Markets in Crypto-Assets Regulation (MiCA) – CASP License in EU

MiCA CASP LICENSE
WE'VE GOT YOU COVERED

Complium simplifies MiCA compliance for existing VASPs and new CASPs,
guiding you through the EU licensing process with confidence.

Book a 30-min FREE consultation

What’s the MiCA CASP license?

The new MiCA (Markets in Crypto-Assets) regulation introduces unified EU-wide requirements for crypto businesses. A Mica CASP license is recognised across all EU member states and it covers operations in any EU state (e.g. same as for an EMI license).

Under MiCA, companies currently classified as VASPs (Virtual Asset Service Providers) will be reclassified as CASPs (Crypto-Asset Service Providers) and must obtain the new license to operate legally in the EU. Expected to start on January 1st, 2025 (though the exact date might vary by jurisdiction), all existing VASPs must apply to secure their MiCA CASP license.

Who needs a MiCA CASP license?

Current VASP (virtual service provider) license holders
New crypto businesses who wish to operate in the EU
Companies providing crypto-asset services

At Complium, we simplify the MiCA CASP licensing process. Leveraging our strong connections, extensive experience, and proven success with EMI, PI, and crowdfunding licenses, we are well-equipped to navigate the new MiCA CASP regulations. Our expertise ensures a smooth transition for VASPs to achieve a pan-European MiCA CASP license.

Book your 30-minute free MiCA assessment today

How to get started

While MiCA CASP license applications are expected to officially open on January 1, 2025 (though the exact date might vary by jurisdiction), the transition to this new regulatory framework is complex and time-consuming. Existing VASPs will face a limited transition period, which varies depending on the jurisdiction. If a VASP does not apply for the CASP license within this transition period, their current VASP license will expire after six months. Additionally, the regulatory authority overseeing applications will change in our specialized areas.

To ensure a smooth transition, we recommend starting preparations now:

Draft necessary policy documents
Set up a local office
Assemble a team of experienced AML professionals

Thorough and timely preparation is crucial for a successful transition to MiCA compliance.

https://complium.eu/wp-content/uploads/outs3-320x320.jpg

READY-STEADY-GO

MiCA license key points and requirements
for existing and new CASPs

Existing VASP
holders

To ensure a seamless transition, current VASPs should align their operations with the MiCA regulations to prepare for the upcoming regulatory changes. For VASP license holders, we highlight three essential areas to focus on for a successful MiCA CASP license application:

Capital Requirements

MiCA mandates increased capital requirements, up to €150k, to ensure financial stability, protect customer interests, and establish market entry thresholds. We assist with capital injection procedures and provide banking advisory services for setting up an EU credit institution account.

AML Compliance and Internal Policies

MiCA necessitates robust internal policies for control mechanisms, risk assessment, confidentiality, and fund protection. Our expert lawyers are available to review and prepare all necessary legal documentation.

Local Presence

MiCA requires a physical office, EU-based management with at least one EU-resident director, and senior AML compliance roles such as CCO and MLRO. Regulatory expectations vary by jurisdiction. We offer team staffing and local management solutions to meet these requirements.

New CASP license
capital requirements

The MiCA regulation specifies different share capital class requirements depending on the type of CASP activities. To prevent administrative delays and issues, we strongly advise increasing your VASP company’s capital in the registry now.

Class 1 CASP

Requires €50,000 capital for crypto-asset services including:

Reception and transmission of orders on behalf of third parties; and/or
Providing advice on crypto-assets; and/or
Execution of orders for third parties; and/or
Placement of crypto-assets

Class 2 CASP

Requires EUR 125.000 capital for any crypto-asset services under Class 1 and:

exchange of crypto-assets for fiat currency that is legal tender;
exchange of crypto-assets for other crypto-assets;
operation of a trading platform for crypto-assets.

Class 3 CASP

Requires EUR 150.000 capital for any crypto-asset services under Class 2 and:

custody and administration of crypto-assets on behalf of third parties.

Please note: CASPs should also maintain at least one bank account with an EU-based credit institution (an EMI bank account does not qualify).

bt_bb_section_top_section_coverage_image

READY FOR TRANSITIONMiCA License application
process and timeline

The MiCA will come into effect for crypto exchanges in December 2024, and license applications expected to open on January 1, 2025. The EU Member States have the option to offer currently licensed VASPs an additional “transitional period” of up to 18 months, allowing them to continue operations without a MiCA license (“grandfathering clause”). This means existing VASPs could potentially operate until as late as July 1, 2026, although the exact deadline may vary depending on how each Member State’s jurisdiction applies these optional transitional measures under Article 143(3) of MiCA.

