By 2027, every financial institution in the EU will need a structured intelligence sharing framework in place. Most are nowhere near ready. Estonia has been running one for over five years.
In this episode of Follow the Money, host Dr Nicola Harding sits down with Siiri Graabi — sanctions and counter-terrorism financing officer at Coop Pank and chair of the sanctions working group at the Estonian Banking Association — to find out what that system actually looks like from the inside. How it was built. How trust between competing banks was established. What it took to bring public authorities into the same network. And what the rest of Europe needs to stop debating and start doing.
Siiri brings a perspective that very few compliance professionals have: before joining banking, she spent over a decade as an Estonian diplomat, including time in Brussels where she was in the room as EU sanctions packages were negotiated. She helped write the rules. Now she enforces them — and watches them get evaded in real time.
Introduction: the strange irony at the heart of AML compliance
Dr Nicola Harding There’s a strange irony at the heart of financial crime compliance. We build our entire regulatory architecture around stopping money laundering, sanctions evasion and fraud. But the people tasked with enforcing those rules mostly work alone, bank by bank, institution by institution, unable to really share what they’re seeing. Estonia decided to do something about that, not in theory, but in practice. And they built a real system in real banks with real results.
And today we’re talking to someone who helped make it happen and who did something quite unusual before that. She helped write the rules in the first place. Our guest today is Siiri Graabi. Siiri is the sanctions and counter-terrorism financing officer at Coop Pank in Estonia and she chairs the sanctions working group at the Estonian Banking Association. Before banking she spent over a decade as an Estonian diplomat, including time as a RELEX counsellor in Brussels, which means she was in the room when EU sanctions were being negotiated and written. She now sits on the other side of that work watching how those same sanctions get evaded inside a bank in real time. It’s a very genuinely rare vantage point and why she was absolutely essential to come on and talk to us here on Follow the Money. The context for this conversation matters. The rest of Europe is facing a hard deadline: under AMLR Article 75 and PSR Article 83, financial institutions across the EU will be required to implement structured intelligence sharing frameworks by 2027. Estonia has been doing this for years and today we want to understand what they’ve actually built, how they built it and what everyone else should be thinking about right now. So Siiri, thank you for joining us and welcome to Follow the Money.
Siiri Graabi Hi Nicola and thank you so much for inviting me. I’m very glad to have the opportunity to share my experience with sharing the intelligence and with the rest, whatever your questions bring on the table.
From diplomat to banker: seeing sanctions from both sides
Dr Nicola Harding Well, glad that you’re open for an honest and frank discussion because I know that you’ve got such brilliant insights to share. I want to start from the position of moving from a diplomat to banking. You know, most people arrive in financial crime through compliance or law enforcement. Your route has been genuinely unusual. Can you tell us what your work actually looked like, you know, day to day, moving from diplomat to banking?
Siiri Graabi Well, yeah, actually the reason why I left the Foreign Service was that a mini me came to my life. So kind of as usual there’s something happens in a life that makes you kind of review your life in general, your career path, what you’re doing and I decided that I don’t want to be constantly absent traveling around and not seeing my child too much and not spending time with her, not seeing how she’s growing. So I decided to take some time off. But as usual in Estonia, we tend to know each other. Like people are moving from one position to the other. You have cooperated with somebody. So I was cooperating with the head of AML department as a diplomat from the Estonian Swedbank. And then he had moved to another bank in Estonia. So we kind of we still kept going, interacting and as the sanctions became more and more noticed and understood as well in Estonia. So the sanctions officers were required in the banks more and more, especially with the in-depth knowledge. So that’s how I was taken into the banking world.
Dr Nicola Harding When you crossed into the banking side, what was the most striking thing that you noticed? What did sanctions compliance look like from inside the bank compared to how it was conceived in Brussels?
