Estonia: Fintech

The main sources of law governing payments and securities settlement come from the European Union (the EU) and Estonian legislation. Directly applicable EU legislation (e.g., EU regulations) is not replicated in Estonian national law. The main sources of Estonian payments law are, at the national level, the Credit Institutions Act, the Law of Obligations Act, the Payment Institutions and E-money Institutions Act (the MERAS) and the Decree of the Governor of Eesti Pank on conditions for the acceptance of payment orders. Securities settlements are regulated in Estonian law by the Securities Market Act and the Securities Register Maintenance Act.

In addition to laws and decrees governing payments law, the competent supervisory authorities, in particular the European Banking Authority (the EBA) and the Estonian Financial Supervision and Resolution Authority (the EFSRA), also regularly publish guidelines in relation to this area.

In addition to credit institutions, including branches thereof, [1] and the European Central Bank and central banks of states which are contracting parties to the Agreement on the European Economic Area (the Contracting States) [2], payment services can also be provided by Contracting States or their regional or local governments when not performing their duties as state agencies, payment institutions, e-money institutions and postal service providers [3].

Acting as a payment institution or e-money institution is subject to the requirement to hold the relevant activity licence the provisions regarding the application for which are set out in the MERAS.

[1] Each within the meaning of Article 4(1)(1) and Article 4(1)(17), respectively, of Regulation (EU) No 575/2013 of the European Parliament and of the Council on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012.

[2] When not performing their duties as monetary authorities or other state agencies.

[3] When providing financial services within the meaning of section 36 of the Postal Act.

The most popular payment instrument in Estonia for both POS[1] and P2P[2] person transactions conducted in person is the payment card (47% and 49% of payments, respectively) followed by cash (48% and 41% of payments, respectively). Other payment instruments are used for 5% and 10% of transactions, respectively. [3]

The preferred payment instrument for remote payments made when performing online transactions is the payment card (47% of online transactions) followed by credit transfers (28%), e-payment solutions (16%), other payment instruments (8%) and cash (2%). [4]

When considering the value of the transactions, transactions made by way of credit transfers amount for 46% of the value of online transactions, followed by the use of the payment card (23%), e-payment solutions (15%), other methods (16%) and cash (ca 0%). [5]

Bill transactions are mostly made by way of credit transfers (81%), followed by payments made by cards (10%), using other payment methods (6%), cash (3%) and direct debits (0%). [6]

[1] POS (Point of Sale) is the place in which goods and services are sold and paid for, such as shops and restaurants as well as services outside the home.

[2] P2P (Person-to-person) includes all the payments made from a private individual to another private individual without intermediaries.

[3] European Central Bank, Study on the payment attitudes of consumers in the euro area (SPACE) (December 2020), Chart B.5.2 on p. 103. Available at https://www.ecb.europa.eu/pub/pdf/other/ecb.spacereport202012~bb2038bbb6.en.pdf

[4] Ibid., Chart B.5.3 on p. 104.

[5] Ibid.

[6] Ibid.

Open banking is mandated in Estonia under the PSD2 Directive [1] with the purpose of opening up and ordering the electronic payment instruments market. The directive has been adopted with amendments made to the MERAS, the Law of Obligations Act, and the Financial Supervision Authority Act. Open banking solutions are provided by 7 banks operating in Estonia.

The legal person willing to provide the payment service and/or account information service is required to hold the relevant activity licence granted by the EFSRA. The activity licences are divided into two: licence for an account information service providers (AISP) and licence for payment initiation service providers (PISP). Holding a foreign activity licence, the service provider is required to register their activity with the EFSRA. Thereafter, the legal person is required to develop an interface in accordance with the bank’s requirements and obtain the Qualified Website Authentication Certificate (QWAC).

