Anti-Money Laundering Policy
Company for Business OÜ is committed to the prevention of money laundering and terrorist financing and operates in full compliance with applicable Estonian and EU legislation.
1. Purpose and Scope
Company for Business OÜ (hereinafter: the Company) provides accounting, bookkeeping, and related financial administrative services to Estonian companies and entrepreneurs. As an obligated entity under Estonian law, the Company is committed to the prevention of money laundering and terrorist financing (AML/CTF) and operates in full compliance with applicable legislation.
This Anti-Money Laundering and Counter-Terrorism Financing Policy (the Policy) establishes the framework, principles, procedures, and responsibilities that govern the Company’s efforts to detect, prevent, and report activities related to money laundering and terrorist financing.
1.1 Legal Basis
This Policy is established in accordance with:
- The Estonian Money Laundering and Terrorist Financing Prevention Act (Rahapesu ja terrorismi rahastamise tõkestamise seadus, MLTFPA)
- Directive (EU) 2018/843 (5th Anti-Money Laundering Directive) and Directive (EU) 2015/849 (4th AMLD)
- Regulation (EU) 2023/1113 on information accompanying transfers of funds
- Guidelines issued by the Financial Intelligence Unit of Estonia (Rahapesu Andmebüroo, RAB)
- Relevant guidance from the European Banking Authority (EBA)
1.2 Scope
This Policy applies to:
- All employees, managers, and board members of Company for Business OÜ
- All contractors and third parties acting on behalf of the Company
- All business relationships and transactions, regardless of value or currency
2. Risk Assessment
The Company takes a risk-based approach (RBA) to AML/CTF, proportionate to the nature, scale, and complexity of its services. A formal Business-Wide Risk Assessment (BWRA) is conducted at least annually and updated whenever there are material changes to the Company’s business model, client base, or regulatory environment.
2.1 Risk Categories
The Company assesses risk across four primary dimensions:
- Customer Risk — including PEPs, non-resident clients, clients from high-risk jurisdictions, complex ownership structures, and clients whose source of wealth is unclear.
- Geographic Risk — clients, counterparties, or funds connected to countries listed by FATF, EU, or the Estonian Financial Intelligence Unit as high-risk or non-cooperative jurisdictions.
- Product/Service Risk — accounting, payroll processing, tax filing, and financial advisory services that may be misused for layering or integration of criminal proceeds.
- Delivery Channel Risk — remote onboarding without face-to-face verification presents elevated risk and requires compensatory controls.
2.2 Risk Rating Matrix
Each client is assigned a risk rating — Low, Medium, or High — based on the combined assessment of the above dimensions. The risk rating determines the level of due diligence applied and the frequency of ongoing monitoring.
| Risk Level | Due Diligence Level | Review Frequency |
|---|---|---|
| Low | Simplified Due Diligence (SDD) | Every 3 years or on material change |
| Medium | Standard CDD | Annually |
| High | Enhanced Due Diligence (EDD) | Every 6 months or on material change |
3. Customer Due Diligence (CDD)
The Company applies CDD measures before establishing a business relationship, before carrying out a transaction, and on an ongoing basis throughout the relationship. CDD measures are also applied when there is a suspicion of ML/TF or when the Company has doubts about the accuracy of previously obtained identification data.
3.1 Standard CDD — Required Information
For all new clients, the Company collects and verifies the following minimum information:
For natural persons (sole traders, contact persons):
- Full legal name
- Date and place of birth
- Citizenship and country of residence
- Valid government-issued photo ID (Estonian ID card, passport, or equivalent)
- Personal identification number (isikukood) where applicable
- Contact information (address, email, phone)
- Source of income / source of funds where relevant
For legal entities (OÜ, AS, FIE, or foreign equivalents):
- Company name, registry code, and registered address
- Articles of association or equivalent constitutional documents
- Verification via the Estonian Business Register (ariregister.rik.ee) or equivalent
- Details of all beneficial owners (>25% ownership or effective control)
- Details of authorised signatories and representatives
- Nature of business activity, source of funds, and intended purpose of the relationship
3.2 Simplified Due Diligence (SDD)
SDD may be applied in lower-risk situations, such as when the client is a listed company, an Estonian state entity, or a financial institution supervised in an EEA member state. SDD still requires verification of identity but allows for reduced ongoing monitoring. SDD is not available where there are indications of ML/TF risk.
