AML/KYC NOTICE
1. Purpose and Scope of This Notice
This AML/KYC Notice (“Notice”) explains the obligations of Company for Business OÜ (“we”, “us”, “our”, or the “Company”) under Estonian and European Union anti-money laundering and counter-terrorism financing legislation, and sets out what information and documentation we are required to collect from our clients as part of our legal compliance programme.
This Notice applies to all prospective and existing clients of the Company, including legal persons (companies, partnerships, foundations, and other entities) and, where applicable, their representatives, beneficial owners, and associated natural persons. As our services are provided exclusively to business clients (B2B), the obligations described in this Notice apply primarily to corporate and commercial relationships.
The purpose of this Notice is to:
- Inform clients of our legal obligations under the Money Laundering and Terrorist Financing Prevention Act (RahaPTS) and related legislation;
- Explain what information and documentation we are required to collect, verify, and retain;
- Describe the circumstances in which we may be required to apply enhanced measures or to decline or terminate a business relationship;
- Inform clients of their own obligations to cooperate with our compliance procedures;
- Provide transparency about how we handle information collected for AML/KYC purposes.
This Notice is not a substitute for legal advice. Clients who have specific questions about their own AML/CTF obligations should consult a qualified legal professional.
2. Legal Framework
The Company is classified as an “obligated entity” (kohustatud isik) under § 2 of the Money Laundering and Terrorist Financing Prevention Act of Estonia (Rahapesu ja terrorismi rahastamise tõkestamise seadus, “RahaPTS”) (RT I, 17.11.2017, 2, as amended). Specifically, the Company falls within the category of accountants and tax advisors providing services to third parties, which is a designated category of obligated entity under both the RahaPTS and the EU’s Fourth and Fifth Anti-Money Laundering Directives (Directives 2015/849/EU and 2018/843/EU), as transposed into Estonian law.
As an obligated entity, the Company is required to implement a risk-based approach to AML/CTF compliance in accordance with the following legislative and regulatory framework:
- The Money Laundering and Terrorist Financing Prevention Act (Rahapesu ja terrorismi rahastamise tõkestamise seadus, RahaPTS) (RT I, 17.11.2017, 2), the primary Estonian statute governing AML/CTF obligations;
- Directive (EU) 2015/849 of the European Parliament and of the Council (Fourth Anti-Money Laundering Directive, AMLD4), as amended by Directive (EU) 2018/843 (AMLD5) and Directive (EU) 2024/1640 (AMLD6);
- Regulation (EU) 2015/847 on information accompanying transfers of funds, and Regulation (EU) 2023/1113 (its recast), where applicable;
- Guidelines issued by the Financial Intelligence Unit of Estonia (Rahapesu andmebüroo, “RAB” or “FIU”) on the application of AML/CTF measures;
- Guidelines and opinions issued by the European Banking Authority (EBA) on risk-based supervision and customer due diligence;
- The Council of the European Union’s list of high-risk third countries and the FATF (Financial Action Task Force) lists of high-risk and monitored jurisdictions, which are taken into account in our risk assessments;
- Regulation (EU) 2016/679 (GDPR) and the Personal Data Protection Act (IKS), which govern the processing of personal data collected for AML/KYC purposes.
The Company maintains an internal AML/CTF compliance programme, including written internal policies and procedures, a risk assessment, employee training, and appointment of a responsible person for AML/CTF compliance, as required by §§ 14–14(5) of the RahaPTS.
3. Risk-Based Approach
In accordance with § 13 of the RahaPTS and the FATF’s risk-based approach methodology, the Company assesses the money laundering and terrorist financing risks associated with each client relationship and applies due diligence measures that are proportionate to the identified risk level. This means that the extent and intensity of the information and documentation we collect from a client depends on the risk profile of that client and the nature of the services to be provided.
