The Estonian money laundering and terrorism financing prevention government committee approved at its scheduled meeting, on 28 April, the AML risk assessment (NRA) report. The government committee members also received an operational overview of the activities of the Financial Intelligence Unit, Financial Supervision Authority, Prosecutor’s Office and the Police and Border Guard Board, in the field of preventing money laundering, as well as preparations for the Moneyval evaluation.
The release of the AML risk assessment report is an important step in the fight against money laundering, according to the head of the government committee, Minister of Finance Keit Pentus-Rosimannus. “The cooperation of the public sector with entrepreneurs is important in mitigating the risks, established in the report. Virtual currencies, for example, that have been highlighted as with higher risk, require rapid regulatory changes, to better mitigate the risks. We must at the same time not entirely shut down the innovative sector in Estonia that is throughout the world developing very quickly. It is important to agree upon what kinds of crypto companies we want in Estonia, and which are undesired. The financial system of Estonia must be open to the law-abiding client and closed for violators of the law,” explained Keit Pentus-Rosimannus.
Below, we provide a brief summary made by RCA of the published risk assessment, focusing on the risks, problems, and possible solutions related to the virtual currencies and virtual assets that are mentioned in the report.
Estonia is specifically characterised by an exceptionally large number of subjects in the sector who have an activity licence issued in Estonia, but whose economic activities are directed outside Estonia, which is why the connection with the Estonian economy is very weak or completely non-existent. The Estonian state issues activity licences for virtual currencies without sufficient capacity to the subsequently verify compliance with the requirements of the activity licence and operational requirements (incl. due diligence obligations related to money laundering and terrorist financing). As a state, we take responsibility by “guaranteeing” the reliability of authorised companies, while without a real opportunity to prevent and manage the risks involved.
Virtual currency service providers in general are at the same time subject to many typologies, bearing the risks of money laundering, financing terrorists and weapons of mass destruction. Together with the aforementioned risk and the multitude of subjects, Estonia is currently exposing itself to high levels of financial crime and thus to a large risk of international reputation damage.
The virtual currencies field, combined with the possibilities of taking advantage of the Estonian e-Residency, creates a multi-layered anonymisation scheme where the potential for terrorist financing is very high and due to the structure of the sector, this theoretical risk cannot be eliminated by other hedging mechanisms than by making significant changes in regulations and supervision.
Demand and interest in virtual currency licences has not decreased, but on the contrary, it is on a growth trend again, despite the additional requirements for applying for licences that came into force in the summer of 2020. At the same time, the number of foreign inquiries has not decreased, which indicates that despite tightening the rules, suspicious transactions that attract the attention of foreign law enforcement authorities continue.
From be above, two conclusions can be drawn:
Although virtual currencies are a popular means of payment among money launderers, virtual currency service providers are able to identify and report such persons and transactions by implementing appropriate investments and mechanisms. Therefore, the risk assessors consider that there is still an overall risk of money laundering in the virtual currency sector, as the relevant investments, expertise, and motivation, excluding individual service providers, are still low in the sector as a whole. There are also shortcomings at the regulatory level, both nationally and globally.
As the regulation of virtual currencies differs from country to country, countries do not have the same overview or control capacity of the sector. For example, one party of a transaction is located in a country where the participants in the transaction are not identified or verified, and the transaction history related to a particular person cannot be provided or is weakly regulated, information is not available to the FIU, and cash flow monitoring becomes impossible. In a situation where the compliance program is too burdensome for the customer compared to the measures applied by competitors, the service provider’s business is not sustainable or profitable, leading to closures or less anti-money laundering and anti-terrorist financing measures.
Statistically, the risk assessment pointed out that most cases of money laundering offenses were related to predicate offences committed outside of Estonia, and generally the role of persons located in Estonia was to receive money transferred from abroad and transfer it to other persons. In essence, the share of crimes of so-called self-laundering and third-party laundering crimes were divided in half. While in the case of self-laundering, the predicate offenses were mostly computer crimes, scams, participation in a criminal organisation, in the case of third-party laundering, the offenses were computer crimes, scams and tax fraud.
It is generally considered that virtual currency service providers are able to identify and report suspicious transactions to supervisors when implementing appropriate investments and IT solutions. The necessary investment, competence and motivation in the field as a whole is rising, but its level is uneven. It is important to increase the risk awareness of companies operating in the field and their greater contribution to the management of the risks related to the field and to the development of appropriate regulations to ensure the legal functioning of the sector.
Activities related to virtual currencies are regulated in Estonia. At the same time, the level of market entry is relatively low and there are too many virtual currency service providers for a market of the size of Estonia (419 as of 31.12.2020). In addition, the fact that many companies with non-resident owners enter the service providers’ market to obtain a licence issued by a supervisory authority to demonstrate the controllability of their activities by a public authority and the legitimacy of their activities is problematic. However, the fact is explicit, as it is not possible to effectively supervise the activities of persons who are not located in the territory of the supervising state. It allows companies providing virtual currency services to operate as is convenient and convenient for their customers, notwithstanding the fact that they, as obligated parties, are subject to increased requirements in terms of preventing money laundering and terrorist financing.
