The Ministry of Finance published a draft regulation, which establishes requirements for virtual currency service providers. The draft is used to make the proposal that the supervision of all service providers, established in Estonia, connected with virtual currencies, be placed under the competency of the Financial Supervision Authority.
Currently, the virtual currency service provider must receive an activity licence from the Financial Intelligence Unit, but supervision of their business activities is done to a very limited extent.
Below is a simplified overview of the main amendments which are presented in the draft of the legal act. All entities who are holders of an activity licence or who are applying for an activity licence based on the current regulation should be ready for the upcoming amendments (provided that the adopted legal act will have the same wording as the draft).
Authority exercising supervision
The Estonian Financial Supervisory Authority (at the moment the Financial Intelligence Unit)
Scope of the activity licence for virtual currency service
At the moment, a virtual currency service is the following
- virtual currency wallet service;
- virtual currency exchange service;
- a service for organizing a commercial platform (a new type of service)
Requirements for share capital and own resources
Share capital must be at least EUR 25,000 (the contribution must be monetary or non-monetary, except when the service provider shall be founded as a new company – in that case, it can only be monetary)
In the case of a private limited company, the shares must be registered with the Estonian Central Register of Securities
Requirements for own resources:
- must be the highest of the following two - EUR 25,000 minimum or
¼ of the permanent general costs incurred during the last financial year (must be reviewed each year)
Requirements for executives
The management board must have at least 2 members.
The members of the management body must:
- comply with the terms of the financial market, depending on the specific position – knowledge, skills, experience, education, business reputation, must have enough time for the tasks, etc
Requirements for the structure of the organisation
- the structure of the organisation must be based on three lines of defence
- structure of internal compliance, including regulatory compliance
- risk management functions
- internal audit functions
- external audit (financial audit)
Requirements for the storage of the clients’ property
The following obligations apply:
- submit the bank account details;
- submit the indicator of the virtual currency wallet service or another tool that the service provider is using to accept money/monetary Resources from the client or to store these Resources
- security policy
- policy for information on security incidents
- principles for the storage and protection of the clients’ property
- must abide by the principle of separation of assets
- must inform the client about the requirements related to the storage of property (including the property storage services offered by a third party)
- store data, manage registries and carry out accounting, to distinguish between the different assets of the client without undue delay;
- separate clients’ assets from the company’s own assets
Requirements for internal rules
A business plan for at least three years must be presented. The business plan must give information about at least the following:
- estimation of the financial success of the service provider;
- management structure;
- level of technical operations.
The internal rules must contain the following:
- rules for the internal handling of information and documents;
- conditions for the provision of the service;
- rules for managing conflicts of interest (depending on the aspects related to a specific service/activity, methods for solving the issues, rules for informing the clients);
- rules for handling breaches of obligations, giving notifications of these breaches, resolving consequences;
- rules for carrying out transactions and activities on behalf of the service provider and the clients;
- work assignments of employees;
- rules for subcontracting the activities related to the service;
- rules for managing the register, databases and handling of data;
- rules for IT systems, management of the systems of the client’s assets, including risk management rules;
- internal audits;
- rules for compliance (a person determined by the management board with whom an appropriate contract will be signed);
- procedures for the obligations arising from anti-money-laundering and terrorist financing laws;
- procedures for ensuring the security of sensitive data;
- overview of how the organisation intends to secure its continuous functioning without interruptions;
- internal procedures for accounting;
- procedures for handling the clients’ complaints, published on the website along with the template for the complaint (fast, reasonable, transparent, free of charge); in addition, the website must contain references to the Estonian Consumer Protection and Technical Regulatory Authority and the Financial Supervisory Authority.
Depending on the nature of the services provided by the company, the following topics may also be necessary in the internal policies:
- in the case of branches, the rules for ensuring compliance;
- if the service constitutes Exchange of virtual currency into money, then the company must disclose the price or the method which is used to determine the price;
- in the case of virtual currency service, the company must disclose to its clients (regularly) information about the orders and transactions, including information about the amount and price of the virtual currency which is the object of the transaction.
The service providers can hand the activities related to the offering of the service over to third parties if:
- it is not a case in which the members of management bodies are handing over their responsibilities and the interests of clients are not affected in a negative way;
- this does not have a negative impact on the activities of the service provider and the quality of the service does not suffer;
- the relevant third party has the necessary knowledge, skills and abilities;
- the relationship between the service provider and the clients, as well as the obligations towards the clients are not affected.
Accounting (audits) and the reports submitted to the Financial Supervisory Authority
Accounting and audits
- the accounting of the service provider must comply with the main conditions of accounting (Accounting Act, section 4) and it must be subject to audits;
- the audit company may be a member of the union of sworn auditors or it may be a sworn auditor acting as a self-employed person, who has been appointed to carry out a single audit or who has been appointed for a specific term (a maximum of 5 years, without the right to be appointed again).
The following information must be submitted to the Financial Supervisory Authority:
- annual report;
- copy of the report by the sworn auditor;
- suggestion and decision regarding the distribution of profit or the compensation for loss, as well as the minutes of the general assembly regarding the decision of confirmation/declining of the annual report (within 2 weeks following the general assembly of the shareholders)
- once in a quarter the balance report, profit report, report about own Resources, a report regarding the clients’ assets, report for transactions (NB! the documents serving as the basis for the reports must be retained at least 5 years).
The service provider must determine the storage period for the personal data (right to store the personal data until the termination of the service agreement or until the expiration of the deadline stipulated in the law)
The information about the processing of personal data must be made available on the website (notification obligation arising from the General Data Protection Regulation)
The service provider’s employees, shareholders, managers who have access to personal data must keep the personal data confidential without a specified term.
The supervision fee comprises the following:
1) fixed part of the capital (i.e. 1% of capital);
2) revenue created (determined as a percentage for a calendar year according to the regulation by the Ministry of Finance – 15 days after the confirmation of the budget by the Financial Supervisory authority).
The percentage intervals have been stipulated for different virtual currency service providers:
1) the percentage interval for a virtual wallet provider is 0,001-0,1 and the percentage will be calculated from the value of the virtual currency belonging to the client which is possessed by the service provider (e.g, if EUR 1,000,000 is possessed, then the supervision fee will be from EUR 1,000 to EUR 100,000);
2) the provider of a virtual currency exchange service has a percentage interval of 0,001-0,1 and the percentage will be calculated from the annual revenue of the provided service);
3) etc …
Termination of business activities, termination of the service provider
Upon commencing of activities, the service provider must develop and disclose the activity plan for the termination of business. This activity plan must be reviewed and updated at least once a year.
The termination of the service provider will take place only upon the consent of the Financial Supervisory Authority.