Siiri Graabi Time was of essence. We cannot forget that the sanctions are actually a political tool. So if there is something going on in the world, you have to put the political pressure. You have to do it now. You have to achieve an agreement by certain date, by certain time, until certain meeting, right? You have to show the political will. But in the banks, things don’t work with a fingertip that now it’s done. Especially if it’s not done and if it’s not written in the practice of the bank, if it needs the IT development, different departments to be joined and so on and so on. It’s, yeah, time of essence doesn’t work in banks, especially if there are new measures coming in. I don’t mean the new listings, but really like new financial measures where banks have to start collecting the data that they have never collected before and it has not been by any means the obligation they have to collect or that they have to do additional checks which has not been required previously like you have to train your whole bank to act differently, ask different questions and so on. It’s not that easy. Even in a small bank, can you then imagine what it must be in a big bank? And of course, when you’re a diplomat, then you just put something on the table. You mostly argue whether it’s a must, shall or should in the legal act quite often because you have kind of the proposal, comes kind of the political will is there. We have to do so the legal text has to be correct.
But what we tend to do in banks is that maybe we overcomplicate things, we overthink things. And it’s not only in the banks, but as well it’s then the supervisors who give the guidance, as well the European Commission who gives the guidance, because those people who give the guidance, they don’t participate in the political discussions and they don’t always grasp the political aim that any of the sanctions has been having or the politicians or diplomats meant while adding it into the regulation.
Dr Nicola Harding When you were doing the kind of diplomatic work on this, the moments during that drafting process where you knew a measure would be hard to enforce in practice, or did that become more apparent when you were in the banking world?
Siiri Graabi I was there to discuss the Iran sanctions package. Remember those lively discussions still after midnight and whether it’s implementable even or actually think it could be done. People don’t suitcases with cash across the border, right, to Iran. And even then the SWIFT prohibition was discussed whether it would even be possible. Now with Russia’s sanctions we know that it is possible and it’s really kind of the extent it has become now that the sanctions they are they’re going to be evolving and evolving and getting more and more difficult. More restrictions you have, the more evasion cases you have.
The working group that became the foundation
Dr Nicola Harding This is a real common thing for us as criminologists, one that people don’t collect enough data or the right data so that when you want to analyse it, it simply isn’t there. And what that means is you call it the dark figure of crime in criminology, but basically we know that it’s there. It’s the known unknowns. And when you start legislating, when you create, you know, crime is a social construction. It’s created through the creation of laws and sanctions, because until you have those laws and sanctions, you don’t recognise that that action is necessarily occurring or at least you can’t kind of draw gates around it to be able to define it and understand the size of the problem and I think it’s something I can very much relate to is that we see it not just in financial services but any large organisation when rules change, when processes change, that action is really difficult to implement but necessary.
But firstly you now chair the sanctions working group in the Estonian Banking Association. Can you tell us a little bit about what that group actually does and how it connects to your day-to-day role at Coop Pank?
Siiri Graabi Yeah, well, we usually have regular monthly meetings and we actually discuss different topics that are relevant at the moment. For example, the implementation of the regulations, if something new comes out and if there is something new to understand, for example, like the instant payment regulation, there are still so many uncertainties, right? And we at least try to give the common understanding and the common ground so that we would at least implement the things similarly or the Russia sanctions and we also share the experiences what we have. We have as well the supervisors on board at the meeting so that if they have something valuable to add or we have any questions to them or they have questions to us then we can exchange the information. We do the trainings as well so I try to involve and share the information in different trainings to the colleagues and yeah and as well for example we have agreed on how we exchange the information and which information through Salv with each other related to sanctions. Yeah but it’s kind of that it seems really simple, the thing we do, but at the same time, you have to really look into it. You need to understand what you’re talking about. You have to chair the group. You have to collect the ideas, what to discuss. But in general, I would have to look into the same legal acts on my daily job anyway, so I look into it. So it’s rather easier to do it collectively and we raise up the questions that we have, kind of we discuss, it’s much easier than to do it on my own because we all notice different things, different patterns. And yeah, it’s always good to know the different evasion cases or get the trainings because this is how I can set up the rules to discover evasion. Kind of train as well my own colleagues in the bank, share them with new information. So it’s kind of all related to the daily job a lot.
