KYC.IO

Global Regulations and Requirements for KYC Onboarding
(powered by KYC-Chain)

KYC to onboard domestic persons

nameidentity card

KYC to onboard international persons

nameidentity card

corporate requirements

legal personLegal persons registered in Estoniaregistration certificate

National ID card name

ID-kaart

National ID Photo

back of national id photo back

Does the country have Esignature Laws?

The Estonian ID Card and Digital Signature Concept

E-sig law files

The_Estonian_ID_Card_and_Digital_Signature_Concept.pdf

What year did the relevant AML laws and regulations become effective?

2008

Further details on AML regime

2008 (initial legislation was adopted in 1999).

Who is the regulator for AML controls for Banking

The Estonian Financial Intelligence Unit is the main supervision unit And The Estonian Financial Supervision Authority also regulates banks, management companies etc.

Link to site

https://www.politsei.ee/en/organisatsioon/rahapesu-andmeburoo/

Other financial Services

N/A

Website of Regulator

N/A

Financial Sector regulator

N/A

Practical Guidance for AML

The Estonian Financial Intelligence Unit , The Estonian Financial Supervision Authority

Practical guidance PDF's

index.php

Is there a requirement to verify the identity of customers retroactively?

No.

Retroactive details

No.

Has the country been the subject of FATF mutal evaluation in the last 3 years?

Yes,

PDF of FATF review

moneyval

Are there minimum transaction thresholds (Y/N)

Yes

More details on minimum transaction thresholds.

Due diligence measures are always required upon establishment of a business relationship and upon suspicion of money laundering or terrorist financing (regardless of any limits provided by law). Otherwise, there is a EUR15,000 threshold for transactions (regardless of whether one or several related payments); EUR6,400 upon provision of currency exchange services; EUR2,000 for organisers of games of chance, regarding all persons who pay or receive more than that in a single transaction or several related transactions.

What are the requirements for customer identification information for individuals

An obligated person shall identify a natural person (face-to-face) and verify the person on the basi

Details to be Collected on Corporates

An obligated person shall identify a legal person and its passive legal capacity and verify the information obtained. Legal persons registered in Estonia and branches of foreign companies registered in Estonia shall be identified on the basis of an extract of a registry card of the relevant register. Foreign legal persons shall be identified on the basis of an extract of the relevant register or a transcript of the registration certificate or an equivalent document which has been issued by a competent authority or body not earlier than six months before submission thereof.

What are the high level requirements around beneficial ownership (identification and verification)?

Identification of the beneficial owner is a part of due diligence measures, it includes gathering information about the ownership and control structure of a legal person, trust, civil law partnership or other

What circumstances are enhanced customer due diligence measures required?

a) if the nature of a situation involves a high risk of money laundering or terrorist financing; b) if a person participating in a transaction, in a professional operation, or using a professional service; or a customer has been identified and verified without being present at the same place as the person or customer; c) if upon identification or verification of a person suspicion arises regarding the truthfulness of the data or authenticity of the documents submitted or regarding the identification of the beneficial owner or beneficial owners; and d) if a subject is a politically exposed person of a contracting state of the European Economic Area or a third country or their family member or close associate

How should FI's deal with Politically exposed persons

Upon establishment of a business relationship with or entry into a transaction with or performance of a professional operation for or provision of professional services

What enhanced due diligence must be performed for correspondent banking relationships?

