Estonia -- Sanctions Compliance Regulatory Overview

Estonia regulates cryptocurrency primarily through the Money Laundering and Terrorist Financing Prevention Act (AML Act), supplemented by the EU's Markets in Crypto-Assets (MiCA) regulation and the national Crypto Asset Market Act (CMA or Crypto Markets Act), with VASPs (Virtual Asset Service Providers) required to comply with OFAC, EU, and UN sanctions as part of AML/CFT obligations. All VASPs must obtain licenses from the Financial Intelligence Unit (FIU) until July 1, 2026, after which MiCA-compliant authorization from the Estonian Financial Supervision and Resolution Authority (EFSRA, also referred to as Finantsinspektsioon or Estonian FSA) becomes mandatory, treating crypto firms similarly to financial institutions.[1][2][3][5]

OFAC/EU/UN Sanctions Compliance for VASPs

VASPs must implement a risk-based approach including continuous transaction monitoring and screening against UN and EU sanctions lists (no explicit mention of OFAC in Estonian sources, but EU membership implies alignment with international standards via EU lists).[1][3] This involves customer due diligence (CDD/KYC), identifying customers, and reporting suspicious activities to the FIU within two working days, plus reporting cash transactions over €32,000.[1][2]

Sanctioned Entity Screening Obligations

• Firms must screen customers and transactions against UN and EU sanctions lists, tailoring controls to risk profiles.[1]
• Appoint an AML officer with financial sector experience and ensure at least one management board member is an Estonian resident.[2]
• VASPs provide services like virtual currency exchange or wallet services and must maintain internal controls, annual financial reports, and independent audits.[2][4]

Geographic Restrictions

No explicit geographic restrictions on crypto activities are detailed beyond prohibiting dealings with sanctioned entities under EU/UN lists; operations require a physical headquarters in Estonia for licensing.[1][4] Crypto-assets are not legal tender but treated as property/digital assets.[1][3]

Penalties for Violations

The Crypto Asset Market Act (Chapter 8: Liability; Chapter 7: Supervision) and MiCA establish significant penalties for breaches, including non-compliance with AML/CFT, licensing, or sanctions screening; specific fine amounts are not quantified in sources, but enforcement includes license revocation (e.g., over 1,000 licenses revoked in 2020).[3][4][5] Supervision by FIU (AML) and EFSRA (MiCA from 2025) includes investigations and compliance checks.[1][2]

Country-Specific Sanctions Lists for Crypto

Estonia relies on EU and UN sanctions lists integrated into AML Act requirements, with no unique national crypto-specific sanctions lists identified; screening is mandatory for VASPs under FIU/EFSRA oversight.[1]

Key Legal References (official Estonian sources not directly provided in results; summaries based on available data):

• Money Laundering and Terrorist Financing Prevention Act (AML Act): Primary AML/CFT framework.[1][3][4]
• Crypto Asset Market Act (CMA): Implements MiCA, penalties in Chapters 7-8; full transition by July 1, 2026.[5]
• EU MiCA Regulation: Overarching for crypto services.[1][5] For primary texts, consult Estonian FIU/EFSRA or EU portals (e.g., eur-lex.europa.eu for MiCA), as secondary sources confirm these without direct URLs.[1][5] Regulations have evolved, with tightened licensing since 2017-2020.[3][4]