Text size:

Money Laundering and Terrorist Financing Prevention Act

Back to wordings

Legend:
RedRemoved
GreenAdded

Issuer:Riigikogu
Type:act
In force from:10.09.2020
In force until:31.12.2020
Translation published:11.08.2020

Chapter 1 General Provisions 

Division 1 Purpose and Scope of Regulation of Act 

§ 1.  Purpose and scope of regulation of Act

 (1) The purpose of this Act is, by increasing the trustworthiness and transparency of the business environment, to prevent the use of the financial system and economic space of the Republic of Estonia for money laundering and terrorist financing.

 (2) This Act regulates:
 1) the principles of assessment, management and mitigation of risks related to money laundering and terrorist financing;
 2) the grounds of the activities of the Financial Intelligence Unit;
 3) supervision over obliged entities in complying with this Act;
 4) duties and obligations in relation to the collection and disclosure of information on beneficial owners;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 5) duties and obligations related to the collection and disclosure of information on liability account holders;
 6) the liability of obliged entities for a breach of the requirements arising from this Act.

 (3) The provisions of the Administrative Procedure Act apply to administrative proceedings prescribed in this Act, taking account of the variations provided for in this Act.

§ 2.  Application of Act

 (1) This Act applies to the economic, professional and official activities of the following persons:
 1) credit institutions;
 2) financial institutions;
 3) gambling operators, except for organisers of commercial lotteries;
 4) persons that mediate the purchase or sale of an immovable;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 41) persons that mediate transactions of use of an immovable whereby the usage fee agreed in the transaction amounts to no less than 10,000 euros per month;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 5) traders within the meaning of the Trading Act, where a cash payment of no less than 10 000 euros or an equal amount in another currency is made to or by the trader, regardless of whether the financial obligation is performed in the transaction in a lump sum or by way of several linked payments over a period of up to one year, unless otherwise provided by law;
 6) persons engaged in buying-in or wholesale of precious metals, precious metal articles or precious stones, except precious metals and precious metal articles used for production, scientific or medical purposes;
 7) certified auditors, upon provision of accounting services, and providers of accounting services;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 8) providers of accounting or tax advice services;
 9) providers of trust and company services;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 10) providers of a virtual currency service;
[RT I, 31.12.2019, 2 – entry into force 10.03.2020
 11) [Repealed – RT I, 31.12.2019, 2 – entry into force 10.03.2020]
 12) a central securities depository where it arranges the opening of securities accounts and provides services related to register entries without the mediation of an account operator;
 13) undertakings providing a cross-border cash and securities transportation service;
 14) pawnbrokers;
 15) dealers of works of art and persons that mediate works of art or store them in a customs free zone whereby a payment of no less than 10,000 euros is made to or by them in a lump sum or in multiple connected payments over a court of one year in connection therewith.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) This Act applies to the economic, professional or official activities of notaries, attorneys, enforcement officers, bankruptcy trustees, interim trustees and providers of other legal services where they act in the name and on account of a customer in a financial or real estate transaction. This Act also applies to the economic, professional or official activities of a said person where the person guides the planning or making of a transaction or makes an official operation or provides an official service related to:
 1) the purchase or sale of an immovable, business or shares of a company;
 2) the management of the customer’s money, securities or other property;
 3) the opening or management of payment accounts, deposit accounts or securities accounts;
 4) the acquisition of funds required for the foundation, operation or management of a company;
 5) the foundation, operation or management of a trust, company, foundation or legal arrangement.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) This Act applies to non-profit associations for the purposes of the Non-profit Associations Act and to other legal persons governed by the provisions of the Non-profit Associations Act as well as to foundations for the purposes of the Foundations Act where they are paid or they pay over 5000 euros in cash or an equal amount in another currency, regardless of whether it is paid in a lump sum or by way of several linked payments over a period of up to one year.

 (4) This Act applies to Eesti Pank where it removes from circulation or exchanges banknotes or coins worth of over 10 000 euros or an equal sum in another currency or where it is paid over 10 000 euros in cash or an equal sum in another currency for collector coins or other numismatic-bonistic products, regardless of whether it is paid in a lump sum or in several linked payments over a period of up to one year.

 (5) The provisions of this Act governing financial institutions apply to virtual currency service providers specified in clause 10 of subsection 1 of this section.
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]

 (6) Chapter 9 of this Act applies to all private legal persons and trustees.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

Division 2 Definitions 

§ 3.  Definitions used in Act

  For the purposes of this Act, the following definitions apply:
 1) ‘cash’ means cash within the meaning of Article 2(2) of Regulation (EC) No 1889/2005 of the European Parliament and of the Council on controls of cash entering or leaving the Community (OJ L 309, 25.11.2005, pp 9–12);
 2) ‘property’ means any object as well as the right of ownership of such object or a document certifying the rights related to the object, including an electronic document, and the benefit received from such object;
 3) ‘obliged entity’ means a person specified in § 2 of this Act;
 4) ‘business relationship’ means a relationship that is established upon conclusion of a long-term contract by an obliged entity in economic or professional activities for the purpose of provision of a service or sale of goods or distribution thereof in another manner or that is not based on a long-term contract, but whereby a certain duration could be reasonably expected at the time of establishment of the contact and during which the obliged entity repeatedly makes separate transactions in the course of economic, professional or official activities while providing a service or official service, performing official operations or offering goods;
 5) ‘customer’ means a person who has a business relationship with an obliged entity;
 6) ‘precious stones’ means natural and artificial precious stones and semi-precious stones, their powder and dust, and natural and cultivated pearls;
 7) ‘precious metal’ means precious metal within the meaning of the Precious Metal Articles Act;
 8) ‘precious metal article’ means a precious metal article within the meaning of the Precious Metal Articles Act;
 9) ‘virtual currency’ means a value represented in the digital form, which is digitally transferable, preservable or tradable and which natural persons or legal persons accept as a payment instrument, but that is not the legal tender of any country or funds for the purposes of Article 4(25) of Directive (EU) 2015/2366 of the European Parliament and of the Council on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, pp. 35–127) or a payment transaction for the purposes of points (k) and (l) of Article 3 of the same Directive;
 91) ‘virtual currency service’ means a service specified in clauses 10 and 101 of this subsection;
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]
 10) ‘virtual currency wallet service’ means a service in the framework of which keys are generated for customers or customers’ encrypted keys are kept, which can be used for the purpose of keeping, storing and transferring virtual currencies;
 101) ‘virtual currency exchange service’ means a service with the help of which a person exchanges a virtual currency against a fiat currency or a fiat currency against a virtual currency or a virtual currency against another virtual currency;
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]
 11) [Repealed – RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 12) [Repealed – RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 13) [Repealed – RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 14) [Repealed – RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 15) ‘senior management of obliged entity’ means an officer or employee with sufficient knowledge of the institution’s money laundering and terrorist financing risk exposure and sufficient seniority to take decisions affecting its risk exposure, and need not, in all cases, be a member of the management board;
 16) ‘foreign exchange services’ means the exchanging of a valid currency against another valid currency by an undertaking in its economic or professional activities;
 17) ‘group’ means a group of undertakings which consists of a parent undertaking, its subsidiaries within the meaning of § 6 of the Commercial Code, and the entities in which the parent undertaking or its subsidiaries hold a participation, as well as undertakings that constitute a consolidation group for the purposes of subsection 3 of § 27 of the Accounting Act;
 18) ‘high-risk third country’ means a country specified in a delegated act adopted on the basis of Article 9(2) of Directive (EU) 2015/849 of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141/73, 05.06.2015, pp 73–117).

§ 4.  Money laundering

 (1) ‘Money laundering’ means:
 1) the conversion or transfer of property derived from criminal activity or property obtained instead of such property for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person’s actions;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 2) the acquisition, possession or use of property derived from criminal activity or property obtained instead of such property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation therein;
 3) the concealment of the true nature, origin, location, manner of disposal, relocation or right of ownership of property acquired as a result of a criminal activity or property acquired instead of such property or the concealment of other rights related to such property.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) Money laundering also means participation in, association to commit, attempts to commit and aiding, abetting, facilitating and counselling the commission of any of the activities referred to in subsection 1 of this section.

 (3) Money laundering is regarded as such also where a criminal activity which generated the property to be laundered was carried out in the territory of another country.

 (4) Knowledge, intent or purpose required as an element of the activities referred to in subsections 1–3 of this section may be inferred from objective facts.

 (5) Money laundering is regarded as such also where the details of a criminal activity which generated the property to be laundered have not been identified.

§ 5.  Terrorist financing

  ‘Terrorist financing’ means the financing and supporting of an act of terrorism and commissioning thereof as well as the financing and supporting of travel for the purpose of terrorism within the meaning of §§ 2373 and 2376 of the Penal Code.
[RT I, 04.01.2019, 12 – entry into force 14.01.2019]

§ 6.  Credit institution and financial institution

 (1) For the purposes of this Act, ‘credit institution’ means:
 1) a credit institution within the meaning of Article 4(1)(1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.06.2013, pp 1–337);
 2) the branch of a foreign credit institution registered in the Estonian commercial register.

 (2) For the purposes of this Act, ‘financial institution’ means:
 1) a foreign exchange service provider;
 2) a payment service provider within the meaning of the Payment Institutions and E-money Institutions Act, except for a payment initiation service provider and an account information service provider;
 3) an e-money institution within the meaning of the Payment Institutions and E-money Institutions Act;
 4) an insurance undertaking within the meaning of the Insurance Activities Act (hereinafter insurance undertaking) to the extent that it provides services related to life insurance, except for services related to mandatory funded pension insurance contracts within the meaning of the Funded Pensions Act;
 5) an insurance broker within the meaning of the Insurance Activities Act (hereinafter insurance broker) to the extent that it is engaged in marketing life insurance or provides other instrument-related services;
 6) a management company, except upon managing a mandatory pension fund within the meaning of the Funded Pensions Act, and an investment fund founded as a public limited company within the meaning of the Investment Funds Act;
 7) an investment firm within the meaning of the Securities Market Act;
 8) a creditor and a credit intermediary within the meaning of the Creditors and Credit Intermediaries Act;
 9) a savings and loan association within the meaning of the Savings and Loan Associations Act;
 10) a central contact point designated by an e-money institution or a payment service provider;
 11) another financial institution within the meaning of the Credit Institutions Act;
 12) the branch of a foreign service provider registered in the Estonian commercial register, which is a person specified in clauses 1–11 of this Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 7.  Correspondent relationship

  For the purposes of this Act, ‘correspondent relationship’ means:
 1) the consistent and long-term provision of banking services by a credit institution (correspondent institution) to another credit institution (respondent institution), including providing a current account, liability account or other account service or other related services such as cash management, international funds transfers, cheque clearing, payable-through accounts and foreign exchange services;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 2) the relationships between and among credit institutions and financial institutions, including where similar services are provided by a correspondent institution to a respondent institution for the purpose of servicing its customers, and including relationships established for securities transactions or funds transfers.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 71.  Trust

 (1) For the purposes of this Act, ‘trust’ means a legal relationship established on the basis of or arising from the law of the country recognising it, according to which trust property formed by a settlor is administered a trustee in the trustee’s own name but in the interests of beneficiaries or for another defined purpose, as well a legal arrangement specified in the consolidated list published the European Commission on the basis of Article 31(10) of Directive (EU) 2015/849 of the European Parliament and of the Council.

 (2) The submission of information prescribed by this Act on a trust does not entail legal consequences other than those provided for in this Act.

 (3) A country that recognises trusts means a country that is party to the Hague Convention of 1 July 1985 on the Law Applicable to Trusts and on their Recognition.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 8.  Provider of trust and company services

  [RT I, 10.07.2020, 1 – entry into force 20.07.2020]
For the purposes of this Act, ‘provider of trust and company services’ means a natural person or a legal person who in its economic or professional activities provides a third party with at least one of the following services:
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 1) foundation of a company or another legal person, including operations and steps related to the transfer of shareholding;
 2) acting as an officer or management board member in a company, as a partner in a general partnership or in such a position in another legal person, as well as arrangement of assumption of such position by another person;
 3) enabling use of the address of the seat or place of business, including granting the right to use the address as part of one’s contact details or for receiving mail as well as providing a company or another legal person, civil law partnership or a legal arrangement with services relating to the aforementioned;
 4) acting as a trustee or a representative of a civil law partnership, community or legal arrangement, or the appointment of another person to such position;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 5) acting as a representative of a shareholder of a public limited company or arrangement of the representation of a shareholder by another person, except in the case of companies whose securities have been listed in a regulated securities market and with respect to whom disclosure requirements complying with European Union legislation or equivalent international standards are applied.

§ 9.  Beneficial owner

 (1) For the purposes of this Act, ‘beneficial owner’ means a natural person:
 1) who, via ownership or other type of control, has the final dominant influence over a natural or legal person, or
 2) in whose interests, for the benefit of whom or in whose name a transaction or operation is made.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) Where a beneficial owner cannot be identified in the manner specified in subsection 1 of this section, the beneficial owner of a company is a natural person whose direct or indirect shareholding or the total shareholding of all of the direct and indirect shareholdings in the company exceeds 25 per cent, including shareholdings in the form of bearer shares or otherwise.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) ‘Direct shareholding’ means that a natural person personally holds shares in a company. ‘Indirect shareholding’ means that a natural person holds shares in a company via one or multiple persons or a chain of persons.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (4) Where, after all possible means of identification have been exhausted, the person specified in subsection 1 or 2 of this section cannot be identified and there is no ground for calling the existence of such person into doubt or where there are doubts as to whether the identified person is the beneficial owner, the natural person who holds the position of a senior managing official is deemed to be the beneficial owner.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (41) Where several persons meet the terms provided for in subsection 4 of this section, including where there are several senior managing officials, several senior management bodies or where another legal persons holds shares in a company via one or several persons or chains of persons, the person(s) who exercise(s) actual control over the company and make(s) strategic decisions in the company or, upon absence of such persons, perform(s) day-to-day and regular management is (are) considered the beneficial owner(s).
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (42) Where the beneficial owner of a company is a trustee, all of the persons specified in clauses 1–5 of subsection 6 of this section are considered beneficial owners.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (5) [Repealed – RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (6) In the case of a trust or a legal arrangement, the beneficial owner is:
 1) the settlor of the trust or the establisher of the arrangement;
 2) the trustee;
 3) the person ensuring and controlling the preservation of property, where such person has been appointed;
 4) the beneficiary, or where the beneficiary or beneficiaries are yet to be determined, the class of persons in whose main interest such triste or arrangement has been set up or operates;
 5) any other person who in any way exercises ultimate control over the property of the trust or arrangement.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (7) In the case of a person or an association of persons not specified in subsections 2 and 6 of this section, the members of the management board or the chairman of the management board may be designated as the beneficial owner(s), taking into account clause 1 of subsection 1.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (8) [Repealed – RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (9) [Repealed – RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 91.  Politically exposed person

 (1) A politically exposed person for the purposes of this Act means a natural person who performs or has performed prominent public functions and with regard to whom related risks remain.

 (2) At least the following persons are deemed to perform prominent public functions:
 1) head of State or head of government;
 2) minister, deputy minister or assistant minister;
 3) member of a legislative body;
 4) member of a governing body of a political party;
 5) judge of the highest court of a country;
 6) auditor general or a member of the supervisory board or executive board of a central bank;
 7) ambassador, envoy or chargé d’affaires;
 8) high-ranking officer in the armed forces;
 9) member of an administrative, management or supervisory body of a state-owned enterprise;
 10) director, deputy director and member of a management body of an international organisation.

 (3) Regardless of subsection 2 of this section, middle-ranking or more junior officials are not considered politically exposed persons.

 (4) A person who, as per list published by the European Commission, is considered a performer of prominent public functions by a Member State of the European Union, the European Commission or an international organisation accredited on the territory of the European Union is deemed a politically exposed person.

 (5) A list of Estonian positions whose holders are considered politically exposed persons is established by a regulation of the minister responsible for the field.

 (6) An international organisation accredited in Estonia draws up a list of the positions of its organisation whose holders are considered politically exposed persons, keeps it up to date and informs the minister responsible for the field of changes made to the list.

 (7) For the purposes of this Act, ‘family member’ of a politically exposed person means their:
 1) spouse or a person considered to be equivalent to a spouse;
 2) parent;
 3) child;
 4) child’s spouse or a person considered to be equivalent to a spouse.

 (8) For the purposes of this Act, ‘person known to be close associates’ of a politically exposed person means a natural person who is:
 1) known to have joint beneficial ownership of a legal person or trust with a politically exposed person;
 2) known to have close business relations with a politically exposed person;
 3) the beneficial owner of a legal person or trust set up in the interests of a politically exposed person.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 10.  Risk appetite

 (1) ‘Risk appetite’ means the total of the exposure level and types of the obliged entity, which the obliged entity is prepared to assume for the purpose of its economic activities and attainment of its strategic goals, and which is established by the senior management of the obliged entity in writing.

 (2) Upon application of subsection 1 of this section, account must be taken of the risks that the obliged entity is prepared to assume or that the obliged entity wishes to avoid in connection with the economic activities as well as qualitative and quantitative compensation mechanisms such as the planned revenue, measures applied with the help of capital or other liquid funds, or other factors such as reputation risks as well as legal and risks arising from money laundering and terrorist financing or other unethical activities.

 (3) Upon application of subsection 1 of this section, the obliged entity determines at least the characteristics of the persons with whom the obliged entity wishes to avoid business relationships and with regard to which the obliged entity applies enhanced due diligence measures, and thereby the obliged entity assesses risks related to such persons and determines appropriate measures for mitigating these risks.

 (4) Upon application of subsection 1 of this section, the management board of a credit institution or financial institution also determines whether business relationships are established with persons non-EEA countries.
[RT I, 10.07.2020, 1 – entry into force 10.09.2020]

Chapter 2 Management of Risks Relating to Money Laundering and Terrorist Financing 

Division 1 Assessment of Risks 

§ 11.  National risk assessment

 (1) The national risk assessment:
 1) provides for the needs of drafting and amending anti-money laundering and countering the financing of terrorism (hereinafter AML/CFT) legislation, other regulations of the field and related fields as well as guidelines of supervisory authorities;
 2) specifies, among other things, the sectors, fields, transaction amounts and types and, where necessary, countries or jurisdictions with regard to which obliged entities must apply enhanced due diligence measures and, where necessary, clarifies the measures;
 3) specifies, among other things, the sectors, fields, transaction amounts and types whereby the risk of money laundering and terrorist financing is smaller and where it is possible to apply simplified due diligence measures;
 4) gives instructions to the ministries and authorities in their area of government regarding allocation of resources and setting of priorities for AML/CFT purposes;
 5) reports on the institutional structure and broad procedures of the AML/CFT regime and on the human and financial resources allocated for such purpose.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) Upon implementation of subsection 1 of this section, relevant information, statistics and analyses which have been published or made available to the ministries or authorities in their area of government, including relevant risk assessments, reports and recommendations of international organisations and the European Commission are taken into account and collected, thereby taking account of data protection requirements.

 (3) The generalised results of the national risk assessment are published on the website of the Ministry of Finance and immediately made available to obliged entities, the European Commission, European supervisory authorities and other Member States of the European Union.

 (4) Based on the national risk assessment, the minister responsible for the field may by a regulation establish limit amounts, requirements for monitoring a business relationship or other risk-based restrictions aimed at mitigating the risks of money laundering or terrorist financing.

 (5) In addition to the information specified in subsection 3 of this section, the Ministry of Finance publishes the aggregate statistics of the field of money laundering and terrorist financing on its website.

§ 12.  AML/CFT Committee

 (1) The AML/CFT Committee is a government committee whose function is to:
 1) coordinate the preparation and updating of the national risk assessment;
 2) prepare a plan of measures and activities mitigating the risks identified in the national risk assessment (hereinafter action plan), designating the authorities that apply the risk-mitigating measures and carry out the risk-mitigating activities as well as the time limits within which the measures must be applied and the activities must be carried out;
 3) organise and check the implementation of the action plan;
 4) based on clauses 1–3 of this subsection, develop AML/CFT policies and make legislative amendment proposals to the ministers responsible for the field and related fields;
 5) pursue national cooperation in AML/CFT and in countering proliferation.

 (2) The AML/CFT Committee consists of the minister responsible for the field, the secretary general and the secretaries general of the ministries responsible for the related fields, representatives of the Financial Intelligence Unit, Eesti Pank, Estonian Financial Supervision Authority, and representatives of other relevant bodies and governmental authorities.

 (3) The AML/CFT Committee establishes a committee of the representatives of obliged entities (hereinafter Market Participants Advisory Committee) whose purpose is to advise the government committee in connection with the performance of its functions. In addition, ad hoc working groups and standing working groups of representatives of obliged entities and other experts may be established for performing the functions of the government committee. The rules of procedure and functions of the Market Participants Advisory Committee, ad hoc working groups and standing working groups are established and members are appointed by a directive of the minister responsible for the field.

 (4) The number of the members and the rules of procedure of the AML/CFT Committee are established by a regulation of the Government of the Republic.

 (5) The work of the AML/CFT Committee is organised by the Ministry of Finance.

§ 13.  Management of risks arising from activities of obliged entity

 (1) For the purpose of identification, assessment and analysis of risks of money laundering and terrorist financing related to their activities, obliged entities prepare a risk assessment, taking account of at least the following risk categories:
 1) risks relating to customers;
 2) risks relating to countries, geographic areas or jurisdictions;
 3) risks relating to products, services or transactions;
 4) risk relating to communication, mediation or products, services, transactions or delivery channels between the obliged entity and customers.

 (2) The steps taken to identify, assess and analyse risks must be proportionate to the nature, size and level of complexity of the economic and professional activities of the obliged entity.

 (3) As a result of the risk assessment, the obliged entity establishes:
 1) fields of a lower and higher risk of money laundering and terrorist financing;
 2) the risk appetite, including the volume and scope of products and services provided in the course of business activities;
 3) the risk management model, including simplified and enhanced due diligence measures, in order to mitigate identified risks.

 (4) The risk assessment specified in subsection 1 of this section and the establishment of the risk appetite specified in clause 2 of subsection 3 is documented, the documents are updated where necessary and based on the published results of the national risk assessment. At the request of the competent supervisory authority, the obliged entity submits the documents prepared on the basis of this section to the supervisory authority.

 (5) The competent supervisory authority exercising supervision over an obliged entity may, at the request of the obliged entity, except for an obliged entity subject to supervision by the Financial Supervision Authority, and in accordance with the national risk assessment decide that the preparation of a documented risk assessment is not mandatory where the specific risks of the field characteristic of the obliged entity are clear and understandable or where the risk assessment prepared by the competent supervisory authority or the national risk assessment has established the risks, risk appetite and risk management model of the field and the obliged entity implements these.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (6) The duties provided for in this section do not apply to notaries, auditors or to the obliged entities specified in subsections 3 and 4 of § 2 of this Act.

Division 2 Risk Management System of Obliged Entity 

§ 14.  Rules of procedure and internal control rules

 (1) The obliged entity establishes rules of procedure that allow for effective mitigation and management of, inter alia, risks relating to money laundering and terrorist financing, which are identified in the risk assessment prepared in accordance with § 13 of this Act. To follow the rules of procedure, the obliged entity establishes internal control rules that describe the internal control system including the procedure for the implementation of internal audit and, where necessary, compliance control, which sets out, inter alia, the procedure for employee screening. The rules of procedure must contain at least the following:
 1) a procedure for the application of due diligence measures regarding a customer, including a procedure for the application of simplified due diligence measures specified in § 32 of this Act and of enhanced due diligence measures specified in § 36 of this Act;
 2) a model for identification and management of risks relating to a customer and its activities and the determination of the customer’s risk profile;
 3) the methodology and instructions where the obliged entity has a suspicion of money laundering and terrorist financing or an unusual transaction or circumstance is involved as well as instructions for performing the reporting obligation;
 4) the procedure for data retention and making data available;
 5) instructions for effectively identifying whether a person is a politically exposed person or a person subject to international sanctions or a person whose place of residence or seat is in a high-risk third country or country that meets the criteria specified in subsection 4 of § 37 of this Act;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 6) the procedure for identification and management of risks relating to new and existing technologies, and services and products, including new or non-traditional sales channels and new or emerging technologies.

 (2) The obliged entity arranges adherence to and implementation of the rules of procedure and internal control rules by the employees of the obliged entity.

 (3) The rules of procedure and the internal control rules specified in subsection 1 of this section may be contained in a single document or in multiple documents, these must be proportionate to the nature, size and level of complexity of the economic and professional activities of the obliged entity and these must be established by the senior management of the obliged entity. The obliged entity must regularly check if the established rules of procedure and the internal control rules are up to date and, where necessary, establish new rules of procedure and internal control rules or make required modifications therein.

 (4) Upon performance of the obligation provided for in clause 2 of subsection 1 of this section the credit institution and the financial institution takes account of the contents of the relevant instructions of the competent supervisory authority, European supervisory authorities and data protection supervisory authority.

 (5) Where the obliged entity has the internal audit obligation, adherence to the rules of procedure and the internal control rules for the purposes of this Act must be checked in the course of an internal audit.

 (6) The management board of a legal person that is an obliged entity, the manager of a branch that is an obliged entity or, upon their absence, the obliged entity must ensure that the employees whose employment duties include the establishment of business relationships or the making of transactions are provided with training in the performance of the duties and obligations arising from this Act and such training must be provided when the employee commences performance of the specified employment duties, and thereafter regularly or when necessary. In training, information, inter alia, on the duties and obligations provided for in the rules of procedure, modern methods of money laundering and terrorist financing and the related risks, the personal data protection requirements, on how to recognise activities related to possible money laundering or terrorist financing, and instructions for acting in such situations must be given.

 (7) The obliged entity, except for a credit institution or financial institution, may apply to the competent supervisory authority for partial or full release from the obligation to prepared documented rules of procedure and internal control rules. Upon making a decision, the competent supervisory authority takes account of the national risk assessment, the nature, scope and level of complexity of the obliged entity and whether the specific risks related to the obliged entity are small or effectively managed in accordance with this Act, legislation adopted on the basis thereof and instructions of competent supervisory authorities.

 (8) The minister responsible for the field may, by a regulation, establish more detailed requirements for the rules of procedure established by credit institutions and financial institutions, the internal control rules of controlling adherence thereto and implementation thereof.

 (9) The duties and obligations provided for in this section do not apply to the obliged entities specified in subsections 3 and 4 of § 2 of this Act.

§ 15.  Management of risks in group

 (1) Upon application of § 14 of this Act it is expected that an obliged entity that is the parent undertaking of a group applies group-wide rules of procedure and the internal control rules for controlling adherence thereto regardless of whether all the undertakings of the group are located in one country or in different countries. This obligation includes, inter alia, the establishment of a group-wide procedure for exchanging information on AML/CFT and the establishment of similar rules for protection of personal data. The obliged entity ensures that group-wide rules of procedure and the internal control rules for controlling adherence thereto take to the appropriate extent account of the law of another Member State of the European Union which implements Directive (EU) 2015/849 of the European Parliament and of the Council, where the obliged entity has a representation, branch or majority-owned subsidiary in that Member State.

 (2) Where the obliged entity has a representation, branch or majority-owned subsidiary in a third country where the minimum requirements for AML/CFT are not equivalent to those of Directive (EU) 2015/849 of the European Parliament and of the Council, the representation, branch and majority-owned subsidiary follow the rules of procedure and internal control rules complying with the requirements of this Act, including the requirements for protection of personal data, to the extent permitted by the law of the third country.

 (3) Where the obliged entity identifies a situation where the law of the third country does not allow for implementing rules of procedure or internal control rules complying with the requirements of this Act in its representation, branch or majority-owned subsidiary, the obliged entity informs the competent supervisory authority thereof. The competent supervisory authority notifies the Member States and, where relevant, the European supervisory authorities where it has become evident in accordance with the first sentence of this subsection that the law of the third country does not allow for applying rules of procedure or internal control rules complying with the requirements of Directive (EU) 2015/849 of the European Parliament and of the Council.

 (4) In the case specified in subsection 3 of this section, the obliged entity ensures the application of additional measures in the representation, branch or majority-owned subsidiary so that the risks relating to money laundering or terrorist financing are effectively managed in another manner, informing the competent supervisory authority of the measures taken. In such an event the competent supervisory authority has the right to issue a precept demanding, inter alia, that the obliged entity or its representation, branch or majority-owned subsidiary:
 1) refrain from establishing new business relationships in the country;
 2) terminate the existing business relationships in the country;
 3) suspend the provision of the service in part or in full;
 4) wind itself up;
 5) apply other measures provided for in regulatory technical standards adopted by the European Commission on the basis of Article 45(7) of Directive (EU) 2015/849 of the European Parliament and of the Council.

 (5) Within the group, information on a suspicion reported to the Financial Intelligence Unit is shared, unless the Financial Intelligence Unit has instructed otherwise.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (6) An e-money institution or a payment service provider that operates in Estonia in a form other than a branch and the headquarters of which are in another Member State appoints, on the basis of an order made by the competent supervisory authority and in accordance with regulatory technical standards established on the basis of Article 45(9) of Directive (EU) 2015/849 of the European Commission, a central contact point in Estonia whose function is to ensure in the name of the e-money institution or payment service provider compliance with the requirements of this Act and, at the request of the competent supervisory authority, submits documents and information on its activities.

 (7) Where a foreign service provider is an obliged entity and has a branch that has been registered in the Estonian commercial register or where a foreign service provider has a majority-owned subsidiary, it does not need to apply the group-wide rules of procedure or internal control rules to the extent that adherence thereto would be in conflict with the national risk assessment prepared on the basis of this Act or with requirements established in or on the basis of this Act.

§ 16.  Cooperation and exchange of information

 (1) Obliged entities may cooperate with one another for AML/CFT purposes, thereby communicating information available to them and replying to queries within a reasonable time, following the duties, obligations and restrictions arising from legislation.

 (2) Obliged entities may exchange information that one of them needs and the other has obtained for the application of a due diligence measure arising from clause 1, 3 or 5 of subsection 1 of § 20 of this Act, following the restrictions established in this Act and the principle of good faith, regardless of any banking, business, official, professional or other confidentiality obligation or restriction on sharing information provided for in any other Act.

 (3) Subsection 2 of this section does not apply where the obliged entity assesses a customer’s legal position, defends or represents the customer in court, intra-authority appeal or other such proceedings, including consults a customer regarding the institution or avoidance of proceedings, regardless of whether the information has been received before, during or after the proceedings.

 (4) Information obtained on the basis of subsection 2 of this section may be used solely for the performance of the duties and obligations arising from this Act, taking into account all of the requirements provided for in this Act, including the data collection, retention and protection rules. The scope and manner of communication or exchange of information between obligated entities is agreed on at least in a form reproducible in writing.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 17.  Appointment of management board member in charge and compliance officer

 (1) Where the obliged entity has more than one management board member, the obliged entity appoints a management board member who is in charge of implementation of this Act and legislation and guidelines adopted on the basis thereof.

 (2) The management board or the manager of a branch of a credit institution, financial institution or obliged entity specified in subsection 1 of § 70 of this Act appoints a person to act as a contact person of the Financial Intelligence Unit (hereinafter compliance officer). The compliance officer reports directly to the management board of the obliged entity or to the manager of the branch and has the competence, means and access to relevant information across all of the structural units of the obliged entity.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) A compliance officer may also be appointed by an obliged entity not specified in subsection 2 of this section.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (4) An employee or a structural unit may perform the duties of a compliance officer. Where a structural unit performs the duties of a compliance officer, the head of the respective structural unit is responsible for performance of the given duties. The Financial Intelligence Unit and the competent supervisory authority are informed of the appointment of a compliance officer.

 (5) Only a person who works permanently in Estonia and has the education, professional suitability, abilities, personal qualities, experience and impeccable reputation required for performance of the duties of a compliance officer may be appointed as a compliance officer. The appointment of a compliance officer is coordinated with the Financial Intelligence Unit.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (6) The Financial Intelligence Unit has the right to receive information from a compliance officer or compliance office candidate, their employer and state databases for the purpose of verifying the suitability of the compliance officer or compliance officer candidate. Where, as a result of the check carried out by the Financial Intelligence Unit, it becomes evident that the person’s reliability is under suspicion due to their past acts or omissions, the person’s reputation cannot be considered impeccable and the obliged entity may extraordinarily terminate the compliance officer’s employment contract due to the loss of confidence. Where the duties of a compliance officer are performed by a structural unit, the provisions of this subsection are applied to each employee of the structural unit.

 (7) The duties of a compliance officer include, inter alia:
 1) organisation of the collection and analysis of information referring to unusual transactions or transactions or circumstances suspected of money laundering or terrorist financing, which have become evident in the activities of the obliged entity;
 2) reporting to the Financial Intelligence Unit in the event of suspicion of money laundering or terrorist financing;
 3) periodic submission of written statements on compliance with the requirements arising from this Act to the management board or branch manager of the obliged entity;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 4) performance of other duties and obligations related to compliance with the requirements of this Act.

 (8) A compliance officer has the right to:
 1) make proposals to the management board or branch manager of the obligated entity for amendment and modification of the rules of procedure containing AML/CFT requirements and organisation of training specified in subsection 6 of § 14 of this Act;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 2) demand that a structural unit of the obliged entity eliminate within a reasonable time deficiencies identified in the implementation of the AML/CFT requirements;
 3) receive data and information required for performance of the duties of a compliance officer;
 4) make proposals for organisation of the process of submission of notifications of suspicious and unusual transactions;
 5) receive training in the field.

 (9) Where no compliance officer has been appointed, the duties of a compliance officer are performed by the management board of the legal person, a management board member appointed on the basis of subsection 1 of this section, the manager of the branch of the foreign company registered in the Estonian commercial register or a self-employed person.

 (10) The duties and obligations provided for in this section do not apply to the obliged entities specified in subsections 3 and 4 of § 2 of this Act.

§ 18.  Relationships with shell banks

 (1) ‘Shell bank’ means a credit institution or financial institution, or an institution that carries out activities equivalent to those carried out by credit institutions and financial institutions, incorporated in a jurisdiction in which it has no physical presence, involving meaningful mind and management, and which is unaffiliated with a regulated credit or financial group.

 (2) Credit institutions and financial institutions are not allowed to establish or continue correspondent relationships with shell banks and such credit institutions or financial institutions that knowingly allow shell banks use their accounts.

 (3) An agreement violating the prohibition specified in subsection 2 of this section is void.

Chapter 3 Due Diligence Measures 

Division 1 Grounds for Application of Due Diligence Measures 

§ 19.  Obligation to apply due diligence measures

 (1) The obliged entity applies due diligence measures:
 1) upon establishment of a business relationship;
 2) upon making or mediating occasional transactions outside a business relationship where a cash payment of over 15 000 euros or an equal amount in another currency is made, regardless of whether the financial obligation is performed in the transaction in a lump sum or in several related payments over a period of up to one year, unless otherwise provided by law;
 3) upon verification of information gathered while applying due diligence measures or in the case of doubts as to the sufficiency or truthfulness of the documents or data gathered earlier while updating the relevant data;
 4) upon suspicion of money laundering or terrorist financing, regardless of any derogations, exceptions or limits provided for in this Act.

 (2) A trader applies due diligence measures at least every time a payment of over 10 000 euros or an equal sum in another currency is made to or by the trader in cash, regardless of whether the pecuniary obligation is performed in a lump sum or by way of several linked payments over a period of up to one year.

 (21) A foundation, non-profit association or an entity to which the provisions of the Non-profit Associations Act apply applies due diligence measures at least every time when it is paid or it pays in cash an amount of over 5,000 euros in a lump sum or in several linked payments over a period of up to one year.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (22) A person who mediates real property usage transactions applies due diligence measures at least every time when the value of the usage fee agreed on in the transaction amounts to no less than 10,000 euros a month.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (23) A dealer of works of art and a person who mediates works of art or stores them in a customs free zone applies due diligence measures at least every time they are paid or they pay a sum with a value of at least 10,000 euros in a lump sum or in several linked payments over a period of one year.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) A gambling operator applies due diligence measures at least upon payment of winnings, making of a bet or on both occasions where the sum given or receivable by the customer is at least 2000 euros or an equal sum in another currency, regardless of whether the pecuniary obligation is performed in a lump sum or by way of several linked payments over a period of up to one month.

