Just before Midsummer Day, the Riigikogu passed amendments to the Anti-Money Laundering Act. The flood of commentary that followed has included several misleading claims, ranging from accusations of rushing the process to suggestions of mass surveillance of the entire population.

This is a complex issue and misunderstandings are easy to come by. Even this opinion piece only scratches the surface. One thing is clear, however: as a society, we must decide whether and with what tools we are willing to confront a phenomenon that does us serious harm — money laundering.

In 2022, the Ministry of the Interior published a publicly available study which estimated that in 2020, criminal proceeds generated by offenses committed in Estonia amounted to an average of €458 million. This figure refers specifically to crimes committed within Estonia. In addition, there are sums laundered through Estonia that originate from crimes committed in other countries. In the case of the Danske Bank money laundering scandal, which affected us all, Estonia was primarily a conduit for laundering crimes committed elsewhere. In any case, we are talking about hundreds and hundreds of millions of euros being cleaned through Estonia's financial system each year.

Doing things by hand will get us nowhere

Last year, the Estonian state confiscated about €4 million — meaning we are recovering only about 1 percent of criminal proceeds. This low figure is mainly due to the fact that we often detect these crimes too late, by which point the illicit assets are already on the other side of the world and nearly impossible to recover. Secondly, the very purpose of money laundering is to conceal the origins of criminal proceeds. And when those funds are hidden across jurisdictions and service providers, uncovering the crime becomes extremely difficult — if not impossible.

In one recent case, it took us a full year to unravel a laundering scheme involving just a few hundred thousand euros. Within a massive web of accounts, companies and transactions, we had to identify just 14 relevant transfers. So it's simply not accurate to say the problem doesn't exist. We cannot solve this with manual labor alone.

The number of problems that arise when a state fails to tackle money laundering is countless. Many of us have likely noticed the recent surge in fraud cases, where individuals are tricked out of their money through increasingly complex schemes. This is just one example of criminal activity gravitating toward environments with a lower risk of getting caught — and therefore a higher chance of retaining illicit profits. We know that money laundering also moves funds derived from very serious crimes, such as drug trafficking, human trafficking and child pornography — things we all want to protect ourselves and our loved ones from.

When hundreds of millions in dirty money enter the national economy unchecked, prices rise, driven by increased demand for apartments, cars and more. Allowing money laundering exposes us to reputational damage, which ultimately affects the volume of foreign investment we attract, the interest rates our country faces on financial markets and even the ease with which citizens can access financial services abroad. And if the state doesn't do its part in uncovering money laundering crimes, the burden inevitably shifts to the private sector, where payment processors are keen to avoid angry customers who have lost their funds — or reputational harm if a money laundering case comes to light.

The result is a situation where we're asked even more questions at the bank — even if we've done nothing wrong. In short, the problem is very real: hundreds of millions of euros are laundered through Estonia each year, we recover a disgracefully small share of it and the consequences for society are negative across the board. The more powerless we are, the more the problem will grow.

Estonia will not go down the police state path

The idea behind the bill in question — and the powers it would grant to the Financial Intelligence Unit (FIU) — did not emerge overnight. In fact, it stems from the lessons learned in the 2019 Danske Bank case. An analysis report presented to the government at the time highlighted the need for improved strategic analysis. This ultimately led to the government's 2020 decision to establish the FIU as an independent agency and to apply for funding from the European Union's Recovery and Resilience Facility. The bill currently under discussion is the result of those earlier decisions, and its core aim remains unchanged: to ensure that cases like Danske Bank never happen again and to protect our economic system from the damaging effects of money laundering.

As is fitting in a democratic country, the discussions over the past five years have led to various adjustments, including refinements in what data should be analyzed and how. To build knowledge in this area, a technical assistance project was carried out from 2021 to 2023 by the European Commission and the Council of Europe. Preparation of the bill began in early 2024, with input from the Data Protection Inspectorate and the Ministry of Justice's data protection unit to ensure that personal data handling would align with the norms agreed upon in our society. The draft legislation entered its first public consultation round in October 2024 and was open to comment from all. Although society has evolved significantly in these five years — and expectations around draft laws and safeguards have increased — it is not accurate to claim that the bill was rushed through.

