Outsourced AML & MLRO in Estonia — Virtual, Fractional, or In-House

When an MLRO is required

Estonian law requires an MLRO for any obliged entity under the Money Laundering and Terrorist Financing Prevention Act — financial institutions, EMIs, payment institutions, virtual-asset service providers, accountants and tax advisers among others. RAB registration triggers the appointment requirement. The MLRO must be sufficiently senior, locally available, and free of conflicts that would compromise reporting independence.

For an early-stage fintech, the practical question is not "must I appoint someone" — you must — but "in-house, fractional, or outsourced?" The answer depends on volume, risk profile, and growth plans.

Three ways to staff the role

In-house: a full-time employee, suitable for licensed firms with material AML volume. Highest cost; deepest coverage. We support in-house MLROs with policy review, peer-benchmarking and training.

Fractional / part-time: a named officer who serves two or three small fintechs simultaneously, contracted to each. Lower per-firm cost, still meets the senior-attention bar. Common for early-stage EMIs and CASPs pre-launch.

Outsourced (virtual MLRO): we act as the registered MLRO, notified to RAB with fit-and-proper documentation on file. The client retains overall accountability through governance, but day-to-day reporting, monitoring oversight and STR filing run through us. This is the right answer for most fintechs that have not yet built in-house volume.

RAB registration and fit-and-proper notification

New obliged entities register with RAB before commencing AML-obliged activity. The appointed MLRO is named in that registration; subsequent changes are notified within the statutory window. Fit-and-proper documentation includes CV, criminal-record extract, AML training evidence, and a description of the candidate's authority within the firm.

A common stumbling block is naming an MLRO who lacks sufficient seniority or independence — RAB pushes back, the timeline slips, and the firm cannot operate. We pre-screen candidates against the bar before submission.

AML programme components

A complete AML programme covers: (1) customer due diligence (CDD) and enhanced due diligence (EDD) procedures with a documented risk-based approach; (2) PEP and sanctions screening at onboarding and ongoing; (3) transaction monitoring rules sized to the business model; (4) suspicious-transaction reporting (STR) workflow into RAB; (5) record-keeping for the statutory retention period; (6) annual training for all staff with AML-relevant duties; (7) periodic independent review or internal audit.

We deliver these as templates calibrated to your business model — an EMI programme is not the same as a CASP programme is not the same as an accountant's own AML programme.

Ongoing obligations — STR, training, independent review

Beyond setup, the MLRO files STRs to RAB when triggers fire, runs annual staff training, signs off on the annual AML report to the board, and coordinates with the external auditor where AML controls are in audit scope. Outsourced engagements include all of this; fractional engagements split it across firms.

Trilingual delivery matters here: many founders are international, but RAB correspondence is in Estonian and STR filings are in Estonian. We translate without loss.