The product offered with the service – the virtual currency – is by nature a rapidly evolving technology and changes owners digitally. Moving assets virtually is extremely fast and hiding traces is also easy using various asset mixers. Although the movement of virtual assets generally leaves a public trace, the wallet owners’ data is not public, and it is also difficult to trace the route of assets that have gone through mixers. In addition, it is easier to open virtual wallets, i.e., a pool of assets, than a credit institution’s account in different countries, which makes it a risk. Particularly, if the service provider has not applied appropriate due diligence measures to exclude persons with suspicious or criminal backgrounds from its customers and has not contributed to the establishment of effective monitoring systems to identify suspicious transactions.
The cryptocurrency is converted to different virtual currencies, and the final recipient’s virtual wallet number is usually hidden. It is possible to use various blockchain registers to monitor the movement of virtual currency, but since the address of the virtual number is not personalised, the efficiency of such registers is almost non-existent.
Digitally, the movement of monetary values is increasingly about the use of cryptocurrencies. In Estonia, as elsewhere in the world, criminals have increasingly used this opportunity to legalise their money using virtual currencies. There is less transparency about the owners of cryptocurrency wallets, and although the transactions are technically open to everyone, the people behind it remain anonymous. Blurring measures are used to hide transactions, which do not allow the movement of assets to be monitored. When cryptocurrency is transformed into so-called regular money (FIAT currency), the payer is usually an intermediary, and it may not be possible to see who the owner of the asset actually is. It is difficult for credit institutions and other financial service providers to verify the origin of assets if a company providing virtual currency brokerage has not properly complied with due diligence measures.
New digital services for electronic payments are constantly being added, such as virtual currency services, which are not regulated at the legislative level, and which make the supervisory activities of the responsible authority resource-intensive and complex. Therefore, there is also no complete assurance that their activities are controllable and transparent. As the location of many service providers as well as their activities have moved outside of the country, it would be necessary to find solutions here as well.
E-Residency allows foreigners to use Estonia for not recommended business activities, which allows them to hide the real content and purpose of the company’s activities and the beneficiaries. The use of e-Residency by third country nationals as part of immigration schemes has been observed in an attempt to make migrants more credible in the residence permit or visa process.
If Estonian credit institutions and payment service providers refuse to make cross-border payments, the person may use cross-border financial service providers for money laundering.
There are real cases where obligated persons give up the provision of services in Estonia because the requirements for identification hinder the provision of the service. This is a serious threat to Estonia’s competitiveness, but it allows the use of services from unregulated companies even more, i.e., it pushes the provision of the services “underground”. In the light of the above, the national risk assessment concluded that the identification requirements should be comprehensively reviewed to avoid unnecessary complexity, while at the same time properly managing the risks with a solution that may realistically be able to identify and manage risks.
A major problem is the issue of determining the status of a member of the management board. The law stipulates, and it is clear from the explanatory memorandum that the location is determined by the importance of the duties of a member of the board, i.e., the management board is located where substantive management takes place: important decisions are made and members of the management board performing support tasks may also be located abroad. In practice, it is difficult to determine how the areas of work and responsibilities of the members of the management board are really divided, as only explanations and documents that the members of the management board can produce can distort reality. In conclusion, there is a high risk that, for example, if a company has two members of the management board, the member of the management board located in Estonia is a front man for whom evidence has been submitted as a responsible member of the management board. According to the information received by the Estonian Police and Boarder Board, Estonian persons who are not actually involved in the company’s activities have been written on the management boards. In addition to the above, specific issues related to the status of a member of the management board, a contact person or an AML contact person have also been discussed:
A) A representative of the board as front man. The same person is a member of the management board in several virtual currency companies, i.e., more companies are created, but it is not clear why one person needs so many of them. From this, there is a suspicion that the member of the board may be a front man. Based on the current practice, an activity pattern emerges, where company service providers and law firms submit proper documentation when applying for an activity licence and after that they withdraw from the company’s management, often change the management body, introduce a board member who does not have substantive access to data.
B) Contact person as a front man. The contact person has been declared as a contact person in several companies, so it is not possible to ensure confidentiality in communication with supervisory and law enforcement authorities. There have also been cases where the contact person is a front man who does not know anything about the company’s activities. When a check is made, the person must always ask someone for more information, to which they should have direct access due to their employment.
C) The AML contact person of the virtual currency company does not have substantive access to the transaction information and does not have AML knowledge. The service of a law firm is often used, which has helped to apply for a licence, but which has no connection with day-to-day activities. The AML contact person is a front man with a minimum fee who does not have AML knowledge nor real access to the data.
The draft proposes to establish operational requirements and supervision in Estonia for:
As a public consultation of the draft took take place in the first half of 2021, it is currently unknown what the final text of the adopted law will be.
We wrote about these topics in our previous post.
In preparing the AML risk assessment, the following proposals, among others, were made to streamline the regulation related to virtual currencies and activities related to virtual assets:
The proposals and the solutions proposed are still too recent for us to set out a timetable for their specific implementation. However, we can be sure that the pressure from the state to increase the transparency of activities related to virtual currencies and to prevent money laundering and terrorism is growing. This, in turn, leads to the reorganisation of the market and increases the demand for high-quality legal services in the implementation of compliance functions in companies located in Estonia.
RCA offers its current and future customers a comprehensive list of AML and compliance services that ensure that the companies are staying between the legal boundaries of the Estonian law. Please feel free to reach out to us if you have any questions or inquiries related to the article or our services.