This technical note on banking supervision for Malta focusses on selected topics in relation to the supervision of less significant institutions, which are not directly supervised by the European Central Bank, and on non-European Union branches. The Malta Financial Services Authority’s (MFSA) internal organization reflects its role of an integrated supervisor, and several units are involved in supervision and/or enforcement. Review of supervisory measures reveals that the MFSA has taken decisive action in several instances, but such actions have not been timely. A new organizational structure of the MFSA has been proposed recently. Developing resources devoted to enforcement will enable the unit to spend less time on the preparation of the sanctions and more time on ongoing supervisory monitoring. Involving the head of enforcement and the General Counsel in the decision-making process is positive. The report recommends developing a five-year plan to increase the MFSA’s budgetary resources and capacity to reflect the size and importance of the financial sector in Malta.


This technical note on banking supervision for Malta focusses on selected topics in relation to the supervision of less significant institutions, which are not directly supervised by the European Central Bank, and on non-European Union branches. The Malta Financial Services Authority’s (MFSA) internal organization reflects its role of an integrated supervisor, and several units are involved in supervision and/or enforcement. Review of supervisory measures reveals that the MFSA has taken decisive action in several instances, but such actions have not been timely. A new organizational structure of the MFSA has been proposed recently. Developing resources devoted to enforcement will enable the unit to spend less time on the preparation of the sanctions and more time on ongoing supervisory monitoring. Involving the head of enforcement and the General Counsel in the decision-making process is positive. The report recommends developing a five-year plan to increase the MFSA’s budgetary resources and capacity to reflect the size and importance of the financial sector in Malta.

Executive Summary and Key Recommendations

The mission focused on selected topics in relation to the supervision of less significant institutions (LSIs), which are not directly supervised by the European Central Bank (ECB), and on non-European Union (EU) branches. The supervision of all banks’ anti-money laundering and combating the financing of terrorism (AML/CFT) policies and procedures was also included, as no tasks related to AML/CFT have been conferred upon the Single Supervisory Mechanism (SSM) of the eurozone. The mission took into account the findings and recommendations formulated by the 2018 euro area (EA) FSAP and coordinated closely with FSAP missions organized in France and Italy.

Malta has made significant progress since the last FSAP, in 2003. The national transposition and implementation of EU directives and regulations helped close several gaps identified in 2003, as noted by an independent assessment undertaken in 2011. Further, following the 2011 review, the definition of related parties has been broadened, and the administrative penalties and measures have been set in Subsidiary Legislation. Also, the Malta Financial Services Authority (hereafter referred to as the MFSA or the Authority) has been empowered to issue binding regulations that have been used on several occasions, for instance, to require banks to submit plans to reduce nonperforming loans (NPL). More broadly, the introduction of the SSM has raised the level of supervisory intensity and intrusiveness regarding significant (credit) institutions (SI).

Resources are stretched and still insufficient for the nature and range of tasks the MFSA must carry out for effective banking supervision. Although the MFSA’s resources have increased since the 2003 FSAP, they have not kept pace with the increased demands on supervision. The banking supervision function is materially under resourced, as is evidenced by the difficulties with planning and execution of supervision actions for LSIs; for example, inspections have been postponed, most of the recovery plans and Internal Capital Adequacy Assessment Program/Internal Liquidity Adequacy Assessment Program (ICAAP/ILAAP) documents await review, and it has been difficult to maintain regular contact with all LSIs. Resources are also inadequate to achieve an acceptable frequency of supervisory inspections at LSIs. Further, a different skill set is required going forward (for example, experts with extensive credit risk experience, IT risk experts, statisticians, etc.).

The MFSA has already taken steps to improve its supervisory capacity, but these will take some time to yield results. Steps include deciding to (1) increase the staff by 150 (50 percent) in the next three years (including 20 for the MFSA’s Banking Supervision Unit and 20 for the Enforcement Unit); (2) formalize a new human resources strategy; and (3) improve remuneration. The recent enhancements are positioned in the right direction, although they will take some time to yield results, and others may need to be intensified to achieve the desired goal. The MFSA is therefore strongly encouraged to precisely quantify the resources needed to conduct more intrusive risk-based supervision, map the required skills, and assess on a regular basis whether the new strategy and compensation package effectively addresses difficulties in recruiting and retaining staff.

The MFSA, largely, has the supervisory authority to carry out its tasks, but aspects of operational independence are of concern. The necessary preconditions for operational independence are not all met.

  • First, a recent change in the MFSA’s funding model introduces a degree of uncertainty by requiring the MFSA to negotiate for governmental and parliamentary approval of its budget on a yearly basis.

  • Second, the MFSA does not have full autonomy over the recruitment process, as the projected budget to be allocated for human resources has to be endorsed on a yearly basis by the Ministry of Finance (MFIN), and all the recruitments have to be approved on a case-by-case basis by the Office of the Parliamentary Secretary for Financial Services, Digital Economy, and Innovation (PSFSDEI).

  • Third, even if there are positive aspects, several areas of the proposed reorganization of the MFSA raise concern, as it will lead to a high concentration of powers. All supervisory powers currently vested in the MFSA’s supervisory council, which is focused solely on supervisory issues, will be transferred to the MFSA’s executive committee, chaired by the chief executive officer (CEO) and made up of five MFSA staff members reporting to the CEO. Some of the executive committee members will not have supervisory experience, as the committee will also be in charge of the operational management of the Authority. Given the size and importance of the Maltese banking system and the risks posed to a financial system from an under-resourced supervisory authority, the mission strongly recommends that the MFSA develop a five-year plan to increase its budgetary resources, which should be supported by a strong, publicly stated commitment from the government. Further steps should be taken to bolster the MFSA’s operational independence and enhance checks and balances in the decision-making process. To this end, a dedicated statutory committee tasked with supervisory and enforcement powers should be maintained, ensuring that enough attention, time, and resources are devoted to supervisory actions.

The MFSA uses a reasonable range of techniques and tools to implement its supervisory approach. It employs a mix of on- and offsite supervisory elements to assess the risks that banks are running. An annual Supervisory Priorities document is prepared for LSIs, which is well described an d shared with the ECB (for information only). The supervisors are knowledgeable professionals. The first Supervisory Review and Evaluation Process (SREP) carried out for one high-priority (HP) LSI relied on an in-depth analysis and led to the calculation of a conservative capital surcharge that is commensurate with the bank’s risk levels and controls. The onsite inspection reports are well written, with clear and substantiated findings, and issued shortly after the completion of the investigation phase. The MFSA has devoted significant attention to corporate governance in banks. Concerning HP LSIs and the largest non-HP LSIs, meetings are organized on a regular basis with banks’ chief executives. Measures addressing credit risks, such as NPLs’ reduction plans, have helped decrease the stock of NPLs.

Equally, however, shortcomings are noted in bank supervision. The frequency of onsite inspections at LSIs is low and the MFSA needs to complete the rollout of its supervision strategy, notably, the completion of SREP for all HP LSIs. It will also be important to adopt a more intrusive approach to banks’ risk-management processes, including the banks’ asset recovery function, the monitoring of related parties’ transactions and forbearance measures, and the collateral valuation processes. To further enhance the supervisory approach, the focus should be directed at the main risks faced by Maltese banks (credit risk, liquidity risk, and compliance risk), for example, by reviewing credit files with a view to challenging the risk classification and, if need be, the level of provisioning, and on intensifying the follow-up on remediation progress. Also, improvement in the oversight of non-EU branches is needed. Last, despite improvements, the related parties’ framework still exhibits significant gaps with the Basel Core Principles, which require further action.

Review of supervisory measures reveals that the MFSA has taken decisive action in several instances, but such actions have not been timely. Following onsite inspections, significant delays have been observed between the end of the investigation phase and the date on which decisions were made by the supervisory council. Also, the low and limited number of monetary sanctions imposed on banks have limited deterrent effect, and the MFSA has never taken sanctions (penalties) against natural persons. Moreover, by construction, the limited scope of onsite inspections (low frequency, key risks insufficiently covered) can only reduce the possibilities to detect problems and take relevant action. Further, the way the judicial appeal procedure is handled has a negative impact on the effectiveness of the sanction policy. Any person who is aggrieved by a decision or measure taken by the MFSA may appeal to the Financial Services Tribunal. Appeals against monetary sanctions have suspensive effects, and it is noteworthy that the MFSA has 27 pending appeals, some of which date back to 2009. This is not conducive to implementing a dissuasive sanction policy. The authorities are therefore encouraged to explore ways to eliminate delays in supervisory action due to judicial appeals, including by amending the law if needed. This will better enable the authorities to take full advantage of the broad enforcement powers.

The AML/CFT’s supervisory framework ha s several serious deficiencies. The number of onsite compliance examinations conducted solely by the MFSA, or jointly with the Financial Intelligence Analysis Unit (FIAU), has been extremely low over recent years, and the onsite review plan has not been commensurate with the banks’ risk profile. Due to the short duration of onsite compliance examination (from one to five days), investigations were limited until recently to a series of interviews with the Money Laundering Risk Officer and the analysis of a limited sample of accounts (10 to 30 clients). In-dept h assessment of t he effect iv en ess of banks’ ongoing monitoring and transaction screening processes were not conducted. The lengthy process of providing banks with the findings of onsite compliance examinations, which may take up to two years, seriously weakens its effectiveness. Further, few administrative sanctions have been imposed by the FIAU, which has the final say (none in 2015, three in 2016, and one in 2017), and the amount of penalties has not been dissuasive. Despite extremely severe findings highlighted in compliance examination reports, there were several instances where no sanctions were taken, while some banks were not formally and explicitly instructed to take remedial actions. On the prudential side, the MFSA has not taken enforcement measures based solely on AML/CFT-related risk management and operational risk deficiencies.

The authorities shall therefore take a more forceful approach in ensuring all banks effectively implement the legislation and regulation on AML/CFT. Steps have been taken recently (for example, two in-depth onsite reviews were being carried out at the time of the FSAP mission), but these measures deserve to be significantly intensified, as money laundering risks remain elevated.

Table 1.

Malta: Main Recommendations

article image
article image

Priority: H = High; MH = Medium High; M = Medium

I = Immediate; NT=Near Term (within six months to one year); MT=Medium Term (within two to three years).


A. Scope and Approach

1. The purpose of this note is to present the mission’s assessment of banking supervision based on the discussions that took place during the 2018 FSAP mission in Malta. The analysis took into consideration the legal and regulatory framework in place, the supervisory practices employed, and other conditions as they existed in September 2018. This note uses the 2012 edition of the “Basel Core Principles for Effective Banking Supervision” (BCP) as the reference framework, but it does not contain a formal BCP assessment.

The mission focused on selected topics. They include key aspects of organization and resources of the supervisory authority (referring to Core Principles (CPs) 1 and 2) in relation to the supervision of LSIs, which are not directly supervised by the ECB, and non-EU branches, focusing in particular on (1) the supervisory approaches and tools (CPs 8 and 9); (2) the enforcement and sanctioning framework (CP 11); (3) banks’ governance and risk management (CPs 14 and 15); (4) the assessment of risks and capital adequacy (CPs 16, 17, 18, 22, and 23); (5) the transactions with related parties (CP 20); and (6) the analysis of liquidity risk (CP 24). The supervision of all banks’ AML/CFT policies was also included (as part of CP 29). Conversely, licensing (CP 4) was not included, as the ECB is the authority in charge of all banking authorizations in the EA, whether banks are large or small, and no new license has been granted in Malta since the establishment of the SSM of the eurozone.

3. The mission maintained its consistency with other FSAPs in the EA. The mission took account of the findings and recommendations formulated by the 2018 EA FSAP and coordinated closely with two other FSAP missions organized for France and Italy.

4. The IMF team wishes to thank the authorities and private sector participants for their excellent cooperation. The mission held extensive meetings with the Maltese officials and had access to high-quality documentation. The FSAP review team benefited greatly from the inputs received and exchanges of views during meetings with supervisors, banks’ representatives, and legal auditors.

B. Institutional Setting

5. Banking activities are regulated mainly under EU rules. The prudential framework for credit institutions in the EU is set out in EU regulation and EU legislation transposed into national laws, but a harmonized approach is currently lacking in some key risk areas, particularly major acquisitions and transactions with related parties.

6. With the introduction of the SSM of the eurozone in November 2014, the scope of intervention of the MFSA changed significantly. Under the first pillar of the European banking union, the SSM comprises the ECB and the National Competent Authorities (NCAs) of the participating countries (the member states of the eurozone).2 Within the SSM framework, the ECB directly supervises 129 SIs. The other banks’ LSIs are supervised by the NCAs under the oversight of the ECB. National authorities continue to be responsible for AML/CFT in both SIs and LSIs, as the associated tasks have not been conferred to the ECB.