 (4) A payment service provider providing both the payer and the payee with a payment service identifies the customer in the case of each transfer of funds that meets the description provided for in Article 3(9) of Regulation (EU) No 2015/847 of the European Parliament and of the Council on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 (OJ L 141, 05.06.2015, pp 1–18) and whereby the sum of the pecuniary obligation exceeds 1000 euros, regardless of whether the pecuniary obligation is performed in a lump sum or by way of several linked payments over a period of up to one month.

 (5) The obliged entity applies the due diligence measures provided in clauses 1–5 of subsection1 of § 20 of this Act before the establishment of a business relationship or the making of a transaction outside a business relationship, unless otherwise provided for in this Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (51) The auditor auditing an annual report or carrying out an inspection applies the due diligence measures specified in clause 3 of subsection 1 of § 20 of this Act during the audit or inspection, thereby examining the information gathered by the management board of the customer in accordance with subsection 2 of § 76.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (6) Where the duty to apply due diligence measures depends on the exceeding of a certain sum, the due diligence measures must be applied as soon as the exceeding of the sum becomes known or, where the exceeding of the sum depends on the making of several linked payments, as soon as the sum is exceeded.

 (7) The provisions of this Chapter regarding cash are also applicable to the performance of pecuniary obligations using a precious metal which is measured in bars or other units.

§ 20.  Due diligence measures

 (1) The obliged entity applies the following due diligence measures:
 1) identification of a customer or a person participating in an occasional transaction and verification of the submitted information based on information obtained from a reliable and independent source, including using means of electronic identification and of trust services for electronic transactions;
 2) identification and verification of a customer or a person participating in an occasional transaction and their right of representation;
 3) identification of the beneficial owner and, for the purpose of verifying their identity, taking measures to the extent that allows the obliged entity to make certain that it knows who the beneficial owner is, and understands the ownership and control structure of the customer or of the person participating in an occasional transaction;
 4) understanding of business relationships, an occasional transaction or operation and, where relevant, gathering information thereon;
 5) gathering information on whether a person is a politically exposed person, their family member or a person known to be close associate;
 6) monitoring of a business relationship.

 (2) Upon implementation of clause 4 of subsection 1 of this section, the obliged entity must understand the purpose of the business relationship or the purpose of the occasional transaction, identifying, inter alia, the permanent seat, place of business or place of residence, profession or field of activity, main contracting partners, payment habits, whether they act for or on behalf of another and, in the case of a legal person, also the experience of the customer or person participating in the occasional transaction.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (21) Where the obliged entity establishes a business relationship with a customer whose information on beneficial owners must, in accordance with the statutes of a Member State of the European Union, be submitted to the state or be registered there, the obliged entity must obtain a relevant registration certificate or registry extract upon application of clause 3 of subsection 1 of this section.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) In the case of an occasional transaction made outside of a business relationship, the obliged entity gathers information on the origin of the property used in the transaction, instead of applying clause 4 of subsection 1 of this section.

 (4) Where relevant, the obliged entity also gathers information on the origin of the customer’s wealth.

 (5) The person participating in a transaction made in economic or professional activities, the person participating in a professional operation or the person using a professional service or the customer submits, at the request of the obliged entity, documents required for the application of the due diligence measures and provides relevant information. The person participating in a transaction made in economic or professional activities, the person participating in an official operation or the person using an official service or the customer certifies by signature, at the request of the obliged entity, the correctness of the submitted information and documents submitted for the application of the due diligence measures.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (6) The obliged entity applies all the due diligence measures specified in subsection 1 of this section with regard to a customer, but determines the scope and exact manner of their application and the need specified in subsections 3 and 4 of this section based on previously assessed risks of money laundering and terrorist financing or those relating to a specific business relationship or to an occasional transaction, operation or person. Upon assessment of the application of the due diligence measures of the obliged entity, the principle of reasonableness provided for in the Law of Obligations Act is taken into account.

 (7) Upon assessment of specific risks related to a customer specified in subsection 6 of this section, the obliged entity determines, based on clause 2 of subsection 1 of § 14 of this Act, the risk profile of the customer or person participating in the transaction, taking account of the risk assessment drawn up on the basis of § 13 of this Act and at least the following factors:
 1) information gathered by the obliged entity upon implementation of clause 4 of subsection 1 of this section;
 2) the volume of the property deposited by the customer or the proprietary volume of the transaction or of transactions made in the course of an official operation;
 3) the estimated duration of the business relationship.

 (8) The obliged entity ensures that the due diligence measures applied by it, which are specified in its rules of procedure, comply with its risk assessment and that the obliged entity is prepared to explain them to the competent supervisory authority, including to the data protection supervisory authority.

§ 21.  Identification of natural person, documents serving as basis thereof and data collected on customer

 (1) The obliged entity identifies the customer and, where relevant, their representative and retains the following data on the person and, where relevant, their representative:
 1) name;
 2) personal identification code or, where none, the date of birth and the place of residence or seat;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 3) information on the identification and verification of the right of representation and scope thereof and, where the right of representation does not arise from law, the name of the document serving as the basis for the right of representation, the date of issue, and the name of the issuer.

 (2) The obliged entity verifies the correctness of the data specified in clauses 1 and 2 of subsection 1 of this section, using information originating from a credible and independent source for that purpose.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) The obliged entity identifies a natural person based on the following documents:
 1) a document specified in subsection 2 of § 2 of the Identity Documents Act;
 2) a valid travel document issued in a foreign country;
 3) a driving licence that meets the requirements provided for in subsection 1 of § 4 of the Identity Documents Act, or
 4) a birth certificate specified in § 30 of the Vital Statistics Registration Act in the case of a person below the age of seven years.

 (4) Where the original document specified in subsection 3 of this section is not available, the identity can be verified on the basis of a document specified in subsection 3, which has been authenticated by a notary or certified by a notary or officially, or on the basis of other information originating from a credible and independent source, including means of electronic identification and trust services for electronic transactions, thereby using at least two different sources for verification of data in such an event.

 (5) The two sources requirement specified in subsection 4 of this section does not need to be followed with regard to a customer who has limited active legal capacity and in the name of whom a business relationship is established or a transaction is made by their representative.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 22.  Identification of legal person, documents serving as basis thereof and data collected on customer

 (1) The obliged entity identifies a legal person registered in Estonia, the branch of a foreign company registered in Estonia and a foreign legal person and retains the following details on the legal person:
 1) the name or business name of the legal person;
 2) the registry code or registration number and the date of registration;
 3) the names of the director, members of the management board or other body replacing the management board, and their authorisation in representing the legal person;
 4) the details of the telecommunications of the legal person.

 (2) The obliged entity verifies the correctness of the data specified in clauses 1 and 2 of subsection 1 of this section, using information originating from a credible and independent source for that purpose. Where the obliged entity has access to the commercial register, register of non-profit associations and foundations or the data of the relevant registers of a foreign country, the submission of the documents specified in subsection 3 of this section does not need to be demanded from the customer.

 (3) The obliged entity identifies a legal person based on the following documents:
 1) the registry card of the relevant register;
 2) the registration certificate of the relevant register, or
 3) a document equal to the document specified in clause 1 or 3 of this section.

 (4) Where the original document specified in subsection 3 of this section is not available, the identity can be verified on the basis of a document specified in subsection 3, which has been authenticated by a notary or certified by a notary or officially, or on the basis of other information originating from a credible and independent source, including means of electronic identification and trust services for electronic transactions, thereby using at least two different sources for verification of data in such an event.

 (5) A representative of a legal person of a foreign country must, at the request of the obliged entity, submit a document certifying his or her powers, which has been authenticated by a notary or in accordance with an equal procedure and legalised or certified by a certificate replacing legalisation (apostille), unless otherwise provided for in an international agreement.

§ 23.  Monitoring of business relationship

 (1) The obliged entity establishes principles for monitoring a business relationship established in economic, professional or official activities (hereinafter monitoring of business relationship) upon application of § 14 of this Act.

 (2) The monitoring of a business relationship must include at least the following:
 1) checking of transactions made in a business relationship in order ensure that the transactions are in concert with the obliged entity’s knowledge of the customer, its activities and risk profile;
 2) regular updating of relevant documents, data or information gathered in the course of application of due diligence measures;
 3) identifying the source and origin of the funds used in a transaction;
 4) in economic, professional or official activities, paying more attention to transactions made in the business relationship, the activities of the customer and circumstances that refer to a criminal activity, money laundering or terrorist financing or that a likely to be linked with money laundering or terrorist financing, including to complex, high-value and unusual transactions and transaction patterns that do not have a reasonable or visible economic or lawful purpose or that are not characteristic of the given business specifics;
 5) in economic, professional or official activities, paying more attention to the business relationship or transaction whereby the customer is from a high-risk third country or a country or territory specified in subsection 4 of § 37 of this Act or whereby the customer is a citizen of such country or whereby the customer’s place of residence or seat or the seat of the payment service provider of the payee is in such country or territory.

 (3) Upon performance of the duty provided for in clause 4 of subsection 2 of this section, inter alia, the nature, reason and background of the transactions as well as other information that allows for understanding the substance of the transactions must be identified and more attention must be paid to these transactions.

Division 2 Variations of Application of Due Diligence Measures 

§ 24.  Reliance on data gathered by other person and outsourcing of application of due diligence measures

 (1) The obliged entity may, in the event of the partial or full performance of one or several of the duties provided for in subsection 1 of § 20 of this Act, rely on data and documents gathered by another person, where all the following criteria are met:
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 1) the obliged entity gathers from the other person at least information on who is the person establishing the business relationship or making the transaction, their representative and the beneficial owner, as well as what is the purpose and nature of the business relationship or transaction;
 2) the obliged entity has ensured that, where necessary, it is able to immediately obtain all the data and documents whereby it relied on data gathered by another person;
 3) the obliged entity has established that the other person who is relied on is required to comply and actually complies with requirements equal to those established by Directive (EU) 2015/849 of the European Parliament and of the Council, including requirements for the application of due diligence measures, identification of politically exposed persons and data retention, and is under or is prepared to be under state supervision regarding compliance with the requirements;
 4) the obliged entity takes sufficient measures to ensure compliance with the criteria provided for in clause 3 of this subsection.

 (2) In addition to subsection 1 of this section, the obliged entity may also outsource an activity related to the implementation of clauses 1–5 of subsection 1 of § 20 of this Act to:
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 1) another obliged entity;
 2) an organisation, association or union whose members are obliged entities, or
 3) another person who applies the due diligence measures and data retention requirements provided for in this Act and who is subject to or is prepared to be subject to AML supervision or financial supervision in a contracting state of the European Economic Area regarding compliance with requirements.

 (3) To outsource an activity, the obliged entity concludes a written contract with a person specified in subsection 2 of this section. The contract ensures that:
 1) the outsourcing of the activity does not impede the activities of the obliged entity or performance of the duties and obligations provided in this Act;
 2) the third party performs all the duties of the obliged entity relating to the outsourcing of the activity;
 3) the outsourcing of the activity does not impede exercising supervision over the obliged entity;
 4) the competent authority can exercise supervision over the person carrying out the outsourced activity via the obliged entity, including by way of an on-site inspection or another supervisory measure;
 5) the person specified in subsection 2 of this section has the required knowledge and skills and the ability to comply with the requirements provided for in this Act;
 6) the obliged entity has the right to, without limitations, inspect compliance with the requirements provided for in this Act;
 7) documents and data gathered for compliance with the requirements arising from this Act are retained and, at the request of the obliged entity, copies of documents relating to the identification of a customer and its beneficial owner or copies of other relevant documents are handed over or submitted to the competent authority immediately.

 (4) Information on the conclusion and termination of an outsourcing contract is made available to the competent supervisory authority in advance. Upon submission of information, the obliged entity indicates, among other things, the scope of the outsourced activity. At the request of the competent supervisory authority, the obliged entity submits the contract of outsourcing of the activity.

 (5) In a situation where the obliged entity relies on or outsources an activity to a person belonging to the same group, which has been established in a country where requirements equal to those of Directive (EU) 2015/849 of the European Parliament and of the Council apply, including requirements for the application of due diligence measures, identification of politically exposed persons and data retention, and where group-based supervision is exercised over the group, the requirements provided for in clause 3 of subsection 1 and in clause 5 of subsection 3 of this section do not need to be applied.

 (6) The obliged entity is not allowed to rely on or outsource activities to a person who has been established in a high-risk third country.

 (7) The obliged entity who relies on data gathered by another person or who has outsourced an activity to another person is responsible for compliance with requirements arising from this Act.

§ 25.  Variations of due diligence measures applied by credit institution, financial institution, virtual currency service provider and Eesti Pank

  [RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (1) A credit institution and a financial institution is not allowed to provide services that can be used without identifying the person participating in the transaction and without verifying the submitted information, except in the events specified in § 27 of this Act. Credit institutions and financial institutions are required to open an account and keep an account only in the name of the account holder.

 (11) Credit institutions and financial institutions must, when making or mediating occasional transactions outside business relationships where a transaction of over 1,000 euros or an equal amount in another currency is made, apply due diligence measures regardless of whether the financial obligation is performed in the transaction in a lump sum or by way of several linked payments over a period of up to one month.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (12) The currency exchange service may be provided without identifying the person participating in the transaction of the value of the amount exchanged in cash in a one-off transactions or in linked transactions does not exceed 1,000 euros.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) Credit institutions and financial institutions are not allowed to conclude a contract or make a decision to open an anonymous account, savings book or safe-deposit box. A transaction violating the prohibition is void.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) Eesti Pank applies the due diligence measures specified in clauses 1–5 of subsection 1 of § 20 of this Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (4) Eesti Pank applies the due diligence measures specified in clauses 1–5 of subsection 1 of § 20 of this Ac always when there is doubt as to the sufficiency or truthfulness of documents or data previously gathered in the course of identification of a person, verification of submitted information or updating the relevant details as well as in the event of suspicion of money laundering or terrorist financing.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 26.  Due diligence measures applicable to life insurance

 (1) In the case of life insurance, a credit institution and a financial institution applies the due diligence measures specified in § 20 of this Act with the following variations:
 1) the name of the beneficiary determined in the insurance contract is identified immediately after the determination of the person or after learning of the person;
 2) where the beneficiary is not determined by name, but based on certain characteristics or in another manner, sufficient data must be gathered on the circle of persons determined in such a manner so that it is proven that the identity of the beneficiary can be established at the time of making a payment.

 (2) In the case of subsection 1 of this section, the identity of the beneficiary is verified at the time of making a payment.

 (3) Where, by agreement with the obliged entity, a policyholder assigns their rights and obligations under a life insurance contract to a third party, the obliged entity must identify the assignee of the contract at the moment of assignment of the contract.

§ 27.  Due diligence measures applicable to limited-use accounts

 (1) By way of exception, a credit institution, financial institution or central securities depositor can open an account, including a securities account, before the application of the due diligence measures specified in clauses 1–3 of subsection 1 of § 20 of this Act where transactions cannot be made by the customer or in the name of the customer with the property held on the account until the full application of the due diligence measures specified in clauses 1–3 of subsection 1 of § 20 of this Act, thereby applying the due diligence measures as soon as reasonably possible.

 (2) In accordance with the procedure established on the basis of clause 1 of subsection 4 of § 67 of the Commercial Code, a credit institution can, on the basis of personal data automatically verified by the registrar via the computer network or via a notary authorised on the basis of subsection 4 of § 520 of the Commercial Code, open an account for a company that is being founded, provided that a contribution to the share capital is made to the account via an account opened in a credit institution operating in a contracting state of the European Economic Area or in the branch of a foreign credit institution established in a contracting state of the European Economic Area and the account is not debited before the company has been registered in the Estonian commercial register and before the due diligence measures specified in clauses 1–5 of subsection 1 of § 20 of this Act have been taken. Representatives of the company must allow the credit institution to apply the due diligence measures and conclude a settlement agreement within six months following the opening of the account.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 28.  Due diligence measures applicable to trust fund and legal arrangement

  [RT I, 10.07.2020, 1 – entry into force 20.07.2020]
In addition to the due diligence measures specified in subsection 1 of § 21 of this Act, the credit institution or financial institution gathers enough information on the beneficiaries of a trust fund or legal arrangement, which has been determined based on certain characteristics or type, in order to be certain that it is able to definitely identify the beneficiary at the time of making a payment or once the beneficiary exercises their rights.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 29.  Due diligence measures applied by non-profit association and foundation

 (1) The persons specified in subsection 3 of § 2 of this Act apply the due diligence measures specified in clauses 1–5 of subsection 1 of § 20 of this Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) The persons specified in subsection 3 of § 2 of this Act apply the due diligence measures specified in clauses 1–5 of subsection 1 of § 20 of this Ac always when there is doubt as to the sufficiency or truthfulness of documents or data previously gathered in the course of identification of a person, verification of submitted information or updating the relevant details as well as in the event of suspicion of money laundering or terrorist financing.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 30.  Variations of due diligence measures applied by legal service provider

 (1) Where a notary identifies a person and applies other due diligence measures, the Notarisation Act and the Notaries Act are followed, taking account of the variations provided for in this Act.

 (2) A notary, enforcement officer, bankruptcy trustee, auditor, attorney or another legal service provider may identify and verify the identity of a customer or a person participating in a transaction and a beneficial owner while establishing a business relationship or entering into a transaction, provided that it is necessary for the purpose of not interrupting the ordinary course of the professional activities and the risk of money laundering or terrorist financing is low.

 (3) In the event specified in subsection 2 of this section, the application of due diligence measures must be completed within a reasonable time after the first contact and before making binding operations.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 31.  Identification of person and verification of data using information technology means

 (1) A credit institution and a financial institution must identify a person and verify data with using information technology means where the application of the due diligence measures in establishing a business relationship does not take place in the physical presence of the person and where:
 1) the customer is from a non-EEA country or their place of residence or seat is in such a country, or
 2) the total amount of outgoing payments related to the transaction or service contract per calendar month exceeds 15,000 euros in the case of a customer who is a natural person or 25,000 euros in the case of a customer who is a legal person.
[RT I, 10.07.2020, 1 – entry into force 10.09.2020]

 (2) [Repealed – RT I, 10.07.2020, 1 – entry into force 10.09.2020]

 (3) A document issued by the Republic of Estonia for digital identification of a person or another means of electronic identification of a high assurance level, which is specified in the regulation established on the basis of subsection 6 of this section, is used for identifying a person and verifying data using information technology means.
[RT I, 10.07.2020, 1 – entry into force 10.09.2020]

 (4) Where a person is a foreign national, the identity document issued by the competent authority of the foreign country must be used for the identification of the person and verification of data in addition to the means specified in subsection 3 of this section.

 (5) Additionally, information originating from a credible and independent source is used for identifying a person and verifying data. To identify a person and verify data, credit institutions and financial institutions has the right to use personal identification data entered in the database of identity documents.
[RT I, 10.07.2020, 1 – entry into force 10.09.2020]

 (6) The technical requirements of and procedure for identification of persons and verification of data using information technology means are established by a regulation of the minister responsible for the field.

 (61) The procedure provided for in a regulation established on the basis of subsection 1 of § 31 of the Notaries Act is applied where the identity of a person is established and information is verified using information technology means in the official activities of a notary.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (7) The regulation specified in subsection 6 of this section sets out in greater detail at least the requirements for disclosure of information, rules of procedure applicable to the establishment of a business relationship and to the making of an occasional transaction, requirements for activities related to the declarations of intent of the parties to a transaction, organisation of questionnaire surveys and mandatory real-time interviews held upon establishment of a business relationship, conditions of processing of the photograph of a person, and requirements for the quality of the synchronised audio and video stream during the aforementioned procedures as well as for recording and for the reproducibility of recordings, and, based on the national risk assessment specified in § 11 of this Act, the regulation may establish limits different from the ones specified in clause 2 of subsection 1 of this section to situations where the provisions of this section do not need to be applied.
[RT I, 10.07.2020, 1 – entry into force 10.09.2020]

Division 3 Simplified Due Diligence Measures 

§ 32.  Application of simplified due diligence measures

 (1) The obliged entity may apply simplified due diligence measures where a risk assessment prepared on the basis of subsection 7 of § 20 and §§ 11, 13 and 34 of this Act identifies that, in the case of the economic or professional activity, field or circumstances, the risk of money laundering or terrorist financing is lower than usual.

 (2) Before the application of simplified due diligence measures to a customer, the obliged entity establishes that the business relationship, transaction or operation is of a lower risk and the credit institution and financial institution attribute to the transaction, operation or customer a lower degree of risk.

 (3) The application of simplified due diligence measures is permitted to the extent that the obliged entity ensures sufficient monitoring of transactions, operations and business relationships, so that it would be possible to identify unusual transactions and allow for notifying of suspicious transactions in accordance with the procedure established in § 49 of this Act.

§ 33.  Conditions of application of simplified due diligence measures

 (1) Upon simplified implementation of clauses 1 and 2 of subsection 1 of § 20 of this Act, the identity of a customer or of the customer’s representative may be verified on the basis of information obtained from a credible and independent source also at the time of establishment of the business relationship, provided that it is necessary for not disturbing the ordinary course of business. In such an event the verification of identity must be carried out as quickly as possible and before the taking of binding measures.

 (2) Upon implementation of clauses 3–5 of subsection 1 of § 20 of this Act, the obliged entity may choose the extent of performance of the duty and the need to verify the information and data used therefore with the help of a credible and independent source.

 (3) Clause 6 of subsection 1 of § 20 of this Act may be applied in accordance with the simplified procedure, provided that a factor characterising a lower risk has been established and at least the following criteria are met:
 1) a long-term contract has been concluded with the customer in writing, electronically or in a form reproducible in writing;
 2) payments accrue to the obliged entity in the framework of the business relationship only via an account held in a credit institution or the branch of a foreign credit institution registered in the Estonian commercial register or in a credit institution established or having its place of business in a contracting state of the European Economic Area or in a country that applies requirements equal to those of Directive (EU) 2015/849 of the European Parliament and of the Council;
 3) a limit has been set to the total value of incoming and outgoing payments in transactions.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 34.  Factors characterising lower risk

 (1) Before the application of simplified due diligence measures, factors referring to a lower risks are taken into account and the obliged entity determines whether these factors will be implemented on the whole, in part or as separate grounds.

 (2) Upon assessment of factors referring to a lower risk in accordance with subsection 1 of this section, the following is deemed a situation reducing risks relating to the customer type:
 1) the customer is a company listed on a regulated market, which is subject to disclosure obligations that establish requirements for ensuring sufficient transparency regarding the beneficial owner;
 2) the customer is a legal person governed by public law established in Estonia;
 3) the customer is a governmental authority or another authority performing public functions in Estonia or a contracting state of the European Economic Area;
 4) the customer is an institution of the European Union;
 5) the customer is a credit institution or financial institution acting on its own behalf or a credit institution or financial institution located in a contracting state of the European Economic Area or a third country, which in its country of location is subject to requirements equal to those established in Directive (EU) 2015/849 of the European Parliament and of the Council and subject to state supervision;
 6) a person who is a resident of a country or geographic area having the characteristics specified in clauses 1–4 of subsection 3 of this section.

 (3) Upon assessment of factors referring to a lower risk in accordance with subsection 1 of this section, at least the following situations where the customer is from or the customer’s place of residence or seat is in, may be deemed a factor reducing geographic risks:
 1) a contracting state of the European Economic Area;
 2) a third country that has effective AML/CFT systems;
 3) a third country where, according to credible sources, the level of corruption and other criminal activity is low;
 4) a third country where, according to credible sources such as mutual evaluations, reports or published follow-up reports, AML/CFT requirements that are in accordance with the updated recommendations of the Financial Action Task Force (FATF), and where the requirements are effectively implemented.

§ 35.  Variations of application of simplified due diligence measures by credit institution and financial institution

 (1) Upon identifying factors characterising a smaller risk and choosing simplified due diligence measures, credit institutions and financial institutions take into account the guidelines of the European supervisory authorities regarding risk factors.

 (2) Under subsection 1 of § 34 of this Act, at least the following factors may be deemed factors reducing risks relating to the product, service, transaction or delivery channels upon assessment of factors referring to a lower risk:
 1) a life insurance contract with a small insurance premium;
 2) an insurance policy for a pension scheme where there is no early surrender option and the policy cannot be used as collateral;
 3) a pension, superannuation or similar scheme that provides retirement benefits to employees, where contributions are made by way of deduction from wages, and the scheme rules do not permit the assignment of a member’s interest under the scheme;
 4) financial products or services that provide appropriately defined and limited services to certain types of customers, so as to increase access for financial inclusion purposes;
 5) products where the risks of money laundering and terrorist financing are managed by other factors such as pecuniary limits or transparency-enhancing measures;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 6) basic payment services relating to a liability account.

Division 4 Enhanced Due Diligence Measures 

§ 36.  Application of enhanced due diligence measures

 (1) The obliged entity applies enhanced due diligence measures in order to adequately manage and mitigate a higher-than-usual risk of money laundering and terrorist financing.

 (2) Enhanced due diligence measures are applied always when:
 1) upon identification of a person or verification of submitted information, there are doubts as to the truthfulness of the submitted data, authenticity of the documents or identification of the beneficial owner;
 2) the person participating in a transaction made in economic or professional activities, the person participating in an official operation, the person using an official service or the customer is a politically exposed person, except in the event specified in subsection 5 of § 38 of this Act;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 3) the person participating in a transaction made in economic or professional activities, the person participating in an official operation, the person using an official service or the customer is from a high-risk third country or their place of residence or seat or the seat of the payment service provider of the payee is in a high-risk third country;
 4) the customer or the person participating in a transaction or the person using an official service is from such country or territory or their place of residence or seat or the seat of the payment service provider of the payee is in a country or territory that, according to credible sources such as mutual evaluations, reports or published follow-up reports, has not established effective AML/CFT systems that are in accordance with the recommendations of the Financial Action Task Force, or that is considered a low tax rate territory.

 (3) The obliged entity applies enhanced due diligence measures also where a risk assessment prepared on the basis of subsection 6 of § 20 and §§ 11, 13 and 37 of this Act identifies that, in the case of the economic or professional activity, field or factors, the risk of money laundering or terrorist financing is higher than usual.

 (4) Enhanced due diligence measures do not need to be applied regarding the branch of an obliged entity established in a contracting state of the European Economic Area or a majority-owned subsidiary seated in a high-risk third country, provided that the branch and the majority-owned subsidiary fully comply with the group-wide procedures in accordance with § 15 of this Act and the obliged entity assesses that the waiver to apply enhanced due diligence measures does not entail major additional risks of money laundering and terrorist financing.

§ 37.  Factors characterising higher risk

 (1) In addition to the events specified in subsection 2 of § 36 of this Act, at least the factors referring to a higher risk of money laundering and terrorist financing specified in subsections 2–4 of this section are taken into account upon application of enhanced due diligence measures. The obliged entity determines in rules of procedure whether it will apply the factors on the whole, in part or as separate grounds for the purpose of application of enhanced due diligence measures.

 (2) Upon assessment of factors referring to a higher risk in accordance with subsection 1 of this section, the following is deemed a situation increasing risks related to the customer as a person:
 1) the business relationship foundations based on unusual factors, including in the event of complex and unusually large transactions and unusual transaction patterns that do not have a reasonable, clear economic or lawful purpose or that are not characteristic of the given business specifics;
 2) the customer is a resident of a higher-risk geographic area listed in subsection 4 of this section;
 3) the customer is a legal person or a legal arrangement, which is engaged in holding personal assets;
 4) the customer is a cash-intensive business;
 5) the customer is a company that has nominee shareholders or bearer shares or a company whose affiliate has nominee shareholders or bearer shares;
 6) the ownership structure of the customer company appears unusual or excessively complex, given the nature of the company’s business;
 7) the customer is a third country national who applies for residence rights or citizenship in Estonia in exchange of capital transfers, purchase of property or government bonds, or investment in corporate entities in Estonia.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) Upon assessment of factors referring to a higher risk in accordance with subsection 1 of this section, in particular the following is deemed a situation increasing risks related to the product, service, transaction or delivery channel:
 1) private banking;
 2) provision of a product or making or mediating of a transaction that might favour anonymity;
 3) payments received from unknown or unassociated third parties;
 4) a business relationship or transaction that is established or initiated in a manner whereby the customer, the customer’s representative or party to the transaction is not met physically in the same place and whereby § 31 of this Act is not applied as a safeguard measure;
 5) new products and new business practices, including new delivery mechanism, and the use of new or developing technologies for both new and pre-existing products;
 6) a transaction related to oil, arms, precious metals, precious metal products or tobacco products;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 7) a transaction related to cultural artefacts or other items of archaeological, historical, cultural and religious importance, or of rare scientific value;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 8) a transaction related to ivory or protected species.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (4) Upon assessment of factors referring to a higher risk in accordance with subsection 1 of this section, in particular as situation where the customer, a person involved in the transaction or the transaction itself is connected with a following country or jurisdiction is deemed a factor increasing the geographical risk:
 1) that, according to credible sources such as mutual evaluations, detailed evaluation reports or published follow-up reports, has not established effective AML/CFT systems;
 2) that, according to credible sources, has significant levels of corruption or other criminal activity;
 3) that is subject to sanctions, embargos or similar measures issued by, for example, the European Union or the United Nations;
 4) that provides funding or support for terrorist activities, or that has designated terrorist organisations operating within their country, as identified by the European Union or the United Nations.

 (5) Upon selection of enhanced due diligence measures, a credit institution and a financial institution takes into account, in addition to subsections 2–4 of this section, relevant guidelines of the European supervisory authorities regarding risk factors.

§ 38.  Additional due diligence measures

 (1) The obliged entity chooses additional due diligence measures in order to manage and mitigate an established risk of money laundering and terrorist financing that is higher than usual.

 (2) To perform the duties provided for in subsection 1 of this section, the obliged entity may, among other things, apply one or several of the following due diligence measures:
 1) verification of information additionally submitted upon identification of the person based on additional documents, data or information originating from a credible and independent source;
 2) gathering additional information on the purpose and nature of the business relationship, transaction or operation and verifying the submitted information based on additional documents, data or information that originates from a reliable and independent source;
 3) gathering additional information and documents regarding the actual execution of transactions made in the business relationship in order to rule out the ostensibility of the transactions;
 4) gathering additional information and documents for the purpose of identifying the source and origin of the funds used in a transaction made in the business relationship in order to rule out the ostensibility of the transactions;
 5) the making of the first payment related to a transaction via an account that has been opened in the name of the person or customer participating in the transaction in a credit institution registered or having its place of business in a contracting state of the European Economic Area or in a country where requirements equal to those of Directive (EU) 2015/849 of the European Parliament and of the Council are in force;
 6) the application of due diligence measures regarding the person or their representative while being at the same place as the person or their representative.

 (3) Upon application of enhanced due diligence measures, the obliged entity must apply the monitoring of a business relationship more frequently than usually, including reassess the customer’s risk profile not later than six months after the establishment of the business relationship.

 (4) In addition to the provisions of this section, credit institutions and financial institutions take into account the guidelines of the European supervisory authorities upon selection of due diligence measures.

 (5) In addition to the measures provided for in this section, the measures provided for in § 41 of this Act also apply to a politically exposed person, their family member or a person known to be their close associate. Where there is a factor that refers to a lower risk specified in clause 1 of subsection 3 of § 34 of this Act regarding the aforementioned person, the application of the aforementioned measures is required only where there is a factor referring to a higher risk.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 39.  Enhanced due diligence measures applied to transaction made with natural and legal persons operating in high-risk third country

 (1) Where the obliged entity comes in contact with a high-risk third country via a person participating in a transaction made in the obliged entity’s economic or professional activities, via a person participating in an official operation, via a person using an official service or via a customer, the obliged entity applies the following due diligence measures:
 1) gathering additional information about the customer and its beneficial owner;
 2) gathering additional information on the planned substance of the business relationship;
 3) gathering information on the origin of the funds and wealth of the customer and its beneficial owner;
 4) gathering information on the underlying reasons of planned or executed transactions;
 5) receiving permission from the senior management to establish or continue a business relationship;
 6) improving the monitoring of a business relationship by increasing the number and frequency of the applied control measures and by choosing transaction indicators or transaction patterns that are additionally verified;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) In addition to subsection 1 of this section, the obliged entity may demand that a customer make a payment from an account held in the customer’s name in a credit institution of a contracting state of the European Economic Area or in a third country that implements requirements equal to those of Directive (EU) 2015/849 of the European Parliament and of the Council.

 (3) In addition to subsection 1 of this section, a credit institution or a financial institution applies one or several of the following due diligence measures:
 1) winding up its branch or representation in a high-risk third country;
 2) carrying out a special audit in a subsidiary or branch of the credit institution or financial institution in a high-risk third country;
 3) assessing and, where necessary, terminating a correspondent relationship with an obliged entity of a high-risk third country.

§ 40.  Duties and obligations of correspondent institution

  [RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (1) In the case of a cross-border correspondent relationship with a respondent institution of a third country or a respondent institution whereby the risk of money laundering or terrorist financing is higher, the credit institution or the financial institution takes, in addition to the due diligence measures provided for in subsection 1 of § 20 of this Act, the following due diligence measures:
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 1) gathering sufficient information on the respondent institution in order to fully understand the nature of the activities of the respondent institution and, based on publicly available information, make a decision on the reputation and supervision quality of the relevant institution, including by researching whether any proceedings have been initiated against the institution in connection with violation of AML/CFT legislation;
 2) assessment of AML/CFT control systems implemented in the respondent institution;
 3) receiving prior approval from the senior management to establish a new correspondent relationship;
 4) documentation of the relevant duties and obligations of both institutions;
 5) in the case of payable-through accounts, making certain that the respondent institution has verified the identity of the customers who have direct access to the accounts of the correspondent institution, applies due diligence measures to them at all times and, upon request is able to present the relevant due diligence measures applied to the customer.

 (2) A credit institution or a financial institution as an obliged entity who renders a service to another credit institution or financial institution in a correspondent relationship provided for in § 7 of this Act where the customers of the credit institution or financial institution receiving the service benefit from the service (hereinafter beneficial customer) does not need to apply the due diligence measures provided for in § 20 of this Act with regard to the beneficial customers where the obliged entity:
 1) has established that the credit institution or financial institution who is a customer is itself required to apply and actually applies measures equal to the requirements provided for in this Act, including requirements for the application of due diligence measures, identification of politically exposed persons and data retention, and is under financial supervision;
 2) is aware of the risk structure of the beneficial customers and makes certain that the related risk is in accordance with the risk appetite of the obliged entity;
 3) has ensured by a contract that, where necessary, it is able to immediately obtain all data and documents in order to identify the person who ultimately benefits from the transaction;
 4) takes sufficient measures to ensure compliance with the criteria provided for in clause 1 of this subsection.

 (3) The obliged entity is prohibited to apply subsection 2 of this section where the credit institution or financial institution who is a customer has been established in a high-risk third country.

 (4) The obliged entity applying subsection 2 of this section is responsible for compliance with the requirements arising from this Act.

§ 41.  Transactions with politically exposed person

 (1) In a situation where the person participating in a transaction made in economic or professional activities, the person participating in an official operation, the person using an official service, the customer or their beneficial owner is a politically exposed person, a family member of a politically exposed person or a person known to be a close associate of a politically exposed person, the obliged entity applies the following due diligence measures in addition to the due diligence measures provided for in subsection 1 of § 20 of this Act:
 1) obtains approval from the senior management to establish or continue a business relationship with the person;
 2) applies measures to establish the origin of the wealth of the person and the sources of the funds that are used in the business relationship or upon making occasional transactions;
 3) monitors the business relationship in an enhanced manner.

 (2) In addition to the application of the due diligence measures specified in § 26 of this Act, the obliged entity establishes not later than upon making a payment whether the beneficiary of the life insurance policy or the beneficial owner of the beneficiary is a politically exposed person, a family member of a politically exposed person or a person known to be a close associate of a politically exposed person. Upon assignment of a life insurance contract in accordance with subsection 3 of § 26 of this Act, the obliged entity identifies the aforementioned facts regarding the assignee of the contract and their beneficial owner at the moment of assignment of the contract. Where the obliged entity identifies a politically exposed person, a family member of a politically exposed person or a person known to be a close associate of a politically exposed person, the obliged entity applies the following due diligence measures in addition to the due diligence measures provided for in subsection 1 of § 20 of this Act:
 1) informing the senior management before making payments under the insurance policy;
 2) checking the entire business relationship in detail.

