Estonia’s new e-residency security focus: ‘You can’t launder money with a digital ID’

  • Post author:
  • Post category:News

Instead of the goal of gaining 10 million e-residents by 2025, Estonia is now focusing on security and usability.

By Kalev Aasmae for Estonia Uncovered | July 9, 2019 — 11:01 GMT (12:01 BST) | Topic: Innovation

In the four and a half years since launching its e-residency program, Estonia has spent around €8m ($9m) on the scheme but earned over €18m ($20m) from it in taxes and fees. The country has now 55,000 e-residents, who have founded over 6,500 companies in Estonia.

While the e-residency balance sheet shows a decent return, the numbers fall far short of its ambitious initial goal: to have 10 million e-residents by 2025.

Also, a new goal, introduced in 2017, of 20,000 companies founded by e-residents by 2020, does not look achievable.

SEE: Sensor’d enterprise: IoT, ML, and big data (ZDNet special report) | Download the report as a PDF (TechRepublic)

According to Ott Vatter, who has been at the helm since the program’s first director, Kaspar Korjus, left it in January 2019, these goals have been reviewed and the focus has shifted.

In December 2018, four years after the initial launch, an e-residency 2.0 white paper was published, to improve the quality of the service and ecosystem around it.

This white paper contains proposals from about 50 of Estonia’s top entrepreneurs and state officials. Vatter views it as a nationwide vision describing technological, legal, business, and community-building innovations.

He thinks implementation will make the e-residency program more secure, user-friendly, and transparent.

“For instance, we know that access to banking services remains an issue for e-residents. As a first step, we’ve already amended the Estonian Commercial Code to enable e-residents to use any bank or any fintech company from EEA [European Economic Area] to execute any business operation, including the payment of their share capital,” Vatter tells ZDNet.

“In addition, we’ve improved the delivery of digital ID cards to e-residents in cities where Estonia lacks a consulate or where the consulate is too busy. This year, additional pickup locations have been set up in Tokyo and San Francisco. Other new locations are also being planned.”

During the four and a half years, there have been incidents when e-residency has been used to run scams.

For example, one e-resident from India created a fake university in Estonia to grant bogus diplomas, and one e-resident from the Philippines turned out to be on the management board of almost 60 Estonian companies that were in difficulty.

According to Vatter, compared with the number of e-residents and their companies, incidents such as these are rare, and the program is now taking steps to tighten security.

“Prevention of fraud is a priority within all the Estonian institutions, although we must always bear in mind that in the business world the zero risk does not exist,” he says.

“E-residency in itself has not created any new risks, but risk mitigation should always be improved. That is why monitoring applicants before and after granting them e-residency needs to be risk-based.”

That policy means the program is looking for ways to improve the efficiency of the background checks for e-residents.

“As it’s become clear that most e-residents wish to visit Estonia at some point, it’s reasonable during the process of applying for the digital ID to check for any circumstances that would lead to a visa denial,” Vatter says.

As with migration procedures, the e-resident digital ID procedure is based on an identity proven by an internationally recognized travel document issued by the country of origin.

“Improvements to background checks are closely linked to the creation of the automated biometric identification system (ABIS), which will, among other things, help to solve any identity conflicts that may arise,” Vatter says.

This biometric identification system will be created by the Estonian Police and Border Guard Board. Although Vatter did not yet disclose any technical details, he stressed that automatically checking and comparing biometric and biographical data will help improve the security and reliability of identification, making the use of forgeries and false identities practically impossible.

Vatter says that recent money-laundering scandals linked to Scandinavian banks’ Estonian branches have not had any direct impact on the e-residency program, nor has any money been laundered using this service.

“E-residency means a person is offered a digital identity in the form of the digital ID document. You cannot launder money with a digital ID,” he argues.

“Furthermore, e-residency in its current form did not yet exist when the money-laundering cases happened. To open a bank account, e-residents are treated as non-residents, and the banks have the same obligations in terms of compliance with KYC and AML rules.”

In addition to security, usability is another focus for improvements in the e-residency program.

“Our objective under e-residency 2.0 is to offer e-residents better support in creating and growing their companies, which should also trigger higher revenue for the state. Doubling the revenue is not a goal in itself. What matters most is the growth of an average e-resident company value,” he says.

“We need to take into account that establishing and starting a company takes at least one to two years. That’s why new e-resident entrepreneurs must be given as much initial support as possible, to keep them motivated and help them through the rough spots.”

SEE: IT pro’s guide to GDPR compliance (free PDF)

As a result, the pool of providers offering start-ups high-quality advice and other services and products has to increase.

The state is also analyzing possibilities for an alternative means of authentication and digital signing for e-residents, including a mobile system or use of the home country’s digital identity with the highest qualification under the eIDAS EU electronic transaction standards.

“Since we are offering e-residents access to the Estonian business environment, our authentication solution must be one that the state would not hesitate to offer under its name,” says Vatter.

“Considering global trends like the spread, priority, and ever-wider use of smart devices, we see a need to offer e-residents an alternative authentication and signing tool, akin to the mobile-ID available to Estonian citizens and residents.”