Behind the curtains: our licensing process

Behind the curtains: our licensing process

Behind the curtains: our licensing process

Edit September 2018: The application to obtain a Payment Institution license from Estonian Financial Supervision Authority was submitted 17.09.2018. The processing and due diligence process will take between 5-6 months.

Why do we need a license at all, what does a payment institution license mean, why we’re applying in Estonia, why can we provide services only in the EEA, and why we’ve been rather quiet regarding this topic are all questions we hope to answer with this blog post.

Our goal has always been to do things right. Whether it’s hiring an engineering team or providing our services, we make decisions for the long term. Sometimes this means saying no to quick business opportunities or spending time on setting up clear procedures, but only this will enable us to be a trustworthy partner to our customers for years and decades to come.

Currently Change is licensed to provide a cryptocurrency wallet and exchange service from Estonia to the most of the European Economic Area countries. But to truly bridge the gap between cryptocurrencies and traditional finance we need to get into the high league — this means obtaining a license to provide financial services under full conduct and prudential supervision regime.

In autumn 2018 we will submit our application to the EFSA (Estonian Financial Supervision Authority — basically the local version of UK FCA, German BaFin) to obtain a payment institution license. This license will enable us to provide almost the same products and services as banks, except investment services, accepting deposits and giving out credit on top of these deposits.

Why do we need a license in the first place?

Today there is a lot of competition in the cryptocurrency industry — new players are entering the field daily and old players are expanding fast, backed with vast resources and large teams. The industry is new and just reaching the “mainstream” market, so the opportunities (and demand) for new services and business models is growing exponentially.

To stand out in such a rapidly changing industry and build a product that offers most value to millions of people, you need to experiment. A lot and very fast. As we’ve previously described in our engineering principles post, iteration speed is a crucial metric for our success — you cannot build a great product without constant feedback from real users. Build, measure, learn, and repeat.

Lean methodology principles. Source:

In many industries, your time-to-market speed depends mostly on your team delivering. Now in finance another very important player is introduced- regulation. In any regulated field, is it medicine or finance, you are handling assets most important to people like their health or hard-earned money, so having an authorization to provide these services is an obvious pre-condition.

Many crypto-companies have decided to find the grey areas within current regulation or go blank-point against the law. We want to do things differently. We believe to become a truly trustworthy partner for our customers, not just today but for the next decades to come, we have to “play by the rules” and where possible push the envelope.

The reputation and trustworthiness of companies operating with cryptocurrencies has definitely improved during last year but there is still a long way to go — for example there are not that many banks willing to partner with crypto-companies. But being supervised by the same competent authorities as banks and having a proper license will open new avenues of partnership and enable to negotiate much better terms.

Of course we can influence the current and upcoming rules and regulation through local and global lobbying efforts, educating policymakers, creating and advocating success cases etc, but the results will take time. For now to be able to operate with traditional currencies and bringing products to market often and fast means obtaining a financial institution license.

It is a lengthy undertaking, but we want to ensure all our customers we are in it for the long term. Even when the bubbles burst and hype will blow over, Change will be standing here for you with your assets protected by us and competent authorities.

Long story short: Get licensed. Bring better products to market. Iterate fast. Change finance.

A what license?

In our preparation process we were considering three different licenses:
1) Credit institution (i.e. banking) license (like N26, solarisBank, Klarna)
2) Money remittance license (like Western Union, MoneyGram, WorldPay)
3) E-money and payment institution license (like TransferWise, Revolut, Circle).

Quickly we realized the previously planned banking license is unnecessary for our goals — the only difference with other options is taking in deposits and giving out loans from these resources. A business model we have never wanted to pursue.

This left us with two options which are governed by the same law and only differences here are the payment account and right to issue e-money.

Becoming a fully regulated financial institution

1. Choose jurisdiction

Licenses can only be obtained to provide services in specific regions. We have decided to start close from home and apply for our license in Estonia for many reasons. Most important of them:

1) A large market — enables us to passport our license to provide services across the huge market of European Union — 500M customers geographically close and culturally similar to what we know;

2) Well known legislation — we are most familiar with the legal frameworks in Estonia and the EU. More in-house expertise and less money spent on lawyers;

3) Tough entry barrier — Estonia and EU in general is known as a strict legal environment, especially regarding the financial industry. Where most would want to avoid harsh rules, we believe that once validated here, we will be able to expand easily across the world. If you were compliant enough in a conservative European country, you’ll be more than fine elsewhere. This means we will be very well positioned for the fast scale-up phase, contrary to some of our competitors.

