The new law is characterized by risk assessment. Risk assessment takes place both at the national level and within the company. The national risk assessment provides precise guidelines, develops regulations that specify the law, and among other things, determines sectors, fields, transaction volumes and types, as well as countries or jurisdictions where obliged persons must apply simplified or enhanced due diligence measures.
Obliged persons, including accountants and members of the management board according to the law, must constantly consider, observe, and analyze whether the client, the client's business sector, activity area, and specific transaction are safe, or whether there are risks that require a response, additional information collection, and documentation. Therefore, in the context of the new law, risk analysis has become the most important internal document for a company.
The risk assessment must include at least the following categories:
- Risks related to the client
- Risks associated with geographical areas or jurisdictions
- Risks related to products, services, or transactions
- Risks associated with communication or intermediary channels between obliged persons and clients or related to the transmission channels of products, services, or transactions
Internal risk analysis within a company must be consistent with the national risk assessment and always correspond to the nature of the obliged person’s activities and risks. As a result of this analysis, the obliged person determines the money laundering and terrorism financing risks (risk areas) associated with their activities and classifies clients into risk categories.
In addition to risk assessment, obliged persons must establish procedural rules to effectively mitigate and manage risks identified in the risk assessment related to money laundering and terrorism financing. Among other things, these rules should describe due diligence measures and their implementation within the company. For accounting firms, this could become part of internal accounting regulations so that each accountant understands their responsibilities given the large volume of information in this field and can pay attention accordingly. When necessary, they can request additional information or documentation from clients.
Due diligence measures are divided into general measures, simplified measures, and additional measures. The choice of whether to apply simplified or additional due diligence depends on which risk category a particular client belongs to. General due diligence measures include verifying the identity of a client or involved person in a transaction and checking provided information against reliable and independent sources; understanding the nature of business relationships or specific transactions; and collecting additional information if necessary.
As an accounting firm, you have a legal right to request more information and documents from clients for better insight into transactions or partners. As a result of applying due diligence measures, it should be possible to determine the client’s risk profile. Based on this profile, further monitoring regimes for ongoing business relationships are defined as part of due diligence.
One of the most significant changes introduced by the new law is also the obligation to disclose data about beneficial owners. This is solely an obligation for members of management boards; since September 1st, 2018, all companies registered in Estonia must disclose data about their actual beneficial owners at the Business Register. For legal entities, an actual beneficial owner is considered a natural person who directly or indirectly owns more than 25% of shares or ownership rights in a company. Indirect ownership occurs when another company controlled by a natural person owns more than 25% of shares or ownership rights in that company.
If, during their economic or professional activities, an obliged person detects circumstances indicating possible use of proceeds from criminal activity, financing of terrorism or related crimes, or if they suspect or know that money laundering or terrorism financing is involved, or if they have doubts about such activities, they are obliged to report this to the Money Laundering Data Bureau (Rahapesu Andmebüroo) without delay, but no later than two working days after discovering such circumstances. Cases where it is impossible to identify a person involved (the actual owner), or where capital is formed from bearer shares/securities where establishing an ongoing business relationship is prohibited, must also be reported.
The new law also modifies liability provisions regarding violations of obligations set out in RAHPTS (the Estonian Financial Intelligence Unit). The maximum administrative fine for non-compliance with directives by obliged persons who are not credit institutions or financial institutions is up to twice the profit gained from violations if such profit can be determined; otherwise at least €1 million. Additionally, penalties for legal entities have been increased from €32,000 up to €400,000.
In summary: continuous monitoring of business relationships remains one of the best tools for both accountants and management board members. When necessary, it is important to properly request additional information and documentation. As an obliged person yourself, you should develop and implement procedures into your daily routine so that they become part of your professional or business mechanism, ensuring that nothing slips through unnoticed.