AML Risk Assessment Report Approved by the Money Laundering Prevention Committee



The Estonian money laundering and terrorism financing prevention government committee approved at its scheduled meeting, on 28 April, the AML risk assessment (NRA) report. The government committee members also received an operational overview of the activities of the Financial Intelligence Unit, Financial Supervision Authority, Prosecutor’s Office and the Police and Border Guard Board, in the field of preventing money laundering, as well as preparations for the Moneyval evaluation.

The release of the AML risk assessment report is an important step in the fight against money laundering, according to the head of the government committee, Minister of Finance Keit Pentus-Rosimannus. “The cooperation of the public sector with entrepreneurs is important in mitigating the risks, established in the report. Virtual currencies, for example, that have been highlighted as with higher risk, require rapid regulatory changes, to better mitigate the risks. We must at the same time not entirely shut down the innovative sector in Estonia that is throughout the world developing very quickly. It is important to agree upon what kinds of crypto companies we want in Estonia, and which are undesired. The financial system of Estonia must be open to the law-abiding client and closed for violators of the law,” explained Keit Pentus-Rosimannus.

Below, we provide a brief summary made by RCA of the published risk assessment, focusing on the risks, problems, and possible solutions related to the virtual currencies and virtual assets that are mentioned in the report.

Summary of the Published AML Risk Assessment

  1. Under the leadership of the Ministry of Finance, a risk assessment of various sectors was conducted, which is the second time this has been done in Estonia and it covers the years 2017-2019. The risk assessment is a study aimed at highlighting the threats, vulnerabilities and risks related to money laundering, terrorist financing and the financing of the proliferation of weapons of mass destruction in Estonia, as well as the most common ways of money laundering or terrorist financing.
  1. The need for a AML risk assessment arose from a number of factors, in particular, due to past money laundering incidents at the Estonian branch of the Danish banking group Danske, but also from other banks. Put together, these cases have been a very serious lesson for Estonia and brought the field of anti-money laundering to the government’s attention.
  1. There are areas in Estonia where the risks related to money laundering and terrorist financing are higher than average. According to the AML risk assessment, the biggest threats and vulnerabilities of money laundering and terrorist financing are related to companies in the field of virtual currency with an Estonian activity licence. Up until 2019, the legislation regulating companies in the field of virtual currencies in Estonia was mild, and this facilitated the obtaining of activity licences also for those companies whose connection with Estonia was very small. Legislative changes that came into force in 2020 have helped to reorganize the sector, but urgent further steps are needed by the state to further mitigate the significant money laundering and terrorist financing risks associated with the sector.
  1. According to the AML risk assessment, the greatest threats to the Estonian financial sector are related to the movement of funds through Estonian virtual currency service providers and the activities of non-residents or e-Residents companies registered in Estonia that do not take place in Estonia.
  1. Among the fields, the providers of virtual currency services with the highest risk are those who have an Estonian activity licence, but whose actual business activities are minimally related to Estonia. They are at high risk for money laundering, terrorist financing and the financing of the proliferation of weapons of mass destruction. The stricter requirements for virtual currency providers that came into force in 2020 have not proved sufficient and there is still a lack of transparencies in the area.

Threats in the Sector of Virtual Currencies in Estonia

Estonia is specifically characterized by an exceptionally large number of subjects in the sector who have an activity licence issued in Estonia, but whose economic activities are directed outside Estonia, which is why the connection with the Estonian economy is very weak or completely non-existent. The Estonian state issues activity licences for virtual currencies without sufficient capacity to the subsequently verify compliance with the requirements of the activity licence and operational requirements (incl. due diligence obligations related to money laundering and terrorist financing). As a state, we take responsibility by “guaranteeing” the reliability of authorized companies, while without a real opportunity to prevent and manage the risks involved.

Virtual currency service providers in general are at the same time subject to many typologies, bearing the risks of money laundering, financing terrorists and weapons of mass destruction. Together with the aforementioned risk and the multitude of subjects, Estonia is currently exposing itself to high levels of financial crime and thus to a large risk of international reputation damage.

The virtual currencies field, combined with the possibilities of taking advantage of the Estonian e-Residency, creates a multi-layered anonymization scheme where the potential for terrorist financing is very high and due to the structure of the sector, this theoretical risk cannot be eliminated by other hedging mechanisms than by making significant changes in regulations and supervision.

