ESTONIA Trends and Developments Contributed by: Yuliya Barabash, Ivan Nevzorov, Daria Lysenko and Nikita Prokopenko, SBSB FinTech Lawyers
• Prudential capital standards – Minimum share capital must be fully paid-up and maintained at levels of EUR50,000 to EUR150,000, depending on the specific services offered (custody, exchange or transfers). • Substance and local nexus – The regulator (EFSA) requires a verifiable presence, including a function - al physical office in Estonia and local staff. • Fit and proper management – The management board of a CASP shall have at least two members. The management board must include local resi - dents who possess the necessary expertise and a clean professional record. In addition, a CASP that is a private limited company shall have a supervi - sory board of at least three members. (A CASP that is a private limited company shall not have a super - visory board unless it provides custody and admin - istration of crypto-assets on behalf of clients.) • Risk management framework – Companies must implement comprehensive AML/CFT protocols, overseen by a dedicated local compliance officer and verified by an internal auditor. • Travel rule – The CASP shall comply with the requirements set out in Regulation (EU) 2023/1113 of the European Parliament and of the Council on information to be transmitted in connection with transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849. • Policies and procedures – Detailed policies are required, specifying the company’s business activ - ity, such as programme of operations; custody and administration policy; segregation of clients’ crypto-assets policy; pricing and commercial policy; outsourcing policy; operating rules for trad - ing platform, etc. • IT and security requirements – While MiCA focuses on the operational and regulatory framework for crypto-asset providers, DORA (Regulation (EU) 2022/2554) adds a layer of compliance that is essential for ensuring digital operational resilience, by imposing strict requirements on ICT risk man - agement, incident handling, third-party oversight, and digital resilience testing. Procedure The regulatory roadmap for securing a licence is divid - ed into several critical phases.
1. Corporate structuring – Incorporation of an Esto - nian legal entity and the initial deposit of the required share capital. 2. Compliance engineering – Development of custom - ised internal policies, including a detailed two-year business plan (programme of operations), IT security audits and data protection manuals. 3. Formal filing – Submission of the application pack - age to the EFSA. 4. Regulatory scrutiny – An assessment period of approximately four to six months, during which the EFSA evaluates the “fitness and propriety” of the own - ers and the resilience of the business model. In prac - tice, it could take up to 12 months. 5. Final authorisation – Upon approval, the firm is granted CASP status and can commence operations across the EU (cross-border provision of services). Timeline According to MiCA requirements, the following dead - lines apply, during which EFSA is supposed to review the application and make a decision. For ARTs , the EFSA review process is as follows: • 25 business days to assess completeness of the application; and • 60 business days to assess whether requirements are met. The procedure may be paused for up to 20 business days if additional questions arise. For other crypto-asset services (CASP), the process allows: • 25 business days to assess completeness; and • 40 business days to assess compliance with MiCA and MCAA. The time limit may be paused for up to 20 business days.
262 CHAMBERS.COM
Powered by FlippingBook