Financial Sector Assessment Program-Technical Note-Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT)

This technical note on Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) for the Malta summarizes the findings of a targeted review of several aspects of Malta’s progress in addressing AML/CFT vulnerabilities in the financial sector, specifically the banking sector. The report recommends that while Malta has strengthened AML/CFT requirements for banks in recent years, the implementation of AML/CFT preventive measures should be improved further. Although important milestones have been implemented by the Financial Intelligence Analysis Unit and Malta Financial Services Authority to enhance AML/CFT supervision since mid-2017, recent AML/CFT violations raise doubts as to their capacity to effectively identify and address AML/CFT compliance breaches. A multiprong strategy is needed to address these deficiencies. The focus needs to be on developing more effective AML/CFT enforcement and ensuring that banks apply appropriate preventive measures in relation to their high-risk activities and clients. AML/CFT supervision needs to more stringently evaluate banks’ risk mitigation models, ensure that customer due diligence requirements are properly followed, and apply corrective actions and sanctions when deficiencies are identified.


This technical note on Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) for the Malta summarizes the findings of a targeted review of several aspects of Malta’s progress in addressing AML/CFT vulnerabilities in the financial sector, specifically the banking sector. The report recommends that while Malta has strengthened AML/CFT requirements for banks in recent years, the implementation of AML/CFT preventive measures should be improved further. Although important milestones have been implemented by the Financial Intelligence Analysis Unit and Malta Financial Services Authority to enhance AML/CFT supervision since mid-2017, recent AML/CFT violations raise doubts as to their capacity to effectively identify and address AML/CFT compliance breaches. A multiprong strategy is needed to address these deficiencies. The focus needs to be on developing more effective AML/CFT enforcement and ensuring that banks apply appropriate preventive measures in relation to their high-risk activities and clients. AML/CFT supervision needs to more stringently evaluate banks’ risk mitigation models, ensure that customer due diligence requirements are properly followed, and apply corrective actions and sanctions when deficiencies are identified.

Executive Summary1

This technical note (TN) sets out the findings and recommendations of the Financial Sector Assessment Program (FSAP) for the Republic of Malta in the areas of Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT). It summarizes the findings of a targeted review of several aspects of Malta’s progress in addressing AML/CFT vulnerabilities in the financial sector, specifically the banking sector. A full assessment of the AML/CFT framework against the current Financial Action Task Force (FATF) standard was conducted by MONEYVAL in 2018, and the mutual evaluation report was published in July 2019. 2,3 Although significant steps have been taken to strengthen the AML/CFT regime since the March 2012 fourth round MONEYVAL mutual evaluation report to bring the AML/CFT framework into line with the 2012 FATF standard and improve its effectiveness, overall effectiveness is still lacking. The authorities developed an ambitious national strategy and action plan for prioritizing AML/CFT policies and activities, but it is still in its initial phase of implementation.

Some authorities have a good understanding of money laundering and terrorist financing (ML/TF) risks, and the National Risk Assessment (NRA) was recently revised, however more is needed to improve the understanding of risks and use of the risk-based approach by all concerned agencies and reporting entities. Some authorities are cognizant of the main threats (e.g., foreign proceeds of corruption, tax evasion, and fraud) and vulnerabilities (e.g., banking sector, Trust and Company Service Providers (TCSPs), the high reliance on cash). The current understanding of ML/TF risks by the authorities is more limited because it mostly relies on the recent results of the NRA which did not assess comprehensively the risks related to foreign and cross-border flows of proceeds of crimes and was not shared among all concerned agencies.4 The limitation in analyzing cross-border flows and cross-sectorial interconnectedness could understate the magnitude of criminal proceeds in other sectors (e.g. new technologies such as remote gaming, virtual assets). Policy coordination was initiated through the National Coordinating Committee, however, operational cooperation among relevant agencies, including AML/CFT supervisors and law enforcement agencies is still weak.

While Malta has strengthened AML/CFT requirements for banks in recent years, the implementation of AML/CFT preventive measures should be improved further. Banks’ compliance with Customer Due Diligence (CDD) requirements needs to be improved. This is particularly important in the areas of verification of beneficial ownership (BO) information and risk-sensitive ongoing monitoring of accounts, including by applying enhanced or specific measures for new technologies (e.g., virtual assets, remote gaming), and source of funds for the Individual Investor Program (IIP).5 Furthermore, compliance needs to be improved with requirements for enhanced due diligence measures for domestic and foreign politically exposed persons (PEPs), their family members, and close associates and suspicious transaction reporting.

Although important milestones have been implemented by the Financial Intelligence Analysis Unit (FIAU) and Malta Financial Services Authority (MFSA) to enhance AML/CFT supervision since mid-2017, recent AML/CFT violations raise doubts as to their ca pa city to effectively identify and address AML/CFT compliance breaches. These deficiencies cut across several areas of supervision of the FIAU and MFSA and highlighted important deficiencies in the existing regulatory and supervisory framework and its implementation. Furthermore, delays in sanctioning Pilatus Bank combined with an overall low number of sanctions when breaches are identified demonstrate weaknesses in the overall sanction regime. Pilatus bank’s case highlights failure of the domestic supervisors to respond to emerging problems and the limitations arising from the absence of a common EU-wide AML/CFT supervision framework. In addition to the case highlighted above, effective enforcement of AML/CFT requirements should focus on mitigating high-risk areas emanating from non-resident clients and opaque companies, PEPs, remote gaming, source of funds for the IIP, and virtual assets service providers.

A multi-prong strategy is needed to address these deficiencies. The focus needs to be on developing more effective AML/CFT enforcement and ensuring that banks apply appropriate preventive measures in relation to their high-risk activities and clients. AML/CFT supervision needs to more stringently evaluate banks’ risk mitigation models, ensure that customer due diligence requirements are properly followed, and apply corrective actions and sanctions when deficiencies are identified. Finally, establishing a European-level AML/CFT supervisory arrangement could enhance convergence of supervisory practices, and minimize regulatory arbitrage.6

Malta has set up registers of information on the BO of companies and trusts and adopted a new legal framework on BO information. However, the Registry of Companies Agency (ROC) is collecting BO information without conducting proper verification, which negatively impacts the accuracy and credibility of the information in the register. 7

Table 1.

