EY Malta AML newsletter

Financial Crime Regulatory Updates | Newsletter 1 | March 2022

EY Malta is delighted to share the first Financial Crime Regulatory Updates Newsletter. In this newsletter, we will be providing a snapshot of publications, updates to legislation, guidance and consultations issued around Anti-Money Laundering (AML) and Counter Financing of Terrorism (CFT). 
This newsletter provides a high-level overview of the publications issued by the different local, European Union (EU) and international stakeholders and bodies related to financial crime from the last quarter of 2021 to date.

Local Financial Crime Regulatory Updates

Restrictive measures in response to the crisis in Ukraine 

The Sanctions Monitoring Board has issued a Guidance Note on the imposition of EU Sanctions concerning Restrictive Measures with respect to actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine. The guidance note can be accessed through the following link. The Sanctions Monitoring Board is also providing regular updates in relation to Russian sanctions.

These can be found on this link.

Risk Evaluation Questionnaires 2022 Submission 

On 1 February 2022 the Financial Intelligence Analysis Unit (FIAU) announced that the Risk Evaluation Questionnaires (REQ) submission can be accessed on the Compliance and Supervision Platform for Assessing Risk (CASPAR) portal as of 1st March 2022. The below table shows the deadlines for submission of the 2022 REQ:

Subject persons operating in categories falling on different deadlines should follow the last deadline. Any late submissions may result in subject persons being liable to an administrative penalty. Subject persons are also reminded to update the ‘Subject Person Profile’ module with the updated information on their:

  • ownership and its structure;
  • group (if applicable); 
  • shareholders, beneficial owners and directors; 
  • turnover and net asset values; 
  • target markets; 
  • external auditor (if applicable); and 
  • a copy of the subject person’s business risk assessment.

Further information may be accessed through this link.

Use of cheques and bank drafts

On 1 January 2022, the Central Bank of Malta Directive 19 on the use of cheques and bank drafts came into force. The aim of this Directive is to decrease the use of such instruments for money laundering purposes. The Directive stipulates that:

  • Cheques cannot be issued for amounts below €20;
  • Cheques will only be encashed or credited to the person named by the payer;
  • Cheques cannot be dated to a future date;
  • Cheques over €5,000 can only be deposited into the beneficiary’s own account;
  • The payment service provider may withdraw the cheque facility from the customer if cheques are not honoured on repeated occasions;
  • Service providers must ensure that all information related to cheques is retained for at least five years;
  • Users who breach the regulations are subject to fines up to €200 for each contravention.

This Directive applies to payment service providers as well as natural and legal persons making use of paper-based instruments.

Further information on this directive may be accessed through this link. 

Beneficial ownership concealment

On 31 December 2021, the FIAU published a factsheet with key information extracted from the results of a strategic analysis carried out in 2021 on the misuse of corporate vehicles in Malta with a focus on beneficial ownership concealment.

The document aims to provide subject persons with money laundering / financing of terrorism (ML/FT) indicators or red flags, which may aid subject persons to detect attempts of ultimate beneficial owner (UBO) concealment of locally registered companies and which may need to be reported to the FIAU due to ML/FT suspicion.

The FIAU emphasises that the indicators to be used in goAML to report such instances should be marked depending on the main reason the possible concealment of ownership is suspected.

The factsheet may be accessed through this link.

Submission of tax related suspicious reports

On 31 December 2021 the FIAU published a guidance note on the submission of tax related suspicious reports as part of its initiatives to increase the number and quality of suspicious reports relating to tax evasion as an underlying crime, in a drive to identify more serious and complex tax-related suspicious reports. 

In 2021 the FIAU introduced a set of criteria (based on goAML report indicators) and started classifying tax-related suspicious reports as well as identifying those considered to constitute serious and complex cases. The aim of the guidance document is to assist subject persons in the correct identification of indicators to be used on goAML when reporting serious and complex tax crimes.

The guidance note may be accessed through this link.

goAML - submission of suspicious reports

On 20 December 2021 the FIAU published a guidance document regarding the updates made to the indicators list used in goAML for the submission of suspicious reports. Such changes became applicable as of 1 January 2022.