CCO/MLRO Requirement
MiCA license application
MiCa policy documentation
Notes

We offer various solutions to meet regulatory substance requirements. For example, we can assist with establishing a local physical office and recruiting highly qualified professionals for key roles such as Chief Executive Officer (CEO), Chief Compliance Officer (CCO), and Money Laundering Reporting Officer (MLRO). Our services also include ongoing training and support with office and team management.

The responsibilities of a Chief Compliance Officer (CCO) include, but are not limited to:

Overseeing internal controls and ensuring proper data management.
Reporting to relevant agencies such as the statistics and data protection agencies.
Meeting local regulatory deadlines, including compliance with AML requirements, data protection, fraud prevention, IT security, and privacy procedures.

The duties of a Money Laundering Reporting Officer (MLRO) include, among others:

Supervising and monitoring compliance functions and handling reporting duties.
Managing customer communications for Enhanced Due Diligence (EDD), Customer Due Diligence (CDD), and Other Due Diligence (ODD) document collection.
Reviewing KYC (Know Your Customer), KYB (Know Your Business), and KYT (Know Your Transaction) reports and reporting to the CEO/CCO and to the authorities.

The required local substance and staffing levels will depend on your business model (inc. business plan) and trading volumes. We can provide tailored recommendations following a preliminary analysis.

For a CASP license application, we start with a detailed legal assessment of your business model, shareholding structure, policy documents, and AML compliance systems. From there, we create a tailored plan and manage every step of the licensing process. Below are some key requirements outlined in MiCA Article for the necessary application documentation.

Programme of Operations: This plan details the crypto-asset services the applicant aims to provide, including their marketing strategies and geographic reach. It includes a comprehensive three-year roadmap for both regulated and unregulated activities, outlines the target client demographics, and describes the outsourcing policy, covering intra-group arrangements and external service providers. Additionally, it provides financial forecasts and outlines plans for exchanges and other key activities.

Business Continuity Policy: This includes a disaster recovery plan, internal control mechanisms, and robust procedures for risk assessment. It outlines systems and protocols to protect the security, integrity, and confidentiality of information. CASPs must also implement systems to monitor and detect market abuse. Additionally, the policy must address outsourcing requirements and establish effective measures to prevent, identify, manage, and disclose conflicts of interest.

CASPs must establish strong measures to protect their clients’ assets, especially in case of insolvency, and to prevent the misuse of client funds for their own purposes. Client funds should be held in segregated accounts at an EU credit institution. Additionally, CASPs must secure adequate insurance coverage to protect against theft or loss of assets.

Below is a comprehensive list of the essential documentation, policies, and regulations required for the CASP license, each of which needs to be customized for the individual applicant. At Complium, we manage every aspect of the licensing process, ensuring a seamless and efficient application experience.Rest assured, we are here to support you every step of the way, so you can focus on your business while we handle the complexities of obtaining your CASP license.

Programme of Operations – article 17(1)(b)(i) of MiCA
Client Information and Best Interest Policy – Article 66 of MiCA
Insurance Policy – Article 67(4)(b) of MiCA
ICT Systems Security Policy – Article 68(7) of MiCA
Market Abuse Monitoring and Reporting Policy – Article 62 (2)(n) and 92 of MiCA
Client Crypto-Asset Safeguarding Policy – Article 70 of MiCA of MiCA
Client Complaint Handling Policy – Article 71 of MiCA
Conflict of Interest Policy – Article 72 of MiCA
The Outsourcing Management Policy – Article 73 of MiCA
Custody Policy – Article 75 of MiCA
Trading Platform Operating Rules – Article 76 of MiCA
Non-Discriminatory Commercial Policy – Article 60(7)(g) of MiCA
Order Execution Policy (if applicable) – Article 70 of MiCA
Governance Arrangements – Article 34(1) and 68 of MiCA
Internal Control Policy – Article 34(10) of MiCA
Business Continuity Policy – Article 34(9) and 62(2)(i) of MiCA
IT Systems and Security Arrangements Policy – Article 34(9) and 62(2)(j) of MiCA
Proof of Meeting Prudential Safeguards Documentation Policy – Article 62(2)(e) of MiCA
Client’s Crypto-Assets and Funds Segregation Procedures Policy – Article 37(6)(d) and 62(2)(k) of MiCA
Subsidiary Relationship Information Documentation – Article 55(4) of MiCA
Compliance Assessment Documentation – Article 55(5) of MiCA
Cross-Border Service Provision Information Documentation – Article 65 of MiCA
Notification of Cross-Border Activities Documentation – Article 65 of MiCA
AML Policy
Whistleblowing Policy

For the complete MiCA regulation, please visit: Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010 and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937 (Text with EEA relevance)

The MiCA CASP license may be terminated by the regulator for several reasons beyond just regulatory non-compliance. This includes situations where licensed activities have not started within 12 months of the license being granted or if crypto-asset services have not been provided for a span of 9 months.