The risk factors we take into account include, but are not limited to:
- The nature, legal form, and ownership structure of the client entity;
- The country or jurisdiction of incorporation, operation, or residence of the client and its beneficial owners, having regard to FATF and EU lists of high-risk jurisdictions and country-specific risk assessments;
- The nature, purpose, and expected pattern of the business relationship;
- The industry or sector in which the client operates, and any sector-specific risk factors;
- Whether the client or its beneficial owners are politically exposed persons (PEPs) or are associated with PEPs;
- Whether the client is subject to any sanctions, export control measures, or adverse media coverage;
- The source of funds and source of wealth of the client and its beneficial owners, where relevant;
- Any unusual or complex transaction patterns, or transactions without apparent economic purpose.
Based on this assessment, clients are assigned a risk level (standard, elevated, or high), which determines the due diligence measures applied. Risk assessments are reviewed periodically and whenever there is a material change in the client’s circumstances or the regulatory environment.
4. Customer Due Diligence (CDD) Measures
4.1 Standard Customer Due Diligence
In accordance with §§ 20–26 of the RahaPTS, we are required to apply standard customer due diligence (CDD) measures before establishing a business relationship with a new client. Standard CDD includes:
- Identifying the client and verifying its identity on the basis of reliable and independent source documents, data, or information;
- Identifying the beneficial owner(s) of the client and taking reasonable measures to verify their identity;
- Understanding the purpose and intended nature of the business relationship;
- Conducting ongoing monitoring of the business relationship, including scrutiny of transactions and regular updating of client information.
For legal persons (companies, foundations, etc.), identification and verification includes establishing and verifying the following:
- Full legal name, legal form, and registration number;
- Registered address and, if different, principal place of business;
- Country of incorporation and applicable law;
- Ownership structure and control structure, including a description of the chain of ownership;
- The identity of the legal representatives and persons authorised to act on behalf of the client;
- The identity and, to the extent required, verification of the identity of beneficial owners (as defined in Section 5 below).
4.2 Simplified Customer Due Diligence
Under § 33 of the RahaPTS, simplified customer due diligence (SDD) may be applied where the client, the business relationship, or the relevant transaction presents a lower risk of money laundering or terrorist financing, and where no high-risk factors are present. Simplified due diligence does not mean no due diligence — the Company still identifies and verifies the client, but may apply less intensive ongoing monitoring.
Simplified due diligence may be considered for clients that are, for example, publicly listed companies on regulated markets in the EU or EEA, or public bodies subject to public oversight and transparency requirements. The application of simplified due diligence is always subject to the Company’s own risk assessment and is not applied automatically.
4.3 Enhanced Customer Due Diligence
Under §§ 34–38 of the RahaPTS, enhanced customer due diligence (EDD) must be applied in higher-risk situations, including where:
- The client, its beneficial owners, or associated persons are politically exposed persons (PEPs), or are family members or close associates of PEPs, as defined in § 36 of the RahaPTS;
- The client or transaction involves a high-risk third country as designated by the European Commission under Article 9 of AMLD4, or a jurisdiction on the FATF list of high-risk or monitored jurisdictions;
- The business relationship or transaction is complex, unusually large, conducted in an unusual pattern, or has no apparent legitimate economic or lawful purpose;
- The client has provided incomplete, inconsistent, or potentially false information during the standard CDD process;
- The Company’s internal risk assessment identifies other specific high-risk factors warranting enhanced scrutiny.
Enhanced due diligence may include, in addition to standard CDD measures:
- Obtaining senior management approval before establishing or continuing the business relationship;
- Obtaining additional documentation on the source of funds and source of wealth of the client and its beneficial owners;
- Conducting more frequent and intensive ongoing monitoring of the business relationship and transactions;
- Requesting additional information on the purpose and nature of the business relationship;
- Consulting publicly available and commercial databases for adverse media, sanctions, and PEP screening.
5. Beneficial Ownership
A key requirement of the RahaPTS and the EU AML Directives is the identification of the beneficial owner(s) of a client entity. The beneficial owner (tegelik kasusaaja) is defined in § 9 of the RahaPTS as the natural person(s) who ultimately own or control the client, or on whose behalf a transaction or activity is being conducted.
