What happened?
Large Scandinavian banks were caught laundering money through their Estonian branches—this included Danske Bank and Swedbank. The Danske allegations trace all the way back to 2013 when a whistleblower attempted to bring to light what would become the largest money-laundering scandal ever recorded in human history.
What does this have to do with crypto, the FIU VASP licenses, and the cancelation of a swath of those licenses in June 2019? ABSOLUTELY nothing.
What types of stakeholders will be impacted by this?
Potentially all businesses holding or looking to acquire a VASP license in Estonia.
By the actual cancellations, which were carried out due to non-compliance of license holders as per the changes to the license requirements in line with AMLD5, only those entities that had not complied by the July 1st deadline.
Why does this matter?
It matters for a few reasons.
One, Estonia, the first country in Europe to create a new license regime for Virtual Asset Service Providers, as stipulated under one of the earlier AMLD5 drafts way back in 2017, did a self assessment and came to the realization that more stringent rules needed to be in place—and they did something about it.
(Incidentally, CoinMetro played a role here, as we held an event in our Tallinn-based offices in late 2018 where we urged the Finance Minister’s office to take action to raise the bar on its VASP licensees. In fact, we even helped with rewriting the applicable law.)
Two, more structure should mean more oversight, which should mean that banks in Estonia begin to re-examine the sector and potentially change their own internal risk policies, allowing them to actually service VASP businesses.
Three, it will clean up the crypto sector in Estonia which issued some 2,000 VASP licenses since its inception in November 2017.
Does this create new opportunities for stakeholders? If so, what might they be?
My estimation would be that 90% or more of the licensees that obtained their licenses prior to the new requirements coming into effect will lose them. These losses may be due to the fact that they are no longer needed given the clarifications to what businesses actually need to apply, due to non-compliance, or due to a voluntary renunciation.
What does this mean in practice? It means that companies who stay in or come to Estonia that are actually compliant will have the potential to thrive. The shift toward DLT, blockchain, and digital money is in motion and stories like this–like Danske–helped pave the way. In fact, legislative and regulatory bodies around the world have already started to change their perspectives towards VASPs.
When it comes to Danske and the monstrous money laundering scandal, we are once again being shown that many of the legislators, regulators, and the public may still believe the mistruth that crypto is mostly used to obfuscate nefarious money flows when in reality, it is actually a tool to stop money laundering…not enable it.
Does this change create new risks for industry stakeholders? If so, what should they be looking out for?
Yes and no. Risks were there for the ones trying to do the right thing. Attempting to gain market share in a regulated industry against a competitor that can simply do whatever they want is a difficult task; however, as the market becomes more regulated and as it matures, the risks will start to shift onto the companies that attempt to skirt or evade the law.
Having said that, the more compliant the market becomes, the more costs are involved to maintain compliance…which can put a large burden on entities of all sizes that may not have had these costs included in their own financial projections.
The bottom line is that unregulated financial products and markets that have large growth potential do not stay unregulated for long. If you are or plan to get into this market, you should look to other regulated markets to understand the costs and requirements that will be part of this industry in the near future.
How does this impact compliance teams, and what can they do to stay ahead of the regulatory requirements?
Compliance teams in crypto need to step up their game. There has been a lot of talk about AML and KYC and KYT, but this is just the tip of the iceberg. Crypto entities are slowly being asked to do the same level of compliance as their traditional counterparties, with the addition of proper on-chain transaction monitoring.
The thing is that the regulators, banks, and financial intermediaries are not up to speed on what that even means, they just know to ask if you are doing it. This means not only do you need to be running on-chain monitoring of all incoming and outgoing transactions, as well as creating policies and risk matrices in accordance with your own internal risk policies, but you also need to be proficient enough in the actual monitoring, flagging, and reporting of crypto transactions that you can teach the regulators, banks, or financial intermediaries how it’s done.
What can management teams or boards of directors do to stay ahead of these changes?
Make sure to keep up with the current rules and regulations—and adhere to them. If you are working in this industry, hire someone to take on this task as it is a full-time gig on its own.
Collaboration between the private and public sectors is the key to the long-term sustainability of the industry. When in doubt, consult a professional. Not knowing the law is never an excuse, and in the end, you will always be held responsible.
What can service providers do to help their clients stay ahead of these changes?
Service providers need to be honest with their clients. No sugar-coating, no looking for the easy way out—help them get compliant and help them improve the industry from the inside out.
Consultants need to stay informed and make sure they keep their clients informed as well. One thing is for sure: participation at the public sector level is and should be a focal point.
Service providers have a wide berth of clients and thus can share those clients’ needs and questions directly with legislators and regulators that govern and help shape this industry. It is in their and their clients’ best interests that they participate in the discussion to ensure that both sides understand each other. Everyone in a regulated industry likes to blame the regulators, but if you do not take part in the process, you too are to blame.
