AML/CTF Compliance in Estonia [Guide]

In the past decade, Estonia has become an attractive choice for fintech startups and financial institutions aiming to broaden their operations in Europe. However, this “rising star” status obliges companies to stay compliant with ever-evolving AML/CTF requirements, which we explore in this in-depth article.

To counter and prevent financial crimes, Estonia relies on the “Anti-Money Laundering and Terrorist Financing Prevention Act,” which was established in 2008 as a foundational measure against criminal activities. This framework applies not only to financial entities but also to non-financial businesses. These regulations in Estonia align with the standards set by the Financial Action Task Force (FATF) and the European Union.

Facts to remember:

  • The Financial Intelligence Unit (FIU) is tasked with investigating and scrutinizing potentially suspicious transactions that could be linked to terrorist financing or money laundering.
  • The Estonian finance ministry holds the responsibility for regulating financial institutions and establishing new policies to combat financial crimes. 
  • Both financial organizations and virtual asset service providers are mandated to conduct risk assessments and submit reports on suspicious transactions to the FIU.

Reporting to the Financial Intelligence Unit (FIU) of Estonia

The Financial Intelligence Unit of Estonia is responsible for receiving and analyzing AML-related reports. It plays a crucial role in identifying and preventing money laundering and terrorist financing activities.

The obliged person has a reporting duty if, in the course of economic or professional activity or the provision of professional services, they identify activities or circumstances, including:
  • Those whose characteristics point to the use of proceeds from criminal activities;
  • The financing of terrorism-related activities;
  • Related crimes and attempts at such activities;
  • Activities that they suspect or know to be money laundering, terrorism financing, or the commission of related crimes.

In all of these cases, they are obliged to report this to the Financial Intelligence Bureau immediately, but no later than two working days after the activity or circumstances have been identified or suspicion has arisen.

Entities are required to report large currency transactions to the FIU. These reports provide information about transactions involving a specified amount of currency or other monetary instruments.

Cash Transaction Reporting Obligations

The obliged person, with the exception of a credit institution, must notify the Financial Intelligence Unit immediately, but no later than two working days after the transaction, of any transaction that becomes known where a financial obligation exceeding 32,000 euros or an equivalent amount in another currency is settled in cash, regardless of whether the transaction is made as one payment or as several interconnected payments within a period of up to one year.

Credit Institution Reporting Obligations

The credit institution must notify the FIU immediately, but no later than two working days after the transaction, of each currency exchange transaction in cash in the amount of more than 32,000 euros if the credit institution does not have a business relationship with the person participating in the transaction.

Country-Specific AML Compliance Requirements

In Estonia, alongside the anti-money laundering directives of the European Union, the central regulation addressing money laundering is the Money Laundering and Terrorist Financing Prevention Act, enacted in 2017.

In January 2020, this act underwent amendments to encompass virtual currency service providers, subjecting them to the same regulations as traditional financial institutions.

Consequently, cryptocurrency firms are now obligated to:

  • Ensure the enhancement of internal anti-money laundering protocols.
  • Designate a compliance officer to oversee AML measures. 
  • Conduct an assessment to verify the competence and qualifications of the firm’s management through a ‘fit and proper test.’
  • Declare Estonia as the primary location of the firm’s operations. 
  • Secure a payment account with an institution that is registered within Estonia or the European Union.

Financial institutions and other entities subject to AML regulations are required to perform customer due diligence (CDD) to verify the identity of their customers. This involves collecting and verifying information about the customer’s identity and the purpose of the business relationship.

The obligated person does not have to keep the originals or copies of the documents that are the basis for establishing identity and verifying the information provided if:

  • The identity was established using the means of e-identification and e-transactions trust services;
  • The document is available to the obligated person in the state’s electronic database.

Which Companies Must Follow AML Requirements in Estonia?

The Estonian Financial Intelligence Unit (FIU) is the main regulator, determining that the following institutions are responsible for ensuring compliance with AML laws and regulations:

  • Credit institutions
  • Financial institutions
  • Cryptocurrency exchanges
  • Organizers of gambling, except for commercial lotteries
  • Persons who mediate the purchase or sale of real estate
  • Persons who mediate real estate usage transactions, if the usage fee to be agreed upon in the transaction is at least 10,000 euros per month

It’s worth mentioning that AML laws in Estonia apply not only to crypto exchanges and digital wallets but also to cryptocurrency transfer services and trading platforms, in line with FATF’s recommended Risk-Based Approach (RBA).

