1. Initial Coin Offerings in Estonia
The hype of Initial Coin Offerings (“ICOs”) and Token Generation Events (“TGEs”) has permeated Estonia, and requests for legal support on the matter have created challenges not only for the authorities but also for advisors to ICOs. The amount of money raised via ICOs in the first quarter of 2018 has already surpassed the figure for the entire year of 2017.1 According to an Ernst & Young report,2 as of December 2017 only USD $63 million had been raised by Estonian entities. Yet relatively speaking, the number of companies registered in Estonia for ICOs is considerable. According to statistics from the law firm NJORD,3 as of May 2018 there were already at least 49 companies registered in Estonia raising funds through ICOs, and they had raised a total of USD $335 million.
ICOs took Estonia by storm starting in the summer of 2017. The exact point in history can be traced to the U.S. Securities and Exchange Commission’s issuance of an investigative report on Decentralized Autonomous Organization (“DAO”) tokens and their qualification as securities.4 The ICO “gold rush” was strongly encouraged by a blog post in August 2017 by Kaspar Korjus, the managing director of Estonia’s E-residency programme, who stated that Estonia was considering the creation of a national “estcoin” and aiming to be the first country to launch its own ICO.5 Korjus followed up with another blog post later in December 2017, around the height of bitcoin’s price, titled “We’re planning to launch estcoin — and that’s only the start.”6
The Chinese government’s ban of ICOs in early September 2017 also created a further influx of Asian ICO projects to Estonia.
The overall reaction to ICOs in Europe was comparatively much slower, and the European Securities and Markets Authority (“ESMA”) issued a statement only on November 13, 20177 to warn about risks related to ICOs, which was followed by a reiteration of the statement on February 12, 2018 and March 20, 2018.8
The Estonian Financial Supervisory Authority (“FSA”) reacted more quickly, and by June 2017 it had already issued its first warning to Polybius Foundation OÜ, characterizing the company’s ICO as an initial public offering of securities. By that time Estonia had already been the site of its first Bitcoin & Blockchain Conference organized by the Russian company Smile Expo, where Polybius Foundation OÜ had actively promoted the credit institution planned with ICO-raised funds.
Following its first warning, the FSA quite surprisingly took a supportive stand and merely issued an explanation on ICOs on its website in August 20179 followed by a recommendation to consult with legal advisors prior to initiating an ICO in September 2017,10 and a use case analysis for users of virtual currencies or organizers of ICOs in March 2018.11
A second warning was issued by the FSA in January 2018 regarding an ICO by CryptoFinance OÜ, which the FSA had characterized as an initial public offering of securities.12 As of May 2018 there is no public information on whether Polybius Foundation OÜ or CryptoFinance OÜ were ultimately prosecuted or fined for any illegal activity.
Beyond national and regional laws, lawyers consulting businesses on ICO launches in Estonia have had to contend with a number of factors, including: (1) Estonia’s reputation as a blockchain country and its E-Residency Project; (2) the Otto Albert de Voogd case;13 and (3) public procurements by the European Bank for Reconstruction and Development (“EBRD”) and the Ministry of Finance. One must also consider two other timely events—(1) in the summer of 2017, Estonia had just begun its Presidency of the Council of European Union,14 and most high-ranking officials were occupied with this development; and (2) the EU was preparing for Brexit, and all Member States were looking for ways to gain advantages in the process. Both Brexit and the EU Presidency were pressure points for Estonia; the Presidency created a further marketing bubble within the EU as Estonia was on everyone’s radar, while Brexit created opportunities and competition among Member States seeking to become the next financial capitals of the EU in the UK’s wake.
2.1.1 Estonia as a Blockchain Country
In March 2017, Wired UK named Estonia as the “most advanced digital society in the world,”15 inviting UK residents on the eve of Brexit to become e-residents of Estonia. The legend of e-Estonia,16 the digital nation, has been promoted by the state for years. What is true is that the Estonian state took its first steps towards immutability and securing the integrity of ledgers soon after cyber attacks against Estonia in 2007. These attacks led the Estonian government to begin testing a technology then called “timestamping,” and now referred to as Keyless Signature Infrastructure (“KSI”), developed by Guardtime. Among the fundamental concepts behind the Bitcoin protocol is that of linked timestamping. Two cryptographers on the Guardtime team, Ahto Buldas and Märt Saarepera, were the first to provide scientific evidence in 2003 regarding the hash-functions and data structures needed for formal security proofing. Operationally, the timestamping technology was first employed in official state-maintained registries as early as 2012.17
2.1.2 E-Residency Project
The E-Residency Project pre-phase started in 2014 as state officials Taavi Kotka, Ruth Annus and Siim Sikkut submitted a proposal to the Estonian Development Fund’s idea competition. The proposal was named “10 million e-Estonians by 2025” and won the competition prize, a monthly stipend for one year that enabled hiring towards the development of the concept of issuing identity cards to foreigners who were also non-residents.