[1] Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC

The framework for how data is processed has been harmonised at the level of EU legislation by way of adopting the General Data Protection Regulation (GDPR). Therefore, rules on data regulation remain largely uniform for all member states of EU. Protection of natural persons upon processing of personal data is further elaborated and supplemented in the Estonian Personal Data Protection Act. The Personal Data Protection Act further provides standards for implementation and transposition of GDPR, while also providing a procedure for exercise of state supervision and liability for the violation of the requirements for processing of personal data.

It is important to note that the Estonian legal system does not allow for administrative fines as set out in the GDPR, instead the penalties for violations of data protection requirements are imposed by the supervisory authority in the framework of a misdemeanour procedure.

Even though the provision of financial services entails processing of personal data as part of the main activities of the service provider, it has not been impacted by the transposition of the GDPR to a great degree. The GDPR does introduce new obligations on the service provider, e.g., a requirement to designate a Data Protection Officer, but most importantly additional restrictions apply on transferring data to third countries. However, market participants themselves report that from a data regulatory perspective, the biggest challenges for them are related to data retention for AML/CTF purposes.

There are some initiatives that encourage innovation in the financial sector. Current legal ecosystem allows sandboxes to be introduced, however due to the small interest of the market participants for it, the initiative is yet to materialise. The primary hurdle for adopting it was the principle that testing performed in the sandbox would still need to adhere to EU legislation and by extension, a regulated financial services provider is therefore still under an obligation to acquire an activity licence before they can start testing in the sandbox.

The strategy plan of the EFSRA for 2022-2025 includes plans to introduce a possibility to obtain a licence with additional conditions in order to encourage development of technologically innovative business models. The EFSRA has already adopted the initiative called Innovation Hub through which the EFSRA helps to communicate with companies applying innovation in the financial sector and offers them a chance to ask for advice and to find out about the financial supervisory positions and guidelines on using the solutions. [1]

[1] See further the Innovation Hub webpage at https://www.fi.ee/en/finantsinspektsioon/innovation-hub

The most immediate risks for the growth of the fintech market in Estonia are related to the regulators’ desire to further increase the regulatory oversight of market participants, and shortage of competent labour.

As a new development in 2022, virtual asset service providers (VASP) face more stringent requirements by the legislator as new amendments were made to the Estonian Money Laundering and Terrorist Financing Prevention Act in March 2022. The amendments have, amongst others, brought about a regulatory need for increase in the share capital that a VASP is required to have for the company to able to receive authorisation from the regulator, either at least 100,000 or 250,000 euros in the form of monetary contributions to share capital, depending on the type of virtual currency services provided. The activities of VASPs are now also subject to a mandatory obligation for auditing of annual accounts and heightened requirements in respect of the company’s seat, place of business, members of the management board and compliance officer.

Estonia does not provide specific tax incentives for fintech investment. However, as a way to encourage investments in general, companies only pay corporate income tax (20/80) when distributing profits as dividends or in other forms, on special benefits, gifts, donations, reception expenses, as well as expenses not related to business. Corporate income tax is not paid on retained earnings or profits re-invested into the activities of the company. Additionally, a lower tax rate (14/86) applies to regularly paid dividends or profits taken out of a permanent place of business in monetary or non-monetary form. If the recipient of a dividend taxed at such a lower rate is a natural person, the payer withholds 7% from the dividend payment.

Estonian fintechs have a particularly strong presence in providing digital payments, enterprise technology, WealthTech and digital capital raising solutions. The participants in the fintech market see the greatest potential for development in the area of open banking, followed by digital currencies and RegTech.

Fintech investments in Estonia can be seen in all different stages. Largest fintech companies have attracted investments in several levels. Most established and successful companies, who have plans for further development have attracted investments up to Series C level and even higher, while the main rounds of investment in Estonian jurisdiction tend to be Series A and equity crowdfunding, which is often used to generate capital as a part of Series A funding. These investment rounds are used by already partly successful fintechs which are seeking to grow and to turn their ideas into a profitable business.

