ESTO: An outside set of eyes gives additional assurance

Financial services are one of the most strictly regulated business areas. It is to be expected that every financial service provider must have an internal auditor, be it a paid staff member or outsourced service. ESTO Group, a credit provider founded in 2017 that expanded to Latvia and Lithuania in 2021, went the outsourcing route and partnered with Grant Thornton Baltic for internal audit services.

One of the founders of ESTO, current ESTO Holdings OÜ CEO Mikk Metsa recalled that cooperation with Grant Thornton Baltic started in 2019 when ESTO only had a few employees. The company then started growing quickly and now has several dozen employees in Estonia, and subsidiaries in Latvia and Lithuania, so that the group has a total 70 employees. ESTO clients include more than 3000 online stores and hundreds of thousands of individual consumers shopping online. The rapid growth and internationalization made the company start looking for a capable internal auditor. Mikk Metsa takes questions.

How did ESTO’s partnership with Grant Thornton Baltic begin ?

At the start of the company’s operations, we had another internal audit service provider, but we weren’t satisfied and started looking around. Grant Thornton Baltic was recommended to us and since we wanted a service provider who would also operate in Latvia and Lithuania, that was a weighty argument in favour of Grant Thornton Baltic.

You mentioned that you weren’t happy with the first internal auditor. What were the criteria that determined the selection of internal auditor to your satisfaction?

It was important for us that processes be well managed. We work closely with external service providers and thus we have a great deal of information that has to move between different people. Exchange of information has to be professional – there has to be a definite procedure for who talks to whom and who deals with obtaining and structuring additional information. Unfortunately smaller internal audit providers aren’t up to all challenges, but at Grant Thornton Baltic everything is organized professionally.

In the financial sector, having an internal auditor is obligatory but leaving that aside, why is an internal auditor beneficial from the CEO’s point of view?

When we started out, the company was smaller, I was personally involved in every part of the work and had an overview of it all. Now there are subsidiaries in Estonia, Latvia and. Lithuania and each country’s company has its own team, director and regulatory obligations. The stakes are high – if we give loans on the wrong terms somewhere or fail to check backgrounds of borrowers the consequences can be high.

For me as the CEO of the group, having an internal auditor is very important. The auditor is the outside party who keeps an eye on our procedures, prepares reports and I can later communicate to the directors of the Baltic subsidiaries what needs to be improved and what is well. Although every director makes sure that things are in order, an outside set of eyes is useful for getting additional assurance.

In 2022, you launched internal audits in Latvia and Lithuania. How has the process got under way?

Well. What speaks in favour of Grant Thornton Baltic is the fact that they have staff in both Latvia and Lithuania and the internal audits of the companies there are not done from Estonia. This ensures convenient communication in local languages and a thorough knowledge of the local regulations and particularities.

How are Estonian regulations different from those of Latvia and Lithuania?

The common keyword for the Baltics is the very detailed rules imposed on lenders that are not banks. ESTO has been issued a credit provider’s licence and supervisory authorities scrutinize very pedantically every detail related to issuing loans, customer identification and anti-money laundering measures.

It was however a surprise to us that the Lithuanian central bank is the most detail-oriented and has regulated more aspects than in Latvia and Estonia. In Latvia, in our opinion, the requirements are more detailed than in Estonia. So when we entered these states in 2021, we didn’t expect the requirements to be so strict and we had to bear additional expenses to meet them. But we did all we could to ensure that the processes related to gathering, retaining and processing customer data were organized as required.

What value-added has internal auditor’s work given ESTO?

The main benefit is in the fact that people from outside review our processes. Yes, legislation and other regulations have the requirements clearly detailed, but in every process and especially in the fintech business there is a huge amount of data and the technology must be checked constantly. That’s why it’s great that in addition to our internal audits there is also external oversight.

If you had to describe the partnership between ESTO and Grant Thornton Baltic in the field of internal audit?

Professional, fast and efficient.

Internal audits in ESTO AS

Risk assessment, assessment of the efficacy of internal AML processes and their conformity to legislation, and internal audits in the field of data security and personal data protection. Each year, compliance with the previous year’s internal audit recommendation has been analysed as well.

^{Kai Paalberg, Grant Thornton Baltic's Head of Business Risk Services and Senior Internal Auditor}