As of May 2018, the statistics show that 33,438 individuals have applied to become e-residents of Estonia from 154 different countries.18 Much of the E-Residency Project has been a massive marketing campaign to invite foreign non-residents to apply for the Estonian ID-card. In many respects, the entire e-service sector and its marketing both in public and private have seen many changes since the start of the E-Residency Project.
According to a recent study by Deloitte: “The e-residency program has brought Estonia an estimated €14.4 million in income, including €1.4 million in net income and €13 million in net indirect socio-economic benefits.”19 It is estimated “the program may bring an estimated €31 million in net income and €194 million in net indirect socio-economic benefits by 2021.”20 According to a media monitoring study, E-Residency is one of the most reported topics regarding Estonia and the most popular topics regarding Estonia in social media.21
Next, Kaspar Korjus proposed the “Estcoin”:
... estcoins were proposed as a way to raise money and support for the development of our digital nation from more people around the world. We would also want to structure the tokens so that they help build our e-resident community and incentivise our own key objective, which is to increase the number of companies started in Estonia through e-Residency.22
Estcoin remains in the conceptual phase. Its marketing hype re-triggered strong global interest in ICO launches in Estonia. The E-Residency Project has continued tying its marketing efforts to blockchain technology and building Estonia’s reputation not only as a digital nation, but a blockchain nation, stirring a further influx of related corporate activity.23
2.2 Otto Albert de Voogd Case
Culminating in an Estonian Supreme Court decision24 was the case of a Dutch citizen residing in Estonia, Otto Albert de Voogd, who had registered the domain name btc.ee and in early 2014 offered the possibility to buy or sell bitcoins on the site. The site stated that the office of the operator was registered in Tallinn, Estonia. Nowadays the site depicts the legal battles of de Voogd and all of his communications with the authorities, court documentation, speeches at hearings, and rulings of several instances up to the final decision of the respective authority to close its investigation on him.
The case began on February 13, 201425 when the Financial Intelligence Unit of the Estonian Police and Border Guard (“FIU”) contacted de Voogd, characterizing his activities of selling and buying of bitcoins as the provision of alternative means of payment service under the Estonian Money Laundering and Terrorist Financing Prevention Act (“MLPA”). This meant that de Voogd fell under the supervisory authority of the FIU, and the FIU sought “Know Your Customer” (“KYC”) documentation. On March 24, 2014 the FIU issued a precept against de Voogd, in response to which he filed a complaint with the administrative court. It generally stated that the dispute was over whether the MLPA norms were in line with EU law, sufficiently clear, and/or applicable at all.
De Voogd lost the complaint at the highest court of Estonia on April 11, 2016 and on April 21, 2016 the FIU dropped the investigation and pursuit to obtain the KYC documentation for the following reasons: (i) de Voogd had suspended his activities, (ii) he had left Estonia permanently, and last but not least (iii) he had understood the content and effect of the MLPA.26 Throughout the case, de Voogd refused to provide any data on the grounds of the self-incrimination defense.27
The legal dispute centered around Section 6 subparagraph 4 of the MLPA, which defines an alternative means of payment service provider as:
a person who in its economic or professional activities through communications, transfer or clearing system buys, sells or mediates means of monetary value by which financial obligations can be performed or which can be exchanged for an official currency who is not a [credit institution] or a financial institution for the purposes of the Credit Institutions Act.28
Under the MLPA, in case a person was identified under the law as an alternative means of payment service provider, and if the value of the transactions of the customer of the obligated person exceeded 1,000 euros per calendar month, the obligated person needed to identify and verify each customer while being present at the same place as the customer (face-to-face identification).29
Yet under section 12 (2) and 15 (1) of the MLPA, the foreign currency exchange service providers were also obliged to comply with enhanced due diligence measures on the basis of face-to-face meetings, but only starting from 15,000 euros for cash transactions. This meant that foreign currency exchange services and virtual currency exchange service providers were treated differently, and virtual currency operators faced discrimination. However, this issue received little attention during the dispute.