Furthermore, MiCA outlines financial penalties that range from 3% to 12.5% of the entity’s total annual turnover, along with the option for periodic fines. The regulator also has the authority to suspend or withdraw the license and to prohibit individuals from holding managerial positions.

https://complium.eu/wp-content/uploads/Represantation.jpg

How long does it take to get the MiCA CASP license?

The MiCA license application process involves submitting the application to the regulator, who has up to 25 business days to review its completeness, providing a deadline if additional information is required. Once accepted, the regulator will evaluate the CASP license applicant’s compliance with the requirements within 3 months and issue a reasoned decision, notifying the applicant within 3 business days. Although the expected timeframe for licensing is about 4 months, based on prior experience with crowdfunding and EMI licenses, we anticipate the process may take twice as long.

STEP-BY-STEP GUIDE

Get ready for the MiCA CASP license
we’ve got you

With a proven track record of managing over 500 VASP licenses since the onset of EU crypto regulations and a team of more than 30 seasoned AML professionals and lawyers, we are ideally positioned to support your VASP company. Our expertise will ensure a successful MiCA CASP license application and thorough handling of all related legal documentation.

Obtaining MiCA CASP license
with Complium

For existing VASP license holders, we strongly advise a phased approach to MiCA compliance. This will help you secure top-tier specialists and manage their availability effectively as the deadline approaches.

Initial assessment

Stage 1

Enterprise Wide Risk Assessment (EWRA)

Objective: Thorough evaluation of your business plan, AML procedures, and IT infrastructure and your website.

Outcome: Comprehensive legal report identifying necessary improvements for MiCA licensing.

Budget: Approximately 50 hours of legal work

Documentation and preparation

Stage 2

MiCA Required Policy Documentation

Objective: Address and resolve any deficiencies identified in the EWRA analysis.

Outcome: Complete set of policies, procedures, and rules necessary for MiCA compliance.

Budget: Legal fees will be provided after Stage 1

MiCA CASP License

Stage 3

MiCA CASP License Application

Objective: Prepare and submit the CASP license application, including all necessary correspondence with the regulator.

Outcome: Obtain the MiCA CASP license to operate across the European Union.

Budget: Estimated legal work of 80 hours

The hourly rate for MiCA licensing includes both our partner attorney-at-law and a senior AML compliance specialist. All quotes are preliminary and subject to review and final confirmation; conditions may apply. Pricing for packages is indicative and will be finalized based on additional details provided. Additional fees may be incurred. We reserve the right to adjust pricing and package details at any time without prior notice. For a detailed, project-specific quote, please contact us directly.

On-Going Support

On-Going Support for VASPs (future CASPs)

At Complium, we don’t just help you obtain your MiCA CASP license—we provide comprehensive, ongoing support to ensure your business remains fully compliant with evolving regulations. Our services include:

Quarterly Statistical Reports: We assist in preparing and submitting required quarterly reports to regulatory authorities, keeping your business compliant at all times.
Over Threshold & Suspicious Transaction Reporting: We handle reporting on Suspicious Activity Reports (SARs) and high-value transactions over €15,000, ensuring transparency and adherence to AML requirements.
Expert Advisory Services: Our team of AML and regulatory specialists is available to provide ongoing guidance, helping you navigate any challenges or regulatory updates that may arise.

This allows you to focus on growing your business, knowing your compliance needs are taken care of.

bt_bb_section_bottom_section_coverage_image

WHY COMPLIUM? Get expert guidance
on MiCA CASP licensing

Complium operates in multiple European jurisdictions, giving us deep insight into the regulatory landscape across countries. With experience working in Poland, Lithuania, and other EU regions, we can compare laws and regulations to find the best solutions for your specific needs. We also have strong relationships with law enforcement and governmental authorities, ensuring smooth cooperation and compliance in any jurisdiction.

MiCA CASP
License Application

Quarterly Compliance
Reports

Local Presence
Support

AML Compliance &
Reporting

Transaction
Reporting

Ongoing Advisory
Services

CONTACT FORMBook your
FREE 30-min consultation

Our team will get back to you shortly!
Let our experts guide you through the process.

