Issuer: Rahandusminister
Type: määrus
In force from: 28.05.2018
In force until: 31.12.2020
Publication notation: RT V, 09.01.2019, 3

Requirements and procedure for identification of persons and verification of person’s identity data with information technology means

Passed 23.05.2018 No. 25


The regulation is established on the basis of subsections 14 (8) and 31 (6) of the Money Laundering and Terrorist Financing Prevention Act.

1. chapter General provisions

§ 1. Scope of application

() The regulation establishes the requirements and procedure for identification of persons and verification of persons’ identity with information technology means, including the specification of the information disclosure requirements of credit institutions and financial institutions (hereinafter service provider), the rules of procedure applicable upon the establishment of a business relationship and to the occasional conclusion of transactions using information technology means, requirements for activities related to the declarations of intent of the parties to a transaction, the organisation of questionnaire surveys and mandatory real-time interviews held upon establishment of a business relationship, conditions of processing of the photo of a person, and requirements for the quality of the synchronised audio and video stream during the procedures as well as for recording and for the reproducibility of recordings.

§ 2. Preconditions of identification of a person and data verification

(1) A service provider who uses information technology means for the identification of a person and verification of the person’s identity must use highly reliable technical means, which guarantee truthful identification of a person and make it possible to prevent the alteration or misuse of the forwarded data.

(2) Upon the identification of a person and verification of person’s identity with information technology means, a natural person or the legal representative of a legal entity provided in subsections 31 (1) and (2) of the Money Laundering and Terrorist Financing Prevention Act, who wants to establish a business relationship and occasionally conclude a transaction, must use a document intended for the digital identification of a person and issued on the basis of the Identity Documents Act or other high-confidence e-identification system, which has been added to the list published in the Official Journal of the European Union based on Article 9 of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, pp. 73–114), and an information technology means, which has a working camera, microphone, the hardware and software required for digital identification and an internet connection of adequate quality.

(3) Upon the identification of a person and verification of person’s identity, the service provider may use such information technology means that allow to compare biometric data.

(4) A natural person or the legal representative of a legal entity identifies themselves when entering the information system specified by the service provider and confirms upon the establishment of a business relationship and the conclusion of a transaction on occasional basis that they have read the information about the use of information technology mean s on the service provider’s website or in the specified information system and agree to the conditions of identification of a person and verification of person’s identity with information technology means.

(5) A natural person or the legal representative of a legal entity confirms with upon the establishment of a business relationship and the conclusion of a transaction on occasional basis that:
1) he or she carries out the procedures specified in the regulation personally, except for the cases stipulated in subsections 10 (3) and 11 (3);
2) the data submitted by him or her in the identification questionnaire specified in section 10 and in the course of the interview specified in section 11 are true and complete, and he or she is aware of the consequences associated with the submission of incorrect, misleading or incomplete information upon the establishment of a business relationship;
3) he or she meets the conditions established by the service provider for the establishment of business relationships and the conclusion of transactions on occasional basis.

(6) In addition to the obligations set out in subsection (5), a natural person or legal representative of a legal entity who uses the e-resident’s digital identity card or other high-confidence e-identification system provided in subsection (2) must also:
1) agree with the application of Estonian law;
2) show to the service provider in front of the camera the personal data page of the valid travel document issued by the foreign country.

§ 3. Unsuccessful identification of a person and verification of person’s identity data

(1) The identification of a person and verification of person’s identity with the help of information technology means upon the establishment of a business relationship is considered unsuccessful if:
1) the natural person or the legal representative of a legal entity has intentionally submitted data that do not correspond to the identification data entered in the identity documents database or do not coincide with the information or data obtained with other procedures;
2) the session expires or is interrupted during the identification of a person, the identification questionnaire or the interview, or the information flow that transmits synchronised sound and image does not comply with the requirements set out in section 5;
3) the natural person or the legal representative of a legal entity has not given the confirmations stipulated in subsections 2 (4) to (6);
4) the natural person or the legal representative of a legal entity refuses to comply with the service provider’s instructions specified in subsections 7 (2) and (3);
5) the natural person or the legal representative of a legal entity uses the assistance of another person without the service provider’s permission;
6) there are circumstances that give rise to suspicions of money laundering or terrorist financing.