 (3) Where a politically exposed person no longer performs important public functions placed upon them, the obliged entity must at least within 12 months take into account the risks that remain related to the person and apply relevant and risk sensitivity-based measures as long as it is certain that the risks characteristic of politically exposed persons no longer exist in the case of the person.

 (4) [Repealed – RT I, 10.07.2020, 1 – entry into force 20.07.2020]

Division 5 Consequences of Failure to Apply Due Diligence Measures 

§ 42.  Prohibition on making transactions and establishing business relationships

  [RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (1) The obliged entity is not allowed to establish a business relationship or enable the making of an occasional transaction or the making of a transaction in a business relationship where at least one of the following circumstances occurs:
 1) the obliged entity is unable to apply the due diligence measures required under this Act;
 2) the obliged entity suspects money laundering or terrorist financing.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) The obliged entity is prohibited to establish a business relationship or make a transaction with a person of whose capital consists of bearer shares or other bearer securities to the extent of more than 10 per cent.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) A payment service provider is prohibited to follow the customer’s payment instruction or make funds available where the payment service provider is unable to comply with the duty provided for in subsection 4 of § 19 or subsection 11 of § 25 of this Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (4) Where the obliged entity has a business relationship with a customer in a situation provided for in subsections 1–3 of this section, the refusal by the customer to provide information or documents required for the application of due diligence measures is deemed a fundamental breach of the contract and the obliged entity has the obligation to extraordinarily terminate the long-term contract serving as the basis for the business relationship and to notify the Financial Intelligence Unit of the suspicious transaction relating to the customer in accordance with § 49 of this Act. The business relationship is deemed terminated as of the submission of a termination notice to the customer after which the obliged entity makes the services completely unavailable to the customer.

 (5) An agreement violating the prohibition specified in subsections 1–3 of this section is void.

 (6) The provisions of subsections 1–5 are not applied where the obliged entity has notified the Financial Intelligence Unit of the establishment of a business relationship, transaction or an attempted transaction in accordance with the procedure provided for in § 49 of this Act and received from the Financial Intelligence Unit a specific instruction to continue the business relationship, the establishment of the business relationship or the transaction.

 (7) Subsections 1–5 of this section do not apply to an auditor that provides a customer with a certainty-giving or related auditor service or accounting revision service and that has reported the occurrence of the circumstances specified in subsection 1 or 2 to the Financial Intelligence Unit in accordance with the procedure provided for in § 49 of this Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 43.  Right to postpone transactions and terminate business relationships

  [RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (1) The obliged entity has the right to postpone the making of a transaction until the person participating in the transaction or official operation, a person using an official service or a customer has submitted the documents and information required for the application of due diligence measures, including for certifying the origin of the subject-matter of the transaction or for monitoring the business relationship.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) The obliged entity has the right to extraordinarily and without advance notification terminate the long-term contract serving as the basis for a business relationship:
 1) upon refusal to issue an e-resident’s digital identity card or where its validity is suspended or where it is declared invalid on the ground provided for in subsection 2 or 3 of § 206 of the Identity Documents Act;
 2) [Repealed – RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) Where, on the conditions described in subsection 1 or 2 of this section, the omission of a transaction would be impossible or where the omission of a transaction or termination of a business relationship might impede efforts made to catch persons benefiting from a suspicious transaction, the obliged entity may still make the transaction or continue the business relationship, informing the Financial Intelligence Unit thereof immediately after making the transaction or deciding to continue the business relationship in accordance with the procedure provided for in § 49 of this Act.

§ 44.  Restrictions on transfer of customer’s property

 (1) Upon implementation of the provisions of this Division, the obliged entity may transfer the customers property only to an account opened in a credit institution or the branch of a foreign credit institution registered in the Estonian commercial register or in a credit institution registered or having its place of business in a contracting state of the European Economic Area or in a country where requirements equal to those of Directive (EU) 2015/849 of the European Parliament and of the Council are in force. By way of exception, the property may be transferred to an account other than the customer’s account, notifying the Financial Intelligence Unit thereof at least seven working days in advance and provided that the Financial Intelligence Unit does not establish the restriction specified in § 57 of this Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) Upon opening an account to a company established in the manner provided for in subsection2 of §27 of this Act, subsection 1 of this section is applied, unless the Financial Intelligence Unit has established a different procedure by a precept made on the basis of §55 of this Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 45.  Variations upon provision of legal service

  The provisions of this Division do not apply to a notary, enforcement officer, bankruptcy trustee, attorney or other legal service provider, provider of accounting services or provider of advisory services in the field of accounting or taxation where the person is involved in assessing the customers legal status or in performing duties as the customers defence counsel or representative in court proceedings or in connection therewith, including in connection with giving advance on the initiation or avoidance of proceedings.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

Chapter 4 Gathering, Retaining and Protecting Data 

§ 46.  Registration of data

 (1) The obliged entity registers the transaction date or period and a description of the substance of the transaction.

 (2) In addition to the data specified in subsection 1, the obliged entity registers:
 1) information on the circumstance of the obliged entity’s refusal to establish a business relationship or make an occasional transaction;
 2) the circumstances of a waiver to establish a business relationship or make a transaction, including an occasional transaction, on the initiative of the person participating in the transaction or official operation, the person using an official service or the customer where the waiver is related to the application of due diligence measures by the obliged entity;
 21) information on all of the operations made for the purpose of establishing the identity of a person participating in a transaction or official operation, a person using an official service or a customer;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 3) information according to which it is not possible to take the due diligence measures provided for in subsection 1 of § 20 of this Act using information technology means;
 4) information on the circumstances of termination of a business relationship in connection with the impossibility of application of the due diligence measures;
 5) information serving as the basis for the duty to report under § 49 of this Act;
 6) upon making transactions with the representative of a civil law partnership, community or another legal arrangement or with a trust or trustee, the fact that the person has such status, an extract of the registry card or a certificate of the registrar of the register where the legal arrangement has been registered.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) In addition to the information provided for in subsection 1 of this section, a credit institution, financial institution and central securities depository register the following data regarding a transaction:
 1) upon opening an account, the account type, number, currency and significant characteristics of the securities or other property;
 2) upon acceptance of property for depositing, the deposition number and the market price of the property on the date of deposition or a detailed description of the property where the market price of the property cannot be determined;
 3) upon renting or using a safe-deposit box or a safe in a bank, the number of the safe-deposit box or safe;
 4) upon making a payment relating to shares, bonds or other securities, the type of the securities, the monetary value of the transaction, the currency and the account number;
 5) upon conclusion of a life insurance policy, the account number debited to the extent of the first insurance premium;
 6) upon making a disbursement under a life insurance policy, the account number that was credited to the extent of the disbursement amount;
 7) in the case of payment intermediation, the details the communication of which is mandatory under Regulation (EU) No 2015/847 of the European Parliament and of the Council;
 8) in the case of another transaction, the transaction amount, the currency and the account number.

§ 47.  Preservation of data

 (1) For the purpose of identification of persons and verification of submitted information, the obliged entity must retain the originals or copies of the documents specified in subsection 21 of § 20 and §§ 21, 22 and 46 of this Act, information registered in accordance with § 46 and the documents serving as the basis for the establishment of a business relationship for no less than five years after the termination of the business relationship.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (11) The obliged entity does not have to retain the originals or copies of the documents serving as a basis for the identification of persons and verification of submitted information where:
 1) the person was identified using e-identification and trust services for e-transactions, or
 2) the document is available to the obliged entity in an electronic database of the state throughout the period specified in subsection 1 of this section.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) During the period specified in subsection 1 of this section, the obliged entity must also retain the entire correspondence relating to the performance of the duties and obligations arising from this Act and all the data and documents gathered in the course of monitoring the business relationship or occasional transactions as well as data on suspicious or unusual transactions or circumstances which were not reported to the Financial Intelligence Unit.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) The obliged entity must retain the documents prepared with regard to a transaction on any data medium and the documents and data serving as the basis for the notification obligations specified in § 49 of this Act for no less than five years after making the transaction or performing the duty to report.

 (4) The obliged entity must retain the documents and data specified in subsections 1, 2 and 3 of this section in a manner that allows for exhaustively and immediately replying to the enquiries of the Financial Intelligence Unit or, in accordance with legislation, those of other supervisory authorities, investigative bodies or courts, inter alia, regarding whether the obliged entity has or has had in the preceding five years a business relationship with the given person and what is or was the nature of the relationship.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (5) Where the obliged entity makes, for the purpose of identifying a person, an enquiry with a database that is part of the state information system, the duties provided for in this subsection will be deemed performed where information on the making of an electronic enquiry to the register is reproducible over a period of five years after termination of the business relationship or making of the transaction.

 (6) Upon implementation of § 31 of this Act, the obliged entity retains the data of the document prescribed for the digital identification of a person, information on making an electronic enquiry to the identity documents database, and the audio and video recording of the procedure of identifying the person and verifying the person’s identity for at least five years after termination of the business relationship.

 (7) The obliged entity deletes the data retained on the basis of this section after the expiry of the time limits specified in subsections 1–6 of this section, unless the legislation regulating the relevant field establishes a different procedure. On the basis of a precept of the competent supervisory authority, data of importance for prevention, detection or investigation of money laundering or terrorist financing may be retained for a longer period, but not for more than five years after the expiry of the first time limit.

§ 48.  Protection of personal data

 (1) The obliged entity implements all rules of protection of personal data upon application of the requirements arising from this Act, unless otherwise provided by this Act.
[RT I, 13.03.2019, 2 – entry into force 15.03.2019]

 (2) The obliged entity is allowed to process personal data gathered upon implementation of this Act only for the purpose of preventing money laundering and terrorist financing, which is considered a matter of public interest for the purposes of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 04.05.2016, pp 1–88), and such data must not be additionally processed in a manner that does not meet the purpose, for instance, for marketing purposes.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (21) The following rights of the data subject may be limited with regard to personal data processed by the obliged entity based on § 16 of this Act:
 1) to demand the restriction of the processing of their personal data;
 2) to demand the portability of their personal data;
 3) to object to the processing of their personal data.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (22) On the basis of subsection 21 of this section the rights of the data subject may be restricted where the non-restriction may harm the ability of the processor or another obliged entity to comply with the requirements of this Act, including to apply due diligence measures.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) The obliged entity submits information concerning the processing of personal data before establishing a business relationship or making an occasional transaction with them. General information on the duties and obligations of the obliged entity upon processing personal data for AML/CFT purposes is given among this information.

Chapter 5 Conduct in Case of Suspicion of Money Laundering and Terrorist Financing 

§ 49.  Duty to report in case of suspicion of money laundering and terrorist financing

 (1) Where the obliged entity identifies in economic or professional activities, an official operation or provision of an official service an activity or facts whose characteristics refer to the use of criminal proceeds or terrorist financing or to the commission of related offences or an attempt thereof or with regard to which the obliged entity suspects or knows that it constitutes money laundering or terrorist financing or the commission of related offences, the obliged entity must report it to the Financial Intelligence Unit immediately, but not later than within two working days after identifying the activity or facts or after getting the suspicion.

 (2) Subsection 1 of this section also applies where a business relationship is not established, a transaction or operation is not made or a service is not provided, and the application thereof is considered also in the event of the circumstances specified in §§ 42 and 43 of this Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) The obliged entity, except for a credit institution, immediately but not later than two working days after the making of the transaction, notifies the Financial Intelligence Unit of each learned transaction whereby a pecuniary obligation of over 32 000 euros or an equal sum in another currency is performed in cash, regardless of whether the transaction is made in a single payment or in several linked payments over a period of up to one year. The credit institution notifies the Financial Intelligence Unit immediately, but not later than two working days after the making of the transaction about each foreign exchange transaction of over 32 000 euros made in cash where the credit institution does not have a business relationship with the person participating in the transaction.

 (31) The auditor who, in the course of whose professional activities, learns of a transaction which another obliged entity should have reported to the Financial Intelligence Unit under subsection 3 of this section, reports it to the Financial Intelligence Unit not later than within two working days after receiving the information.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (4) The obliged entity immediately submits to the Financial Intelligence Unit all the information available to the obliged entity, which the Financial Intelligence Unit requested in its enquiry.

 (5) The duty to report, which arises from subsections 1–4 of this section, does not apply to a notary, enforcement officer, bankruptcy trustee, auditor, attorney or other legal service provider, provider of accounting services or provider of advisory services in the field of accounting or taxation where they assess the customer’s legal situation, defend to represent the customer in court, intra-authority or other such proceedings, including where they advise the customer in a matter of initiation or prevention of proceedings, regardless of whether the information has been obtained before, during or after the proceedings.

 (6) Where the obliged entity suspects or knows that terrorist financing or money laundering or related criminal offences are being committed, the making of the transaction or official operation or the provision of the official service must be postponed until the submission of a report based on subsection 1 of this section. Where the postponement of the transaction may cause considerable harm, it is not possible to omit the transaction or it may impede catching the person who committed possible money laundering or terrorist financing, the transaction or official operation will be performed out or the official service will be provided and a report will be submitted to the Financial Intelligence Unit thereafter.

 (7) Where relevant, the Financial Intelligence Unit gives obliged entities feedback on their performance of the duty to report and on the use of the received information.

§ 50.  Place and form of performance of duty to report

 (1) A report is submitted to the Financial Intelligence Unit of the contracting state of the European Economic Area on whose territory the obliged entity has been established.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) A report is submitted via the online form of the Financial Intelligence Unit or via the X-road service.

 (3) The data used for identifying the person and verifying the submitted information and, if any, copies of the documents are added to the report.

 (4) Requirements for the contents and form of a notice submitted to the Financial Intelligence Unit and the guidelines for the submission of a report are established by a regulation of the minister responsible for the field.

§ 51.  Confidentiality of report

 (1) The obliged entity, a structural unit of the obliged legal entity, a member of a management body and an employee is prohibited to inform a person, its beneficial owner, representative or third party about a report submitted on them to the Financial Intelligence Unit, a plan to submit such a report or the occurrence of reporting as well as about a precept made by the Financial Intelligence Unit based on §§ 57 and 58 of this Act or about the commencement of criminal proceedings. After a precept made by the Financial Intelligence Unit has been complied with, the obliged entity may inform a person that the Financial Intelligence Unit has restricted the use of the person’s account or that another restriction has been imposed.

 (2) The prohibition provided for in subsection 1 of this section is not applied upon submission of information to:
 1) competent supervisory authorities and law enforcement agencies;
 2) credit institutions and financial institutions in between themselves where they are part of the same group;
 3) institutions and branches that are part of the same group as the person specified in subsection 2 of this section where the group applies group-wide procedural rules and principles in accordance with § 15 of this Act;
 4) a third party who operates in the same legal person or structure as an obliged entity who is a notary, enforcement officer, bankruptcy trustee, auditor, attorney or other legal service provider, provider of accounting services or provider of advisory services in the field of accounting or taxation and whereby the legal person or structure has the same owners and management system where joint compliance is practiced.

 (3) The prohibition provided for in subsection 1 of this section does not apply to the exchange of information in a situation where it concerns the same person and the same transaction that involves two or more obliged entities that are credit institutions, financial institutions, enforcement officers, bankruptcy trustees, auditors, attorneys or other legal service providers, providers of accounting services or providers of advisory services in the field of accounting or taxation located in a contracting state of the European Economic Area or in a country where requirements equal to those of Directive (EU) 2015/849 of the European Parliament and of the Council are in force, act in the same field of profession and requirements equal to those in force in Estonia are implemented for keeping their official secrets and protecting personal data.

 (4) Where a notary, enforcement officer, bankruptcy trustee, auditor, attorney or other legal service provider, provider of accounting services or provider of advisory services in the field of accounting or taxation convinces a customer to refrain from unlawful acts, it is not deemed violation of the prohibition provided for in subsection 1 of this section.

 (5) For AML/CFT purposes, credit institutions and financial institutions may between themselves exchange information on high-risk customers and transactions suspected of a criminal offence.

 (6) The exchange of information regulated in this section must be retained in writing or in a form reproducible in writing for the next five years and information is submitted to the competent supervisory authority at its request.

§ 52.  Discharge of liability

 (1) The obliged entity, its employee, representative and the person who acted on its behalf is not liable for damage caused to a person or customer participating in a transaction made in economic or professional activities, in performing an official operation or in the provision of an official service:
 1) upon performance of duties and obligations arising from this Act in good faith, from failing to make the transaction or from failing to make the transaction within the prescribed time limit;
 2) in connection with the performance of the duty to report provided for in § 49 of this Act in good faith;
 3) by implementing §§ 16 and 18 of this Act in good faith.

 (2) The performance of the duty to report arising from § 49 of this Act and submission of information by the obliged entity is not deemed breach of the confidentiality requirement arising from law or contract and the statutory or contractual liability for the disclosure of the information is not applied to the person who performed the duty to report. An agreement derogating from this provision is void.

 (3) Upon releasing to the Financial Intelligence Unit data and documents relating to the professional activities of a notary on the basis of a precept of the Financial Intelligence Unit specified in § 55 of this Act or upon performance of the duty to report specified in § 49, the notary is discharged from the confidentiality duty provided for in § 3 of the Notaries Act.

 (4) Taking into account its size and nature of activities, the obliged entity establishes an appropriate system of measures ensuring that the employees and representatives of the obliged entity who report of a suspicion of money laundering or terrorist financing or of a violation of this Act within the obliged entity are able to do so anonymously and are protected from being exposed to threats or hostile action by other employees, management body members or customers of the obliged entity, in particular from adverse or discriminatory employment actions.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 521.  Protection of originator of report

 (1) The Financial Intelligence Unit and the Financial Supervision Authority ensure the confidentiality of the fact of reporting of a violation of this Act as well as of a factor the reporting specified in § 49 of this Act and this fact may be disclosed only with the written consent of the natural person who filed the report.

 (2) The fact of reporting may be disclosed to the prosecutor’s office and the investigation body where there is a suspicion that the person who filed the report has violated the reporting obligation or committed a criminal offence.

 (3) If the natural person who filed a report is involved in offence proceedings as a witness, the provisions of the offence proceedings apply without compromising the confidentiality of the fact of reporting.

 (4) The employer is not allowed to treat an employee unequally because of a report specified in subsection 1 of this section.

 (5) The court or the labour dispute committee applies a shared burden of proof for the purpose of protection of the natural person who filed the report. The claimant or petitioner submits in the claim or petition the facts based on which it can be concluded that they have been treated unequally. Where the person against who the claim or petition has been filed does not prove otherwise, it is presumed that the originator of the report was treated unequally due to reporting. An agreement deviating from this subsection is void.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

Chapter 6 Financial Intelligence Unit 

§ 53.  Financial Intelligence Unit

 (1) The Financial Intelligence Unit is an independent structural unit of the Police and Border Guard Board. The Financial Intelligence Unit performs its duties arising from this Act independently and makes decisions concerning the actions provided for in this Act independently.

 (2) The Director General of the Police and Border Guard Board appoints the head of the Financial Intelligence Unit on a proposal of the Deputy Director General in the field of intelligence management and investigation for a term of five years.

 (3) The Police and Border Guard Board ensures the provision of the Financial Intelligence Unit with funds, technical equipment and staff required for performance of the duties prescribed by law.

§ 54.  Duties of Financial Intelligence Unit

 (1) The duties of the Financial Intelligence Unit:
 1) gathering, registration, processing and analysis of information referring to money laundering and terrorist financing;
 2) strategic analysis that covers the risks, threats, trends and ways of operation of money laundering and terrorist financing;
 3) tracing criminal proceeds and application of the enforcement powers of the state on the grounds and within the scope provided by law;
 4) supervision over the activities of obliged entities in complying with this Act, unless otherwise provided by law;
 5) informing the public about the prevention and identification of money laundering and terrorist financing, and preparing and publishing an aggregate overview at least once a year;
 6) AML/CFT cooperation with obliged entities, competent supervisory authorities and investigative bodies;
 7) training obliged entities’ staff, investigative bodies, prosecutors and judges in AML/CFT matters;
 8) organisation of international communication and exchange of information in accordance with § 63 of this Act;
 9) performance of duties arising from the International Sanctions Act;
 10) conducting misdemeanour proceedings provided for in this Act;
 11) processing applications for authorisations, suspending or prohibiting business activities or suspending or revoking an authorisation in accordance with the procedure set out in the General Part of the Economic Activities Code Act, taking account of the variations of this Act.

 (2) Upon application of clause 1 of subsection 1 of this section, it is verified whether the data submitted to the Financial Intelligence Unit is important for countering, identifying or pre-litigation investigation of money laundering, related criminal offences and terrorist financing.

 (3) The Financial Intelligence Units analyses and verifies information about suspicions of money laundering and terrorist financing, takes measures for preservation of property where necessary and immediately forwards materials to the competent authorities upon identification of elements of a criminal offence. The competent authority immediately notifies the Financial Intelligence Unit of the seizure, non-seizure and release of seized property in accordance with the procedure established in the Code of Criminal Procedure.

§ 541.  Reports submitted to Financial Intelligence Unit

 (1) Credit and financial institutions and persons subject to supervision exercised by the Financial Intelligence Unit under subsection 1 of § 64 of this Act submit to the Financial Intelligence Unit reports containing information necessary for the performance of the statutory functions.

 (2) The collection and submission of the information specified in subsection 1 of this Act may also be organised with the help of governmental authorities, state authorities and public legal persons. The principle of the single submission of information must be adhered to regarding the obliged entity.

 (3) The requirements for the content and originator of reports submitted to the Financial Intelligence Unit and the procedure for submission are established by a regulation of the minister responsible for the field.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 55.  Administrative decisions of Financial Intelligence Unit

 (1) The Financial Intelligence Unit issues precepts and other administrative decisions in order to perform the duties arising from law.

 (2) A precept made on the basis of § 57 of this Act, which is aimed at stopping a transaction or restricting the use of an account or other property as well as a precept aimed at obtaining information on circumstances, transactions and persons related to a suspicion of money laundering or terrorist financing does not set out its factual grounds. The facts on the basis of which the precept is issued are set out in a separate document.

 (3) The person whose transaction was stopped or the use of whose account or other property was restricted by a precept has the right to examine the document setting out the facts. The Financial Intelligence Unit has the right to refuse to grant access to the document where:
 1) it would impede AML/CFT efforts;
 2) the disclosure of the information contained in the document is against the law or international agreements, including restrictions established in international cooperation;
 3) it would jeopardise the establishment of the truth in criminal proceedings.

 (4) An administrative decision of the Financial Intelligence Unit is signed by the head or deputy head of the Financial Intelligence Unit or by an official authorised by the head of the Financial Intelligence Unit. Upon signature by an authorised official, the number and date of the document granting the right of signature and the place where the document can be accessed are indicated next to the signature.

 (5) A claim against an administrative decision or step of the Financial Intelligence Unit is filed with the administrative court. Upon contesting a precept specified in subsection 2 of this section, the Financial Intelligence Unit submits to the administrative court a separate document setting out the facts, which gives the reasons for making the precept, establishing relevant restrictions thereto.

§ 56.  Guidelines of Financial Intelligence Unit

 (1) The Financial Intelligence Unit has the right to issue advisory guidelines to explain AML/CFT legislation.

 (2) The Financial Intelligence Unit issues guidelines regarding the characteristics of suspicious transactions.

 (3) The Financial Intelligence Unit issues guidelines regarding the characteristics of transactions suspected of terrorist financing. The guidelines are coordinated with the Estonian Internal Security Service beforehand.

 (4) The guidelines of the Financial Intelligence Unit are published on its website.

§ 57.  Stopping of transaction, restriction of disposal of property and transfer of property to state ownership

 (1) In the event of suspicion of money laundering or terrorist financing, the Financial Intelligence Unit may issue a precept to stop a criminal activity or, at the request of the financial intelligence unit of another country, to suspend a transaction or impose restrictions on the disposal of property on an account, property kept on an account or property constituting the object of the transaction, official operation or official service or other property suspected of being associated with money laundering or terrorist financing for up to 30 calendar days as of the delivery of the precept. In the event property registered in the land register, ship register, central securities depository, motor register, register of construction works or another state register, the Financial Intelligence Unit may, in the event of justified suspicion, restrict the disposal of the property for the purpose of ensuring its preservation for up to 30 calendar days.

 (2) Before expiry of the period specified in subsection 1, a transaction may be made or the restriction of disposal of an account or other property may be derogated from only with the written consent of the Financial Intelligence Unit.

 (3) On the basis of a precept, the Financial Intelligence Unit may, in addition to the period specified in subsection 1 of this section, restrict the disposal of property for the purpose of ensuring its preservation for additional 60 calendar days where:
 1) upon verification of the origin of the property in the event of suspicion of money laundering, the possessor or owner of the property fails to prove to the Financial Intelligence Unit the legal origin of the property within 30 calendar days following the suspension of the transaction or the establishment of the restriction on use of the account or on disposal of other property;
 2) there is suspicion that the property is used for terrorist financing.

 (4) In enforcement or bankruptcy proceedings it is prohibited to transfer property on which a restriction has been imposed by the Financial Intelligence Unit or which has been seized during the validity of the restriction in accordance with the procedure provided for in the Code of Criminal Procedure.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (5) Where property has been seized in accordance with the Code of Criminal Procedure, the Financial Intelligence Unit is required to immediately lift the restrictions on the disposal of the property after a court order on the seizure of the property has entered into force.

 (6) Where the owner of the property or, in the event of property held on the account, also the beneficial owner of the property has not been established, the Financial Intelligence Unit may ask the administrative court for permission to restrict the disposal of the property until the owner or beneficial owner of the property has been established and the Financial Intelligence Unit may ask the same also upon termination of criminal proceedings, but not for more than one year.

 (7) Where, within one year following the imposing of restrictions on the use of the property, the owner of the property or the beneficial owner of the property held on the account has not been identified or where the possessor of the property informs the Financial Intelligence Unit or the Prosecutor’s Office of the desire to give up the property, the Financial Intelligence Unit or the Prosecutor’s Office may ask the administrative court for permission to transfer the property to state ownership. The property is sold in accordance with the procedure provided for in the Code of Enforcement Procedure and the sum earned from the sale is transferred to state revenue. The owner of the property has the right to recover the sum transferred to the state revenue within a period of three years following the day on which the property was transferred to the state revenue.

 (8) In the case of property held on an account, the account holder is deemed to be the possessor of the property upon implementation of subsections 6 and 7 of this section and their right of ownership is not presumed.

 (9) The restriction of the disposal of property registered in the land register, ship register, central securities depository, motor register, register of construction works and in other state register is ensured by the registrars in the first order of priority and immediately, without any additional steps taken by the Financial Intelligence Unit.

 (10) Where the legal origin of the property in the case of suspicion of money laundering or the absence of a link between the property and terrorist financing in the case of suspicion of terrorist financing is proven before the expiry of the time limit specified in subsection 1, 3 or 6 of this section, the Financial Intelligence Unit will be required to immediately terminate the restrictions of use of the property.

§ 58.  Requesting information

 (1) To perform the duties arising from law, the Financial Intelligence Unit has the right to receive information from the competent supervisory authorities, other state authorities and local authority agencies and, based on a precept, from obliged entities and third parties by the deadline set by the Financial Intelligence Unit.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (11) To perform the functions arising from this Act, the Financial Intelligence Unit has the right to receive the information specified in subsections 11–15 of § 81 of this Act via the electronic seizure system specified in § 631 of the Code of Enforcement Procedure.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) The addressee of a precept is required to comply with the precept and to submit the requested information, including any information subject to banking or business secrecy, within the time limit set in the precept. The information is submitted in writing or in a form reproducible in writing.

 (3) In order to prevent money laundering, the Financial Intelligence Unit has the right to obtain, pursuant to the procedure provided by legislation, relevant information, including information collected by surveillance, from any surveillance agency by the deadline set by the Financial Intelligence Unit. Where the Financial Intelligence Unit wishes to forward information collected by way of surveillance to other authorities, the Financial Intelligence Unit must obtain written consent from the agency that provided the information.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (4) This section does not apply to an attorney, unless the attorney provides the services specified in subsection 2 of § 2 of this Act or a report given by the attorney to the Financial Intelligence Unit does not meet the established requirements, is not accompanied by the required documents or is accompanied by documents that do not meet the requirements.

§ 59.  Interbase cross-usage of data

  In order to perform the duties arising from law, the Financial Intelligence Unit has the right to make enquiries to and to receive data from state and local government databases and databases maintained by persons in public law, in accordance with the procedure provided by law.

§ 60.  Restrictions on use of data

 (1) Only an official of the Financial Intelligence Unit has access to and the right to process the information in the Financial Intelligence Unit database. On the basis of this Act, the head of the Financial Intelligence Unit may establish restrictions on access to information, classifying information as information for internal use. The staff of the Financial Intelligence Unit and other persons who have access to the information contained in the database of the Financial Intelligence Unit are required to keep information known to them about money laundering or terrorist financing confidential for an unspecified period of time.

 (2) To prevent or identify money laundering or terrorist financing or criminal offences related thereto and to facilitate pre-litigation investigation thereof, the Financial Intelligence Unit must forward significant information, including information subject to tax and banking secrecy to the Prosecutor’s Office, the investigative body and the court.

 (3) Data registered in the Financial Intelligence Unit is only forwarded to the authority engaged in the pre-litigation proceedings, the prosecutor and the court in connection with criminal proceedings or on the initiative of the Financial Intelligence Unit where it is necessary for the prevention, identification and investigation of money laundering or terrorist financing and criminal offences relating thereto as well as in administrative court proceedings where a request of the Financial Intelligence Unit or a claim or protest filed against a step or administrative decision of the Financial Intelligence Unit is decided.

 (4) The Financial Intelligence Unit may notify the competent supervisory authority of the breach of the requirements of this Act by an obliged entity or, based on a relevant request, forward data registered in the Financial Intelligence Unit, analyses and assessments to the extent that does not violate restrictions established by law, an international agreement or in international cooperation, where it is necessary for AML/CFT or related criminal offences, performance of the statutory duties of the competent supervisory authority or attainment of the purposes of this Act.

 (5) The Financial Intelligence Unit has the right to forward the information specified in subsection 4 of this section to the Tax and Customs Board for proceedings related to a gambling activity licence.

 (6) With the permission of the head of the Financial Intelligence Unit persons whose involvement is required to perform the duties of the Financial Intelligence Unit may be granted temporary access to data required for performing the duty to the sufficient extent. The provisions of subsections 1–5 of this section and § 61 of this Act applicable to an official of the Financial Intelligence Unit apply to the rights and competences of a person who has obtained the permission.

 (7) In an individual case, the Financial Intelligence Unit may forward to the compliance officer of the obliged entity the data registered in the Financial Intelligence Unit to the required and sufficient extent for the purpose of taking joint AML/CFT measures or measures for prevention of related criminal offences.

 (8) The Financial Intelligence Unit has the right to establish restrictions on the use of forwarded data and the user of the data must follow the restrictions.

 (9) The documents and records of the Financial Intelligence Unit, which are to be handed over to the National Archives in accordance with the law, are handed over after the passing of 30 years and thereafter the documents and records will be deleted from the database of the Financial Intelligence Unit. Until handing over to the National Archives, documents and records are kept in the Financial Intelligence Unit.

 (10) The procedure for registration and processing of data gathered by the Financial Intelligence Unit is established by a regulation of the minister responsible for the field.

§ 61.  Requirements for official of Financial Intelligence Unit

 (1) Only a person with impeccable reputation, the required experience, abilities, education and high moral qualities may be appointed as an official of the Financial Intelligence Unit.

 (2) An official of the Financial Intelligence Unit is required to maintain the confidentiality of information made known to them in connection with their official duties, including information subject to banking secrecy, even after the performance of their official duties or the termination of a service relationship connected with the processing or use of the information.

§ 62.  Cooperation between Financial Intelligence Unit and Internal Security Service

 (1) The Financial Intelligence Unit and the Security Police Board cooperate in investigation of transactions suspected of terrorist financing through mutual official assistance and exchange of information.

 (2) The Director General of the Security Police Board appoints a compliance officer who has the right to receive information of any and all reports of suspicion of terrorist financing equally to an official of the Financial Intelligence Unit and to make proposals for requesting additional information, where necessary.

 (3) The compliance officer of the Internal Security Service is involved in performing the duties provided for in clauses 1, 4, 6 and 7 of subsection 1 of § 54 of this Act and their rights and competence are regulated by the provisions of subsections 1–5 of § 60 and § 61 of this Act, which are applicable to an official of the Financial Intelligence Unit.

 (4) The compliance officer of the Internal Security Service has the right to exercise the supervision provided for in this Act jointly with an official of the Financial Intelligence Unit.

§ 63.  International exchange of information

 (1) The Financial Intelligence Unit has the right to exchange information and conclude cooperation agreements with a foreign authority that performs the duties of a financial intelligence unit (hereinafter other financial intelligence unit) or a foreign law enforcement or supervisory agency as well as with an international organisation or institution.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (11) The Financial Intelligence Unit appoints an employee who is responsible for accepting requests for information sent by financial intelligence units located in other contracting states of the European Economic Area.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) The Financial Intelligence Unit has the right, on its own initiative or at request, to send and receive to and from another financial intelligence unit any information that the other financial intelligence unit may need in AML/CFT efforts and in processing or analysing information relating to natural or legal persons involved in money laundering or terrorist financing.

 (3) A request for information sent to a foreign financial intelligence unit by the Financial Intelligence Unit contains the circumstances of requesting the information, a description of the background, the reasons for the request and information on how they intend to use the requested information.

 (4) Upon implementation of subsections 2 and 3 of this section, the Financial Intelligence Unit may use secure communication channels.

 (5) When the Financial Intelligence Unit receives a report on persons and connections of another contracting state of the European Economic Area on the basis of subsections 1 and 2 of § 49 of this Act, the Financial Intelligence Unit immediately forwards the information thereon to the financial intelligence unit of the respective contracting state.

 (51) If responding to a request for information received from the financial intelligence unit located in another contracting state of the European Economic Area calls for the acquisition of additional information from an obliged entity, the Financial Intelligence Unit acquires the information immediately.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (6) When exchanging the information provided for in this section, the Financial Information Unit may, upon communication of information, establish restrictions on and conditions of the use of information and the recipient of the information must follow the established restrictions.

 (7) The Financial Intelligence Union may refuse to exchange information only in exceptional cases where the exchange of information is clearly outside the aims of AML/CFT, might harm criminal proceedings, clearly and disproportionately harms the legitimate interests of a natural or legal person or the Financial Intelligence Unit, is otherwise in conflict with the general principles of national law or does not contain the circumstances of requesting the information, a description of the background, the reasons for the request or information on how the requested information is to be used.

 (71) The Financial Intelligence Union may refuse to forward information to the financial intelligence unit of another contracting state of the European Economic Area only where the exchange of information is clearly outside the aims of AML/CFT or it might harm criminal proceedings or where the unit requesting information has not clarified the circumstances of requesting the information, a description of the background, the reasons for the request or information on how the requested information is to be used.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (8) The Financial Intelligence Unit ensures the use of information received from another financial intelligence unit on the basis of a request in accordance with the restrictions established by the other unit, asking for the other unit’s prior consent to using the information in another manner, where necessary.

 (9) The Financial Intelligence Unit ensures that the consent to disseminate the information communicated based on a request is granted immediately and to the highest extent possible. The Financial Intelligence Unit that has received a request may refuse to grant consent to the dissemination of the information to the requested extent where it is clearly outside the aims of AML/CFT, might harm criminal proceedings, clearly and disproportionately harms the legitimate interests of a natural or legal person or the Financial Intelligence Unit or is otherwise in conflict with the general principles of national law. The restriction of dissemination of information is explained.

 (10) The Financial Intelligence Unit immediately grants the financial intelligence unit of another contracting state of the European Economic Area permission to disseminate the information communicated on the basis of the request to other competent authorities of the respective state. The permission may be refuses where the dissemination of information is clearly outside the AML/CFT aims or it would have criminal proceedings. The restriction of the dissemination of information is explained.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

Chapter 7 Supervision 

§ 64.  Supervisory authorities

 (1) The Police and Border Guard Board or the Financial Intelligence Unit exercises state supervision over compliance with this Act and legislation adopted on the basis thereof, unless otherwise provided for in this section.