One of the biggest advantages of operating in Estonia is the ease with which both informal and formal communication happens in Estonia. This means that market participants know each other personally and it is also easy to connect with the public sector.

Estonia’s information and communications technology (ICT) infrastructure is also very well developed. The adoption of the ID-card is very wide-spread. Most communication with the government is possible without needing to leave from behind the computer. Estonia’s digital governance solutions can also be utilised by those who are not residents of Estonia and have applied for an e-residency. As an e-resident, it is possible for entrepreneurs to make use of all the advantages of the ID-card that can be enjoyed by a regular resident.

Estonia has also widely accepted the use of English as a business language both when communicating with the state and when used at the office. This allows for the creation of international work teams and also the establishment of a company with little time spent on the process.

Estonia has also given rise to multiple globally known fintech unicorns which is a sign that the fintech ecosystem encourages the emergence of new actors in the field while having the necessary know-how on how to support the international growth of fintech companies. Estonia fosters a strongly favourable business environment, having long taken the stance that innovation, especially in the domain of ICT, is what can help Estonia grow economically.

The Estonian Aliens Act sets out an immigration quota which limits the number of aliens who can settle in Estonia. The annual immigration quota specifies a quota for aliens immigrating to Estonia, which shall not exceed 0.1 per cent of the permanent population of Estonia annually. The immigration quota is established by a regulation of the Government of the Republic.

However, Estonia has, generally, taken a strong stance in supporting the arrival of aliens as residents of Estonia if they study here or take on employment as a specialist. This means that persons not included in calculating the fulfilment of the immigration quota include those who have been granted a residence permit for study and those who have previously been granted a residence permit for study if they apply for a residence permit on any basis. Additionally, the immigration quota also does not include those who apply for a residence permit for employment in the field of ICT, in a start-up company, in business related to start-up business, in enterprise as a large investor or as a top specialist.

A risk for the growth of the fintech market in Estonia relates to the fact that Estonia is experiencing a general labour scarcity for skilled workers. This is emphasized in the field of ICT, where even though there are many people with an ICT background in Estonia, the sector still faces both a lack of top specialists in the field but also a lack of people who would be ready to perform somewhat simpler tasks in the ICT field. As a new trend, the Estonian Unemployment Insurance Fund has noted that Estonia is also experiencing a shortage of both top executives, and sales and marketing executives. This is due to an increased interest for entrepreneurship with the downside being that companies face a shortage of top executives to employ.

The government is actively seeking to solve this issue both by way of inviting Estonians living abroad back to Estonia and by way of providing incentives for companies to hire skilled workers from abroad and keep foreign students working in Estonia. Estonia considers this to be a top priority for ensuring continued economic growth.

Estonian law provides various rights for fintechs to protect their intellectual property. First and foremost, it is important to note that computer software is protected as literary works with protection applying to any form of an expression as a computer program, as specified in the Estonian Copyright Act. Collections of works and information, including databases are protected separately under the Estonian Copyright Act.

Depending on the specific nature of the fintech company concerned, it may rely on various intellectual property rights existing under Estonian law. Fintechs are also able to protect their trademark rights both under an Estonian and a European trademark. Such protection can be obtained by way of registering the trademark with the Nice Classification used for the classification of goods and services.

The business name of the company itself is protected on the principle of first use. A trademark cannot be used as a business name in Estonia without the consent of the owner of the trademark unless the company is engaged in an area of activity in respect of which the trademark is not protected. A business name may not be misleading with regard to the legal form, area of activity or scope of activity of the undertaking nor is it allowed to be contrary to good morals.

Cryptocurrency is treated as property under Estonian Law. [1] Therefore, tax obligations may arise for natural persons in three instances when making a profit: converting cryptocurrency against a regular currency, exchanging a cryptocurrency for another cryptocurrency, or when using cryptocurrency as a payment instrument for goods or services. Each cryptocurrency transaction is subject to separate evaluation as taxed are only such transactions that a profit is made from.