7. The MFSA is the supervisory authority for Malta’s financial system and NCA in charge of the banking sector within the SSM. The MFSA is tasked with supervising banks, insurers, and insurance intermediaries, collective investment schemes, and pension funds. Three Maltese banks are designated as SIs, the day-to-day offsite supervision is being conducted by the joint supervisory teams (JSTs) led by coordinators at the ECB.3 The MFSA has responsibility for the direct supervision of LSIs, comprising 18 banks, and of two non-EU branches. For the LSIs, the ECB receives mandatory reporting by the NCAs and ex ante notifications on certain supervisory actions, these being more granular for the HP LSIs.

8. The MFSA is an autonomous body constituted by the Malta Financial Services Authority Act (MFSA Act) and reports annually to parliament. In terms of governance, the MFSA is headed by a chairperson appointed by the prime minister and a Board of Governors, which sets policy and general direction. Beside the chairperson, the Board of Governors comprises eight members appointed by the prime minister, and a CEO designated by the Board. The chairperson’s and Board members’ terms of office shall not exceed five years. A Board member may be relieved of office by the prime minister on the grounds of inability to perform the functions, or of misbehavior. The appointment of Board members and their termination of office or resignation, including the reason from removal, are notified in the government gazette.

9. The MFSA’s supervisory council is responsible for the issuance of various authorizations for the monitoring and supervision of licensees and for taking actions. The council is composed of the director-general in charge of supervision and of each of the directors responsible, respectively, for authorization, banking supervision, conduct supervision, securities and markets supervision, insurance and pensions supervision, and regulatory development. Up until now, directors have been appointed by the chairperson. The grounds for removal/dismissal of directors are those applicable to any employee in terms of general employment law in Malta. Reasons for removal are not subject to public disclosure.

10. The MFSA has its own budget and is empowered to impose fees and levy charges. The authorities’ source of funding was recently changed. Separation of the Registry of Companies from the MFSA in April 2018 redirects the registry’s revenues—accounting for 58 percent of the MFSA’s funding source in 2017—to the government. The MFSA’s resources are provided by the government’s consolidated fund and fees payable in respect of its supervisory functions.

C. Market Structure

11. Malta’s financial system is large and heavily connected with the world. Together banks, insurance companies, and investment funds amounted to about 6½ times GDP in 2017, of which banks stood at 4⅓ times GDP. Nonresident deposits—an important funding source for banks—may be vulnerable to tax and legal changes abroad, as well as to reputational risk.

12. Maltese banks vary considerably in their business models. For analytical purposes, the authorities classify the banks into three categories:

  • Core domestic banks are mainly exposed to the domestic economy. They attract household and corporate deposits and lend mostly domestically, accounting for all mortgages to residents. The three largest banks (Bank of Valletta, HSBC Bank Malta, and MeDirect) hold 87 percent of category assets (42 percent of total bank assets) and account for 80.5 percent of all mortgages.

  • Noncore domestic banks are small, foreign-owned, primarily funded from wholesale markets and nonresident deposits and have some exposure to residents. Business models vary widely (syndication, factoring, trade finance, private banking, and conventional lending).

  • International banks are foreign owned, with insignificant domestic exposures. They rely mostly on wholesale funding (including intragroup) and focus on activities for their group (custodian services, trade finance, investment banking). Two branches of Turkish banks account for 83 percent of this category’s assets (39 percent of total bank assets).

13. For supervisory purposes, the European SSM classifies banks into two groups. The three largest core domestic banks are classified as SIs. The remaining banks are classified as LSIs (18 banks, 16 percent of system assets), a branch and a subsidiary of other EA country banks (one parent entity is an LSI and one as a SI), and non-EU branches. On aggregate, HP LSIs are as large as the smallest SI, and their business models may encompass complex features. For some banks, asset size has increased rapidly. An adequate supervision of LSIs is therefore paramount.

Table 2.

Malta: Banking System Assets, at end -2017

article image
Sources: Maltese authorities and IMF staff calculations.

These banks are a branch and a subsidiary of banks of other EA countries and are classified under the home state of their respective group parent.

Main Findings

A. Progress Since the Previous FSAP

14. Major structural changes have taken place since 2003 and had a positive impact on the prudential regulation and supervision of banks. First, Malta became a member of the EU in May 2004, and both the transposition of the EU legislation into Maltese legislation and the implementation of EU regulation led to the alignment with high regulatory standards. Second, Malta adopted the euro as the national currency in 2008 and the Central Bank of Malta (CBM) became a member of the European System of Central Banks. Third, the establishment of the SSM in 2014, in which the MFSA participates as a NCA, significantly transformed banking supervision in the EA, enhancing the consistency of supervisory practices across the EA.

15. The Maltese authorities have undertaken significant action to implement the recommendations of the 2003 FSAP. Thanks to the authorities’ commitment, the national transposition and implementation of EU directives and regulations helped close several gaps identified in 2003, as noted by an independent assessment undertaken in 2011. Also, following this review, the definition of related parties has been broadened, the administrative penalties and measures have been set out in subsidiary legislation, and supervisory resources have increased in the recent period.

B. Organization, Powers, and Independence

16. The authority to exercise banking supervision is vested in the MFSA, according to the Banking Act and the MFSA Act. The MFSA is defined by the Banking Act as the “Competent Authority” in charge of ensuring that credit institutions carrying out activities in Malta comply with the Act (as well as with any regulations, directives, and banking rules made or issued thereunder), the EU Capital Requirements Regulations (CRR), and the conditions of their respective licenses. The MFSA was established by the MFSA Act, which provides that the power of the competent person to monitor and supervise license holders is vested in the MFSA’s supervisory council.


17. The MFSA’s internal organization reflects its role of an integrated supervisor, and several units are involved in supervision and/or enforcement.

  • The Banking Supervision Unit (BSU) is responsible for the supervision of credit and financial institutions;

  • the Conduct Supervision Unit is responsible for securing appropriate consumer protection in financial services;

  • the Insurance and Pensions Supervision Unit is in charge of the supervision of insurance companies, insurance intermediaries, retirement schemes, retirement funds, and retirement service providers;

  • the Securities and Markets Supervision Unit is tasked with the supervision of investment services companies, collective investment schemes, fund management, and related fund services operations;

  • the Regulatory Development Unit (RDU) monitors systemic risk across all areas of financial services;

  • the Authorization Unit manages and coordinates the processing of applications for authorization under the various sectorial legislation; and

  • the Enforcement Unit is responsible for (1) AML supervision; and (2) reviewing the actions and, where necessary, conducting investigations of license holders who have, or are suspected of having, committed serious compliance failures, serious misconduct, market abuse, breach of listing rules, or any other serious breaches of the law.

18. The MFSA has undergone various organizational changes in recent years. This includes setting up the Enforcement Unit in 2012, and the separation between the supervision of conduct of business and prudential supervision in 2015. Following the introduction of the SSM in the EA, the BSU has gone through a restructuring. Concerning SIs, whereas until the early part of 2016, each analyst in the offsite function was responsible for two to three banks, the function was restructured so that analysts would be responsible for two to three risk areas. Each analyst reports to a sub-coordinator working for the MFSA and to a coordinator at the ECB, who are in a position to form a bank-wide view. Concerning LSIs, the ongoing (offsite) supervision is placed under the responsibility of a deputy director, as depicted in the organizational chart below. A similar setup, with analysts in charge of risk areas, was applied in 2017 for the assessment of one of the HP LSIs and is being applied in 2018 on the remaining HP LSIs. Onsite examiners of LSIs report to another deputy director, while a team in charge of policy issues and the supervision of nonbanks is placed under the responsibility of a third deputy director.

19. A new organizational structure of the MFSA has been proposed recently (see organization chart). The reorganization, which has not yet been implemented, has several positive aspects. Bringing the AML/CFT team under the umbrella of supervision will facilitate information sharing with the BSU. Developing resources devoted to enforcement will enable the unit to spend less time on the preparation of the sanctions and more time on ongoing supervisory monitoring. Involving the head of enforcement and the General Counsel in the decision-making process is positive. However, as already mentioned, the reorganization project, which requires a modification of the MFSA Act, raises some concerns (see paragraph 22).


Malta: MFSA Organization

Citation: IMF Staff Country Reports 2019, 347; 10.5089/9781513520841.002.A001

Source: MFSA.1/ The CEO, the Chief Officers, and the General Counsel will be members of the Executive Committee.

Powers and Independence

20. Banking activities are governed by several key pieces of legislation and regulation. These basically include EU legislation, notably, the fourth Capital Requirements Directive (CRD IV) and the CRR, the Banking Act and Subsidiary Legislation under this Act, and the banking rules. 4 Issued by the MFSA, the banking rules are binding measures having the force of law and are applicable to regulated credit institutions. Over the past years, extensive amendments have been made to the banking rules to implement the European directives and guidelines issued by the European Banking Authority (EBA). Overall, prudential standards have been enhanced significantly.

21. The MFSA has at its disposal a broad range of legal powers, but this assessment also highlights a number of gaps. The MFSA has a broad range of legal powers to address situations where banks do not comply with regulations. Apart from the withdrawal or restriction of license, supervisory measures may include fines and penalties, directives to comply with particular instructions or to desist from a particular activity, and the removal of managers (as further detailed in Section J).5 The MFSA also has the power to require a credit institution to take the necessary measures at an early stage to address problems in cases where either the credit institution does not meet the requirements or the authorities have evidence that the credit institution is likely to breach a regulation. However, some legal powers are not included in the MFSA’s toolkit.

  • The MFSA does not have the authority to force a bank or a banking group to change its organizational structure. While the MFSA is authorized to require any person who directly or indirectly possesses qualifying shareholding in the credit institution to divest himself of all or part of that holding in accordance with Article 9(3)(b) of the Banking Act, it is unclear how the MFSA could impose or facilitate a merger or a purchase of a credit institution. As specified by Article 17E of the Banking Act, the MFSA has the power to require a credit institution to take measures at an early stage to address problems. Article 17E states that the powers shall include those as specified in Regulation 9 of the Banking Act (Supervisory Review) Regulations (Subsidiary Legislation 371.16), which does not include the power to change the organization or impose a merger. The authorities have argued that it does not necessarily mean that these are the only powers vested in the MFSA. This is not entirely convincing, as the regulations and banking rules are quite detailed in Malta. The fact remains that neither the law nor the regulation explicitly empowers the MFSA to impose the measures mentioned earlier.

  • Banks are not specifically required to communicate to the MFSA any substantive changes or materially adverse developments. That said, in the corporate questionnaire submitted by an applicant as part of the authorization process, it is specified that banks have to notify the MFSA in such instances. This, however, does not replace an explicit provision included in the law or regulation.

  • The MFSA does not have the power to review the activities of companies affiliated with a bank’s parent company to determine their impact on the bank’s safety and soundness.6

  • Banks are not required to notify the MFSA as soon as they become aware of any material information that may negatively affect the suitability, fitness, and propriety of a significant shareholder or party that has controlling interest.

  • Concerning major acquisitions, a credit institution cannot, without the consent of the MFSA, acquire or hold shares in another company, which is not a credit institution, when the share exceeds 5 percent of that company's issued share capital (Art. 15.1(d) of the Banking Act). Also, unless there is written consent from the MFSA, no credit institution is allowed to open a new branch, agency, or representative office, or set up or acquire any subsidiary in any place outside Malta (Art. 11(2) of the BA). However, when a credit institution licensed in Malta wants to acquire a minority stake in the capital of a bank located abroad, no authorization or prior notification is specified in the legislation or the regulation. More broadly, there is no applicable regime governing major investment. Moreover, there is no available internal procedure or criteria for assessment of major acquisitions by credit institutions, including whether the acquisitions may expose the credit institution to undue risks or hinder effective supervision.

22. The MFSA, largely, has the supervisory authority to carry out its tasks, but aspects of operational independence are of concern. The necessary preconditions for operational independence are not fully met.

  • The need to annually negotiate for governmental and parliamentary approvals of the budget introduces a degree of uncertainty, especially in a context where expenditures will have to increase to support the expansion of staff resources, as currently envisaged by the MFSA. International standards require budgetary processes that do not undermine autonomy and adequacy of resources. Until recently, the budget was funded solely from the MFSA’s own resources, that is, supervisory fees and revenues from the Registry of Companies. This is no longer the case since the separation of the registry from the MFSA, which resulted from the latest revision of the MFSA Act in 2018. Supervisory fees only covered 40 percent of the MFSA’s total expenses (in 2017) and, to allow the MFSA to carry out its functions going forward, the funding shortfall will be paid out of the Maltese government’s consolidated fund. The MFSA budget for 2019 has been endorsed by the government and remains to be approved by the Parliament. The MFSA has also prepared a multiyear forecast (2019–2021), which shows a significant increase of expenditures, requiring higher government contributions. The MFSA has explained that these projections have been approved verbally by the MFIN, but no written document materializing this commitment has been shared with the mission

  • The MFSA does not have full autonomy over the recruitment process. In accordance with a Maltese directive (Directive 7), which applies to “all public administration organizations which are not government departments and which have a distinct legal personality,” (1) projected budgets to be allocated for human resources have to be approved on a yearly basis by the MFIN; (2) the remuneration package (salary scale, etc.) has to be endorsed by the Industrial Relations Unit (part of public administration); and, on top of that, (3) all the recruitments have to be approved on a case-by-case basis by of the PSFSDEI.7 The mission became aware of instances where the recruitment process was affected by external influence. It is worth mentioning that this directive is not applicable to several entities (CBM, Malta Stock Exchange, University of Malta, etc.), but the MFSA has not been excluded from the scope of application of this directive.