Malta: Main FSAP Recommendations for AML/CFT

article image
NT = Near Term (within 6 months / 1 year); MT = Medium Term (within 2–3 years).


1. This Technical Note (TN) provides a targeted review of Malta’s AML/CFT system in the context of the FSAP.8 It does not constitute an assessment or evaluation of Malta’s AML/CFT system. A full assessment by the Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism (MONEYVAL)9 against the current FATF standard will be available in 2019.

2. As discussed with the authorities prior to the beginning of this exercise, staff’s review focuses mainly on Malta’s efforts to address certain vulnerabilities in the banking sector. The topics covered include the authorities’ understanding of ML risks arising from foreign proceeds of crimes being laundered in or through Malta, the licensing requirements for banks (e.g., fit and proper tests) and risk-based supervision of the banking sector, including for implementation of preventive measures by banks for higher risk customers and products (e.g., foreign clients, PEPs, funds related to the IIP), and the reporting of suspicious transactions. Also covered are the effectiveness and dissuasiveness of sanctions imposed on banks for breaches of compliance.

3. Staff analysis is based on a range of materials and benefitted from discussions with authorities. Staff reviewed available information including the most recent Mutual Evaluation Report (MER) from 2012, and the documentation submitted by the authorities to MONEYVAL on progress made since the last mutual evaluation. The analysis also draws on the authorities’ responses to questions submitted by staff ahead of the FSAP, and discussions held during the miss ion u n dert aken on Sept ember 1 0 –14, 2018, when staff met with officials of the FIAU, MFSA, the Attorney General, the tax authority, the Malta Gaming Authority (MGA), and representatives of three banks.

4. The remainder of this note is structured in the following manner. The progress in strengthening the AML/CFT framework since the last assessment is presented broadly. The note assesses four areas: assessment and understanding of ML/TF risks; the preventive measures in banks related to beneficial ownership, PEPs, and reporting of suspicious transactions; AML/CFT risk-based supervision and sanctions for breaches in compliance; and transparency and beneficial ownership of legal persons established in Malta. The note concludes by recommending measures to strengthen the four relevant elements of the AML/CFT regime.

Progress Since the Last Assessment

5. In the 2012 MER, assessors found a number of shortcomings in Malta’s AML/CFT regime.10 The MER identified key deficiencies in the implementation of the AML/CFT regime, including, lack of convictions for ML of legal persons and low volume of confiscations, weak implementation of preventive measures related to PEPs, suspicious transaction reporting by designated non-financial businesses and professions (DNFBPs), and low numbers of sanctions imposed on reporting entities for breaches in compliance.

6. Since 2012, the Maltese authorities have taken some steps to strengthen the country’s AML/CFT regime. Malta has made improvements to its AML/CFT legislation in recent years. The national transposition and implementation of European Union (EU) directives and regulations helped close several gaps identified in 2012. While the FIAU and MFSA’s resources have increased, they have not kept pace with the increased demands on financial intelligence and AML/CFT supervision. Malta conducted an initial NRA in 2013–14, which was subsequently reviewed and updated in 2017. It fed into the development of a national AML/CFT strategy. To implement the strategy for the next three years, a detailed action plan, including more than 50 detailed action points, was devised and published. An AML/CFT National Coordinating Committee was also established. An increase of resources devoted to AML/CFT supervision has been approved and partially implemented by the FIAU.

7. Malta has yet to be assessed against the prevailing FATF standard. The FATF standard and methodology were revised in 2012 and 2013, respectively, placing a greater emphasis on a risk-based approach to AML/CFT and on assessing the effectiveness of AML/CFT regimes. Specifically, the revised standard now highlights the need for countries to identify, assess, and understand their ML/TF risks, and extends enhanced customer due diligence obligations beyond foreign PEPs to cover domestic PEPs. The MONEYVAL is currently assessing Malta’s AML/CFT regime under the prevailing standard.

Assessing and Understanding ML/TF Risks

A. Context and Risk

8. Malta is a regional and international financial center and an important gateway to Europe. The open nature of the economy, the large (relative to the GDP) and well interconnected financial sector and its exposure to non-resident account holders create significant ML/TF risks. Increasing flows from abroad, including from countries generally considered to pose greater ML/TF risks, may exploit vulnerabilities in the banking sector, real estate, remote gaming, virtual assets, and the IIP. Discussions with the authorities and the private sector resulted in an understanding that most illegal proceeds laundered in or through Malta’s financial sector and the broader economy are generated from predicate offenses committed abroad. As such, Malta is particularly vulnerable to foreign proceeds of corruption, tax evasion, and fraud transiting through Malta, including into Europe. The authorities indicated that laundering of foreign proceeds of crime is often committed using companies established abroad but banking in Malta. The real estate sector is also perceived to be used to launder illicit proceeds (including in cash) stemming from organized crime and corruption from geographic areas of high risk (e.g., Italy and Libya).

9. Malta updated its NRA in 2017, based on a limited range of data and sectors, the results of which were neither published nor communicated to all key authorities and the private sector. 11 Although the NRA is generally of good quality and recognizes main areas of threats and vulnerabilities, it mostly relies on analysis of STRs, investigations, international cooperation requests, trade, and, to a limited extent, financial flows data. A broad range of entities, including supervisors and representatives of the private sector, participated in the NRA process which was coordinated by the FIAU. However, the results of the NRA were communicated to few authorities and were not published. The NRA was later reviewed with the assistance of an external consultant with seemingly limited ownership and involvement of the concerned agencies in the process which led to a lack of internalization and proper comprehension of its results. Furthermore, the data and information used were focused on detected cases (the overall number of cases detected and investigated are low) and did not extend to all relevant sectors.12 As a result, the NRA does not provide a holistic picture of ML/TF risks that Malta is facing.

