First, they will measure you, weigh you, take photos and then it turns out that something is still missing.

For some people, the above may be a description of experiences related to onboarding on the exchange, so starting a business relationship before starting trading. This does not only apply to our platform, generally on websites where one registers without physical contact with a service representative, the entire financial sector or simply non-banking but giving the possibility of introducing money into the financial system has certain obligations specified by law1 that have to be realized. The following entry is aimed at increasing the awareness of exchange users in a light and accessible way possible without the statutory nomenclature and paragraphs (more interestingly, they will undoubtedlybe able to find references to specific provisions or guidelines on their own2), indicate where all these restrictions and frills come from. It is absolutely obvious that the safety of users and the comfort of using the platform (user experience) is a very important, almost the most important guideline, nevertheless the main goal of conducting any activity in the private sector is to obtain the highest possible income, it is a basic principle from an economic point of view. If we were to rely solely on such assumptions, the crypto exchanges would function like a few years ago, only an email address and account password would be enough to be able to use the exchange (which was one of the assumptions when the crypto market was starting to crystallize!) - we know that such entities still operate, but this is not the subject of this entry. Observing the growing popularity of cryptocurrencies in the world, their potential and, most importantly, the risks associated with the uncontrolled transfer of financial values, regulators of individual countries, intergovernmental and international organizations, such as FATF or the EU, have decided to legally impose certain obligations on crypto market entities3. Depending on the geographic location, the restrictions are more or less similar to the conventional financial market, but the basics are almost always the same in every location. Currently, there is a tendency to impose ever more restrictive obligations related to running a business in the cryptocurrency sector. So, ending this lengthy introduction, let's move on to the aforementioned obligations.


1 From the perspective of BitBay, in this context, these are, firstly, regulations related to counteracting money laundering and financing of terrorism, therefore, due to the jurisdiction, the Estonian Anti-Money Laundering and Terrorist Financing Act of October 26, 2017, as amended.
2 Nevertheless, some relevant information closely related to the legal bases will be found in the footnotes.
3 For the first time, crypto entities have been directly covered by AML regulations in Directive (EU) 2018/843 of the European Parliament and of the Council of May 30, 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for money laundering or terrorist financing and amending Directives 2009/138 / EC and 2013/36 / EU (Text with EEA relevance). So far, threats related to cryptocurrencies have been signaled, for example, in the FATF guidelines.

The best point of reference for starting user awareness will be to pay attention to regulations of international importance. These will be EU directives, guidelines and recommendations of intergovernmental organizations - e.g. FATF recommendations - or in the case of the United States of America, regulations from the Bank Secrecy Act. These regulations are generally related to preventing money laundering and financing of terrorism (AML / CFT - Anti Money Laundering / Combating Financing of Terrorism). Due to the mentioned relatively easy-to-achieve anonymity, cryptocurrencies have at some point become a very attractive tool for quickly and cheaply transferring funds from crime or, despite originating from a fully legal source, allocating them for financing terrorism. This was one of the main reasons that influenced the decisions to regulate the cryptocurrency market (we deliberately omit the impact of taxes on the state treasury because it is a very individual issue both in the context of regulators and people subject to these regulations). Therefore, knowing the reasons for the attempts - more or less successful - to regulate the market, we can move on to obligations. It is impossible not to mention that the basic assumptions are mirrored in relation to the "conventional" financial market4.This means more or less when applying the AML-related legal provisions and introducing appropriate procedures and practical solutions, one should first adopt an approach based on evidence and risk assessment.

In terms of evidence, there is not much to explain, in the simplest terms, if you get some information from the client, get evidence confirming this information as well. It is important that this obligation rests with the obligated institution and not with the client. But if it is not possible to establish and confirm certain information, you have to engage the client (but more on that later in the text)5.
In terms of risk, the matter is getting a bit more complicated.Both for the client and the entity with which the client wants to establish a business relationship. The risk in AML / CFT is multidimensional, almost like the Marvel or DC universe. Generally, the point is to see risk in various aspects of contact with the client: once due to the geographical area with which the client is associated, two due to the instruments with what the client uses and how he uses them, what's more, whether the client's behaviour complies with the general scheme, whether the client's organizational structure is excessively complex, whether the client is a politically exposed person, is he present on sanctions lists, and many other aspects that may generate AML / CFT risk6. All these factors are a kind of partial client risk assessment. Mainly, for this reason, the customer is asked all these questions in the KYC survey. After the risk is estimated, the client is assigned to one of 3, and in principle 4, risk classes. The three standard classes are low, normal, and high risk, and the fourth is an unacceptable risk. According to the regulations, the higher the risk, the more intensively financial security measures are applied7. At the highest risk - unacceptable - the business relationship is not established, and the existing one is terminated. The risk class can change in any direction during the course of the business relationship. Know Your Customer - get to know your customer, measure him, weigh him, estimate the risk and think if you need anything else.


4 § 2 clause 6 of the Estonian AML Act
5 § 20 clause 5 of the Estonian AML Act
6 § 13 of the Estonian AML Act
7 § 32 clause 1, § 36 sec. 1, § 38 sec. 1 of the Estonian AML Act

Since the evidence and risk assessment approach has been outlined - this is not the place to write down the details of the AML procedure and try to get one from the Bank - then we can move to a more practical application of AML regulations. Another pillar will be the use of financial security measures in the form of: identifying the customer, verifying his identity, understanding the purpose of the business relationship, monitoring business relationships and identifying and verifying real beneficiaries8 - this is to simplify it because the individual financial security measures listed above are issues for at least one a large paragraph, and this text has a slightly different leitmotif. It is worth focusing on the issue of verification, however. For this text's purposes and easier understanding of responsibilities, the next part will be described using the example of a business relationship with an individual. Well, from the regulator's perspective, the matter is as follows: Before entering into a business relationship, obligated institutions have to identify the client, verify his identity, understand the purpose of the business relationship and monitor it9.

