
Corporate compliance: key observations from regulatory survey

Corporate compliance in Estonia

Recently, the Estonian Financial Intelligence Unit (FIU) conducted a survey of corporate service providers in Estonia to assess their compliance with anti-money laundering and anti-terrorism regulations. The regulator has identified several deficiencies in the risk assessment and policy documents of these obligated parties.


It is important to note that the general principles and requirements regarding risk assessment are the same for all licensed companies, including corporate service providers. The FIU's observations are therefore similar to those identified during the supervision of other licensed entities, such as crypto service providers, which should start to operate under the CASP license stipulated in MiCA.


All licensed companies, including corporate service providers, are required to prepare a risk assessment and policy following the relevant regulations. The identified shortcomings in the risk assessment and policy documents highlight the importance of taking compliance seriously and seeking professional assistance when necessary.


Key observations of the survey


The risk assessment must be commensurate with the size of the company, the nature and scope of its activities, and the level of risk appetite. It should also reflect changes in the company and the associated risks. All risk assessment documents and appendices should be kept up to date.


The FIU found that not all risks related to service provision were hedged. In some cases, risks associated with the communication channels used by the company were not included in the risk assessment, even though the company offered services through different channels.

Therefore, the risk assessment must be customized to reflect all of the company's actual risk indicators. Additionally, it should include measures to mitigate the identified risks.


A flawed risk assessment can impact the quality of the risk proposal. One of the deficiencies identified by the FIU is that companies have failed to determine the quantitative level of risks they are willing to take in their business activities.

This means that companies have not quantified how many clients they are willing to serve with a specific risk. For example, a company may state that it serves clients from high-risk areas, but it does not specify how many such clients can be served or the enhanced due diligence measures required to mitigate the risks of money laundering and terrorist financing.


Risk assessment and risk appetite should be subject to regular updates. If the company's customer base, transaction volume, or number of employees increases, or it expands its services to a new geographical area or field, the risks should be reassessed accordingly.

The greater the risk associated with a client, the more comprehensive the measures needed to understand the client's risk profile and to verify whether the client's transactions or business relationships are consistent with their actual activities, abilities, and needs.