 (2) The Financial Supervision Authority exercises supervision over compliance with this Act and legislation adopted on the basis thereof by credit institutions and financial institutions that are subject to its supervision under the Financial Supervision Authority Act and in accordance with the legislation of the European Union. The Financial Supervision Authority exercises supervision in accordance with the procedure provided for in the Financial Supervision Authority Act, taking account of the variations provided for in this Act. The Financial Supervision Authority exercises supervision over the credit institutions and financial institutions specified in the first sentence of this subsection in all the fields of activity specified in § 2 of this Act and in the provision of the services specified in § 6.

 (3) The board of the Estonian Bar Association (hereinafter Bar Association) exercises supervision over compliance with this Act and legislation adopted on the basis thereof by the members of the Bar Association on the basis of the Bar Association Act, taking account of the provisions of this Act.

 (4) The Ministry of Justice exercises supervision over compliance with this Act and legislation adopted on the basis thereof by notaries on the basis of the Notaries Act, taking account of the provisions of this Act. The Ministry of Justice may delegate supervision to the Chamber of Notaries.

 (5) The Financial Supervision Authority, the board of the Bar Association, the Ministry of Justice and the Chamber of Notaries cooperate with the Financial Intelligence Unit based on the purposes of this Act.

 (6) The supervisory authorities have the right to exchange information and cooperate with the supervisory authorities of other countries based on the duties provided for in this Act.

 (7) A supervisory authority has the right to involve experts, interpreters and advisors in exercising supervision, provided that the compliance of such person with the requirements specified in subsection 1 of § 61 of this Act is ensured.

§ 65.  Application of state supervisory measures and imposition of penalty payment

 (1) To exercise state supervision provided for in this Act, the Police and Border Guard Board and the Financial Intelligence Unit may apply the special measures of state supervision provided for in §§ 30–32, 35, 50 and 51 of the Law Enforcement Act, taking account of the variations provided for in this Act and in the Financial Supervision Authority Act.

 (2) Where the obliged entity is a credit institution or financial institution, the maximum penalty payment in the event of failure to comply or improper compliance with an administrative decision is:
 1) in the case of a natural person, up to 5000 euros the first time and up to 50 000 euros any next time in order to force the person to perform one and the same duty or obligation, but not more than 5 000 000 euros in total;
 2) in the case of a legal person, up to 32 000 euros the first time and up to 100 000 euros any next time in order to force the person to perform one and the same duty or obligation, but not more than the higher of 5 000 000 euros or 10 per cent of the total annual turnover of the legal person according to the latest available annual accounts approved by its management body.

 (3) Where the legal person specified in clause 2 of subsection 2 of this section is a parent undertaking or a subsidiary of such parent undertaking who must prepare consolidated annual accounts, either the annual turnover or the total turnover of the field of the breach that served as the basis for the given administrative decision or precept according to the latest available consolidated annual accounts approved by the highest-level management body of the parent undertaking is considered the legal person’s total annual turnover.

 (4) Where persons not specified in subsections 2 and 3 of this section fail to comply with an administrative decision or improperly comply therewith, the maximum penalty payment is:
 1) 5,000 euros in the case of a natural person;
 2) up to 32,000 euros in the case of a legal person.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 66.  Rights of administrative supervision authority

 (1) The administrative supervision authority has the right to inspect the seat or the place of business of obliged entities. The supervisory authority has the right to enter a building and a room that is in the possession of the obliged entity in the presence of a representative of the inspected person.

 (2) In the event of on-site inspection, the administrative supervision authority has the right to:
 1) without limitations examine the required documents and data media, make extracts, transcripts and copies thereof, receive explanations regarding them from the obliged entity, and monitor the work processes;
 2) receive oral and written explanations from the inspected obliged entity, members of its management body and employees.

 (3) The administrative supervision authority has the right to demand that an obliged entity submit information required for inspection also without carrying out an on-site inspection.

§ 67.  Duties of supervisory authority

 (1) Where the Financial Supervision Authority, the Police and Border Guard Board, the board of the Bar Association, the Ministry of Justice or the Chamber of Notaries, upon exercising supervision, identifies a situation whose characteristics refer to a suspicion of money laundering or terrorist financing, it will immediate notify the Financial Intelligence Unit thereof based on § 49 of this Act.

 (11) If the Financial Supervision Authority has, based on information or materials gathered in the course of financial supervision, above all, when assessing the organisation of the management, business model or activities of a credit institution or an investment firm, reasonable grounds to suspect that money has been or is being laundered or terrorism has been or is being financed in the credit institution or investment firm or that the credit institution or investment firm is involved in money laundering or terrorist financing or has committed an attempt thereof or there is a heightened risk of money laundering or terrorist financing in the credit institution or investment firm, the Financial Supervision Authority immediately informs the Financial Intelligence Unit and the European Banking Authority thereof.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (12) In the event provided for in subsection 1 of this section, the Financial Supervision Authority and the Financial Intelligence Unit cooperate to attend to the possible heightened risk of money laundering or terrorist financing and notify the European Banking Authority of their joint assessment without delay.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) The Financial Supervision Authority, the board of the Bar Association and the Ministry of Justice must submit to the Financial Intelligence Unit by 15 April information about:
 1) the number of supervisory proceedings carried out in the preceding calendar year and the number of obliged entities covered by supervision based on the types of entities;
 2) the number of breaches detected upon exercising supervision in the preceding calendar year, the number of persons against whom misdemeanour proceedings were initiated or other measures were applied, and the legal grounds per obliged entity.

 (3) The Police and Border Guard Board, the Financial Intelligence Unit and the Financial Supervision Authority publish on their websites the final decision made in a misdemeanour case provided for in Chapter 10 of this Act or an administrative decision, precept or decision to impose a penalty payment made in accordance with the procedure established in this Chapter immediately after it has entered into force. At least the type and nature of the breach, the details of the person responsible for the breach and information on appealing against and annulment of the decision or precept is given on the website. The entire information must remain available on the website for at least five years.

 (4) Upon assessment of the facts, the Police and Border Guard Board, the Financial Intelligence Unit and the Financial Supervision Authority has the right to postpone the publication of the final decision in a misdemeanour case or a relevant administrative decision or not to disclose the identity of the offender for the purpose of protection of personal data as long as at least one of the following criteria is met:
 1) the publication of the data jeopardises the stability of financial markets or pending proceedings;
 2) the disclosure of the person responsible for the misdemeanour would be disproportionate to the imposed penalty.

 (5) Upon assessment of the facts, the Police and Border Guard Board, the Financial Intelligence Unit and the Financial Supervision Authority has the right not to publish the final decision made in the misdemeanour case or the relevant administrative decision where the options specified in subsection 4 of this section are deemed insufficient to ensure the stability of financial markets or the publishing of the decisions would be disproportionate in the case of a measure considered less important.

§ 68.  Reporting of inspection results

 (1) The Financial Supervision Authority must prepare a report on the inspection results, which is communicated to the inspected person within the time limit provided for in the Act regulating the activities of the credit institution or financial institution. Another administrative supervision authority must prepare a report on the inspection results, which is communicated to the inspected person within one month after the inspection.

 (2) The report must contain the following details:
 1) the name of the inspection;
 2) the job title and given name and surname of the author of the inspection report;
 3) the place and date of preparation of the report;
 4) reference to the provision serving as the basis for the inspection;
 5) the given name and surname and the job title of the representative of the inspected person or the possessor of the building or room who attended the inspection;
 6) the given name and surname and the job title of another person who attended the inspection;
 7) the start and end time and the conditions of the inspection;
 8) the process and results of the inspection with the required level of detail.

 (3) The report is signed by its author. The report remains with the administrative supervision authority and a copy thereof to the inspected person or its representative.

 (4) The inspected person has the right to submit written explanations within seven days as of the receipt of the report.

§ 69.  Supervision over activities of Financial Intelligence Unit

 (1) The Data Protection Inspectorate exercises supervision over the legality of the processing of information registered in the Financial Intelligence Unit.

 (2) To assess the Financial Intelligence Unit’s personal data processing process, the Data Protection Inspectorate has the right to access the guidelines and procedures of the Financial Intelligence Unit and receive written and oral clarifications. In the course of deciding a complaint filed by a data subject, the Data Protection Inspectorate has the right to receive data from the Financial Intelligence Unit to the extent required for making a decision on the complaint.

 (3) Supervisory control over the lawfulness of the activities of the Financial Intelligence Unit is exercised by the Police and Border Guard Board.

 (4) The Director General of the Police and Border Guard Board and an official authorised by them has the right to access data registered in the Financial Intelligence Unit for the purpose of exercising supervisory control to the required extent.

 (5) The provisions of subsections 1–5 of § 60 and § 61 of this Act regarding an official of the Financial Intelligence Unit apply to an official exercising supervisory control.

Chapter 8 Authorisation and Prohibition to Provide Services 
[RT I, 10.07.2020, 1 - entry into force 20.07.2020]

§ 70.  Authorisation obligation

 (1) An undertaking is required to have authorisation for operating in the following areas of activity:
 1) operating as a financial institution;
 2) providers of trust and company services;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 3) providing pawnbroking services;
 4) providing a virtual currency service;
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]
 5) [Repealed – RT I, 31.12.2019, 2 – entry into force 10.03.2020]
 6) buying-in or wholesale of precious metals, precious metal articles or precious stones, except precious metals and precious metal articles used for production, scientific or medical purposes.

 (2) A person who holds the following is not subject to the authorisation obligation:
 1) authorisation granted by the Financial Supervision Authority;
 2) obligation to apply for the Financial Supervision Authority’s authorisation under another Act;
 3) authorisation granted by the financial supervision authority of a contracting state of the European Economic Area based on which the person is authorised to operate in Estonia via a branch or across borders, provided that the Financial Supervision Authority has been notified of such operations, or
 4) who provides the services specified in subsection 1 of this section within the group.

 (3) In addition to the information required in the General Part of the Economic Activities Code Act, an application for authorisation must contain the following data and documents:
 1) the address of the place of provision of the service, including the website address;
 2) the name and contact details of the person in charge of provision of the service with regard to all the places of provision of the service specified in clause 1 of this subsection;
 3) where the undertaking that is a legal person has not been registered in the Estonian commercial register: the name of the owner of the undertaking, the owner’s registry code or personal identification code (upon absence thereof, the date of birth), the seat or place of residence; the beneficial owner’s name, personal identification code (upon absence thereof, the date of birth), the place of birth, and the address of the place of residence;
 4) the name, personal identification code (upon absence thereof, the date of birth), place of birth and the address of the place of residence of a member of the management body or a procurator of the service provider who is a legal person, unless the service provider is an undertaking registered in the Estonian commercial register;
 5) the rules of procedure and internal control rules drawn up in accordance with §§ 14 and 15 of this Act and, in the case of persons having specific duties listed in § 20 of the International Sanctions Act, the rules of procedure and the procedure for verifying adherence thereto drawn up in accordance with § 23 of the International Sanctions Act;
[RT I, 19.03.2019, 11 – entry into force 01.01.2020]
 6) the name, personal identification code (upon absence thereof, the date of birth), place of birth, citizenship, address of the place of residence, position, and contact details of the compliance officer appointed in accordance with § 17 of this Act;
 7) the name, personal identification code (upon absence thereof, the date of birth), place of birth, citizenship, the address of the place of residence, position and contact details of the person who is in charge of imposing the international financial sanction and who has been appointed by the undertaking in accordance with subsection 3 of § 20 of the International Sanctions Act;
[RT I, 19.03.2019, 11 – entry into force 01.01.2020]
 8) where the undertaking, a member of its management body, procurator, beneficial owner or owner is a foreign national or where the undertaking is a foreign service provider, a certificate of the criminal records database or an equal document issued by a competent judicial or administrative body of its country of origin, which certifies the absence of a penalty for an offence against the authority of the state or a money laundering offence or another wilfully committed criminal offence and has been issued no more than three months ago and has been authenticated by a notary or certified in accordance with an equivalent procedure and legalised or certified with a certificate replacing legalisation (apostille), unless otherwise provided by an international agreement;
 9) where the undertaking, a member of its management body, procurator, beneficial owner or individual owner is a foreign citizen, copies of all of the identity documents of all of their countries of citizenship and the documents certifying the absence of the convictions, which are specified in clause 8 of this section;
[RT I, 31.12.2019, 2 – entry into force 10.03.2020
 10) regarding a member of a management body and a procurator of the undertaking, documents indicating the level of education, a full list of the employers and jobs and, in the case of a member of a management body, also the field of responsibility, also documents that the applicant considers important to submit to prove the trustworthiness of the member of the management body or procurator and the fact that the applicant has good business reputation;
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]
 11) the list of payment accounts kept in the name of the undertaking, along with each payment account’s unique feature and the account manager’s name.
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]

 (31) Where the documents issued by the country specified in clause 8 or 9 of subsection 3 of this section do not prove the absence of a conviction to the required extent, the documents must be accompanied by a statement given under oath by the person the absence of whose conviction needs to be proven.
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]

 (4) In the case of an application for authorisation in a field specified in clause 1 or 4 of subsection1 of this section, the details specified in subsection 3 of this section must be accompanied by information on which financial service or virtual currency service will be provided.
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]

 (5) Where the undertaking would like to use the authorisation also for the activities of a subsidiary, the undertaking must, in addition to the information required in the General Part of the Economic Activities Code Act, submit all the information regarding the subsidiary, which is specified in subsection 3 of this section and, where necessary, also the information specified in subsection 4 of this section.

 (6) The undertaking submits the applications, requests and notices related to the authorisation specified in subsection 1 of this section only via the Estonian information gateway or a notary in accordance with the single contact point principle.
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]

§ 71.  Granting of authorisation and refusal to grant authorisation

  [RT I, 31.12.2019, 2 – entry into force 10.03.2020]
An authorisation application is decided by the Financial Intelligence Unit by way of granting or refusing to grant authorisation not later than within 60 working days following the date of submission of the application. By a decision of the Financial Intelligence Unit, the time limit of granting the authorisation may be extended to up to 120 days.
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]

§ 72.  Object of inspection of authorisation

 (1) Authorisation is granted to an undertaking where:
 1) the undertaking, a member of its management body, procurator, beneficial owner and owner do not have any unexpired conviction for a criminal offence against the authority of the state, offence relating to money laundering or other wilfully committed criminal offence;
 11) the persons specified in clause 1 of this subsection have good business reputation;
 2) the compliance officer appointed by the undertaking on the basis of § 17 of this Act meets the requirements provided for in this Act;
 3) the undertaking’s subsidiary whose activities the authorisation sought in the name of the undertaking is to be used for meets the requirements specified in clauses 1 and 2 of this section;
 4) the registered seat, the seat of the management board and place of business of the undertaking applying for authorisation in the field of activity specified in clause 4 of subsection 1 of § 70 of this Act is in Estonia or a foreign company operates in Estonia via a branch that is registered in the commercial register and the place of business and the seat of the head of which is Estonia;
 5) a payment account has been opened for the undertaking applying for authorisation in the field of activity specified in clause 4 of subsection 1 of § 70 of this Act in a credit institution, e-money institution or payment institution that has been established in Estonia or in a contracting state of the European Economic Area and provides cross-border services in Estonia or has established a branch in Estonia;
 6) the share capital of the undertaking applying for authorisation in the field of activity specified in clause 4 of subsection 1 of § 70 of this Act is at least 12,000 euros and has been contributed in full.

 (2) Whether the business reputation is good is assessed by the issuer of the authorisation, taking into account the person’s prior activities and related circumstances. The existence of good business reputation is presumed where circumstances calling into doubt are absent.
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]

§ 73.  Obligation to enclose documents with notice of intention to change business activity

  Where an undertaking submits a notice of intention to change its business activity regarding itself, a member of its management body, procurator, beneficial owner or owner, the document specified in clause 8 of subsection 3 of § 70 of this Act must be enclosed with the notice where the undertaking is a foreign service provider or the member of its management body, procurator, beneficial owner or owner is a foreign national.

§ 74.  Obligation to notify of change of circumstances relating to business activities

  In a notice of the intention to change the business activity and in a notice of the change of the business activity the undertaking describes which circumstances that form a part of the object of inspection of the authorisation or relate to the secondary conditions of the authorisation have changed or are to be changed or the undertaking submits, regarding its subsidiary that will commence economic activities within the object of regulation of the authorisation, all the information specified in subsection 3 of § 70 of this Act and the information specified in clauses 1–3, 5 and 6 of subsection 1 of § 15 of the General Part of the Economic Activities Code Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 75.  Revocation of authorisation

  In addition to the grounds provided for in subsection 1 of § 37 of the General Part of the Economic Activities Code Act, the Financial Intelligence Unit will revoke authorisation specified in subsection 1 of § 70 of this Act where:
 1) the Financial Supervision Authority has granted authorisation to the undertaking;
 2) the undertaking repeatedly fails to follow the precepts of the supervisory authority;
 3) the undertaking has not commenced operation in the requested field of activity within six months from the issue of the authorisation;
 4) the undertaking does not comply with the effective conditions of granting an authorisation and the non-compliance has not been eliminated within the time limit granted for such purpose by a precept and thereby the time limit must not be shorter than 30 days.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 751.  Prohibition to provide services

  An undertaking that has or the supervisory board or management board member or beneficial owner of which has an unexpired conviction for an economic criminal offence or a criminal offence against property, the state or public trust is prohibited to provide a service in the fields specified in clauses 4, 41, 7 and 8 of § 2 of this Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

Chapter 9 DATA OF BENEFICIAL OWNER OF LEGAL PERSON AND LIABILITY ACCOUNT 

§ 76.  Duty to keep data of beneficial owner

 (1) A legal person in private law gathers and retains data on its beneficial owner, including information on its right of ownership or manners of exercising control. The data of the beneficial owner is kept in the commercial register by the management board of the private legal person.

 (2) To enable the performance of the duty specified in subsection 1 of this section, the shareholders or members of a private legal person must provide the management board of the legal person with all the information known to them about the beneficial owner, including information on its right of ownership or manners of exercising control.

 (3) The duty specified in subsection 1 of this section does not apply to:
 1) an apartment association provided for in the Apartment Ownership and Apartment Associations Act;
[RT I, 17.11.2017, 2 – entry into force 01.01.2018]
 2) a building association provided for in the Building Association Act;
 3) a company listed on a regulated market;
 4) a foundation provided for in the Foundations Act the purpose of whose economic activities is the keeping or accumulating of the property of the beneficiaries or the circle of beneficiaries specified in the articles of association and who has no other economic activities;
 5) a branch.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 77.  Submission of data

 (1) Based on subsections 2–4 of § 9 and § 76 of this Act, a general partnership, limited partnership, private limited company, public limited company or commercial association submits via the commercial register information system the following data on its beneficial owner:
 1) the person’s name, personal identification code and the country of the personal identification code (upon absence of a personal identification code, the date and place of birth), and the country of residence;
 2) nature of the beneficial interest held.

 (2) Based on subsection 7 of § 9 of this Act, a non-profit association submits via the commercial register information system the following data on its beneficial owner:
 1) the person’s name, personal identification code and the country of the personal identification code (upon absence of a personal identification code, the date and place of birth), and the country of residence;
 2) nature of the beneficial interest held.

 (3) Based on subsection 7 of § 9 of this Act, a foundation submits via the commercial register information system the following data on its beneficial owner:
 1) the person’s name, personal identification code and the country of the personal identification code (upon absence of a personal identification code, the date and place of birth), and the country of residence;
 2) nature of the beneficial interest held;
 3) the list of beneficiaries within the meaning of § 9 of the Foundations Act, which contains each beneficiary’s name, personal identification code and the country of the personal identification code (upon absence of a personal identification code, the date and place of birth), and the country of residence, where such persons have been specified in the articles of association of the foundation.

 (4) A company, non-profit association or foundation must submit the data of the beneficial owner along with the application for registration in the commercial register.

 (5) Where the submitted data changes, the company, non-profit association or foundation submits new data via the commercial register information system not later than within 30 days after learning of the changes in the data.

 (6) Where the data of the beneficial owner has not changed, the company, non-profit association or foundation certifies the correctness of the data upon submission of the annual report.

§ 78.  Publication of data

 (1) The data of the beneficial owner are made public in the commercial register information system.

 (2) The fees for issuing the data of a beneficial owner are established by a regulation of the minister responsible for the field.

 (3) The data of the beneficial owner is issued free of charge to the obliged entity, a government agency, the Financial Supervision Authority and to a court.

§ 79.  Beneficial owner’s right to demand correction of submitted data

 (1) The person indicated as the beneficial owner or their legal or contractual representative has the right to request that the management board of the legal person correct incorrect data.

 (2) Where the management board of the legal person has without reason refused to correct the incorrect data as requested on the basis of subsection 1 of this section, the person indicated as the beneficial owner may demand that the legal person compensate for damage caused by making incorrect data public.

§ 80.  Deletion of data

  The data of the beneficial owner is deleted automatically five years after deleting the legal person from the register.

§ 81.  Mandatoriness of automated communication of liability account information

 (1) A credit institution or a financial institution that has opened for a customer a payment account (hereinafter account) that has an International Bank Account Number (IBAN) or let a safe-deposit box must ensure that at least the details specified in subsections 11–15 of this section are available via the electronic seizure system specified in § 631 of the Code of Enforcement Procedure.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (11) The following is made available regarding an account holder and a safe-deposit box lessee:
 1) name;
 2) personal identification code and the state that issued it or, upon absence thereof, the date and state of birth or the registry code;
 3) postal address.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (12) The following is made available on a person authorised to use an account:
 1) name;
 2) personal identification code and the state that issued it or, upon absence thereof, the date and state of birth;
 3) postal address;
 4) the date of the beginning and end of the authorisation and the substance of the right of use.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (13) The following is made available regarding the beneficial owner of an account holder:
 1) name;
 2) personal identification code and the state that issued it or, upon absence thereof, the date and state of birth;
 3) the country of residence.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (14) The following is made available regarding an account:
 1) IBAN;
 2) the date of opening the account;
 3) the date of closing the account.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (15) The following details of a contract of use of a safe-deposit box are made available in the case of a safe-deposit box:
 1) number;
 2) date of conclusion;
 3) date of termination.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) For the purposes of this section, IBAN (International Bank Account Number) means an international account feature that complies with the EVS 876:2016 standard and whose elements have been determined by the International Organization for Standardization and that uniquely identifies an individual account in a Member State.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) The availability of the details specified in subsections 11, 14 and 15 is ensured regarding an existing account and a valid safe-deposit box contract as well as an account closed and a contract of use of a safe-deposit box terminated during a five-year period preceding the receipt of an inquiry.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (4) The availability of the details specified in subsection 12 of this section is in the case of an existing account ensured regarding a five-year period preceding the receipt of an inquiry.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (5) The availability of the details specified in subsection 13 of this section is in the case of an existing account ensured as of the moment of responding to the inquiry.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

Chapter 10 LIABILITY 

§ 82.  Giving of order not to implement money laundering and terrorist financing due diligence measures, risk assessment, procedural rules and internal control rules

 (1) The penalty for giving an order by a management board member of the obliged entity not to implement due diligence measures, the risk assessment specified in § 13 of this Act, procedural rules or the internal control rules is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 83.  Opening of anonymous account or savings book or safe-deposit box

  [RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (1) The penalty for making a decision to open an anonymous account or a savings book or a safe-deposit box for concluding a respective contract, whereby the obliged entity was a credit or financial institution, is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400,000 euros.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 84.  Failure to perform duty to identify person and verify person’s identity

 (1) The penalty for a breach by an obliged entity, its management board member or employee of the duty provided for in this Act to identify and verify the identity of a customer or a person participating in an occasional transaction or the representative of a person is a fine of up to 300 fine units or detention.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 85.  Breach of duty to identify beneficial owner

 (1) The penalty for a breach by an obliged entity or its management board member or an employee of the duty provided for in this Act to identify the beneficial owner and verify their identity is a fine of up to 300 fine units or detention.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 86.  Breach of requirements for gathering and assessing information

 (1) The penalty for a breach of the requirements for gathering information on the purpose and nature of a business relationship or an occasional transaction by an obliged entity, its management board member or employee is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 87.  Breach of requirements for making of transaction with politically exposed person

 (1) The penalty for a breach of the requirements for making a transaction with a politically exposed person by an obliged entity, its management board member or employee is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 88.  Violation of prohibition to establish business relationship and make occasional transaction

 (1) The penalty for violation by an obliged entity, its management board member or employee of the prohibition to establish a business relationship and make an occasional transaction is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 89.  Breach of duty to monitor business relationship

 (1) The penalty for a breach by an obliged entity, its management board member or employee of the duty provided for in this Act to monitor a business relationship is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 90.  Violation of prohibition to outsource activity

 (1) The penalty for outsourcing an activity by an obliged entity or its management board member to a person established in a high-risk third country is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 91.  Breach of correspondent communication requirements

  [RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (1) The penalty for establishing a correspondent relationship by breaching the requirements provided for in this Act is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 92.  Breach of duty to report suspicion of money laundering or terrorist financing

 (1) The penalty for a breach of the duty to notify the Financial Intelligence Unit of a suspicion of money laundering or terrorist financing, a foreign exchange transaction or another transaction where a pecuniary obligation exceeding 32 000 euros or an equal amount in another currency is performed in cash is a fine of up to 300 fine units or detention.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 93.  Illegal notification of data forwarded to Financial Intelligence Unit

 (1) The penalty for illegal notification of a person, their representative, the person’s beneficial owner or the public by the obliged entity, its management board member, compliance officer or employee or by an employee of a supervisory authority about a report or data submitted to the Financial Intelligence Unit regarding them or about a precept made by the Financial Intelligence Unit regarding them or about the commencement of criminal proceedings instituted against them is a fine of up to 300 fine units or a short-term custodial sentence.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 94.  Breach of requirement to register and retain data

 (1) The penalty for a breach of the requirement to register and retain data provided for in this Act is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 941.  Violation of obligation to notify of change of circumstances relating to economic activities and termination of economic activities

 (1) The penalty for a breach of the obligation to notify of a change of the circumstances relating to the object of inspection or the secondary conditions of the authorisation specified in subsection 1 of § 70 of this Act, the obligation of advance notification of the intention to change the aforementioned circumstance or the obligation to notify of the termination of the activities of a service provider is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400,000 euros.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 942.  Violation of prohibition to provide services

 (1) The penalty for violation of the prohibition to provide a service specified in § 751 of this Act is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400,000 euros.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 943.  Violation of reporting obligation

 (1) The penalty for violation of the reporting obligation established on the basis of § 541 of this Act is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400,000 euros.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 95.  Failure to submit data of beneficial owner or submission of false data

 (1) The penalty for failure by a shareholder or member of a private legal person or a trustee to submit the details of the beneficial owner or for failure to report on a change of the details or for knowingly submitting false information, where it has caused a situation where the obliged entity cannot apply the due diligence measure provided for in clause 3 of subsection 1 of § 20 of this Act has been caused, is a fine of up to 300 fine units.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) The penalty for the same act committed by a legal person is a fine of up to 32,000 euros.

§ 96.  Breach of duties of payment service provider

 (1) The penalty for failure by an executive or employee of a payment service provider or by an executive or employee of a paying agent or a natural person paying agent to identify, verify or information relating to a payer as well as for a breach of the duties of a payment service provider established in Regulation (EU) No 2015/847 of the European Parliament and of the Council is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 97.  Proceedings

  Extrajudicial proceedings of misdemeanours specified in this Chapter are the Police and Border Guard Board and the Financial Supervision Authority.

Chapter 11 IMPLEMENTING PROVISIONS 

§ 98.  Follow-up analysis of implementation of Act

  By 31 December 2018, the Ministry of Finance will analyse the practicality and purposefulness of implementation of the real-time interview requirement regarding the establishment of a business relationship and the sufficiency of the provisions regulating the submission of the information of beneficial owners and, where necessary, submit proposals for amendment of legislation to the Finance Committee of the Riigikogu.

§ 981.  Transitional provisions concerning transformation of Financial Intelligence Unit into governmental authority

 (1) As of 1 January 2021, the functions, rights and competence of the Financial Intelligence Unit which has operated as a structural unit of the Police and Border Guard Board (hereinafter in this section PBGB FIU) and those of its officials transfer to the Financial Intelligence Unit and its officials in the area of government of the Ministry of Finance.

 (2) The legal succession specified in subsection 1 of this section also applies to participation in international organisations, cooperation agreements as well as to the access that the Financial Intelligence Unit and its officials have to all of the national registers, databases and information systems.

 (3) Until 1 January 2021, the PBGB FIU continues to perform its functions, including to represent the Financial Intelligence Unit in international organisations, cooperation agreements, domestic organisations and proceedings.

 (4) The information, case files, databases and data media at the disposal of and held by the PBGB FIU are handed over to the Financial Intelligence Unit in the area of government of the Ministry of Finance not later than on 1 January 2021.

 (5) Administrative proceedings and supervision operations instituted on the basis of this Act or the International Sanctions Act before 1 January 2021, which continue after 1 January 2021 are completed by the Financial Intelligence Unit in the area of government of the Ministry of Finance.

 (6) In the case of misdemeanour proceedings initiated by the PBGB FIU before 1 January 2021 on the basis of this Act and the International Sanctions Act, the out-of-court proceedings authority is, as of 1 January 2021, the Financial Intelligence Unit in the area of government of the Ministry of Finance.

 (7) In the case of a complaint against an administrative decision or operation of the PBGB FIU filed with an administrative court before 1 January 2021 the Financial Intelligence Unit in the area of government of the Ministry of Finance is the party to the proceedings instead of the PBGB FIU as of 1 January 2021.

 (8) The officials of the PBGB FIU whose functions and position do not change are transferred for an unspecified period to a position in the Financial Intelligence Unit in the area of government of the Ministry of Finance as of 1 January 2021 on the basis of clause 1 of subsection 1 of § 98 of the Civil Service Act.

 (9) The police officers of the PBGB FIU whose functions and position do not change are, based on their written consent, released from police service and transferred for an unspecified period to a position in the Financial Intelligence Unit in the area of government of the Ministry of Finance as of 1 January 2021 on the basis of clause 1 of subsection 1 of § 98 of the Civil Service Act, taking into account the specifics of this section.

 (10) As of 1 January 2021, the head of the PBGB FIU is transferred to the position of the head of the Financial Intelligence Unit in the area of government of the Ministry of Finance until the expiry of the time limit arising from a decree of the Director General of the Police and Border Guard Board by which they were appointed to office, applying the provisions of the Police and Border Guard Act. A public competition specified in subsection 2 of § 53 of the version of this Act that enters into force of 1 January 2021 for the appointment of the head of the Financial Intelligence Unit will be carried out by 15 October 2020.

 (11) Upon transfer of a police officer based on subsections 9 and 10 of this section, the counting of their length of police service continues and they retain the right to the police officer’s superannuated pension in accordance with § 1111 of the Police and Board Guard Act, provided that they hold a position in the Financial Intelligence Unit in the area of government of the Ministry of Finance or in the police service.

 (12) The right of a police officer to the police officer’s superannuated pension specified in subsection 11 of this Act does not depend on the length of the police service immediately preceding the attainment of the retirement age or on retirement from the police service.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 99.  Variation of application of due diligence measures by gambling operator

  Until 31 August 2018, a gambling operator applies due diligence measures at least in the case of payment of winnings, making of bets or both where the amount given or received by a customer is at least 2000 euros or an equal sum in another currency.

§ 100.  Duty to re-apply provisions to existing customer relationships

  Where necessary, the obliged entity applies the due diligence measures specified in Chapter 3 of this Act to the existing customers over a period of one year from the entry into force of the Act. Upon assessment of the need to apply the due diligence measures, the obliged entity relies on, inter alia, the importance of the customer and the risk profile as well as the time that has passed from the previous application of the due diligence measures or the scope of their application.

§ 1001.  Verification of details of beneficial owner

  Obliged entities apply the due diligence measure specified in subsection 21 of § 20 of this Act to customers with whom they have established a lasting business relationship before the entry into force of this section, within one year after the entry into force of this section.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 101.  Deadline of updating risk assessment and procedural rules

 (1) The obliged entity must bring its activity into compliance with the requirements of this Act within one year as of the entry into force of this Act.

 (2) A person subject to the authorisation obligation specified in subsection 1 of § 70 of this Act submits to the Police and Border Guard Board a risk assessment specified in § 13 of this Act and the corresponding rules of procedure and the internal control rules within one year from the entry into force of this Act.

§ 102.  Information on existing outsourcing contract

  The obliged entity submits to the competent supervisory authority informational on an outsourcing contract in force at the time of entry into force of this Act in accordance with the procedure provided for in subsection 4 of § 24 of this Act within five months from the entry into force of this Act and notifies the competent supervisory authority about amendment of the contract for the purpose of bringing it into compliance with the requirements of this Act.

§ 103.  Authorisation of provider of service of alternative means of payment

 (1) Within eight months following the entry into force of this Act, an undertaking holding the authorisation of a provider of a service of an alternative means of payment notifies the Police and Border Guard Board about whether it wishes to change its authorisation to that of a provider of the service of exchanging virtual currency against a fiat currency. Upon receipt of a relevant notification, the Police and Border Guard Board makes, within 30 working days following the day of submission of the application, a decision to grant the authorisation without the obligation to pay the state fee and without additionally verifying the facts falling within the object of inspection of the authorisation.

 (2) The authorisation of a provider of a service of alternative means of payment becomes invalid nine months after the entry into force of this Act.

§ 104.  Duty to report of legal person registered in commercial register or in register of non-profit associations and foundations

  The management board of a legal person registered in the commercial register or the register of non-profit associations and foundations before the entry into force of this Act declares to the commercial register the data of the beneficial owner within 60 days following the entry into force of this provision.

§ 1041.  Application of prohibition to provide services

  A person specified in § 751 of this Act who started providing the services specified in the same section before the entry into force of the section brings their activities into compliance with the requirements of the section not later than by 31 December 2020.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 1042.  Ensuring access to data via electronic seizure system

  Credit and financial institutions must perform the obligations specified in subsections 1, 3, 4 and 5 of § 81 of this Act as of 10 September 2020.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 105.  Form of performance of duty to report

  Until 30 June 2018, a report specified in subsection 2 of § 50 of this Act is submitted orally, in writing or in a form reproducible in writing. Where a report was submitted orally, it will be repeated the next working day in writing or in a form reproducible in writing.

§ 106. – § 111. [Omitted from this text.]

§ 112.  Repeal of Money Laundering and Terrorist Financing Prevention Act

  The Money Laundering and Terrorist Financing Prevention Act (RT I 2008, 3, 21) is repealed.

§ 113.  Amendment of Money Laundering and Terrorist Financing Prevention Act

  In clause 2 of subsection 9 of § 9 and in clause 1 of subsection 3 of § 76 of the Money Laundering and Terrorist Financing Prevention Act, the words ‘Apartment Association Act’ are replaced with the words ‘Apartment Ownership and Apartment Associations Act.’

§ 114. – § 118. [Omitted from this text.]

§ 1181.  Equivalence of authorisation of provider of virtual currency service

  The authorisation of a provider of a service of exchanging a virtual currency against a fiat currency and the authorisation of a virtual currency wallet service provider granted on the basis of this Act is considered equivalent to the authorisation of a virtual currency service provider.
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]

§ 1182.  Brining operations of undertaking holding valid authorisation into compliance with version of this Act adopted on 11 December 2019

 (1) An undertaking that has been granted authorisation on the basis of this Act is required to bring its operations and documents into compliance with the requirements provided for in clauses 9–11 of subsection 3 of § 70 and clauses 11, 4, 5 and 6 of subsection 1 of § 72 of the version of this Act adopted on 11 December 2019 not later than by 1 July 2020.

 (2) If an undertaking fails to bring its operations into compliance with the law within the time limit set in subsection 1 and to submit the documents, the Financial Intelligence Unit will revoke the undertaking’s authorisation.
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]

§ 119.  Entry into force of Act

 (1) Subsection 3 of § 19 and §§ 76–80 of this Act enter into force on 1 September 2018.

 (2) Section 113 of this Act enters into force on 1 January 2018.

 (3) Sections 81 and 95 of this Act enter into force on 1 January 2019.

Issuer:Riigikogu
Type:act
In force from:10.09.2020
In force until:31.12.2020
Translation published:11.08.2020

Chapter 1 General Provisions 

Division 1 Purpose and Scope of Regulation of Act 

§ 1.  Purpose and scope of regulation of Act

 (1) The purpose of this Act is, by increasing the trustworthiness and transparency of the business environment, to prevent the use of the financial system and economic space of the Republic of Estonia for money laundering and terrorist financing.