For legal persons, the beneficial owner is generally:
- Any natural person who, directly or indirectly, holds more than 25% of the shares or voting rights in the legal person;
- Any natural person who, directly or indirectly, exercises control over the legal person through other means, including through the right to appoint or remove the majority of the management or supervisory board;
- Where no natural person can be identified on the above basis, or where there is doubt as to whether the person identified is the beneficial owner, the natural person(s) who hold the position of senior managing official(s) in the legal person.
For trusts, foundations, and similar legal arrangements, the beneficial owners include the settlor, trustee(s), protector(s), beneficiaries or class of beneficiaries, and any other natural person exercising effective ultimate control.
Clients are required to provide accurate and complete information on their beneficial ownership structure and to promptly notify the Company of any changes. Where the beneficial ownership structure is complex or involves multiple layers of ownership, the Company may request additional documentation or information to establish the ultimate beneficial owner(s) to its satisfaction.
Beneficial ownership information collected by the Company is cross-referenced, where appropriate, with information held in the Estonian Business Register (äriregister), which maintains a beneficial ownership register as required by § 72(1) of the RahaPTS and the Commercial Code (ÄS).
6. Politically Exposed Persons (PEPs)
The Company is required under §§ 36–38 of the RahaPTS to identify whether a client, its beneficial owners, or persons acting on its behalf are politically exposed persons (PEPs), or are family members or known close associates of PEPs.
A politically exposed person is defined in § 36(1) of the RahaPTS as a natural person who is or has been entrusted with a prominent public function, including:
- Heads of state, heads of government, ministers, and deputy or assistant ministers;
- Members of parliament or similar legislative bodies;
- Members of the governing bodies of political parties;
- Members of supreme courts, constitutional courts, or other high-level judicial bodies whose decisions are not subject to further appeal;
- Members of courts of auditors or the boards of central banks;
- Ambassadors, chargés d’affaires, and high-ranking officers in the armed forces;
- Members of the administrative, management, or supervisory bodies of state-owned enterprises;
- Directors, deputy directors, and members of the board or equivalent function of an international organisation.
Family members of a PEP include spouses or partners, children and their spouses or partners, and parents. Close associates include natural persons known to have joint beneficial ownership of legal entities or arrangements with a PEP, or who maintain a close business relationship with a PEP.
Where a client or its beneficial owner is identified as a PEP, the Company will apply enhanced customer due diligence as described in Section 4.3, obtain senior management approval before establishing or continuing the business relationship, and conduct enhanced ongoing monitoring for the duration of the relationship. A person who ceases to be a PEP remains subject to enhanced measures for at least 12 months following the end of their public function, during which time the Company assesses whether the risk associated with that person has sufficiently diminished to revert to standard measures.
7. Sanctions Screening
The Company conducts screening of clients and their beneficial owners against applicable sanctions lists as part of its customer due diligence and ongoing monitoring obligations. Sanctions screening is carried out at the onboarding stage and on a periodic and event-driven basis thereafter.
The sanctions lists and regimes against which screening is conducted include:
- EU restrictive measures (sanctions) as published in the Official Journal of the European Union, administered by the European External Action Service (EEAS);
- UN Security Council sanctions lists, as implemented in the EU by Council Regulations;
- OFAC (Office of Foreign Assets Control) SDN (Specially Designated Nationals) list, where relevant to the client’s jurisdictional exposure;
- HM Treasury (UK) Consolidated List of Financial Sanctions Targets, where relevant;
- Estonian national sanctions as may be adopted pursuant to applicable Estonian law.
If a client, its beneficial owner, or a person acting on its behalf is identified on a sanctions list, or if there are reasonable grounds to believe that a transaction may involve a sanctioned person, entity, or jurisdiction, the Company will immediately suspend the transaction or business relationship and take the steps required by applicable law, which may include reporting to the competent authority and refusing or terminating the business relationship.
Clients are under an obligation to notify the Company immediately if they become aware that they, their beneficial owners, or any persons associated with the business relationship become subject to any sanctions.
