Renewed AML Rules for Estonian Companies in 2026: Checklist for Founders

TL;DR

• Estonia’s AML framework tightened significantly in 2025–2026 under AMLA, 6AMLD, and MiCA — banks and service providers now ask for detailed info.
• Crypto companies in Estonia must transition from VASP to CASP license by July 1, 2026 — after that, legacy licenses are revoked with no grace period.
• If your Estonian OÜ was registered via e-Residency and hasn’t been reviewed since incorporation, the compliance gap is likely bigger than you think.

Estonia tightened its AML framework significantly in 2025–2026 — and the changes go far beyond crypto. If you run an Estonian OÜ for consulting, IT, fintech, or B2B services, banks and service providers are now asking more specific questions: who are your clients, where do they come from, and where does the money originate.

From 2026 onwards, control over AML compliance across the EU transfers to the newly established European Anti-Money Laundering Agency (AMLA), which coordinates national supervisors and can step in directly for high-risk entities — even in smaller jurisdictions like Estonia. Combined with 6AMLD and the new EU Single Rulebook, the compliance bar for Estonian companies has moved materially.

Estonia — already known for strict AML enforcement after the banking scandals of the late 2010s — has proactively applied these standards. For founders using e-Residency to run international businesses through an Estonian OÜ, the implications are direct and immediate.

The best way to approach AML riles is earlier

You apply to open a bank account. Or your existing bank sends a review notice. Or your accountant asks for documentation before filing. And suddenly you are being asked: who are your clients? Where are they based? What do they do?

If your Estonian company was set up as a vehicle for international business — which is exactly why most founders use e-Residency — these questions are not optional. The Estonian FIU requires companies to have genuine business connections with Estonia. A registered address and a digital signature are no longer sufficient.

For clients from high-risk jurisdictions or large transactions, Enhanced Due Diligence (EDD) applies: in-depth verification of source of funds, ownership structure, and links to politically exposed persons. The gap between “easy to register via e-Residency” and “ready for a bank review” is exactly where most founders get caught.

2026 AML Checklist for Estonian OÜ Founders

Section 1: Know Your Own Structure

• Can you clearly explain what your company does and who its clients are?
• Is the Ultimate Beneficial Owner (UBO) correctly registered in the Estonian Business Register?
• Can you trace the full ownership chain to a natural person?
• Does your EMTAK code match what the company actually does?

Section 2: Client Origin and Source of Funds

This is the area that has tightened most. Banks now ask systematically about client origin — not just who they are, but where they are based and what their business involves.

• Can you provide a client list with country of incorporation and business description?
• Do you have Enhanced Due Diligence documentation for clients in high-risk FATF jurisdictions?
• Does each inflow correspond to a contract or invoice?
• Are your client contracts stored and accessible?
• Can you document business relationships for funds from non-EU countries?

Section 3: Substance and Real Operations

• Does the company have a real registered address — not a virtual office from a provider no longer operating?
• Is there an active website and corporate email domain?
• Is there documented evidence of activity — contracts, invoices, correspondence?

Section 4: Compliance Documentation

• Does the company have basic AML/KYC internal rules?
• Is there a designated person responsible for AML matters?
• Is the annual report filed on time? Non-filing triggers additional scrutiny.

Section 5: Crypto and Fintech Specifics

On March 23, 2026, Finantsinspektsioon confirmed that the transition period for crypto companies ends in summer 2026. From July 1, 2026, the CASP license becomes the only valid form of authorization for crypto activities in Estonia. All VASP licenses previously issued by the FIU are revoked on that date — no grace period after the sunset date.

A MiCA CASP authorisation obtained through Finantsinspektsioon satisfies both Estonian and EU requirements and enables passporting across the EEA — meaning one license covers all EU member states.

• Have you transitioned from VASP to CASP license before July 1, 2026?
• Do you meet minimum capital requirements? €100,000 for exchange and storage services; €250,000 if virtual currency transfers are included
• Is your Travel Rule compliance in place? Under the EU Transfer of Funds Regulation, the Travel Rule applies to all crypto transfers with no minimum threshold
• Is your transaction monitoring system producing documented, explainable outputs — not just flagging anomalies but recording why?

What happens without preparation

Your bank restricts the account while you gather documentation. A payment provider declines onboarding because your client list includes flagged jurisdictions. An investor asks for AML compliance documentation and you have nothing to show.

None of these are catastrophic individually. All of them cost time and money to fix — and most are preventable with a one-time documentation exercise.

The bottom line

Estonia remains one of the best EU jurisdictions for international founders. The e-Residency system works, the tax model is competitive, and the digital infrastructure is genuinely excellent. But “easy to register” never meant “no compliance obligations.” The 2025–2026 AML tightening — driven by AMLA, 6AMLD, MiCA, and the EU Single Rulebook — makes that gap more visible and more consequential.

If you registered an Estonian OÜ and have not revisited your compliance documentation since incorporation, now is the right time.

Legarithm advises on Estonian company formation, AML compliance setup, and ongoing obligations for international founders. Feel free to contact us for advice on AML policies as well as KYC for UE jurisdictions.