  • Customer identification10 is the identification of specific personal data, this is done when completing the KYC form.
  • Identity verification11 is a clash of data from the previous point with documents confirming identity and address.
  • Purpose of the business relationship12: determining for what purpose the client opens an account - KYC survey.
  • Monitoring the relationship13, and here begins the litany in the listings:
    • It takes place through the analysis of customer activity (e.g. transaction monitoring)
    • Regular updating of certain customer related data and documents
    • Determining the source of funds paid into the stock exchange - we will devote a separate paragraph to this issue.
    • Paying particular attention to behaviour that is not logically or economically justified.

All financial security measures must be applied. There are no exceptions. In the current legal state, it is possible to manipulate the scope and intensity of their application14. In practice, this means, for example, that the identity verification can be carried out based on two identity documents instead of one, or the client will be asked to provide additional information on the source of funds paid to the exchange. Address data can be verified based on a utility bill and with the help of a verification transfer.


8 § 19 - § 23 of the Estonian AML Act
9 § 20 clause 1 points 1-6 of the Estonian AML Act
10 § 21 clause 1 points 1-3 of the Estonian AML Act
11 § 21 clause 2 of the Estonian AML Act
12 § 20 clause 2 of the Estonian AML Act
13 § 23 of the Estonian AML Act
14 § 20 clause 6 of the Estonian AML Act

"I have been verified, and you are still verifying me. You even want my account statement!" This is everyday life in the department responsible for AML ... At this point, it is worth paying special attention to 2 different financial security measures:

  • identity verification commonly referred to as "verification", this part takes place at the beginning of the adventure with the obligated institution
  • research on the source of funds paid into the stock exchange15, which is most often in the form of a declaration that must be documented, as we wrote earlier.

This documentation is nothing more than verifying what the customer has declared. This word "verification" is used in this context, introduces a little confusion because "... after all, I have already been verified...".

While identity verification must take place at the beginning of the business relationship, it is not necessary to investigate the source of the funds paid to the stock exchange. If the client has not paid anything yet or the payments were of low value (e.g. they can be covered with the client's current remuneration), it's nothing to study. If, on the other hand, the client's account begins to receive more extensive deposits, then the application of this financial security measure becomes justified. Now, taking into account the above, plus the previously mentioned evidence-based approach, it becomes more understandable why the declaration of the source of the funds paid to us requires confirmation, e.g. by providing a bank statement. Unfortunately, the crypto exchange is not a bank. We, as an institution, do not see current transactions on the client's bank account, so we do not know the source of the funds, so please share this information16. Moreover, based on specific regulations, banks may exchange such information with each other without informing their clients each time. We are not interested in the fact that the customer purchases in a red drugstore and a yellow large-area store. Moreover, we often allow hiding some of the data if they are not related to the verification carried out. What is more, it is not in our interest to prevent customers from accessing the account. How the client trades, the stock market earns, we never concealed it. Here it is also worth mentioning the GDPR - AML correlation. In this context, the provisions of the AML Act indicate it is in the public interest to obtain specific information. To apply the AML provisions, the obligated institution has the right to request the presentation of particular documents. The information obtained in this way cannot be used for purposes other than those provided for regulations - e.g. for marketing17.

What is happening when one of the financial security measures cannot be implemented? If certain financial security measures cannot be applied, a business relationship is not established, and and the existing one is terminated (e.g. no possibility of identifying and verifying identity18). If the client refuses to provide the documents necessary to implement these measures during the existing business relationship, this is considered as the basis for the termination of the contract and the reporting of suspicious behaviour to the Financial Intelligence Unit (FIU) - this is the regulator's SWAT). The execution of the transaction, access to the trade service may be stopped until the provision of appropriate documentation clearly showing the origin of the funds used on the stock exchange or documenting another aspect of the business relationship. Have you noticed the regular data updates above? Therefore, the above activities do not have to be one-off during the duration of the business relationship19.


15 § 23 clause 2 points 3, § 38 clause 2 points 2 of the Estonian AML Act
16 § 38 clause 2 points 2 of the Estonian AML Act
17 § 48 clause 2 – 22 of the Estonian AML Act
18 § 42 clause 1 of the Estonian AML Act
19 § 43 clause 1 of the Estonian AML Ac

Summarizing the above: apart from detailed paragraphs (you usually have the legal basis in your correspondence from us), cases of evident money laundering or terrorist financing, all these difficulties in accessing cryptocurrencies result from regulatory restrictions and the need to ensure a greater level of security in a much wider context than the regional approach. It is worth knowing that the stock exchange applies financial security measures dictated by the act because it simply has to, and this is not an invention of AML analysts. The evidence-based and risk-based approach requires that financial security measures be applied in a manner that allows for this to be documented and the risk identified. In certain cases, the inability to apply financial security measures may result in reporting to the FIU and termination of the service contract. Generally, if you have nothing to hide, do not be afraid of another verification. The more willingly you cooperate, the shorter and less noticeable the process. If you have something to hide, go elsewhere.

Curtain.