Compliance with Estonian AML rules among licenced crypto companies
NJORD Law Firm’s Regulatory team has compiled a summary of the annual report from the FIU that gives an overview of the statistics regarding AML-reports submitted last year and feedback to the licenced companies.
The Estonian Financial Intelligence Unit (FIU) has again compiled an overview of the reports sent to the FIU, this time for the year 2020 by virtual currency service providers (crypto exchanges and e-wallet providers).
Reports submitted in 2020
In 2020, virtual currency service providers sent a total of 530 reports to the FIU. During last year, there were around 370 licenced companies with a virtual currency service licence in Estonia, compared to 2019 when there were more than 1000 licenced companies and the FIU received 405 reports.
It is noteworthy that only 45 companies have submitted the 530 reports. This means that more than 300 companies have found nothing to report to the FIU during a full year.
Out of all the reports submitted, the reports concerning suspicious transactions for money laundering were the highest in numbers. These reports were followed by reports of unusual transactions and reports of unusual activities. There were a low number of reports regarding suspicion of terrorism financing, and most of these reports were related to high-risk countries. For the first time, reports concerning breach of international sanctions were submitted.
Most reports were submitted regarding the suspicion of the accuracy of data provided. The second most common reason for reporting was suspicion of an unusual transaction since it was not possible to perform the mandatory due diligence measures.
How did the FIU handle the reports submitted?
Only 2% of the reports were directed to an in-depth analysis by the FIU since, in most cases, the reports had no connection with Estonia. 9% of the reports were forwarded to different investigative bodies, which is a higher number than earlier years. 3% of the reports were shared with foreign institutions.
The FIU considers that knowledge of the reporting form and the content of the reports have improved. Sometimes a report has been mistakenly submitted with a “High Importance” tag. This is unnecessary if the transaction has already taken place or if no client agreement was ever made. The FIU emphasises that all reports must be submitted via their web form or via the X-road service. Roughly 10% of the reports were still submitted via e-mail. E-mailed reports are no longer accepted.
Feedback to the licenced companies – trends and what to improve
The FIU said that while fulfilling the reporting obligation has improved, the due diligence performed by the service providers is still weak, especially regarding the identification of the source of funds and the in-depth analysis of transactions.
The FIU expects all virtual currency service providers to monitor transactions related to dark web environments, as some of the virtual currency service providers already do.
The FIU points out that a new trend in the market is the emergence of persons who specialise in money laundering. Another trend is the use of virtual currency ATMs, which are often used in money laundering schemes.
The supervision by the FIU found that too many obliged entities do not use independent sources correctly when identifying the persons involved in a transaction. It should also be noted that when remotely identifying a person, a minimum of two sources must be used. In addition, there are shortcomings in identifying PEPs, their family members, or close associates. For that, reliable databases must be used. The FIU also notes that an efficient method that is too rarely used is interviewing the client.
There are also problems with data retention. Copies of documents used for personal identification must be retained, and this also applies to the correspondence with the client in the course of due diligence.
Another important issue is the proper monitoring of the business relationships over time and ensuring that rules of procedural and internal rules are legitimate and correspond with the actual activities of the licenced entity. Too many companies have procedures and rules in place that are not a good match with their actual business activities. It should be noted that the compliance officer needs to be competent and fit for the job. For example, there have been problems with communication between the FIU and the compliance officers since some of them do not speaks neither Estonian nor English at an acceptable level.
Source: “RAB tagasiside virtuaalvääringu teenuse pakkujatele - Ülevaade teadetest, mille Eesti virtuaalvääringu teenuse pakkujad aastal 2020 RAB-le saatsid, ja nende kasutamisest RAB poolt”, April 2021