10. Maltese authorities report to be in the final stages of transposition of the EU Directive 2015/849 (4AMLD) into the national legislation.13 Malta amended its legislative and regulatory framework with the intention to transpose 4AMLD in 2017. Following the issuance of opinion of the European Commission (July 2018) that the transposition is not complete, Maltese authorities have engaged with the European Commission to resolve outstanding issues and aim to complete the transposition of 4AMLD by the end of first quarter of 2019.

11. Understanding of ML risks varies significantly among authorities, financial institutions, and DNFBPs from moderate to basic and sometimes differs significantly from the findings of the NRA. Each competent authority has its own picture of ML risks based on their practical experience which in most cases do not match with each other. The understanding of the risks is rarely based on sufficient analysis and mostly relies on a few data points or perceptions. The understanding of ML risks in the private sector is generally rudimentary and uneven, with a few banks and other reporting entities demonstrating moderate understanding of risks.

12. The authorities’ understanding of vulnerabilities is reasonable but is less so in relation to ML/TF threats. While the authorities demonstrated some understanding of a few risks, overall, they showed an insufficient appreciation of most ML/TF vulnerabilities of various sectors. The key authorities listed main vulnerabilities consistent with the NRA, but no single authority possessed a comprehensive picture of all vulnerabilities. Understanding of threats seems to be less advanced and there are no quantitative or measurable estimates on the amount of proceeds of crime possibly laundered through and in Malta. The NRA noted that the threat posed by the foreign proceeds of crime to Malta is high and listed four groups of several countries according to the level of risk. However, it is not clear what the basis was to include those countries and not others and to assign the level of risk, as some countries in our view seem to pose higher level of risk to Malta than assigned by the NRA. Furthermore, there is an insufficient appreciation of the risks inherent in the Malta’s position of an international financial center and inadequate understanding of the risks emanating from the significant cross-border financial flows and of their nature (e.g., rationale, origin, and destination).

13. The remote gaming industry in Malta faces challenges in understanding and managing ML/TF risks. The NRA noted that controls in the remote gaming industry are at low level and not sufficient to mitigate the ML/TF risks it faces and, as a result, the residual risks remain high in this industry after application of controls. 14 The MGA tends to put an emphasis on safeguards against the fraud of players’ funds and match-fixing but has an insufficiently granular understanding of ML risks specific to the industry. Following amendments to the AML/CFT law, the remote gaming companies became reporting entities in January 2018, therefore subject to CDD, record-keeping, and reporting requirements. The MGA started to conduct AML/CFT inspections in 2018, which may lead to better understanding of risks by the reporting entities and the supervisor.

14. MGA considers that the ML/TF risks in remote gaming are mitigated by the application of preventive measures by financial institutions, as remote gaming transactions are mostly conducted through the financial sector. However, majority of transactions are happening outside of Malta, which limits the ability of the supervisor to ensure that gaming companies only accept payments from financial institutions that are subject to adequate AML/CFT obligations and understand the risks related to remote gaming. Moreover, the Maltese banks that serve the remote gaming do not have an understanding of this industry’s operations and have poor understanding of specific risks in the remote gaming industry.

15. In 2014, Malta introduced a citizenship-by-investment program that allows foreign individuals to acquire European citizenship in exchange for significant fees and investments in the Maltese economy, which entails ML risks.15 Applicants could use illegal proceeds to both pay substantial fees to the authorities and also launder their funds by fulfilling the investment criteria, acquiring an EU citizenship in the process. Malta Individual Investor Program Agency that administers the IIP is generally aware of ML risks inherent in citizenship by investment programs, but considers that the risks are mitigated by its agents who are conducting due diligence on the applicants.16 It may be adequate for some elements of due diligence, like criminal record checks conducted by the Malta’s Police; but performing more complex tasks, such as establishing source of wealth and source of funds of the applicants, which are critical for mitigating ML risks associated with the program, is far more difficult. In particular, the private sector agents commissioned to conduct the due diligence, including the checks on source of wealth and funds, are unable to request information from applicant’s country of origin, which can be useful for getting and verifying information on applicants, but which are accessible only to state bodies. Malta IIP Agency exchanges information with the FIAU, Police, and intelligence services to ensure there are no suspicious reports and/or investigations related to the applicants. In the majority of the cases, Maltese banks both process the contributions and fees and serve as a broker for the IIP clients but seem to perceive it as a low risk activity given the due diligence conducted as part of the application process. This perception among the private sector that the IIP poses low risk seems to be consistent with the NRA, which does not analyze the risks related to the IIP, but such perception is not based on private sector’s own risk assessment or other analysis.

16. The understanding of TF and proliferation financing risks by the authorities and the private sector is generally poor. The NRA concluded that the TF risk is medium-high; however, this conclusion is not based on the analysis of TF threats and was focused mostly on the probability of terrorism acts. TF risks could be mainly associated with migrants coming from conflict zones some of whom may be sympathetic to extremist and terrorist organizations, including by providing financial support, and with transit of funds used for TF through Malta.

17. Malta’s policy requirements for the application of enhanced preventive measures are not supported by risk assessments. Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR) requires reporting entities to apply enhanced CDD in certain scenarios (e.g., dealing with natural or legal persons established in a non-reputable jurisdiction, correspondent banking relationships with a non-EU institution), but these measures are not based on the assessment of risks and some of them are the result of transposition of the EU AML Directive. In addition, the FIAU can prescribe the application of enhanced CDD for activities that are determined to pose high ML/TF risks, but no such determination has been made to date. As there has been no articulation of the ML or TF risks by the authorities, the private sector’s knowledge of those risks derives more from generic material such as FATF and MONEVAL typologies, and informal signals from the main regulators.

B. National AML/CFT Policies and Coordination

18. In April 2018, the authorities published a National AML/CFT Strategy to mitigate ML/TF risks and address shortcomings in Malta’s AML/CFT framework but the National Coordinating Committee to oversee its implementation is not yet effective due to the lack of resources. The authorities developed an AML/CFT strategy and a comprehensive and prioritized action plan to address identified ML/TF risks. However, the current activities of competent authorities, particularly of the law enforcement agencies, are only partially consistent with Malta’s risk profile. Additionally, an AML/CFT National Coordinating Committee was established to ensure the proper implementation of the strategy and action plan. However, the National Coordinating Committee’s secretariat still needs to be properly resourced to perform its functions of policy coordination and ensuring the proper implementation of the action plan.