On our Clients’ request, through our network of trusted partners, we can offer additional services such as GDPR compliance and accounting, providing a complete package of services. With everything handled through one entity, there’s no need for clients to seek out multiple advisors—Complium covers all your needs under one roof.

https://complium.eu/wp-content/uploads/about-us-320x320.jpg

KEY FACTS

MiCA CASP License FAQs

MiCA is expected to come into effect for crypto exchanges in December 2024, with license applications expected to open on January 1, 2025

Is MiCA compliance mandatory for all existing VASPs in the EU?

Yes, MiCA compliance is mandatory for all existing Virtual Asset Service Providers (VASPs) operating in the European Union. Under MiCA, VASPs will be reclassified as Crypto-Asset Service Providers (CASPs) and must obtain the new license to operate legally in the EU.

Who are exempt from MiCA legislation?

Some entities are exempt from MiCA, including the European Central Bank, national central banks, and public authorities. Public international organizations and persons who provide crypto-asset services exclusively for their parent companies, for their own subsidiaries or for other subsidiaries of their parent companies

When do VASPs need to be compliant with MiCA?

MiCA is expected to come into effect for crypto exchanges in December 2024, with license applications expected to open on January 1, 2025 (though this may vary by jurisdiction). Existing VASPs will have a limited transition period, which also varies depending on the jurisdiction. If a VASP doesn’t apply for the CASP license within this period, their current VASP license will expire after six months.

What are the key requirements under MiCA for existing VASPs?

Under MiCA, existing Virtual Asset Service Providers (VASPs) must meet several key requirements to continue operating legally within the EU:

Reclassification: Existing VASPs must transition to Crypto-Asset Service Providers (CASPs) by obtaining the MiCA CASP license.
AML Compliance: VASPs need to maintain robust Anti-Money Laundering (AML) procedures and internal control systems to meet the new standards.
Capital Requirements: VASPs must meet updated capital thresholds based on their services.
Reporting & Transparency: Enhanced transparency, record-keeping, and reporting obligations must be adhered to, particularly for customer information and financial data.
Local Presence: VASPs are required to establish a physical presence in the EU, including local management and compliance officers.
Consumer Protection: There are new measures to ensure better protection for customers and secure handling of assets.

What are the key capital requirements for new CASPs?

MiCA outlines different capital requirements for new CASPs (Crypto-Asset Service Providers) based on the services they provide:

Class 1 CASP: Requires €50,000 in capital for services like advising on and executing crypto-asset orders.
Class 2 CASP: Requires €125,000 for additional services, including exchanging crypto-assets for fiat or other crypto-assets, and operating a trading platform.
Class 3 CASP: Requires €150,000 for services that involve custody and administration of crypto-assets on behalf of third parties.

Additionally, CASPs must maintain at least one bank account with an EU-based credit institution, ensuring proper financial oversight and stability.

How can Complium help my business obtain a MiCA license?

Complium provides comprehensive legal and compliance services to assist businesses in obtaining and maintaining MiCA CASP licenses. Our services include:

Initial Assessment: We conduct a thorough evaluation of your current operations to identify areas requiring attention for MiCA compliance.

Documentation Preparation: Our legal team prepares all necessary documentation, including policy papers and procedural guidelines, tailored to your specific business model.

License Application Support: We manage the entire application process, handling all communications with regulatory authorities to ensure an efficient licensing procedure.

Ongoing Compliance Assistance: We provide continuous support to help maintain compliance as regulations evolve.

AML Expertise: Our AML specialists develop robust policies and procedures to ensure your operations meet all anti-money laundering requirements.

Staffing and Local Presence Solutions: We assist in recruiting qualified professionals for key roles and help establish the necessary local presence to meet regulatory requirements.

With extensive experience in crypto regulations, Complium is well-positioned to guide your business through the MiCA compliance process efficiently and effectively.

What happens if my business doesn’t comply with MiCA?

If your business does not comply with the MiCA regulation, it may face several consequences, including:

Fines and Penalties: Non-compliance can result in financial penalties ranging from 3% to 12.5% of your business’s annual turnover, depending on the severity of the breach.
License Revocation: Failure to comply with MiCA requirements may lead to the suspension or revocation of your CASP license, preventing your business from operating within the EU.
Reputational Damage: Non-compliance can harm your business’s reputation, reducing trust from customers and investors.
Ban from Management Positions: Individuals in managerial positions may be banned from holding similar roles if found responsible for significant non-compliance issues.
Restricted Operations: Without proper compliance, your business may be restricted from offering certain services or expanding within the EU market.

Ensuring compliance with MiCA is critical to avoid these risks and continue operating within the EU’s regulatory framework.

How long does the MiCA licensing process take?

The MiCA licensing process typically takes around 4 months, although it may take longer depending on the complexity of the application and the jurisdiction. After submitting the application, the regulator has 25 business days to review its completeness. Once the application is deemed complete, the regulator has 3 months to issue a decision.