(2) The session specified in clause (1) 2) expires when the natural person or the legal representative of the legal entity has not completed any activities in the service provider’s information system during a period of 15 minutes.

(3) In the event of the circumstances set out in subsection (1) the service provider rejects the application of the natural person or the legal representative of a legal entity for opening an account or conclusion of a transaction.

(4) In the event of the circumstances set out in clauses (1) 1) and 6) the service provider sends a notice to the Financial Intelligence Unit.

§ 4. Publication of information about the use of information technology means

() The service provider must publish information about the technical conditions for the identification of a person and verification of person’s identity with information technology means on its website or in the specified information system. At least the following facts must be presented in the published information:
1) a reference to the applicable legislative provisions;
2) the information that the identification of a person and verification of person’s identity with information technology means take place according to the procedure set out in section 31 of the Money Laundering and Terrorist Financing Prevention Act;
3) a warning that the identification of a person and verification of person’s identity does not oblige the service provider to establish a business relationship or guarantee the accessibility of services;
4) the conditions in the event of which the identification of a person and verification of person’s identity with information technology means is considered unsuccessful.

2. chapter Technical requirements for the information system of service provider

§ 5. Minimum requirements for the quality of information flow transmitting synchronised sound and image

(1) The information system of the service provider must allow for digital identification of a person and digital signing.

(2) The service provider must verify the quality of its own and, if possible, the client’s information flow and ensure that the transmission of clear, recordable and reproducible synchronised sound and image, which is sufficient to understand the transmitted content unambiguously and reliably, is guaranteed.

§ 6. Requirements for recording and reproducibility of recording

(1) The information flow containing image and sound is recorded in such a manner that allows for it to be reproduced with a quality equal to the initial transmission of synchronised sound and image.

(2) The information flow that contains image and sound must be recorded with the time stamp, the client’s IP address, the personal identification code of the person to be identified, if there is no personal identification code, then the birth date and place and country of residence, whilst the time stamp must be tied to the data concerning it in such a manner that any later changes in data, the person who made the changes, and the time, manner and reason thereof can be identified.

(3) The service provider is obliged to record the data collected with identification questionnaires and the following procedures in the manner specified in subsection (2):
1) the identification of the person;
2) the unsuccessful identification of a person and verification of person’s identity data as set out in section 3;
3) the carrying out of the mandatory real-time interview.

(4) The recording starts with the identification of the person and ends when the data specified in subsection (3) have been collected and the procedures specified in the same subsection have been carried out.

(5) The recordings containing the data and procedures specified in subsection (3) must be reproducible within five years of the end of the business relationship.

(6) The service provider has the right to record the identification questionnaire specified in section 10 as data stream containing image and sound.

§ 7. Requirements for framing the face and document of a person

(1) Upon identification of a person and verification of person’s identity data with information technology means, the person’s head and shoulders must be visible and framed. (1) The face must be clear of shadows and uncovered, and clearly distinguishable from the background and other objects, and recognisable.

(2) The service provider may instruct the person to change his or her body position and place themselves and the document in the frame to make it possible to identify the person and verify person´s identity, including to view the data or images on the document.

(3) The service provider has the right to require the removal of items covering the head or face and glasses or compliance with any other instructions of the service provider given in order to guarantee the identification of a person and verification of person’s identity data.

3. chapter Rules of procedure applicable upon the establishment of business relationship and occasional conclusion of a transaction

§ 8. Rules of procedure applicable upon the establishment of business relationship and occasional conclusion of a transaction

(1) Based on the service risks and following the procedural rules established on the basis of section 14 of the Money Laundering and Terrorist Financing Prevention Act, the service provider prepares the activity guidelines for the application of due diligence measures upon the establishment of a business relationship and the occasional conclusion of a transaction, and implements them.

