Fintech 2026

ESTONIA Law and Practice Contributed by: Yuliya Barabash, Ivan Nevzorov, Daria Lysenko and Nikita Prokopenko, SBSB FinTech Lawyers

2.9 Gatekeeper Liability

Fintech companies can be considered gatekeepers but everything will depend on the nature of their services and their role in the infrastructure. In other words, a functional approach to their activities must be considered. Companies subject to licensing are required by regulatory requirements to monitor transactions, implement KYC and AML procedures, prevent abuse, etc, which effectively places them in the role of controllers of the legality of operations on platforms. At the same time, fintech companies are often not fully responsible for the activities of users if they act as technology or infrastructure providers. That is, if a business on the platform plays an active role in conducting transactions or storing assets, etc, the regulator may require a higher level of control for the purpose of risk management and consumer protection.

2.10 Significant Enforcement Actions

It should be noted that Finantsinspektsioon's approach to regulated companies is not only to ensure strict and consistent compliance, which can be achieved through the imposition of fines, but also to exert significant supervisory pressure. The regulator expects companies to strictly adhere to applicable principles, which are primarily aimed at protecting users, ensuring accessibility and managing risk. Equally important is the emphasis on AML and sanctions compliance. Here, the regulator notes that, in addition to a general approach, filtering approaches should also be applied for implementation in a specific business – ie, general approaches may not be sufficient.

The gradual implementation of MiCA in Estonia also leads to increased regulatory pressure and the cleansing of the market of companies that cannot meet the requirements. Thus, the regulator does not so much punish as weed out businesses, leaving only those that are able to operate within the specified framework.

2.11 Implications of Additional, Non-Financial Services Regulations

It is clear that, in addition to the direct requirements imposed on fintech businesses by direct regulation depending on the type of activity, other non-specialised regulations also apply to them, in particular Estonian national legislation and implemented EU legislation. Fintech businesses in Estonia must strictly adhere to the principles of user confidentiality in accordance with the GDPR – ie, all verification procedures must have a proper legal basis, transparent notifications, etc. In other words, there are no exceptions for fintech businesses, and the Estonian Data Protection Inspectorate oversees compliance.

The DORA regime, with its own requirements, has had the greatest impact on cybersecurity this year and last year. This is the main difference from other areas; even a fintech start-up must comply with a clear and strict regime similar to that applied to banks. Regarding the regulation of content on social networks, companies must comply with the requirements of the Digital Services Act, which imposes obligations regarding notice-and-action, transparency, handling of illegal content and, depending on the role of the service, requirements for online interfaces and advertising. In addition, for companies developing their own software, the Cyber Resilience Act (CRA) is important, as it sets relevant requirements and often shifts part of the regulatory burden to software development. Fintech businesses cannot limit themselves to licensing requirements, but must take into account a broader field in accordance with their activities.

2.12 Review of Industry Participants by Parties Other Than Regulators

Estonian fintech companies are subject not only to industry regulation in accordance with licensed activities. The companies are also subject to financial, technical and industry supervision. First and foremost, these are auditing and accounting partners, as a licensed company (eg, EMI or CASP) must submit annual audited financial statements in accordance with standards. Auditors check financial statements, internal compliance controls and risk management.

Technology and compliance service providers that provide KYC/AML solutions, payment infrastructure, etc also play an important role. Since they are subject to applicable regulations, fintech businesses are also

246 CHAMBERS.COM