 (2) This Act regulates:
 1) the principles of assessment, management and mitigation of risks related to money laundering and terrorist financing;
 2) the grounds of the activities of the Financial Intelligence Unit;
 3) supervision over obliged entities in complying with this Act;
 4) duties and obligations in relation to the collection and disclosure of information on beneficial owners;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 5) duties and obligations related to the collection and disclosure of information on liability account holders;
 6) the liability of obliged entities for a breach of the requirements arising from this Act.

 (3) The provisions of the Administrative Procedure Act apply to administrative proceedings prescribed in this Act, taking account of the variations provided for in this Act.

§ 2.  Application of Act

 (1) This Act applies to the economic, professional and official activities of the following persons:
 1) credit institutions;
 2) financial institutions;
 3) gambling operators, except for organisers of commercial lotteries;
 4) persons that mediate the purchase or sale of an immovable;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 41) persons that mediate transactions of use of an immovable whereby the usage fee agreed in the transaction amounts to no less than 10,000 euros per month;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 5) traders within the meaning of the Trading Act, where a cash payment of no less than 10 000 euros or an equal amount in another currency is made to or by the trader, regardless of whether the financial obligation is performed in the transaction in a lump sum or by way of several linked payments over a period of up to one year, unless otherwise provided by law;
 6) persons engaged in buying-in or wholesale of precious metals, precious metal articles or precious stones, except precious metals and precious metal articles used for production, scientific or medical purposes;
 7) certified auditors, upon provision of accounting services, and providers of accounting services;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 8) providers of accounting or tax advice services;
 9) providers of trust and company services;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 10) providers of a virtual currency service;
[RT I, 31.12.2019, 2 – entry into force 10.03.2020
 11) [Repealed – RT I, 31.12.2019, 2 – entry into force 10.03.2020]
 12) a central securities depository where it arranges the opening of securities accounts and provides services related to register entries without the mediation of an account operator;
 13) undertakings providing a cross-border cash and securities transportation service;
 14) pawnbrokers;
 15) dealers of works of art and persons that mediate works of art or store them in a customs free zone whereby a payment of no less than 10,000 euros is made to or by them in a lump sum or in multiple connected payments over a court of one year in connection therewith.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) This Act applies to the economic, professional or official activities of notaries, attorneys, enforcement officers, bankruptcy trustees, interim trustees and providers of other legal services where they act in the name and on account of a customer in a financial or real estate transaction. This Act also applies to the economic, professional or official activities of a said person where the person guides the planning or making of a transaction or makes an official operation or provides an official service related to:
 1) the purchase or sale of an immovable, business or shares of a company;
 2) the management of the customer’s money, securities or other property;
 3) the opening or management of payment accounts, deposit accounts or securities accounts;
 4) the acquisition of funds required for the foundation, operation or management of a company;
 5) the foundation, operation or management of a trust, company, foundation or legal arrangement.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) This Act applies to non-profit associations for the purposes of the Non-profit Associations Act and to other legal persons governed by the provisions of the Non-profit Associations Act as well as to foundations for the purposes of the Foundations Act where they are paid or they pay over 5000 euros in cash or an equal amount in another currency, regardless of whether it is paid in a lump sum or by way of several linked payments over a period of up to one year.

 (4) This Act applies to Eesti Pank where it removes from circulation or exchanges banknotes or coins worth of over 10 000 euros or an equal sum in another currency or where it is paid over 10 000 euros in cash or an equal sum in another currency for collector coins or other numismatic-bonistic products, regardless of whether it is paid in a lump sum or in several linked payments over a period of up to one year.

 (5) The provisions of this Act governing financial institutions apply to virtual currency service providers specified in clause 10 of subsection 1 of this section.
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]

 (6) Chapter 9 of this Act applies to all private legal persons and trustees.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

Division 2 Definitions 

§ 3.  Definitions used in Act

  For the purposes of this Act, the following definitions apply:
 1) ‘cash’ means cash within the meaning of Article 2(2) of Regulation (EC) No 1889/2005 of the European Parliament and of the Council on controls of cash entering or leaving the Community (OJ L 309, 25.11.2005, pp 9–12);
 2) ‘property’ means any object as well as the right of ownership of such object or a document certifying the rights related to the object, including an electronic document, and the benefit received from such object;
 3) ‘obliged entity’ means a person specified in § 2 of this Act;
 4) ‘business relationship’ means a relationship that is established upon conclusion of a long-term contract by an obliged entity in economic or professional activities for the purpose of provision of a service or sale of goods or distribution thereof in another manner or that is not based on a long-term contract, but whereby a certain duration could be reasonably expected at the time of establishment of the contact and during which the obliged entity repeatedly makes separate transactions in the course of economic, professional or official activities while providing a service or official service, performing official operations or offering goods;
 5) ‘customer’ means a person who has a business relationship with an obliged entity;
 6) ‘precious stones’ means natural and artificial precious stones and semi-precious stones, their powder and dust, and natural and cultivated pearls;
 7) ‘precious metal’ means precious metal within the meaning of the Precious Metal Articles Act;
 8) ‘precious metal article’ means a precious metal article within the meaning of the Precious Metal Articles Act;
 9) ‘virtual currency’ means a value represented in the digital form, which is digitally transferable, preservable or tradable and which natural persons or legal persons accept as a payment instrument, but that is not the legal tender of any country or funds for the purposes of Article 4(25) of Directive (EU) 2015/2366 of the European Parliament and of the Council on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ L 337, 23.12.2015, pp. 35–127) or a payment transaction for the purposes of points (k) and (l) of Article 3 of the same Directive;
 91) ‘virtual currency service’ means a service specified in clauses 10 and 101 of this subsection;
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]
 10) ‘virtual currency wallet service’ means a service in the framework of which keys are generated for customers or customers’ encrypted keys are kept, which can be used for the purpose of keeping, storing and transferring virtual currencies;
 101) ‘virtual currency exchange service’ means a service with the help of which a person exchanges a virtual currency against a fiat currency or a fiat currency against a virtual currency or a virtual currency against another virtual currency;
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]
 11) [Repealed – RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 12) [Repealed – RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 13) [Repealed – RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 14) [Repealed – RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 15) ‘senior management of obliged entity’ means an officer or employee with sufficient knowledge of the institution’s money laundering and terrorist financing risk exposure and sufficient seniority to take decisions affecting its risk exposure, and need not, in all cases, be a member of the management board;
 16) ‘foreign exchange services’ means the exchanging of a valid currency against another valid currency by an undertaking in its economic or professional activities;
 17) ‘group’ means a group of undertakings which consists of a parent undertaking, its subsidiaries within the meaning of § 6 of the Commercial Code, and the entities in which the parent undertaking or its subsidiaries hold a participation, as well as undertakings that constitute a consolidation group for the purposes of subsection 3 of § 27 of the Accounting Act;
 18) ‘high-risk third country’ means a country specified in a delegated act adopted on the basis of Article 9(2) of Directive (EU) 2015/849 of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (OJ L 141/73, 05.06.2015, pp 73–117).

§ 4.  Money laundering

 (1) ‘Money laundering’ means:
 1) the conversion or transfer of property derived from criminal activity or property obtained instead of such property for the purpose of concealing or disguising the illicit origin of the property or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person’s actions;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 2) the acquisition, possession or use of property derived from criminal activity or property obtained instead of such property, knowing, at the time of receipt, that such property was derived from criminal activity or from an act of participation therein;
 3) the concealment of the true nature, origin, location, manner of disposal, relocation or right of ownership of property acquired as a result of a criminal activity or property acquired instead of such property or the concealment of other rights related to such property.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) Money laundering also means participation in, association to commit, attempts to commit and aiding, abetting, facilitating and counselling the commission of any of the activities referred to in subsection 1 of this section.

 (3) Money laundering is regarded as such also where a criminal activity which generated the property to be laundered was carried out in the territory of another country.

 (4) Knowledge, intent or purpose required as an element of the activities referred to in subsections 1–3 of this section may be inferred from objective facts.

 (5) Money laundering is regarded as such also where the details of a criminal activity which generated the property to be laundered have not been identified.

§ 5.  Terrorist financing

  ‘Terrorist financing’ means the financing and supporting of an act of terrorism and commissioning thereof as well as the financing and supporting of travel for the purpose of terrorism within the meaning of §§ 2373 and 2376 of the Penal Code.
[RT I, 04.01.2019, 12 – entry into force 14.01.2019]

§ 6.  Credit institution and financial institution

 (1) For the purposes of this Act, ‘credit institution’ means:
 1) a credit institution within the meaning of Article 4(1)(1) of Regulation (EU) No 575/2013 of the European Parliament and of the Council on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (OJ L 176, 27.06.2013, pp 1–337);
 2) the branch of a foreign credit institution registered in the Estonian commercial register.

 (2) For the purposes of this Act, ‘financial institution’ means:
 1) a foreign exchange service provider;
 2) a payment service provider within the meaning of the Payment Institutions and E-money Institutions Act, except for a payment initiation service provider and an account information service provider;
 3) an e-money institution within the meaning of the Payment Institutions and E-money Institutions Act;
 4) an insurance undertaking within the meaning of the Insurance Activities Act (hereinafter insurance undertaking) to the extent that it provides services related to life insurance, except for services related to mandatory funded pension insurance contracts within the meaning of the Funded Pensions Act;
 5) an insurance broker within the meaning of the Insurance Activities Act (hereinafter insurance broker) to the extent that it is engaged in marketing life insurance or provides other instrument-related services;
 6) a management company, except upon managing a mandatory pension fund within the meaning of the Funded Pensions Act, and an investment fund founded as a public limited company within the meaning of the Investment Funds Act;
 7) an investment firm within the meaning of the Securities Market Act;
 8) a creditor and a credit intermediary within the meaning of the Creditors and Credit Intermediaries Act;
 9) a savings and loan association within the meaning of the Savings and Loan Associations Act;
 10) a central contact point designated by an e-money institution or a payment service provider;
 11) another financial institution within the meaning of the Credit Institutions Act;
 12) the branch of a foreign service provider registered in the Estonian commercial register, which is a person specified in clauses 1–11 of this Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 7.  Correspondent relationship

  For the purposes of this Act, ‘correspondent relationship’ means:
 1) the consistent and long-term provision of banking services by a credit institution (correspondent institution) to another credit institution (respondent institution), including providing a current account, liability account or other account service or other related services such as cash management, international funds transfers, cheque clearing, payable-through accounts and foreign exchange services;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 2) the relationships between and among credit institutions and financial institutions, including where similar services are provided by a correspondent institution to a respondent institution for the purpose of servicing its customers, and including relationships established for securities transactions or funds transfers.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 71.  Trust

 (1) For the purposes of this Act, ‘trust’ means a legal relationship established on the basis of or arising from the law of the country recognising it, according to which trust property formed by a settlor is administered a trustee in the trustee’s own name but in the interests of beneficiaries or for another defined purpose, as well a legal arrangement specified in the consolidated list published the European Commission on the basis of Article 31(10) of Directive (EU) 2015/849 of the European Parliament and of the Council.

 (2) The submission of information prescribed by this Act on a trust does not entail legal consequences other than those provided for in this Act.

 (3) A country that recognises trusts means a country that is party to the Hague Convention of 1 July 1985 on the Law Applicable to Trusts and on their Recognition.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 8.  Provider of trust and company services

  [RT I, 10.07.2020, 1 – entry into force 20.07.2020]
For the purposes of this Act, ‘provider of trust and company services’ means a natural person or a legal person who in its economic or professional activities provides a third party with at least one of the following services:
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 1) foundation of a company or another legal person, including operations and steps related to the transfer of shareholding;
 2) acting as an officer or management board member in a company, as a partner in a general partnership or in such a position in another legal person, as well as arrangement of assumption of such position by another person;
 3) enabling use of the address of the seat or place of business, including granting the right to use the address as part of one’s contact details or for receiving mail as well as providing a company or another legal person, civil law partnership or a legal arrangement with services relating to the aforementioned;
 4) acting as a trustee or a representative of a civil law partnership, community or legal arrangement, or the appointment of another person to such position;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 5) acting as a representative of a shareholder of a public limited company or arrangement of the representation of a shareholder by another person, except in the case of companies whose securities have been listed in a regulated securities market and with respect to whom disclosure requirements complying with European Union legislation or equivalent international standards are applied.

§ 9.  Beneficial owner

 (1) For the purposes of this Act, ‘beneficial owner’ means a natural person:
 1) who, via ownership or other type of control, has the final dominant influence over a natural or legal person, or
 2) in whose interests, for the benefit of whom or in whose name a transaction or operation is made.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) Where a beneficial owner cannot be identified in the manner specified in subsection 1 of this section, the beneficial owner of a company is a natural person whose direct or indirect shareholding or the total shareholding of all of the direct and indirect shareholdings in the company exceeds 25 per cent, including shareholdings in the form of bearer shares or otherwise.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) ‘Direct shareholding’ means that a natural person personally holds shares in a company. ‘Indirect shareholding’ means that a natural person holds shares in a company via one or multiple persons or a chain of persons.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (4) Where, after all possible means of identification have been exhausted, the person specified in subsection 1 or 2 of this section cannot be identified and there is no ground for calling the existence of such person into doubt or where there are doubts as to whether the identified person is the beneficial owner, the natural person who holds the position of a senior managing official is deemed to be the beneficial owner.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (41) Where several persons meet the terms provided for in subsection 4 of this section, including where there are several senior managing officials, several senior management bodies or where another legal persons holds shares in a company via one or several persons or chains of persons, the person(s) who exercise(s) actual control over the company and make(s) strategic decisions in the company or, upon absence of such persons, perform(s) day-to-day and regular management is (are) considered the beneficial owner(s).
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (42) Where the beneficial owner of a company is a trustee, all of the persons specified in clauses 1–5 of subsection 6 of this section are considered beneficial owners.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (5) [Repealed – RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (6) In the case of a trust or a legal arrangement, the beneficial owner is:
 1) the settlor of the trust or the establisher of the arrangement;
 2) the trustee;
 3) the person ensuring and controlling the preservation of property, where such person has been appointed;
 4) the beneficiary, or where the beneficiary or beneficiaries are yet to be determined, the class of persons in whose main interest such triste or arrangement has been set up or operates;
 5) any other person who in any way exercises ultimate control over the property of the trust or arrangement.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (7) In the case of a person or an association of persons not specified in subsections 2 and 6 of this section, the members of the management board or the chairman of the management board may be designated as the beneficial owner(s), taking into account clause 1 of subsection 1.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (8) [Repealed – RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (9) [Repealed – RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 91.  Politically exposed person

 (1) A politically exposed person for the purposes of this Act means a natural person who performs or has performed prominent public functions and with regard to whom related risks remain.

 (2) At least the following persons are deemed to perform prominent public functions:
 1) head of State or head of government;
 2) minister, deputy minister or assistant minister;
 3) member of a legislative body;
 4) member of a governing body of a political party;
 5) judge of the highest court of a country;
 6) auditor general or a member of the supervisory board or executive board of a central bank;
 7) ambassador, envoy or chargé d’affaires;
 8) high-ranking officer in the armed forces;
 9) member of an administrative, management or supervisory body of a state-owned enterprise;
 10) director, deputy director and member of a management body of an international organisation.

 (3) Regardless of subsection 2 of this section, middle-ranking or more junior officials are not considered politically exposed persons.

 (4) A person who, as per list published by the European Commission, is considered a performer of prominent public functions by a Member State of the European Union, the European Commission or an international organisation accredited on the territory of the European Union is deemed a politically exposed person.

 (5) A list of Estonian positions whose holders are considered politically exposed persons is established by a regulation of the minister responsible for the field.

 (6) An international organisation accredited in Estonia draws up a list of the positions of its organisation whose holders are considered politically exposed persons, keeps it up to date and informs the minister responsible for the field of changes made to the list.

 (7) For the purposes of this Act, ‘family member’ of a politically exposed person means their:
 1) spouse or a person considered to be equivalent to a spouse;
 2) parent;
 3) child;
 4) child’s spouse or a person considered to be equivalent to a spouse.

 (8) For the purposes of this Act, ‘person known to be close associates’ of a politically exposed person means a natural person who is:
 1) known to have joint beneficial ownership of a legal person or trust with a politically exposed person;
 2) known to have close business relations with a politically exposed person;
 3) the beneficial owner of a legal person or trust set up in the interests of a politically exposed person.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 10.  Risk appetite

 (1) ‘Risk appetite’ means the total of the exposure level and types of the obliged entity, which the obliged entity is prepared to assume for the purpose of its economic activities and attainment of its strategic goals, and which is established by the senior management of the obliged entity in writing.

 (2) Upon application of subsection 1 of this section, account must be taken of the risks that the obliged entity is prepared to assume or that the obliged entity wishes to avoid in connection with the economic activities as well as qualitative and quantitative compensation mechanisms such as the planned revenue, measures applied with the help of capital or other liquid funds, or other factors such as reputation risks as well as legal and risks arising from money laundering and terrorist financing or other unethical activities.

 (3) Upon application of subsection 1 of this section, the obliged entity determines at least the characteristics of the persons with whom the obliged entity wishes to avoid business relationships and with regard to which the obliged entity applies enhanced due diligence measures, and thereby the obliged entity assesses risks related to such persons and determines appropriate measures for mitigating these risks.

 (4) Upon application of subsection 1 of this section, the management board of a credit institution or financial institution also determines whether business relationships are established with persons non-EEA countries.
[RT I, 10.07.2020, 1 – entry into force 10.09.2020]

Chapter 2 Management of Risks Relating to Money Laundering and Terrorist Financing 

Division 1 Assessment of Risks 

§ 11.  National risk assessment

 (1) The national risk assessment:
 1) provides for the needs of drafting and amending anti-money laundering and countering the financing of terrorism (hereinafter AML/CFT) legislation, other regulations of the field and related fields as well as guidelines of supervisory authorities;
 2) specifies, among other things, the sectors, fields, transaction amounts and types and, where necessary, countries or jurisdictions with regard to which obliged entities must apply enhanced due diligence measures and, where necessary, clarifies the measures;
 3) specifies, among other things, the sectors, fields, transaction amounts and types whereby the risk of money laundering and terrorist financing is smaller and where it is possible to apply simplified due diligence measures;
 4) gives instructions to the ministries and authorities in their area of government regarding allocation of resources and setting of priorities for AML/CFT purposes;
 5) reports on the institutional structure and broad procedures of the AML/CFT regime and on the human and financial resources allocated for such purpose.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) Upon implementation of subsection 1 of this section, relevant information, statistics and analyses which have been published or made available to the ministries or authorities in their area of government, including relevant risk assessments, reports and recommendations of international organisations and the European Commission are taken into account and collected, thereby taking account of data protection requirements.

 (3) The generalised results of the national risk assessment are published on the website of the Ministry of Finance and immediately made available to obliged entities, the European Commission, European supervisory authorities and other Member States of the European Union.

 (4) Based on the national risk assessment, the minister responsible for the field may by a regulation establish limit amounts, requirements for monitoring a business relationship or other risk-based restrictions aimed at mitigating the risks of money laundering or terrorist financing.

 (5) In addition to the information specified in subsection 3 of this section, the Ministry of Finance publishes the aggregate statistics of the field of money laundering and terrorist financing on its website.

§ 12.  AML/CFT Committee

 (1) The AML/CFT Committee is a government committee whose function is to:
 1) coordinate the preparation and updating of the national risk assessment;
 2) prepare a plan of measures and activities mitigating the risks identified in the national risk assessment (hereinafter action plan), designating the authorities that apply the risk-mitigating measures and carry out the risk-mitigating activities as well as the time limits within which the measures must be applied and the activities must be carried out;
 3) organise and check the implementation of the action plan;
 4) based on clauses 1–3 of this subsection, develop AML/CFT policies and make legislative amendment proposals to the ministers responsible for the field and related fields;
 5) pursue national cooperation in AML/CFT and in countering proliferation.

 (2) The AML/CFT Committee consists of the minister responsible for the field, the secretary general and the secretaries general of the ministries responsible for the related fields, representatives of the Financial Intelligence Unit, Eesti Pank, Estonian Financial Supervision Authority, and representatives of other relevant bodies and governmental authorities.

 (3) The AML/CFT Committee establishes a committee of the representatives of obliged entities (hereinafter Market Participants Advisory Committee) whose purpose is to advise the government committee in connection with the performance of its functions. In addition, ad hoc working groups and standing working groups of representatives of obliged entities and other experts may be established for performing the functions of the government committee. The rules of procedure and functions of the Market Participants Advisory Committee, ad hoc working groups and standing working groups are established and members are appointed by a directive of the minister responsible for the field.

 (4) The number of the members and the rules of procedure of the AML/CFT Committee are established by a regulation of the Government of the Republic.

 (5) The work of the AML/CFT Committee is organised by the Ministry of Finance.

§ 13.  Management of risks arising from activities of obliged entity

 (1) For the purpose of identification, assessment and analysis of risks of money laundering and terrorist financing related to their activities, obliged entities prepare a risk assessment, taking account of at least the following risk categories:
 1) risks relating to customers;
 2) risks relating to countries, geographic areas or jurisdictions;
 3) risks relating to products, services or transactions;
 4) risk relating to communication, mediation or products, services, transactions or delivery channels between the obliged entity and customers.

 (2) The steps taken to identify, assess and analyse risks must be proportionate to the nature, size and level of complexity of the economic and professional activities of the obliged entity.

 (3) As a result of the risk assessment, the obliged entity establishes:
 1) fields of a lower and higher risk of money laundering and terrorist financing;
 2) the risk appetite, including the volume and scope of products and services provided in the course of business activities;
 3) the risk management model, including simplified and enhanced due diligence measures, in order to mitigate identified risks.

 (4) The risk assessment specified in subsection 1 of this section and the establishment of the risk appetite specified in clause 2 of subsection 3 is documented, the documents are updated where necessary and based on the published results of the national risk assessment. At the request of the competent supervisory authority, the obliged entity submits the documents prepared on the basis of this section to the supervisory authority.

 (5) The competent supervisory authority exercising supervision over an obliged entity may, at the request of the obliged entity, except for an obliged entity subject to supervision by the Financial Supervision Authority, and in accordance with the national risk assessment decide that the preparation of a documented risk assessment is not mandatory where the specific risks of the field characteristic of the obliged entity are clear and understandable or where the risk assessment prepared by the competent supervisory authority or the national risk assessment has established the risks, risk appetite and risk management model of the field and the obliged entity implements these.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (6) The duties provided for in this section do not apply to notaries, auditors or to the obliged entities specified in subsections 3 and 4 of § 2 of this Act.

Division 2 Risk Management System of Obliged Entity 

§ 14.  Rules of procedure and internal control rules

 (1) The obliged entity establishes rules of procedure that allow for effective mitigation and management of, inter alia, risks relating to money laundering and terrorist financing, which are identified in the risk assessment prepared in accordance with § 13 of this Act. To follow the rules of procedure, the obliged entity establishes internal control rules that describe the internal control system including the procedure for the implementation of internal audit and, where necessary, compliance control, which sets out, inter alia, the procedure for employee screening. The rules of procedure must contain at least the following:
 1) a procedure for the application of due diligence measures regarding a customer, including a procedure for the application of simplified due diligence measures specified in § 32 of this Act and of enhanced due diligence measures specified in § 36 of this Act;
 2) a model for identification and management of risks relating to a customer and its activities and the determination of the customer’s risk profile;
 3) the methodology and instructions where the obliged entity has a suspicion of money laundering and terrorist financing or an unusual transaction or circumstance is involved as well as instructions for performing the reporting obligation;
 4) the procedure for data retention and making data available;
 5) instructions for effectively identifying whether a person is a politically exposed person or a person subject to international sanctions or a person whose place of residence or seat is in a high-risk third country or country that meets the criteria specified in subsection 4 of § 37 of this Act;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 6) the procedure for identification and management of risks relating to new and existing technologies, and services and products, including new or non-traditional sales channels and new or emerging technologies.

 (2) The obliged entity arranges adherence to and implementation of the rules of procedure and internal control rules by the employees of the obliged entity.

 (3) The rules of procedure and the internal control rules specified in subsection 1 of this section may be contained in a single document or in multiple documents, these must be proportionate to the nature, size and level of complexity of the economic and professional activities of the obliged entity and these must be established by the senior management of the obliged entity. The obliged entity must regularly check if the established rules of procedure and the internal control rules are up to date and, where necessary, establish new rules of procedure and internal control rules or make required modifications therein.

 (4) Upon performance of the obligation provided for in clause 2 of subsection 1 of this section the credit institution and the financial institution takes account of the contents of the relevant instructions of the competent supervisory authority, European supervisory authorities and data protection supervisory authority.

 (5) Where the obliged entity has the internal audit obligation, adherence to the rules of procedure and the internal control rules for the purposes of this Act must be checked in the course of an internal audit.

 (6) The management board of a legal person that is an obliged entity, the manager of a branch that is an obliged entity or, upon their absence, the obliged entity must ensure that the employees whose employment duties include the establishment of business relationships or the making of transactions are provided with training in the performance of the duties and obligations arising from this Act and such training must be provided when the employee commences performance of the specified employment duties, and thereafter regularly or when necessary. In training, information, inter alia, on the duties and obligations provided for in the rules of procedure, modern methods of money laundering and terrorist financing and the related risks, the personal data protection requirements, on how to recognise activities related to possible money laundering or terrorist financing, and instructions for acting in such situations must be given.

 (7) The obliged entity, except for a credit institution or financial institution, may apply to the competent supervisory authority for partial or full release from the obligation to prepared documented rules of procedure and internal control rules. Upon making a decision, the competent supervisory authority takes account of the national risk assessment, the nature, scope and level of complexity of the obliged entity and whether the specific risks related to the obliged entity are small or effectively managed in accordance with this Act, legislation adopted on the basis thereof and instructions of competent supervisory authorities.

 (8) The minister responsible for the field may, by a regulation, establish more detailed requirements for the rules of procedure established by credit institutions and financial institutions, the internal control rules of controlling adherence thereto and implementation thereof.

 (9) The duties and obligations provided for in this section do not apply to the obliged entities specified in subsections 3 and 4 of § 2 of this Act.

§ 15.  Management of risks in group

 (1) Upon application of § 14 of this Act it is expected that an obliged entity that is the parent undertaking of a group applies group-wide rules of procedure and the internal control rules for controlling adherence thereto regardless of whether all the undertakings of the group are located in one country or in different countries. This obligation includes, inter alia, the establishment of a group-wide procedure for exchanging information on AML/CFT and the establishment of similar rules for protection of personal data. The obliged entity ensures that group-wide rules of procedure and the internal control rules for controlling adherence thereto take to the appropriate extent account of the law of another Member State of the European Union which implements Directive (EU) 2015/849 of the European Parliament and of the Council, where the obliged entity has a representation, branch or majority-owned subsidiary in that Member State.

 (2) Where the obliged entity has a representation, branch or majority-owned subsidiary in a third country where the minimum requirements for AML/CFT are not equivalent to those of Directive (EU) 2015/849 of the European Parliament and of the Council, the representation, branch and majority-owned subsidiary follow the rules of procedure and internal control rules complying with the requirements of this Act, including the requirements for protection of personal data, to the extent permitted by the law of the third country.

 (3) Where the obliged entity identifies a situation where the law of the third country does not allow for implementing rules of procedure or internal control rules complying with the requirements of this Act in its representation, branch or majority-owned subsidiary, the obliged entity informs the competent supervisory authority thereof. The competent supervisory authority notifies the Member States and, where relevant, the European supervisory authorities where it has become evident in accordance with the first sentence of this subsection that the law of the third country does not allow for applying rules of procedure or internal control rules complying with the requirements of Directive (EU) 2015/849 of the European Parliament and of the Council.

 (4) In the case specified in subsection 3 of this section, the obliged entity ensures the application of additional measures in the representation, branch or majority-owned subsidiary so that the risks relating to money laundering or terrorist financing are effectively managed in another manner, informing the competent supervisory authority of the measures taken. In such an event the competent supervisory authority has the right to issue a precept demanding, inter alia, that the obliged entity or its representation, branch or majority-owned subsidiary:
 1) refrain from establishing new business relationships in the country;
 2) terminate the existing business relationships in the country;
 3) suspend the provision of the service in part or in full;
 4) wind itself up;
 5) apply other measures provided for in regulatory technical standards adopted by the European Commission on the basis of Article 45(7) of Directive (EU) 2015/849 of the European Parliament and of the Council.

 (5) Within the group, information on a suspicion reported to the Financial Intelligence Unit is shared, unless the Financial Intelligence Unit has instructed otherwise.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (6) An e-money institution or a payment service provider that operates in Estonia in a form other than a branch and the headquarters of which are in another Member State appoints, on the basis of an order made by the competent supervisory authority and in accordance with regulatory technical standards established on the basis of Article 45(9) of Directive (EU) 2015/849 of the European Commission, a central contact point in Estonia whose function is to ensure in the name of the e-money institution or payment service provider compliance with the requirements of this Act and, at the request of the competent supervisory authority, submits documents and information on its activities.

 (7) Where a foreign service provider is an obliged entity and has a branch that has been registered in the Estonian commercial register or where a foreign service provider has a majority-owned subsidiary, it does not need to apply the group-wide rules of procedure or internal control rules to the extent that adherence thereto would be in conflict with the national risk assessment prepared on the basis of this Act or with requirements established in or on the basis of this Act.

§ 16.  Cooperation and exchange of information

 (1) Obliged entities may cooperate with one another for AML/CFT purposes, thereby communicating information available to them and replying to queries within a reasonable time, following the duties, obligations and restrictions arising from legislation.

 (2) Obliged entities may exchange information that one of them needs and the other has obtained for the application of a due diligence measure arising from clause 1, 3 or 5 of subsection 1 of § 20 of this Act, following the restrictions established in this Act and the principle of good faith, regardless of any banking, business, official, professional or other confidentiality obligation or restriction on sharing information provided for in any other Act.

 (3) Subsection 2 of this section does not apply where the obliged entity assesses a customer’s legal position, defends or represents the customer in court, intra-authority appeal or other such proceedings, including consults a customer regarding the institution or avoidance of proceedings, regardless of whether the information has been received before, during or after the proceedings.

 (4) Information obtained on the basis of subsection 2 of this section may be used solely for the performance of the duties and obligations arising from this Act, taking into account all of the requirements provided for in this Act, including the data collection, retention and protection rules. The scope and manner of communication or exchange of information between obligated entities is agreed on at least in a form reproducible in writing.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 17.  Appointment of management board member in charge and compliance officer

 (1) Where the obliged entity has more than one management board member, the obliged entity appoints a management board member who is in charge of implementation of this Act and legislation and guidelines adopted on the basis thereof.

 (2) The management board or the manager of a branch of a credit institution, financial institution or obliged entity specified in subsection 1 of § 70 of this Act appoints a person to act as a contact person of the Financial Intelligence Unit (hereinafter compliance officer). The compliance officer reports directly to the management board of the obliged entity or to the manager of the branch and has the competence, means and access to relevant information across all of the structural units of the obliged entity.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) A compliance officer may also be appointed by an obliged entity not specified in subsection 2 of this section.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (4) An employee or a structural unit may perform the duties of a compliance officer. Where a structural unit performs the duties of a compliance officer, the head of the respective structural unit is responsible for performance of the given duties. The Financial Intelligence Unit and the competent supervisory authority are informed of the appointment of a compliance officer.

 (5) Only a person who works permanently in Estonia and has the education, professional suitability, abilities, personal qualities, experience and impeccable reputation required for performance of the duties of a compliance officer may be appointed as a compliance officer. The appointment of a compliance officer is coordinated with the Financial Intelligence Unit.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (6) The Financial Intelligence Unit has the right to receive information from a compliance officer or compliance office candidate, their employer and state databases for the purpose of verifying the suitability of the compliance officer or compliance officer candidate. Where, as a result of the check carried out by the Financial Intelligence Unit, it becomes evident that the person’s reliability is under suspicion due to their past acts or omissions, the person’s reputation cannot be considered impeccable and the obliged entity may extraordinarily terminate the compliance officer’s employment contract due to the loss of confidence. Where the duties of a compliance officer are performed by a structural unit, the provisions of this subsection are applied to each employee of the structural unit.

 (7) The duties of a compliance officer include, inter alia:
 1) organisation of the collection and analysis of information referring to unusual transactions or transactions or circumstances suspected of money laundering or terrorist financing, which have become evident in the activities of the obliged entity;
 2) reporting to the Financial Intelligence Unit in the event of suspicion of money laundering or terrorist financing;
 3) periodic submission of written statements on compliance with the requirements arising from this Act to the management board or branch manager of the obliged entity;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 4) performance of other duties and obligations related to compliance with the requirements of this Act.

 (8) A compliance officer has the right to:
 1) make proposals to the management board or branch manager of the obligated entity for amendment and modification of the rules of procedure containing AML/CFT requirements and organisation of training specified in subsection 6 of § 14 of this Act;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 2) demand that a structural unit of the obliged entity eliminate within a reasonable time deficiencies identified in the implementation of the AML/CFT requirements;
 3) receive data and information required for performance of the duties of a compliance officer;
 4) make proposals for organisation of the process of submission of notifications of suspicious and unusual transactions;
 5) receive training in the field.

 (9) Where no compliance officer has been appointed, the duties of a compliance officer are performed by the management board of the legal person, a management board member appointed on the basis of subsection 1 of this section, the manager of the branch of the foreign company registered in the Estonian commercial register or a self-employed person.

 (10) The duties and obligations provided for in this section do not apply to the obliged entities specified in subsections 3 and 4 of § 2 of this Act.

§ 18.  Relationships with shell banks

 (1) ‘Shell bank’ means a credit institution or financial institution, or an institution that carries out activities equivalent to those carried out by credit institutions and financial institutions, incorporated in a jurisdiction in which it has no physical presence, involving meaningful mind and management, and which is unaffiliated with a regulated credit or financial group.

 (2) Credit institutions and financial institutions are not allowed to establish or continue correspondent relationships with shell banks and such credit institutions or financial institutions that knowingly allow shell banks use their accounts.

 (3) An agreement violating the prohibition specified in subsection 2 of this section is void.

Chapter 3 Due Diligence Measures 

Division 1 Grounds for Application of Due Diligence Measures 

§ 19.  Obligation to apply due diligence measures

 (1) The obliged entity applies due diligence measures:
 1) upon establishment of a business relationship;
 2) upon making or mediating occasional transactions outside a business relationship where a cash payment of over 15 000 euros or an equal amount in another currency is made, regardless of whether the financial obligation is performed in the transaction in a lump sum or in several related payments over a period of up to one year, unless otherwise provided by law;
 3) upon verification of information gathered while applying due diligence measures or in the case of doubts as to the sufficiency or truthfulness of the documents or data gathered earlier while updating the relevant data;
 4) upon suspicion of money laundering or terrorist financing, regardless of any derogations, exceptions or limits provided for in this Act.

 (2) A trader applies due diligence measures at least every time a payment of over 10 000 euros or an equal sum in another currency is made to or by the trader in cash, regardless of whether the pecuniary obligation is performed in a lump sum or by way of several linked payments over a period of up to one year.

 (21) A foundation, non-profit association or an entity to which the provisions of the Non-profit Associations Act apply applies due diligence measures at least every time when it is paid or it pays in cash an amount of over 5,000 euros in a lump sum or in several linked payments over a period of up to one year.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (22) A person who mediates real property usage transactions applies due diligence measures at least every time when the value of the usage fee agreed on in the transaction amounts to no less than 10,000 euros a month.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (23) A dealer of works of art and a person who mediates works of art or stores them in a customs free zone applies due diligence measures at least every time they are paid or they pay a sum with a value of at least 10,000 euros in a lump sum or in several linked payments over a period of one year.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) A gambling operator applies due diligence measures at least upon payment of winnings, making of a bet or on both occasions where the sum given or receivable by the customer is at least 2000 euros or an equal sum in another currency, regardless of whether the pecuniary obligation is performed in a lump sum or by way of several linked payments over a period of up to one month.