3.3 Enhanced Due Diligence (EDD)
EDD is mandatory for the following categories of clients and situations:
- Politically Exposed Persons (PEPs) and their family members or close associates
- Clients from or connected to FATF high-risk or non-cooperative jurisdictions
- Complex or unusual ownership structures, particularly with nominee shareholders or bearer shares
- Clients whose source of wealth or funds cannot be satisfactorily explained
- Non-resident clients or clients whose transactions exhibit no apparent business rationale
- Clients flagged by EU or UN sanctions lists
EDD measures include, but are not limited to:
- Obtaining senior management approval before establishing the relationship
- Collecting additional documentation on source of wealth and source of funds
- Conducting enhanced ongoing monitoring with increased frequency of transaction review
- Verifying information through independent and reliable sources
3.4 Sanctions Screening
All clients, beneficial owners, and counterparties are screened against:
- EU consolidated sanctions list
- UN Security Council sanctions lists
- OFAC (Office of Foreign Assets Control) SDN list
- Estonian domestic sanctions imposed by the Ministry of Foreign Affairs
Screening is conducted at onboarding and repeated on a risk-based basis, but no less than annually. Any match must be escalated immediately to the MLRO.
4. Ongoing Monitoring
Establishing a business relationship is not a one-time event. The Company continuously monitors existing clients and transactions to ensure they remain consistent with the known risk profile and declared business purpose.
4.1 Transaction Monitoring
The Company reviews the financial transactions processed on behalf of clients for unusual patterns, including:
- Transactions that appear inconsistent with the client’s known business activity or typical transaction volumes
- Unusual cash transactions or transfers involving jurisdictions with high ML/TF risk
- Rapid movement of large sums between accounts with no apparent business justification
- Round-sum transactions or structuring patterns designed to avoid reporting thresholds
- Payments to or from third parties unrelated to the declared business purpose
4.2 Periodic Review
Client files are reviewed periodically in accordance with their risk rating (see Section 2.2). Reviews assess whether the client’s profile, ownership structure, or transaction behaviour has materially changed and whether the applied level of due diligence remains appropriate.
4.3 Triggers for Immediate Review
An immediate out-of-cycle review is triggered by:
- Any change in the client’s beneficial ownership or management
- Client entering into business in a new or high-risk jurisdiction
- Detection of transactions that appear to have no economic rationale
- Media reports or law-enforcement information linking the client to financial crime
- Client’s appearance on a sanctions or PEP list
5. Suspicious Activity Reporting
5.1 Internal Reporting
Any employee who knows or suspects that a client or transaction involves ML/TF must report their suspicion immediately to the MLRO using the Company’s internal Suspicious Activity Report (iSAR) form. No employee shall attempt to investigate a suspicion independently or alert the client to the existence of a report (tipping-off prohibition).
5.2 MLRO Review
Upon receiving an internal report, the MLRO will:
- Acknowledge receipt of the report within 24 hours.
- Conduct a confidential initial assessment within 5 working days.
- If reasonable grounds for suspicion exist, submit a Suspicious Transaction Report (STR) to the Financial Intelligence Unit (Rahapesu Andmebüroo — RAB) via the RAB online reporting portal.
- If no reasonable grounds exist, document the reasoning for not filing and retain the record for at least 5 years.
5.3 Tipping-Off Prohibition
5.4 Reporting Thresholds
The Company reports to RAB:
- All transactions of EUR 32,000 or more in cash or cash equivalents, regardless of suspicion
- All suspicious transactions, regardless of amount
- All cases where a client refuses to provide required CDD information
6. Record Keeping
The Company maintains the following records for a minimum of five (5) years from the end of the business relationship or the date of the occasional transaction:
- Copies of all identification and verification documents collected during CDD
- Records of all transactions processed on behalf of clients
- Internal and external suspicious activity reports and supporting analysis
- Risk assessments for each client and for the business as a whole
- Records of training attended by employees
- Correspondence with competent authorities
Records are stored securely, with access restricted to authorised personnel. Records must be retrievable within a reasonable timeframe upon request by competent authorities.