The regular due diligence measures shall be applied more frequently than usually. Additionally, the following requirements must be implemented: a) appropriate risk-based internal procedures for making a decision on establishment of a business relationship or entry into a transaction applied; b) the management board or a person or persons authorised by the management board shall decide on establishment of business relationships; and c) upon establishment of a business relationship and entry into a transaction, appropriate measures taken for identification of the origin of the money or other property used. Also at least one of the following enhanced due diligence measures shall be undertaken: a) identification and verification of a person on the basis of additional documents, data or information, which originates from a reliable and independent source or from a credit institution or a branch of a credit institution registered in the Estonian commercial register or from a credit institution which has been registered or has its place of business in a contracting state of the EEA or in a country where requirements equal to the Estonian legislation are in force, and if in such credit institution the person has been identified while being present at the same place as the person; b) application of additional measures for the purpose of verifying the authenticity of documents and the data contained therein, among other things, demanding that they be notarised or officially authenticated or confirmation of the correctness of the data by the credit institution which issued the document; and c) making the first payment relating to a transaction through an account opened in the name of a person or customer participating in the transaction in a credit institution which has its place of business in a contracting state of the EEA or in a country where requirements equal to those provided for in Estonian legislation are in force. Also enhanced due diligence measures shall be undertaken upon opening a correspondent account with a credit institution of a third country and during the period of validity of the respective contract, thereby regularly assessing the following: a) based on public information, the nature of the economic activities and the trustworthiness and reputation of the credit institution of the third country and the effectiveness of supervision exercised over the credit institution; and b) the control systems of the credit institution of the third country for prevention of money laundering and terrorist financing. The contract serving as the basis for opening a correspondent account or the rules of procedure of the credit institution shall contain the obligations of the parties: a) upon application of due diligence measures for prevention of money laundering and terrorist financing, including with regard to a customer having access to a payable-through account or another similar account; b) upon submission, on the basis of a query, of data gathered in the course of identification of customers and verification of submitted information; and c) upon preservation of data and upon performance of the notification obligation and application of other measures for prevention of money laundering and terrorist financing. Prior consent of the management board of the credit institution or financial institution or the person authorised by the management board is required for opening a correspondent account for a credit institution or a financial institution of a third country or for opening a correspondent account in a third country credit institution or financial institution or for signing the corresponding contract. Credit institutions and financial institutions are prohibited to open or hold a correspondent account in a credit institution, which meets at least one of the following conditions: a) the actual place of management or business of the credit institution is located outside its country of location and the credit institution is not part of the consolidation group or group of undertakings of a credit institution or financial institution that is subject to sufficient supervision; b) an account for a credit institution corresponding to the characteristics specified in clause 1) has been opened in the credit institution; and/or c) according to international standards or the circumstances provided for in this section, which are to be used as a basis for assessment, deficiencies become evident in the trustworthiness of the executives of the credit institution and in assessment of measures for prevention of money laundering and terrorist financing

Are relationships with banks who might be considered a 'shell' and without substance permitted?

No, Estonian law does not regulate such situations. However, every person must take all necessary steps to avoid money-laundering activities taking place.

In what circumstances is additional due diligence required for non face-to-face transactions and/or relationships?

Always, in the case of a person participating in a transaction, in a professional operation, or using a professional service; or a customer has been identified and verified without being present at the same place as the person or customer.

To whom are SAR's made? (suspicious activity reports)

Estonian Financial Intelligence Unit

Link to website of SAR reporting

https://www.politsei.ee/en/organisatsioon/rahapesu-andmeburoo/

Other Suspicious or unusual transactions obligations.

An obligated person, except a credit institution, shall immediately, but no later than within two working days of executing the transaction, notify the Financial Intelligence Unit of any transaction where a financial obligation exceeding EUR32,000 is performed in cash, regardless of whether the transaction made is a single payment or several related payments. A credit institution shall immediately, but no later than within two working days of executing the transaction, notify the Financial Intelligence Unit of any currency exchange transaction exceeding EUR32,000 in cash, unless the credit institution has a business relationship with the person participating in the transaction.

Are there any de-minimis thresholds below which transactions do not need to be reported?

No.

Are there any penalties for non compliance with reporting requirements e.g. tipping off?

Both failure to report suspicion of money laundering or terrorist financing and submission of incorrect information as well as unlawful notification of information submitted to the Financial Intelligence Unit are offences punishable by a fine up to EUR1,200 or detention (for individuals) or up to EUR32,000 (for legal persons).

Are there any requirements (legal or regulatory) to use automated Suspicious Transaction monitoring technology?

No.

Is there a requirement to obtain authority to proceed with a current/ongoing transaction that is identified as suspicious?

The obligated person has the right to refuse to enter into such a transaction, and they shall immediately, but no later than within two working days from identifying the act or circumstances, or from the rise of the suspicion, notify the Financial Intelligence Unit.

Does the local legislation allow transactions to be monitored outside the jurisdiction?

Is there a legal requirement for a bank’s external auditor/other external organisation to report on the bank’s AML systems and controls?

Yes. External auditors must inform the Estonian Financial Supervision Authority if they find out that a credit institution materially violates Estonian law.

If an external report on the bank’s AML systems and controls is required: a) how frequently must the report be provided?