 (4) A payment service provider providing both the payer and the payee with a payment service identifies the customer in the case of each transfer of funds that meets the description provided for in Article 3(9) of Regulation (EU) No 2015/847 of the European Parliament and of the Council on information accompanying transfers of funds and repealing Regulation (EC) No 1781/2006 (OJ L 141, 05.06.2015, pp 1–18) and whereby the sum of the pecuniary obligation exceeds 1000 euros, regardless of whether the pecuniary obligation is performed in a lump sum or by way of several linked payments over a period of up to one month.

 (5) The obliged entity applies the due diligence measures provided in clauses 1–5 of subsection1 of § 20 of this Act before the establishment of a business relationship or the making of a transaction outside a business relationship, unless otherwise provided for in this Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (51) The auditor auditing an annual report or carrying out an inspection applies the due diligence measures specified in clause 3 of subsection 1 of § 20 of this Act during the audit or inspection, thereby examining the information gathered by the management board of the customer in accordance with subsection 2 of § 76.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (6) Where the duty to apply due diligence measures depends on the exceeding of a certain sum, the due diligence measures must be applied as soon as the exceeding of the sum becomes known or, where the exceeding of the sum depends on the making of several linked payments, as soon as the sum is exceeded.

 (7) The provisions of this Chapter regarding cash are also applicable to the performance of pecuniary obligations using a precious metal which is measured in bars or other units.

§ 20.  Due diligence measures

 (1) The obliged entity applies the following due diligence measures:
 1) identification of a customer or a person participating in an occasional transaction and verification of the submitted information based on information obtained from a reliable and independent source, including using means of electronic identification and of trust services for electronic transactions;
 2) identification and verification of a customer or a person participating in an occasional transaction and their right of representation;
 3) identification of the beneficial owner and, for the purpose of verifying their identity, taking measures to the extent that allows the obliged entity to make certain that it knows who the beneficial owner is, and understands the ownership and control structure of the customer or of the person participating in an occasional transaction;
 4) understanding of business relationships, an occasional transaction or operation and, where relevant, gathering information thereon;
 5) gathering information on whether a person is a politically exposed person, their family member or a person known to be close associate;
 6) monitoring of a business relationship.

 (2) Upon implementation of clause 4 of subsection 1 of this section, the obliged entity must understand the purpose of the business relationship or the purpose of the occasional transaction, identifying, inter alia, the permanent seat, place of business or place of residence, profession or field of activity, main contracting partners, payment habits, whether they act for or on behalf of another and, in the case of a legal person, also the experience of the customer or person participating in the occasional transaction.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (21) Where the obliged entity establishes a business relationship with a customer whose information on beneficial owners must, in accordance with the statutes of a Member State of the European Union, be submitted to the state or be registered there, the obliged entity must obtain a relevant registration certificate or registry extract upon application of clause 3 of subsection 1 of this section.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) In the case of an occasional transaction made outside of a business relationship, the obliged entity gathers information on the origin of the property used in the transaction, instead of applying clause 4 of subsection 1 of this section.

 (4) Where relevant, the obliged entity also gathers information on the origin of the customer’s wealth.

 (5) The person participating in a transaction made in economic or professional activities, the person participating in a professional operation or the person using a professional service or the customer submits, at the request of the obliged entity, documents required for the application of the due diligence measures and provides relevant information. The person participating in a transaction made in economic or professional activities, the person participating in an official operation or the person using an official service or the customer certifies by signature, at the request of the obliged entity, the correctness of the submitted information and documents submitted for the application of the due diligence measures.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (6) The obliged entity applies all the due diligence measures specified in subsection 1 of this section with regard to a customer, but determines the scope and exact manner of their application and the need specified in subsections 3 and 4 of this section based on previously assessed risks of money laundering and terrorist financing or those relating to a specific business relationship or to an occasional transaction, operation or person. Upon assessment of the application of the due diligence measures of the obliged entity, the principle of reasonableness provided for in the Law of Obligations Act is taken into account.

 (7) Upon assessment of specific risks related to a customer specified in subsection 6 of this section, the obliged entity determines, based on clause 2 of subsection 1 of § 14 of this Act, the risk profile of the customer or person participating in the transaction, taking account of the risk assessment drawn up on the basis of § 13 of this Act and at least the following factors:
 1) information gathered by the obliged entity upon implementation of clause 4 of subsection 1 of this section;
 2) the volume of the property deposited by the customer or the proprietary volume of the transaction or of transactions made in the course of an official operation;
 3) the estimated duration of the business relationship.

 (8) The obliged entity ensures that the due diligence measures applied by it, which are specified in its rules of procedure, comply with its risk assessment and that the obliged entity is prepared to explain them to the competent supervisory authority, including to the data protection supervisory authority.

§ 21.  Identification of natural person, documents serving as basis thereof and data collected on customer

 (1) The obliged entity identifies the customer and, where relevant, their representative and retains the following data on the person and, where relevant, their representative:
 1) name;
 2) personal identification code or, where none, the date of birth and the place of residence or seat;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 3) information on the identification and verification of the right of representation and scope thereof and, where the right of representation does not arise from law, the name of the document serving as the basis for the right of representation, the date of issue, and the name of the issuer.

 (2) The obliged entity verifies the correctness of the data specified in clauses 1 and 2 of subsection 1 of this section, using information originating from a credible and independent source for that purpose.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) The obliged entity identifies a natural person based on the following documents:
 1) a document specified in subsection 2 of § 2 of the Identity Documents Act;
 2) a valid travel document issued in a foreign country;
 3) a driving licence that meets the requirements provided for in subsection 1 of § 4 of the Identity Documents Act, or
 4) a birth certificate specified in § 30 of the Vital Statistics Registration Act in the case of a person below the age of seven years.

 (4) Where the original document specified in subsection 3 of this section is not available, the identity can be verified on the basis of a document specified in subsection 3, which has been authenticated by a notary or certified by a notary or officially, or on the basis of other information originating from a credible and independent source, including means of electronic identification and trust services for electronic transactions, thereby using at least two different sources for verification of data in such an event.

 (5) The two sources requirement specified in subsection 4 of this section does not need to be followed with regard to a customer who has limited active legal capacity and in the name of whom a business relationship is established or a transaction is made by their representative.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 22.  Identification of legal person, documents serving as basis thereof and data collected on customer

 (1) The obliged entity identifies a legal person registered in Estonia, the branch of a foreign company registered in Estonia and a foreign legal person and retains the following details on the legal person:
 1) the name or business name of the legal person;
 2) the registry code or registration number and the date of registration;
 3) the names of the director, members of the management board or other body replacing the management board, and their authorisation in representing the legal person;
 4) the details of the telecommunications of the legal person.

 (2) The obliged entity verifies the correctness of the data specified in clauses 1 and 2 of subsection 1 of this section, using information originating from a credible and independent source for that purpose. Where the obliged entity has access to the commercial register, register of non-profit associations and foundations or the data of the relevant registers of a foreign country, the submission of the documents specified in subsection 3 of this section does not need to be demanded from the customer.

 (3) The obliged entity identifies a legal person based on the following documents:
 1) the registry card of the relevant register;
 2) the registration certificate of the relevant register, or
 3) a document equal to the document specified in clause 1 or 3 of this section.

 (4) Where the original document specified in subsection 3 of this section is not available, the identity can be verified on the basis of a document specified in subsection 3, which has been authenticated by a notary or certified by a notary or officially, or on the basis of other information originating from a credible and independent source, including means of electronic identification and trust services for electronic transactions, thereby using at least two different sources for verification of data in such an event.

 (5) A representative of a legal person of a foreign country must, at the request of the obliged entity, submit a document certifying his or her powers, which has been authenticated by a notary or in accordance with an equal procedure and legalised or certified by a certificate replacing legalisation (apostille), unless otherwise provided for in an international agreement.

§ 23.  Monitoring of business relationship

 (1) The obliged entity establishes principles for monitoring a business relationship established in economic, professional or official activities (hereinafter monitoring of business relationship) upon application of § 14 of this Act.

 (2) The monitoring of a business relationship must include at least the following:
 1) checking of transactions made in a business relationship in order ensure that the transactions are in concert with the obliged entity’s knowledge of the customer, its activities and risk profile;
 2) regular updating of relevant documents, data or information gathered in the course of application of due diligence measures;
 3) identifying the source and origin of the funds used in a transaction;
 4) in economic, professional or official activities, paying more attention to transactions made in the business relationship, the activities of the customer and circumstances that refer to a criminal activity, money laundering or terrorist financing or that a likely to be linked with money laundering or terrorist financing, including to complex, high-value and unusual transactions and transaction patterns that do not have a reasonable or visible economic or lawful purpose or that are not characteristic of the given business specifics;
 5) in economic, professional or official activities, paying more attention to the business relationship or transaction whereby the customer is from a high-risk third country or a country or territory specified in subsection 4 of § 37 of this Act or whereby the customer is a citizen of such country or whereby the customer’s place of residence or seat or the seat of the payment service provider of the payee is in such country or territory.

 (3) Upon performance of the duty provided for in clause 4 of subsection 2 of this section, inter alia, the nature, reason and background of the transactions as well as other information that allows for understanding the substance of the transactions must be identified and more attention must be paid to these transactions.

Division 2 Variations of Application of Due Diligence Measures 

§ 24.  Reliance on data gathered by other person and outsourcing of application of due diligence measures

 (1) The obliged entity may, in the event of the partial or full performance of one or several of the duties provided for in subsection 1 of § 20 of this Act, rely on data and documents gathered by another person, where all the following criteria are met:
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 1) the obliged entity gathers from the other person at least information on who is the person establishing the business relationship or making the transaction, their representative and the beneficial owner, as well as what is the purpose and nature of the business relationship or transaction;
 2) the obliged entity has ensured that, where necessary, it is able to immediately obtain all the data and documents whereby it relied on data gathered by another person;
 3) the obliged entity has established that the other person who is relied on is required to comply and actually complies with requirements equal to those established by Directive (EU) 2015/849 of the European Parliament and of the Council, including requirements for the application of due diligence measures, identification of politically exposed persons and data retention, and is under or is prepared to be under state supervision regarding compliance with the requirements;
 4) the obliged entity takes sufficient measures to ensure compliance with the criteria provided for in clause 3 of this subsection.

 (2) In addition to subsection 1 of this section, the obliged entity may also outsource an activity related to the implementation of clauses 1–5 of subsection 1 of § 20 of this Act to:
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 1) another obliged entity;
 2) an organisation, association or union whose members are obliged entities, or
 3) another person who applies the due diligence measures and data retention requirements provided for in this Act and who is subject to or is prepared to be subject to AML supervision or financial supervision in a contracting state of the European Economic Area regarding compliance with requirements.

 (3) To outsource an activity, the obliged entity concludes a written contract with a person specified in subsection 2 of this section. The contract ensures that:
 1) the outsourcing of the activity does not impede the activities of the obliged entity or performance of the duties and obligations provided in this Act;
 2) the third party performs all the duties of the obliged entity relating to the outsourcing of the activity;
 3) the outsourcing of the activity does not impede exercising supervision over the obliged entity;
 4) the competent authority can exercise supervision over the person carrying out the outsourced activity via the obliged entity, including by way of an on-site inspection or another supervisory measure;
 5) the person specified in subsection 2 of this section has the required knowledge and skills and the ability to comply with the requirements provided for in this Act;
 6) the obliged entity has the right to, without limitations, inspect compliance with the requirements provided for in this Act;
 7) documents and data gathered for compliance with the requirements arising from this Act are retained and, at the request of the obliged entity, copies of documents relating to the identification of a customer and its beneficial owner or copies of other relevant documents are handed over or submitted to the competent authority immediately.

 (4) Information on the conclusion and termination of an outsourcing contract is made available to the competent supervisory authority in advance. Upon submission of information, the obliged entity indicates, among other things, the scope of the outsourced activity. At the request of the competent supervisory authority, the obliged entity submits the contract of outsourcing of the activity.

 (5) In a situation where the obliged entity relies on or outsources an activity to a person belonging to the same group, which has been established in a country where requirements equal to those of Directive (EU) 2015/849 of the European Parliament and of the Council apply, including requirements for the application of due diligence measures, identification of politically exposed persons and data retention, and where group-based supervision is exercised over the group, the requirements provided for in clause 3 of subsection 1 and in clause 5 of subsection 3 of this section do not need to be applied.

 (6) The obliged entity is not allowed to rely on or outsource activities to a person who has been established in a high-risk third country.

 (7) The obliged entity who relies on data gathered by another person or who has outsourced an activity to another person is responsible for compliance with requirements arising from this Act.

§ 25.  Variations of due diligence measures applied by credit institution, financial institution, virtual currency service provider and Eesti Pank

  [RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (1) A credit institution and a financial institution is not allowed to provide services that can be used without identifying the person participating in the transaction and without verifying the submitted information, except in the events specified in § 27 of this Act. Credit institutions and financial institutions are required to open an account and keep an account only in the name of the account holder.

 (11) Credit institutions and financial institutions must, when making or mediating occasional transactions outside business relationships where a transaction of over 1,000 euros or an equal amount in another currency is made, apply due diligence measures regardless of whether the financial obligation is performed in the transaction in a lump sum or by way of several linked payments over a period of up to one month.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (12) The currency exchange service may be provided without identifying the person participating in the transaction of the value of the amount exchanged in cash in a one-off transactions or in linked transactions does not exceed 1,000 euros.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) Credit institutions and financial institutions are not allowed to conclude a contract or make a decision to open an anonymous account, savings book or safe-deposit box. A transaction violating the prohibition is void.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) Eesti Pank applies the due diligence measures specified in clauses 1–5 of subsection 1 of § 20 of this Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (4) Eesti Pank applies the due diligence measures specified in clauses 1–5 of subsection 1 of § 20 of this Ac always when there is doubt as to the sufficiency or truthfulness of documents or data previously gathered in the course of identification of a person, verification of submitted information or updating the relevant details as well as in the event of suspicion of money laundering or terrorist financing.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 26.  Due diligence measures applicable to life insurance

 (1) In the case of life insurance, a credit institution and a financial institution applies the due diligence measures specified in § 20 of this Act with the following variations:
 1) the name of the beneficiary determined in the insurance contract is identified immediately after the determination of the person or after learning of the person;
 2) where the beneficiary is not determined by name, but based on certain characteristics or in another manner, sufficient data must be gathered on the circle of persons determined in such a manner so that it is proven that the identity of the beneficiary can be established at the time of making a payment.

 (2) In the case of subsection 1 of this section, the identity of the beneficiary is verified at the time of making a payment.

 (3) Where, by agreement with the obliged entity, a policyholder assigns their rights and obligations under a life insurance contract to a third party, the obliged entity must identify the assignee of the contract at the moment of assignment of the contract.

§ 27.  Due diligence measures applicable to limited-use accounts

 (1) By way of exception, a credit institution, financial institution or central securities depositor can open an account, including a securities account, before the application of the due diligence measures specified in clauses 1–3 of subsection 1 of § 20 of this Act where transactions cannot be made by the customer or in the name of the customer with the property held on the account until the full application of the due diligence measures specified in clauses 1–3 of subsection 1 of § 20 of this Act, thereby applying the due diligence measures as soon as reasonably possible.

 (2) In accordance with the procedure established on the basis of clause 1 of subsection 4 of § 67 of the Commercial Code, a credit institution can, on the basis of personal data automatically verified by the registrar via the computer network or via a notary authorised on the basis of subsection 4 of § 520 of the Commercial Code, open an account for a company that is being founded, provided that a contribution to the share capital is made to the account via an account opened in a credit institution operating in a contracting state of the European Economic Area or in the branch of a foreign credit institution established in a contracting state of the European Economic Area and the account is not debited before the company has been registered in the Estonian commercial register and before the due diligence measures specified in clauses 1–5 of subsection 1 of § 20 of this Act have been taken. Representatives of the company must allow the credit institution to apply the due diligence measures and conclude a settlement agreement within six months following the opening of the account.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 28.  Due diligence measures applicable to trust fund and legal arrangement

  [RT I, 10.07.2020, 1 – entry into force 20.07.2020]
In addition to the due diligence measures specified in subsection 1 of § 21 of this Act, the credit institution or financial institution gathers enough information on the beneficiaries of a trust fund or legal arrangement, which has been determined based on certain characteristics or type, in order to be certain that it is able to definitely identify the beneficiary at the time of making a payment or once the beneficiary exercises their rights.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 29.  Due diligence measures applied by non-profit association and foundation

 (1) The persons specified in subsection 3 of § 2 of this Act apply the due diligence measures specified in clauses 1–5 of subsection 1 of § 20 of this Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) The persons specified in subsection 3 of § 2 of this Act apply the due diligence measures specified in clauses 1–5 of subsection 1 of § 20 of this Ac always when there is doubt as to the sufficiency or truthfulness of documents or data previously gathered in the course of identification of a person, verification of submitted information or updating the relevant details as well as in the event of suspicion of money laundering or terrorist financing.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 30.  Variations of due diligence measures applied by legal service provider

 (1) Where a notary identifies a person and applies other due diligence measures, the Notarisation Act and the Notaries Act are followed, taking account of the variations provided for in this Act.

 (2) A notary, enforcement officer, bankruptcy trustee, auditor, attorney or another legal service provider may identify and verify the identity of a customer or a person participating in a transaction and a beneficial owner while establishing a business relationship or entering into a transaction, provided that it is necessary for the purpose of not interrupting the ordinary course of the professional activities and the risk of money laundering or terrorist financing is low.

 (3) In the event specified in subsection 2 of this section, the application of due diligence measures must be completed within a reasonable time after the first contact and before making binding operations.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 31.  Identification of person and verification of data using information technology means

 (1) A credit institution and a financial institution must identify a person and verify data with using information technology means where the application of the due diligence measures in establishing a business relationship does not take place in the physical presence of the person and where:
 1) the customer is from a non-EEA country or their place of residence or seat is in such a country, or
 2) the total amount of outgoing payments related to the transaction or service contract per calendar month exceeds 15,000 euros in the case of a customer who is a natural person or 25,000 euros in the case of a customer who is a legal person.
[RT I, 10.07.2020, 1 – entry into force 10.09.2020]

 (2) [Repealed – RT I, 10.07.2020, 1 – entry into force 10.09.2020]

 (3) A document issued by the Republic of Estonia for digital identification of a person or another means of electronic identification of a high assurance level, which is specified in the regulation established on the basis of subsection 6 of this section, is used for identifying a person and verifying data using information technology means.
[RT I, 10.07.2020, 1 – entry into force 10.09.2020]

 (4) Where a person is a foreign national, the identity document issued by the competent authority of the foreign country must be used for the identification of the person and verification of data in addition to the means specified in subsection 3 of this section.

 (5) Additionally, information originating from a credible and independent source is used for identifying a person and verifying data. To identify a person and verify data, credit institutions and financial institutions has the right to use personal identification data entered in the database of identity documents.
[RT I, 10.07.2020, 1 – entry into force 10.09.2020]

 (6) The technical requirements of and procedure for identification of persons and verification of data using information technology means are established by a regulation of the minister responsible for the field.

 (61) The procedure provided for in a regulation established on the basis of subsection 1 of § 31 of the Notaries Act is applied where the identity of a person is established and information is verified using information technology means in the official activities of a notary.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (7) The regulation specified in subsection 6 of this section sets out in greater detail at least the requirements for disclosure of information, rules of procedure applicable to the establishment of a business relationship and to the making of an occasional transaction, requirements for activities related to the declarations of intent of the parties to a transaction, organisation of questionnaire surveys and mandatory real-time interviews held upon establishment of a business relationship, conditions of processing of the photograph of a person, and requirements for the quality of the synchronised audio and video stream during the aforementioned procedures as well as for recording and for the reproducibility of recordings, and, based on the national risk assessment specified in § 11 of this Act, the regulation may establish limits different from the ones specified in clause 2 of subsection 1 of this section to situations where the provisions of this section do not need to be applied.
[RT I, 10.07.2020, 1 – entry into force 10.09.2020]

Division 3 Simplified Due Diligence Measures 

§ 32.  Application of simplified due diligence measures

 (1) The obliged entity may apply simplified due diligence measures where a risk assessment prepared on the basis of subsection 7 of § 20 and §§ 11, 13 and 34 of this Act identifies that, in the case of the economic or professional activity, field or circumstances, the risk of money laundering or terrorist financing is lower than usual.

 (2) Before the application of simplified due diligence measures to a customer, the obliged entity establishes that the business relationship, transaction or operation is of a lower risk and the credit institution and financial institution attribute to the transaction, operation or customer a lower degree of risk.

 (3) The application of simplified due diligence measures is permitted to the extent that the obliged entity ensures sufficient monitoring of transactions, operations and business relationships, so that it would be possible to identify unusual transactions and allow for notifying of suspicious transactions in accordance with the procedure established in § 49 of this Act.

§ 33.  Conditions of application of simplified due diligence measures

 (1) Upon simplified implementation of clauses 1 and 2 of subsection 1 of § 20 of this Act, the identity of a customer or of the customer’s representative may be verified on the basis of information obtained from a credible and independent source also at the time of establishment of the business relationship, provided that it is necessary for not disturbing the ordinary course of business. In such an event the verification of identity must be carried out as quickly as possible and before the taking of binding measures.

 (2) Upon implementation of clauses 3–5 of subsection 1 of § 20 of this Act, the obliged entity may choose the extent of performance of the duty and the need to verify the information and data used therefore with the help of a credible and independent source.

 (3) Clause 6 of subsection 1 of § 20 of this Act may be applied in accordance with the simplified procedure, provided that a factor characterising a lower risk has been established and at least the following criteria are met:
 1) a long-term contract has been concluded with the customer in writing, electronically or in a form reproducible in writing;
 2) payments accrue to the obliged entity in the framework of the business relationship only via an account held in a credit institution or the branch of a foreign credit institution registered in the Estonian commercial register or in a credit institution established or having its place of business in a contracting state of the European Economic Area or in a country that applies requirements equal to those of Directive (EU) 2015/849 of the European Parliament and of the Council;
 3) a limit has been set to the total value of incoming and outgoing payments in transactions.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 34.  Factors characterising lower risk

 (1) Before the application of simplified due diligence measures, factors referring to a lower risks are taken into account and the obliged entity determines whether these factors will be implemented on the whole, in part or as separate grounds.

 (2) Upon assessment of factors referring to a lower risk in accordance with subsection 1 of this section, the following is deemed a situation reducing risks relating to the customer type:
 1) the customer is a company listed on a regulated market, which is subject to disclosure obligations that establish requirements for ensuring sufficient transparency regarding the beneficial owner;
 2) the customer is a legal person governed by public law established in Estonia;
 3) the customer is a governmental authority or another authority performing public functions in Estonia or a contracting state of the European Economic Area;
 4) the customer is an institution of the European Union;
 5) the customer is a credit institution or financial institution acting on its own behalf or a credit institution or financial institution located in a contracting state of the European Economic Area or a third country, which in its country of location is subject to requirements equal to those established in Directive (EU) 2015/849 of the European Parliament and of the Council and subject to state supervision;
 6) a person who is a resident of a country or geographic area having the characteristics specified in clauses 1–4 of subsection 3 of this section.

 (3) Upon assessment of factors referring to a lower risk in accordance with subsection 1 of this section, at least the following situations where the customer is from or the customer’s place of residence or seat is in, may be deemed a factor reducing geographic risks:
 1) a contracting state of the European Economic Area;
 2) a third country that has effective AML/CFT systems;
 3) a third country where, according to credible sources, the level of corruption and other criminal activity is low;
 4) a third country where, according to credible sources such as mutual evaluations, reports or published follow-up reports, AML/CFT requirements that are in accordance with the updated recommendations of the Financial Action Task Force (FATF), and where the requirements are effectively implemented.

§ 35.  Variations of application of simplified due diligence measures by credit institution and financial institution

 (1) Upon identifying factors characterising a smaller risk and choosing simplified due diligence measures, credit institutions and financial institutions take into account the guidelines of the European supervisory authorities regarding risk factors.

 (2) Under subsection 1 of § 34 of this Act, at least the following factors may be deemed factors reducing risks relating to the product, service, transaction or delivery channels upon assessment of factors referring to a lower risk:
 1) a life insurance contract with a small insurance premium;
 2) an insurance policy for a pension scheme where there is no early surrender option and the policy cannot be used as collateral;
 3) a pension, superannuation or similar scheme that provides retirement benefits to employees, where contributions are made by way of deduction from wages, and the scheme rules do not permit the assignment of a member’s interest under the scheme;
 4) financial products or services that provide appropriately defined and limited services to certain types of customers, so as to increase access for financial inclusion purposes;
 5) products where the risks of money laundering and terrorist financing are managed by other factors such as pecuniary limits or transparency-enhancing measures;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 6) basic payment services relating to a liability account.

Division 4 Enhanced Due Diligence Measures 

§ 36.  Application of enhanced due diligence measures

 (1) The obliged entity applies enhanced due diligence measures in order to adequately manage and mitigate a higher-than-usual risk of money laundering and terrorist financing.

 (2) Enhanced due diligence measures are applied always when:
 1) upon identification of a person or verification of submitted information, there are doubts as to the truthfulness of the submitted data, authenticity of the documents or identification of the beneficial owner;
 2) the person participating in a transaction made in economic or professional activities, the person participating in an official operation, the person using an official service or the customer is a politically exposed person, except in the event specified in subsection 5 of § 38 of this Act;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 3) the person participating in a transaction made in economic or professional activities, the person participating in an official operation, the person using an official service or the customer is from a high-risk third country or their place of residence or seat or the seat of the payment service provider of the payee is in a high-risk third country;
 4) the customer or the person participating in a transaction or the person using an official service is from such country or territory or their place of residence or seat or the seat of the payment service provider of the payee is in a country or territory that, according to credible sources such as mutual evaluations, reports or published follow-up reports, has not established effective AML/CFT systems that are in accordance with the recommendations of the Financial Action Task Force, or that is considered a low tax rate territory.

 (3) The obliged entity applies enhanced due diligence measures also where a risk assessment prepared on the basis of subsection 6 of § 20 and §§ 11, 13 and 37 of this Act identifies that, in the case of the economic or professional activity, field or factors, the risk of money laundering or terrorist financing is higher than usual.

 (4) Enhanced due diligence measures do not need to be applied regarding the branch of an obliged entity established in a contracting state of the European Economic Area or a majority-owned subsidiary seated in a high-risk third country, provided that the branch and the majority-owned subsidiary fully comply with the group-wide procedures in accordance with § 15 of this Act and the obliged entity assesses that the waiver to apply enhanced due diligence measures does not entail major additional risks of money laundering and terrorist financing.

§ 37.  Factors characterising higher risk

 (1) In addition to the events specified in subsection 2 of § 36 of this Act, at least the factors referring to a higher risk of money laundering and terrorist financing specified in subsections 2–4 of this section are taken into account upon application of enhanced due diligence measures. The obliged entity determines in rules of procedure whether it will apply the factors on the whole, in part or as separate grounds for the purpose of application of enhanced due diligence measures.

 (2) Upon assessment of factors referring to a higher risk in accordance with subsection 1 of this section, the following is deemed a situation increasing risks related to the customer as a person:
 1) the business relationship foundations based on unusual factors, including in the event of complex and unusually large transactions and unusual transaction patterns that do not have a reasonable, clear economic or lawful purpose or that are not characteristic of the given business specifics;
 2) the customer is a resident of a higher-risk geographic area listed in subsection 4 of this section;
 3) the customer is a legal person or a legal arrangement, which is engaged in holding personal assets;
 4) the customer is a cash-intensive business;
 5) the customer is a company that has nominee shareholders or bearer shares or a company whose affiliate has nominee shareholders or bearer shares;
 6) the ownership structure of the customer company appears unusual or excessively complex, given the nature of the company’s business;
 7) the customer is a third country national who applies for residence rights or citizenship in Estonia in exchange of capital transfers, purchase of property or government bonds, or investment in corporate entities in Estonia.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) Upon assessment of factors referring to a higher risk in accordance with subsection 1 of this section, in particular the following is deemed a situation increasing risks related to the product, service, transaction or delivery channel:
 1) private banking;
 2) provision of a product or making or mediating of a transaction that might favour anonymity;
 3) payments received from unknown or unassociated third parties;
 4) a business relationship or transaction that is established or initiated in a manner whereby the customer, the customer’s representative or party to the transaction is not met physically in the same place and whereby § 31 of this Act is not applied as a safeguard measure;
 5) new products and new business practices, including new delivery mechanism, and the use of new or developing technologies for both new and pre-existing products;
 6) a transaction related to oil, arms, precious metals, precious metal products or tobacco products;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 7) a transaction related to cultural artefacts or other items of archaeological, historical, cultural and religious importance, or of rare scientific value;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 8) a transaction related to ivory or protected species.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (4) Upon assessment of factors referring to a higher risk in accordance with subsection 1 of this section, in particular as situation where the customer, a person involved in the transaction or the transaction itself is connected with a following country or jurisdiction is deemed a factor increasing the geographical risk:
 1) that, according to credible sources such as mutual evaluations, detailed evaluation reports or published follow-up reports, has not established effective AML/CFT systems;
 2) that, according to credible sources, has significant levels of corruption or other criminal activity;
 3) that is subject to sanctions, embargos or similar measures issued by, for example, the European Union or the United Nations;
 4) that provides funding or support for terrorist activities, or that has designated terrorist organisations operating within their country, as identified by the European Union or the United Nations.

 (5) Upon selection of enhanced due diligence measures, a credit institution and a financial institution takes into account, in addition to subsections 2–4 of this section, relevant guidelines of the European supervisory authorities regarding risk factors.

§ 38.  Additional due diligence measures

 (1) The obliged entity chooses additional due diligence measures in order to manage and mitigate an established risk of money laundering and terrorist financing that is higher than usual.

 (2) To perform the duties provided for in subsection 1 of this section, the obliged entity may, among other things, apply one or several of the following due diligence measures:
 1) verification of information additionally submitted upon identification of the person based on additional documents, data or information originating from a credible and independent source;
 2) gathering additional information on the purpose and nature of the business relationship, transaction or operation and verifying the submitted information based on additional documents, data or information that originates from a reliable and independent source;
 3) gathering additional information and documents regarding the actual execution of transactions made in the business relationship in order to rule out the ostensibility of the transactions;
 4) gathering additional information and documents for the purpose of identifying the source and origin of the funds used in a transaction made in the business relationship in order to rule out the ostensibility of the transactions;
 5) the making of the first payment related to a transaction via an account that has been opened in the name of the person or customer participating in the transaction in a credit institution registered or having its place of business in a contracting state of the European Economic Area or in a country where requirements equal to those of Directive (EU) 2015/849 of the European Parliament and of the Council are in force;
 6) the application of due diligence measures regarding the person or their representative while being at the same place as the person or their representative.

 (3) Upon application of enhanced due diligence measures, the obliged entity must apply the monitoring of a business relationship more frequently than usually, including reassess the customer’s risk profile not later than six months after the establishment of the business relationship.

 (4) In addition to the provisions of this section, credit institutions and financial institutions take into account the guidelines of the European supervisory authorities upon selection of due diligence measures.

 (5) In addition to the measures provided for in this section, the measures provided for in § 41 of this Act also apply to a politically exposed person, their family member or a person known to be their close associate. Where there is a factor that refers to a lower risk specified in clause 1 of subsection 3 of § 34 of this Act regarding the aforementioned person, the application of the aforementioned measures is required only where there is a factor referring to a higher risk.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 39.  Enhanced due diligence measures applied to transaction made with natural and legal persons operating in high-risk third country

 (1) Where the obliged entity comes in contact with a high-risk third country via a person participating in a transaction made in the obliged entity’s economic or professional activities, via a person participating in an official operation, via a person using an official service or via a customer, the obliged entity applies the following due diligence measures:
 1) gathering additional information about the customer and its beneficial owner;
 2) gathering additional information on the planned substance of the business relationship;
 3) gathering information on the origin of the funds and wealth of the customer and its beneficial owner;
 4) gathering information on the underlying reasons of planned or executed transactions;
 5) receiving permission from the senior management to establish or continue a business relationship;
 6) improving the monitoring of a business relationship by increasing the number and frequency of the applied control measures and by choosing transaction indicators or transaction patterns that are additionally verified;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) In addition to subsection 1 of this section, the obliged entity may demand that a customer make a payment from an account held in the customer’s name in a credit institution of a contracting state of the European Economic Area or in a third country that implements requirements equal to those of Directive (EU) 2015/849 of the European Parliament and of the Council.

 (3) In addition to subsection 1 of this section, a credit institution or a financial institution applies one or several of the following due diligence measures:
 1) winding up its branch or representation in a high-risk third country;
 2) carrying out a special audit in a subsidiary or branch of the credit institution or financial institution in a high-risk third country;
 3) assessing and, where necessary, terminating a correspondent relationship with an obliged entity of a high-risk third country.

§ 40.  Duties and obligations of correspondent institution

  [RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (1) In the case of a cross-border correspondent relationship with a respondent institution of a third country or a respondent institution whereby the risk of money laundering or terrorist financing is higher, the credit institution or the financial institution takes, in addition to the due diligence measures provided for in subsection 1 of § 20 of this Act, the following due diligence measures:
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 1) gathering sufficient information on the respondent institution in order to fully understand the nature of the activities of the respondent institution and, based on publicly available information, make a decision on the reputation and supervision quality of the relevant institution, including by researching whether any proceedings have been initiated against the institution in connection with violation of AML/CFT legislation;
 2) assessment of AML/CFT control systems implemented in the respondent institution;
 3) receiving prior approval from the senior management to establish a new correspondent relationship;
 4) documentation of the relevant duties and obligations of both institutions;
 5) in the case of payable-through accounts, making certain that the respondent institution has verified the identity of the customers who have direct access to the accounts of the correspondent institution, applies due diligence measures to them at all times and, upon request is able to present the relevant due diligence measures applied to the customer.

 (2) A credit institution or a financial institution as an obliged entity who renders a service to another credit institution or financial institution in a correspondent relationship provided for in § 7 of this Act where the customers of the credit institution or financial institution receiving the service benefit from the service (hereinafter beneficial customer) does not need to apply the due diligence measures provided for in § 20 of this Act with regard to the beneficial customers where the obliged entity:
 1) has established that the credit institution or financial institution who is a customer is itself required to apply and actually applies measures equal to the requirements provided for in this Act, including requirements for the application of due diligence measures, identification of politically exposed persons and data retention, and is under financial supervision;
 2) is aware of the risk structure of the beneficial customers and makes certain that the related risk is in accordance with the risk appetite of the obliged entity;
 3) has ensured by a contract that, where necessary, it is able to immediately obtain all data and documents in order to identify the person who ultimately benefits from the transaction;
 4) takes sufficient measures to ensure compliance with the criteria provided for in clause 1 of this subsection.

 (3) The obliged entity is prohibited to apply subsection 2 of this section where the credit institution or financial institution who is a customer has been established in a high-risk third country.

 (4) The obliged entity applying subsection 2 of this section is responsible for compliance with the requirements arising from this Act.

§ 41.  Transactions with politically exposed person

 (1) In a situation where the person participating in a transaction made in economic or professional activities, the person participating in an official operation, the person using an official service, the customer or their beneficial owner is a politically exposed person, a family member of a politically exposed person or a person known to be a close associate of a politically exposed person, the obliged entity applies the following due diligence measures in addition to the due diligence measures provided for in subsection 1 of § 20 of this Act:
 1) obtains approval from the senior management to establish or continue a business relationship with the person;
 2) applies measures to establish the origin of the wealth of the person and the sources of the funds that are used in the business relationship or upon making occasional transactions;
 3) monitors the business relationship in an enhanced manner.

 (2) In addition to the application of the due diligence measures specified in § 26 of this Act, the obliged entity establishes not later than upon making a payment whether the beneficiary of the life insurance policy or the beneficial owner of the beneficiary is a politically exposed person, a family member of a politically exposed person or a person known to be a close associate of a politically exposed person. Upon assignment of a life insurance contract in accordance with subsection 3 of § 26 of this Act, the obliged entity identifies the aforementioned facts regarding the assignee of the contract and their beneficial owner at the moment of assignment of the contract. Where the obliged entity identifies a politically exposed person, a family member of a politically exposed person or a person known to be a close associate of a politically exposed person, the obliged entity applies the following due diligence measures in addition to the due diligence measures provided for in subsection 1 of § 20 of this Act:
 1) informing the senior management before making payments under the insurance policy;
 2) checking the entire business relationship in detail.