Demand and interest in virtual currency licences has not decreased, but on the contrary, it is on a growth trend again, despite the additional requirements for applying for licences that came into force in the summer of 2020. At the same time, the number of foreign inquiries has not decreased, which indicates that despite tightening the rules, suspicious transactions that attract the attention of foreign law enforcement authorities continue.

From be above, two conclusions can be drawn:

    1. Suspected fraudulent activities of companies with virtual currency licences are becoming active.
    2. The application for virtual currency licences is reactivating despite the stricter requirements, which, taking into account the growing number of supervised entities and the limited supervisory resources, makes it complicated for the state to take control of the field.

Although virtual currencies are a popular means of payment among money launderers, virtual currency service providers are able to identify and report such persons and transactions by implementing appropriate investments and mechanisms. Therefore, the risk assessors consider that there is still an overall risk of money laundering in the virtual currency sector, as the relevant investments, expertise, and motivation, excluding individual service providers, are still low in the sector as a whole. There are also shortcomings at the regulatory level, both nationally and globally.

As the regulation of virtual currencies differs from country to country, countries do not have the same overview or control capacity of the sector. For example, one party of a transaction is located in a country where the participants in the transaction are not identified or verified, and the transaction history related to a particular person cannot be provided or is weakly regulated, information is not available to the FIU, and cash flow monitoring becomes impossible. In a situation where the compliance program is too burdensome for the customer compared to the measures applied by competitors, the service provider’s business is not sustainable or profitable, leading to closures or less anti-money laundering and anti-terrorist financing measures.

Statistically, the risk assessment pointed out that most cases of money laundering offenses were related to predicate offences committed outside of Estonia, and generally the role of persons located in Estonia was to receive money transferred from abroad and transfer it to other persons. In essence, the share of crimes of so-called self-laundering and third-party laundering crimes were divided in half. While in the case of self-laundering, the predicate offenses were mostly computer crimes, scams, participation in a criminal organisation, in the case of third-party laundering, the offenses were computer crimes, scams and tax fraud.

It is generally considered that virtual currency service providers are able to identify and report suspicious transactions to supervisors when implementing appropriate investments and IT solutions. The necessary investment, competence and motivation in the field as a whole is rising, but its level is uneven. It is important to increase the risk awareness of companies operating in the field and their greater contribution to the management of the risks related to the field and to the development of appropriate regulations to ensure the legal functioning of the sector.

Activities related to virtual currencies are regulated in Estonia. At the same time, the level of market entry is relatively low and there are too many virtual currency service providers for a market of the size of Estonia (419 as of 31.12.2020). In addition, the fact that many companies with non-resident owners enter the service providers’ market to obtain a licence issued by a supervisory authority to demonstrate the controllability of their activities by a public authority and the legitimacy of their activities is problematic. However, the fact is explicit, as it is not possible to effectively supervise the activities of persons who are not located in the territory of the supervising state. It allows companies providing virtual currency services to operate as is convenient and convenient for their customers, notwithstanding the fact that they, as obligated parties, are subject to increased requirements in terms of preventing money laundering and terrorist financing.

The product offered with the service—the virtual currency—is by nature a rapidly evolving technology and changes owners digitally. Moving assets virtually is extremely fast and hiding traces is also easy using various asset mixers. Although the movement of virtual assets generally leaves a public trace, the wallet owners’ data is not public, and it is also difficult to trace the route of assets that have gone through mixers. In addition, it is easier to open virtual wallets, i.e., a pool of assets, than a credit institution’s account in different countries, which makes it a risk. Particularly, if the service provider has not applied appropriate due diligence measures to exclude persons with suspicious or criminal backgrounds from its customers and has not contributed to the establishment of effective monitoring systems to identify suspicious transactions.

The cryptocurrency is converted to different virtual currencies, and the final recipient’s virtual wallet number is usually hidden. It is possible to use various blockchain registers to monitor the movement of virtual currency, but since the address of the virtual number is not personalized, the efficiency of such registers is almost non-existent.

