Matis Mäeker: FIU working inside the confines of the law and public interest

Matis Mäeker, head of the Financial Intelligence Unit, says it is misleading to claim that the agency has surveilled people without a legal basis. In his view, the real question is whether the law should more clearly define the channels through which information exchange takes place.
One of the main topics yesterday and today has been the so-called "viewing of bank accounts without legal basis." The debate has culminated in editorials and articles whose tone and content call for clarification from the Financial Intelligence Unit (FIU). I'm speaking from FIU's perspective in an attempt to look beyond the headlines and into the subject matter. I am not in a position to comment on the actions of the police or the tax authority.
FIU operates under the Credit Institutions Act, which grants FIU clear and undisputed legal authority to access banking information, including bank accounts, when it is necessary for the prevention of money laundering or terrorist financing. This authority is established by law and has never been in dispute. The Credit Institutions Act names FIU — immediately after the supervisory authority — as the first (note: first!) competent body with such rights. Nevertheless, claims and speculation in public discourse have created a misleading impression that FIU lacks the authority to access most banking data, including bank account statements.
It's important to explain what banking secrecy means. It's not just information about the existence of an account or its transactions — it includes all data collected about a person when an account is opened and used. This type of information is precisely what enables the evaluation of the legality of transactions and helps identify suspicious patterns that may indicate money laundering. In other words, a significant portion of this data is collected specifically for the purpose of preventing money laundering.
The real issue, then, is not whether FIU has the right to request access to bank accounts — this right is granted by law — but rather through which channel such information may be requested and obtained. The state has created and required banks to join the enforcement register system, which is secured via the X-Road platform and is intended, among other things, to ensure faster, safer and more transparent information exchange between competent authorities and banks. In this context, it is simply a channel for data exchange. Each query made by FIU is internally logged along with an explanation of why the information is being requested — what the suspicion of money laundering or terrorist financing is that we are investigating.
While the law specifies certain data points that banks must share with FIU via the register, that list is not exhaustive. The law establishes a minimum by using the word "at least" before listing these data points. Although bank accounts are not explicitly named as a separate data point in that list, treating them as such is consistent with the legislature's intent to keep the system flexible and needs-based. The ongoing debate concerns whether the legislature indeed intended for such information to be exchanged swiftly, or whether the right to request information as sensitive as bank account data — given the significant impact on fundamental rights — should be explicitly and unambiguously listed.
That's why it is misleading to claim that FIU has "spied on people without a legal basis." The discussion should focus instead on whether the law ought to more clearly define the boundaries of the channels through which information exchange occurs. Although FIU has decided, for the time being, to stop requesting account data via the enforcement register, we maintain that such use was lawful.
As it stands now, FIU will begin requesting account data manually. This means encrypted email requests to banks, requiring considerable manual effort on the part of both the banks and FIU. The data travels through cloud-based services, whose servers are not always located in Estonia. In contrast, the enforcement register is part of the Estonian state's infrastructure — secure and efficient. Whereas previously it took about one day on average to obtain information, it will now take a week or more, depending on the situation and banks' workloads.
Imagine a case where someone falls victim to fraud: money moves from their account at Bank A to Bank B and from there to yet another account. Identifying a transaction chain involving three accounts and two transfers may now take several weeks. Previously, our faster system enabled us to stop further transfers of a victim's money — going forward, that likelihood is significantly reduced. Time is critical, especially when there's a suspicion of terrorist financing. It is absolutely essential that we can detect such transactions quickly.
At this point, it must be acknowledged that public expectations have developed which are at times contradictory. We increasingly see that legal norms written in the past with a clear purpose in mind become overly general a few years later. There is a desire on the one hand for regulatory simplicity, and on the other hand for extremely precise and specific rules for every possible scenario. Legislation must remain sufficiently concrete, while also allowing room for flexibility, which the handling of complex crimes requires. It's easy to say in one breath that no one should look at my bank account, and in the next breath to ask — when you're the victim — why no one did anything.
To speak in numbers: FIU made 1,854 requests for bank account data via the Compliance Register over a 14-month period, which amounts to about 132 requests per month. At the same time, Estonian banks have approximately three million clients, and in May 2025 alone, there were 74.6 million payment transactions totaling €49.2 billion. The actual proportions are vastly different and claims of mass surveillance or data abuse are not supported by reality.
FIU operates within the boundaries of the law and the public interest. Our goal is not to violate anyone's privacy, but to protect society from crime.
--
Editor: Marcus Turovski