Table 3.

Malta: Budget and Financial Projections for the MFSA, 2016–2021

(in thousands of euros)

article image
Source: MFSA.

Until 2017, revenues were higher than expenses, and the MFSA passed on the balance to the consolidated fund.

The revenues in 2018 include fees (full year) and revenues from the ROC (perceived until May 2018).

23. Elements of a proposed reorganization of the MFSA raises concern, as all supervisory powers would be transferred to the MFSA’s executive committee in charge of the day-to-day management of the Authority. 8 This proposal requires amendments to the MFSA Act and has already been sent to the parliament. The executive committee would be headed by the CEO and comprise the general counsel and several chief officers in charge of, respectively, (1) supervision; (2) strategy, policy, and innovation; (3) enforcement; and (4) operations, including human resources. While involving the general counsel and the head of the Enforcement Unit in the supervisory process is welcome (currently neither participate in the meetings of the supervisory council), other aspects of the reform are of concern.

  • The executive committee would include members who do not have any supervisory experience. Conversely, the directors of the supervisory units (including the director of the BSU, who is a member of the SSM Supervisory Board) would no longer participate in the decision-making process.

  • More important, decisions on supervisory measures and sanctions require an in-depth assessment and, potentially, lengthy meetings to weigh the pros and cons. In that regard, creating a decision-making body in charge of all aspects (managerial, operational, human resources, etc.) might not be the best way to achieve this objective and ensure that enough attention, time, and resources at the highest level are devoted to supervisory measures on individual credit institutions.

  • Last, but no less important, apart from the CEO, the executive committee would be solely composed of chief officers who would report to the same person (the CEO) and could be removed, leading de facto to high concentration of power in a single individual. As is the case with the existing supervisory council, there would not be any external member who might be able to bring an independent view (this is already the case with the existing structure). Further, no ex post report on the activities of the executive committee would be sent to the MFSA Board of Governors, as is the case today.

  • That said, the current situation is far from ideal. Checks and balances, and guarantees of independence in the decision-making process, require enhancement, which the proposed new organization is unlikely to achieve. Issues to address include: (1) there is no legal provision in the MFSA Act conferring operational independence upon the supervisory council, which plays a key role; and (2) there are no predetermined criteria outlining the conditions under which the council’s members can be removed. The MFSA has explained that in such instances, the MFSA Staff Handbook would be used as a reference. However, members of a committee in charge of making supervisory decisions should not be treated like any other staff member; (3) there is no explicit provision in the legislation for the members of the Board or of the supervisory council not to take or seek instructions from the government or other state authorities; and (4) while the reasons behind removal of MFSA Board members is notified in the government gazette, this procedure is not applicable to council members.9

24. The cooling-off period for staff leaving the MFSA for the private sector is short and is rarely implemented. Staff from the supervisory units who are resigning or terminating their employment for any reason (including dismissal) shall not work for any entity that is licensed and regulated by the MFSA for an aggregate period of six months after they demit office. Further, for staff employed prior to October 2005 (that is, the most experienced people, who may belong to senior staff), the cooling-off period is reduced to two months after they demit office. Additionally, the cooling-off period is not applicable when staff members including employees holding very senior positions join entities or firms that are not regulated by the MFSA, such as professional associations, audit firms, or consultancy firms. This happened in practice. According to the MFSA’s Ethics Framework (Article 9.9), “members should avoid creating conflict of interest in any activities they may undertake following the termination of their employment.” However, no mechanism is in place (for example, preliminary examination by an ethics committee) to ensure that this provision is rigorously enforced.


The authorities are encouraged to:

  • Amend the legal framework and increase the MFSA’s legal powers and banks’ obligations in relation to (1) the change of legal structures; (2) major acquisitions; (3) review of the activities of companies affiliated to banks’ parent companies; and (4) communication of materially adverse developments.

  • Maintain a dedicated statutory committee focusing solely on supervisory issues and reinforce the supervisory council’s independence. The MFSA’s Board of Governors should be fully informed on a regular basis about the individual conditions of banks and detailed supervisory decisions made by the council. Involving independent external members in the council should be considered.

  • Develop a five-year plan to increase the MFSA’s budgetary resources and capacity to reflect the size and importance of the financial sector in Malta. It should be supported by a strong, publicly announced commitment from the government, including a multiyear budget commitment. This would address the lack of budgetary certainty in the current annual process.

  • Grant the MFSA full autonomy over the recruitment process.10

  • Reduce the potential conflicts of interest by: (1) imposing a longer cooling-off period when staff leave the MFSA to join the banking industry; and (2) setting up an ethics committee.

C. Supervisory Resources

25. Resourcing of the banking supervisory function is currently insufficient despite recent progress. While the resources available to bank supervision have increased since 2003, they have not kept pace with the increased demands on supervision from EU directives, the Basel Committee, the EBA, and other international bodies, and higher expectations of supervisors. An independent report highlighted in 2017 that: (1) the integration into the SSM has led to a relative reduction of resources available for the supervision of LSIs; and (2) the Enforcement Unit required additional staff.11 Regarding SIs, concerns about the adequacy of staffing were expressed by the chairperson of the SSM Supervisory Board in 2015. Corrective measures have been taken by the MFSA, and fulltime employees (FTEs) devoted to banking supervision have significantly increased since 2015, as illustrated in the following table. However, resources are still insufficient for the nature and range of tasks the MFSA must carry out for effective banking supervision. The lack of resources is evidenced by the difficulties with planning and execution of supervision actions for LSIs (inspections postponed, most of the recovery plans and ICAAP documents need to be reviewed, and it has been difficult to maintain regular contacts will all LSIs). Resources are also inadequate to achieve an acceptable frequency of supervisory inspections at LSIs. It is worth noting that the MFSA intends to increase the BSU’s staff by 20 people over the next three years, which is a positive sign. However, there are no assurances that the proposed increase in headcount has been adequately calibrated, or that the MFSA will be able to recruit the required profile.

26. Resources needed for banking supervision have been roughly estimated. The MFSA has not yet carried out a mapping of the skills that are needed in its supervisory process, nor does it conduct annual planning exercises to assess the impact of supervisory priorities on staffing and capacity-building needs. Such a gap analysis (current resources compared to tasks and skills that are needed) remains to be conducted.

Table 4.

Malta: FTEs Available for the Banking Supervision Unit (BSU), 2015–2017

article image
Source: MFSA (FTEs approved).

27. Recruitment is challenging. In a small labor market characterized by a shortage of people with specific skills (for example, IT specialists, experts in risk management, statisticians), the MFSA is in strong competition with the banking industry. The compensation structure used within the MFSA is independent and different from public servant’s salary and CBM salary scales and was originally devised to be competitive with the private sector. An external audit of the MFSA’s human resources systems and practices, carried out by ThinkTalent in 2017, highlighted that salaries and compensation at entry level (for junior staff) compare favorably with the banking industry. However, for management functions (senior analyst to director), remuneration scales are slightly below or even significantly below industry benchmarks. Also, the report indicated that the MFSA’s recruitment process is excessively rigid, bureaucratic, and too lengthy. As a result, the MFSA has encountered difficulties in attracting, and also in retaining, qualified staff. It is worth noting that the turnover rate increased over the past years and stood at 10.5 percent in 2017, which remains an issue considering the MFSA’s willingness to increase its staffing resources. A high turnover necessarily results in a need for high levels of new hires.

28. A new Human Resources Strategy has been formalized by the MFSA. Positive changes have occurred in practice: the recruitment process has been streamlined; the salary scale adjusted upward (by 5 percent in the best case); a variable remuneration scheme has been put in place; and the MFSA works closely with recruitment agencies, which was not the case until recently. The recent enhancements are steps in the right direction, although some time is needed to yield results, and additional measures may need to be taken to achieve the desired goal (for example, the gap analysis mentioned in paragraph 26). Going forward, it will be necessary to assess the impact of these measures on a regular basis and ensure that the employee value proposition is attractive enough and effectively addresses the difficulty in recruiting and retaining employees with appropriate experience and skills sets for particular positions.


The authorities are encouraged to:

  • Continue increasing the number of supervisory staff and to broaden the skills mix to include IT and risk management. A thorough evaluation of the staffing and capacity-building needs should be initiated by the MFSA. It should also carry out a mapping of the skills that are needed in its supervisory process.

  • Further streamline the recruitment process, make it more flexible, and reduce the time needed for new hires to become operational.

  • Assess on a regular basis whether the whole compensation package is attractive enough and whether it effectively addresses the difficulty in recruiting and retaining staff members.

D. Supervisory Approach

Less Significant Institutions

29. The MFSA uses a reasonable range of techniques and tools to implement its supervisory approach. It also includes monitoring of macroeconomic and sector-wide developments. It employs a mix of on- and offsite supervisory elements to assess the risks that banks are running. In accordance with SSM procedures, a distinction is made between three HP LSIs (and another bank treated as a HP LSI) and the others. The classification (annual SSM prioritization exercise) is carried out using the SSM LSI prioritization methodology, which takes into consideration the intrinsic riskiness of a bank and the impact of its failure on the financial system.

30. The BSU prepares on an annual basis a Supervisory Priorities document for LSIs. In setting out such priorities, key risks affecting LSIs in Malta are assessed and identified alongside expected developments in the local economic environment, and within the regulatory and supervisory sphere. In 2016, 2017, and 2018, the MFSA decided to focus on business models, internal governance, credit risk and NPLs, and capital adequacy. Well-articulated and detailed, the Supervisory Priorities document serves as the starting point in developing the annual Supervisory Examination Program (SEP), which covers ongoing and onsite supervision. The BSU has conducted in-depth analyses of the governance of credit institutions, both during onsite inspections and as part of thematic reviews relying on short visits. However, while being included in this document, some of these priorities have not been translated into concrete actions. For instance, in 2016, credit risk with focus on NPLs and concentration risk was one of the four top priorities, and visits were supposed to be undertaken to assess the NPL situation and verify adherence to the relevant EBA implementing technical standards (ITS) on forbearance and nonperforming exposures (NPE). In practice, only one visit was organized. Similarly, the business model of online banking had to be assessed in 2017, but the FSAP mission team did not see evidence of such analyses.

31. The MFSA relies on a four-level minimum engagement level (MEL) framework.12 This classification is the starting point for NCAs in the SSM to decide on the intensity of the SREP assessment (frequency, scope, and granularity), supervisory expectations, information needs, and so on. The level of engagement that takes into account a 1–4 risk score (as detailed in footnote) is the main input for the supervisory plan, whereby banks falling in Levels 1 and 2 are subject to a more intense supervisory approach. The frequency of meetings with Boards of Directors, senior management, and external auditors is driven by this classification. In practice, while meetings are organized on a regular basis and in line with the MEL, with HP LSIs, and with the largest non-HP LSIs (70 meetings in 2017), the BSU has struggled to maintain similar contact with the Boards of Directors and the auditors of the smallest credit institutions due to a lack of appropriate resources.

Offsite Monitoring

32. The ongoing supervision function is tasked with undertaking regular analyses of reports and detailed qualitative analyses of the banks’ material risk elements. Supervisory methodologies are intended to be fully aligned with the SSM Supervisory Manual for SIs but applied on a somewhat proportionate basis. For HP LSIs, the BSU intends to undertake an in-depth analysis of the risk level (quantitative) and risk controls (qualitative) in line with the SSM’s SREP Methodology for LSIs.13 For non-HP LSIs, the BSU uses an in-house risk assessment tool (RAT), which is based on the EBA SREP guidelines and aligned to the extent possible to the SSM SREP Methodology for LSIs.14 The outcome of these two risk assessment systems is a 1–4 risk score (that is, the risk assessment score (RAS)), based on EBA definitions. By 2020, in line with SSM requirements, all LSIs shall be subject to the SSM methodology. As further described (see Section E on capital adequacy for additional information), the first SREP carried out for one HP LSI relied on in-depth analyses and led to the calculation of a capital surcharge that is commensurate with the banks’ risk levels and controls.

33. The BSU has collected recovery plans for all LSIs. After a first review in 2017, which revealed that the recovery plans were quite heterogeneous and not always in line with the supervisory expectations, the MFSA provided feedback to the banking industry. Following banks’ second submission of recovery plans, the BSU has performed a thorough analysis of the recovery plan, prepared by one HP LSI as part of the SREP exercise. For the other LSIs, the review of recovery plans has not yet been completed, which is largely the result of a lack of resources. Also, the setup of a distinct team in charge of crisis management within the LSI ongoing supervision section team did not provide the expected results, as it is somewhat difficult to assess the recovery plans on a stand-alone basis without having a strong knowledge of the banks’ organization and risk profiles. A decision was recently made to merge the crisis management team with the monitoring team of bank analysts, who will be charged, among other things, with the review of recovery plans.