 (3) Where a politically exposed person no longer performs important public functions placed upon them, the obliged entity must at least within 12 months take into account the risks that remain related to the person and apply relevant and risk sensitivity-based measures as long as it is certain that the risks characteristic of politically exposed persons no longer exist in the case of the person.

 (4) [Repealed – RT I, 10.07.2020, 1 – entry into force 20.07.2020]

Division 5 Consequences of Failure to Apply Due Diligence Measures 

§ 42.  Prohibition on making transactions and establishing business relationships

  [RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (1) The obliged entity is not allowed to establish a business relationship or enable the making of an occasional transaction or the making of a transaction in a business relationship where at least one of the following circumstances occurs:
 1) the obliged entity is unable to apply the due diligence measures required under this Act;
 2) the obliged entity suspects money laundering or terrorist financing.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) The obliged entity is prohibited to establish a business relationship or make a transaction with a person of whose capital consists of bearer shares or other bearer securities to the extent of more than 10 per cent.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) A payment service provider is prohibited to follow the customer’s payment instruction or make funds available where the payment service provider is unable to comply with the duty provided for in subsection 4 of § 19 or subsection 11 of § 25 of this Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (4) Where the obliged entity has a business relationship with a customer in a situation provided for in subsections 1–3 of this section, the refusal by the customer to provide information or documents required for the application of due diligence measures is deemed a fundamental breach of the contract and the obliged entity has the obligation to extraordinarily terminate the long-term contract serving as the basis for the business relationship and to notify the Financial Intelligence Unit of the suspicious transaction relating to the customer in accordance with § 49 of this Act. The business relationship is deemed terminated as of the submission of a termination notice to the customer after which the obliged entity makes the services completely unavailable to the customer.

 (5) An agreement violating the prohibition specified in subsections 1–3 of this section is void.

 (6) The provisions of subsections 1–5 are not applied where the obliged entity has notified the Financial Intelligence Unit of the establishment of a business relationship, transaction or an attempted transaction in accordance with the procedure provided for in § 49 of this Act and received from the Financial Intelligence Unit a specific instruction to continue the business relationship, the establishment of the business relationship or the transaction.

 (7) Subsections 1–5 of this section do not apply to an auditor that provides a customer with a certainty-giving or related auditor service or accounting revision service and that has reported the occurrence of the circumstances specified in subsection 1 or 2 to the Financial Intelligence Unit in accordance with the procedure provided for in § 49 of this Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 43.  Right to postpone transactions and terminate business relationships

  [RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (1) The obliged entity has the right to postpone the making of a transaction until the person participating in the transaction or official operation, a person using an official service or a customer has submitted the documents and information required for the application of due diligence measures, including for certifying the origin of the subject-matter of the transaction or for monitoring the business relationship.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) The obliged entity has the right to extraordinarily and without advance notification terminate the long-term contract serving as the basis for a business relationship:
 1) upon refusal to issue an e-resident’s digital identity card or where its validity is suspended or where it is declared invalid on the ground provided for in subsection 2 or 3 of § 206 of the Identity Documents Act;
 2) [Repealed – RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) Where, on the conditions described in subsection 1 or 2 of this section, the omission of a transaction would be impossible or where the omission of a transaction or termination of a business relationship might impede efforts made to catch persons benefiting from a suspicious transaction, the obliged entity may still make the transaction or continue the business relationship, informing the Financial Intelligence Unit thereof immediately after making the transaction or deciding to continue the business relationship in accordance with the procedure provided for in § 49 of this Act.

§ 44.  Restrictions on transfer of customer’s property

 (1) Upon implementation of the provisions of this Division, the obliged entity may transfer the customers property only to an account opened in a credit institution or the branch of a foreign credit institution registered in the Estonian commercial register or in a credit institution registered or having its place of business in a contracting state of the European Economic Area or in a country where requirements equal to those of Directive (EU) 2015/849 of the European Parliament and of the Council are in force. By way of exception, the property may be transferred to an account other than the customer’s account, notifying the Financial Intelligence Unit thereof at least seven working days in advance and provided that the Financial Intelligence Unit does not establish the restriction specified in § 57 of this Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) Upon opening an account to a company established in the manner provided for in subsection2 of §27 of this Act, subsection 1 of this section is applied, unless the Financial Intelligence Unit has established a different procedure by a precept made on the basis of §55 of this Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 45.  Variations upon provision of legal service

  The provisions of this Division do not apply to a notary, enforcement officer, bankruptcy trustee, attorney or other legal service provider, provider of accounting services or provider of advisory services in the field of accounting or taxation where the person is involved in assessing the customers legal status or in performing duties as the customers defence counsel or representative in court proceedings or in connection therewith, including in connection with giving advance on the initiation or avoidance of proceedings.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

Chapter 4 Gathering, Retaining and Protecting Data 

§ 46.  Registration of data

 (1) The obliged entity registers the transaction date or period and a description of the substance of the transaction.

 (2) In addition to the data specified in subsection 1, the obliged entity registers:
 1) information on the circumstance of the obliged entity’s refusal to establish a business relationship or make an occasional transaction;
 2) the circumstances of a waiver to establish a business relationship or make a transaction, including an occasional transaction, on the initiative of the person participating in the transaction or official operation, the person using an official service or the customer where the waiver is related to the application of due diligence measures by the obliged entity;
 21) information on all of the operations made for the purpose of establishing the identity of a person participating in a transaction or official operation, a person using an official service or a customer;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 3) information according to which it is not possible to take the due diligence measures provided for in subsection 1 of § 20 of this Act using information technology means;
 4) information on the circumstances of termination of a business relationship in connection with the impossibility of application of the due diligence measures;
 5) information serving as the basis for the duty to report under § 49 of this Act;
 6) upon making transactions with the representative of a civil law partnership, community or another legal arrangement or with a trust or trustee, the fact that the person has such status, an extract of the registry card or a certificate of the registrar of the register where the legal arrangement has been registered.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) In addition to the information provided for in subsection 1 of this section, a credit institution, financial institution and central securities depository register the following data regarding a transaction:
 1) upon opening an account, the account type, number, currency and significant characteristics of the securities or other property;
 2) upon acceptance of property for depositing, the deposition number and the market price of the property on the date of deposition or a detailed description of the property where the market price of the property cannot be determined;
 3) upon renting or using a safe-deposit box or a safe in a bank, the number of the safe-deposit box or safe;
 4) upon making a payment relating to shares, bonds or other securities, the type of the securities, the monetary value of the transaction, the currency and the account number;
 5) upon conclusion of a life insurance policy, the account number debited to the extent of the first insurance premium;
 6) upon making a disbursement under a life insurance policy, the account number that was credited to the extent of the disbursement amount;
 7) in the case of payment intermediation, the details the communication of which is mandatory under Regulation (EU) No 2015/847 of the European Parliament and of the Council;
 8) in the case of another transaction, the transaction amount, the currency and the account number.

§ 47.  Preservation of data

 (1) For the purpose of identification of persons and verification of submitted information, the obliged entity must retain the originals or copies of the documents specified in subsection 21 of § 20 and §§ 21, 22 and 46 of this Act, information registered in accordance with § 46 and the documents serving as the basis for the establishment of a business relationship for no less than five years after the termination of the business relationship.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (11) The obliged entity does not have to retain the originals or copies of the documents serving as a basis for the identification of persons and verification of submitted information where:
 1) the person was identified using e-identification and trust services for e-transactions, or
 2) the document is available to the obliged entity in an electronic database of the state throughout the period specified in subsection 1 of this section.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) During the period specified in subsection 1 of this section, the obliged entity must also retain the entire correspondence relating to the performance of the duties and obligations arising from this Act and all the data and documents gathered in the course of monitoring the business relationship or occasional transactions as well as data on suspicious or unusual transactions or circumstances which were not reported to the Financial Intelligence Unit.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) The obliged entity must retain the documents prepared with regard to a transaction on any data medium and the documents and data serving as the basis for the notification obligations specified in § 49 of this Act for no less than five years after making the transaction or performing the duty to report.

 (4) The obliged entity must retain the documents and data specified in subsections 1, 2 and 3 of this section in a manner that allows for exhaustively and immediately replying to the enquiries of the Financial Intelligence Unit or, in accordance with legislation, those of other supervisory authorities, investigative bodies or courts, inter alia, regarding whether the obliged entity has or has had in the preceding five years a business relationship with the given person and what is or was the nature of the relationship.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (5) Where the obliged entity makes, for the purpose of identifying a person, an enquiry with a database that is part of the state information system, the duties provided for in this subsection will be deemed performed where information on the making of an electronic enquiry to the register is reproducible over a period of five years after termination of the business relationship or making of the transaction.

 (6) Upon implementation of § 31 of this Act, the obliged entity retains the data of the document prescribed for the digital identification of a person, information on making an electronic enquiry to the identity documents database, and the audio and video recording of the procedure of identifying the person and verifying the person’s identity for at least five years after termination of the business relationship.

 (7) The obliged entity deletes the data retained on the basis of this section after the expiry of the time limits specified in subsections 1–6 of this section, unless the legislation regulating the relevant field establishes a different procedure. On the basis of a precept of the competent supervisory authority, data of importance for prevention, detection or investigation of money laundering or terrorist financing may be retained for a longer period, but not for more than five years after the expiry of the first time limit.

§ 48.  Protection of personal data

 (1) The obliged entity implements all rules of protection of personal data upon application of the requirements arising from this Act, unless otherwise provided by this Act.
[RT I, 13.03.2019, 2 – entry into force 15.03.2019]

 (2) The obliged entity is allowed to process personal data gathered upon implementation of this Act only for the purpose of preventing money laundering and terrorist financing, which is considered a matter of public interest for the purposes of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 04.05.2016, pp 1–88), and such data must not be additionally processed in a manner that does not meet the purpose, for instance, for marketing purposes.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (21) The following rights of the data subject may be limited with regard to personal data processed by the obliged entity based on § 16 of this Act:
 1) to demand the restriction of the processing of their personal data;
 2) to demand the portability of their personal data;
 3) to object to the processing of their personal data.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (22) On the basis of subsection 21 of this section the rights of the data subject may be restricted where the non-restriction may harm the ability of the processor or another obliged entity to comply with the requirements of this Act, including to apply due diligence measures.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) The obliged entity submits information concerning the processing of personal data before establishing a business relationship or making an occasional transaction with them. General information on the duties and obligations of the obliged entity upon processing personal data for AML/CFT purposes is given among this information.

Chapter 5 Conduct in Case of Suspicion of Money Laundering and Terrorist Financing 

§ 49.  Duty to report in case of suspicion of money laundering and terrorist financing

 (1) Where the obliged entity identifies in economic or professional activities, an official operation or provision of an official service an activity or facts whose characteristics refer to the use of criminal proceeds or terrorist financing or to the commission of related offences or an attempt thereof or with regard to which the obliged entity suspects or knows that it constitutes money laundering or terrorist financing or the commission of related offences, the obliged entity must report it to the Financial Intelligence Unit immediately, but not later than within two working days after identifying the activity or facts or after getting the suspicion.

 (2) Subsection 1 of this section also applies where a business relationship is not established, a transaction or operation is not made or a service is not provided, and the application thereof is considered also in the event of the circumstances specified in §§ 42 and 43 of this Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) The obliged entity, except for a credit institution, immediately but not later than two working days after the making of the transaction, notifies the Financial Intelligence Unit of each learned transaction whereby a pecuniary obligation of over 32 000 euros or an equal sum in another currency is performed in cash, regardless of whether the transaction is made in a single payment or in several linked payments over a period of up to one year. The credit institution notifies the Financial Intelligence Unit immediately, but not later than two working days after the making of the transaction about each foreign exchange transaction of over 32 000 euros made in cash where the credit institution does not have a business relationship with the person participating in the transaction.

 (31) The auditor who, in the course of whose professional activities, learns of a transaction which another obliged entity should have reported to the Financial Intelligence Unit under subsection 3 of this section, reports it to the Financial Intelligence Unit not later than within two working days after receiving the information.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (4) The obliged entity immediately submits to the Financial Intelligence Unit all the information available to the obliged entity, which the Financial Intelligence Unit requested in its enquiry.

 (5) The duty to report, which arises from subsections 1–4 of this section, does not apply to a notary, enforcement officer, bankruptcy trustee, auditor, attorney or other legal service provider, provider of accounting services or provider of advisory services in the field of accounting or taxation where they assess the customer’s legal situation, defend to represent the customer in court, intra-authority or other such proceedings, including where they advise the customer in a matter of initiation or prevention of proceedings, regardless of whether the information has been obtained before, during or after the proceedings.

 (6) Where the obliged entity suspects or knows that terrorist financing or money laundering or related criminal offences are being committed, the making of the transaction or official operation or the provision of the official service must be postponed until the submission of a report based on subsection 1 of this section. Where the postponement of the transaction may cause considerable harm, it is not possible to omit the transaction or it may impede catching the person who committed possible money laundering or terrorist financing, the transaction or official operation will be performed out or the official service will be provided and a report will be submitted to the Financial Intelligence Unit thereafter.

 (7) Where relevant, the Financial Intelligence Unit gives obliged entities feedback on their performance of the duty to report and on the use of the received information.

§ 50.  Place and form of performance of duty to report

 (1) A report is submitted to the Financial Intelligence Unit of the contracting state of the European Economic Area on whose territory the obliged entity has been established.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) A report is submitted via the online form of the Financial Intelligence Unit or via the X-road service.

 (3) The data used for identifying the person and verifying the submitted information and, if any, copies of the documents are added to the report.

 (4) Requirements for the contents and form of a notice submitted to the Financial Intelligence Unit and the guidelines for the submission of a report are established by a regulation of the minister responsible for the field.

§ 51.  Confidentiality of report

 (1) The obliged entity, a structural unit of the obliged legal entity, a member of a management body and an employee is prohibited to inform a person, its beneficial owner, representative or third party about a report submitted on them to the Financial Intelligence Unit, a plan to submit such a report or the occurrence of reporting as well as about a precept made by the Financial Intelligence Unit based on §§ 57 and 58 of this Act or about the commencement of criminal proceedings. After a precept made by the Financial Intelligence Unit has been complied with, the obliged entity may inform a person that the Financial Intelligence Unit has restricted the use of the person’s account or that another restriction has been imposed.

 (2) The prohibition provided for in subsection 1 of this section is not applied upon submission of information to:
 1) competent supervisory authorities and law enforcement agencies;
 2) credit institutions and financial institutions in between themselves where they are part of the same group;
 3) institutions and branches that are part of the same group as the person specified in subsection 2 of this section where the group applies group-wide procedural rules and principles in accordance with § 15 of this Act;
 4) a third party who operates in the same legal person or structure as an obliged entity who is a notary, enforcement officer, bankruptcy trustee, auditor, attorney or other legal service provider, provider of accounting services or provider of advisory services in the field of accounting or taxation and whereby the legal person or structure has the same owners and management system where joint compliance is practiced.

 (3) The prohibition provided for in subsection 1 of this section does not apply to the exchange of information in a situation where it concerns the same person and the same transaction that involves two or more obliged entities that are credit institutions, financial institutions, enforcement officers, bankruptcy trustees, auditors, attorneys or other legal service providers, providers of accounting services or providers of advisory services in the field of accounting or taxation located in a contracting state of the European Economic Area or in a country where requirements equal to those of Directive (EU) 2015/849 of the European Parliament and of the Council are in force, act in the same field of profession and requirements equal to those in force in Estonia are implemented for keeping their official secrets and protecting personal data.

 (4) Where a notary, enforcement officer, bankruptcy trustee, auditor, attorney or other legal service provider, provider of accounting services or provider of advisory services in the field of accounting or taxation convinces a customer to refrain from unlawful acts, it is not deemed violation of the prohibition provided for in subsection 1 of this section.

 (5) For AML/CFT purposes, credit institutions and financial institutions may between themselves exchange information on high-risk customers and transactions suspected of a criminal offence.

 (6) The exchange of information regulated in this section must be retained in writing or in a form reproducible in writing for the next five years and information is submitted to the competent supervisory authority at its request.

§ 52.  Discharge of liability

 (1) The obliged entity, its employee, representative and the person who acted on its behalf is not liable for damage caused to a person or customer participating in a transaction made in economic or professional activities, in performing an official operation or in the provision of an official service:
 1) upon performance of duties and obligations arising from this Act in good faith, from failing to make the transaction or from failing to make the transaction within the prescribed time limit;
 2) in connection with the performance of the duty to report provided for in § 49 of this Act in good faith;
 3) by implementing §§ 16 and 18 of this Act in good faith.

 (2) The performance of the duty to report arising from § 49 of this Act and submission of information by the obliged entity is not deemed breach of the confidentiality requirement arising from law or contract and the statutory or contractual liability for the disclosure of the information is not applied to the person who performed the duty to report. An agreement derogating from this provision is void.

 (3) Upon releasing to the Financial Intelligence Unit data and documents relating to the professional activities of a notary on the basis of a precept of the Financial Intelligence Unit specified in § 55 of this Act or upon performance of the duty to report specified in § 49, the notary is discharged from the confidentiality duty provided for in § 3 of the Notaries Act.

 (4) Taking into account its size and nature of activities, the obliged entity establishes an appropriate system of measures ensuring that the employees and representatives of the obliged entity who report of a suspicion of money laundering or terrorist financing or of a violation of this Act within the obliged entity are able to do so anonymously and are protected from being exposed to threats or hostile action by other employees, management body members or customers of the obliged entity, in particular from adverse or discriminatory employment actions.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 521.  Protection of originator of report

 (1) The Financial Intelligence Unit and the Financial Supervision Authority ensure the confidentiality of the fact of reporting of a violation of this Act as well as of a factor the reporting specified in § 49 of this Act and this fact may be disclosed only with the written consent of the natural person who filed the report.

 (2) The fact of reporting may be disclosed to the prosecutor’s office and the investigation body where there is a suspicion that the person who filed the report has violated the reporting obligation or committed a criminal offence.

 (3) If the natural person who filed a report is involved in offence proceedings as a witness, the provisions of the offence proceedings apply without compromising the confidentiality of the fact of reporting.

 (4) The employer is not allowed to treat an employee unequally because of a report specified in subsection 1 of this section.

 (5) The court or the labour dispute committee applies a shared burden of proof for the purpose of protection of the natural person who filed the report. The claimant or petitioner submits in the claim or petition the facts based on which it can be concluded that they have been treated unequally. Where the person against who the claim or petition has been filed does not prove otherwise, it is presumed that the originator of the report was treated unequally due to reporting. An agreement deviating from this subsection is void.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

Chapter 6 Financial Intelligence Unit 

§ 53.  Financial Intelligence Unit

 (1) The Financial Intelligence Unit is an independent structural unit of the Police and Border Guard Board. The Financial Intelligence Unit performs its duties arising from this Act independently and makes decisions concerning the actions provided for in this Act independently.

 (2) The Director General of the Police and Border Guard Board appoints the head of the Financial Intelligence Unit on a proposal of the Deputy Director General in the field of intelligence management and investigation for a term of five years.

 (3) The Police and Border Guard Board ensures the provision of the Financial Intelligence Unit with funds, technical equipment and staff required for performance of the duties prescribed by law.

§ 54.  Duties of Financial Intelligence Unit

 (1) The duties of the Financial Intelligence Unit:
 1) gathering, registration, processing and analysis of information referring to money laundering and terrorist financing;
 2) strategic analysis that covers the risks, threats, trends and ways of operation of money laundering and terrorist financing;
 3) tracing criminal proceeds and application of the enforcement powers of the state on the grounds and within the scope provided by law;
 4) supervision over the activities of obliged entities in complying with this Act, unless otherwise provided by law;
 5) informing the public about the prevention and identification of money laundering and terrorist financing, and preparing and publishing an aggregate overview at least once a year;
 6) AML/CFT cooperation with obliged entities, competent supervisory authorities and investigative bodies;
 7) training obliged entities’ staff, investigative bodies, prosecutors and judges in AML/CFT matters;
 8) organisation of international communication and exchange of information in accordance with § 63 of this Act;
 9) performance of duties arising from the International Sanctions Act;
 10) conducting misdemeanour proceedings provided for in this Act;
 11) processing applications for authorisations, suspending or prohibiting business activities or suspending or revoking an authorisation in accordance with the procedure set out in the General Part of the Economic Activities Code Act, taking account of the variations of this Act.

 (2) Upon application of clause 1 of subsection 1 of this section, it is verified whether the data submitted to the Financial Intelligence Unit is important for countering, identifying or pre-litigation investigation of money laundering, related criminal offences and terrorist financing.

 (3) The Financial Intelligence Units analyses and verifies information about suspicions of money laundering and terrorist financing, takes measures for preservation of property where necessary and immediately forwards materials to the competent authorities upon identification of elements of a criminal offence. The competent authority immediately notifies the Financial Intelligence Unit of the seizure, non-seizure and release of seized property in accordance with the procedure established in the Code of Criminal Procedure.

§ 541.  Reports submitted to Financial Intelligence Unit

 (1) Credit and financial institutions and persons subject to supervision exercised by the Financial Intelligence Unit under subsection 1 of § 64 of this Act submit to the Financial Intelligence Unit reports containing information necessary for the performance of the statutory functions.

 (2) The collection and submission of the information specified in subsection 1 of this Act may also be organised with the help of governmental authorities, state authorities and public legal persons. The principle of the single submission of information must be adhered to regarding the obliged entity.

 (3) The requirements for the content and originator of reports submitted to the Financial Intelligence Unit and the procedure for submission are established by a regulation of the minister responsible for the field.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 55.  Administrative decisions of Financial Intelligence Unit

 (1) The Financial Intelligence Unit issues precepts and other administrative decisions in order to perform the duties arising from law.

 (2) A precept made on the basis of § 57 of this Act, which is aimed at stopping a transaction or restricting the use of an account or other property as well as a precept aimed at obtaining information on circumstances, transactions and persons related to a suspicion of money laundering or terrorist financing does not set out its factual grounds. The facts on the basis of which the precept is issued are set out in a separate document.

 (3) The person whose transaction was stopped or the use of whose account or other property was restricted by a precept has the right to examine the document setting out the facts. The Financial Intelligence Unit has the right to refuse to grant access to the document where:
 1) it would impede AML/CFT efforts;
 2) the disclosure of the information contained in the document is against the law or international agreements, including restrictions established in international cooperation;
 3) it would jeopardise the establishment of the truth in criminal proceedings.

 (4) An administrative decision of the Financial Intelligence Unit is signed by the head or deputy head of the Financial Intelligence Unit or by an official authorised by the head of the Financial Intelligence Unit. Upon signature by an authorised official, the number and date of the document granting the right of signature and the place where the document can be accessed are indicated next to the signature.

 (5) A claim against an administrative decision or step of the Financial Intelligence Unit is filed with the administrative court. Upon contesting a precept specified in subsection 2 of this section, the Financial Intelligence Unit submits to the administrative court a separate document setting out the facts, which gives the reasons for making the precept, establishing relevant restrictions thereto.

§ 56.  Guidelines of Financial Intelligence Unit

 (1) The Financial Intelligence Unit has the right to issue advisory guidelines to explain AML/CFT legislation.

 (2) The Financial Intelligence Unit issues guidelines regarding the characteristics of suspicious transactions.

 (3) The Financial Intelligence Unit issues guidelines regarding the characteristics of transactions suspected of terrorist financing. The guidelines are coordinated with the Estonian Internal Security Service beforehand.

 (4) The guidelines of the Financial Intelligence Unit are published on its website.

§ 57.  Stopping of transaction, restriction of disposal of property and transfer of property to state ownership

 (1) In the event of suspicion of money laundering or terrorist financing, the Financial Intelligence Unit may issue a precept to stop a criminal activity or, at the request of the financial intelligence unit of another country, to suspend a transaction or impose restrictions on the disposal of property on an account, property kept on an account or property constituting the object of the transaction, official operation or official service or other property suspected of being associated with money laundering or terrorist financing for up to 30 calendar days as of the delivery of the precept. In the event property registered in the land register, ship register, central securities depository, motor register, register of construction works or another state register, the Financial Intelligence Unit may, in the event of justified suspicion, restrict the disposal of the property for the purpose of ensuring its preservation for up to 30 calendar days.

 (2) Before expiry of the period specified in subsection 1, a transaction may be made or the restriction of disposal of an account or other property may be derogated from only with the written consent of the Financial Intelligence Unit.

 (3) On the basis of a precept, the Financial Intelligence Unit may, in addition to the period specified in subsection 1 of this section, restrict the disposal of property for the purpose of ensuring its preservation for additional 60 calendar days where:
 1) upon verification of the origin of the property in the event of suspicion of money laundering, the possessor or owner of the property fails to prove to the Financial Intelligence Unit the legal origin of the property within 30 calendar days following the suspension of the transaction or the establishment of the restriction on use of the account or on disposal of other property;
 2) there is suspicion that the property is used for terrorist financing.

 (4) In enforcement or bankruptcy proceedings it is prohibited to transfer property on which a restriction has been imposed by the Financial Intelligence Unit or which has been seized during the validity of the restriction in accordance with the procedure provided for in the Code of Criminal Procedure.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (5) Where property has been seized in accordance with the Code of Criminal Procedure, the Financial Intelligence Unit is required to immediately lift the restrictions on the disposal of the property after a court order on the seizure of the property has entered into force.

 (6) Where the owner of the property or, in the event of property held on the account, also the beneficial owner of the property has not been established, the Financial Intelligence Unit may ask the administrative court for permission to restrict the disposal of the property until the owner or beneficial owner of the property has been established and the Financial Intelligence Unit may ask the same also upon termination of criminal proceedings, but not for more than one year.

 (7) Where, within one year following the imposing of restrictions on the use of the property, the owner of the property or the beneficial owner of the property held on the account has not been identified or where the possessor of the property informs the Financial Intelligence Unit or the Prosecutor’s Office of the desire to give up the property, the Financial Intelligence Unit or the Prosecutor’s Office may ask the administrative court for permission to transfer the property to state ownership. The property is sold in accordance with the procedure provided for in the Code of Enforcement Procedure and the sum earned from the sale is transferred to state revenue. The owner of the property has the right to recover the sum transferred to the state revenue within a period of three years following the day on which the property was transferred to the state revenue.

 (8) In the case of property held on an account, the account holder is deemed to be the possessor of the property upon implementation of subsections 6 and 7 of this section and their right of ownership is not presumed.

 (9) The restriction of the disposal of property registered in the land register, ship register, central securities depository, motor register, register of construction works and in other state register is ensured by the registrars in the first order of priority and immediately, without any additional steps taken by the Financial Intelligence Unit.

 (10) Where the legal origin of the property in the case of suspicion of money laundering or the absence of a link between the property and terrorist financing in the case of suspicion of terrorist financing is proven before the expiry of the time limit specified in subsection 1, 3 or 6 of this section, the Financial Intelligence Unit will be required to immediately terminate the restrictions of use of the property.

§ 58.  Requesting information

 (1) To perform the duties arising from law, the Financial Intelligence Unit has the right to receive information from the competent supervisory authorities, other state authorities and local authority agencies and, based on a precept, from obliged entities and third parties by the deadline set by the Financial Intelligence Unit.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (11) To perform the functions arising from this Act, the Financial Intelligence Unit has the right to receive the information specified in subsections 11–15 of § 81 of this Act via the electronic seizure system specified in § 631 of the Code of Enforcement Procedure.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) The addressee of a precept is required to comply with the precept and to submit the requested information, including any information subject to banking or business secrecy, within the time limit set in the precept. The information is submitted in writing or in a form reproducible in writing.

 (3) In order to prevent money laundering, the Financial Intelligence Unit has the right to obtain, pursuant to the procedure provided by legislation, relevant information, including information collected by surveillance, from any surveillance agency by the deadline set by the Financial Intelligence Unit. Where the Financial Intelligence Unit wishes to forward information collected by way of surveillance to other authorities, the Financial Intelligence Unit must obtain written consent from the agency that provided the information.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (4) This section does not apply to an attorney, unless the attorney provides the services specified in subsection 2 of § 2 of this Act or a report given by the attorney to the Financial Intelligence Unit does not meet the established requirements, is not accompanied by the required documents or is accompanied by documents that do not meet the requirements.

§ 59.  Interbase cross-usage of data

  In order to perform the duties arising from law, the Financial Intelligence Unit has the right to make enquiries to and to receive data from state and local government databases and databases maintained by persons in public law, in accordance with the procedure provided by law.

§ 60.  Restrictions on use of data

 (1) Only an official of the Financial Intelligence Unit has access to and the right to process the information in the Financial Intelligence Unit database. On the basis of this Act, the head of the Financial Intelligence Unit may establish restrictions on access to information, classifying information as information for internal use. The staff of the Financial Intelligence Unit and other persons who have access to the information contained in the database of the Financial Intelligence Unit are required to keep information known to them about money laundering or terrorist financing confidential for an unspecified period of time.

 (2) To prevent or identify money laundering or terrorist financing or criminal offences related thereto and to facilitate pre-litigation investigation thereof, the Financial Intelligence Unit must forward significant information, including information subject to tax and banking secrecy to the Prosecutor’s Office, the investigative body and the court.

 (3) Data registered in the Financial Intelligence Unit is only forwarded to the authority engaged in the pre-litigation proceedings, the prosecutor and the court in connection with criminal proceedings or on the initiative of the Financial Intelligence Unit where it is necessary for the prevention, identification and investigation of money laundering or terrorist financing and criminal offences relating thereto as well as in administrative court proceedings where a request of the Financial Intelligence Unit or a claim or protest filed against a step or administrative decision of the Financial Intelligence Unit is decided.

 (4) The Financial Intelligence Unit may notify the competent supervisory authority of the breach of the requirements of this Act by an obliged entity or, based on a relevant request, forward data registered in the Financial Intelligence Unit, analyses and assessments to the extent that does not violate restrictions established by law, an international agreement or in international cooperation, where it is necessary for AML/CFT or related criminal offences, performance of the statutory duties of the competent supervisory authority or attainment of the purposes of this Act.

 (5) The Financial Intelligence Unit has the right to forward the information specified in subsection 4 of this section to the Tax and Customs Board for proceedings related to a gambling activity licence.

 (6) With the permission of the head of the Financial Intelligence Unit persons whose involvement is required to perform the duties of the Financial Intelligence Unit may be granted temporary access to data required for performing the duty to the sufficient extent. The provisions of subsections 1–5 of this section and § 61 of this Act applicable to an official of the Financial Intelligence Unit apply to the rights and competences of a person who has obtained the permission.

 (7) In an individual case, the Financial Intelligence Unit may forward to the compliance officer of the obliged entity the data registered in the Financial Intelligence Unit to the required and sufficient extent for the purpose of taking joint AML/CFT measures or measures for prevention of related criminal offences.

 (8) The Financial Intelligence Unit has the right to establish restrictions on the use of forwarded data and the user of the data must follow the restrictions.

 (9) The documents and records of the Financial Intelligence Unit, which are to be handed over to the National Archives in accordance with the law, are handed over after the passing of 30 years and thereafter the documents and records will be deleted from the database of the Financial Intelligence Unit. Until handing over to the National Archives, documents and records are kept in the Financial Intelligence Unit.

 (10) The procedure for registration and processing of data gathered by the Financial Intelligence Unit is established by a regulation of the minister responsible for the field.

§ 61.  Requirements for official of Financial Intelligence Unit

 (1) Only a person with impeccable reputation, the required experience, abilities, education and high moral qualities may be appointed as an official of the Financial Intelligence Unit.

 (2) An official of the Financial Intelligence Unit is required to maintain the confidentiality of information made known to them in connection with their official duties, including information subject to banking secrecy, even after the performance of their official duties or the termination of a service relationship connected with the processing or use of the information.

§ 62.  Cooperation between Financial Intelligence Unit and Internal Security Service

 (1) The Financial Intelligence Unit and the Security Police Board cooperate in investigation of transactions suspected of terrorist financing through mutual official assistance and exchange of information.

 (2) The Director General of the Security Police Board appoints a compliance officer who has the right to receive information of any and all reports of suspicion of terrorist financing equally to an official of the Financial Intelligence Unit and to make proposals for requesting additional information, where necessary.

 (3) The compliance officer of the Internal Security Service is involved in performing the duties provided for in clauses 1, 4, 6 and 7 of subsection 1 of § 54 of this Act and their rights and competence are regulated by the provisions of subsections 1–5 of § 60 and § 61 of this Act, which are applicable to an official of the Financial Intelligence Unit.

 (4) The compliance officer of the Internal Security Service has the right to exercise the supervision provided for in this Act jointly with an official of the Financial Intelligence Unit.

§ 63.  International exchange of information

 (1) The Financial Intelligence Unit has the right to exchange information and conclude cooperation agreements with a foreign authority that performs the duties of a financial intelligence unit (hereinafter other financial intelligence unit) or a foreign law enforcement or supervisory agency as well as with an international organisation or institution.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (11) The Financial Intelligence Unit appoints an employee who is responsible for accepting requests for information sent by financial intelligence units located in other contracting states of the European Economic Area.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) The Financial Intelligence Unit has the right, on its own initiative or at request, to send and receive to and from another financial intelligence unit any information that the other financial intelligence unit may need in AML/CFT efforts and in processing or analysing information relating to natural or legal persons involved in money laundering or terrorist financing.

 (3) A request for information sent to a foreign financial intelligence unit by the Financial Intelligence Unit contains the circumstances of requesting the information, a description of the background, the reasons for the request and information on how they intend to use the requested information.

 (4) Upon implementation of subsections 2 and 3 of this section, the Financial Intelligence Unit may use secure communication channels.

 (5) When the Financial Intelligence Unit receives a report on persons and connections of another contracting state of the European Economic Area on the basis of subsections 1 and 2 of § 49 of this Act, the Financial Intelligence Unit immediately forwards the information thereon to the financial intelligence unit of the respective contracting state.

 (51) If responding to a request for information received from the financial intelligence unit located in another contracting state of the European Economic Area calls for the acquisition of additional information from an obliged entity, the Financial Intelligence Unit acquires the information immediately.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (6) When exchanging the information provided for in this section, the Financial Information Unit may, upon communication of information, establish restrictions on and conditions of the use of information and the recipient of the information must follow the established restrictions.

 (7) The Financial Intelligence Union may refuse to exchange information only in exceptional cases where the exchange of information is clearly outside the aims of AML/CFT, might harm criminal proceedings, clearly and disproportionately harms the legitimate interests of a natural or legal person or the Financial Intelligence Unit, is otherwise in conflict with the general principles of national law or does not contain the circumstances of requesting the information, a description of the background, the reasons for the request or information on how the requested information is to be used.

 (71) The Financial Intelligence Union may refuse to forward information to the financial intelligence unit of another contracting state of the European Economic Area only where the exchange of information is clearly outside the aims of AML/CFT or it might harm criminal proceedings or where the unit requesting information has not clarified the circumstances of requesting the information, a description of the background, the reasons for the request or information on how the requested information is to be used.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (8) The Financial Intelligence Unit ensures the use of information received from another financial intelligence unit on the basis of a request in accordance with the restrictions established by the other unit, asking for the other unit’s prior consent to using the information in another manner, where necessary.

 (9) The Financial Intelligence Unit ensures that the consent to disseminate the information communicated based on a request is granted immediately and to the highest extent possible. The Financial Intelligence Unit that has received a request may refuse to grant consent to the dissemination of the information to the requested extent where it is clearly outside the aims of AML/CFT, might harm criminal proceedings, clearly and disproportionately harms the legitimate interests of a natural or legal person or the Financial Intelligence Unit or is otherwise in conflict with the general principles of national law. The restriction of dissemination of information is explained.

 (10) The Financial Intelligence Unit immediately grants the financial intelligence unit of another contracting state of the European Economic Area permission to disseminate the information communicated on the basis of the request to other competent authorities of the respective state. The permission may be refuses where the dissemination of information is clearly outside the AML/CFT aims or it would have criminal proceedings. The restriction of the dissemination of information is explained.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

Chapter 7 Supervision 

§ 64.  Supervisory authorities

 (1) The Police and Border Guard Board or the Financial Intelligence Unit exercises state supervision over compliance with this Act and legislation adopted on the basis thereof, unless otherwise provided for in this section.

