FIAU publishes revised AML/CFT Implementing Procedures

Updates reflect legislative amendments to PMLA and PMLFTR

The aim of the FIAU Implementing Procedures is to assist financial service providers as well as a number of professionals who meet the requirements of subject persons to understand and fulfil their obligations under the law.

Following the entry into force of the 4th Anti-Money Laundering Directive (AMLD IV) in 2017, the Financial Intelligence Analysis Unit (FIAU), as the authority which monitors Malta’s compliance with the directive, issued a revised version of the Implementing Procedures in July 2019, with the scope of providing a more comprehensive guidance to financial service providers as well as subject persons complying with their anti-money laundering and combating the financing of terrorism (AML/CFT) obligations.

These updates reflect the legislative amendments to the Prevention of Money Laundering Act (“PMLA”) and the Prevention of Money Laundering and Funding of Terrorism Regulations (“PMLFTR”), which took place between December 2017 and January 2018.

The more significant amendments have affected the following topics:

  • Risk-based approach;
  • Customer due diligence;
  • Non-reputable and high-risk jurisdictions;
  • Sanction screening;
  • Money laundering reporting officer; and
  • Outsourcing.

Risk-based approach

The risk-based approach entails that every subject person must adopt and implement a series of measures, policies, controls and procedures to prevent the financial systems from being misused for money laundering or financing of terrorism (ML/FT) according to the sector which they function in. Consequently, the effectiveness of the risk-based approach will depend on the subject person’s proper understanding of the ML/FT risk (vulnerabilities and threats) to which it is exposed to (inherent risk). Furthermore, the identification of the ML/FT risk must be followed by an assessment of these risks by considering the likelihood of risk manifesting itself and the impact any such manifestation would have. The Implementing Procedures indicate that a subject person’s residual risk that should fall within the risk appetite should never be more than that which cannot be mitigated effectively.

In order to enable the subject person to understand its obligations that emanate from the risk-based approach, the Implementing Procedures provide a more detailed explanation on how a business risk assessment (BRA) and customer risk assessment (CRA) are to be conducted. The BRA takes into consideration the list of various risks including customer, geographical, product, services and transaction and delivery channel risk. Further detail is also given for each type of risk in order to aid the subject person to identify and reduce risks from occurring.

Customer due diligence

The section on customer due diligence (CDD) has also been increased substantially. The Implementing Procedures include specific requirements for the definitions of customer, agent and beneficial owner, the method of conducting appropriate and effective on going monitoring by means of an automated system, the steps on how to handle a high-risk scenario, the method on how to deal with politically exposed persons (PEPs) and correspondent banks and the methodology necessary for the usability of technological alternatives for carrying out CDD obligations, particularly for the identification and verification of customers. The Implementing Procedures now offer more flexibility on the use of technological alternatives to fulfil AML/CFT obligations.

Non-reputable and high-risk jurisdictions

The Implementing Procedures now also offer a more detailed procedure for identifying and dealing with non-reputable jurisdictions. A non-reputable jurisdiction is one that has deficiencies in its national AML/CFT regime or has inappropriate and ineffective measures for the prevention of ML/FT. The Implementing Procedures provide a list of sources that subject persons need to take in consideration, namely, FATF documents, Commission Delegated Regulation (EU) identifying high-risk third countries with strategic deficiencies and Statements and/or Declarations issued by the Financial Action Task Force (FATF) or by an FATF-style regional body (FSRB). In addition, it provides categories of risk both for non-reputable jurisdictions and high-risk jurisdictions depending on the strategic deficiencies and on the progress made or on the remediation plans in place.

Sanction screening

Another topic revised by the FIAU is related to sanction screening. Subject persons have to undertake other measures at law which although do not emanate from the Implementing Procedures are now directly mentioned within them. These obligations relate to the National Interest (Enabling Powers) Act relating to sanctions screening, freezing of assets and reporting. Subject persons are encouraged to keep up to date with any sanctions that may be issued by the Sanctions Monitoring Board.

Money laundering reporting officer

The role of the money laundering reporting officer (MLRO) has also been revamped since they do not need to be physically located in Malta and instead could lead the role from where the subject person’s operations are directed or the records are kept. Consequently, it is now up to the subject person to determine where the MLRO must be located to fulfil their function effectively. However, the MLRO must have access at all times (physically or remotely) to all the subject person’s records and systems.


Further clarifications have been offered in the area of outsourcing, in order to aid the subject persons in having a clearer comprehension of what duties can be externalised. The Implementing Procedures also clarify the distinction between the responsibilities of the subject person and of the outsourced service provider and the conditions under which outsourcing can take place.

Virtual Financial Assets

Another interesting addition is the inclusion of Virtual Financial Assets that now also fall within the remit of the Implementing Procedures.


Preparations are currently underway for the transposition of the 5th AML Directive (AMLD V) by January 2020. The AMLD V will further enhance requirements for EU member states and subject persons, making it even more challenging to navigate regulatory requirements. The scope of this directive is mainly to reduce the loopholes that were abused of by criminals by improving accessibility and use of the register of beneficial owners, which also includes trusts and similar arrangements. A major addition to the directive is the decision to tackle the developing sector of virtual currencies, identifying virtual currency platforms and wallet providers as obliged entities, which are now required to implement CDD and transaction monitoring. Other important changes are related to prepaid cards and measures aimed to strengthen the national AML authorities by equipping them with more powers and systems.

Within this context, on 14th October, 2019 the FIAU released a consultation document with the scope of making all the interested parties aware of the proposed amendments to the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR). The aim of these amendments is that of “continu[ing] to strengthen the integrity of the EU’s financial system and the fight against money laundering and terrorism financing (“ML/FT”)”

How can Deloitte help?

We offer comprehensive and tailored advisory services covering all aspects of AML compliance. We leverage on our international and local expertise and take a holistic approach to our work giving due consideration to overlapping issues such as international sanctions, fraud, bribery, corruption, retail regulations and data privacy considerations. Within the context of the revised Implementing Procedures, our services include:

  • Training to management and board members.
  • Regulatory framework and gap analysis in light of the revised FIAU Implementing Procedures.
  • Assessment of AML and CFT oversight model and AML function audit.
  • AML/CFT business risk assessment or customer risk assessment support.
  • Customer due diligence support.

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?