34. Prudential reporting deserves attention. Checks on the accuracy and consistency of the prudential returns are carried out manually or semi-automatically, which is time consuming. The checks performed by the MFSA have been defined by the EBA and cover all banks. Additional controls defined and performed by the ECB solely cover SIs. Going forward, the MFSA intends to build an automated tool that will run all tests (EBA and ECB) for all banks (SIs and LSIs). This would represent a significant advance considering that data quality can and should be improved. 15 However, the date of completion of this IT project has not yet been confirmed. It is worth mentioning that the team in charge of the implementation of the various controls has also developed key risk indicators (KRI) fed by the COREP and FINREP returns. This report is useful, as it signals trends and outliers.

Onsite Inspection

35. The frequency of onsite inspections at LSIs is low. The BSU aims to undertake onsite inspections at HP LSIs on a yearly basis, while non-HP LSIs are subject to onsite visits based on a supervisory cycle of 24 to 36 months. The implementation of this objective has been constrained by limited resources available and the priority given to SIs. In practice, it appears that the frequency of onsite inspections of LSIs is quite low. The number of onsite inspections at LSIs has fluctuated (six missions in 2015, five (including two follow-up missions) in 2016, and two in 2017). The onsite methodology has been aligned (with a certain degree of proportionality) with the SSM methodology. Also, since 2016, eight thematic reviews of internal governance have been conducted through short onsite visits.16

36. The onsite inspections have focused on governance and ICAAP and much less on credit risk. Priority given to governance is perfectly understandable. Onsite inspection reports do clearly emphasize the main issues, with clear and substantiated findings. Alongside the thematic reviews mentioned earlier, onsite inspections focusing on internal governance have helped improve governance in several banks. However, at some point, it would have been appropriate to assess whether weaknesses in governance structures had (already) translated into poor risk management practices and materialized into excessive risk taking. In that respect, it is noted that onsite inspection reports contain limited information on the development and analyses of risk management. Also, few comprehensive in-depth onsite reviews assessing banks’ credit risk management policies and practices have been conducted since 2013. Similarly, only one credit file review, with the aim of challenging risk classification and provisions, was performed by onsite examiners (in 2016 as part of a mission led by the ECB). Compliance risk per se has never been subject to an onsite inspection.

37. The follow-up of recommendations should be streamlined and intensified. Review of onsite reports and supervisory letters sent to banks after the inspections reveals that remedial measures to be implemented within timelines are not systemically requested from banks. Monitoring of remedial progress could also be improved by using follow-up tools (such as a table detailing the recommendations, the actions that were supposed to be taken by the bank as part of its action plan, and the BSU’s analysis as to whether actions taken are adequate). Involving the ongoing team in the follow-up process (currently undertaken by the onsite examiners), as envisaged by the BSU, would also improve the effectiveness of the monitoring process. Last, once onsite inspections are finalized and issued, the BSU should spend less time discussing the findings with banks, which keep arguing, and take a tougher stance by engaging the discussions on remedial actions to be taken.

Sectoral Analyses

38. Regular assessments of the risks arising from the banking system as a whole are carried out by the RDU. A key tool used in the risk assessment is the Banking Risk Dashboard, which extracts microdata from FINREP and COREP returns from all banks, allowing calculation of key indicators for each credit institution. Additionally, the dashboard provides different forms of data aggregation, enabling macro evaluations of banks’ performance, with the macro dimensions being the entire banking system, core banks, noncore banks, and international banks. The RDU has also developed (1) a Malta Financial Stress Index, which tracks the performance of key indicators relevant to the banking system and the real economy; (2) a credit-to-GDP gap indicator; and (3) various property price valuation metrics to better assess the real estate market. The main conclusions resulting from these analyses are formally communicated to supervisory units through the Financial Stability Monitor report and risk updates provided to the supervisory council. Overall, these reports properly emphasize the main trends and risks, and are taken into account in determining supervisory priorities and performing supervisory activities. Nonetheless, concerning mortgage loans, enhanced information sharing between the MFSA’s units is needed as well as further work (as further discussed later).

The Supervision of Foreign Bank Branches

39. The MFSA is directly responsible for the supervision of all non-EEA branches.17 The MFSA has signed a Memorandum of Understanding (MoU) with 30 foreign authorities, including a MoU with the Turkish Banking Regulation and Supervision Agency, the home supervisor of two banks conducting operations in Malta through branches.18 Under the licensing agreements, each of these two branches has been exempted from all prudential rules applicable in Malta by the MFSA on the grounds of “the bank’s commitment that any non-performing loans of its branch in Malta will be taken over by the bank’s Head Office and consolidated in its balance sheet to set aside the necessary provisions.” According to the EBA, supervisory and regulatory framework applicable to credit institutions in Turkey can be regarded as equivalent to that applied in the EU.19

40. Improvement in the oversight of non-EEA branches is needed.

  • The MFSA has limited understanding of the Turkish branches’ business models. Additionally, the BSU has not conducted onsite inspections of these branches since, respectively, 2010 and 2012 to verify that these entities were complying with the conditions set out in the licensing agreements (adequate staffing, expertise to carry out the activities, and constant and adequate internal controls), and has not organized meetings on a regular basis with the local management. The latest onsite AML/CFT visit team took place in 2014 in one of the branches, while the other has not been subject to a compliance examination.

  • Also, it is worth noting that the MFSA does not participate in non-EA supervisory colleges. Concerning the Turkish branches, the MFSA has not always received a copy of the report following an onsite inspection carried out by the home supervisor and has not communicated to the branches the detailed expectations regarding governance, risk management, and the assessment of the local management’s honesty and competence.

  • Corrective measures are therefore needed, considering that these two branches account for 39 percent of total banks’ assets (the three SIs account for 42 percent). Even though domestic liabilities are negligible, and deposits are not covered by Malta’s deposit insurance scheme, the fact remains that operations are conducted in Malta, which, at a minimum, expose the authorities to reputational risk in case of an adverse event affecting or involving these branches.


The authorities are encouraged to:

  • Finalize the SREP for all HP LSIs, start the process for non-HP LSIs, and review all recovery plans.

  • Increase the frequency of supervisory interactions with banks’ Boards of Directors, Board committees, and the managing directors of all LSIs.

  • Increase the number of onsite inspections of LSIs, and make onsite inspections more risk oriented, assessing the extent of credit risk, liquidity risk, and compliance risk, and the adequacy of risk management.

  • Intensify and harmonize follow-ups to post-onsite inspection remedial actions, define in a systematic fashion the timeframe within which banks’ corrective actions must be taken, and involve the ongoing (offsite) team in the monitoring of remedial progress.

  • Effectively supervise third-country branches and include branches in the onsite inspection program (onsite visits or spot checks). Going forward, the supervision of systemically important third-country branches should be transferred to the SSM, as recommended by the EA 2018 FSAP.

E. Capital Adequacy

41. Prescribed capital requirements are subject to maximum harmonization in the EU. The CRR establishes the calculation of prescribed capital requirements, including thresholds by reference to which a bank might be subject to supervisory action, and which banks are required to satisfy at all times.20 CRD IV gives EU member states some discretion on the application of macroprudential buffers and other measures to address systemic or macroprudential risks, as set out in the CRR and CRD IV, for which each member state determines a designated authority. In Malta, the CBM is the macroprudential authority with the hard power to formulate and implement macroprudential policy. A Joint Financial Stability Board (JFSB) has been established to ensure effective cooperation among relevant authorities for financial stability, comprising five voting members: the CBM governor (the chairperson), the two CBM deputy governors, and the MFSA’s chairperson and CEO.

42. Malta’s macroprudential policy toolkit contains all the instruments provided for in the EU CRR/CRD IV. The authorities have been phasing in several measures, including the additional capital buffers for the three banks identified as other systemically important institutions. The countercyclical capital buffer framework is also implemented, while the buffer rate has been set at 0 percent, given low and negative levels of the credit-to-GDP gap.

43. The total amount of Common Equity Tier 1 (CET1) capital that banks are expected to hold is determined by the SREP. Taking into consideration each bank’s risk profile and other elements of the SREP assessment, the capital decision takes the form of a Pillar 2 capital add-on on top of the Pillar 1 requirements. The Pillar 2 add-on is composed of a Pillar 2 requirement (P2R), which is a biding requirement, and a Pillar 2 guidance (P2G). Banks are expected to meet the P2G, which is set above the level of binding capital (minimum and additional) requirements and on top of the combined buffers. If a bank will not meet its P2G, this will not result in automatic action of the MFSA nor will this be used to determine the maximum distributable amount (MDA) trigger for dividends. However, this will be used in fine-tuning measures based on the bank’s individual situation. Concerning the LSIs, SREP decisions are taken by NCAs and the ECB is informed.

44. In this context, the MFSA has started to implement the SSM SREP methodology for LSIs. P2R and P2G are assigned on the basis of the SREP score and the results of supervisory stress tests (respectively). Initially, the MFSA planned to carry out a full SREP assessment on all HP LSIs by the end of 2018, and a SREP on the remaining LSIs by end-2020. Following that, the standard assessment frequency will be followed (that is, annual for HP LSIs, once every two years for mediumpriority LSIs, and once every three years for low-priority LSIs). The LSIs SSM methodology relies on four key elements: (1) business model and profitability assessment; (2) internal governance and risk management assessment; (3) risk-by-risk assessment of risks to capital; and (4) risk-by-risk assessment of risks to liquidity and funding.

45. At the time of the FSAP mission, a full SREP had been completed for one of the three HP LSIs. At this stage, the MFSA is slightly behind schedule, as the exercise is likely to be finalized in Q1 2019 for the three HP LSIs. More resources will therefore be needed in order to avoid deviating substantially from the initial internally defined plan (detailed in the Table 5) and to start the SREP process for non-HP LSIs. However, it is worth noting that the MFSA has adopted a conservative stance with respect to both P2R and P2G, assigning additional P2R, well above the SSM average in view of the nature of the business model of the one HP LSI for which it has completed the SREP. With respect to P2G, the MFSA applies a 1 percent floor. Also, materials shared with the FSAP mission team revealed that thorough analyses and in-depth assessment of this bank have been performed by the BSU, which relies on a skilled team with a diverse background. The team has also benefited from strong support from the ECB. The presentation to the bank clearly highlights the main supervisory concerns and the findings. The first result of the LSI SREP process therefore looks promising. Going forward, one of the main challenges will be to replicate the same exercise every year while spending less than six to eight months to complete the process.21

Table 5.

Malta: Implementation of SREP: Tentative Calendar

article image
Source: MFSA.

46. The BSU has started to provide feedback to LSIs about the quality of their submitted ICAAP documents. A first detailed and substantiated letter has been sent to one HP LSI (as part of the SREP). Of course, a lot remains to be done to provide feedback to all LSIs, keeping in mind that the quality of ICAAP submissions differ widely from one bank to another.


The authorities are encouraged to:

  • Finalize the implementation of the SREP for all LSIs; and

  • Provide feedback on ICAAP submissions.

F. The Supervision of Credit Risk and Problem Assets

47. The MFSA’s regulation on credit risk is detailed and comprehensive. The definitions of NPLs and forbearance measures are aligned with the applicable EU legal texts (CRR and EBA ITS), which the Maltese Banking Rule BR/09 directly refers to. The BR/09 provides for a detailed framework governing credit risk management.

48. Credit risk is assessed extensively as part of the SREP. Credit risk is the main source of risk for HP LSIs, and the score assigned to credit risk appears to be the main driver of the Pillar 2 capital requirement. In assessing credit risk, the BSU relies on the methodologies laid down in the SSM SREP manual for LSIs. Additionally, an MFSA internal credit risk methodology has been developed, providing further details and guidance on how to conduct the assessment. A number of ad hoc questions and data requests are made to a bank to inform the discussions during meetings held with the bank’s senior management. When deemed necessary, the BSU may also request granular information concerning the loans and collateral. Materials shared with the FSAP mission team confirm the thoroughness of the analyses undertaken as part of the first SREP carried out for an LSI.

49. Onsite examinations of credit risk have rarely been carried out since 2013. The ongoing assessment is to be complemented by onsite inspections. It is noted that:

  • The MFSA has explained that “examiners assess the ongoing adequacy of banks’ policies, practices, and procedures through regular onsite examinations of credit risks. In addition to evaluating policies and procedures as indicated earlier, the examiners select a sample of credits, including all internally classified credits and any other subjectively chosen credits. Thereafter, they evaluate the underwriting standards, management oversight, and internal classification of the credit. In doing so for the selected set of credits, they draw conclusions about the nature of a bank’s credit risk exposures and of credit administration processes.” When conducting onsite inspections, examiners are to follow the procedures, the inspection’s objectives, and the inspection checks laid down in Chapter 6 of the SSM Manual, which covers the credit risk life cycle (granting, monitoring, risk classification, provisioning processes, etc.).