The document provides reporting entities with guidance about the indicators which have been removed, modified, or added since 1 January 2021, and provides observations on key data which is needed for better reporting.

The FIAU encourages reporting entities to mark as many relevant indicators as possible on the suspicious reports they submit. The indicators chosen should be those which are considered the most appropriate to reflect the suspicious situation being reported.

This should help the FIAU to better analyse its data, as well as provide a more complete and accurate picture of the money laundering and terrorism financing trends, typologies and emerging threats. It also gives the FIAU the possibility of answering questionnaires and queries from international transnational bodies and evaluators and enables the Unit and Malta to be compliant with international standards and requirements.

The guidance document may be accessed through this link.

Typologies & Red Flags: Indicators of Tax-Related Money Laundering

On 30th November 2021 the FIAU published a factsheet on tax-related money-laundering typologies and red flags, to provide guidelines to subject persons related to tax evasion and associated ML. This factsheet is based on a strategic analysis conducted by the FIAU’s Intelligence Analysis section on Suspicious Transaction Reports (STRs) which have tax offences as the indicated predicate offence.

The factsheet includes typologies and red flags as well as a number of case studies which should further assist subject persons in identifying red flags and typologies associated with tax-related ML. The aim of the factsheet is to increase subject persons’ knowledge in this area and to help them detect, question and report situations where they suspect that their products or services are, have been, or might be used to launder funds connected to serious tax evasion.

The factsheet may be accessed through this link.

Revised Implementing Procedures

On 18 October 2021 the FIAU published a revised version of Part 1 of the Implementing Procedures (IPs), transposing the proposals issued in March 2021 for consultation, with the following key changes:

Adverse media

Additional guidance has been introduced on the assessment of the relevance, reliability, and timing of adverse media and on the evaluation of supervisory and regulatory information within the context of simplified due diligence.

The updated section on adverse media incorporates further practical guidance and clarifies that the nature of the adverse news will also have an impact on the actual relevance for risk assessment purposes. In this regard, the FIAU recommends that subject persons develop guidelines or procedures to allow officers and employees to discern what is to be considered as reliable media sources and what impact these can have on the understanding of risk. The FIAU also emphasises the passage of time when considering adverse media.

The FIAU also suggests that adverse media should not be assessed in isolation and that the following should be taken into account:

  • when the regulatory action was taken;
  • whether the breach is impacted by supervening legislative or regulatory change;
  • the nature of the breach itself;
  • the nature of the regulatory action taken;
  • whether the regulatory issues have been resolved.

Beneficial Ownership

The FIAU has provided clarifications and additional guidance on beneficial ownership in relation to instances where:

  • the shares of a corporate customer are owned by a trustee; and
  • customers are state-owned entities.

According to the new clarification, subject persons do not need to identify all the beneficiaries of the trust. Instead, the subject person is to first establish who the ‘beneficiaries’ of the trust are, then to consider whether the said benefit is sufficient to be considered as a beneficial owner of the said body corporate (i.e. the requirement that the beneficiaries are ultimately entitled to 25%+1 or more of the shares, or more than 25% of the voting rights).

If the beneficiaries cannot be established, then:

  • it is those persons exercising control via other means that would qualify as the beneficial owners, and
  • in the absence of any such person, then the beneficial owner of the corporate customer would be the senior management officials of the customer.

The FIAU also clarifies that the same approach would also apply to a foundation directly or indirectly holding the shares in the corporate customer.

In instances where the customer is a state-owned enterprise or public administration authority, then in line with the European Banking Authority (EBA) Risk Factor Guidelines, the Senior Managing Officials of the corporate customer will have to be identified as beneficial owners.

The Agent

The FIAU also clarifies the customer due diligence (CDD) requirements a subject person should apply when the customer is acting as an agent. When the agent is a body corporate, the subject person is only required to perform identification and verification (ID&V) of the body corporate itself and not the corporate agent’s own beneficiaries. However, the FIAU also clarifies that all directors/partners of the corporate agent need to be identified, but only those “that are authorised to legally represent the body corporate and who exercise the power of representation within the context of an occasional transaction or a business relationship” need to be verified.

