Estonia AML Compliance — FIU Requirements, KYC & Transaction Monitoring
FIU Estonia AML requirements, KYC programs for VASP and payment firms, ongoing transaction monitoring obligations under the Estonian Money Laundering and Terrorist Financing Prevention Act.
What Compliance & AML includes in Estonia
What you receive
How it works
Where to register and how we differ
Compliance & AML in Estonia — frequently asked questions
All Estonian companies are subject to the Money Laundering and Terrorist Financing Prevention Act. Obligations include maintaining a written AML risk assessment, implementing a customer due diligence (CDD) policy, appointing a compliance officer (mandatory for obliged entities), and keeping transaction records for at least 5 years. Companies providing financial services, virtual currency services, or acting as company formation agents are designated obliged entities with enhanced requirements.
The FIU (Rahapesu Andmebüroo) requires obliged entities to file suspicious transaction reports (STRs), submit annual compliance reports, register with the FIU's information system, and undergo on-site inspections. Since 2022, the FIU has significantly increased enforcement activity, resulting in licence revocations and administrative fines reaching €400,000 per violation. VASP operators face the strictest scrutiny, with minimum capital requirements of €250,000 and mandatory substance requirements.
Estonian law requires all OÜs to register their ultimate beneficial owners (UBOs) — individuals owning or controlling more than 25% — in the e-Business Register. This information is publicly accessible. UBO data must be kept current; failure to update triggers fines. For complex ownership structures involving trusts or nominee arrangements, a declaration of indirect UBO is required. INNOVA verifies UBO compliance as part of its annual compliance review.
Estonian AML rules require EDD for: politically exposed persons (PEPs) and their associates, high-risk third countries as listed by the EU, non-face-to-face customer relationships, complex or unusually large transactions, and correspondent banking relationships. For VASP-licensed entities, blockchain analytics (e.g., Chainalysis or Elliptic) is increasingly required by the FIU during inspections to demonstrate transaction monitoring capability.
Non-compliance can result in FIU-issued precepts (corrective orders), administrative fines up to €400,000, suspension or revocation of regulated licences (VASP, EMI, PI), and in severe cases referral to the public prosecutor for criminal liability. The FIU publishes enforcement decisions publicly. Between 2022 and 2024, the FIU revoked more than 1,000 VASP licences following its compliance sweep. INNOVA provides annual AML audits to pre-empt regulatory issues.