What documentation is required for the MiCA license application?

Some of the most important documentation includes (see above to see the full list of documents needed):

Programme of Operations (detailing services and operations)
AML and risk management policies
Business continuity and internal control policies
Proof of capital requirements
IT and data security policies
Client asset safeguarding and insurance policies
Outsourcing policies, if applicable
Corporate governance and management structure documentation Each document must align with MiCA regulations and be tailored to your specific business operations.

Will my business need to update its compliance policies to meet MiCA requirements?

Yes, most businesses will need to update their compliance policies. MiCA requires enhanced AML procedures, robust risk management, secure IT systems, and comprehensive client asset protection measures. Additionally, businesses must align their governance structures with MiCA requirements, including having EU-based management and compliance officers.

What are the benefits of being MiCA-compliant?

Being MiCA-compliant offers several advantages:

Pan-EU operations: A MiCA CASP license allows you to operate legally across all EU member states.
Increased market trust: Compliance with unified regulations builds trust among clients and investors.
Operational clarity: MiCA provides clear rules for crypto businesses, reducing uncertainty.
Regulatory alignment: MiCA compliance ensures that your business meets stringent AML and security standards, protecting against penalties and legal risks.

OUR ANNOUNCEMENTS

Latest MiCA News

Navigating AML Compliance: The Key to Safeguarding Your Business

In today’s increasingly complex regulatory landscape, Anti-Money Laundering (AML) compliance has become an indispensable part of doing business. Whether you operate in fintech, crypto, or financial institutions, ensuring robust AML measures protects your business from financial crimes, regulatory penalties, and reputational damage. But how do you navigate these challenges efficiently? This guide will walk you...

Understanding SAR Compliance for VASPs and CASPs Across the EU: A Polish Example

In today’s digital financial ecosystem, Virtual Asset Service Providers (VASPs) and Crypto-Asset Service Providers (CASPs) play a crucial role in ensuring security and transparency. Across the EU, compliance with anti-money laundering (AML) regulations is essential for both businesses and regulators. A key component of this compliance framework is the Suspicious Activity Report (SAR). Filing SARs...

What Happens If Your Business Fails to Comply with MiCA Regulations?

As the Markets in Crypto-Assets (MiCA) regulation reshapes the European crypto landscape, it’s crucial for businesses—both existing and new—to understand the serious implications of non-compliance. MiCA is designed to provide a unified regulatory framework for crypto-asset service providers (CASPs) across the EU, introducing significant changes for companies operating in this space. With the MiCA CASP...

Why Existing VASPs Must Act Now: Transitioning to MiCA CASP Licensing

As the cryptocurrency sector in Europe evolves, so does the regulatory landscape. Many existing Virtual Asset Service Providers (VASPs) may not realize that under the new Markets in Crypto-Assets (MiCA) regulation, they must obtain a Crypto-Asset Service Provider (CASP) license to continue operating legally in the EU. Starting from January 1st, 2025 (with potential variations...

Read all News

FREE 30-min Consultation

MICA CASP LICENSE
WE'VE GOT YOU COVERED

Don’t worry about your MiCA license! Together we get it done.

Book Your FREE 30-min MiCA Consultation

OFFICE DETAILSOffice

Poland office: +48 222 085 280
Estonian office: +372 5874 6380
office@complium.eu

COMPANY DETAILSCOMPLIUM LLC

Registry code: 14996517
VAT number: EE102267505
Office: Tornimäe 3//5//7, Tallinn, 10145, Estonia

PRIVACY POLICY OF COMPLIUM OÜ

INTRODUCTION

Complium OÜ is a legal entity with registry code 14996517, registered office at Narva mnt 7d, Tallinn 10117, Republic of Estonia. Complium OÜ was founded in Tallinn in 2020 and has developed into a recognised company in Estonia in the field of preventing money laundering and terrorist financing.

In the course of our activities, we collect and use your personal data in order to provide you with the best service, advice, and solutions, and to fulfil our contracts with you.

We protect your data and privacy in all ways provided by applicable law.

In order to ensure the secure processing of the aforementioned personal data, Complium OÜ has established processing rules, administrative regulations and other organisational, IT and physical data protection measures.

Secure personal data processing measures extend to all information systems and human activity processes used, including employees, suppliers, customers, service providers and other third parties who have access to personal data processed by Complium OÜ.

The information contained in this Privacy Policy applies to the personal data of natural persons, but not to the data of companies or other legal entities or institutions. The information also applies to the personal data of all natural persons engaged in vocational and professional activities (e.g. employees of a company or organisation). If you communicate with us as a person related to a Business Customer, we will also register and use your personal data.