 (2) The Financial Supervision Authority exercises supervision over compliance with this Act and legislation adopted on the basis thereof by credit institutions and financial institutions that are subject to its supervision under the Financial Supervision Authority Act and in accordance with the legislation of the European Union. The Financial Supervision Authority exercises supervision in accordance with the procedure provided for in the Financial Supervision Authority Act, taking account of the variations provided for in this Act. The Financial Supervision Authority exercises supervision over the credit institutions and financial institutions specified in the first sentence of this subsection in all the fields of activity specified in § 2 of this Act and in the provision of the services specified in § 6.

 (3) The board of the Estonian Bar Association (hereinafter Bar Association) exercises supervision over compliance with this Act and legislation adopted on the basis thereof by the members of the Bar Association on the basis of the Bar Association Act, taking account of the provisions of this Act.

 (4) The Ministry of Justice exercises supervision over compliance with this Act and legislation adopted on the basis thereof by notaries on the basis of the Notaries Act, taking account of the provisions of this Act. The Ministry of Justice may delegate supervision to the Chamber of Notaries.

 (5) The Financial Supervision Authority, the board of the Bar Association, the Ministry of Justice and the Chamber of Notaries cooperate with the Financial Intelligence Unit based on the purposes of this Act.

 (6) The supervisory authorities have the right to exchange information and cooperate with the supervisory authorities of other countries based on the duties provided for in this Act.

 (7) A supervisory authority has the right to involve experts, interpreters and advisors in exercising supervision, provided that the compliance of such person with the requirements specified in subsection 1 of § 61 of this Act is ensured.

§ 65.  Application of state supervisory measures and imposition of penalty payment

 (1) To exercise state supervision provided for in this Act, the Police and Border Guard Board and the Financial Intelligence Unit may apply the special measures of state supervision provided for in §§ 30–32, 35, 50 and 51 of the Law Enforcement Act, taking account of the variations provided for in this Act and in the Financial Supervision Authority Act.

 (2) Where the obliged entity is a credit institution or financial institution, the maximum penalty payment in the event of failure to comply or improper compliance with an administrative decision is:
 1) in the case of a natural person, up to 5000 euros the first time and up to 50 000 euros any next time in order to force the person to perform one and the same duty or obligation, but not more than 5 000 000 euros in total;
 2) in the case of a legal person, up to 32 000 euros the first time and up to 100 000 euros any next time in order to force the person to perform one and the same duty or obligation, but not more than the higher of 5 000 000 euros or 10 per cent of the total annual turnover of the legal person according to the latest available annual accounts approved by its management body.

 (3) Where the legal person specified in clause 2 of subsection 2 of this section is a parent undertaking or a subsidiary of such parent undertaking who must prepare consolidated annual accounts, either the annual turnover or the total turnover of the field of the breach that served as the basis for the given administrative decision or precept according to the latest available consolidated annual accounts approved by the highest-level management body of the parent undertaking is considered the legal person’s total annual turnover.

 (4) Where persons not specified in subsections 2 and 3 of this section fail to comply with an administrative decision or improperly comply therewith, the maximum penalty payment is:
 1) 5,000 euros in the case of a natural person;
 2) up to 32,000 euros in the case of a legal person.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 66.  Rights of administrative supervision authority

 (1) The administrative supervision authority has the right to inspect the seat or the place of business of obliged entities. The supervisory authority has the right to enter a building and a room that is in the possession of the obliged entity in the presence of a representative of the inspected person.

 (2) In the event of on-site inspection, the administrative supervision authority has the right to:
 1) without limitations examine the required documents and data media, make extracts, transcripts and copies thereof, receive explanations regarding them from the obliged entity, and monitor the work processes;
 2) receive oral and written explanations from the inspected obliged entity, members of its management body and employees.

 (3) The administrative supervision authority has the right to demand that an obliged entity submit information required for inspection also without carrying out an on-site inspection.

§ 67.  Duties of supervisory authority

 (1) Where the Financial Supervision Authority, the Police and Border Guard Board, the board of the Bar Association, the Ministry of Justice or the Chamber of Notaries, upon exercising supervision, identifies a situation whose characteristics refer to a suspicion of money laundering or terrorist financing, it will immediate notify the Financial Intelligence Unit thereof based on § 49 of this Act.

 (11) If the Financial Supervision Authority has, based on information or materials gathered in the course of financial supervision, above all, when assessing the organisation of the management, business model or activities of a credit institution or an investment firm, reasonable grounds to suspect that money has been or is being laundered or terrorism has been or is being financed in the credit institution or investment firm or that the credit institution or investment firm is involved in money laundering or terrorist financing or has committed an attempt thereof or there is a heightened risk of money laundering or terrorist financing in the credit institution or investment firm, the Financial Supervision Authority immediately informs the Financial Intelligence Unit and the European Banking Authority thereof.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (12) In the event provided for in subsection 1 of this section, the Financial Supervision Authority and the Financial Intelligence Unit cooperate to attend to the possible heightened risk of money laundering or terrorist financing and notify the European Banking Authority of their joint assessment without delay.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) The Financial Supervision Authority, the board of the Bar Association and the Ministry of Justice must submit to the Financial Intelligence Unit by 15 April information about:
 1) the number of supervisory proceedings carried out in the preceding calendar year and the number of obliged entities covered by supervision based on the types of entities;
 2) the number of breaches detected upon exercising supervision in the preceding calendar year, the number of persons against whom misdemeanour proceedings were initiated or other measures were applied, and the legal grounds per obliged entity.

 (3) The Police and Border Guard Board, the Financial Intelligence Unit and the Financial Supervision Authority publish on their websites the final decision made in a misdemeanour case provided for in Chapter 10 of this Act or an administrative decision, precept or decision to impose a penalty payment made in accordance with the procedure established in this Chapter immediately after it has entered into force. At least the type and nature of the breach, the details of the person responsible for the breach and information on appealing against and annulment of the decision or precept is given on the website. The entire information must remain available on the website for at least five years.

 (4) Upon assessment of the facts, the Police and Border Guard Board, the Financial Intelligence Unit and the Financial Supervision Authority has the right to postpone the publication of the final decision in a misdemeanour case or a relevant administrative decision or not to disclose the identity of the offender for the purpose of protection of personal data as long as at least one of the following criteria is met:
 1) the publication of the data jeopardises the stability of financial markets or pending proceedings;
 2) the disclosure of the person responsible for the misdemeanour would be disproportionate to the imposed penalty.

 (5) Upon assessment of the facts, the Police and Border Guard Board, the Financial Intelligence Unit and the Financial Supervision Authority has the right not to publish the final decision made in the misdemeanour case or the relevant administrative decision where the options specified in subsection 4 of this section are deemed insufficient to ensure the stability of financial markets or the publishing of the decisions would be disproportionate in the case of a measure considered less important.

§ 68.  Reporting of inspection results

 (1) The Financial Supervision Authority must prepare a report on the inspection results, which is communicated to the inspected person within the time limit provided for in the Act regulating the activities of the credit institution or financial institution. Another administrative supervision authority must prepare a report on the inspection results, which is communicated to the inspected person within one month after the inspection.

 (2) The report must contain the following details:
 1) the name of the inspection;
 2) the job title and given name and surname of the author of the inspection report;
 3) the place and date of preparation of the report;
 4) reference to the provision serving as the basis for the inspection;
 5) the given name and surname and the job title of the representative of the inspected person or the possessor of the building or room who attended the inspection;
 6) the given name and surname and the job title of another person who attended the inspection;
 7) the start and end time and the conditions of the inspection;
 8) the process and results of the inspection with the required level of detail.

 (3) The report is signed by its author. The report remains with the administrative supervision authority and a copy thereof to the inspected person or its representative.

 (4) The inspected person has the right to submit written explanations within seven days as of the receipt of the report.

§ 69.  Supervision over activities of Financial Intelligence Unit

 (1) The Data Protection Inspectorate exercises supervision over the legality of the processing of information registered in the Financial Intelligence Unit.

 (2) To assess the Financial Intelligence Unit’s personal data processing process, the Data Protection Inspectorate has the right to access the guidelines and procedures of the Financial Intelligence Unit and receive written and oral clarifications. In the course of deciding a complaint filed by a data subject, the Data Protection Inspectorate has the right to receive data from the Financial Intelligence Unit to the extent required for making a decision on the complaint.

 (3) Supervisory control over the lawfulness of the activities of the Financial Intelligence Unit is exercised by the Police and Border Guard Board.

 (4) The Director General of the Police and Border Guard Board and an official authorised by them has the right to access data registered in the Financial Intelligence Unit for the purpose of exercising supervisory control to the required extent.

 (5) The provisions of subsections 1–5 of § 60 and § 61 of this Act regarding an official of the Financial Intelligence Unit apply to an official exercising supervisory control.

Chapter 8 Authorisation and Prohibition to Provide Services 
[RT I, 10.07.2020, 1 - entry into force 20.07.2020]

§ 70.  Authorisation obligation

 (1) An undertaking is required to have authorisation for operating in the following areas of activity:
 1) operating as a financial institution;
 2) providers of trust and company services;
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]
 3) providing pawnbroking services;
 4) providing a virtual currency service;
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]
 5) [Repealed – RT I, 31.12.2019, 2 – entry into force 10.03.2020]
 6) buying-in or wholesale of precious metals, precious metal articles or precious stones, except precious metals and precious metal articles used for production, scientific or medical purposes.

 (2) A person who holds the following is not subject to the authorisation obligation:
 1) authorisation granted by the Financial Supervision Authority;
 2) obligation to apply for the Financial Supervision Authority’s authorisation under another Act;
 3) authorisation granted by the financial supervision authority of a contracting state of the European Economic Area based on which the person is authorised to operate in Estonia via a branch or across borders, provided that the Financial Supervision Authority has been notified of such operations, or
 4) who provides the services specified in subsection 1 of this section within the group.

 (3) In addition to the information required in the General Part of the Economic Activities Code Act, an application for authorisation must contain the following data and documents:
 1) the address of the place of provision of the service, including the website address;
 2) the name and contact details of the person in charge of provision of the service with regard to all the places of provision of the service specified in clause 1 of this subsection;
 3) where the undertaking that is a legal person has not been registered in the Estonian commercial register: the name of the owner of the undertaking, the owner’s registry code or personal identification code (upon absence thereof, the date of birth), the seat or place of residence; the beneficial owner’s name, personal identification code (upon absence thereof, the date of birth), the place of birth, and the address of the place of residence;
 4) the name, personal identification code (upon absence thereof, the date of birth), place of birth and the address of the place of residence of a member of the management body or a procurator of the service provider who is a legal person, unless the service provider is an undertaking registered in the Estonian commercial register;
 5) the rules of procedure and internal control rules drawn up in accordance with §§ 14 and 15 of this Act and, in the case of persons having specific duties listed in § 20 of the International Sanctions Act, the rules of procedure and the procedure for verifying adherence thereto drawn up in accordance with § 23 of the International Sanctions Act;
[RT I, 19.03.2019, 11 – entry into force 01.01.2020]
 6) the name, personal identification code (upon absence thereof, the date of birth), place of birth, citizenship, address of the place of residence, position, and contact details of the compliance officer appointed in accordance with § 17 of this Act;
 7) the name, personal identification code (upon absence thereof, the date of birth), place of birth, citizenship, the address of the place of residence, position and contact details of the person who is in charge of imposing the international financial sanction and who has been appointed by the undertaking in accordance with subsection 3 of § 20 of the International Sanctions Act;
[RT I, 19.03.2019, 11 – entry into force 01.01.2020]
 8) where the undertaking, a member of its management body, procurator, beneficial owner or owner is a foreign national or where the undertaking is a foreign service provider, a certificate of the criminal records database or an equal document issued by a competent judicial or administrative body of its country of origin, which certifies the absence of a penalty for an offence against the authority of the state or a money laundering offence or another wilfully committed criminal offence and has been issued no more than three months ago and has been authenticated by a notary or certified in accordance with an equivalent procedure and legalised or certified with a certificate replacing legalisation (apostille), unless otherwise provided by an international agreement;
 9) where the undertaking, a member of its management body, procurator, beneficial owner or individual owner is a foreign citizen, copies of all of the identity documents of all of their countries of citizenship and the documents certifying the absence of the convictions, which are specified in clause 8 of this section;
[RT I, 31.12.2019, 2 – entry into force 10.03.2020
 10) regarding a member of a management body and a procurator of the undertaking, documents indicating the level of education, a full list of the employers and jobs and, in the case of a member of a management body, also the field of responsibility, also documents that the applicant considers important to submit to prove the trustworthiness of the member of the management body or procurator and the fact that the applicant has good business reputation;
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]
 11) the list of payment accounts kept in the name of the undertaking, along with each payment account’s unique feature and the account manager’s name.
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]

 (31) Where the documents issued by the country specified in clause 8 or 9 of subsection 3 of this section do not prove the absence of a conviction to the required extent, the documents must be accompanied by a statement given under oath by the person the absence of whose conviction needs to be proven.
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]

 (4) In the case of an application for authorisation in a field specified in clause 1 or 4 of subsection1 of this section, the details specified in subsection 3 of this section must be accompanied by information on which financial service or virtual currency service will be provided.
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]

 (5) Where the undertaking would like to use the authorisation also for the activities of a subsidiary, the undertaking must, in addition to the information required in the General Part of the Economic Activities Code Act, submit all the information regarding the subsidiary, which is specified in subsection 3 of this section and, where necessary, also the information specified in subsection 4 of this section.

 (6) The undertaking submits the applications, requests and notices related to the authorisation specified in subsection 1 of this section only via the Estonian information gateway or a notary in accordance with the single contact point principle.
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]

§ 71.  Granting of authorisation and refusal to grant authorisation

  [RT I, 31.12.2019, 2 – entry into force 10.03.2020]
An authorisation application is decided by the Financial Intelligence Unit by way of granting or refusing to grant authorisation not later than within 60 working days following the date of submission of the application. By a decision of the Financial Intelligence Unit, the time limit of granting the authorisation may be extended to up to 120 days.
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]

§ 72.  Object of inspection of authorisation

 (1) Authorisation is granted to an undertaking where:
 1) the undertaking, a member of its management body, procurator, beneficial owner and owner do not have any unexpired conviction for a criminal offence against the authority of the state, offence relating to money laundering or other wilfully committed criminal offence;
 11) the persons specified in clause 1 of this subsection have good business reputation;
 2) the compliance officer appointed by the undertaking on the basis of § 17 of this Act meets the requirements provided for in this Act;
 3) the undertaking’s subsidiary whose activities the authorisation sought in the name of the undertaking is to be used for meets the requirements specified in clauses 1 and 2 of this section;
 4) the registered seat, the seat of the management board and place of business of the undertaking applying for authorisation in the field of activity specified in clause 4 of subsection 1 of § 70 of this Act is in Estonia or a foreign company operates in Estonia via a branch that is registered in the commercial register and the place of business and the seat of the head of which is Estonia;
 5) a payment account has been opened for the undertaking applying for authorisation in the field of activity specified in clause 4 of subsection 1 of § 70 of this Act in a credit institution, e-money institution or payment institution that has been established in Estonia or in a contracting state of the European Economic Area and provides cross-border services in Estonia or has established a branch in Estonia;
 6) the share capital of the undertaking applying for authorisation in the field of activity specified in clause 4 of subsection 1 of § 70 of this Act is at least 12,000 euros and has been contributed in full.

 (2) Whether the business reputation is good is assessed by the issuer of the authorisation, taking into account the person’s prior activities and related circumstances. The existence of good business reputation is presumed where circumstances calling into doubt are absent.
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]

§ 73.  Obligation to enclose documents with notice of intention to change business activity

  Where an undertaking submits a notice of intention to change its business activity regarding itself, a member of its management body, procurator, beneficial owner or owner, the document specified in clause 8 of subsection 3 of § 70 of this Act must be enclosed with the notice where the undertaking is a foreign service provider or the member of its management body, procurator, beneficial owner or owner is a foreign national.

§ 74.  Obligation to notify of change of circumstances relating to business activities

  In a notice of the intention to change the business activity and in a notice of the change of the business activity the undertaking describes which circumstances that form a part of the object of inspection of the authorisation or relate to the secondary conditions of the authorisation have changed or are to be changed or the undertaking submits, regarding its subsidiary that will commence economic activities within the object of regulation of the authorisation, all the information specified in subsection 3 of § 70 of this Act and the information specified in clauses 1–3, 5 and 6 of subsection 1 of § 15 of the General Part of the Economic Activities Code Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 75.  Revocation of authorisation

  In addition to the grounds provided for in subsection 1 of § 37 of the General Part of the Economic Activities Code Act, the Financial Intelligence Unit will revoke authorisation specified in subsection 1 of § 70 of this Act where:
 1) the Financial Supervision Authority has granted authorisation to the undertaking;
 2) the undertaking repeatedly fails to follow the precepts of the supervisory authority;
 3) the undertaking has not commenced operation in the requested field of activity within six months from the issue of the authorisation;
 4) the undertaking does not comply with the effective conditions of granting an authorisation and the non-compliance has not been eliminated within the time limit granted for such purpose by a precept and thereby the time limit must not be shorter than 30 days.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 751.  Prohibition to provide services

  An undertaking that has or the supervisory board or management board member or beneficial owner of which has an unexpired conviction for an economic criminal offence or a criminal offence against property, the state or public trust is prohibited to provide a service in the fields specified in clauses 4, 41, 7 and 8 of § 2 of this Act.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

Chapter 9 DATA OF BENEFICIAL OWNER OF LEGAL PERSON AND LIABILITY ACCOUNT 

§ 76.  Duty to keep data of beneficial owner

 (1) A legal person in private law gathers and retains data on its beneficial owner, including information on its right of ownership or manners of exercising control. The data of the beneficial owner is kept in the commercial register by the management board of the private legal person.

 (2) To enable the performance of the duty specified in subsection 1 of this section, the shareholders or members of a private legal person must provide the management board of the legal person with all the information known to them about the beneficial owner, including information on its right of ownership or manners of exercising control.

 (3) The duty specified in subsection 1 of this section does not apply to:
 1) an apartment association provided for in the Apartment Ownership and Apartment Associations Act;
[RT I, 17.11.2017, 2 – entry into force 01.01.2018]
 2) a building association provided for in the Building Association Act;
 3) a company listed on a regulated market;
 4) a foundation provided for in the Foundations Act the purpose of whose economic activities is the keeping or accumulating of the property of the beneficiaries or the circle of beneficiaries specified in the articles of association and who has no other economic activities;
 5) a branch.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 77.  Submission of data

 (1) Based on subsections 2–4 of § 9 and § 76 of this Act, a general partnership, limited partnership, private limited company, public limited company or commercial association submits via the commercial register information system the following data on its beneficial owner:
 1) the person’s name, personal identification code and the country of the personal identification code (upon absence of a personal identification code, the date and place of birth), and the country of residence;
 2) nature of the beneficial interest held.

 (2) Based on subsection 7 of § 9 of this Act, a non-profit association submits via the commercial register information system the following data on its beneficial owner:
 1) the person’s name, personal identification code and the country of the personal identification code (upon absence of a personal identification code, the date and place of birth), and the country of residence;
 2) nature of the beneficial interest held.

 (3) Based on subsection 7 of § 9 of this Act, a foundation submits via the commercial register information system the following data on its beneficial owner:
 1) the person’s name, personal identification code and the country of the personal identification code (upon absence of a personal identification code, the date and place of birth), and the country of residence;
 2) nature of the beneficial interest held;
 3) the list of beneficiaries within the meaning of § 9 of the Foundations Act, which contains each beneficiary’s name, personal identification code and the country of the personal identification code (upon absence of a personal identification code, the date and place of birth), and the country of residence, where such persons have been specified in the articles of association of the foundation.

 (4) A company, non-profit association or foundation must submit the data of the beneficial owner along with the application for registration in the commercial register.

 (5) Where the submitted data changes, the company, non-profit association or foundation submits new data via the commercial register information system not later than within 30 days after learning of the changes in the data.

 (6) Where the data of the beneficial owner has not changed, the company, non-profit association or foundation certifies the correctness of the data upon submission of the annual report.

§ 78.  Publication of data

 (1) The data of the beneficial owner are made public in the commercial register information system.

 (2) The fees for issuing the data of a beneficial owner are established by a regulation of the minister responsible for the field.

 (3) The data of the beneficial owner is issued free of charge to the obliged entity, a government agency, the Financial Supervision Authority and to a court.

§ 79.  Beneficial owner’s right to demand correction of submitted data

 (1) The person indicated as the beneficial owner or their legal or contractual representative has the right to request that the management board of the legal person correct incorrect data.

 (2) Where the management board of the legal person has without reason refused to correct the incorrect data as requested on the basis of subsection 1 of this section, the person indicated as the beneficial owner may demand that the legal person compensate for damage caused by making incorrect data public.

§ 80.  Deletion of data

  The data of the beneficial owner is deleted automatically five years after deleting the legal person from the register.

§ 81.  Mandatoriness of automated communication of liability account information

 (1) A credit institution or a financial institution that has opened for a customer a payment account (hereinafter account) that has an International Bank Account Number (IBAN) or let a safe-deposit box must ensure that at least the details specified in subsections 11–15 of this section are available via the electronic seizure system specified in § 631 of the Code of Enforcement Procedure.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (11) The following is made available regarding an account holder and a safe-deposit box lessee:
 1) name;
 2) personal identification code and the state that issued it or, upon absence thereof, the date and state of birth or the registry code;
 3) postal address.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (12) The following is made available on a person authorised to use an account:
 1) name;
 2) personal identification code and the state that issued it or, upon absence thereof, the date and state of birth;
 3) postal address;
 4) the date of the beginning and end of the authorisation and the substance of the right of use.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (13) The following is made available regarding the beneficial owner of an account holder:
 1) name;
 2) personal identification code and the state that issued it or, upon absence thereof, the date and state of birth;
 3) the country of residence.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (14) The following is made available regarding an account:
 1) IBAN;
 2) the date of opening the account;
 3) the date of closing the account.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (15) The following details of a contract of use of a safe-deposit box are made available in the case of a safe-deposit box:
 1) number;
 2) date of conclusion;
 3) date of termination.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) For the purposes of this section, IBAN (International Bank Account Number) means an international account feature that complies with the EVS 876:2016 standard and whose elements have been determined by the International Organization for Standardization and that uniquely identifies an individual account in a Member State.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (3) The availability of the details specified in subsections 11, 14 and 15 is ensured regarding an existing account and a valid safe-deposit box contract as well as an account closed and a contract of use of a safe-deposit box terminated during a five-year period preceding the receipt of an inquiry.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (4) The availability of the details specified in subsection 12 of this section is in the case of an existing account ensured regarding a five-year period preceding the receipt of an inquiry.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (5) The availability of the details specified in subsection 13 of this section is in the case of an existing account ensured as of the moment of responding to the inquiry.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

Chapter 10 LIABILITY 

§ 82.  Giving of order not to implement money laundering and terrorist financing due diligence measures, risk assessment, procedural rules and internal control rules

 (1) The penalty for giving an order by a management board member of the obliged entity not to implement due diligence measures, the risk assessment specified in § 13 of this Act, procedural rules or the internal control rules is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 83.  Opening of anonymous account or savings book or safe-deposit box

  [RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (1) The penalty for making a decision to open an anonymous account or a savings book or a safe-deposit box for concluding a respective contract, whereby the obliged entity was a credit or financial institution, is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400,000 euros.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 84.  Failure to perform duty to identify person and verify person’s identity

 (1) The penalty for a breach by an obliged entity, its management board member or employee of the duty provided for in this Act to identify and verify the identity of a customer or a person participating in an occasional transaction or the representative of a person is a fine of up to 300 fine units or detention.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 85.  Breach of duty to identify beneficial owner

 (1) The penalty for a breach by an obliged entity or its management board member or an employee of the duty provided for in this Act to identify the beneficial owner and verify their identity is a fine of up to 300 fine units or detention.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 86.  Breach of requirements for gathering and assessing information

 (1) The penalty for a breach of the requirements for gathering information on the purpose and nature of a business relationship or an occasional transaction by an obliged entity, its management board member or employee is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 87.  Breach of requirements for making of transaction with politically exposed person

 (1) The penalty for a breach of the requirements for making a transaction with a politically exposed person by an obliged entity, its management board member or employee is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 88.  Violation of prohibition to establish business relationship and make occasional transaction

 (1) The penalty for violation by an obliged entity, its management board member or employee of the prohibition to establish a business relationship and make an occasional transaction is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 89.  Breach of duty to monitor business relationship

 (1) The penalty for a breach by an obliged entity, its management board member or employee of the duty provided for in this Act to monitor a business relationship is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 90.  Violation of prohibition to outsource activity

 (1) The penalty for outsourcing an activity by an obliged entity or its management board member to a person established in a high-risk third country is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 91.  Breach of correspondent communication requirements

  [RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (1) The penalty for establishing a correspondent relationship by breaching the requirements provided for in this Act is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 92.  Breach of duty to report suspicion of money laundering or terrorist financing

 (1) The penalty for a breach of the duty to notify the Financial Intelligence Unit of a suspicion of money laundering or terrorist financing, a foreign exchange transaction or another transaction where a pecuniary obligation exceeding 32 000 euros or an equal amount in another currency is performed in cash is a fine of up to 300 fine units or detention.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 93.  Illegal notification of data forwarded to Financial Intelligence Unit

 (1) The penalty for illegal notification of a person, their representative, the person’s beneficial owner or the public by the obliged entity, its management board member, compliance officer or employee or by an employee of a supervisory authority about a report or data submitted to the Financial Intelligence Unit regarding them or about a precept made by the Financial Intelligence Unit regarding them or about the commencement of criminal proceedings instituted against them is a fine of up to 300 fine units or a short-term custodial sentence.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 94.  Breach of requirement to register and retain data

 (1) The penalty for a breach of the requirement to register and retain data provided for in this Act is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 941.  Violation of obligation to notify of change of circumstances relating to economic activities and termination of economic activities

 (1) The penalty for a breach of the obligation to notify of a change of the circumstances relating to the object of inspection or the secondary conditions of the authorisation specified in subsection 1 of § 70 of this Act, the obligation of advance notification of the intention to change the aforementioned circumstance or the obligation to notify of the termination of the activities of a service provider is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400,000 euros.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 942.  Violation of prohibition to provide services

 (1) The penalty for violation of the prohibition to provide a service specified in § 751 of this Act is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400,000 euros.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 943.  Violation of reporting obligation

 (1) The penalty for violation of the reporting obligation established on the basis of § 541 of this Act is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400,000 euros.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 95.  Failure to submit data of beneficial owner or submission of false data

 (1) The penalty for failure by a shareholder or member of a private legal person or a trustee to submit the details of the beneficial owner or for failure to report on a change of the details or for knowingly submitting false information, where it has caused a situation where the obliged entity cannot apply the due diligence measure provided for in clause 3 of subsection 1 of § 20 of this Act has been caused, is a fine of up to 300 fine units.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

 (2) The penalty for the same act committed by a legal person is a fine of up to 32,000 euros.

§ 96.  Breach of duties of payment service provider

 (1) The penalty for failure by an executive or employee of a payment service provider or by an executive or employee of a paying agent or a natural person paying agent to identify, verify or information relating to a payer as well as for a breach of the duties of a payment service provider established in Regulation (EU) No 2015/847 of the European Parliament and of the Council is a fine of up to 300 fine units.

 (2) The penalty for the same act committed by a legal person is a fine of up to 400 000 euros.

§ 97.  Proceedings

  Extrajudicial proceedings of misdemeanours specified in this Chapter are the Police and Border Guard Board and the Financial Supervision Authority.

Chapter 11 IMPLEMENTING PROVISIONS 

§ 98.  Follow-up analysis of implementation of Act

  By 31 December 2018, the Ministry of Finance will analyse the practicality and purposefulness of implementation of the real-time interview requirement regarding the establishment of a business relationship and the sufficiency of the provisions regulating the submission of the information of beneficial owners and, where necessary, submit proposals for amendment of legislation to the Finance Committee of the Riigikogu.

§ 981.  Transitional provisions concerning transformation of Financial Intelligence Unit into governmental authority

 (1) As of 1 January 2021, the functions, rights and competence of the Financial Intelligence Unit which has operated as a structural unit of the Police and Border Guard Board (hereinafter in this section PBGB FIU) and those of its officials transfer to the Financial Intelligence Unit and its officials in the area of government of the Ministry of Finance.

 (2) The legal succession specified in subsection 1 of this section also applies to participation in international organisations, cooperation agreements as well as to the access that the Financial Intelligence Unit and its officials have to all of the national registers, databases and information systems.

 (3) Until 1 January 2021, the PBGB FIU continues to perform its functions, including to represent the Financial Intelligence Unit in international organisations, cooperation agreements, domestic organisations and proceedings.

 (4) The information, case files, databases and data media at the disposal of and held by the PBGB FIU are handed over to the Financial Intelligence Unit in the area of government of the Ministry of Finance not later than on 1 January 2021.

 (5) Administrative proceedings and supervision operations instituted on the basis of this Act or the International Sanctions Act before 1 January 2021, which continue after 1 January 2021 are completed by the Financial Intelligence Unit in the area of government of the Ministry of Finance.

 (6) In the case of misdemeanour proceedings initiated by the PBGB FIU before 1 January 2021 on the basis of this Act and the International Sanctions Act, the out-of-court proceedings authority is, as of 1 January 2021, the Financial Intelligence Unit in the area of government of the Ministry of Finance.

 (7) In the case of a complaint against an administrative decision or operation of the PBGB FIU filed with an administrative court before 1 January 2021 the Financial Intelligence Unit in the area of government of the Ministry of Finance is the party to the proceedings instead of the PBGB FIU as of 1 January 2021.

 (8) The officials of the PBGB FIU whose functions and position do not change are transferred for an unspecified period to a position in the Financial Intelligence Unit in the area of government of the Ministry of Finance as of 1 January 2021 on the basis of clause 1 of subsection 1 of § 98 of the Civil Service Act.

 (9) The police officers of the PBGB FIU whose functions and position do not change are, based on their written consent, released from police service and transferred for an unspecified period to a position in the Financial Intelligence Unit in the area of government of the Ministry of Finance as of 1 January 2021 on the basis of clause 1 of subsection 1 of § 98 of the Civil Service Act, taking into account the specifics of this section.

 (10) As of 1 January 2021, the head of the PBGB FIU is transferred to the position of the head of the Financial Intelligence Unit in the area of government of the Ministry of Finance until the expiry of the time limit arising from a decree of the Director General of the Police and Border Guard Board by which they were appointed to office, applying the provisions of the Police and Border Guard Act. A public competition specified in subsection 2 of § 53 of the version of this Act that enters into force of 1 January 2021 for the appointment of the head of the Financial Intelligence Unit will be carried out by 15 October 2020.

 (11) Upon transfer of a police officer based on subsections 9 and 10 of this section, the counting of their length of police service continues and they retain the right to the police officer’s superannuated pension in accordance with § 1111 of the Police and Board Guard Act, provided that they hold a position in the Financial Intelligence Unit in the area of government of the Ministry of Finance or in the police service.

 (12) The right of a police officer to the police officer’s superannuated pension specified in subsection 11 of this Act does not depend on the length of the police service immediately preceding the attainment of the retirement age or on retirement from the police service.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 99.  Variation of application of due diligence measures by gambling operator

  Until 31 August 2018, a gambling operator applies due diligence measures at least in the case of payment of winnings, making of bets or both where the amount given or received by a customer is at least 2000 euros or an equal sum in another currency.

§ 100.  Duty to re-apply provisions to existing customer relationships

  Where necessary, the obliged entity applies the due diligence measures specified in Chapter 3 of this Act to the existing customers over a period of one year from the entry into force of the Act. Upon assessment of the need to apply the due diligence measures, the obliged entity relies on, inter alia, the importance of the customer and the risk profile as well as the time that has passed from the previous application of the due diligence measures or the scope of their application.

§ 1001.  Verification of details of beneficial owner

  Obliged entities apply the due diligence measure specified in subsection 21 of § 20 of this Act to customers with whom they have established a lasting business relationship before the entry into force of this section, within one year after the entry into force of this section.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 101.  Deadline of updating risk assessment and procedural rules

 (1) The obliged entity must bring its activity into compliance with the requirements of this Act within one year as of the entry into force of this Act.

 (2) A person subject to the authorisation obligation specified in subsection 1 of § 70 of this Act submits to the Police and Border Guard Board a risk assessment specified in § 13 of this Act and the corresponding rules of procedure and the internal control rules within one year from the entry into force of this Act.

§ 102.  Information on existing outsourcing contract

  The obliged entity submits to the competent supervisory authority informational on an outsourcing contract in force at the time of entry into force of this Act in accordance with the procedure provided for in subsection 4 of § 24 of this Act within five months from the entry into force of this Act and notifies the competent supervisory authority about amendment of the contract for the purpose of bringing it into compliance with the requirements of this Act.

§ 103.  Authorisation of provider of service of alternative means of payment

 (1) Within eight months following the entry into force of this Act, an undertaking holding the authorisation of a provider of a service of an alternative means of payment notifies the Police and Border Guard Board about whether it wishes to change its authorisation to that of a provider of the service of exchanging virtual currency against a fiat currency. Upon receipt of a relevant notification, the Police and Border Guard Board makes, within 30 working days following the day of submission of the application, a decision to grant the authorisation without the obligation to pay the state fee and without additionally verifying the facts falling within the object of inspection of the authorisation.

 (2) The authorisation of a provider of a service of alternative means of payment becomes invalid nine months after the entry into force of this Act.

§ 104.  Duty to report of legal person registered in commercial register or in register of non-profit associations and foundations

  The management board of a legal person registered in the commercial register or the register of non-profit associations and foundations before the entry into force of this Act declares to the commercial register the data of the beneficial owner within 60 days following the entry into force of this provision.

§ 1041.  Application of prohibition to provide services

  A person specified in § 751 of this Act who started providing the services specified in the same section before the entry into force of the section brings their activities into compliance with the requirements of the section not later than by 31 December 2020.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 1042.  Ensuring access to data via electronic seizure system

  Credit and financial institutions must perform the obligations specified in subsections 1, 3, 4 and 5 of § 81 of this Act as of 10 September 2020.
[RT I, 10.07.2020, 1 – entry into force 20.07.2020]

§ 105.  Form of performance of duty to report

  Until 30 June 2018, a report specified in subsection 2 of § 50 of this Act is submitted orally, in writing or in a form reproducible in writing. Where a report was submitted orally, it will be repeated the next working day in writing or in a form reproducible in writing.

§ 106. – § 111. [Omitted from this text.]

§ 112.  Repeal of Money Laundering and Terrorist Financing Prevention Act

  The Money Laundering and Terrorist Financing Prevention Act (RT I 2008, 3, 21) is repealed.

§ 113.  Amendment of Money Laundering and Terrorist Financing Prevention Act

  In clause 2 of subsection 9 of § 9 and in clause 1 of subsection 3 of § 76 of the Money Laundering and Terrorist Financing Prevention Act, the words ‘Apartment Association Act’ are replaced with the words ‘Apartment Ownership and Apartment Associations Act.’

§ 114. – § 118. [Omitted from this text.]

§ 1181.  Equivalence of authorisation of provider of virtual currency service

  The authorisation of a provider of a service of exchanging a virtual currency against a fiat currency and the authorisation of a virtual currency wallet service provider granted on the basis of this Act is considered equivalent to the authorisation of a virtual currency service provider.
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]

§ 1182.  Brining operations of undertaking holding valid authorisation into compliance with version of this Act adopted on 11 December 2019

 (1) An undertaking that has been granted authorisation on the basis of this Act is required to bring its operations and documents into compliance with the requirements provided for in clauses 9–11 of subsection 3 of § 70 and clauses 11, 4, 5 and 6 of subsection 1 of § 72 of the version of this Act adopted on 11 December 2019 not later than by 1 July 2020.

 (2) If an undertaking fails to bring its operations into compliance with the law within the time limit set in subsection 1 and to submit the documents, the Financial Intelligence Unit will revoke the undertaking’s authorisation.
[RT I, 31.12.2019, 2 – entry into force 10.03.2020]

§ 119.  Entry into force of Act

 (1) Subsection 3 of § 19 and §§ 76–80 of this Act enter into force on 1 September 2018.

 (2) Section 113 of this Act enters into force on 1 January 2018.

 (3) Sections 81 and 95 of this Act enter into force on 1 January 2019.

/otsingu_soovitused.json