The mining of cryptocurrencies is not a field of activity subject to the supervision of the EFSRA. However, the purchase and sales of cryptocurrencies may be subject to anti-money laundering regulation. Accordingly, authorisation by the Financial Intelligence Unit (FIU) is required for operating in the area of providing a virtual currency service (including virtual currency wallet, virtual currency exchange, virtual currency transfer services, and virtual currency issuance) are subject to the requirement to obtain an activity licence for the provision of such services. Authorisation by the FIU is not required if the person already holds a separate activity licence issued by the EFSRA, a member-state of the European Economic Area with a right to operate in Estonia (either as a branch or by providing the service on a cross-border basis) and the EFSRA has been notified of the person’s activities or if the person is providing intra-group services subject to authorisation obligation pursuant to the Money Laundering and Terrorist Financing Prevention Act.

[1] Within the meaning of the Estonian General Part of the Civil Code Act.

Treatment of initial coin offerings is subject to differing requirements based on the token offered as part of the initial coin offering (ICO). First and foremost, it must be determined whether the token may be a security token. To assess this, it must be analysed whether the token holder receives rights or obligations akin to those received for securities as specified within section 2 of the Estonian Securities Market Act. In case that the token is deemed to qualify as a security, the provisions of the Estonian Securities Market Act concerning the offering of securities and the provision of investment services apply. If the ICO is public, a Prospectus Regulation [1] compliant prospectus must be drafted for the offering and be registered with the EFSRA.

Additionally, the token issuer may be subject to the requirements of the Credit Institutions Act and will need to apply for the relevant activity licence. This is so if the company’s economic activity is the issuance and provision of loans, and this activity is financed with repayable financial resources obtained from the public as part of the ICO. This activity may also require the issuer to obtain an activity licence from the EFSRA under the Credit Institutions Act.

Depending on the structure and purpose of the ICO, it may also be subject to the requirements stipulated in the Investment Funds Act, for example, if the ICO is used to invest the resources for the benefit of the investors in their joint interests in accordance with a defined investment policy. In this case, the person acting as the fund manager is required to hold an activity licence or register its activities with the EFSRA per the requirements specified in the Investment Funds Act.

Changes to the current regime of ICOs are expected as a result of the approval of the proposed MiCA regulation [2] by the European Union.

[1] Regulation (EU) 2017/1129 of the European Parliament and of the Council of 14 June 2017 on the prospectus to be published when securities are offered to the public or admitted to trading on a regulated market, and repealing Directive 2003/71/ECText with EEA relevance.

[2] Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on Markets in Crypto-assets, and amending Directive (EU) 2019/1937

Blockchain has been in production use in Estonia since 2012 with development for its use beginning in 2008 with the aim of creating a zero-trust system for use by the Estonian government. The Estonian state uses blockchain technology to ensure the integrity of government data and systems. The blockchain technology used by Estonia is Guardtime’s KSI Blockchain that is now used by NATO, the US Department of Defense, the European Union IT Agency, Lockheed Martin as well as many others. State agencies gain access to the state blockchain network via the X-road infrastructure.

Estonia has also given rise to multiple blockchain-based start-ups and companies with varying use-cases for the blockchain in use by them. Tokens are used in multiple different innovative ways to provide new products suitable for the new internet.

The Estonian Ministry of Economic Affairs and Communications has adopted a revised artificial intelligence (AI) strategy for 2022-2023. Therein, it is described that during the implementation of the AI strategy for 2019-2021, use of AI has grown at a quick pace with it becoming an important and inevitable part of the digital state. The Estonian regulation is envisaged to tackle specific issues which require regulative addressing despite the measures taken by the EU in accordance with their on-going initiative to implement a harmonised AI regulation in the form of the AI Act.

While AI is a buzz-word in Estonia, its use-cases are still fairly limited in the financial sector. Financial sector companies in Estonia mostly tend to use AI in order to optimise their processes. The use-cases vary from basic analysis of client data provided in different loan or client applications and use of chatbots for streamlined customer experience to analysis of pictures. For example, in the case of analysing pictures taken by users for verification purposes or to ensure that pictures taken are relevant for automated decision-making in settling insurance claims.