Interestingly, the final ruling in the de Voogd case came on April 11, 2016, while on July 16, 201630 the deletion of the face-to-face requirement entered into force by amendments of the MLPA lobbied by the E-Residency Project to ease the opening of bank accounts by e-residents. Furthermore, the entire legal act and the legal norm that was the source for the de Voogd case was repealed, and an entirely new MLPA (New MLPA)31 based on the 4th AML Directive32 as well as proposals to amend it entered into force on November 27, 2017. With this New MLPA, Estonia introduced two new licenses for crypto-business:
(i) providing services of exchanging a virtual currency against a fiat currency;
(ii) providing “virtual currency wallet service,” which means the service in the framework of which keys are generated for customers or customers’ encrypted keys are kept, which can be used for the purpose of keeping, storing and transferring virtual currencies.
The norms on virtual currency were based on the European Commission’s proposal33 to amend the 4th AML Directive (“Proposal”). The Proposal is aimed at designating virtual currency exchange platforms as obliged entities34 for the first time under EU law, stating surprisingly that:
Virtual currency transfers are currently not monitored in any way by public authorities within the EU, as no specific binding rules have been laid down, neither at Union level nor by the individual Member States, to set out conditions for such monitoring.
The Proposal confirms that virtual currency exchange platforms and custodial wallet providers were previously not under the scope of the AML Directive35 and to the knowledge of the Commission also none of the Member States had ever addressed any regulation to these entities prior to this Proposal.
2.3 Initiatives from the E-Residency Project and Estonian Ministry of Finance
Prior to the Global Festival, the E-Residency Project, the Ministry of Finance (“MOF”) and FinanceEstonia had separately organized a few meetings to discuss what applies to ICOs and possible ICO regulation. FinanceEstonia had invited among its member organizations interested companies, and the MOF had handpicked a few law firms, NASDAQ and FSA representatives, along with one fintech startup representative from Funderbeam36 and one ICO organizing company representative from Agrello. The E-Residency Project included its community leaders and supporters in this discussion in addition to law firms.
Along with these initiatives, the MOF applied for funding from the Structural Reform Supportive Service (“SRSS”) of the European Commission and the EBRD to organize public procurements on related topics. One procurement, launched by the MOF in the first week of March 2018, was related to Estonian capital market diagnostics. According to a MOF press release, the procurement winners “will conduct an overall Estonian capital market diagnostic covering all aspects of capital markets including debt, equity, money markets, derivatives, capital market infrastructure, investor base, and financial intermediaries as well as the general legal and regulatory environment.”37 The aim of the project was to assess the ecosystem (also legal and regulatory frameworks) and identify barriers for development as well as possible improvement avenues. The project is motivated by the Estonian government’s wish “to improve the efficiency and the attractiveness of its financial markets even further by using innovative approach so that the end-users, such as SMEs, can access to the capital markets easily and directly.”
The second procurement was not yet published prior to the Global Festival, but an invitation to the Discuss Track stated:
On 6th of December 2017 the Ministry of Finance and Financial Supervisory Authority (FSA) brainstormed on ICOs on the basis of European Commission Structural Reform Support the Ministry of Finance applied for funding of a project, “Opening Estonian Regulatory Framework for Innovative Technical Solutions,” which is targeted to developing a favorable legal framework for crowdfunding and alternative infrastructure. The Commission granted the funds for the project appointing EBRD as the main service provider. EBRD will procure publicly for the required financial technology experts and legal experts. The aim of the procurement will be to analyze and submit ideas, suggestions and proposals to amend the legal acts.
Topics covered in the above mentioned project have a potential overlap with the need to bring legal certainty to ICOs, and consequently, these initiatives should be coordinated. As the next step it is foreseen that relevant stakeholders should take the lead in drafting Best Practices for ICOs based on international standards. This could be followed by FSA’s guidelines and the Ministry of Finance leading the process of amending the relevant legal acts.38
The second procurement was published on June 5, 2018 and is very fintech-oriented, stating:
Estonia has been focused on promoting innovation for many years through its “e-Estonia” movement, growing from the public sector and now into the private sector. The country is now trying to improve the efficiency and accessibility of its financial markets through the implementation of innovative technological solutions or FinTech.39
The second procurement also is aimed at analyzing the Estonian legal and regulatory framework, but for the purpose of identifying the barriers to implementing innovative technology, and is much more focused on creating a “live testing environment or ‘sandbox’ to test the technology and FinTech companies against regulation.”40
3. Discuss Track Discussion
The following private sector initiatives for managing risks related to ICOs were discussed at the Legal Hackers Computational Law and Blockchain Global Festival on March 15, 2018 in Tallinn, Estonia.
3.1 Smart Contracts and Protocol
One proposed idea involved leaving the domain of the ICOs to be merely regulated by distributed ledger technology-based smart contracts or private regulatory framework of the network, which is built into the protocol. This idea builds on the lex cryptographica concept41 coined by Primavera de Filippi and Aaron Wright, of allowing the protocol itself to be the regulation of these transactions.