  • In practice, based on the onsite reports shared with the FSAP mission team, it appears that since 2013 only one targeted onsite inspection—which included a comprehensive assessment of credit risk through the review of a sample of credit files and a thorough analysis of credit risk management policies and practices—has been conducted (one credit file review was performed by onsite examiners in 2016 during a mission led by the ECB). It could be argued that credit risk management can also be assessed as part of full scope inspections. However, such inspections do not provide enough time for the examiners to review files with a view to challenging the risk classification and the level of provisioning and verifying that adequate management information systems are in place. The review of a limited sample of loans, which were carried out in several instances, identified issues with the quality of document, but did not lead to any adjustments in the classification and the level of provisioning.

  • As already mentioned, although supervisory priorities for 2016 referred to onsite visits to assess the NPL situation and verify adherence to the relevant EBA ITS on forbearance and NPE, such visits were not conducted.

  • The MFSA is not legally empowered to require a change in the risk classification and/or additional provisions when it is considered appropriate.

50. High levels of NPLs are a source of concern for several banks that have been instructed to prepare a “multi-year NPL reduction plan.” Banking Rule BR/09 “on measures addressing credit risk arising from the assessment of the quality of asset portfolios of credit institutions” was amended in December 2016 to introduce the concept of NPL-reduction plans, and credit institutions are bound by an obligation to maintain a NPL ratio below 6 percent at any point in time. Credit institutions—whose two-year average NPL ratio exceeded the 6 percent threshold at the time when the new rule was published—were required to submit to the MFSA a multiyear NPL reduction plan targeting the decrease in these exposures. The MFSA has explained that unjustified deviations from any phase of the reduction plan, following review by the BSU, would led the Authority to require banks to reinforce their resiliency through the accumulation of an additional capital reserve (reserve for excessive NPLs). Seven banks were required to draw up a multiyear NPL reduction plan. Requiring banks to develop a strategy designed to facilitate NPL resolution was an appropriate decision and, overall, NPLs have declined significantly (from a sector average of more than 5 percent in December 2014 to 3 percent at end-2017). That said, at the time of the FSAP, it was noted that:

  • One bank did not submit a plan to the MFSA, arguing that actions had already been taken. After an initial drop in 2017, this bank’s NPLs have started to increase substantially again (reaching 9.6 percent at end-December 2017), and the decision to allow the bank not to submit a plan probably needs to be reconsidered. In September 2018, no final decision had yet been taken by the BSU and the RDU as to whether a NPL reduction plan would be requested.

  • For one bank, although the share of NPLs is high and fluctuating (40.2 percent in September 2017, 4.7 percent in December 2017), a NPL reduction plan was not requested by the MFSA on the assumption that the data were not accurate. This would have deserved to be supported by tangible evidence obtained from, for instance, a short onsite visit.

  • For another bank, while the NPL reduction plan was not approved, the MFSA did not request the bank to calculate a reserve for excessive NPLs (as per paragraph 54 of the BR/09), despite high NPLs (above 16 percent of exposures).

  • More broadly, the impact of the plans on NPLs level is only assessed by banks and by the MFSA on a yearly basis, a frequency that is probably too low to allow for a proactive intervention. Based on prudential reports, the BSU produces quarterly key risk indicators, which include the evolution of NPLs. However, these indicators cannot be used by the BSU to check compliance with the NPL reduction plans, because NPLs are calculated for the whole credit portfolio (including the new production of loans) while the nonperforming share of the static portfolio subject to the plan is only available at year-end (only a deviation of the NPLs for the static portfolio would provide grounds for action). At some point, onsite inspections (or thematic reviews) focused on the implementation of these plans, coupled with credit file reviews to identify misclassification and under-provisioning, could have been—but were not—used to better assess the effectiveness of these plans.

  • A memo summarizing the main conclusions resulting from the reviews of these plans was not formalized and sent to the supervisory council.

51. A Reserve for General Banking Risks was established by the BR/09. This reserve is equal to 2.5 percent of the regulatory allocation, which is defined as the difference between a credit institution’s level of NPLs less the specific reserves calculated under the accounting rules (that is, the uncovered portion of NPLs). The MFSA considers the allocation of funds as a capital buffer via this methodology as a Pillar 2 measure. The appropriation to the Reserve for General Banking Risks shall be affected from the profits for the year. Where a credit institution has total CET 1, which exceeds a threshold determined by the authority, only half (50 percent) of the appropriation has to be allocated to the Reserve for General Banking Risks from the profits for the year. Further clarity is needed, as (1) the threshold has not been defined by the MFSA; and (2) it is unclear how the calculation of this reserve ties with the general rules specifying the calibration of the Pillar 2 surcharge.

52. The introduction of IFRS 9 raises new challenges. Following the implementation of IFRS 9 in January 2018, the measurement of accounting reserves shifted from an incurred losses model to an expected credit losses (ECL) approach. 22 At the time of the FSAP mission, the impact of the new approach on CET1 had not been measured. Going forward, the MFSA should develop technical capabilities and collaboration with external legal auditors to be able to assess the methods employed by credit institutions to calculate expected credit losses (ECL) and to ensure that loan-loss allowances are adequately calibrated.

53. Concerning credit risk arising from mortgages and construction loans, further analyses are required.23

  • Since 2016, the RDU has, jointly with the CBM, undertaken a granular data-gathering exercise to better assess potential risks to the financial system arising from banks’ exposures secured by real estate collateral. The objectives of the quarterly survey are (1) to assess banks’ lending practices in relation to real-estate exposures; and (2) to provide authorities with more granular information on the credit provided to different categories of borrowers. The survey covers a sample of new loans granted during the quarter under review, enabling analysis of key ratios such as the loan-to-value, loan-to-income, and debt service-to-income ratios, and of the maturity of loan facilities. The FSAP mission team had the opportunity to review the Excel spreadsheet, which details the characteristics of the newly originated mortgage loans. This spreadsheet, which provides extremely useful information, reveals that several banks are granting mortgages with a long maturity (up to 40 years) and “balloon repayment” features.24 It is therefore unfortunate that (1) this spreadsheet has not been shared internally with the BSU at the time of the FSAP mission; and (2) it has not yet led to further analyses to assess the accuracy of the information and to confirm whether these mortgage loans are representative or not from the whole population of new loans. During the meetings with the industry, the banks’ representative highlighted that a sharp decrease of real estate prices would not trigger an increase in the default rates when borrowers are buying their primary residences. However, concerning buy-to-let mortgages, the borrowers’ repayment capacity would be clearly affected by a decrease of real estate prices and rental payments.

  • With respect to construction loans granted to real estate developers who repay the loans by selling the properties upon completion of the construction projects, a decrease in real estate prices would obviously affect adversely the borrowers’ ability to repay the loans. During the meetings with the banks, it was emphasized that some developers have limited experience with managing construction costs and may not have enough equity to cope with lower selling prices. Further, it was mentioned that lending standards differ substantially from one bank to another (loose covenants and limited security packages could be an issue for some lenders). The lack of professional appraisers in Malta was also emphasized (valuations are performed by architects, who may be subject to conflicts of interest). Due to the length of court proceedings and the difficulty to realize collateral securing the loans, Maltese banks are still struggling to recover loans extended to developers who defaulted in 2008–2009 after a somewhat limited correction of house prices. Assessing the repayment capacity of the borrowers and the credit underwriting standards is therefore paramount in a context where real estate valuations are high and price reversal cannot be ruled out. In that respect, it is noted that few credit file reviews have been conducted by the MFSA. Similarly, no review of collateral valuation processes and asset recovery functions has been carried out.


  • The frequency of onsite examinations assessing the extent of credit risk and the adequacy of risk management should be increased.

  • The follow-up of banks’ implementation of NPL reduction plans should be intensified (including by increasing the frequency of compliance assessment from yearly to quarterly) and further action, such as the activation of the reserve for excessive NPLs, should be used if need be. The exclusion of one bank from submitting a NPL reduction plan should be reconsidered after an analysis of the quality of the data submitted to the MFSA.

  • The MFSA should undertake a banking-sector-wide review (including sampling loan files) of credit underwriting standards of mortgages and construction loans (that is, corporate loans granted to real estate developers).

  • Explicit powers should be given to the MFSA to require a change in the risk classification and/or additional provisions when it is considered appropriate.

  • It should be specified how the Reserve for General Banking Risks ties with the general SSM methodology governing the calculation of the Pillar 2 surcharge.

  • The MFSA should intensify collaboration with legal auditors and develop its own develop technical capabilities in order to be able to assess the methods employed by banks to calculate expected credit losses (ECL) under IFRS 9.

G. Related Parties

54. There is no harmonized approach at the EU level for exposures to related parties. Definitions of the term “related parties” and restrictions for credits to related parties can be found in the national legislation of some EU member states, Malta being one of them.

55. The definition of related parties has been amended and expanded to address the recommendations made during the previous FSAP. Article 15(1)(b) of the BA provides restrictions on loans to directors and “anybody of persons in which the bank or any one or more of its directors jointly or severally maintains control” (all transactions must be done on an arm’s-length basis and transactions engaged by a bank with its directors cannot exceed on aggregate EUR 23 million, regardless of the size of the bank). Moreover, a banking rule adopted in 2011 (BR/11) to address one recommendation made by the team that performed the independent assessment in 2011 states that credit institutions shall apply the arm’s-length principle to: qualified and significant shareholders, auditors, or their respective spouses, whether jointly or severally, and to any commercial partnership in which such persons may have control; and officers and employees of the credit institution.

56. Despite improvements, the related-parties framework still exhibits significant gaps with the BCPs (CP 20):

  • Limited scope of related parties. Entities having the same parent company as the credit institution and belonging to the same group (that is, sister companies) are not considered related parties. 25

  • Insufficient scope of transactions. Transactions with related parties solely include credit facilities and other “bank services,” but do not include all claims and dealings, such as service contracts, asset purchases and sales, construction contracts, lease agreements, etc. The term “transaction” is not interpreted broadly enough to incorporate not only transactions that are entered into with related parties, but also situations in which an unrelated party (with whom a bank has an existing exposure) subsequently becomes a related party.

  • Lack of bank Boards’ involvement. The regulation in Malta does not require the prior approval of banks’ Boards before entering into transactions with related parties, writing off of related-party exposures exceeding specified amounts, or which otherwise pose special risks. Further, the regulation does not specify that Board members with conflicts of interest be excluded from the approval process of granting and managing related-party transactions. Last, the regulation does not state that (1) senior management monitors related-party transactions on an ongoing basis; (2) the Board provides oversight of these transactions; and (3) exceptions to policies, processes, and limits are reported to the appropriate level of a bank’s senior management and, if necessary, to the Board, for timely action.

  • Insufficient policies and processes. The regulation does not state that banks shall have policies and processes to identify individual exposures to and transactions with related parties, as well as the total amount of exposures, and to monitor and report on them through an independent credit review or audit process.

  • Limited powers to mitigate risks. Limits are not set on aggregate exposures to related parties. The MFSA does not have the power to deduct such exposures from capital when assessing capital adequacy, or to require collateralization of such exposures. 26

  • Limited information communicated to the MFSA. A report (Analysis of Loans) detailing the loans to directors and staff members is submitted by banks on a quarterly basis. Therefore, this report does not include transactions with all related parties.

  • Insufficient reviews of related-parties’ transactions. In recent years, only one onsite inspection focused on related-parties’ exposures and reviewed a sample of transactions


The authorities are encouraged to:

  • Expand the definition of “related-party transaction” and extend related-party requirements to banks’ sister companies.

  • Strengthen qualitative requirements related to the bank Boards’ involvement.

  • Increase the MFSA’s information and powers to mitigate risks arising from exposures to related parties. The amount of the aggregate limit capping each bank’s exposure to all related parties should be defined by taking into account the size and/or the amount of capital.

  • Review on a more frequent basis the transactions with related parties during onsite inspections.

H. Liquidity and Funding

57. Liquidity requirements are subject to maximum harmonization in the EU. Banks submit the Liquidity Coverage Ratio (LCR) on a monthly basis whereas the Net Stable Funding Ratio (NSFR) is submitted quarterly. 27 The assessment of liquidity and funding risks relies on several approaches: (1) the supervisory view based on the results of the SREP, which takes into consideration the prudential ratios and the institution’s internal risk controls and policies; (2) the banks’ perspective, based on internal assessment of liquidity adequacy (ILAAP) and on funding plans (only for the largest banks); and (3) a forward-looking approach based on the results of stress tests (carried out by the CBM).

58. Requirements on the liquidity management frameworks are in line with EU rules. The legal basis requiring credit institutions to maintain sufficient liquidity to withstand a range of stresses and to have a robust liquidity management framework is established in Article 86 of CRD IV, which has been transposed into Annex 2B of the BR/12. It also provides that credit institutions shall have robust strategies, policies, processes, and systems for the identification, measurement, management, and monitoring of liquidity risk over an appropriate set of time horizons, including intraday, so as to ensure that institutions maintain adequate levels of liquidity buffers.

