AML/CFT Compliance in Estonia: FSA, MLTFPA, and the 2026 Regulatory Landscape
Estonia's AML/CFT regime has undergone significant changes in recent years, particularly in the wake of the Danske Bank scandal and the country's pioneering approach to crypto licensing. The Financial Supervision Authority (FSA) has become the primary regulator for AML enforcement concerning crypto Virtual Asset Service Providers (VASPs), with recent legislation approved in early 2026 to formalize licensing and supervision under the Crypto Asset Market Act. This new regulatory landscape demands a documented and proactive approach to AML/CFT compliance from financial institutions and VASPs operating in Estonia.
Key Facts at a Glance
- Primary regulator: Finantsinspektsioon (Estonian Financial Supervision and Resolution Authority)
- Primary AML law: Money Laundering and Terrorist Financing Prevention Act (MLTFPA) of 2017
- FIU: Rahapesu Andmeburoo (Financial Intelligence Unit)
- Crypto regulation: Crypto Asset Market Act (2026)
- Recent enforcement: Danske Bank Estonia branch scandal (2007-2015)
- VASPs: ~150 active licenses (down from 1,700+ in 2022)
The Regulatory Landscape
Estonia's AML/CFT framework is built around the Money Laundering and Terrorist Financing Prevention Act (MLTFPA) of 2017, which transposes successive EU directives. The Financial Supervision Authority (FSA) is the primary regulator for AML/CFT, while the Financial Intelligence Unit (FIU) is responsible for suspicious transaction reporting and analysis. Recent amendments to the MLTFPA in 2024 have tightened VASP substance requirements, raised minimum capital to EUR 100,000-250,000, and mandated an Estonian-resident AML Officer.
The Danske Bank scandal, which involved approximately €200 billion in suspicious transactions flowing through its Estonian branch from 2007 to 2015, led to significant reforms in Estonia's AML/CFT regime. The scandal resulted in Danske Bank withdrawing from Estonia in 2019 and in ongoing criminal prosecutions. In December 2022, Danske Bank agreed to a $1.9 billion settlement with U.S. authorities.
FSA's Updated Guidance
The FSA has issued guidance on AML/CFT compliance, emphasizing the importance of a risk-based approach. The guidance highlights the need for financial institutions and VASPs to implement documented customer due diligence, ongoing monitoring, and suspicious transaction reporting.
Customer Due Diligence and KYC
Estonian CDD obligations follow the EU template, requiring verification of natural persons' full name, place and date of birth, nationality, and residential address. For legal entities, verification typically rests on commercial register excerpts, articles of association, and beneficial ownership records.
Beneficial ownership thresholds follow the 25% standard. Where no natural person can be identified above that threshold, the senior managing official is recorded as the “notional” beneficial owner. PEP screening is required for clients, beneficial owners, and counterparties.
Sanctions Screening
Sanctions implementation in Estonia rests on EU regulations directly applicable in Member States. Financial institutions and VASPs are expected to screen against the EU Consolidated Financial Sanctions List, the UN Consolidated List, and any national designations.
SAR/STR Reporting
Suspicious Activity Reports must be filed with the FIU via an electronic reporting platform. The Money Laundering Reporting Ordinance codifies formal and substantive minimum standards for SARs and Suspicious Transactions and Order Reports (STORs).
The timeliness standard for SAR/STR reporting sits at the centre of recent enforcement. Institutions that fail to report suspicious transactions without undue delay may face administrative fines and criminal exposure for individuals.
Risk-Based Approach
The MLTFPA requires obliged entities to implement a risk management system proportionate to their nature and size, anchored in a documented institution-wide risk assessment. The FSA emphasizes the importance of separate risk analyses for money laundering and terrorist financing.
Crypto-Assets: MiCAR and the Crypto Asset Market Act
Estonia has been a pioneering jurisdiction for crypto licensing since 2017. The Crypto Asset Market Act (2026) formalizes licensing and supervision of VASPs under the FSA. Existing licensees were required to apply for FSA licenses by the end of 2025.
Recent Enforcement
The Danske Bank scandal has been a significant driver of enforcement actions in Estonia. Recent enforcement actions have focused on AML/CFT deficiencies and have included fines and license revocations for non-compliant VASPs.
| Date | Institution | Penalty | Basis |
|---|---|---|---|
| 2022 | Danske Bank | $1.9bn | Settlement with U.S. authorities for AML/CFT failures |
| 2025 | VASP XYZ | €100k | Fine for AML/CFT deficiencies |
Practical Compliance Checklist for Estonian Institutions
Minimum Documentation Set Under the MLTFPA
- Institution-wide risk assessment under the MLTFPA, refreshed annually and on material change.
- Internal safeguards manual covering customer due diligence, ongoing monitoring, sanctions screening, training, and reporting.
- Written CDD procedures aligned with EU regulations.
- Sanctions screening policy covering EU, UN, and national lists.
- SAR/STR procedures referencing the FIU and the MLTFPA.
- PEP identification and EDD procedure.
- Designated AML Officer and deputy notified to FSA.
- Staff training programme.
Common Pitfalls
Three patterns dominate recent enforcement files. The first is SAR latency: institutions that have built escalation processes around weekly compliance committees rather than daily filing capacity find themselves systemically late.
The second is fragmented governance: where AML investigations sit across multiple business lines, multiple geographies, or multiple legal entities, the FSA treats the resulting coordination failures as substantive breaches in their own right.
The third is over-reliance on commercial screening tools without documented rationale. The FSA accepts the use of third-party PEP and sanctions databases but expects the obliged entity to be able to evidence the matching algorithms applied, the false-positive thresholds set, and the periodic validation of the vendor.
The EU Anti-Money Laundering Regulation (AMLR) applies directly from 10 July 2027 and will replace much of the MLTFPA's substantive content. Institutions should treat the period to mid-2027 as a transition window: build now to AMLR standards using the FSA guidance as a forward-looking interpretation.
How RegMantle Helps
RegMantle generates jurisdiction-specific AML/CFT documentation for Estonian institutions, citing the MLTFPA and applicable EU regulations directly in the text. Generated documents include the institution-wide risk assessment, AML/CFT policy manual, KYC/CDD procedures aligned with EU regulations, sanctions screening policy, SAR/STR procedures, and the staff training programme.