8. Documents and Information We Require
8.1 From Legal Persons (Companies and Other Entities)
When establishing a business relationship with a legal person, the Company will typically require the following documents and information. The specific requirements may vary depending on the client’s risk profile, legal form, and jurisdiction of incorporation:
- A current extract from the relevant business or companies register (e.g. Estonian Business Register extract, or equivalent from the jurisdiction of incorporation), dated no more than three months before submission;
- Articles of association or equivalent constitutional documents;
- A list of shareholders and their ownership percentages, and a description of the ownership and control structure, including any intermediate holding entities;
- Beneficial ownership information as described in Section 5, supported by documentary evidence where required;
- Identification documents (government-issued photo ID) for each beneficial owner who is a natural person, including full name, date of birth, nationality, and document number;
- Identification documents and authorisation documents (e.g. power of attorney or board resolution) for any natural person acting as the authorised representative of the client;
- A description of the client’s principal business activities, the industry in which it operates, and its main business partners or markets;
- Information on the intended purpose and expected nature of the business relationship, including the types of services to be provided and the expected volume and nature of transactions;
- Where relevant, information on the source of funds to be used in connection with the services;
- Any licences, permits, or authorisations required for the client’s regulated activities, where applicable.
8.2 Additional Documents for High-Risk Clients
For clients assigned a high-risk classification, or where enhanced due diligence applies, the Company may additionally require:
- Audited financial statements for the most recent financial year;
- Bank statements or other evidence of the source of funds and source of wealth;
- Detailed corporate structure charts showing all intermediate entities up to the ultimate beneficial owner level;
- Confirmation from the client’s bank or other regulated financial institution regarding the business relationship;
- Additional references or background information from credible and independent sources;
- A written explanation of the purpose of any specific transactions or activities that the Company considers unusual or complex.
8.3 Document Standards and Verification
All documents submitted for CDD purposes must be:
- Provided in Estonian or English, or accompanied by a certified translation into Estonian or English;
- Valid and current at the time of submission (time-sensitivity requirements apply as set out in the Company’s internal procedures);
- Submitted as clear, legible copies, either in electronic format (PDF or equivalent) or as certified copies of originals, as required by the Company;
- Certified or apostilled where required, particularly for documents issued in non-EU/EEA jurisdictions.
The Company reserves the right to verify information provided by clients against publicly available sources, commercial databases, and official registers. The Company may also seek confirmation from third parties where permitted and appropriate under applicable law.
9. Ongoing Monitoring
Customer due diligence is not a one-time exercise. Under § 15 of the RahaPTS, the Company is required to conduct ongoing monitoring of its business relationships. Ongoing monitoring includes:
- Scrutinising transactions and activities to ensure that they are consistent with the Company’s knowledge of the client, its business, its risk profile, and its source of funds;
- Keeping documents, data, and information collected during customer due diligence up to date by periodically reviewing and refreshing client files;
- Identifying and investigating any transactions or activities that appear unusual, complex, or inconsistent with the expected pattern of the business relationship;
- Re-assessing the client’s risk level whenever there is a material change in the client’s business, ownership structure, beneficial ownership, jurisdictional exposure, or other relevant circumstances;
- Updating screening against sanctions and PEP lists on a periodic and event-driven basis.
Clients are therefore required to notify the Company promptly of any changes in their company structure, ownership, beneficial ownership, principal business activities, or other information previously provided for CDD purposes. The Company may periodically request updated documentation and information from clients to fulfil its ongoing monitoring obligations.
The frequency and intensity of ongoing monitoring reviews are determined by the client’s assigned risk level. High-risk clients are subject to more frequent and intensive monitoring than standard-risk clients.
10. Suspicious Transactions and Reporting Obligations
The Company has a statutory obligation under § 49 of the RahaPTS to report to the Estonian Financial Intelligence Unit (Rahapesu andmebüroo, “RAB”) if it knows, suspects, or has reasonable grounds to suspect that:
- A transaction, activity, or funds involved in or connected with the business relationship are related to money laundering or terrorist financing;
- An attempted transaction is related to money laundering or terrorist financing, regardless of whether the transaction is ultimately completed;
- A client has provided false or misleading information during the CDD process, or has refused to provide required information without a legitimate explanation.