If the customer of the subject person carrying out relevant financial business is itself a subject person carrying out relevant financial business (or equivalent) and empowering a significant number of individuals to act as signatories on its behalf, then all such persons need to be identified. The verification requirement can be satisfied on the basis of a declaration by the customer that it has verified the identity of the said signatories, provided certain conditions are met such as that no adverse media exists.

Keeping information on Ultimate Beneficial Owners up-to-date

The FIAU recognises the fact that subject persons may not necessarily be always aware of changes that take place amongst the UBOs of a corporate customer, including changes to trusts and foundations. The revised IPs place an obligation on subject persons to “enquire from time to time whether the beneficial ownership information obtained at onboarding is still current or otherwise”.

Subject persons are also to look out for any ‘trigger events’ that can assist a subject person in questioning whether any changes to the beneficial ownership information of the customer have taken place, such as where the subject person is acting:

  • as director or company secretary of the customer and is required to submit to the Malta Business Registry (MBR) the form notifying it of certain changes; or
  • as a fiduciary in a corporate customer and is requested to transfer part of the shares to new or existing shareholders.

The FIAU also recommends using the periodic reviews to ensure that ultimate beneficial owner information is still current.

Transaction Monitoring

The FIAU has provided guidance on transaction monitoring clarifying that when the transactions in question are left to the subject person’s own discretion, such as in the case of discretionary portfolio management and investment management services or retirement schemes, then the subject person is not required to monitor the transactions it is carrying out itself. The Implementing Procedures also clarify that in these instances the subject person is only required to monitor:

  • any increase in the funds or assets entrusted to the subject person for investment purposes, and especially whether any such addition can be justified on the basis of the economic capabilities of the customer; and
  • any request from the customer to have any funds or assets entrusted to the subject person released back to it, especially where this may impact the performance of the customer’s portfolio or result in significant penalties or fees being charged by the subject person.

Ongoing Monitoring

The Implementing Procedures provide guidance on the checks that need to be carried out for low-risk business relationships, and on whether the relationship still merits being considered low risk.

Guidance is also provided on the application of simplified due diligence when the customer is a collective investment scheme or a nominee/omnibus securities’ account.

Money Laundering Reporting Officer

The IPs include changes with respect to the criteria for the appointment of a Money Laundering Reporting Officer (MLRO), including that both executive and non-executive directors may be appointed as MLROs.

The revised IPs also provide guidance for when a subject person considers appointing an MLRO that is located outside Malta, taking into account the following considerations:

  • the nature of the activities and business carried out;
  • the business model; and
  • the technological means at their disposal.

In cases where the MLRO is located outside Malta, the FIAU expects that the MLRO makes himself/herself available for any meetings or interviews requested by the FIAU or any other relevant supervisory authority.

The FIAU places an obligation on the subject person to assess whether the MLRO will be able to dedicate sufficient time to cater for the subject person, which assessment should be reviewed from time to time to ensure that the MLRO is actually managing to dedicate sufficient time to fulfil all of the functions associated with the said role.

Where the MLRO is not dedicated exclusively to AML/CFT matters, subject persons need to ensure that there is no impact on the independence and impartiality required from the MLRO, which would, in turn, undermine the effectiveness of the MLRO’s duties. In particular, the subject person is required to assess the likelihood of any conflicts of interest. The FIAU has also included a requirement that the subject person’s policies and procedures should include how any conflicts of interest of the MLRO are dealt with. Such policies and procedures need to be revised on a periodical basis and as a minimum on an annual basis.

The revised IPs also clarify that there are no restrictions on the number of designated employees that can be appointed in line with the size or complexity of the subject person’s operations.

Jurisdictional Risk Assessment

The revised IPs provide additional guidance on the manner in which jurisdictional risk assessments are to be undertaken, giving also the facility for them to be outsourced completely, provided that the requirements set out in the revised IPs are met.

The FIAU acknowledges that subject persons may outsource the jurisdictional risk assessment or rely on third-party assessments; however, it reminds subject persons that these usually adopt different methodologies and focus on particular areas such as perception of corruption. Therefore, subject persons may need to refer to multiple sources in their jurisdictional risk assessment.

The revised IPs may be accessed through this link.