19. National coordination on operational matters seems to be less effective than on policy matters. There is an apparent lack of effective operational cooperation and coordination among various agencies, especially among AML/CFT supervisors (i.e., FIAU and MFSA) and the FIAU and law enforcement agencies.17 The authorities and the private sector do not have good mechanisms for coordinating AML/CFT activities, such as, for example, fora for public private partnerships or mechanisms for regular sharing of information and expertise.

C. Conclusions and Recommendations

20. The authorities are making efforts at identifying and understanding ML risks, but a more granular understanding is required to effectively mitigate Malta’s ML/TF risks, especially in relation to offshore activities. In particular, the authorities should improve their understanding of ML/TF risks in the banking sector and other vulnerable sectors, such as real estate, remote gaming, virtual assets, and the IIP. The authorities should communicate and share the results of the NRA with relevant stakeholders in the private sector and the competent agencies. The authorities should build on the recent progress in national AML/CFT coordination and enhance operational coordination among relevant agencies, particularly MFSA, FIAU, and law enforcement agencies.

Preventive Measures in Banks—Beneficial Ownership, Peps, and Reporting of Suspicious Transactions

21. Banks have a moderate understanding of ML/TF risks they face and demonstrate an overall weak compliance in applying key preventive measures. This is partly due to the absence, at the time of the on-site examination, of communication regarding the results of the NRA, and of requirements to apply preventive measures on a risk-sensitive basis. According to the authorities and based on results of inspections, compliance is particularly weak in relation to ongoing monitoring and due diligence regarding beneficial owners and PEPs. Banks need to understand the nature and level of ML/TF risks to develop and apply appropriate AML/CFT policies and CDD measures to better enable them to detect and report suspicious transactions.

A. Beneficial Ownership

22. The main risks that banks face are associated with non-resident customers and business activities, new technologies (e.g., virtual assets and remote gaming), and investments from the IIP. It is however unclear if banks have access to or whether they properly identify and verify the identity of their customers including the beneficial owners, including Maltese companies with non-resident beneficial owners, or customers (natural or legal persons) located outside Malta. Furthermore, banks do not always have a good understanding of the nature and level of ML/TF risks they are facing and therefore do not always develop and apply appropriate AML/CFT policies and CDD measures commensurate with the risks they face. Some banks do not have a comprehensive understanding of the risks associated with certain customers, products, and geographic locations, and therefore do not apply a level of due diligence corresponding to the related risks.

23. Generally, banks’ implementation of key preventive measures, including measures to identify and verify the BO, appears to be inadequate. Pilatus Bank’s case exposed serious shortfalls in the implementation of AML/CFT preventive measures, including CDD. While there is a general appreciation within the banking sector of the process for identifying beneficial ownership, there is a lack of consistency in the detailed processes, especially with respect to verifying the identity of beneficial owner(s) through a complex ownership chain of foreign legal persons. Moreover, banks sometimes over-rely on the due diligence undertaken by introducers, resulting in deficient client profiles for purposes of on-going monitoring of accounts. The authorities identified ongoing monitoring regarding beneficial owners as one of the shortcomings in banks. In some banks, CDD do not focus sufficiently on the proper verification of beneficial owners and ongoing monitoring of non-resident clients and opaque companies, PEPs, new technologies (e.g., virtual assets, remote gaming), and source of funds from the IIP.

B. Politically Exposed Persons

24. The laundering of the proceeds of domestic and foreign corruption is one of the main risks faced by Maltese banks. The requirements related to PEPs are in line with international standards. However, the effectiveness in implementing the requirements is uneven across banks. While some banks met during the mission have developed and effectively implemented proper policies and procedures to address relations with PEPs, other banks do not conduct proper verification and ongoing monitoring of PEPs.

25. The gaps in the verification and ongoing monitoring of PEPs affect the banks’ effectiveness in addressing the related risks. Compliance and adequacy in implementing the PEP requirements is weak in some banks. This is often highlighted as an issue by supervisors, including in the case of Pilatus Bank. The overall low number of PEPs identified by some banks may be due to the banks’ weak capacity to identify and verify customers as PEPs, their family members, their close associates, and PEPs who are beneficial owners. Furthermore, some banks do not seem to take appropriate measures to establish the source of wealth of customers identified as foreign PEPs.

C. Reporting of Suspicious Transactions

26. Half of the STRs received by the FIAU are filed by banks and are primarily related to ML activities, but the overall level of reporting is still relatively low. The requirements for banks to report suspicious transactions are in line with international standards. The number of STRs has increased in the last five years. The quality has also improved leading to disseminations of financial intelligence reports from the FIAU to the law enforcement agencies. The analysis unit of the FIAU provides feedback on the quality of STRs with the FIAU supervision unit and the MFSA. However, the number of STRs still seems low relative to the size of the banking sector. Furthermore, recent financial analysis reports including information on STRs were leaked which could potentially have discouraged banks from reporting.

27. Feedback from the FIAU to banks on the quality and outcome of STRs is regular but further guidance on typologies is needed. The FIAU has, since 2014, been providing feedback to reporting entities on the quality and outcome of their reports. In light of the results of the NRA, the FIAU could provide banks with typologies to nudge them toward reporting suspicious activities in line with the risk profile of Malta.

Table 2.

Malta: Suspicious Transaction Reports Filed by Banks

article image
1/ In 2017, 51.2 percent of total reports received from reporting entities were received from banks.

D. Conclusions and Recommendations

28. Supervisors should ensure that banks improve their understanding of ML/TF risks and enhance their compliance with specific AML/CFT requirements. The National Coordinating Committee should share the results of the NRA with banks to improve their understanding of risks. As indicated below, supervisors should enhance their resources and capacity for risk-sensitive supervision to ensure that banks enhance their compliance in applying CDD commensurate with their risks, with a focus on applying enhanced or specific measures for non-resident customers, new technologies (e.g., virtual assets, remote gaming), and ascertaining the source of funds for the IIP. Furthermore, banks’ compliance with PEPs requirements is weak and banks should enhance the application of appropriate measures for domestic and foreign politically exposed persons (PEPs), their family members, and close associates.