WHY DO WE COLLECT AND USE YOUR PERSONAL DATA?

We collect and use your data to provide you with the best advice and solutions, to fulfil our agreements with you, and to comply with our legal obligations regarding the collection and retention of personal data.

This means that we collect and use your personal data if:

You have concluded a contract with us or are considering concluding one;
You have given us your consent to use your personal data;
This is our legal obligation, which may arise from, for example, the following legal acts:
- Law of Obligations Act;
- Taxation Act;
- Tax Information Exchange Act;
- Accounting Act;
- Money Laundering and Terrorist Financing Prevention Act;
It is necessary for the legitimate interests of Complium OÜ, including to prevent legal violations or damage, to strengthen the security of IT systems or payments, or for direct marketing purposes. We will only do this if our respective interest clearly outweighs your interest not to process your personal data;
If you communicate with us as a person related to our Business Customer, then depending on the content and scope of our communication, we may process your personal data for the following purposes:
- to perform our contractual obligations and to provide services to the Customers;
- to comply with the applicable legislation;
- for administrative purposes, including securing, supporting and maintaining our systems, platforms and other digital applications;
- to ensure adequate security while visiting our premises;
- to carry out the necessary checks to prevent crimes.

WHAT PERSONAL DATA DO WE COLLECT AND USE?

In its daily business, Complium OÜ processes various personal data, including:

employee data (data of existing, past and future employees);
customer data;
website visitor data;
subscriber data;
shareholder data.

If we are obliged to verify the correctness of personal data pursuant to the anti-money laundering regulations, Complium OÜ will check the personal data received from the Data Subject from state registers and other reliable sources. If necessary, the personal data received from the Data Subject will be supplemented and amended.

If Complium OÜ is an obligated person according to the anti-money laundering regulation, Complium OÜ is required to assess the risk of money laundering and terrorist financing. In this case, we process the personal data of the Data Subject (taking into account, for example, the Data Subject’s place of residence, field of activity, whether the Data Subject is a politically exposed person; in the case of a legal person represented by the Data Subject – its location, field of activity, management bodies and ownership structure) and the nature of the transaction. Based on the above, Complium OÜ applies due diligence measures either in a simplified or enhanced manner.

Special categories of personal data

In its economic activities, Complium OÜ does not collect personal data such as racial or ethnic origin, political views, religious or philosophical beliefs or trade union membership, genetic data, biometric data used for the unique identification of a natural person, health data or data about a natural person’s sexual life and sexual orientation.

Complium OÜ collects special categories of personal data in its economic activities only if we need them in order to provide you with service-related advice or to provide you with a service. For the processing of special categories of personal data, we will ask for your explicit consent, unless the law gives us the right to process special categories of personal data without your consent (e.g. to legally enforce our claims).

We may also collect other personal information if it is necessary to provide you with specific services or if required to do so by law.

Our ability to advise you and provide you with the best solutions depends to a large extent on how well we know you. Therefore, it is important that you provide us with correct and accurate information and keep us informed of any changes.

WHAT DO WE COLLECT AND USE YOUR PERSONAL DATA FOR?

Complium OÜ processes personal data in order to:

enter into contracts, provide services to persons and ensure the fulfilment of obligations;
clarify under which conditions to provide services and sell goods;
make Customer-oriented offers;
conduct customer satisfaction surveys;
provide convenience services to the customer and deliver announcements;
comply with legal obligations;
to ensure the realisation of a legitimate interest that complies with the data protection rules established in the European Union (EU).

We also collect and use data for other activities related to the provision of services, including the following activities:

customer management, consulting and administration;
assessment of creditworthiness;
development and management of our services and operations;
marketing of services;
identification and verification of identity;
debt collection;
protecting you and Complium OÜ against fraud;
responding to the legal requirements of third parties and complying with them.

We collect data directly from you or by monitoring your activities, such as when you:

fill out applications or other forms to receive services;
submit documents to us on paper or via electronic correspondence.

We will only retain your data for as long as it is necessary for the purpose for which we collected and used your data, unless otherwise provided by applicable law, or as follows:

We retain the personal data for up to three years from the beginning of the year following the end of your communication thread;
We retain accounting data for up to 7 years from the end of the financial year when the transaction was recorded in our accounting system.

After the expiry of the Personal Data retention period, we may retain your Personal Data for longer than is necessary to comply with a legal obligation or requirement, to resolve legal disputes, or to ensure the performance of a contract with us.