Dr Nicola Harding It feels like the working group is like a bit of a kind of sanctions kind of engine behind some of the things that are going on in Estonia. And I can completely relate, you know, we kind of have that phrase, don’t we, that more heads are better than one. But being able to come and share those experiences and kind of elevate each other’s standards as well without having to do that in and see that this is a competitive but rather cooperative is really —
Siiri Graabi Indeed, that is very helpful and as well it builds trust, that if we see each other, if we all discuss things openly, and it doesn’t build only trust between the banks, but as well with the public sector, because we know each other, we have each other’s phone numbers, so that the person who is calling you, you know the face, you know that there’s somebody who has a trouble and he or she wants to discuss them, then it’s so much easier to do if you know and trust the people.
How intelligence sharing works in practice
Dr Nicola Harding Let’s now get into that system itself. For people who are maybe listening to this but haven’t encountered it in practice, what is cross-institution intelligence sharing in Estonia? What does it actually involve? And if you’re able to, can you walk us through a specific scenario, like anonymised, if it makes it easier, of like a fraud case or a sanctions hit? What happens?
Siiri Graabi Well in Estonia we have had Salv up and running for over five years now and it’s a really useful tool.
First, I think we were kind of, we were really looking forward to it. We were open. We wanted to exchange the information and, you know, the information is exchanged anyway. Not only in Estonia, but as well in other countries. We all have those, know those WeChat groups and different forums where to share the information or just text messages, groups, whatever that are accessible. Right. But why not to do it then actually in legal encrypted way so that we can actually track then afterwards the information where did we receive it, what we are basing our information on, or where did we receive it? The kind of all the audit trail is really important. So and it’s really simple if you can say that yes, we have this exchange of information platform and we got it there. We got the date of birth directly from the source, right? And so that when we started sharing the information. It started slowly. We were not really sure how to ask, what to ask. But sanctions. Sanctions were really easy. If you sent a sanction RFI, usually what you need is the father’s name, date of birth, citizenship, or whether the person is resident currently so you can kind of eliminate that actually this Sergei Ivanov is not the sanctioned Sergei Ivanov.
So that was really easy and that has been up and running really fast. And really the practical case is that you have an alert because we all have to do the screening. So I can send it takes literally seconds to send from the template to the other bank. Could you please send the date of birth and citizenship, whatever is required. And you’ll get the reply within minutes. So the money can really flow because the aim is to make the payment happen for my client and the aim for the other bank should be to receive the funds for their clients so that both of our clients can be happy. And if there’s nothing wrong, why not?
And with the fraud, it’s the same. We actually do see when there’s the fraudulent case. We see if our client is a victim. For example, let’s take our client as a victim. The funds from her account, his account have been sent to another bank. I can instantly send the message, our client has been frauded, we just got the confirmation. And then the other bank can block the account where the funds were sent to, so that the funds are not sent to the other bank’s, PSPs around the world. So that there is much higher possibility to get the funds back when then the official recall is presented.
And actually we even have managed to receive funds back if the vIBAN account has been used. So that means that vIBAN we all know it might not even be the citizen of the EU or SEPA area. So those funds usually travel out really fast from Europe.
And what we also do is that we exchange the information as well. If I see that, for example, my bank’s client is a victim and I know that he or she has an account in another bank as well. I can straight away notify that our client is making the transfer between own accounts. Have you seen the fraudulent behavior as well? Please pay attention to that account. And it’s quite often then that the funds actually can be stopped because we have all those wonderful other tools as well to notice the different behavior, we have the monitoring rules and so on and so on. But, you know, we don’t check every payment from the first euro, right? The fraudsters, they have their own companies with the psychological knowledge. They have trainings, they have call centers and so on. So it’s quite common that those people who have been victims of the fraud at some point they are turned to become the money mules themselves for example. And if a person who has been manipulated and hears the same information from different banks, from different people, then the person is much more open to understand that he or she has been frauded.
Dr Nicola Harding It really strikes me in everything that you’ve described is that I always think about data as kind of different if you think about the night sky and stars. So each little data point is one of those pinpricks of light. What you’re describing is almost where you’re able to make those connections, whether it be from the victim’s bank into a money mule account or what have you. But the point that you made around have they opened other accounts and stuff like that, it’s almost like you start to be able to see the constellations and how they all connect together before it kind of completely collapses.