29. The FIAU could provide additional guidance on specific typologies to further increase the quantity of STRs in line with ML/TF risks. In line with the ML/TF risks identified in the NRA, the FIAU in consultation with the MFSA could provide additional feedback to assist banks in improving the reporting. These could focus—among others—on the risks related to virtual assets, e-casinos, tax evasion techniques, and the use of legal persons to hide the identity of the beneficial owners.

AML/CFT Supervision of Banks— Risk-Based Approach and Sanctions

A. Supervision Based on Risks

30. The MFSA conducts ownership and control tests for banks, but important vulnerabilities remain. Fit and proper tests or other similar measures used with regard to persons holding senior management functions, holding a significant or controlling interest, or professionally accredited in banks are generally adequate and in line with the standard. However, these controls do not always prevent criminals from holding or being the beneficial owners of a significant or controlling interest or holding a management function in banks. Breaches of such licensing requirements were not properly detected in a few instances.

31. The FIAU is the main AML/CFT supervisor in Malta.18 As set out in the PMLA, the FIAU is responsible for supervising and ensuring subject persons’ compliance with the PMLA, the PMLFTR and the Implementing Procedures. The Compliance Section of the FIAU, which is responsible for this task, achieves compliance through onsite examinations and offsite assessments of subject persons.

32. The MFSA carries out AML/CFT oversight of the financial services sector as an agent of the FIAU. Onsite supervision of MFSA license holders is carried out by the Enforcement Unit of the MFSA, acting as an agent of the FIAU in accordance with the PMLA. The FIAU remains the sole authority responsible for reviewing cases presented before it, and for taking decisions on any breaches and on the sanctions to be imposed.19

33. There are plans to increase supervisory resources of the FIAU and the Agency has modified its approach to AML/CFT supervision. In line with its 2017 restructuring plan, the FIAU is planning to expand its human resources (from 20 to 56 staff members by the end of 2020, 19 of which will be dedicated to AML/CFT supervision). Similarly, recruitment is planned at the MFSA (from 9 supervisors working on AML/CFT in June 2018 to 30 by the end of 2018).20 At the time of the FSAP mission, the size of the MFSA team was reduced to 6 supervisors (due to 3 resignations) and the plan to recruit 23 people (20 new and 3 replacements) by the end of the year 2018 seemed to be over optimistic. Furthermore, in June 2017, the FIAU developed new methodology for supervision in coordination with the MFSA and initiated on the development of risk-based supervisory tools that were piloted in 2018.

34. The FIAU and MFSA’s understanding of the ML/TF risks of banks is generally good, however, supervision should increasingly be implemented on a risk sensitive basis. The FIAU and the MFSA initiated the design of a risk-based approach to supervising banks by developing an action and a methodology. However, at the time of the onsite visit, both agencies were still applying a compliance-based supervisory approach that focuses more on identifying regulatory deficiencies and less on aligning supervisory resources to risk analyses and banks’ risk profiles. This approach limits effective supervision especially in light of resource constraints in the FIAU’s compliance unit. The number of qualified AML/CFT supervisors at the MFSA are also limited. Inspection reports are provided to banks with long delays (e.g., one year) which undermines supervisory efforts. Banks reported that examinations are neither regular nor demanding. The risk-based supervisory tools are expected to be used as of the 2019 inspection cycle.

35. In July 2018, the European Banking Authority (EBA) established that the FIAU had breached Union laws in the case of Pilatus Bank and issued a series of recommendations. In October 2017, the European Commission’s Director General for Justice and Consumers asked the EBA to investigate a possible breach of European Union law. The EBA investigation pointed out in July 2018 to general and systemic shortcomings in the FIAU’s application of the Third EU directive on the prevention of AML/CFT. This was related to the apparent failure of the FIAU to apply effective, proportionate and dissuasive sanctions for alleged infringements by Pilatus Bank of Malta’s AML/CFT provisions in line with Article 39 of the Third EU Directive on the prevention of AML/CFT (Directive 2005/60/EC or ‘AMLD3’).

36. The FIAU and MFSA conduct a low number of onsite AML/CFT reviews (two to three a year) of 21 banks in Malta. This is due to the limited resources combined with the lack of prioritization of functions and, as indicated above, the delay in finalizing the risk-based approach tools. Although the resources of the FIAU have been increased, the new staff were not exclusively dedicated to bolster supervision of banks but have been involved in the financial intelligence unit core functions (e.g., analysis), supervision of non-bank financial institutions and DNFBPs, and preparation for the MONEYVAL assessment. The number of onsite visits conducted solely by the MFSA or jointly with the FIAU, albeit slightly increasing, has been low over the recent years (five onsite reviews in 2017, three in 2016, three in 2015) and the yearly plan has not been commensurate with the banks’ risk profiles. The five largest banks in terms of assets have not been inspected since 2015. Similarly, a bank active in commodity-trade finance and which has foreign branches of significant size, which are potentially vulnerable to ML, has never been inspected.

EBA Investigation

In July 2018, the EBA has pointed out to general and systematic shortcomings in the FIAU’s application of the Third EU Directive on the prevention of AML/CFT.

  • According to the EBA, the FIAU failed to ensure that one credit institution (Pilatus Bank) put in place adequate and appropriate AML/CFT policies and procedures, as required under Article 34 of AMLD3; and the FIAU neither imposed effective, proportionate and dissuasive sanctions, nor any other supervisory measures to correct the shortcomings it had identified to ensure the institution’s compliance with Directive’s requirements. The EBA decided not to open a breach of Union law investigation into the MFSA, reflecting the recent supervisory actions taken by the MFSA and the current requirements of Union law. Nonetheless, the EBA did express significant concerns about the actions of the MFSA in some areas.

