The bill recognizes potential risks such as data leaks and incorrect conclusions but emphasizes controls to protect privacy and limit data personalization. The bill's authors call the risk of these potential negative effects "moderate."

The bill passed its first reading at the Riigikogu last month, and allows the Financial Intelligence Unit (FIU) to consolidate data from various registers about individuals and companies into a single data warehouse readable by artificial intelligence to filter out unusual patterns indicating possible money laundering.
This has also raised concerns over an inherent risk of data leaks and incorrect conclusions.

Amending the existing Anti-Money Laundering and Terrorist Financing Prevention Act, the bill does not grant the FIU access to new data, but does give it the right to process existing datasets in combination and on computer. It also grants the FIU the right to use various data analytics methods, including text processing and data mining tools. Data may only be processed in a pseudonymized form.

According to the bill's explanatory memorandum, processing data in the FIU's database helps guarantee societal safety and helps combat crime more effectively. However, the bill's authors also conceded that the likelihood of negative effects, such as data leaks and incorrect conclusions based on inaccurate data, is "moderate" rather than "low."

To mitigate this risk, internal procedures, control mechanisms, monitoring, and quality metrics are being planned.

According to the draft bill, the FIU will also create an EU-funded analysis program to detect money laundering more quickly and efficiently. The FIU will receive anonymized data from various registers, while the amendment will define when this data may be personalized to detect crime.

Bill passed first reading in May

The bill passed its first reading in the Riigikogu on May 20.

Presenting the bill, Finance Minister Jürgen Ligi (Reform) said current law grants the FIU access to all data needed to prevent money laundering, including its own data and that of the Tax and Customs (MTA).

Ligi said at the time: "They have still relied solely on data provided by the banks themselves and in that sense were quite powerless in the past," adding that once bulk data reaches the FIU, it is not personally identifiable.

Ligi said behavioral patterns and how these may correspond to the hallmarks of money laundering are more important than who an individual is.

Data can only be personalized if money laundering is suspected, with approval from two independent individuals, including the FIU's data protection specialist. Ligi said anonymizing data was considered but would prevent personal identification.

"Such a right would infringe more on individuals' rights because upon the appearance of suspicion, we would have to search for specific behavior while processing the data of individuals not involved," Ligi said.

FIU head Matis Mäeker noted in early May, when presenting the bill to the Riigikogu's Finance Committee, that the bill covers how personal data will be processed, as well as its nature, and who it will affect.

"The changes made by the bill affect individuals listed in the registers referred to in the bill to which the FIU submits queries. The data warehouse will be integrated with 11 registers," he said.

The most important thing is to identify and analyze behavioral patterns which may indicate suspected money laundering, related crimes, or terrorism financing. Through these patterns, risks can be discovered and preventive measures implemented, he said.

FIU chief: Authority will not have access to bank databases, client communications, transactions.

According to Mäeker, the FIU will get suspicion reports from banks but will not request or collect further data to carry out the bill's goals, such as mass data processing. If anomalies are found in that mass data, banks can be asked for more details in specific cases. The FIU will not have access to bank databases, client communications, or transactions.

The amendment allows machine-processing of datasets—such as large payments by non-residents—after the law takes effect. These are pseudonymized and analyzed machine-to-machine, without needing more data from banks.

According to Mäeker, the amendment will not allow the preventive use of systems, as data is pseudonymized before reaching the FIU and can only be linked to individuals if there's prior suspicion of money laundering.

Mäeker gave as an example of a company with €100,000 in transactions and VAT liability but no matching VAT declarations, suggesting a lack of economic activity. If machine analysis shows no recorded trade with Russia or employee numbers that don't match activity levels, a contradiction is revealed.

"If the system analyzes these various parameters—like bank account movements, customs data, and other reports or information submitted to the state—and finds that they don't align, it can conclude that this may indicate a money laundering situation, since experience shows that criminals often behave in a similar way," Mäeker said, noting that this would be machine-flagged as a situation which may require further inspection or explanation," Mäeker explained.

The FIU needs authorization to download, pseudonymize, and store data in its existing warehouse to model criminal behavior patterns and compare payment and trade data with Statistics Estonia. Mäeker said access to multiple national registers is needed because individual bank reports alone are not informative without broader data context.

No intention-to-develop memorandum was prepared for the bill, with the explanatory memorandum citing a tight timeline due to the anti-money laundering reform deadline in the fourth quarter of last year.

"The law amendment's delay by a few months still allows for the achievement of the reform's outcome," the explanatory memorandum states, and parts of the law are planned to take effect already on July 1.

The Riigikogu's Finance Committee is set to continue reviewing the bill in Tuesday's session, to prepare it for the second reading.

--

Follow ERR News on Facebook, Bluesky and X and never miss an update!