That means all digital asset service providers must comply with AML/CFT regulations, including registration or licensing and implementing strong suspicious transaction monitoring systems.

What are the Penalties for Non-Compliance in Estonia?

For a natural person, the penalty is up to 5,000 euros the first time and up to 50,000 euros each subsequent time in order to compel the person to perform one and the same duty or obligation, but not more than 5,000,000 euros in total.

For a legal person, the penalty is up to 32,000 euros the first time and up to 100,000 euros each subsequent time in order to compel the person to perform one and the same duty or obligation, but not more than the higher of 5,000,000 euros or 10% of the total annual turnover of the legal person according to the latest available annual accounts approved by its management body.

What is the Mandatory Time Frame for Storing Data?

The obliged person must keep the originals or copies of the documents specified in § 20 subsection 2 1 and § 21, 22, and 46 of this Act, the information registered in accordance with § 46, and the documents that form the basis of the establishment of a business relationship for five years after the end of the business relationship.

How do You Stay Compliant with AML Laws in Estonia?

Entities subject to AML regulations must maintain records of customer identification, transaction history, and other relevant information for a specified period. This helps ensure compliance and facilitate investigations.

Entities must also establish and maintain internal controls, risk assessment procedures, and employee training programs to prevent money laundering and terrorist financing.

Compliance teams must thoroughly examine and comprehend Estonia’s regulatory framework, particularly focusing on the Money Laundering and Terrorist Financing Prevention Act. They should then align their risk-based strategies with the country’s specific mandates.

Below, we explain in more detail the main steps to perform identity verification, including information about required documents, data storing time, verification methods, and other technical requirements:

1. Using Technically Reliable Means

When identifying and verifying personal identity using information technology means, the service provider must use technical means with a high level of reliability that ensure reliable identification of personal identity and make it possible to prevent the alteration or misuse of transmitted data.

2. Establishing a Business Relationship

When identifying and verifying identity using information technology, a natural person or a legal representative of a legal entity who wishes to establish a business relationship and conduct an occasional transaction, as specified in subsections 1 and 2 of § 31 of the Money Laundering and Terrorist Financing Prevention Act, must use:

  • A digital identification document issued on the basis of the Identity Documents Act, or another e-identification system with a high level of reliability that is included in the list published in the Official Journal of the European Union on the basis of Article 9 of Regulation (EU) No. 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.08.2014, pp. 73–114).
  • An information technology device with a working camera, a microphone, and the necessary hardware and software for digital identification and an internet connection of sufficient quality.

3. Using Biometric Verification

When identifying and verifying identity, the service provider may use an information technology tool that enables the comparison of biometric data.

4. Being Aware of the Implemented Solution and its Capabilities

A natural person or a legal representative of a legal entity identifies themselves when entering the information system designated by the service provider and, upon establishing a business relationship and making a transaction, must confirm that they:

  • Have familiarized themselves with information on the use of information technology tools on the website of the service provider or in the designated information system; and
  • Agree to the conditions for identification and verification of identity using information technology tools.

A natural person or a legal representative of a legal entity using an e-resident’s digital identity card or another e-identification system with a high level of reliability is obliged to: 

  • Agree to the application of Estonian legal regulations;
  • Show the personal data page of a valid travel document issued by a foreign country to the service provider in front of the camera.

The obliged person must establish the identity of the customer and, in the relevant case, their representative, and must keep the following information about the person and, in the relevant case, their representative:

  • Name;
  • Personal identification number or, if it is not available, date of birth and residence or place of residence;
  • Information on the identification and verification of the right of representation and its extent, and, if the right of representation does not derive from the law, the name of the document on which the right of representation is based, the date of issue, and the name or title of the issuer.

The obliged person verifies the correctness of the data using information from a reliable and independent source. The obliged person also establishes the identity of the natural person on the basis of the following documents:

  • The document specified in § 2 subsection 2 of the Identity Documents Act;
  • A valid travel document issued in a foreign country;
  • A driver’s license that meets the conditions set forth in § 4 subsection 1 of the Identity Documents Act; or
  • In the case of a person under the age of 7, a birth certificate, as specified in § 30 of the Civil Status Act.

If it is impossible to see the original government-issued document, a notarized or officially approved document or other information from a reliable and independent source, including e-identification and e-transaction trust service tools, may be used to verify identity. In this case, using at least two different sources to verify the data is mandatory.