Siiri Graabi Mm-hmm.
Dr Nicola Harding Having this kind of infrastructure in place allows people who maybe haven’t been in the industry as long, haven’t been able to network and make those connections. It’s less reliant on who you know and are able to talk to and more as an infrastructural base that will last beyond those relationships. And I think that’s the key thing for me is that you’ve got that clear audit trail as you said but it comes back to still trust and I think you know you mentioned this earlier trust is the real foundation of this between institutions that can also sometimes be considered competitors. I’d really love to dig into more about how that trust was actually built in Estonia, you know, were there early sceptics among the banks and what shifted their position?
How trust was built between competing banks
Siiri Graabi Well, I wouldn’t say that we have had really those skeptics in the banks because where it all started from was as well that we used to have information sharing working group as well in the banking association. And kind of the idea first came from there because of the working group, it met bi-weekly, so not too often and there was really kind of there were those urgent cases that you really had to share. So it was kind of raised then to the people in the banks. Salv was already on the market as well, opening their screening and monitoring tool, so the Salv people were involved and since of the Estonian banks, were actually willing and understood the issue. So straight away the authorities were involved, the legal acts were reviewed, whether it allows, as well from the GDPR’s perspective. So the Estonian Data Protection Authority was involved straight away. So I think there was such a strong, both political will and as well kind of from the industry side, there was the will to make it official, to make it faster, and to really fight the financial crime. That it just happened naturally, I would say, out of the necessity.
There was like, is this actually allowed by the law that we can share? Trying to find the limits what we can do, what we cannot do and kind of then the memorandum of understanding was drafted so that we would all behave. It all started. It was kind of the combination of everything.
Dr Nicola Harding I think because of everything you’ve already mentioned, obviously Estonia being quite small, but also there seems to be that genuine will to want to collaborate and collaboration already happening, but just needing that avenue to really embed it in infrastructure. So we’ve got Estonia sorted. I’m really interested in how this now goes across border. I know that Estonian banks are now sharing intelligence with Lithuanian institutions. Including different fintechs. Like how did that cross-border extension happen and what were the additional complexities if any compared to just doing it within Estonia?
Going cross-border and the fintech question
Siiri Graabi It’s always much easier if you do it in your own country, right? Where we have our own language and then Lithuania it has it’s completely different language. But luckily we have the common financial language.
I wouldn’t say that there were any complications, but there were hesitations, there were discussions whether it’s allowed, is it possible, what would be the legal basis to do that cross-border. But we found the common ground, the possibilities, and again, there’s the will. If we see that most of the fraudulent funds go to one fintech in another country and the other fintech doesn’t want to be as the fintech where all the fraudulent funds go, right? Then they want to the cooperation and we want to receive the funds back for our clients. So it’s all the matter of the will in the end. And I think the cooperation is really good.
Dr Nicola Harding Are there any kind of operational difference between fintechs and more traditional banks? You know, obviously the fintechs were supposed to be the disruptors in this marketplace. Now they’re a little bit older and they’ve been around a little while. Do you think that kind of this kind of cooperation, is it something that’s favoured more by fintechs or traditional banks or do you think that it’s much in the same?
Siiri Graabi I think it’s rather more maybe even favoured by traditional banks because we have the compliance structures in place, we have the ground is more solid where to start from while you are the fintech or just a smaller PSP. You have so many things to do and there’s always the shortage with staffing and sometimes the fintechs might not be part of the banking associations. But those who want, they will find means and they will join and they will do it.
Dr Nicola Harding Think that’s again where this collaboration comes in, isn’t it? Is that there’s a lot that can be learnt, not just through the sharing of intelligence, but even like the practices and I you said at the beginning, you know, at first you didn’t know even what questions to ask. You know you guys have got that experience now, not just that fintechs can learn from more traditional banks, but also that the rest of Europe should be looking at Estonia as a case study. Yes, OK, you’re small, but you’re doing it and that model can be replicated Europe-wide and obviously with the new regulations coming in, should be. So it’s not a case of you how do we do this now, it’s being done, it’s how can we roll this out.
