FIU Powers and the Limits of AML Supervision: Estonia’s Supreme Court Decision

8 January 2026, the Supreme Court of Estonia, in case No. 3-23-125, declared unlawful a blanket directive issued by the Estonian Financial Intelligence Unit (FIU or Rahapesu Andmebüroo) that, in late 2022, requested a significant volume of information from all licensed trust and company service providers (TCSPs) offering company registration and virtual office services in Estonia.

This decision became an important landmark for the entire AML (Anti-Money Laundering) supervision system and delineated the boundaries of permissible state interference in the activities of legitimate companies. The position of the Estonian Supreme Court also received broad coverage in the Estonian media, including Postimees and ERR, highlighting its significance not only for the professional community but also for the wider public legal debate.

One of the initiators of the court proceedings that resulted in this landmark ruling by the Supreme Court of Estonia in January 2026 was Ühinenud Õigusbürood OÜ, which is the parent company of Eesti Firma OÜ. The aim of going to court was to obtain legal certainty regarding the permissible limits of supervisory powers in the AML/KYC (Anti-Money Laundering / Know Your Customer) field, as well as to uphold the principle of proportionality in the interaction between the regulator and licensed businesses.

In December 2022, the FIU sent a single directive to 322 licensed TCSPs, requiring them to respond to a questionnaire of 44 questions. The request covered a wide range of topics: from internal AML/KYC procedures to client structure, geographic scope of activities, financial indicators, and the application of sanctions measures.

The regulator justified its actions by the need to obtain a comprehensive understanding of the risks in the sector and to build risk-oriented AML supervision. At the same time, the request was not linked to any specific suspicions, violations, or individual inspections. It was preventive in nature and applied equally to all market participants — regardless of their size, business model, or risk profile.

It was precisely this approach that became the subject of dispute. A number of companies that had already complied with the directive raised the question of where the line lies between lawful AML supervision and excessive administrative burden, and whether the regulator can, as part of an abstract risk assessment, demand such extensive and analytically complex information from businesses.

When reviewing case No. 3-23-125, the Supreme Court did not question the importance of AML/KYC (Anti-Money Laundering / Know Your Customer) measures as tools for protecting the financial system. Instead, it focused on procedural correctness and the legal grounds of the supervisory authority’s actions.

The Court pointed out that the FIU in Estonia combines two different roles. On the one hand, it is a financial intelligence unit (FIU) analyzing suspicious transactions. On the other hand, it is a supervisory authority controlling the compliance of obligated entities with AML/KYC requirements.

These roles have different legal natures and are based on different provisions of law. The powers granted to the FIU for performing financial intelligence tasks cannot automatically be used for conducting state supervision. When engaging in supervisory activities, the regulator must act strictly within the tools explicitly provided for that purpose.

The Court concluded that the FIU had relied on a legal provision that was not intended for mass information requests from private companies as part of preventive supervision. Using an incorrect legal basis was deemed a significant violation, rendering the directive unlawful regardless of its stated purpose.

Importantly, the Court did not assert that collecting information is inherently impermissible. It pointed out that even in the AML/KYC domain, supervisory measures must have a clear, specific, and proper legal justification.

The Court devoted special attention to the sources of information. In the context of preventive AML supervision, the regulator is obliged to first use data that is already in the possession of the state or available through official registers.

Demanding from companies information that can be obtained without their involvement is not permissible. Such an approach does not conform to the principle of proportionality and unjustifiably shifts the regulator’s analytical work onto businesses.

One of the most practical takeaways of the decision was the assertion that an information request must not be turned into an obligation for companies to create new documents or analytical summaries if such detail was not required by law in advance.

Companies, of course, have primary data about their activities. However, the existence of data does not equate to an obligation to have ready-made reports in every breakdown that might interest the supervisory authority. The Court emphasized that AML supervision cannot require businesses to retroactively generate complex analytics solely for the convenience of the regulator.

Even while acknowledging the legitimacy of the goal — assessing risks in the sector — the Court noted the disproportionality of the instrument chosen. An identical 44-question request to all market participants, without consideration of their individual characteristics, was deemed excessive in its breadth and degree of intrusiveness. In the Court’s view, AML supervision should be targeted and minimally sufficient, rather than universal and excessive.

For TCSPs, as well as for fintech companies subject to AML/KYC regulation, this decision has significant practical implications. **Firstly**, it increases the predictability of supervisory practices. Companies have the right to expect that information requests will be justified, proportionate, and legally sound.

Secondly, the decision encourages a better internal organization of compliance processes. Understanding which data a company is obliged to maintain by law, and which data are generated exclusively for internal management purposes, becomes critically important when interacting with regulators.

Thirdly, for the supervisory authorities themselves, the decision sets a framework in which AML oversight remains no less effective, but becomes more legally sustainable. Targeted inspections, clear justification of requests, and the use of available governmental information sources reduce the risk of subsequent disputes and increase overall trust in the system.

The Supreme Court of Estonia’s decision of 8 January 2026 does not weaken the AML/KYC system. On the contrary, it makes it more mature. The Court clearly indicated that the fight against money laundering must be waged within the framework of the law, with respect for the principle of proportionality and the procedural guarantees for businesses.

For licensed TCSPs, this ruling confirmed that legal certainty and effective supervision are not in conflict with each other. For the regulator, it served as a reminder that even in sensitive areas of public interest, regulatory powers have boundaries. It is precisely this balance that creates a stable, predictable, and trust-based environment for business development in Estonia.