Digitally, the movement of monetary values is increasingly about the use of cryptocurrencies. In Estonia, as elsewhere in the world, criminals have increasingly used this opportunity to legalize their money using virtual currencies. There is less transparency about the owners of cryptocurrency wallets, and although the transactions are technically open to everyone, the people behind it remain anonymous. Blurring measures are used to hide transactions, which do not allow the movement of assets to be monitored. When cryptocurrency is transformed into so-called regular money (FIAT currency), the payer is usually an intermediary, and it may not be possible to see who the owner of the asset actually is. It is difficult for credit institutions and other financial service providers to verify the origin of assets if a company providing virtual currency brokerage has not properly complied with due diligence measures.

New digital services for electronic payments are constantly being added, such as virtual currency services, which are not regulated at the legislative level, and which make the supervisory activities of the responsible authority resource-intensive and complex. Therefore, there is also no complete assurance that their activities are controllable and transparent. As the location of many service providers as well as their activities have moved outside of the country, it would be necessary to find solutions here as well.

E-Residency allows foreigners to use Estonia for not recommended business activities, which allows them to hide the real content and purpose of the company’s activities and the beneficiaries. The use of e-Residency by third country nationals as part of immigration schemes has been observed in an attempt to make migrants more credible in the residence permit or visa process.

If Estonian credit institutions and payment service providers refuse to make cross-border payments, the person may use cross-border financial service providers for money laundering.

There are real cases where obligated persons give up the provision of services in Estonia because the requirements for identification hinder the provision of the service. This is a serious threat to Estonia’s competitiveness, but it allows the use of services from unregulated companies even more, i.e., it pushes the provision of the services “underground”. In the light of the above, the national risk assessment concluded that the identification requirements should be comprehensively reviewed to avoid unnecessary complexity, while at the same time properly managing the risks with a solution that may realistically be able to identify and manage risks.

A major problem is the issue of determining the status of a member of the management board. The law stipulates, and it is clear from the explanatory memorandum that the location is determined by the importance of the duties of a member of the board, i.e., the management board is located where substantive management takes place: important decisions are made and members of the management board performing support tasks may also be located abroad. In practice, it is difficult to determine how the areas of work and responsibilities of the members of the management board are really divided, as only explanations and documents that the members of the management board can produce can distort reality. In conclusion, there is a high risk that, for example, if a company has two members of the management board, the member of the management board located in Estonia is a front man for whom evidence has been submitted as a responsible member of the management board. According to the information received by the Estonian Police and Boarder Board, Estonian persons who are not actually involved in the company’s activities have been written on the management boards. In addition to the above, specific issues related to the status of a member of the management board, a contact person or an AML contact person have also been discussed:

A) A representative of the board as a front man. The same person is a member of the management board in several virtual currency companies, i.e., more companies are created, but it is not clear why one person needs so many of them. From this, there is a suspicion that the member of the board may be a front man. Based on the current practice, an activity pattern emerges, where company service providers and law firms submit proper documentation when applying for an activity licence and after that they withdraw from the company’s management, often change the management body, introduce a board member who does not have substantive access to data.

B) Contact person as a front man. The contact person has been declared as a contact person in several companies, so it is not possible to ensure confidentiality in communication with supervisory and law enforcement authorities. There have also been cases where the contact person is a front man who does not know anything about the company’s activities. When a check is made, the person must always ask someone for more information, to which they should have direct access due to their employment.

C) The AML contact person of the virtual currency company does not have substantive access to the transaction information and does not have AML knowledge. The service of a law firm is often used, which has helped to apply for a licence, but which has no connection with day-to-day activities. The AML contact person is a front man with a minimum fee who does not have AML knowledge nor real access to the data.