At the end of the personal data retention period or if the legal basis related to the purpose of processing personal data ceases to exist, we may retain materials containing your Personal Data in backup systems, from which they will be deleted at the end of the backup cycle. During the backup period, we implement appropriate measures to ensure the security of backed up materials. Backed up materials are decommissioned, not processed for any purpose, and erased as soon as possible, i.e. at the end of the backup cycle.

THIRD PARTIES AND YOUR PERSONAL DATA

Personal data received from third parties

We register and use personal data obtained from third parties, such as:

from a national register, such as the business register, the population register or another public source or register. We collect and use this data, for example, to verify the accuracy of the data;
from credit agencies and payment default registers. We collect and use this data to assess creditworthiness. We update the data regularly;
From the business partners of Complium OÜ, if we have your consent or if it is permitted by legislation.

Third parties to whom we disclose your personal data

In certain cases, we may disclose your personal data to third parties if:

you have asked us to do so;
it is required or permitted by law;
you have given your prior consent;
we disclose your personal data to credit rating agencies and registries after you fail to fulfil your obligations to Complium OÜ;
it is necessary for the development, maintenance and continuity of IT systems.

With your consent, when transferring personal data to data processors located in third countries (i.e. outside the European Union and the European Economic Area), we ensure the protection of your rights and that, in the event of such data transfer, your personal data is maintained at a level of protection that meets the conditions approved by the European Commission.

PROFILING AND AUTOMATED DECISIONS

Profiling

Complium OÜ does not perform automated processing of your personal data, the purpose of which would be to evaluate, analyse and forecast certain personal aspects related to a natural person, in particular such aspects related to the relevant natural person’s work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movement.

Automated decision-making

Complium OÜ does not perform automated processing of your personal data, the purpose of which would be to evaluate your personal data in order to take decisions that may restrict your rights and freedoms.

YOUR RIGHTS

Accessing your personal data

You can access the personal data collected and used about you, the sources thereof and the purposes of their use. You will be able to obtain information about how long we retain your data and to whom and to what extent we transmit it. Your right to access your personal data may be limited by applicable legislation, the rights of others to ensure their privacy, and the needs of our operations. Our know-how, trade secrets, internal assessments and materials may also be part of the information that cannot be accessed.

Right to state objections

You have the right to raise objections to the processing of your personal data, including if we rely on our legitimate interests in processing the data.

You also have the right to object to the use of your personal data for direct marketing.

Rectification or erasure of data

If your data is incorrect, incomplete or irrelevant, you have the right to request the rectification or erasure of the data, taking into account the restrictions arising from applicable legislation and the rights related to data processing.

Restriction of data use

If you find that the information we have collected about you is incorrect, or if you have objected to the use of the data, you may request that we restrict the use of the data to retention only. The use is limited to retention only until it is possible to establish the accuracy of the data or to verify that our legitimate interests outweigh your interests.

If you have the right to request the erasure of data, you can instead request that we limit our use of the data to the retention only. If we need the data we collect about you only to enforce or defend legal claims, you may request that the data not be used for purposes other than retaining. However, we may have the right to use the data in a different way if this is necessary to enforce the claims or if you have given your consent.

Withdrawal of consent

If the use of data requires your consent, you can withdraw this consent at any time. Please note that if you withdraw your consent, we may not be able to provide you with certain services. We will also continue to use your personal data, for example, to perform a contract with you or in accordance with legal requirements.

Data portability

If we use the data on the basis of your consent or agreement and the data processing is automated, you have the right to receive a copy of the data you have provided in an electronic machine-readable format.

Time of realisation of the rights, summarised in a table

Rights	Realisation
Right to consent to data processing	Consent is requested immediately upon data collection (if the data is collected directly from you) or within one month (if the data is collected from a third party)
Right to withdraw consent to data processing	Instantly, without unreasonable delay
Right to access data	Within one month of the application
Right to rectification of data	Within one month of the application
Right to erasure of data, “to be forgotten”	Instantly, without unreasonable delay
Right to restriction of data processing	Instantly, without unreasonable delay
Right to data portability	According to the submitted application
Right to state objections	Proceedings shall be initiated on receipt of an objection
Rights related to automated processing or profiling.	According to the submitted application

USE OF COOKIES

Complium OÜ uses cookies on its websites. Cookies are small text files that are downloaded to your device when you visit our website.

By continuing to use our website, you consent to the use of cookies in accordance with the rules of these terms and conditions.

If you do not agree to the use of cookies, you have the option to configure your browser so that your computer does not store cookies. In this case, however, we cannot guarantee that all functions on our site will work correctly for you. More information on managing and disabling cookies can be found on the website http://www.allaboutcookies.org/

With the help of cookies, we can improve the quality of services. We use cookies to collect statistical data, to remember the preferences of the visitor of the page, to serve advertisements.