3.2 ICO Best Practices and SRO
The least intrusive alternative, and the one maintaining the most flexibility in the approach, would be to let the industry self-regulate.
One option for Estonia is to follow the same example as was adopted in crowdfunding. FinanceEstonia was active in drafting Best Practice Guidelines for Crowdfunding, with the context of crowdfunding as a sort of self-regulating organization on the market, issuing annual Best Practice Guidelines adherence badges.
Consequently, an alternative is to develop ICO best practice guidelines within the private sector and see to their adoption as a market standard by the government body of FinanceEstonia. FinanceEstonia then would act as a self-regulating organization, issuing adherence badges to ICOs meeting the requirements stated in the ICO Best Practices. This idea requires further development and resource planning.
As an aside, the FSA referenced the Crowdfunding Best Practice Guideline to develop a draft law for crowdfunding, but this draft has not yet made it to Parliament and probably will not be pursued further.42
3.3 FSA Guidelines (similar to FINMA in Switzerland and MFSA in Malta)
Despite its hesitancy to market its approachability and facilitate market development, the FSA has already shown initiative in issuing general guidelines in relation to ICOs and securities market regulation. There exists the possibility of taking a few more steps to produce guidelines similar to those issued by FINMA43 in Switzerland and MFSA44 in Malta. As also described above, the FSA in the past has issued guidelines in line with EU law, but contradicting an incorrectly transposed norm in Estonian law.
There are multiple alternatives the FSA could consider, such as:
(i) the FSA most likely will not be interested in creating a favourable tool for facilitating the market of ICOs, but would most likely merely introduce a guideline similar to Good Corporate Governance Rules45 to reinforce already existing rules as once introduced for companies listed on stock exchange in Estonia;
(ii) alternatively or additionally, the FSA could introduce Good Communication Rules, attempting to streamline market contacts and the expected responses from the FSA, similar to the FINMA guidelines;
(iii) alternatively or additionally, the FSA could continue down the path already selected by it—issuing general guidelines for identifying when tokens are securities, similar to MFSA in Malta.
3.4 Regulatory Convergence, Standardisation and Regulating the Protocol
Regulatory convergence refers to a process that is not the harmonisation of laws, but an alignment of regulatory requirements across jurisdictions through standards, technical guidance documents, and similar practices, principles, and mechanisms.46
The International Organization for Standardization (“ISO”) is currently working on blockchain and distributed ledger technology standards.47 The need to address the technical risks might create a need to set standards for the protocol used. Also ongoing is development to introduce law in the form of code and place it directly into the protocol.48
3.5 Dynamic Information Sharing
These alternative means to mitigate and manage risks require a thorough risk analysis prior to their development, but as can be seen from the experience of Northern Trust,49 a compliance layer can be built to allow, for example, the regulator or supervisor direct access to an application to identify and fetch data needed for supervision.
3.6 Introducing a Safe Harbour Clause
In the case of recent amendments to the Investment Funds Act, Estonia used the option to adopt an innovative concept of safe harbour from U.S. law into Estonian law. This option is best achievable through FSA’s adoption of guidelines (possibly similar to the MFSA guidelines with respect to the token-as-a-security test), or a lengthier process would resemble the process behind the Investment Funds Act—introducing relevant regulation.
3.7 Modifying Relevant National Legal Acts
Quite possibly the highest level of legal certainty can be achieved either by amending existing legal acts or introducing new ex post regulation. Yet this is also most likely the longest alternative process other than introducing regional legislation and will most likely from start to end take years to complete. Considering that the Ministry of Finance has initiated public procurements to research how to proceed with innovation of the regulatory framework, it can be reasonably expected that the process of introducing respective regulation will most likely last a few years.50 According to the Collingridge dilemma, “if regulators want to achieve results, they should act early, but then the full range of risks and benefits is unknown, and if they wait until the risks and benefits are clear, the situation solidifies in a manner that makes it difficult and expensive to introduce regulatory changes.”51 However, in the “early stages of technological development, there is insufficient information regarding potential harms and benefits.”52
3.8 Waiting for EU Legislation
As can be seen in many legislative drafting processes in Estonia, the given regulation is transposed to the Estonian legal system only after it has been tested within the EU, and on the basis (usually of the most conservative approach)53 of EU legislation. The same approach already has been taken in regards to crowdfunding as discussed above. This, however, also means that Estonia will not be an active participant with a voice and a positive experience in drafting the EU law, as its authorities have most likely not been in the relevant discussions with market participants, have not learned from actual use cases, have not identified the real risks on the local market, nor tried to contextualize the advantages the country could obtain if it were to participate in a “battle of jurisdictions.”
The Author’s footnoting style is retained for this Discussion Report.