  • The preliminary EBA enquiry has focused on the MFSA authorization process, the prudential supervision of Pilatus Bank, and the recent supervisory measures taken by the MSFA. The EBA’s preliminary enquiries have raised significant concerns regarding the MFSA’s authorization and supervisory practices in relation to Pilatus Bank. However, in light of the requirements set out in Union law for prudential supervisors which make it difficult to conclude that there have been b r ea c hes o f clear and unconditional obligations established in Union law, and especially in light of the significant supervisory actions taken by the MFSA in relation to Pilatus Bank, the EBA have decided to close the case without opening a breach of Union law investigation.

  • As highlighted in the EBA’s Recommendations to the FIAU, “the findings from the EBA’s investigation reveal a general practice of the FIAU at the time of the case at issue and not only, as argued by the FIAU, a failure in this particular case”. The FIAU has informed the EBA of general actions that, as an Action Plan, it has already undertaken, or which are in train, to strengthen its supervision. The EBA noted that “while a move in the right direction, these measures are not enough to be satisfied that the deficiencies that led to a breach of Union law have been resolved” and, as a consequence, adopted recommendations aimed at remedying the particular failings that it had identified.

  • The FIAU has challenged the issuance of the Recommendation because an Action Plan had been already adopted by the FIAU to address these concerns. According to the EBA, “the need identified by the FIAU for such a wide-ranging nature Action Plan provides support for its findings that the procedures and policies applied at the time of the case at issue were not appropriate and effective”.

Table 3.

Malta: On-site AML/CFT Inspections of 21 Banks in Malta

article image

37. Although supervisory practices are generally improving, the onsite reviews are typically of a short duration and a narrow scope. The onsite examination phase was typically limited to a couple of days. Even though preparatory work can be carried out prior to the onsite examination, the fact remains that this short duration does not give the examiners sufficient time to examine many client accounts, extract data from the banks’ information systems, and assess robustness of risk management and internal controls in order to identify potential breaches in implementing AML/CFT requirements. Until recently, onsite examinations were limited to a series of interviews with the Money Laundering Reporting Officers and the review of a limited sample of accounts (33 for one of the largest Maltese banks). Accordingly, the effectiveness of ongoing monitoring and transaction screening was often not assessed. However, due to the new methodology agreed between MFSA and the FIAU in early 2018, the two latest onsite examinations lasted five months and were more comprehensive. However, they were not completely finalized at the time of the FSAP mission.

38. There is often an excessive delay in finalizing reports about onsite AML/CFT examinations. In some cases, it may take up to 1.5 years to produce the final examination report from the end of the on-site examination. The complexity of the FIAU internal procedures governing the conduct of onsite examinations is unlikely to solely explain and justify these delays, keeping in mind that the discussion on the findings with the inspected banks takes place after the finalization of the report. This lengthy process of providing findings and recommendations to banks based on onsite examinations seriously weakens its effectiveness.

39. The FIAU and MFSA do not seem to share or promote their understanding of ML/TF risks and provide appropriate feedback to banks. At the time of the onsite visit, the results of the NRA were not shared with banks. Although the FIAU and the MFSA took various initiatives to engage with the private sector and provide more training on AML/CFT requirements during 2017 and 2018, they do not conduct regular outreach about their supervisory expectations to banks.

B. Sanctions for AML/CFT Violations

40. The FIAU applies sanctions and remedial actions for non-compliance with AML/CFT requirements; however, these appear to be neither dissuasive nor proportionate. The FIAU imposed few administrative sanctions (none in 2015, three in 2016, one in 2017). In the instances where it has imposed administrative sanctions, these have been low and not dissuasive (e.g., € 30,000 on average), and have not been proportionate to the severity of the violations and the amount of penalties has not been dissuasive.21 In several instances, no sanctions were applied despite extremely severe findings highlighted in examination reports. Although the FIAU has broad range of administrative and civil sanctions, it does not have the power to withdraw the license of a bank in case of egregious violations of AML/CFT requirements. Sanctions are often challenged before the appeal court and are imposed after a long delay from the time of identification of the breach. In four instances in 2018, fines were determined against banks but are currently under review or judicial appeal. 22

41. The MFSA has imposed a limited number of sanctions in recent years. It is also noted that no sanctions have been applied by the MFSA on grounds of weak AML/CFT internal controls or compliance checks. The regulatory response is not timely and often inadequate. Delays in coming to a final decision are excessive (up to three years from concluding an onsite inspection).

Table 4.

Malta: Sanctions Imposed Against Banks by the FIAU and MFSA for AML/CFT Violations

article image

C. Conclusions and Recommendations

42. The MFSA should enhance its implementation of licensing controls (i.e., fit and proper tests) to prevent criminals and their associates from holding or being a BO of a significant or controlling interest or of holding management function in a bank.

43. The FIAU and MFSA should improve their identification and understanding of ML/TF risks. The results of NRA should be shared with banks. Supervision should be risk-sensitive and focus on high-risk clients, including non-resident clients, and opaque companies, BO requirements, PEPs, and new technologies.

44. The FIAU and MFSA should increase their resources in order to be able to develop further the risk-based tools for offsite monitoring and onsite AML/CFT supervision and ensure timely delivery and confidentiality of inspection reports. More precisely, they should: (i) devote more resources to fully implement a risk-based approach for supervision of banks; (ii) significantly increase the number of onsite AML/CFT compliance examinations of banks; (iii) implement the revised methodology to deepen the scope of the AML/CFT compliance examinations for banks; (iii) should shorten the turnaround time of AML/CFT reviews from initiation to final report, and from the report to final decision; and (iv) strengthen their internal controls to ensure the confidentiality and prevent the leakage of their supervision reports.

45. The FIAU and the MFSA should impose a broad range of sanctions against banks that are dissuasive and proportionate to the severity of the AML/CFT violations. More precisely the FIAU should shorten the period between the detection of violations and imposition of sanctions and make more use of monetary fines as part of the sanctioning regime for banks and increase the amount of penalties for breaches of AML/CFT requirements. Time-bound remedial action plans should be imposed at a minimum in a systematic fashion when findings are made by onsite examiners. Finally, the MFSA and the FIAU should shorten the turnaround time from the final report to imposition of remedial actions and sanctions.