N/A

To whom should the report on AML systems be submitted?

N/A

Is an AML system part of the financial statement audit?

N/A

What are the requirements for the content of this external report on a bank’s AML systems and controls? Does it require: a) sample testing of KYC files? b) sample testing of SAR reports? c) examination of risk assessments?

N/A

Data Protection Laws And Personal Data

yes

Data Protection for Corporate Data

Data protection for "sensitive Data" and additional protections.

yes, sensitive personal data is: a. data revealing political opinions or religious or philosophical beliefs, except data relating to being a member of a legal person in private law registered pursuant to the procedure provided by law; b. data revealing ethnic or racial origin; c. data on the state of health or disability; d. data on genetic information; e. biometric data (above all fingerprints, palm prints, eye iris images and genetic data); f. information on sex life; g. information on trade union membership; and h. information concerning commission of an offence or falling victim to an offence before a public court hearing, or making of a decision in the matter of the offence or termination of the court proceeding in the matter

Do any restrictions on the transfer of credit reports exist?

There is a general principle that the processing of personal data is permitted only with the consent of the data subject unless otherwise provided by law. The consent shall clearly determine the data for the processing of which permission is given, the purpose of the processing of the data and the persons to whom communication of the data is permitted, the conditions for communicating the data to third persons and the rights of the data subject concerning further processing of his or her personal data. Silence or inactivity shall not be deemed to be consent. Consent may be partial and conditional: a) in such case the person communicating personal data has to establish the legitimate interest of the third person, verify the accuracy of the data to be communicated and register the data transmission; b) written consent of the data subject needs to be obtained; and c) written consent of the data subject needs to be obtained.

Regulator Acronym

FIU, EFSA

Year of last FATF mutual evaluation

2016

National ID card details

Compulsory by law, but there is no penalty for not having one.

Compulsory?

National ID source

https://en.wikipedia.org/wiki/Estonian_ID_card

Passport Photo

practical Guidance yes / no

Is there a risk based approach

Legal Requirement

Yes

Requirement to proceed

Yes

requirement to use automated suspicious transaction tools

Who are SARS made to?

EFIU

shell banks

EDD for correspondent banking

Yes

PDF of case law

Minimum transactions

EUR 15,000

Min transaction USD

16394

Personal Data protection

Personal Data Protection Act

http://workspace.unpan.org/sites/internet/Documents/UNPAN041922.pdf

If the AML laws and/or regulations became effective in the last 2 years, what were the requirements of the previous AML regime?

N/A

Non financial sector (e.g. casinos, high value goods etc.)

N/A

Does the country have a risk based approach?

Yes

Where copies of identification documentation are provided, what are the requirements around independent verification or authentication?

A copy shall be made of the page of an identity document submitted for identification which contains the personal data and a photograph. In addition, upon identification and verification the following personal data shall be registered: a) the name and the representative’s name; b) the personal identification code or, upon absence of a personal identification code, the date and place of birth; c) the name and number of the document used upon identification and verification of persons, and its date of issue and the name of the agency which issued the document; and d) the name of the document used upon identification and verification of the right of representation, and its date of issue and the name of the issuer. In certain cases the address of the place of residence and the profession or area of activity of the person shall be registered. A representative of a legal person of a foreign country shall, at the request of an obligated person, submit a document certifying his or her powers, which has been notarised or authenticated pursuant to an equal procedure and legalised or authenticated by a certificate substituting for legalisation (apostille), unless otherwise prescribed by an international agreement.

Is there case law, other constitutional law or any other laws or regulations that may impact upon the transfer of information to this jurisdiction?

List of case law, constitutional law or any other laws or regulations that may impact upon the transfer of information.

Yes, under Article 88 of the Credit Institution Act generally all data and assessments which are known to a credit institution concerning the clients of the credit institution or other credit institutions are deemed to be information subject to banking secrecy. However, the following data are not deemed to be information subject to banking secrecy: a) data which are public or available from other sources to persons with a legitimate interest; b) consolidated data on the basis of which data relating to a single client or the identities of persons included in the set of persons referred to in the consolidated data cannot be ascertained; c) a list of the founders and shareholders or members of a credit institution and data relating to the sizes of their holdings in the share capital of the credit institution, regardless of whether or not they are clients of the credit institution; and d) information relating to the correctness of the performance of a client’s obligations to a credit institution.