Insurance sector tends to be rather conservative due to its relatively strict regulation and desire to focus on their core business. This tends to explain why insurtech seems to be lagging behind other areas of fintech. Despite this, most consumers would like to have a better and digital experience when using insurance services. This perspective is shared by insurance companies who can make improved insurance decisions with better data available to them.

Therefore, due to the relatively high restrictions on entry into the insurance market and the relatively small size of the Estonian insurance market, the local insurtech companies tend to solve specific insurance-related issues by way of improving the data available to insurance companies.

However, the Estonian insurtech space can also boast of the fintech unicorn, Zego, which describes itself as being able to gain more data on their customers than any other insurance provider, thereby being able to provide clients with suitable services thanks to better knowing the risks related to them.

Based on the above and due to the fact that insurance is heavily data-driven, then improving the datasets behind the insurance decisions seems to be the very key for insurtech companies to increase their operations on the insurance markets.

Fintechs seem to be well-established in multiple areas of activity in Estonia. Estonia has to date three fintech unicorns, Wise, Veriff and Zego. These companies respectively provide remittance and banking solutions, digital identity/verification solutions to financial institutions, and insurance.

Multiple scalable and successful products are also offered in the peer-to-peer lending and crowdfunding area of activity, while there is also a lot of innovation going on in the sphere of blockchain and cryptocurrency activities as well. Many of these products could be described as providing natural persons in Estonia with new and innovative ways to invest.

Participants in the fintech sector have indicated that while there is co-operation between fintechs and incumbent financial institutions, this could further be improved upon. The key issue that is often cited is that banks could be more flexible in choosing who to onboard as their customers and generally hold a more open approach towards co-operation with fintechs. At the same time, banks already collaborate with fintechs in adopting verification, AML/KYC and risk management solutions provided by fintechs with an aim to improve the speed and quality of the service they provide.

As an example of collaboration, the Bank of Estonia has also taken the initiative in researching a digital cash, payment and settlement platform KSI Cash together with Guardtime to meet the scalability, reliability, and security requirements of critical financial infrastructures. While multiple fintechs offer verification services in collaboration with banks, enabling clients to open a bank account through video verification and without physically needing to visit the bank’s office.

While fintechs have indicated that they would expect more co-operation from incumbent financial institutions, multiple banks already have their own initiatives to support development of the fintech sector, among which are solutions provided by banks to help fintech businesses with their needs. Multiple banks also offer tailor-made flexible services to fintechs.

Banks in Estonia often carry out their own fintech development and create their own innovation programmes. Nearly all banks and incumbent financial institutions provide online banking services and different types of contactless payments. Additionally, some Estonian banks also offer cryptocurrency trading services. Banks and other incumbent financial institutions have rather well-developed online services with minimum disruptions to their operation.

Leading banks in the market tend to have their own innovation centres for collaboration with fintech companies. This can take both the form of the provision of working space but also the provision of practical and technical advice to fintechs with a view to improving collaboration between the banks and new fintech companies. Banks also provide internship programmes specifically for people with IT background to focus and finalize development projects which later the institution itself could use to offer innovative services.

Estonia has seen relatively extensive disruption by fintech companies over the past few years, not least due to increased use of online shopping/payment solutions and the need by incumbent financial institutions to move an increasing part of their operations to the online arena.

For example, many e-shops are using the solutions of different fintech businesses as their payment solution to mediate payments, speed up the payment process and reduce transaction fees. Often times, the services provided by such fintech businesses are preferrable for the business instead of those provided by incumbent financial institutions, due to the convenience provided in terms of ease of verification, price, and provision of more types of payment methods.

Fintechs tend also to be more willing to provide new and innovative investment products for both legal and natural persons.