46. Establishing a regional AML/CFT supervisory arrangement could enhance convergence of supervisory practices and minimize regulatory arbitrage.23 Although ongoing EBA work to strengthen supervisory convergence and enhance information exchange mechanisms are positive steps, a euro area (or EU) level AML/CFT supervisory arrangement should be considered as a more comprehensive solution, as emphasized in the Euro Area FSAP.

Transparency and Beneficial Ownership of Legal Persons in Malta

A. Background and Risks

47. Malta’s legislation provides for several types of legal entities and arrangements.24 The number of legal entities registered in Malta has increased from 37,050 in 2007 to over 51,000 in early 2018, including 1,284 partnerships. The Maltese authorities estimate that approximately 48 000 of these companies are currently active. Approximately half of all companies incorporated in Malta have at least one non-resident shareholder, but the number of legal entities that are beneficially owned or controlled by non-residents is unknown. The trustees licensed in Malta administered 3,529 trusts as of August 31, 2018.

48. Basic information about legal persons incorporated in Malta is generally available and easily accessible but may not be accurate. 25 The ROC collects and updates basic information on a regular basis and holds a public online website that allows easy access for the general public. 26 Some authorities raised concerns about the accuracy of the information since a significant number of inactive companies do not update their basic information.

49. No assessment of ML/TF risks presented by the different types of legal persons and arrangements has been conducted. The authorities recognize that legal persons and arrangements can be misused for criminal purposes. Legal entities established in Malta with foreign ownership generally represent a higher risk for misuse for criminal purposes. Malta has 186 legal and natural persons registered as Company Service Providers (CSPs) in addition to professions that are not required to be licensed as CSPs to provide CSP services (e.g., notaries, accountants). Malta also has 171 persons licensed as trustees. In addition, around 20 percent of the companies hold shares on a mandate/fiduciary basis with CSPs. Incorporation of a legal entity does not require engagement of a CSP, but only about five percent of companies are registered without the use of an intermediary. The sector of TCSPs has grown in recent years and is recognized as one of the main vulnerabilities in the NRA.

50. Malta’s recent progress in strengthening the legal framework to enhance transparency of legal persons and arrangements needs to be complemented by effective implementation. In December 2017, Malta issued the Companies Act (Register of Beneficial Owners) and The Trusts and Trustees Act (Register of Beneficial Owners) Regulations with the intention to transpose the relevant provisions on BO information of 4AMLD. These regulations have entered into force on January 1, 2018, with the exception of article 7 of the Companies Act Regulations, on the access to the register of beneficial owners, which came into force on April 1, 2018.

51. Trusts established in Malta are considered by authorities to pose a lower ML/TF risk than the legal persons. Persons providing trustee or other fiduciary services require an authorization from the MFSA under the Trusts and Trustees Act and are supervised by the MFSA. Since January 1, 2018 all trustees licensed in Malta who are appointed as trustees of a trust, which generates tax consequences in Malta, are required to provide to the MFSA the BO information of such trusts. In addition, all trustees licensed in Malta were required to provide by July 1, 2018, BO information regarding trusts, which generate tax consequences in Malta, for which they had already been acting as trustees before 2018. Authorities indicated that the register by the end of 2019 will cover all trusts, not only the ones that generate tax consequences, as a result of the implementation of the Fifth Anti-Money Laundering Directive, so the trustees of all trusts would be required to provide the BO information to the register.

B. Availability and Accuracy of the Beneficial Ownership Information

52. Since January 1, 2018, incorporation of a company in Malta has required information on the beneficial owners to be provided to the ROC. It includes the name, date of birth, nationality, country of residence, official identification document number indicating the type of document and the country of issue, and the nature and extent of the beneficial interest held. If this information is not provided, the Registrar would not register the company’s memorandum and articles (or a deed of partnership). The regulations also include a broader power of the Registrar to refuse to register any document of a company if he/she is not satisfied that the company has provided accurate and up-to-date information on all the beneficial owners of the company.

53. The companies formed and registered before coming into force of the Regulation on the Register of Beneficial Owners are also required to provide BO information. These companies should send a BO report on the anniversary of its registration falling due after July 1 or where there is any change in the BO of the company occurring after July 1, whichever earlier. Therefore, the register of BO should have the BO information regarding all obliged companies and partnerships by August 2019 at the latest. Any officer, shareholder, or beneficial owner who knowingly or recklessly provides to the ROC information on the BO of a company that is misleading, false or deceptive is liable to pay a fine up to €5,000 or to being imprisoned for up to six months or both fine and imprisonment. Penalties are also established for other various violations, such as failure to keep record of beneficial owners at the level of the firm or failure to provide information to the register about the beneficial owners of the company.

54. However, requirements to report BO to the register do not apply to listed companies and, of significant concern, to companies where all the registered shareholders are natural persons. The latter exemption does not seem to take into account the risk that the shareholders could be controlled by third parties (e.g., via participation in the financing of the enterprise, contractual, or personal connections). Requiring all companies to report BO information to the register has an advantage of bringing all companies under a single framework with an option of applying corresponding sanctions for non-compliance. In this context, there was no evidence that effective sanctions are applied against persons who do not comply with the BO information requirements beyond sanctions for delayed submission.

55. Furthermore, the ROC collects the BO information without verifying its accuracy. The ROC considers that it has sufficient legal powers to conduct verification by using its right to request additional information, but it does not have sufficient resources to do this in practice. Overall, there are three avenues for the competent authorities to obtain BO information: (i) financial institutions and DNFBPs; (ii) the legal entity itself; and (iii) the register of BO. Given the uneven compliance with the BO-related requirements across the sectors and reporting entities, providing the resources and developing the capacity of the ROC, particularly to conduct verification, seems to be key to ensuring accuracy and availability of BO information.