When visiting Complium OÜ websites, our data analysis and advertising partners (Google Analytics, Facebook, YouTube, etc.) can also store cookies on your device.

SECURITY OF PERSONAL DATA PROCESSING

Complium OÜ stores personal data only for the strictly minimum necessary time. Personal data with an expired retention period will be destroyed using best practices.

Complium OÜ ensures the protection and appropriate security of personal data, including against unauthorised or illegal processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Access to personal data is granted only to processors who have the necessary right to do so and only to the extent necessary to achieve the purpose arising from the legitimate interest.

Complium OÜ confirms that it complies with the requirements in force in the EU regarding the protection of personal data. Complium OÜ makes every effort to protect personal data. We process personal data only for specific and legitimate purposes and only to the extent necessary for such purpose. We also demand the same values and adherence to our personal data processing rules from our cooperation partners.

In the event of any incident involving personal data, Complium OÜ will take all necessary measures to alleviate the consequences and to mitigate similar risks in the future.

TERMS OF USE OF NOTIFICATIONS

Notifications are offers sent to the subscribers through communication channels that, in the opinion of Complium OÜ, may be of interest to the subscribers.

You can opt out of notifications at any time. To unsubscribe from the newsletter, you can click on the link at the end of the letter. To opt out of other notifications, please contact office@complium.eu.

By subscribing to the newsletter, you consent to the retention and processing of your personal data in accordance with our rules. Personal data will not be shared with third parties.

Complium OÜ processes your personal data in accordance with EU data protection and other personal data protection legislation.

If you have any questions, please contact office@complium.eu.

CONTACT INFORMATION AND SUBMISSION OF COMPLAINTS

If you have any questions regarding your rights in relation to the processing of your personal data, or if you have any questions about how we collect and use personal data or if you are not satisfied with the way we process your personal data, please contact us:

Complium OÜ

Address: Narva mnt 7d, Tallinn 10117, Republic of Estonia

Phone: +372 587 46 380

Email: office@complium.eu

If your data protection contact with Complium OÜ has not produced a satisfactory result, you have the right to submit a relevant dispute with Complium OÜ or file a complaint with a supervisory authority:

Data Protection Inspectorate

Tatari 39, Tallinn 10134

phone: +372 5620 2341

Email: info@aki.ee

website: www.aki.ee

Last updated 05.01.2023

Subject:	Advanced Training of Anti-Money Laundering and Countering Terrorism Financing (AML/CFT) for Virtual Currency Service Providers

Target Group:	Members of the Board, Money Laundering Reporting Officers for the Financial Intelligence Unit, Anti-Money Laundering service providers and employees who are responsible and/or manage and/or organize the prevention of money laundering and terrorist financing in virtual currency service providing companies.

Objective:	To ensure that the virtual currency service provider is prepared to implement anti-money laundering requirements, to map its risks (i.e. “vulnerability” in the context of money laundering), determine its risk appetite, prepare a risk assessment, develop a risk management methodology and approve risk mitigation rules. In addition, to prepare the Rules of Procedure, implement the due diligence measures and monitor its compliance according to the Internal Control Rules. The aim of this advanced training is to provide additional knowledge from the perspective of the regulator, to present essential nuances in legal regulation of money laundering prevention, documentation requirements and solutions to most common problems in the application of procedural rules. Also, to introduce the most common problems related to the due diligence, the nuances of KYC and KYT procedures and relevant case studies.

Description of the Subject Content:	1. A more in-depth overview of the legal regulations preventing money laundering. Expectations from the regulator. What lies behind the field terms and definitions. Requirements for identification of persons. 2. Responsibility of the Member of the Board for preventing money laundering; obligations of the MLRO. 3. Risk assessment and Risk Appetite (exercises based on a specific company’s business plan). 4. Mitigating KYC and KYT risks regarding persons, documents, transactions and implementation of proper due diligence measures. 5. Case analysis.	3 h 1 h 4 h 6 h 3 h

Learning Outcome:	Learner who has completed the training: – knows the professional legal space, – knows the established requirements for virtual currency handlers, – knows the tasks and responsibilities of the: 1st line of defense, of the 2nd line of defense and of the 3rd line of defense, – can adapt and implement due diligence measures to prevent money laundering in the company, if necessary, – knows and is able to recognize possible frauds when carrying out KYC and KYT procedures.

Study form:	Online lecture and independent exercises.

Requirements for graduation	Passing the exam

Evaluation method	The exam threshold is 70% correct answers in the written test.	1 h

Document to be issued	Certificate.

Volume of study:	Total 18 hours.