We’ve focused a lot on banking so far and I wanted to just touch a little bit upon the public-private dimension because intelligence sharing infrastructure in Estonia doesn’t just connect banks to banks, there’s also a relationship with the public authorities. So what does that look like in practice?
Public authorities in the system
Siiri Graabi Yeah, well with Salv, we actually have as well the public sector involved and that is also based on trust and they need to exchange the information. So it started slowly as well, kind of private sector was already in, but the public sector was still, whether they can exchange the information or not, kind of the platform is secure enough, whether it’s encrypted enough. So that’s always the question as well, right? That it’s not so easy in public sector to have some private platform attached to their systems, especially if there’s a lot of restricted material in maybe.
If that was all through and checked in, we had our first public sector authority who was joined and with whom we started exchanging the information straight away actively because this is as well kind of the information that you wouldn’t otherwise share with the kind of text message so it’s rather kind of best if it is encrypted and treated confidentially. And as well then, as in Estonia the law changed, we have to inform as well some other authorities of the sanction evasion cases that we discover, not only than the financial sanctions, but for example trade sanctions or other restrictions and since now there were new authorities who had to receive the information that they didn’t receive before and they didn’t have the platform like the Estonian FIU has for the reporting so they needed something. So Salv was there as the fastest easiest option to open the route for us, the encrypted route where you can as well attach the documents as many as needed because just, you know, encrypting a large amount of documents usually the emails don’t allow such volume to be sent through, so it had to be in different batches and so on, now it’s nice, secure, easy way for the authorities to receive the information and as well to export it from Salv so that they could add it or copy it to their own systems.
That has been really fruitful, that it’s easy. We have the structure, we took people from Salv and from the authorities behind the table. We drafted all together kind of the basis, the kind of form we have to fill, what everybody would find easy to do. So that has been kind of a really easy and smooth process for each party.
Dr Nicola Harding Is this something that the regulators being involved in as well? Because obviously, like you said, the informal networks were there, but this is not the type of data or the type of sharing that you could have done within those networks. So it’s been able to expand out the ability, you know, with criminals, they have no regulation, they don’t care, they share data. And it’s surprising with criminals, you would think, if you’ve got one organised crime group, they want to keep all of their secrets away from another. But actually that information getting exchanged and shared is currency in the criminal world. So if they want to go from there to there, they can do it without any restrictions in ways that we simply can’t. Being able to share this data now safely and in legal ways that can then be actioned upon. To take actions against these criminal entities, you know, is needed in the fight against financial crime and serious organised crime. What was the regulator’s take on the regulator’s role? Is this something that they’re helping with? Have they supported?
Siiri Graabi Yeah, the regulators have really been supporting it. As I said previously as well, then was as well the political understanding and the political will and Salv was being part of the discussions with the politicians, with the regulators, with all the different sides as well as the platform provider and then the banks, they were all jointly backing that we really need this platform.
Received and for example when we have received the regular feedback as well from the Estonian FIU as well they actually appreciate if we put down in our reports that we have received bits and pieces of information through Salv Bridge because then they know that there will be probably within the days a new report coming from a different bank as well adding some additional investigation points or they could choose to actually build the whole case and they know that they will see a much bigger, wider picture. Otherwise it might have been lost, you know you might discover the dots a few years later when it’s too late, right? There’s nothing to do, the crimes already happened, the funds are wasted, washed, whatever is done with it.
The 2027 deadline and advice for Europe
Dr Nicola Harding So thinking forward now, the rest of Europe has got a deadline. The AMLR Article 75 and the PSR Article 83 intelligence sharing frameworks require across EU institutions by 2027. That sounds like a long time. Is it for what needs to be achieved?
Siiri Graabi I would say already —
Dr Nicola Harding What do you think is the minimum viable timeline to build something that actually works, not just ticks a box?