56. The authorities are encouraged to add BO information to the annual return submitted by companies. All companies are required to submit annually to the ROC a return confirming the accuracy of the basic information held by the Registrar. The authorities are encouraged to include confirmation of BO information to this return, to eliminate situations in which a company could choose not to update BO information in the register and to pay a fine. By including the requirement to confirm the BO information, such companies and shareholders would be subject to criminal liability for submitting false information, with possible sanction of a jail sentence as opposed to a modest fine for not updating the BO information

C. Access to The Beneficial Ownership Information by Relevant Entities

57. Law enforcement agencies and supervisors rely almost exclusively on the BO information collected by banks and TCSPs. 27 The authorities report that the BO information of corporate entities is mostly available from both banks and TCSPs and can be accessed by the competent authorities in a timely fashion. Considering the questionable quality of BO information obtained by banks and the generally low level of compliance with BO-related requirements, accuracy of BO information, as reported by the authorities, is in sharp contrast with the experience of other jurisdictions.

58. Regulations on the Beneficial Ownership outline the range of persons who have the right to access the BO information held by the ROC. It includes: designated AML/CFT authorities (including the tax authorities) and reporting entities as defined in PMLFTR. In addition, any person or organization that can satisfactorily demonstrate and justify a legitimate interest can access the name, the month and year of birth, the nationality, the country of residence, and the extent and nature of the beneficial interest of the beneficial owners of a company.

D. Conclusions and Recommendations

59. The authorities should build on the recent progress and amendments to the legal framework related to BO information by strengthening the ROC so that it can verify BO information submitted to it. This would require a more proactive mandate for ROC and a corresponding increase in its resources. The authorities are also encouraged to conduct an assessment of the risk that legal persons are misused for ML/TF purposes, including risks posed by legal persons established abroad and risks associated with various legal forms of entities available in Malta. The authorities should also streamline the legal framework on BO information by removing loopholes, such as the exemption for companies where all the shareholders are natural persons from the BO reporting requirements and ensure robust application of sanctions for violations of the reporting requirements related to both, BO and basic information requirements.


This note was prepared by Chady El-Khoury and Maksym Markevych (IMF’s Legal Department). It reflects the findings and discussions during the September 2018 FSAP mission to Malta.


The FAT F-sty le region al body of which Malta is a member.


Effectiveness of Maltese AML/CFT supervision, ML investigation and prosecution, and confiscation were rated as low. Effectiveness of six other immediate outcomes were rated as moderate and two as substantial. Legal provisions relevant to 9 FATF Recommendations were rated as partially compliant, the rest of legal framework is largely compliant or compliant with respect to FATF Recommendations. The effectiveness ratings received by Malta may lead to a closer scrutiny by the FATF under the process of identification and review of jurisdictions with strategic AML/CFT deficiencies.


Results of the NRA are now publicly available.


Malta’s IIP was introduced in 2014. It is a citizenship-by-investment program that allows individuals to acquire citizenship in exchange for major investments in the Maltese economy.


See IMF, 2018, Euro Area—Financial System Stability Assessment. The 2018 Euro Area FSSA recommended that, in addition to ongoing efforts to strengthen AML/CFT supervision at the national levels and improve information sharing among domestic AML/CFT supervisors, consideration should be given over the longer term to establishing an EU-level institution directly responsible for AML/CFT supervision.


The Registry of Companies (ROC) was renamed Malta Business Registry (MBR) in 2019.


Under current FSAP policy, every FSAP should incorporate timely and accurate input on AML/CFT. Where possible, this input should be based on a comprehensive AML/CFT assessment conducted against the prevailing standard. In instances where a comprehensive assessment against the prevailing standard is not available at the time of the FSAP, staff may derive key findings on the basis of other sources of information, including already available information or information obtained in the context of the FSAP. See the Acting Chair’s Summing Up—Review of the Fund’s Strategy on Anti-Money Laundering and Com bating the Financing of Terrorism —Executive Board Meeting 14/22, March 12, 2014, BUFF/14/23.


The FATF-style regional body of which Malta is a member.


Results of the NRA were communicated to private sector and key authorities following the FSAP team visit.


Moreover, the NRA did not rely on: typology studies and strategic analysis conducted by the FIAU, data on CBRs, transportation of cash, or financial soundness data. Furthermore, it did not properly identify the vulnerabilities of products and clients faced by banks.


Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of ML or TF.


The NRA was conducted before the gaming companies became AML/CFT reporting entities.


EU passport could be issued for the equivalent of a contribution of €650 000, other fees, purchase, or rental of high-end real estate and other investments in Malta.


Malta Individual Investor Program Agency reported that only 77 percent of applicants are approved and considers this approval rate to be an indicator of effectiveness of IIP controls.


Following the FSAP team on-site visit in September 2018, the Memorandum of Understanding between the FIAU and MFSA was upgraded and the joint supervisory procedures were adopted.


The FIAU is an independent government agency established in terms of Article 15 of the Prevention of Money Laundering Act (PMLA). The FIAU is the Financial Intelligence Unit in Malta in charge of receiving, analyzing and disseminating financial intelligence related to ML, related predicate crimes, and FT. In addition to its financial intelligence unit functions, the FIAU is in charge of supervising financial institutions and DNFBPs to ensure compliance with the AML/CFT requirements.


Decision taken by FIAU’s Board of Governors based on proposals made by the FIAU’s Compliance Monitoring Committee.


In 2015, a dedicated AML/CFT team was established within the Enforcement Unit of the MFSA, which took over the role of assisting the FIAU in carrying out AML/CFT inspections of the financial services operators regulated by the MFSA, a role which was previously performed by the various supervisory units within the MFSA. This team became operational in 2016 and started carrying out onsite inspections on behalf and jointly with the FIAU.


€40,000 against HSBC, €20,000 against BoV (public information disclosed on the FIAU’s website).


One case for €327,500 and another for €199,500 under appeal. One case for €11,200 and another for €8,000 under consideration by the FIAU compliance monitoring committee.


See IMF, 2018, Euro Area—Financial System Stability Assessment.


Main types are partnership en nom collectif, partnership en commandite or limited partnership, public and private limited liability companies, trusts, foundations, and associations.


Company name, legal status, address of registered office, basic regulating powers, names, addresses and official identification document numbers of all shareholders, partners, directors and company secretaries.

26 Basic information is available online for free, memorandums of association and deeds of partnership are also available online, but for a small fee.


The authorities indicated that the registers of beneficial ownership of companies and trusts that were set up in 2018 potentially are another avenue to source BO information.