
The FATF’s Travel Rule in Estonia

04 Oct, 2022

Estonia has joined the list of countries that have implemented the Financial Action Task Force’s (FATF’s) Travel Rule.

Estonia’s Ministry of Interior Affairs first began issuing crypto licenses in 2017. In 2020, this responsibility shifted to the Ministry of Finance’s Financial Intelligence Unit (FIU). 

On 15 March 2022, Estonia announced they would implement the Travel Rule (Recommendation 16). This implementation was one of the speediest to date; Estonian virtual asset service providers (VASPs) had a mere 3 months to get their organisations in order.  

Estonia has modelled its Travel Rule on the FATF’s Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers, with some significant differences: there is no de minimis threshold, and VASPs are not required to collect and transmit any personal information about the beneficiary person in the transaction.

Below we will go into further detail as to the main aspects of Estonia’s Travel Rule. 

Please note: The Money Laundering and Terrorist Financing Prevention Act uses the following terms instead of the FATF’s equivalents.

For the purpose of this article, we have followed the terms used by the FATF. 

Estonia’s Money Laundering & Terrorist Financing Prevention Act | Financial Action Task Force (FATF)
Provider | Originator
Recipient | Beneficiary
Virtual currency service provider | Virtual asset service provider

What Does This Mean for VASPs, Foreign and Local?

Estonia’s Travel Rule amendments target VASPs operating and registered in Estonia. 

Foreign VASPs wishing to provide services in Estonia will need to register their company in Estonia to operate. 

Examples of VASPs include: 

  • Crypto exchanges.

  • Crypto transfer providers.

  • Any services related to the issuance of virtual currency.

Initially, Estonia offered 2 different licences to crypto exchanges depending on their functions (the Virtual Currency Exchange Service License and the Virtual Currency Wallet Service License). This process has now fallen away, and only one license is issued: the Estonian Cryptocurrency Exchange License. 

In order to apply for the Estonian Cryptocurrency Exchange License, VASPs are to meet more stringent requirements; a full list is available in Chapter 8 of the Money Laundering and Terrorist Financing Prevention Act. However, below is a non-exhaustive list of relevant items in the Act: 

  • The Company is to be registered in Estonia.

  • The Company’s business plan (§ 70.1) needs to stipulate the intended business activities, along with operational procedures and the expected spending for each area of activity.

  • A description of the information technological system and any other technical system that will be used to operate the business.

  • A clear outline of their intended security measures to ensure protection of the customer’s assets. 

  • Information on the business’ assigned audit firm. The provided document should include the name and the internal auditor’s personal identity code or personally identifiable information (PII). 

  • A share capital of at least EUR 100,000 for virtual currency exchange services and EUR 250,000 for virtual currency transfer services (§ 72.1). 

What FATF Travel Rule Information Needs to Be Exchanged in Estonia?

Estonia is following the FATF’s Travel Rule list of information to be exchanged, with one exception: it does not require VASPs to collect and transmit any personal information about the beneficiary customer (§ 25) in certain circumstances.  

When performing a transaction, the VASP is to collect and retain the following information from the originator customer:

  • Full name,  

  • Unique transaction identifier (a combination of letters, numbers or symbols assigned by the virtual currency service provider), 

  • Identifier of payment account or virtual currency wallet,

  • Identity number, as per identity document, 

  • Address or date of birth. 

In normal circumstances, the VASP will be required to collect and retain the following information from the beneficiary customer: 

  • Unique transaction identifier, 

  • Identifier of payment account or virtual currency wallet.

As per the terms stipulated within the Money Laundering and Terrorist Financing Prevention Act, when the beneficiary’s VASP is unable to receive or process the required information, or if the beneficiary uses an unhosted wallet (self-hosted wallet), the obligation will fall upon the originator VASP (§2.7). 

Additionally, the originator VASP will need to prove that they have used an appropriate technical solution to monitor the transaction in real-time and that a thorough risk analysis has been conducted (§25. 2.8). 

The Estonian Ministry of Finance reiterates that personal data collected along with the transaction shall be protected under the Estonian Personal Data Protection Act and Europe’s General Data Protection Regulation.


What Does This Mean for Unhosted Wallets in Estonia? 

As mentioned above, if a beneficiary uses an unhosted wallet, PII will not need to be requested. The originator VASP is expected to perform a risk-based assessment (as per the FATF’s guidelines) of the transaction before proceeding.

If the transfer takes place from an unhosted wallet to a VASP, regardless of whether the originator and beneficiary are one and the same, the VASP will be required to request PII from the originator (§10.2).

If the transaction to or from that client's unhosted wallet takes place regularly or if the value is high, flags may be raised, and PII can be requested from the beneficiary. 

Which Estonian Regulation Body Is Responsible? 

Estonia will rely on more than one regulatory body to regulate crypto companies, as various Estonian agencies regulate different cryptocurrency activities. A list of responsible parties includes: 

Check out our Travel Regulations Page for further information on the global implementation of the Travel Rule. 

Written by:
The Content Team