7. Roles and Responsibilities
7.1 Board of Directors / Management
Senior management bears ultimate responsibility for the Company’s AML/CTF compliance. Their obligations include:
- Approving and annually reviewing this Policy
- Allocating sufficient resources for compliance functions
- Approving the onboarding of high-risk clients
- Maintaining a culture of compliance throughout the organisation
7.2 Money Laundering Reporting Officer (MLRO)
The MLRO is a senior employee appointed by the Board who acts as the primary point of contact for all AML/CTF matters. The MLRO is responsible for:
- Receiving and assessing internal suspicious activity reports
- Submitting STRs to RAB where required
- Maintaining and updating AML/CTF policies and procedures
- Providing AML training and awareness to staff
- Liaising with competent authorities and responding to information requests
- Maintaining the AML risk register and conducting periodic reviews
RAB must be notified in writing of the MLRO's appointment. The contact details of the current MLRO are maintained in a separate internal document.
7.3 All Employees
Every employee of the Company, regardless of seniority, is required to:
- Understand and comply with this Policy and associated procedures
- Complete mandatory AML training upon joining and at least annually thereafter
- Report any suspicions of ML/TF to the MLRO without delay
- Never attempt to investigate suspicions independently or alert clients
- Maintain the confidentiality of all reports and investigations
8. Training and Awareness
The Company ensures that all relevant employees receive adequate AML/CTF training that is appropriate to their role and updated to reflect changes in law and typologies.
The training programme includes:
- Induction training for all new employees covering the basics of ML/TF, the Company’s obligations, and internal procedures
- Annual refresher training covering regulatory updates, new typologies, and case studies
- Role-specific training for the MLRO and staff involved in client onboarding and transaction monitoring
- Records of training completion are maintained and available for inspection
9. Consequences of Non-Compliance
Failure to comply with this Policy and applicable AML/CTF legislation may result in:
- Disciplinary action up to and including termination of employment
- Civil liability and reputational damage to the Company
- Administrative sanctions and fines imposed by supervisory authorities
- Criminal prosecution of the individual and/or the Company
10. Policy Review and Updates
This Policy is reviewed at least annually by the MLRO and presented to the Board for approval. An unscheduled review will be triggered by:
- Material changes to applicable legislation or regulatory guidance
- Significant changes to the Company’s business model, services, or client base
- Identification of material gaps or failures in the current framework
- Supervisory inspection findings or enforcement actions
All revisions are documented in the version history maintained by the MLRO.
Appendix A — Red Flags and Suspicious Indicators
The following non-exhaustive list of indicators should prompt employees to consider whether a suspicion report to the MLRO is warranted:
Client Behaviour
- Client is reluctant or refuses to provide required CDD documentation
- Client provides documents that appear false, inconsistent, or difficult to verify
- Client is unusually secretive about the nature or purpose of their business
- Client presents a business with no clear economic rationale or physical presence
- Client requests services that appear inconsistent with their stated business
Transaction Indicators
- Large cash payments or requests for cash disbursements
- Transactions involving multiple jurisdictions with no apparent business reason
- Payments to or from unrelated third parties
- Structuring: breaking up transactions to avoid reporting thresholds
- Rapid cycling of funds through multiple accounts
- Round-sum or unusually precise transactions with no explanation
Ownership Structure Indicators
- Complex layered ownership structures involving offshore jurisdictions
- Use of nominee directors, nominee shareholders, or bearer shares
- Inability or refusal to identify the ultimate beneficial owner
- Frequent changes in beneficial ownership or management without business rationale
Appendix B — High-Risk Jurisdictions
The Company treats any connection to the following jurisdictions as an elevated risk indicator requiring enhanced scrutiny. This list is updated regularly in line with FATF, EU, and RAB publications:
- Jurisdictions on the FATF list of High-Risk Jurisdictions subject to a Call for Action (‘black list’)
- Jurisdictions on the FATF list of Jurisdictions Under Increased Monitoring (‘grey list’)
- Jurisdictions subject to EU asset-freeze or arms embargo
- Jurisdictions identified by RAB or the Estonian Ministry of Foreign Affairs as presenting elevated ML/TF risk