59. The assessment of “risk to liquidity and funding” is included in the SSM LSIs SREP methodology. It provides for an assessment of an institution’s capacity to meet its short-term financial obligations (short-term liquidity risk) and a longer-term assessment of the sustainability of its funding profile (funding sustainability risk). As a complement to the SSM methodology, the MFSA has developed its own guidelines (“Procedures Notes—Assessment of Liquidity and Funding Risk”), which are extremely detailed and provide a useful tool for offsite analysts.

60. As already emphasized, a full SREP has only been completed for one HP LSI. Another SREP should be finalized shortly, while the reviews of the remaining HP LSI and another LSI are expected to be completed by the end of Q1 2019. As part of the first SREP exercise, a thorough analysis of the risk profile and risk management has been performed, even though no specific targeted meetings have been held on liquidity issues. By the end of Q1 2019, the MFSA will have enhanced significantly its understanding of liquidity and funding risks faced by HP LSIs.

61. For the other LSIs, the situation is mixed. On average, the Maltese banks do report high LCRs, well above the regulatory minimum (LCR stood at 183.8 percent for the core domestic banks, 263.9 percent for the noncore domestic banks, and 280.7 percent for the international banks as of end-2017). Similarly, the customer loan-to-deposit ratio is low (58.9 percent for the core domestic banks, 47 percent for the noncore domestic banks). However, some banks are more vulnerable to liquidity shocks (reliance on wholesale funding, and a substantial share of deposits held by nonresidents). In this context, it is noted that (1) the SREP has not yet started for non-HP LSIs; (2) the ILAAP documents that had been submitted were being analyzed by the MFSA at the time of the FSAP mission, and no feedback has yet been provided to the industry; (3) only one non-HP LSI has been requested to submit a funding plan; and (4) liquidity risk is not subject to onsite inspections (no targeted inspection has ever been organized, and full-scope inspections have been rather seldom).28 The BSU relies therefore on prudential returns and meetings that can be organized from time to time with non-HP LSIs. Also, the KRIs, which are based on prudential returns, adequately include the key metrics, including the share of deposits held by nonresidents. It is noteworthy that the Financial Stability Risk Identification and Monitoring report issued by the RDU in February 2018, which highlighted a surge of deposits held by noncore and international banks, recommended implementing a “close monitoring of funding models of LSIs to assess linkages to domestic economy” and to “monitor whether banks follow business models as defined at authorization stage.” In that respect, while maintaining a proportionality approach, more frequent meetings with banks could be organized with non-HP LSIs on liquidity risk issues. Given the potential volatility of deposits held by nonresidents, ongoing scrutiny of liquidity risk is needed.

62. The BR/05 on liquidity requirements is no longer consistent with the CRR, which is directly applicable. The BR/05 contains a minimum asset requirement and still refers to the Maltese lira. The rule deserves to be either amended or removed.


The authorities are encouraged to:

  • Organize more frequent meetings on liquidity risks with the LSIs, which are subject to SREP once every two to three years.

  • Increase the frequency of onsite assessments of liquidity risk (either through targeted or full-scope missions). In view of overarching resource constraints, this may also be an appropriate topic for a horizontal review.

  • Review the ILAAP documents and provide feedback to the banks.

I. Governance and Risk Management

63. The MFSA’s regulation (BR/12) contains several detailed principles for good governance and risk management in banks.

  • Transposing the provisions of CRD IV related to internal governance and risk management, the BR/12 states that a credit institution’s internal governance arrangements should include a clear organizational structure with well-defined, transparent, and consistent lines of responsibility; effective processes to identify, manage, monitor, and report the risks that it is, or might be exposed to; and adequate internal control mechanisms, including sound administrative and accounting procedures (Article 13).

  • Further, it is specified that internal governance aims at ensuring that a credit institution’s management body (the Board of Directors) is explicitly and transparently responsible for its business strategy, organization, and internal controls. The Board is concerned mainly with setting the credit institution’s business objectives and its appetite for risk, how the business of the credit institution is organized, how responsibilities and authority are allocated, how reporting lines are set up, and what information they convey, and how internal controls (including risk control, compliance, and internal audit) are organized (Article 14).

  • These arrangements, processes, and mechanisms shall be comprehensive and proportionate to the nature, scale, and complexity of the credit institution’s activities within the context of the principle of proportionality. Provisions are further detailed in Annex 2B (technical criteria on governance arrangements).

  • Credit institutions are also expected to follow the principles on internal governance as issued by the EBA, but these guidelines are not legally binding, as they have not yet been implemented in the regulations (the deadline for implementation being mid-2018). The MFSA has committed itself to implementing these guidelines “in the near future.”

64. From a review of onsite reports and offsite analyses, signs of weak governance persist in several areas. In several instances, onsite examiners noted inadequate composition of Boards and functioning of Board committees (the size of the Board not commensurate with the risk profile, inappropriate mix between independent and non-independent directors). Ownership also represents a potential governance issue because some LSIs have a single ultimate beneficial owner in the form of a private individual, a form that requires enhanced supervisory oversight. Limited awareness among banks’ Boards and senior management was also emphasized during discussions with various parties. Overall, corporate governance practices in the LSIs still need to be significantly improved, but the BSU is aware of the challenges faced by banks.

65. The MFSA’s supervisory actions related to corporate governance policies generally stem either from onsite inspections or through ongoing supervision. Full-scope inspections of LSIs always include a review of governance. Several targeted inspections assessing governance and thematic reviews have also been conducted. All in all, a lot of attention has arguably been paid by the MFSA to corporate governance. Onsite inspectors are to be guided by SSM Manual Chapter 6, on Onsite Inspections and a Joint Standard issued by the ECB on the conduct of onsite inspections at the LSIs. Detected deficiencies in corporate governance, which included issues relating to policies, have also resulted in the application of administrative penalties in two cases. At some point, as a complement to the review of corporate governance, it would have been appropriate to assess whether weak governance structures have translated into excessive risk taking. Such an analysis remains, to a large extent, to be carried out (as already outlined).

66. The SREP methodology serves as an overall review of a credit institution’s operational and organizational structure, overall risk control, and risk-management framework. The assessment covers three main aspects: (1) the banks’ internal governance framework (including key control functions, such as risk management, internal auditing, and compliance); (2) the risk-management framework and risk culture; and (3) the risk infrastructure, internal data, and reporting. The BSU assesses whether the overall risk management framework is appropriate to both the scale and complexity of the institution, with a view to ensure that it is adequately staffed and sufficiently independent, both in terms of quality and quantity of human resources allocated to the function, and whether it maintains links with operational lines. There is particular emphasis on the Chief Risk Officer (CRO); the assessment criteria are, among others, whether the CRO has the necessary experience and skills, bears the responsibility for risk management, and is able to give the risk perspective significant weight within the institution with regard to significant business decisions. The BSU holds regular meetings with a number of representatives of the LSIs, including the CRO. However, as already discussed, only one full LSI SREP was completed at the time of the assessment.

67. Reviews and evaluations of ICAAP and ILAAP have commenced as part of the annual SREP (as explained earlier). The results of these assessments feed into the SREP assessment and are used for determining Pillar 2 capital and liquidity requirements for credit institutions. Also, the purpose of the ICAAP is to inform the Board of Directors of the ongoing assessment of the banks’ risks, how the banks intend to mitigate those risks, and how much current and future capital is necessary, having considered other mitigating factors. Article 17C of the Banking Act, which transposes Article 73 of the CRD IV, requires all banks to have in place an internal adequacy assessment process in relation to their risk profiles. The ECB published its supervisory expectations on ICAAP and ILAAP in January 2016. Although these expectations are directed at SIs, the LSIs have been encouraged by the MFSA to refer to the ECB Supervisory Expectations. At this stage, the MFSA has collected ICAAP and ILAAP for all LSIs, but reviews of these submissions have not yet been completed (as already mentioned).

68. As part of the internal governance framework, a licensed credit institution shall have in place a Board-approved policy for the remuneration of its management and staff members. Malta has transposed Articles 92 to 95 of the CRD (into Annex 2E of the BR/12) whereby credit institutions’ remuneration policies for staff members whose professional activities have material impact on the credit institutions’ risk profile; shall ensure that remuneration is consistent with sound and effective risk management; and provides an incentive for prudent and sustainable risk taking. Credit institutions shall also disclose detailed information on their remuneration policies, practices, and, for reasons of confidentiality, aggregated amounts for those members of staff whose professional activities have a material impact on the risk profile of the institution. Credit institutions that are significant in terms of their size, internal organization, and the nature, scope, and complexity of their activities shall establish a remuneration committee. The MFSA carries out an annual remuneration exercise (in line with ECB and EBA requirements) to collect remuneration information from all credit institutions, relating to aggregated data, remuneration for material risk takers, as well as remuneration of high earners. This information is reviewed and discussed with the banks, if necessary. In situations where issues arise, the MFSA discusses the matter with the bank to ensure that remuneration practices are in line with the requirements.

Fit-and-Proper Evaluation

69. Fit-and-proper decisions for the LSIs are still taken by the national supervisors, except in the case of a new bank license.29 In the latter case, fit-and-proper reviews must first be conducted by the NCAs in compliance with national legislation, before submission and further analysis by the ECB. CRD IV and the guidelines on the suitability of members of the management body published by the EBA aim to provide harmonization at both the legislative and the regulatory levels. Being not directly applicable, the provisions of the CRD IV have been transposed into national law. Article 14 of the Banking Act stipulates that a controller or a director of a credit institution must be a suitable person to exercise that control. Further, Article 32 states that any person who has been adjudged bankrupt or is interdicted or has been involved in money laundering, or found guilty of a crime, shall not act or continue to act as an officer of a credit institution.

70. The information needed for the fit-and-proper assessment is collected through a detailed Personal Questionnaire. Once a person is considered fit and proper, no further assessment is conducted by the MFSA, unless changes occur in the organization (changes in the composition of the Board of Directors, appointment of a new CRO, etc.).

71. Powers to change the composition of the Board of Directors or to remove a controller have not been used so far.

  • If the MFSA is of the opinion that any person who is, or is proposed to become, a controller or director of a credit institution is unsuitable, the MFSA may make an order requiring the person to cease to be a controller or director or restraining the person from becoming a controller or director (Article 14(10) of the Banking Act). It is noted that, in practice, the MFSA has never formally used its powers to change the composition of a Board by considering that a director was no longer fit and proper. However, some banks have been instructed to include more independent directors and/or directors with specific expertise.

  • This approach is not in line with the EBA guidelines on the suitability of members of the management body whereby “the assessment of the individual and collective suitability of the members of the management body should be performed on an ongoing basis by competent authorities, as part of their ongoing supervisory activity” and “in particular, competent authorities should re-assess the individual or collective suitability of the members of the management body whenever significant new facts or evidence are unveiled during the course of ongoing supervision.”


The authorities are encouraged to:

  • Increase the number of onsite inspections of the LSIs and make onsite inspections more risk-oriented in assessing the adequacy of risk management.

  • Conduct on a regular basis an updated fit-and-proper evaluation of relevant persons, especially when onsite inspections identify serious concerns, such as potential breaches of AML requirements.

J. Enforcement and Sanctioning

72. Sanctioning is a shared responsibility between the ECB and the MFSA. The ECB’s direct enforcement and sanctions powers are limited to pecuniary penalties on SIs, which breach directly applicable EU law or ECB decisions or regulations. In the event of breaches of national law implementing EU directives, breaches committed by natural persons, or when a non-pecuniary penalty has to be imposed, the ECB may request that the MFSA open proceedings with a view to impose penalties, if appropriate.30 Concerning LSIs, the MFSA has the power to impose sanctions on the legal entities and their management for breaches. The ECB can also impose enforcement measures against LSIs for ongoing breaches of ECB decisions or regulations imposing an obligation vis-à-vis the ECB. The MFSA has exclusive competence to impose sanctions in relation to breaches by the SIs and LSIs, and their management of national laws that do not relate to the ECB’s tasks.

73. The MFSA has a broad range of corrective and sanctioning powers. They include:

  • Imposing an administrative penalty when a credit institution (1) breaches any of the provisions of the Banking Act, or any regulation or banking rules issued thereunder, or the CRR; (2) does not comply with a directive issued by the MFSA under the BA; and/or (3) fails to comply with the conditions imposed in the licensing agreement (Article 35.A of the Banking Act). In determining the sanction or fine, the supervisory council is guided by the Administrative Penalties, Measures and Investigatory Powers Regulations (Subsidiary Legislation 371.05). An administrative penalty or measure may also be imposed on a natural person (senior management, for instance) and/or any director of a credit institution. The amounts are potentially dissuasive (up to €5 million for a natural person, up to 10 percent of the total annual net turnover in the case of a legal person).