4) Everyone across the street — strong relationship and close contact with the supervisory authorities, governmental entities, policy makers etc. Estonia is jokingly known as the “country of one degree separation” (instead of the usual six). Nowhere else can you as an average citizen get a lunch with the Prime Minister for next month.

Overall this means we can get the license sooner and with less resources than starting from zero in a country we’re not operating in.

Two weeks ago we had our first official meeting with the EFSA, introducing our business plan, management and supervisory board. A neutral welcome at this meeting was also the reason why we haven’t been announcing any plans regarding our licensing process — we wanted to make the first impression face-to-face. This week we’ll have the next one.

2. Get the application package ready

As you can imagine, the process for obtaining a license to operate a financial institution is rather long and complex.

The application process is lead by our Head of Risk and Control Marek, who has luckily for us worked 10 years on the other side of the table as a financial regulator. In total we have 2 people working on it full time, but most of the team included as the application package needs input from every angle of our business.

Currently we’re about 4 months in and estimate another 2 months to go with the preparation of all necessary documents and other activities.

6 months?? Yes, we know. Just to give you a taste of what this process looks like, some examples what we’ve been busy with:

  • Appointing the internal auditors and financial auditors — interviewing all Big Four companies to understand their expertise and risk tolerance regarding cryptocurrencies, separately for financial and internal auditors;
  • Vetting potential supervisory board members — putting together a strong banking and fintech background supervisory board, where each candidate must be thoroughly vetted beforehand to be fully compliant with all requirements and expectations of the ESFA;
  • Writing our internal rules and processes — about 15 sets of procedures covering every single activity and move made in Change, from our internal control system to accounting principles and rules for logging into our computers;
  • Financial estimations — detailed financial predictions, balance sheets, income statements, cash flow statements, own funds reports, CAPEX etc for EVERY month until year 2022;
  • Pre-application meetings with EFSA and their specialists — building a trustworthy relationship and eliminating as many potential bottlenecks from the application package beforehand as possible.

To summarize, a lot of meetings, writing legal texts, exceling, writing some more legal texts in between some more meetings. And then scratching your head figuring out how to describe “lean principles” or “flat organisation” to a traditional supervisory authority.

Jokes aside, there is still a lot of work ahead, but we’re 2/3rds through and working every day to get this in the bag.

3. Hold your horses, answer queries and hope for the best

Once we’ve submitted the application in autumn, the EFSA has up to 6 months to review the application. During this time we can expect a great amount of detailed questions, instructions for necessary changes, extensive vetting and “fit & proper” tests to the management and supervisory board members etc. While not responding to queries, you just chew your nails off waiting for that final yes or no.

We have also considered the chance of receiving a no — we are definitely rather unique example with our orientation to cryptocurrencies compared to the traditional financial institutions here, so you’ll never know for sure. In that case, we have a plan B (and plan C) in place as well.

Why EEA?

Our vision has always been to build a global financial service platform. Unfortunately, like quite often in life, you cannot have it all at once if you want to do things right.

As mentioned above, you need to obtain separate licenses in every country you want to operate in (EU being the exception). Aiming for all of them at once, means an army of country-specific compliance officers, lawyers, lobbyists etc. We want to put the main focus on building a product that provides real value to our customers instead — hiring engineers, product people, UI/UX designers and putting all our effort into creating something beneficial for the mankind.


We have witnessed this strategy work very well with TransferWise, Klarna and iZettle among the others.

So the plan is to validate the product on the market we have an easy and (rather) quick access to and only then start expanding once we’re sure we’re expanding the right thing. Crystallize our value proposition and find a strong product-market fit, then we can open the marketing taps, scale, and expand to new markets.

We haven’t forgotten our dreams and promises to be available for everyone in the world, we just need to take it step by step to offer most value to all of you.

In the next compliance post we will offer more insight into the plans we have with CAG token. This is quite closely related to the topic covered in this post as with a proper license we will have maximum legal certainty with CAG token’s utility case.

AFTERNOTE: If it’s any consolation, you’re not the only ones taken aback by the news — here’s how our Card Product owner Gustav has looked like since we realized we’re limited to EEA for a while.

Sad Gustav

Download the Change App to buy and sell Bitcoin commission-free and order your crypto-friendly debit card. Available in Europe for iOS and Android.