(2) The fulfilment of the preconditions of identification of a person and verification of person’s identity data specified in sections 2 and 10 and the identification questionnaire are carried out by an employee of the service provider, a partner of the service provider or an automated system.

(3) The service provider is obliged to take measures in order to prevent the risks of the automated system being manipulated.

§ 9. Determination of the client profile and risk profile

(1) The service provider prepares the client profile and the risk profile as a part thereof on the basis of the activity guidelines and procedural rules specified in subsection 8 (1) and the identification questionnaire, interview and other accessible information, and the systematised collection and analysis of data and clarification of facts.

(2) The service provider prepares the client profile and risk profile in a format that can be reproduced in writing.

§ 10. Identification questionnaire

(1) The identification questionnaire is used to ascertain a natural person’s residential address, activity profile, area of activity, purpose and nature of establishment of a business relationship, connection of the person’s economic or family interests with Estonia, expected volumes of the services used by the person in appropriate cases, the beneficial owner, whether the person is a politically exposed person and other important information.

(2) The identification questionnaire is used to ascertain the legal entity’s business name, registry code, location and places of operation, including branches located in foreign countries, the entity’s legal form, legal capacity, lawful and contractual representatives, beneficial owner(s) and, if appropriate, whether the beneficial owner is a politically exposed person, economic connections with Estonia, contracting states of the European Economic Area and third countries, most important business partners, the legal entity’s activity profile, main and secondary areas of activity, purpose and nature of establishment of a business relationship and other important information.

(3) With the service provider’s permission, the natural person or the legal representative of a legal entity may use the assistance of another person to eliminate any technical problems when the identification questionnaire is carried out.

(4) The employee of the service provider must assess the answers given in the identification questionnaire and record his or her opinion and the circumstances that are the basis thereof in the client profile and risk profile specified in section 9.

(5) The service provider may waive a separate identification questionnaire if the information specified in subsections (1) and (2) is collected and the requirements specified in subsection (4) are complied with in the course of the interview. The service provider must establish the conditions for waiver of the separate identification questionnaire in the rules of procedure of the service provider to be prepared according to section 12.

§ 11. Interview

(1) In order to collect and verify the information and data required for the determination of the client profile, the employee of the service provider carries out an interview, during which the employee of the service provider asks partly structured questions, proceeding from the results of the identification questionnaire.

(2) The employee of the service provider must carry on the interview that is mandatory for the establishment of a business relationship in real time.

(3) With the service provider’s permission, the natural person or the legal representative of a legal entity may use the assistance of another person to eliminate any technical problems when the interview is carried out.

(4) The employee of the service provider must assess the client’s reaction during the interview, the reliability of the obtained information and data and compliance with the information and data obtained with other procedures, and record his or her opinion and the circumstances that are the basis thereof in the client profile and risk profile specified in section 9.

§ 12. Procedural rules for identification of persons and verification of person’s identity data with information technology means

(1) The service provider must establish procedural rules for identification of a person and verification of person’s identity data with information technology means, which contain at least the following:
1) the guidelines for carrying out the procedure of identification of a person with information technology mean s, including requirements for identification of a person and verification of the submitted data;
2) the guidelines for preparation of the identification questionnaire;
3) the guidelines for the service provider for preparation of the questions of the mandatory real-time interview and for carrying out the interview;
4) technical requirements for the quality of the information flow transmit ting synchronised sound and image, and for the inspection thereof;
5) requirements for the collection and updating of submitted data and preservation of data and recordings;
6) measures for inspecting the performance of the guidelines specified in clauses 1) to 5).

(2) The employee of the service provider must give an opinion of the results of the procedures specified in sections 2, 10 and 11 and make a proposal about the regime of monitoring business relationships to be applied to the client. The opinion of the employee of the service provider is the basis on which the decision to establish a business relationship is made.

Toomas Tõniste
Minister of Finance

Veiko Tali
Secretary General