Suspicion may arise from a wide range of indicators, including but not limited to: unusual or complex transaction structures with no apparent legitimate purpose; transactions inconsistent with the client’s stated business; requests to process transactions through multiple unrelated accounts; involvement of high-risk jurisdictions; discrepancies between stated and actual business activities; or any other circumstances that, based on professional judgment, give rise to concern.
The Company is subject to a statutory prohibition on “tipping off” under § 57 of the RahaPTS. This means that once a suspicious transaction report (STR) has been filed with the RAB, or once the Company has decided to file such a report, the Company is legally prohibited from disclosing to the client or any associated person that a report has been made, that an investigation is ongoing, or that the Company has taken any related action. The Company cannot inform you if it has filed or is considering filing a report about you or your transactions.
This prohibition applies regardless of the outcome of any investigation and regardless of whether the suspicion is ultimately confirmed. The Company’s employees and representatives are legally protected from civil liability for reports made in good faith to the RAB, in accordance with § 58 of the RahaPTS.
11. Consequences of Non-Cooperation
The Company’s ability to establish and maintain a business relationship with a client is strictly contingent on the client’s cooperation with our AML/KYC compliance procedures. Specifically, the Company is required by law to decline to establish, or to terminate, a business relationship where:
- The client refuses or fails to provide the information and documentation required for customer due diligence within a reasonable time;
- The Company is unable to verify the identity of the client or its beneficial owners to its satisfaction;
- The client provides information that is false, inconsistent, or that cannot be corroborated against available sources;
- The client’s beneficial ownership structure is so complex or opaque that the Company cannot identify the ultimate beneficial owner(s) with reasonable confidence;
- The client is, or its beneficial owners are, on a sanctions list or are otherwise subject to restrictions that prevent the Company from providing services;
- The Company identifies circumstances that, in its professional judgment, give rise to an unacceptable risk of facilitating money laundering, terrorist financing, or other financial crime.
In the event that the Company declines to establish or decides to terminate a business relationship on AML/KYC grounds, the Company is not required to and, where the tipping-off prohibition applies, may not be able to disclose the specific reason for its decision. The Company’s decision in such matters is final and is made in good faith in accordance with its legal obligations.
Termination of a business relationship on AML/KYC grounds does not give rise to any claim against the Company for losses, damages, or expenses incurred by the client as a result of such termination.
12. Data Retention
In accordance with § 47 of the RahaPTS, the Company is required to retain all documents, data, and information collected in the course of customer due diligence and transaction monitoring for a minimum period of five (5) years following the end of the business relationship or the completion of an occasional transaction. This retention obligation applies regardless of whether a suspicious transaction report was filed.
The five-year retention period may be extended to ten (10) years where required by applicable law, a binding order of a competent authority, or ongoing legal proceedings.
Documents and information retained for AML/KYC purposes include:
- Copies of identification and verification documents for the client and its beneficial owners;
- Records of customer due diligence measures applied, including the basis for risk classification;
- Copies of transaction-related documents;
- Records of any suspicious transaction reports filed with the RAB;
- Records of any decisions made in connection with the business relationship, including decisions to apply enhanced due diligence or to decline or terminate a relationship;
- Correspondence and records relating to AML/KYC compliance for the relevant business relationship.
All personal data retained for AML/KYC purposes is processed in accordance with the GDPR and the IKS. The retention of such data is based on a legal obligation (GDPR Article 6(1)(c)) and, in certain cases, on the legitimate interests of the Company in defending against legal claims (GDPR Article 6(1)(f)). Further information about the processing of personal data is set out in our Privacy Policy.
Upon expiry of the applicable retention period, personal data collected for AML/KYC purposes will be securely deleted or anonymised in accordance with the Company’s data retention procedures.
13. Client Rights Regarding AML/KYC Data
Personal data collected and processed for AML/KYC purposes is subject to the GDPR and the IKS. As a data subject, you have the following rights in relation to such data, subject to certain limitations imposed by the RahaPTS and other applicable law:
- Right of access (GDPR Article 15): You have the right to request a copy of the personal data we hold about you for AML/KYC purposes, subject to exceptions where disclosure would prejudice the prevention or detection of financial crime.
