the FIA, the Financial Supervisory Authority or other supervisory authority of a Member State of the European Union as of 30 December this year are acting illegally.

Investors and consumers need to be particularly vigilant during the transition period.

While in the long term the transition to MiCA will provide investors and customers of cryptoasset services with better protection, it is worth being vigilant in the coming years when choosing a service provider. From 30 December this year to 1 July 2026, a situation will arise where companies licensed by both the Financial Conduct Authority and the Financial Conduct Authority will be able to provide similar services in parallel, but only the latter will be required to implement additional MiCA investor protections. More information on obtaining a Financial Supervisory Authority licence can be found here. The volume of transactions involving crypto-assets has grown significantly, and without proper controls, it is easy to become entangled in a web of opaque or unscrupulous schemes in this area. Either lose your assets to poorly managed intermediaries or face market manipulation that jeopardises both investors’ assets and the financial system as a whole. While the transition to MiCA will take some time, and ultimately every investment should be an informed risk for the investor, the new regulation in place at the European Union level will reduce the risks associated with crypto assets to a certain extent. It will also help investors to obtain more transparent information about the assets they purchase, and intermediaries operating in the cryptoasset sector to monitor and evaluate their activities more closely, ensuring greater transparency and client protection.

Regulation of cryptocurrencies and cryptoasset market in Estonia

In 2024, a specialised cryptoasset law, Krüptovaraturu seadus (KrüTS), came into force in Estonia, which fundamentally changes the approach to regulating crypto market participants. The new law harmonises the Estonian regulatory environment with the European MiCA Regulation and strengthens the supervision of companies dealing with virtual assets. Below is a detailed analysis of the KrüTS provisions, key responsibilities of market participants and new regulatory requirements.

Transition from FIU licences to full FSA regulation

Previously, all cryptocurrency companies in Estonia were licensed by the Financial Intelligence Unit (FIU). However, as of 1 July 2024, the supervision of the cryptoasset market has been transferred to the Financial Supervisory Authority (FSA). This means that a new regulatory system is in place from that date: FIU licences remain valid only for a transitional period, which will last until 1 July 2026. After this period, only those crypto companies that receive a corresponding authorisation from the FSA will be able to continue to operate legally in Estonia.

The new licence from the FSA is granted for an unlimited period of time, it is non-transferable and requires a registered legal address and management structure in Estonia. The company must have either the form of a private limited liability company (OÜ) or a public limited company (AS). In some cases, there is a requirement to have a supervisory board, especially if the activity is systemically important.

Companies and activities subject to regulation

The new law covers a wide range of activities related to virtual assets. In particular, the following categories of persons and companies fall under regulation:

• Platforms and organisations issuing or offering cryptoassets (including utility tokens, steblecoins and electronic money tokens).
• Companies providing services for exchanging virtual assets to and from fiat currencies.
• Custodial services that store cryptoassets or manage customer keys.
• Platforms that allow cryptoassets to be traded or organise their circulation on secondary markets.
• Persons providing cryptoasset advice, performing asset transfers, and administering user accounts.

The regulation applies not only to Estonian residents, but also to foreign companies that purposefully provide services to users located in Estonia.

Licensing: requirements, structure, capital

To obtain a licence, a cryptocurrency company must submit a full set of documents to the Financial Inspectorate, including a business plan, description of the corporate governance structure, internal control scheme, AML/KYC policy and information security mechanisms.

The minimum amount of authorised capital depends on the nature of the services provided:

• For companies providing exchange and wallet services, the minimum capital is set at €100,000.
• Custodial platforms and asset transfer services require a minimum capital of €250,000.

In addition, there are requirements for the management team: the management board must have at least two qualified members, each of whom must have a specialised education and at least two years of experience. The number of management positions that the same person can hold simultaneously in several licensed organisations is also regulated.

Operational responsibilities and internal controls

The new rules oblige licensed companies to ensure a sustainable internal structure that guarantees the protection of clients’ rights and compliance with European anti-money laundering and counter-terrorist financing requirements. Mandatory elements of operational discipline include:

• Full identification of customers with verification of the source of origin of funds.
• Continuous monitoring of transactions and the use of automated systems to detect suspicious activity.
• Mandatory implementation of the so-called Travel Rule – a mechanism for transferring information between providers when making transfers.
• Appointment of a compliance officer and ongoing reporting to the supervisory authority.
• Preparing procedures for customer complaints, internal investigations and personal data protection.
• Regular reporting to the regulator, including financial, operational, customer and counterparty information.

It is important to note that all CASPs (crypto-asset service providers) are required not only to implement these procedures on paper, but also to confirm their actual implementation during supervisory reviews.

Administrative oversight, sanctions and enforcement action

The FSA has broad powers in terms of supervising the activities of cryptocurrency companies. The regulator has the power to:

• Request any documents from licensees, including financial statements, internal policies and contracts.
• Appoint on-site inspections, including inspections of IT infrastructure and risk management systems.
• Temporarily suspend a company’s activities or restrict certain types of operations.
• Revoke a licence in case of serious violations or systemic non-compliance with the law.

The law provides for the possibility of imposing fines, restrictions on the disposal of client assets, and mandatory administrative orders.

Transition period and adaptation of existing companies

Existing cryptocurrency companies holding a licence issued before 1 July 2024 are required to adapt to the new requirements and apply for a licence from the FSA within two years. At the end of the transition period (1 July 2026), only those entities that have been re-licensed will retain the right to operate. Clarifications, technical guidance and the possibility of phasing in the requirements are provided to ease the transition. However, companies that fail to submit documents on time or do not fulfil the new criteria will be removed from the register and will lose the right to operate legally. The adoption of the KrüTS Act marks Estonia’s transition from formal licensing to comprehensive regulation of the crypto market. The country is orientated towards European Union standards, creating a transparent, accountable and secure environment for cryptoasset operators. Market participants should not only legally comply with the new requirements, but also build sustainable mechanisms of internal control, transparency and customer protection. This creates a basis for long-term development of the industry, investment attractiveness and strengthening the trust in Estonia as a reliable jurisdiction in the field of digital finance.