Summary of Hazards

  • Cross-border transactions allow transactions from high-risk areas or high-risk customers that cannot be identified.
  • Virtual assets are easy to transfer to different countries and there are no uniform control and prevention measures at the global level. Criminals use systems of virtual assets, including currencies systems, to transfer value or buy products anonymously.
  • The decentralization of virtual currencies (internationalization and cross-border activity) does not allow for effective supervision and confiscation of assets.
  • The complexity of international cooperation.
  • Blockchain technology does not allow for effective monitoring of transactions and detection of suspicious transactions, which reduces the ability of law enforcement agencies to track criminal proceeds. The transactions are complex in terms of IT.
  • Pseudo-anonymity, opacity, and speed of transactions without disclosing the owner of the assets.
  • Blurring transactions, i.e., burring the link between the crime and the proceeds, giving the impression that the money is legally earned.
  • Online and cross-border services are offered at a higher risk (including dark web transactions, virtual assets, or cash transactions).
  • Virtual currency “mixing services” allow for greater privacy (e.g., illegally obtained virtual currency is mixed with legitimate, which makes it much more difficult, if not impossible, to track asset movements), faster transactions, lower transfer fees and less price volatility.
  • Virtual currencies can be acquired in cash or with money transferred by third parties, so the origin of the money cannot be properly established.
  • Virtual assets, including currencies, allow you to access money anonymously, hide the history of transfers, have private keys, withdraw cash from ATMs.
  • Decentralized service delivery channels (incl. ATMs).
  • Decentralized platforms that cannot interfere with customer transactions.
  • There is also a risk of virtual currency service providers who do not store private keys on behalf of customers but offer so-called tools that allow the customer to store their own private keys and, as a result, the service provider may not have access to the wallet.
  • Anonymity and opacity of transactions also fascinate criminals who see the possibility of legalizing their money through virtual currencies. There is less transparency about the owners of virtual currency wallets, and although the transactions are technically public, the people behind it may remain and will remain largely anonymous. For example, obscuration measures are used to hide transactions, which do not allow the movement of assets to be monitored. When crypto assets are converted into FIAT money, the payer is usually an intermediary, so it may not be clear who actually owns the assets. It is difficult for service providers to verify the origin of assets if the due diligence measures have not been done properly by the virtual currency brokerage service provider.
  • Opacity of transactions helps criminals to move monetary values quickly, especially through unregulated financial sector service providers. Virtual currency services are also in their focus. The lack of control makes it possible to “launder” the proceeds of crime. This is also facilitated by complex ownership structures and related party transactions. In the case of smaller service providers, such transactions may go unnoticed, among other things, due to a lack of competent human resources.
  • Virtual currencies can also be acquired by cash, which is anonymous in nature and therefore a risk of exploiting the financial system. Proceeds of crime may also be withdrawn in cash to break the link between the proceeds of crime and the user.

Risks Related to Virtual Currencies in the Activities of Small Fund Management Companies, Co-financing Platforms, and Gambling Operators

  1. The main problem with customer due diligence measures by unauthorized small management companies is the identification of the clientele to which due diligence measures should be applied in the first place. There is a perception in the sector that clients are small fund investors rather than portfolio companies which receive investments. As a result, several AML measures remain inapplicable to many individuals (i.e., portfolio companies) who should be subject to due diligence and the applicable due diligence is not applied knowingly. At the same time, very thorough knowledge is obtained about every portfolio company, including a thorough high-quality analysis of the portfolio company’s business model, which means an informal and procedure-based approach is chosen when applying due diligence measures, only an approach based on getting to know the client’s substance.
  1. On the 15th of January 2021, a bill on co-financing and other investment instruments and virtual currencies was published. The draft of the Bill seeks to regulate innovative ways of raising capital, in particular with a view to ensure greater investor protection.

The draft proposes to establish operational requirements and supervision in Estonia for:

  • co-financing platforms;
  • companies providing crypto assets, including virtual currency service providers;
  • other companies that offer so-called alternative investment opportunities but are not yet supervised.


As a public consultation of the draft took take place in the first half of 2021, it is currently unknown what the final text of the adopted law will be.

We wrote about these topics in our previous post.

  1. In the case of gambling, the risks related to virtual currencies are topical, as various virtual currencies are gaining more and more widespread handling, and as of December 2020, the Estonian Tax and Customs Board has also received several inquiries regarding the use of virtual currencies in the gambling sector. Different virtual currencies have different levels of anonymity, and their use can make it difficult or impossible to trace the origin of funds. The AML risk assessment has also analyzed the need to open a further discussion on the possibilities for gambling operators to use virtual currencies. There is currently no regulation as to whether gambling operators can allow players to use virtual currencies. According to the current Gambling Act, the gambling operator must identify the person who owns the bank account, which has been interpreted in practice by the regulatory authority as necessary to identify who owns the virtual currency wallet and may not make payments from anyone else’s wallet. However, when analyzing the issue, the fact that different currencies have varying degrees of anonymity and that, in some cases, the owner of the wallet cannot be identified or verified must be considered.