  • Requiring a credit institution to take the necessary measures at an early stage to address problems in cases where either the credit institution does not meet the requirements or is likely to breach the requirements of the Banking Act, regulations, or banking rules issued thereunder or of the CRR (Article 17E of the Act). This would include instances where risk governance, systems, and controls are not effective or adequate in terms of the legislative provisions referred to above. These measures may include those listed in Regulation 9 of the Banking Act (Supervisory Review) Regulations (Subsidiary Legislation 371.16), such as the possibility (1) to require a credit institution to hold its own funds in excess of the requirements; (2) to require the reduction of the risk inherent in the activities, products, and systems of credit institutions; (3) to require credit institutions to present a plan to restore compliance with supervisory requirements; (4) to restrict or limit the business, operations, or network of credit institutions, or to request the divestment of activities that pose excessive risks to the soundness of a credit institution; (5) to require a credit institution to limit variable remuneration as a percentage of net revenues where it is inconsistent with the maintenance of a sound capital base; (6) to impose additional or more frequent reporting requirements; and (7) to require additional disclosures.

  • Issuing directives in writing requiring a licensee to do, or to refrain from doing, any act, including such prohibitions, restrictions, and conditions as may be specified in the directive (Article 16 of the MFSA Act).

  • Taking control of a credit institution, by appointing a competent person to take charge of the bank’s assets or to assume control of the business, require the credit institution to wind up its business, and/or by appointing a liquidator (Article 29 of the Banking Act). Ultimately, the license can be withdrawn.

74. Decision-making powers rest with the MFSA supervisory council. When the final decision-making comes to the taking of regulatory action, such as the imposition of administrative penalties, cancellation, suspension or restriction of license, and the issuing of directives is conferred to the council, the process is normally activated by the relevant supervisory unit, which may bring matters to the attention of the supervisory council when it is perceived that regulatory action may be necessary.

  • Supervisory council memos are circulated to all team members and are then discussed during meetings. They contain detailed information on the matter/concern, which is being brought to the attention of the council (for example, details of any noncompliance issues, findings resulting from investigations conducted by the relevant supervisory unit, and so on) and would normally also include one or more recommendations or possible courses of action for the supervisory council’s consideration.

  • With regard to certain types of regulatory action (restriction, suspension, or cancellation of a license), the law obliges the MFSA to first serve a written notice of its intention to do so to the licensee, specifying the grounds upon which the MFSA intends to take that action and stating a time period within which the licensee is entitled to submit its observations. The decision to issue any such notice/minded letter is taken by the supervisory council. In certain cases, the council has adopted the approach of following the minded letter—representations—final decision procedure, even when not strictly bound to do so by law in view of due process considerations and/or because of the serious nature of the proposed regulatory action (for example, when the MFSA intends to impose an administrative penalty).

75. In determining the sanction or fine, the supervisory council is guided by a specific regulation. The Administrative Penalties, Measures and Investigatory Powers Regulations, Subsidiary Legislation 371.05 provides for factors that may affect the penalty that is to be meted out against the licensee.31 Concerning the use of prompt remedial actions (measures taken at an early stage, directives), it is noted that thresholds at which a supervisory action is required, have not been defined, even though the BSU may make use of automated KRIs.

76. Before making use of supervisory powers, the MFSA employs a progressive remedial process. Applying gradual responses rather than immediately resorting to more coercive measures is not questionable per se, as long as tools and processes are in place to: (1) address supervisory concerns with banks in a proactive and timely manner, including formal communication and escalation to senior management and the Board as appropriate; and (2) ensure adequate and timely follow-up of actions taken by banks. In that regard, it was noted that remediation progress and completion were insufficiently monitored and documented.

77. Despite the vast range of corrective measures and powers that the MFSA enjoys based on the legislation, evidence of effective application of all of these enforcement powers is somewhat limited. In the past five years, the MFSA has imposed a limited number of sanctions, as illustrated in Table 6. Further, the low pecuniary penalties imposed on banks have a limited deterrent effect. Also, the MFSA has never exacted sanctions against natural persons. Last, no actions have been decided on grounds of insufficient internal controls to prevent money laundering risks.

Table 6.

Malta: Administrative Measures and Penalties Against Credit Institutions, 2013–2018

article image
Source : MFSA website (public information).

78. Review of supervisory measures in the broad sense suggests that the MFSA has taken decisive action in several instances, but such actions may not have been as timely as desirable. More supervisory measures have been decided since 2015. Such measures are mainly adopted following an onsite inspection. In that respect, it is worthwhile to note that over the past few years, significant delays were observed between the end of the investigation phase and the date on which decisions were taken by the supervisory council (up to one year). Additionally, as already emphasized, the frequency of onsite inspections is low, with several banks that have not been inspected over the past five years. The main risks faced by the Maltese banks (credit risk, liquidity risk, and compliance risk) are not subject to in-depth onsite inspections. By construction, this can only reduce the opportunities to detect problems and take appropriate supervisory measures. For one bank, a competent person was appointed in 2016 following an onsite inspection jointly carried out with the ECB. The joint inspection had revealed excessive related-parties’ exposures and under-provisioning. It is noted that while a 2015 onsite inspection carried out by the MFSA emphasized serious governance shortcomings, it did not include an in-depth review of credit risk, a thorough analysis of related-parties’ transactions, and a review of the adequacy of provisions.

79. The way the appeal procedure is handled has a negative effect on the effectiveness of the sanction policy. Any person who is aggrieved by a decision or measure taken by the MFSA may appeal to the Financial Services Tribunal. 32 Moreover, appeals against pecuniary penalties have suspensive effects, and it is noteworthy that the MFSA has 27 pending appeals, some of which date back to 2009. This is not conducive to implementing a dissuasive sanction policy. The Financial Services Tribunal’s resources appear to be limited (no permanent secretariat, and part-time judges are appointed).


The authorities are encouraged to:

  • Perform a thorough follow-up on banks’ implementation of supervisory recommendations.

  • Take action in a timely manner by reducing the delay between the finalization of onsite inspections and the date on which supervisory measures are taken.

  • Use proactive, preventative, and earlier corrective actions to address risk management issues.

  • Make more use of monetary fines as part of the sanctioning regime for credit institutions.

  • Ensure that supervisory action is not delayed through judicial appeal and achieve greater certainty that actions would not be reversed. To this end, the authorities should investigate ways to limit the circumstances in which actions could be stayed (including through a revision of the legal framework for judicial review of supervisory actions), and to circumscribe remedies to monetary compensation in the event that the authority is found to have acted in contravention of the law. The legal framework for judicial review of supervisory actions should aim to incorporate (well circumscribed) limitations on such judicial review to strike a balance between the right for due process and a legitimate need for judicial review on the one hand and the effectiveness of such actions on the other hand. The authorities should also consider increasing the Financial Services Tribunal’s resources and capabilities (such as a permanent secretariat and full-time judges).

K. Financial Integrity

80. According to the authorities, the money laundering threat to Malta is relatively high and driven mostly by the laundering of foreign proceeds of crime. The main vulnerabilities identified through the national risk assessment—NRA (see the following)—point toward Malta’s open economy and large financial sector (the banking and securities sectors in particular), gaming sector (especially remote gaming), and designated nonfinancial business and profession (DNFBP) sector (particularly trust and company service providers, legal and accounting professionals, and the real estate sector).33 The NRA furthermore highlights Malta’s heavy use of cash and transferable checks as a compounding factor, with many sectors, such as construction and tourism, relying on cash transactions, rendering Malta a cash-intensive economy in general.

81. Several initiatives have been taken by the Maltese authorities over recent years. Malta carried out an initial AML/CFT NRA in 2013–2014, which was subsequently reviewed and updated in 2017. It led to an updated NRA Report, as well as a national AML/CFT strategy based on the findings. A detailed action plan, including more than 50 detailed action points, was devised for implementation of the strategy in the next three years. This national AML/CFT strategy has been published. A National Coordinating Committee on Combatting Money Laundering and Funding of Terrorism has also been established. An increase of resources devoted to money laundering prevention has been decided. Concerning the legal powers, it is worth reminding that the Report on Fourth Assessment Visit from the Committee of Experts on the Evaluation of Anti-Money Laundering Measures and the Financing of Terrorism (MONEYVAL) noted in 2012 that Malta has a comprehensive legal structure to combat money laundering.

82. The FIAU is the main AML/CFT supervisor in Malta. The FIAU is an independent government agency established in terms of Article 15 of the Prevention of Money Laundering Act (PMLA). The FIAU is the receiving agency for Suspicious Transaction Reports (STR). When, following an analysis of a STR, the FIAU has reasonable suspicion that the reported transaction, activity, or person could involve money-laundering or terrorism-funding activities or criminal proceeds, it shall send an analytical report to the police, as the law enforcement agency.

83. The FIAU also has a supervisory role and is assisted by the MFSA in the AML/CFT oversight of the financial services sector. As set out in Article 26 of the PMLA, the FIAU is responsible for monitoring and ensuring subject person compliance with the PMLA, the Prevention of Money Laundering and Funding of Terrorism Regulation (PMLFTR), and the implementing procedures. The compliance section of the FIAU is responsible for this task, which is achieved through onsite compliance examinations and offsite assessments of subject persons falling within the definitions of “relevant financial business” and “relevant activity” under the PMLFTR. Onsite supervision of MFSA license holders is carried out by the Enforcement Unit of the MFSA, acting as an agent of the FIAU in accordance with Article 26(5) of the PMLA. The FIAU remains the sole authority responsible for reviewing cases presented before it, and for taking decisions on any breaches and on the sanctions to be imposed.34 In line with its 2017 restructuring plan, the FIAU is planning to expand its human resources (from 20 to 56 staff members by end-2020, 19 of whom will be dedicated to AML/CFT supervision). Similarly, recruitment is planned at the MFSA (from nine supervisors working on AML/CFT as of June 2018 to 30 by end-2018).35 At the time of the FSAP mission, the size of the MFSA team was reduced to six supervisors (due to three resignations) and the plan to recruit 23 people (20 new and three replacements) by end-2018 may turn out to be over-optimistic.

84. The EBA pointed out in July 2018 general and systematic shortcomings in the FIAU’s application of the Third EU Directive on the prevention of AML/CFT.

  • In October 2017, the European Commission’s Director General for Justice and Consumers asked the EBA to investigate a possible breach of Union law. This was related to the apparent failure of the FIAU to apply effective, proportionate, and dissuasive sanctions for alleged infringements by Pilatus Bank of Malta’s AML/CFT provisions in line with Article 39 of the Third EU Directive on the prevention of AML/CFT (Directive 2005/60/EC or “AMLD3”).

  • According to the EBA, the FIAU failed to ensure that one credit institution (Pilatus Bank) put in place adequate and appropriate AML/CFT policies and procedures, as required under Article 34 of AMLD3; the FIAU neither imposed effective, proportionate, and dissuasive sanctions, nor any other supervisory measures, to correct the shortcomings it had identified to ensure the institution’s compliance with the directive’s requirements. The EBA decided not to open a breach of Union law investigation into the MFSA, reflecting the recent supervisory actions taken by the MFSA and the current requirements of Union law. Nonetheless, the EBA did identify significant concerns about the actions of the MFSA in some areas.

  • As highlighted in the EBA’s Recommendations, “the findings from the EBA’s investigation reveal a general practice of the FIAU at the time of the case at issue and not only, as argued by the FIAU, a failure in this particular case.” The FIAU has informed the EBA of general actions that, as an Action Plan, it has already undertaken, or which are in train, to strengthen its supervision. The EBA noted that “while a move in the right direction, these measures are not enough to be satisfied that the deficiencies that led to a breach of Union law have been resolved” and, as a consequence, adopted recommendations aimed at remedying the particular failings that it had identified.

  • The FIAU has challenged the issuance of the recommendation because an Action Plan had been already adopted by the FIAU to address these concerns. According to the EBA, “the need identified by the FIAU for such a wide-ranging nature Action Plan provides support for its findings that the procedures and policies applied at the time of the case at issue were not appropriate and effective.”

85. A swift implementation of the Action Plan is critical considering the AML/CFT supervisory framework has serious deficiencies. The FSAP mission’s review of onsite reports and enforcement measures taken revealed the following observations.36

  • Low number of onsite reviews. The number of onsite visits conducted at credit institutions solely by the MFSA or jointly with the FIAU, albeit slightly increasing, has been low over recent years (five onsite reviews in 2017, three in 2016, and three in 2015), and the yearly plan has not been commensurate with the banks’ risk profiles. The five largest banks in terms of assets have not been inspected since 2015. Similarly, a bank active in commodity-trade finance, which is potentially prone to money laundering, has never been inspected.

  • Limited number of sanctions. Few administrative sanctions have been imposed on credit institutions by the FIAU (none in 2015, three in 2016, one in 2017) and the amount of penalties has not been dissuasive.37 In several instances, no sanction was made despite extremely severe findings highlighted in compliance examination reports. Explanations were not provided in the final decisions. It is also noted that no sanction has been made by the MFSA on grounds of insufficient internal controls and compliance checks.

  • Short duration of the onsite reviews and narrow scope of investigations. The mission team had the opportunity to review a sample of compliance examination reports. It appears that the onsite investigation phase was limited to a couple of days. Even though preparatory work can be carried out prior to the mission, the fact remains that this short duration does not give the examiners sufficient time to examine a large number of clients’ accounts and to extract data from the banks’ information systems for identification of potentially suspicious transactions. Until recently, investigations were limited to a series of interviews with the money laundering risk officers and the review of a limited sample of accounts (33 for one of the largest Maltese bank). Accordingly, the effectiveness of ongoing monitoring and transaction screening was not assessed. However, the two latest reviews launched in 2018 lasted five months (they were not finalized at the time of the IMF mission).

