Cryptocurrency services

What does the enforcement of the MICA regulation bring to cryptocurrency service providers in Estonia?

Riin Stamm, Grant Thornton Baltic

According to the draft of the new Cryptocurrency Market Act, the Financial Supervision Authority (Finantsinspektsioon) will become the supervisory authority, and the administrative burden on market participants will increase.

VASPs (Virtual Asset Service Providers) with existing licenses cannot apply for a license in a simplified procedure, and the Financial Supervision Authority will conduct a new licensing procedure among all market participants. Cryptocurrency service providers can operate under the MLTFPA (Money Laundering and Terrorist Financing Prevention Act) license until July 1, 2025.

On August 21, the Ministry of Finance submitted the draft of the Cryptocurrency Market Act (CryptoMA) for consultation and commenting. The draft regulates operations and supervision over participants in the cryptocurrency market. The requirements aimed at the provision of cryptocurrency services and the application for offering or trading cryptocurrencies are regulated at the EU level by the European Parliament and Council Regulation MICA[1] (Markets in Crypto-assets Regulation).

The aim of the MICA regulation is to promote innovation and ensure fair competition, as well as to protect investors and enhance the reliability of cryptocurrency markets. MICA allows cryptocurrency service providers to operate under uniform rules in all member states.

Member State Options in the MICA Regulation

The purpose of the draft is to implement the MICA, TFR[2], and DORA[3] regulations at the national level. This will impact both existing and new participants in the cryptocurrency market. Below, we highlight the member state options described in the explanatory memorandum of the draft law during the implementation of the MICA regulation.

1. Appointment of the Competent Authority

According to the MICA regulation, each member state must designate a supervisory authority to ensure compliance with the requirements of the regulation. While a member state can designate multiple such authorities, one of them must be chosen as the central contact point. The draft law deliberated on the appointment of two authorities, the Estonian Financial Intelligence Unit (FIU) and the Financial Supervision Authority, for this role.

While the FIU currently oversees the activities of VASPs (Virtual Asset Service Providers), the competent authority according to the draft law will be the Financial Supervision Authority. The reasons for choosing the Financial Supervision Authority were as follows:

  • The requirements of the MICA regulation are similar to other EU financial sector regulations, especially MiFID. According to the interpretation of the MICA regulation, the provision of cryptocurrency services and the issuance of cryptocurrencies are intrinsically very close to the provision of financial services (particularly investment services). FIU does not currently deal with such supervision or control.

    Cryptocurrency issuance and sale, as well as the provision of cryptocurrency services, can be carried out by, among others, credit institutions, investment firms, and other financial sector market participants that are currently under the supervision of the Financial Supervision Authority. Assigning partial supervision to FIU in such a situation could lead to fragmentation of the supervisory model.

  • The MICA regulation recommends that supervision over e-money token issuers should be carried out by authorities that already monitor traditional e-money issuers. In the case of Estonia, this is the Financial Supervision Authority.

  • With the MICA regulation come various reporting and cooperation obligations with EU financial supervisory authorities, and currently in Estonia, the Financial Supervision Authority is their primary contact point.

  • Although the current impact of crypto services on financial stability is marginal, growth in their volume might lead to negative consequences. According to the MICA regulation, the widespread use of cryptocurrency can pose problems in several areas; hence, the competent authority may refuse to grant an operating license if it threatens financial stability or payment systems. Additionally, the authority can suspend the redemption of asset-based tokens. However, providing assessments in such matters is not within the competence of FIU.

  • For all other financial institutions, the competent authority for DORA is either the Financial Supervision Authority or the European Central Bank. If the FIU were the competent authority regarding MICA, they would also need to supervise the requirements of the DORA regulation, which would require them to establish an additional area of expertise, while the Financial Supervision Authority already has the relevant competence.

Additionally, the Financial Supervision Authority already partially supervises certain institutions for money laundering, so it would be logical for crypto service providers to fall under the same arrangement.

2. Simplified Procedure for Applying for a License

According to the MICA regulation, member states can implement a simplified licensing procedure for companies that have submitted an application within 18 months after the regulation comes into force and that have already provided crypto services based on national laws. In Estonia, this refers to those who already provided crypto services based on the MLTFPA (VASPs). However, before granting a license through a simplified procedure, the competent authority must verify that certain requirements of the MICA[4] regulation have been met.

According to the draft Estonian law, it is not possible to apply for a license through a simplified procedure because the licensing authorities have changed (FIU is the issuer of the license under current law, Financial Supervision Authority is the issuer of the new license). Therefore, it is not possible to ensure that the new competent authority, the Financial Supervision Authority, has a comprehensive overview of all the circumstances and risks associated with the subject, which could affect the licensing decision. Hence, the Financial Supervision Authority will conduct a full new procedure with regard to participants in the crypto market.

3. Public disclosure of inside information

Inside information is undisclosed information related to certain individuals or crypto assets, the disclosure of which would likely have a significant effect on the prices of these crypto or crypto-related assets (Article 87).

Under Article 88 of the MICA regulation, crypto asset issuers and other parties are allowed to delay the disclosure of inside information under certain conditions. If they decide to do so, they have an obligation to notify the competent authority and, after the information is disclosed, provide a written explanation for the delay. While member states can decide whether such an explanation should be submitted only upon request by the competent authority, Estonia has decided not to use this option. Instead, companies in Estonia must provide a written explanation immediately after the information is disclosed. This approach is also consistent with the Market Abuse Regulation (EU 596/2014), under which issuers must notify the competent authority themselves of a delay in disclosing inside information.

The draft technical standards regulating the disclosure of inside information are expected to be completed by the summer of 2024 at the latest, but § 39 of the existing draft law outlines substantial fines that can be imposed for breaches of the inside information disclosure requirements.

4. Transition to MICA

According to the MICA regulation, crypto asset service providers that have operated under previous legislation before the implementation of MICA (in Estonia VASPs under the MLTFPA) can continue to provide services based on their existing license for up to 18 months or until they are issued a new license under the MICA regulation. However, each member state can decide whether to use this exception or shorten its duration, especially if national regulation before the implementation of MICA was more lenient than MICA. Considering that the Estonian MLTFPA is somewhat more lenient than the MICA regulation, Estonia has decided that crypto asset service providers can operate under the MLTFPA license only until July 1, 2025.

As of July 25 this year, 78 companies have an operational license issued by the Estonian Financial Intelligence Unit to provide virtual currency services. Of these companies, about 17 have successfully completed the license renewal process in the past six months. However, since the validity of the MLTFPA licenses expires in less than two years, these companies will soon have to go through the licensing process again.

The draft of the cryptocurrency market law is available, along with its explanatory memorandum, through the electronic coordination system EIS at

The implementation of the draft law will bring changes to both current and new participants in the crypto market, increasing their administrative burden and altering their management structure (e.g. according to § 6 (2) of the draft, a new requirement is the existence of a three-member board even for a crypto market participant that is a limited liability company).





[4] Requirements set out in Section V, Chapters 2 and 3 of the MICA regulation