Estonia has no intention — and is not heading down the path — of becoming a so-called police state that spies on all its citizens. One of the most persistent public misunderstandings is the notion that the bill would allow the FIU to create a super-database filled with information on all natural and legal persons, pulled from numerous public registries and processed by artificial intelligence.

Let's start with this: modern requirements from competent data protection authorities now demand that all types of data processed within a database be described in the law by category. This new standard creates confusion in the public because it transparently outlines what may be, or already is, included in the FIU's database. But the FIU is not going to start mass-compiling data on everyone from all registries. Even today, the FIU may receive bank statements of both individuals and legal entities, covering short or extended time periods. These statements may contain unrelated data, such as payments for medical treatment — which qualify as health data. That kind of information is not needed by the FIU, but data protection regulations require that all potential data categories that might reach the database be disclosed. The FIU uses, and will continue to use, only the data necessary for investigating money laundering. In individual cases, it may indeed be necessary to gather data from different registries. This is laid out in European Union legislation and is essential if we want to effectively combat money laundering.

FIU code used instead of AI

Under the amendments to the law that were passed, we also clarified — not just what data may be contained in the database — but what types of data can be collected for specific tasks. This was done to enhance openness and transparency, but it has created the impression that the FIU received new powers, which is simply not the case. The FIU was authorized to process data from six different databases, primarily related to legal entities and the individuals behind them.

It's worth noting that, aside from the FIU's own database, the majority of this data is publicly accessible to anyone — in other words, it's open data. Anyone can look up information about legal entities in the Business Register or the Land Register, and even turnover data from the Tax and Customs Board can be requested. Still, from the outset, we aimed to ensure that the data processing would occur in a pseudonymized form, because the goal is not to create personal profiles, but to identify transaction patterns characteristic of money laundering. The FIU cannot simply query the database for a specific individual or individuals to retrieve a so-called full profile. Those kinds of profiles are typically found in commercial databases that generate credit scores or payment indexes — and, incidentally, aggregate data from public registries far more extensively.

Full anonymization was ruled out because, in the event of a suspected money laundering case, we would have to retrieve the original data again from the registries. That could also flag individuals who were never under suspicion. Furthermore, we do not run artificial intelligence on pseudonymized data. Instead, at the FIU, we write our own code to help analytics software recognize behavior patterns indicative of money laundering — similar to how private sector actors develop their systems. The key difference is that private entities are unable to detect cross-border schemes.

It is always a person — a public servant at the FIU — who validates suspected money laundering and decides whether to pursue the case further. No "machine" makes decisions about individuals. False positives are deleted and the data is re-encrypted. All systems are logged and subject to oversight.

By having legally authorized capabilities to process such data in aggregate, the FIU can also be a more effective partner to obligated entities, such as banks. For instance, the FIU can issue up-to-date typologies to help institutions know what to look for. Investigative agencies, in turn, would receive more relevant and actionable cases, rather than being overwhelmed by a flood of fragmented, often false-positive information. In this way, the state can finally begin to achieve meaningful results in identifying, seizing and confiscating criminal assets — beyond the paltry 1 percent currently recovered from illicit proceeds flowing through our economy.

In summary, Estonia has chosen a pragmatic path that respects personal data to the greatest extent possible, while still targeting risk effectively and strengthening our ability to prevent criminal money from infiltrating the national financial system and economy. Every system carries risks, and those risks must be carefully weighed. The FIU and the Ministry of Finance have been transparent and open about their intentions. As mentioned, discussions with various stakeholders began as early as the start of 2024, with analyses conducted well before that. As a society, we must decide what tools we are willing to use in the fight against crime. But we cannot, at the same time, demand effective action against the consequences of money laundering while insisting that it be done with our hands, feet and eyes tied.

--

Follow ERR News on Facebook, Bluesky and X and never miss an update!