500 Estonian Crypto Companies Lose Permits After $220B Scandal: Expert Review
Kevin Murcko of CoinMetro reviews the major money-laundering scandal of Scandanavian banks and how Estonia crypto and VASPs have been affected
What happened?
Large Scandinavian banks were caught laundering money through their Estonian branches—this included Danske Bank and Swedbank. The Danske allegations trace all the way back to 2013 when a whistleblower attempted to bring to light what would become the largest money-laundering scandal ever recorded in human history.
What does this have to do with crypto, the FIU VASP licenses, and the cancelation of a swath of those licenses in June 2019? ABSOLUTELY nothing.
What types of stakeholders will be impacted by this?
Potentially all businesses holding or looking to acquire a VASP license in Estonia.
By the actual cancellations, which were carried out due to non-compliance of license holders as per the changes to the license requirements in line with AMLD5, only those entities that had not complied by the July 1st deadline.
Why does this matter?
It matters for a few reasons.
One, Estonia, the first country in Europe to create a new license regime for Virtual Asset Service Providers, as stipulated under one of the earlier AMLD5 drafts way back in 2017, did a self assessment and came to the realization that more stringent rules needed to be in place—and they did something about it.
(Incidentally, CoinMetro played a role here, as we held an event in our Tallinn-based offices in late 2018 where we urged the Finance Minister’s office to take action to raise the bar on its VASP licensees. In fact, we even helped with rewriting the applicable law.)
Two, more structure should mean more oversight, which should mean that banks in Estonia begin to re-examine the sector and potentially change their own internal risk policies, allowing them to actually service VASP businesses.
Three, it will clean up the crypto sector in Estonia which issued some 2,000 VASP licenses since its inception in November 2017.
Does this create new opportunities for stakeholders? If so, what might they be?
My estimation would be that 90% or more of the licensees that obtained their licenses prior to the new requirements coming into effect will lose them. These losses may be due to the fact that they are no longer needed given the clarifications to what businesses actually need to apply, due to non-compliance, or due to a voluntary renunciation.
What does this mean in practice? It means that companies who stay in or come to Estonia that are actually compliant will have the potential to thrive. The shift toward DLT, blockchain, and digital money is in motion and stories like this–like Danske–helped pave the way. In fact, legislative and regulatory bodies around the world have already started to change their perspectives towards VASPs.
When it comes to Danske and the monstrous money laundering scandal, we are once again being shown that many of the legislators, regulators, and the public may still believe the mistruth that crypto is mostly used to obfuscate nefarious money flows when in reality, it is actually a tool to stop money laundering…not enable it.
Does this change create new risks for industry stakeholders? If so, what should they be looking out for?
Yes and no. Risks were there for the ones trying to do the right thing. Attempting to gain market share in a regulated industry against a competitor that can simply do whatever they want is a difficult task; however, as the market becomes more regulated and as it matures, the risks will start to shift onto the companies that attempt to skirt or evade the law.
Having said that, the more compliant the market becomes, the more costs are involved to maintain compliance…which can put a large burden on entities of all sizes that may not have had these costs included in their own financial projections.
The bottom line is that unregulated financial products and markets that have large growth potential do not stay unregulated for long. If you are or plan to get into this market, you should look to other regulated markets to understand the costs and requirements that will be part of this industry in the near future.
How does this impact compliance teams, and what can they do to stay ahead of the regulatory requirements?
Compliance teams in crypto need to step up their game. There has been a lot of talk about AML and KYC and KYT, but this is just the tip of the iceberg. Crypto entities are slowly being asked to do the same level of compliance as their traditional counterparties, with the addition of proper on-chain transaction monitoring.
The thing is that the regulators, banks, and financial intermediaries are not up to speed on what that even means, they just know to ask if you are doing it. This means not only do you need to be running on-chain monitoring of all incoming and outgoing transactions, as well as creating policies and risk matrices in accordance with your own internal risk policies, but you also need to be proficient enough in the actual monitoring, flagging, and reporting of crypto transactions that you can teach the regulators, banks, or financial intermediaries how it’s done.
What can management teams or boards of directors do to stay ahead of these changes?
Make sure to keep up with the current rules and regulations—and adhere to them. If you are working in this industry, hire someone to take on this task as it is a full-time gig on its own.
Collaboration between the private and public sectors is the key to the long-term sustainability of the industry. When in doubt, consult a professional. Not knowing the law is never an excuse, and in the end, you will always be held responsible.
What can service providers do to help their clients stay ahead of these changes?
Service providers need to be honest with their clients. No sugar-coating, no looking for the easy way out—help them get compliant and help them improve the industry from the inside out.
Consultants need to stay informed and make sure they keep their clients informed as well. One thing is for sure: participation at the public sector level is and should be a focal point.
Service providers have a wide berth of clients and thus can share those clients’ needs and questions directly with legislators and regulators that govern and help shape this industry. It is in their and their clients’ best interests that they participate in the discussion to ensure that both sides understand each other. Everyone in a regulated industry likes to blame the regulators, but if you do not take part in the process, you too are to blame.
Author — KEVIN MURCKO
Kevin Murcko is the Founder & CEO of CoinMetro and widely considered a thought leader in FX, crypto, blockchain, and financial regulation that focuses on removing barriers and bringing substantive change to capital markets globally. Kevin does not just talk the talk, he actually walks the walk, frequently advising regulators and government bodies on matters relating to applying current regulations to new financial markets and instruments, regulatory sandboxes, and related topics.
learn more
Is your AML compliance too expensive, time-consuming, or ineffective?
iComply enables financial services providers to reduce costs, risk, and complexity and improve staff capacity, effectiveness, and customer experience.
Request a demo today.
GDPR and Your Verification Solutions: Ensuring Compliance and Data Security
GDPR and Your Verification Solutions: Ensuring Compliance and Data Security The General Data Protection Regulation (GDPR) has significant implications for how financial and legal service providers handle personal data during client onboarding. While KYC/AML...
Ensuring Data Privacy in KYC Compliance: Key Steps and Best Practices
Data privacy compliance is a critical aspect of operating in today's digital landscape. Protecting personal data and adhering to regulatory requirements helps build trust with customers and avoid legal repercussions. Implementing...
Understanding the General Data Protection Regulation (GDPR) for Business Compliance
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that impacts businesses operating within the European Union (EU) and those handling EU citizens' data. Ensuring compliance with GDPR is crucial...