- Right to rectification (GDPR Article 16): You have the right to have inaccurate personal data corrected. We encourage clients to promptly notify us of any changes to previously provided information.
- Right to erasure (GDPR Article 17): This right is limited in the context of AML/KYC data, as we are legally obliged to retain such data for the mandatory retention period under § 47 of the RahaPTS. We cannot erase data before the end of this period.
- Right to restriction of processing (GDPR Article 18): You may have the right to request restriction of processing in certain circumstances, subject to the legal obligations that require us to retain and process AML/KYC data.
- Right to object (GDPR Article 21): Where processing is based on legitimate interests, you may have the right to object. This right does not apply where processing is required by law.
It is important to note that the tipping-off prohibition under § 57 of the RahaPTS may limit our ability to respond fully to data access requests where doing so would reveal that a suspicious transaction report has been filed or that an investigation is ongoing. In such cases, we may withhold specific information from the access response as required by law.
To exercise any of your data rights in relation to AML/KYC data, please contact us using the details in Section 15. We will respond to your request within the timeframes prescribed by the GDPR.
14. Internal Compliance Programme
As required by §§ 14–14(5) of the RahaPTS, the Company maintains a formal internal AML/CTF compliance programme, which includes the following elements:
- A written risk assessment identifying and evaluating the money laundering and terrorist financing risks to which the Company is exposed in the course of its activities, updated at least every two years or whenever there is a material change in the Company’s risk environment;
- Written internal AML/CTF policies, controls, and procedures that are proportionate to the nature, scale, and complexity of the Company’s business, and that are approved by senior management;
- Designation of a responsible person (AML/CTF compliance officer) with sufficient authority and resources to implement and monitor the compliance programme;
- Regular training of employees and management on AML/CTF obligations, recognition of suspicious activity, and the Company’s internal procedures;
- Procedures for independent internal review or audit of the compliance programme to assess its effectiveness;
- Procedures for screening of new and existing employees against sanctions and PEP lists, and for assessing the suitability of employees to handle AML/CTF compliance functions;
- A whistleblower channel allowing employees to report concerns about potential AML/CTF breaches through a confidential internal mechanism.
The Company’s AML/CTF compliance programme is subject to the oversight of the Estonian Financial Intelligence Unit (RAB), which has supervisory authority over obligated entities in the accounting and tax advisory sector. The Company cooperates fully with the RAB and other competent authorities in the performance of their supervisory and investigative functions.
15. Contact Information
If you have any questions about this AML/KYC Notice, about the documents or information we require, or about how your personal data is processed in connection with our AML/KYC compliance obligations, please contact us:
- Company: Company for Business OÜ
- Registration number: 14589114
- Address: Tartu mnt 83-407, Kesklinna linnaosa, 10115 Tallinn, Harju maakond, Estonia
- Website: www.companyforbusiness.ee
For data protection enquiries specifically, please also refer to our Privacy Policy.
The competent supervisory authority for AML/CTF matters in Estonia is the Financial Intelligence Unit (Rahapesu andmebüroo, RAB):
- Address: Narva mnt 6, 15183 Tallinn, Estonia
- Telephone: +372 612 3900
- Email: [email protected]
- Website: www.politsei.ee/rahapesu
16. Updates to This Notice
We reserve the right to update this AML/KYC Notice at any time to reflect changes in applicable law, regulatory guidance, or our internal compliance procedures. Updates will be published on the Website with a revised effective date. Where changes are material and affect existing client relationships, we will notify affected clients in writing.
Clients are encouraged to review this Notice periodically. Continued engagement with the Company following any update constitutes acknowledgement of the revised Notice.
This AML/KYC Notice has been prepared in accordance with the Money Laundering and Terrorist Financing Prevention Act (RahaPTS), EU Anti-Money Laundering Directives (AMLD4/5/6), the GDPR, and related Estonian legislation. This document does not constitute legal advice. Company for Business OÜ, registration number 14589114.