EU financial crime regulatory updates

Proposal for a directive and regulation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing

On 16 February 2022, the European Central Bank (ECB) published its opinion on the European Commission (EC) proposal for a directive and a regulation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing.

The ECB sets out both general and specific observations on the legislative proposal for the AML regulation.

The proposed regulation was part of a package of legislative proposals published by the Commission on 20 July 2021, with the aim of strengthening the EU rules on AML and CFT. The legislative proposal included a proposal for (i) the regulation on the prevention of the use of the financial system for the purpose of money laundering or terrorist financing (AML regulation); and (ii) the regulation on information accompanying transfers of funds and certain crypto-assets.

The opinion can be found in the following link.

Proposal for a regulation of the European Parliament and of the Council on information accompanying transfers of funds and certain crypto-assets

On 7 February 2022, the European Parliament (EP) published a draft report on the proposal for a regulation on information accompanying transfers of funds and certain crypto-assets. The EP welcomes the Commission’s proposal to recast the Funds Transfer Regulation as part of the AML legislative package published on 20 July 2021.

The EP highlights that the proposal intends to close an important loophole in the fight against money laundering and terrorist financing by extending the current regime applied to wire transfers to transfers of crypto-assets. Nevertheless, the EP believes that the proposal can be further strengthened and should better reflect the specific characteristics of crypto-assets.

The draft report can be found in the following link.

EBA launches ‘EuReCA’ - the European Union’s central database for anti-money laundering and counter-terrorism financing

On 31 January 2022, the EBA launched its central database ‘EuReCA’ for AML/CFT. The system will be central in order to coordinate efforts by competent authorities and the EBA to prevent and counter money laundering and terrorist financing risks in the Union.

EuReCA will include information on material weaknesses identified by the competent authorities in the financial institutions within the EU as well as measures imposed by the authorities on financial institutions in order to rectify such material weaknesses. EuReCA will also include any internal audit findings that have been identified by prudential authorities during on-site inspections and which the institution’s management body has been informed about but decided not to remediate.

The EBA will use the information from the central system to identify the ML/FT risks affecting the EU financial sector and have the authority to share the information from EuReCA with competent authorities as appropriate, to support them at all stages of the supervisory process and, in particular on specific ML/FT risks or emerging trends.

EuReCA will start collecting data once the draft Regulatory Technical Standards (RTS) published on the EBA website on 20 December 2021 have been approved by the European Commission.

Further information may be accessed through this link.

Selected payment fraud data under the Payment Services Directive

On 17 January 2022 the European Banking Authority published a Discussion Paper on its preliminary observations on selected payment fraud data under the Payment Services Directive (PSD), as reported by the industry for the years 2019 and 2020. The Paper includes the main findings relating to three payment instruments: credit transfers, card-based payments and cash withdrawals.

The study identified that fraud occurs the least through credit transfers, both in terms of volume and value, while card payments reported by acquirers are the most common payment instrument used for fraud. Another observation is that among the cross-border payments, the payments with counterparts located outside of the European Economic Area (EEA) are more frequently subject to fraud compared to the payments executed within the EEA. This is the case for all the three payment instruments noted above.

Among the various types of fraud that have been reported, the issuance of a payment order by the fraudster is the most common fraud type for card payment and cash withdrawals. This accounts for more than 90% of the volume and value of the fraudulent card transactions and cash withdrawals.

The most common fraud types identified were:

  • theft of card details - high fraud arising from social engineering with phishing being the main cause;
  • lost or stolen cards, also used for cash withdrawals;
  • counterfeit cards.

The EBA invites stakeholders to respond to the questions raised in the Discussion Paper, which responses will support the EBA, the ECB and national authorities in interpreting the fraud data in the future. The deadline for the submission of comments is 19 April 2022.

The discussion paper may be accessed through this link. 

Updated list of high-risk countries under the 4th Anti-Money Laundering Directive

On 7 January 2022, the European Commission amended the list of high-risk third countries with strategic AML and CFT deficiencies set out in Delegated Regulation (EU) 2016/1675 as follows:

The following countries have been added to the list of third countries identified as having strategic AML and CFT deficiencies:

  • Burkina Faso
  • Cayman Islands
  • Morocco
  • Senegal
  • Haiti
  • Philippines
  • South Sudan
  • Jordan
  • Mali.