Siiri Graabi You need the passionate crime fighters to build it like are in Salv. Each time when I meet anybody from Salv I just feel that how the knowledge and the brains and the vibes to do something better in the world hit me. I all of a sudden feel much smarter. But so first of all, so there needs to be somebody who provides the platform. Who have the mission to do something themselves. So is there a platform? Is there a legal grounds in place at all in the country or do they wait for the regulations to kick in and then they start kind of writing their own regulation? Are the politicians ready to give such possibilities even? How do they interpret GDPR? Like it’s so easy to say that, no, no, no, we are not allowed, GDPR doesn’t allow. Not all data is GDPR. First of all. So let’s start from there. And then what is under GDPR? Let’s see if the GDPR allows to share the data exchange and share the data, the intelligence or not. It’s not all restricted, right? And then the internal policies of the banks and fintechs, they have to correspond. You have to have enough resources. Then you have to have your IT department ready to install the systems right. Some systems are more complicated than the others. It does take time. So I say that 2027 it’s already —
Dr Nicola Harding Based on everything that you’ve seen and experienced in Estonia and right from your origins in the beginning as a diplomat, what do you think is the most important thing that public authorities need to do differently to make this happen?
Siiri Graabi Public authorities have to be more open and more willing to share themselves while they should set the example that sharing is fine. As well, discuss with us the new possible financial measures and sanction regulations where we could give our feedback, improve the wording of the regulations, say straight away that it wouldn’t work. So, yeah, this is where we should start, kind of the openness, from as well from the public sector side.
Dr Nicola Harding Completely agree. What do you think is the biggest misconception that European banks have about intelligence sharing right now?
Siiri Graabi That we all want to get the other banks’ clients to ourselves, but it’s not the case. I don’t actually want your criminal to become my client. I just want to receive the information and intelligence to know if my doubts are correct. Or I don’t want your client. I just want your client to receive the funds and I need the date of birth to eliminate the sanctions applicability.
Dr Nicola Harding For a compliance officer at a mid-sized bank in Germany or France listening to this right now, what would their version of what you’ve built actually look like? Where would they need to start?
Siiri Graabi That would look pretty much like we have in Estonia, right? But it’s just that they need to start understanding that it’s a requirement and they should change their mindset that it’s a will and they shouldn’t be afraid that it will bring much more workload. Actually, it helps to do the investigations much faster, much simpler. You have much fuller reports, so it benefits. And it doesn’t create more work. So this is where to start, of shifting the mindset.
Dr Nicola Harding What’s one thing that Estonia did right that the rest of Europe hasn’t understood yet?
Siiri Graabi We started straight away from doing and not —
Dr Nicola Harding The moment you realised that the system was actually working?
Siiri Graabi That was like, wow, it really works. The transactions actually go through much faster. You don’t have to have this extra work for sending SWIFT messages to another bank in Estonia. Or you don’t have to call to another colleague in the bank who has actually already changed the position or moved to another bank or on maternity leave or parental leave or, you know, enjoying the life in Bahamas. All of a sudden, some of the things became so simple.
Dr Nicola Harding What piece of regulation do you wish you could rewrite now that you’ve seen the other side?
Siiri Graabi I don’t know if there would be any real regulation I would write differently, but I would engage the financial associations more to understand better how actually the banks work.
Dr Nicola Harding And the one thing that public authorities could do tomorrow that would make the biggest difference?
Siiri Graabi Open, start sharing and don’t treat us like enemies but as collaborators.
Dr Nicola Harding And finally, if you weren’t doing this, what would you be doing?
Siiri Graabi I would be probably living in New Zealand, being a shepherd, reading the books under the tree in the shade and having my daughter and my dog with me and just, you know, enjoying life. Or I would do the charity work.
Dr Nicola Harding Brilliant. That sounds idyllic. It really does.
Siiri, you’ve been an absolutely brilliant guest. I’m so fascinated and I honestly could just talk to you all day. Thank you so much for joining us today. Really, really appreciate it and for sharing your experiences and for all the work that you’ve done both in Estonia and in the EU. Thank you so much.
Siiri Graabi Thank you once again for having me and it was really a lovely chat.