According to Kiisel, the procedure for bank secrecy inquiries needs to be legally resolved at the national level. Kiisel gave an interview to ERR which follows.

You informed the FIU of a 247 million euro contractual penalty claim, referring to the Chancellor of Justice's opinion on bank confidentiality and the fact that the FIU had, over five years, unlawfully accessed various data in banks through the enforcement register, including transactions and bank account statements. Do you plan to actually submit this claim?

We are utilizing our legal options. When we learned from the Chancellor of Justice's work, or her conclusions, that in this case various agencies may not have been using our data lawfully, then of course we had to do something. The issues the Chancellor highlighted were highly substantive and important. It seems to me that, for the protection of our own clients and for ourselves, this is the only correct step.

To preserve our rights to claim a contractual penalty of this kind, we must legally notify the other party, within a reasonable time frame from learning about that right. In this case, that is what we have done. The extent and scope to which we plan to pursue this claim is still open. At this point, we are going to carry out that analysis ourselves.

How long might analysis like that take to complete?

I'm not a legal expert myself, but it transpires that Estonian law provides for a three-year period for this. As of now, we just took that first step. And I think the main purpose is still just one: To motivate the parties to the agreement to take their obligations seriously. We really want someone to take responsibility, to fix this whole systemic issue, plus breaches of contract, even by government agencies, are not acceptable. In this case, we pointed out that since the Chancellor of Justice indicated that the FIU had not acted lawfully in obtaining the data, it seems to us that the FIU has also breached the contract that regulates the register's operation. So this is purely a process.

How realistic and of what amount do you consider submitting the claim?

That is very difficult to say as of today. We are at the starting point. Our message is still mainly directed towards the state. In parallel, we have also made an appeal to the Ministry of Justice, where we have asked for a full audit, to determine in which cases data has been wrongly requested, and for that data to be deleted. In this particular case, the Chancellor of Justice has very clearly pointed out that the FIU had clearly made such requests unlawfully, so this is an additional step we've taken to raise seriousness and attention. This issue is key. The data of all clients used by various state institutions — in this case, the FIU — without sufficient basis, is at stake, because all those clients want those answers as well. And that has been the main reason why we've taken this step.

Have your clients also contacted you to ask whether their data was accessed and what have you told them?

Clients have indeed been contacting us. We have our answers prepared and we try to explain things as best we can. But our options are limited, as we can't see the entire picture. We are still very much expecting that clear instructions will come from the state, and that the system will be put right. The body responsible for managing this system—namely the Ministry of Justice—should carry out an adequate audit to determine to what extent data has been used wrongly. And that data must be deleted. That is the first step that needs to be taken very quickly.

Your main expectation is that this will be fully discussed and clarified in Estonia?

Absolutely. This is vital. When we talk about the use of mass data as a whole, we're talking about the use of very sensitive information as a whole, then it must be clearly defined in which cases, when, and who has the right to use what data. So far, unfortunately, it has not been possible for us to share information too easily, either via the enforcement register or through separate manual queries. We simply couldn't do that. So this legal clarity has to be established — and quickly. Because the goal of banks and LHV is certainly not to obstruct work. But now it's time to roll up our sleeves and make a proper effort to create those concrete guidelines.

If you've been in contact with colleagues from other banks, do other banks also plan to send this type of letter, as you have?

I don't know exactly about this type of letter — each bank decides this for itself. But within the banking association, we also have cross-bank joint actions, where we maintain the seriousness, direction, and focus. And we have made appeals as well. It is very important to us that this issue doesn't fade away. It needs to be fully discussed. If the state wants to use bank data, it must be unambiguously and clearly understood. By all credit institutions that provide that data, and by all clients whose data is used. So in this case, we are mainly defending the interests of the client. We have received a kind of message that our clients' data has been misused, and of course we must respond. And this is one possible legal measure we can take today.

A report by Chancellor of Justice Ülle Madise issued at the start of this month found the FIU had accessed confidential banking data over 10,000 times over a five-year period.

--

Follow ERR News on Facebook, Bluesky and X and never miss an update!