Proposals to Improve AML Measures in Estonia

In preparing the AML risk assessment, the following proposals, among others, were made to streamline the regulation related to virtual currencies and activities related to virtual assets:

  1. Creation of a database of persons with a governmental background;
  2. The intervention/supervision of the FIU must be strengthened for market participants operating under the licence of the FIU;
  3. Organizing information of beneficial owners (100% of beneficial owners exist), control (data corresponding to reality) and tightening of corresponding penalties (change of legislation), updating.
  4. Linking the shareholding to the beneficial owner;
  5. In the longer term, the data needed to implement due diligence measures could be available from a single portal;
  6. Carrying out full-scale monitoring of the customer bases of virtual currency service providers on a periodic basis and/or creating a customer database (customer’s personal and contact details), informing credit and payment institutions.
  7. Implement enhanced due diligence measures in the virtual currency sector.
  8. It is crucial to harmonize the legal framework applicable to virtual currency service providers, at least at on the EU level, to ensure an equal playing field for obligated persons, to mitigate AML risks across the EU in a proportionate manner and to prevent customers to easily override the due diligence of the obligated person by creating a new account with another service provider immediately when applying the due diligence measures.
  9. The obligation for virtual currency service providers to establish or assign a Money-Laundering Reporting Officer (MLRO) function, including a fit & proper test, would reduce the risk for the industry as a whole, market participants and their client portfolios, and increase management awareness and commitment. This could lead to an increase in the quality of investment in compliance control systems and the due diligence framework.
  10. Consider that the sector of virtual currency service provider is a sector where it is necessary to implement enhanced due diligence measures.
  11. Complement the mandatory enhanced due diligence obligations for the virtual currency service providers sector with:
    1. Enforcement of the “Travel rule”. Extend the same standards to virtual currencies t as for the information to be collected and transmitted by the payer and the payee in the case of money transfers.
    2. All persons who have established a customer relationship and/or use the platform for the transaction must be identified.
    3. The customer can only be identified based on an identity document accompanied by a so-called profile photo.
    4. Enhance KYC automated systems.
    5. Require human participation in the identification process of a client from a “high risk” country.
    6. Upon identification, a valid mobile phone number and e-mail address must be included, the validity of which is checked every six months (sending control codes).
    7. If several wallets are owned by the same person, they must be interconnected.
    8. PEP status check ensured upon establishment of a customer relationship, requesting the customer’s first payment through the bank of an EEA credit institution.
    9. Control and enforcement of international sanctions.
    10. Supplement the list of requirements for the contact person: Additional requirements for the position of the contact person, including the restriction in how many companies can one contact person work at.
    11. Supplement the list of requirements for the AML representative of virtual currency service providers: An AML employee with sufficient knowledge and a physical location in Estonia who has real access to transaction information. Knowledge and physical location are checked before a licence is issued. Periodic reporting requirement. Law firms in the activities of AML must be excluded, as the AML representative must be an employee of the company.
    12. Establish additional place of business requirements: Establish substantive additional place of business requirements. Physical access to data must also be guaranteed in Estonia. Requirement to keep copies of documents, profile photos and contact numbers of persons who have established a customer relationship with.
  12. Do not allow anonymous virtual currencies on Estonian licenced platforms.
  13. Include an annual monitoring fee based on assets and payments in the virtual currency service providers’ sector.

The proposals and the solutions proposed are still too recent for us to set out a timetable for their specific implementation. However, we can be sure that the pressure from the state to increase the transparency of activities related to virtual currencies and to prevent money laundering and terrorism is growing. This, in turn, leads to the reorganization of the market and increases the demand for high-quality legal services in the implementation of compliance functions in companies located in Estonia.

RCA offers its current and future customers a comprehensive list of AML and compliance services that ensure that the companies are staying between the legal boundaries of the Estonian law. Please feel free to reach out to us if you have any questions or inquiries related to the article or our services.

Share on