  • Far too excessive delays to finalize the onsite reports. The IMF mission noted that it may take up to 1.5 years to produce the final report. The complexity of the FIAU internal procedure governing the conduct of onsite visits is unlikely to solely explain and justify these delays, keeping in mind that the discussion on the findings with the inspected entities takes place after the finalization of the report. This lengthy process of providing findings and recommendations to banks based on onsite examinations seriously weakens its effectiveness.

  • Inadequate timeliness of the regulatory response. Delays in coming to a final decision are excessive (up to three years after concluding an onsite inspection).

  • Insufficient involvement from the BSU regarding the effectiveness of internal controls related to AML risks. Onsite reviews of the compliance with prudential requirements on risk management, internal control, and internal audit could have been—but were not—used by the MFSA as a way to act on a standalone basis (without any request from the FIAU), and to take supervisory measures against banks found with inadequate internal controls and compliance frameworks. Additionally, the BSU could ensure that (1) banks have adequate compliance functions and audit functions dealing with all material risks, including AML/CFT; (2) AML internal policies and practices are subject to regular audits; (3) the conclusions of internal audit missions focusing on AML are adequately communicated to the relevant persons; (4) there is an internal follow-up of recommendations; (5) AML is included in the risk mapping; (6) AML policies and processes are integrated into the bank’s overall risk management; and (7) the information system is robust. Documentation shared with the FSAP mission shows that such reviews are not conducted on a regular basis. Also, STRs are not communicated by banks to the MFSA when suspicious activities are material to the safety, soundness, or reputation of banks, and the BSU does not conduct regular contact with the banks’ money laundering risk officers.


  • The number of onsite compliance examinations of credit institutions should be significantly increased.

  • The scope, duration, depth, and methodology of the investigations should be significantly revised—being less formal and more risk-oriented—with a view to ensuring that banks are taking steps to identify, assess, monitor, and mitigate the risk of money laundering.

  • The FIAU and the MFSA should shorten the turnaround time of supervisory reviews from initiation to final report, and from the report to final decision. Time-bound remedial action plans should be imposed at a minimum in a systematic fashion when findings are made by onsite examiners. The decision-making process within the FIAU should be simplified to speed up the sanctioning process.

  • The FIAU should make more use of monetary fines as part of the sanctioning regime for credit institutions and increase the amount of penalties.

  • The MFSA should devote more resources to consider AML/CFT risk in risk assessments and supervision of banks.

  • The MFSA should take supervisory measures based on AML/CFT-related risk management and operational risk deficiencies (instead of, at best, increasing capital requirements as part of the SREP).

  • Although ongoing EBA work to strengthen supervisory convergence and enhance information exchange mechanisms are positive steps, a EA (or EU) level AML/CFT supervision should be considered as a more comprehensive solution, as emphasized in the EA FSAP.


This technical note was prepared by Luc Riedweg (IMF staff). The assessment of banking supervision took place in the period September 12–27, 2018. The conclusions of this assessment were presented to the authorities during a technical pre-wrap-up meeting on September 20. The mission team would like to thank the C EO, the Directors, and the staff of the MFSA for their excellent cooperation and fruitful discussions.


The European banking union has three pillars. The two others are a common framework for recovery and resolution (in the form of the Single Resolution Mechanism and Single Resolution Fund) and for deposit protection.


The size, overall composition, and organization of a JST vary depending on the nature, complexity, business model, and risk profile of the supervised institutions. JSTs are staffed by the ECB and NCAs, with coordinators from the ECB and sub-coordinators from NCAs where the parent entity is located.


The CRR is a directly applicable maximum harmonization EU regulation not requiring transposition into Maltese national law. As an EU directive, CRD IV required transposition into national law. Both CRR and CRD IV led to (1) significant enhancement in the quality and quantity of capital banks are required to hold; and (2) the setting of minimum liquidity requirements. In Malta, all ac ts (primary legislation ) are en acted by parliament while regulations (secondary legislation) are made by the minister responsible for the regulation of financial services, acting on the advice of the MFSA, which are then tabled before the House of Representatives.


Article 4(1)(a) of the SSM Regulation establishes the ECB as the exclusive competent authority for the authorization of credit institutions in EA member states, whether the institutions are SIs for which the ECB is also the supervisory authority, or LSIs directly supervised by the NCAs. The ECB is also the exclusive competent authority for the withdrawal of such authorizations. Withdrawals of authorizations can be taken at the initiative of the NCAs or the ECB itself. NCAs are fully integrated into the authorization process and in case of license withdrawals. Decisions are taken on the basis of applicable national law.


In some EU member states, supervisors may extend the onsite inspection of an entity subject to its supervision to: its subsidiaries; the legal entities that directly or indirectly control it; the subsidiaries of said legal entities; any other company belonging to the same group; the entities that have entered into a management agreement with said company; or any other agreement likely to affect its operational autonomy, and any company which is affiliated with it.


This directive (Directive 7) was issued by the Principal Permanent Secretary in 2005 in accordance with the Public Administration Act.


The organizational changes discussed in this chapter reflect the draft structure as presented by the MFSA during the FSAP mission in September 2018.


Following the discussion between the FSAP mission team and MFSA staff, and after the completion of the field mission, the MFSA has proposed and the government has agreed to the introduction of an independent enforcement decisions committee in the amendments to the MFSA Act currently before parliament. The FSAP mission team did not review these new amendments (distinct from those presented earlier), and the assessment was based on the information available as of September 26, 2018 (the date of the concluding meeting). More important, the solution proposed by the authorities would not be in line—were it implemented—with the FSAP recommendation that a supervisory council should be maintained, which means that all supervisory decisions (for example, licenses), and not only the sanctions, should be made by a dedicated statutory committee.


Following discussions with the FSAP mission team, the cabinet decided to add the MFSA to the list of entities that are exempt from Directive 7. As the amendment took place after the end of the FSAP mission, it was not reviewed by the team.


In January 2017, the MFSA requested that th e Prom ontory Financ ial Group analyze the c urrent organization, respon sibilities, and func tions of the Authority. T he resulting report w as fin alized in Ju ly 2017.


Level 1: HP LSI with a Risk Assessment System (RAS) score of 1, 2. Level 2: Highest level of engagement—HP LSI with a RAS score of 3, 4. Level 3: Lowest level of engagement—Non-HP LSI with a RAS score of 1, 2. Level 4: Non-HP LSI with a RAS score of 3, 4.


Established by Article 97 of the CRD as a major task for supervisory authorities, the SREP is further detailed in several other documents, mainly the EBA’s 2014 guidelines on common procedures and methodologies for the SREP, and the 2015 ITS on joint decisions on prudential requirements. It represents a structured framework for a holistic annual assessment of banks across the SSM, aimed at providing a synthetic overview of each bank’s risk profile, considering its capital and liquidity planning in terms of both its internal consistency and comparison with peers. The overall SREP represents the basis for assessing capital and liquidity adequacy, and for addressing concerns by taking supervisory measures of both quantitative (on capital and liquidity) and qualitative nature.


The RAT is consistent with the EBA guidelines on SREP and SSM SREP methodology, in the sense that an identical set of risk categories, covering Basel Pillar I and common Pillar II risks, has been adopted (credit risk, market risk, liquidity risk, IRRBB, and so on). For each category, a risk level grade and a risk control grade are assigned, ranging from RAS score 1 corresponding to “low risk” to RAS score 4 implying “high risk.” Risk level and risk control scores are aggregated by averaging the two ratings. Each risk category net assessment is assigned a weight reflecting a bank’s business model and risk profile, with material risks being assigned a higher risk weight. A summation of all weighted category ratings is undertaken to arrive at an overall score from 1 to 4.


As emphasized by other work streams during the FSAP mission.


Onsite inspections and onsite visits differ in terms of status and duration. Visits are much shorter and only a follow-up letter is shared with the bank (not the report itself).


Banks that are domiciled in a country outside of the EEA do not have the option of the passporting regime. Under regulation 1024/2013 establishing the SSM, branches are not under SSM/ECB supervision when the home state is not in the EEA (“Supervisory tasks not conferred on the ECB should remain with the national authorities. Those tasks should include the power […] to supervise credit institutions from third countries establishing a branch or providing crossborder services in the Union”).


Another foreign bank branch is an EU branch operating under the “single passport.” Prudential responsibility and supervision are therefore not conferred upon the MFSA.


The MFSA’s banking rules governing the calculation of capital requirements have been repealed as a result (Own Funds of Credit Institutions Authorized under the Banking Act 1994 (BR/03), Capital Requirements of Credit Institutions Authorized under the Banking Act 1994 (BR/04), and Capital Adequacy of Credit Institutions Authorized under the Banking Act 1994 (BR/08)).


Concerning the one HP LSI for which the first SREP has been completed, the presentation during a supervisory disclosure meeting of the findings of the 2017 SREP exercise took place in early 2018. The official final SREP letter (with official notification of the outcome of the 2017 SREP) has not been sent yet to the ECB or to the bank that has, however, already raised equity to comply with the P2R, which was communicated by the MFSA. For this bank, the 2018 exercise has not yet started.


Under IAS 39, loss allowances were only recorded for impaired exposures. The new requirements under IFRS 9 result in earlier recognition of credit losses, by necessitating a 12-month ECL allowance for all credit exposures not measured at fair value through profit or loss (stage 1). In addition, there is a larger allowance for all credit exposures that have significantly deteriorated (stage 2). While credit exposures in stage 3 (objective evidence of impairment) are similar to those deemed by IAS 39 to have suffered individual incurred losses (and thus requiring specific reserves), higher loan losses allowances are expected under IFRS 9 due to allowances in stages 1 and 2 (even though credit exposure in stages 1 and 2 may replace those exposures measured under IAS 39’s collective approach).


The exposure to the housing market (mortgages, construction loans, real estate activities) in the aggregate banking sector is substantial (roughly 60 percent of total lending to the private sector). In particular, strong mortgage lending has brought the share of mortgages in total lending to 45 percent.


For one bank, mortgages with “balloon repayment” account for 24 percent of the newly originated mortgage loans included in the survey.


Following the discussion with the FSAP mission team, the MFSA adopted a revised version of the Banking Rule BR/11 in order to expand the definition of related parties. As the BR/11 was amended on October 22, 2018, after the end of the FSAP mission (the closing meeting was held on September 26), the team did not review these amendments.


The EU legislation does not constitute an obstacle to the implementation of such requirements. For instance, in the E U, some national laws empower the respective competent authorities to impose upper limits on loans to related parties (for example, Spain), or to deduct such exposures from capital when assessing capital adequacy (for example, in Germany).


Several Articles of the CRR lay down the requirements on the LCR requirements. The CRR is supplemented by the Commission Delegated Regulation (EU) 2015/61, which provides additional details on the calculation of the LCR. Apart from short-term liquidity needs, institutions should also adopt funding structures that are stable over a longerterm horizon. The NSFR, which is not yet a binding minimum standard in the EU, is subject to an observation period.


Banks are required to submit funding plans on an annual basis as specified in BR/16. This requirement is only applicable to credit institutions that represent a material share of the total banking system. Two LSIs have been requested to submit a plan (one HP and one non-HP).


Moreover, the ECB takes all fit-and-proper decisions for directors of the 129 SIs in the EA, which are directly supervised by the ECB.


In such instances, the NCA conducts these procedures and decides on the resulting sanctions in accordance with applicable national law.


Such circumstances include: (1) the gravity and the duration of the breach; (2) the degree of responsibility of the natural or legal person responsible for the breach; (3) the financial strength of the natural or legal person responsible for the breach, as indicated, for example, by the total turnover of the responsible legal person or the annual income of the responsible natural person; (4) the amount of profits gained or losses avoided by the natural or legal person responsible for the breach, insofar as they can be determined; (5) the losses for third parties caused by the breach, insofar as they can be determined; (6) the level of cooperation of the natural or legal person responsible for the breach with the competent authority; (7) previous breaches by the natural or legal person responsible for the breach; and (8) any potential systematic consequences of the breach.


Any type of decision or measure, including but not limited to pecuniary sanctions.


As defined by the Financial Action Task Force.


Penalties exceeding a certain threshold are notified to the FIAU’s Board of Governors.


In 2015, a dedicated AML/CFT team was established within the Enforcement Unit of the MFSA, which took over the role of assisting the FIAU in carrying out AML/CFT inspections of the financial services operators regulated by the MFSA, a role that was previously performed by the various supervisory units within the MFSA. This team became operational in 2016 and started carrying out onsite inspections on behalf and jointly with the FIAU.


The FSAP team had the opportunity to review a large sample of compliance examination reports, which did not include the reports on Pilatus Bank.


€40,000 against HSBC, €20,000 against BoV (public information disclosed on the FIAU’s website).