The following countries have been removed from the list of countries identified as having strategic AML and CFT deficiencies:

  • Ghana  
  • Botswana
  • Mauritius
  • Bahamas
  • Iraq.

The Delegated Regulation enters into force on 13 March 2022.

The regulation may be accessed through this link.

European Banking Authority - ‘De-Risking’

On 5 January 2022, the EBA published its Opinion on the scale and impact of de-risking within the European Union and the steps that competent authorities should take with respect to unwarranted de-risking. The EBA findings suggest that de-risking has a detrimental impact on the achievement of the European Union’s objectives, in particular in relation to fighting financial crime effectively and promoting financial inclusion. The Opinion presents a number of proposals aimed at competent authorities and governing entities within the EU to address this issue classified as two common themes as follows:

  • The need for guidance and education to close the “information gaps” that contribute to unwarranted de-risking. On the “competent authorities” side, this includes providing easily digestible informational literature for participants within the market – both to financial institutions and to individual customers;
  • De-risking should remain within the financial system by applying the right mitigants, rather than pushing customers into the shadow banking world.

The EBA is committed to follow up with the competent authorities on the actions they have taken to tackle unwarranted de-risking going forward. The opinion may be accessed through this link.

Characteristics of a risk-based approach to anti-money laundering and terrorist financing supervision

On 16 December 2021 the European Banking Authority published its revised Guidelines on risk-based supervision of credit and financial institutions’ compliance with anti-money laundering and countering the financing of terrorism obligations under Article 48(10) of Directive (EU) 2015/849. These Guidelines foster greater convergence of supervisory practices across the EU and, as a result, contribute to further strengthening Europe’s AML/CFT defences before the new legal framework enters into force.

The revised Guidelines build on the existing four-step approach to the risk-based AML/CFT supervision and provide additional guidance on ML/FT risk assessments, including sectoral risk assessment. They also help supervisors choose the most effective tools to meet their supervisory objectives and emphasise the importance of cooperation between AML/CFT supervisors and other stakeholders, including prudential supervisors, Financial Intelligence Units (FIUs) and tax authorities.

The full report on the guidance may be accessed through this link.

Cooperation and information exchange between prudential supervisors, AML/CFT supervisors and financial intelligence units

On 16 December 2021 the EBA published its final Guidelines on cooperation and information exchange between prudential supervisors, AML/CFT supervisors, and financial intelligence units under Directive 2013/36/EU.

The guidelines set out how prudential supervisors, anti-money laundering, and countering the financing of terrorism supervisors and financial intelligence units should cooperate and exchange information in relation to AML/CFT, both at the level of Member States, and across the EU’s Single Market and in line with provisions laid down in the Capital Requirements Directive (CRD).

The cooperation and information exchange is extended throughout the supervisory life cycle covering authorisations of new institutions, on-going supervision including the risk assessment, and, where relevant, the imposition of supervisory measures and sanctions, including the withdrawal of the authorisation. Whilst each authority will continue to have its own role and responsibilities in the fight against ML/FT, there are areas where the tasks of the different authorities complement each other and therefore, effective cooperation and information exchange among them is essential to identify, address, and mitigate the ML/FT risks.

The guidelines will apply from 1 June 2022.

The final guidelines may be accessed through this link.

Remote Customer Onboarding Solutions 

On 10 December 2021, the European Banking Authority launched a public consultation on the draft guidelines on the use of remote customer onboarding solutions under Article 13(1) of Directive (EU) 2015/849.

The draft guidelines have been developed as part of the Digital Finance Strategy, published in 2020 and in line with the EBA’s legal mandate to lead, coordinate and monitor the EU financial sector’s fight against money laundering and terrorist financing.

The growing demand for remote customer onboarding solutions was further exacerbated by restrictions on movement caused by the COVID-19 pandemic. Thus, the EBA considers that it is important for the competent authorities and the financial sector operators to understand the capabilities and opportunities offered by these new remote solutions but at the same time be vigilant of the ML/FT risks arising from the use of such tools and take appropriate steps to mitigate these risks effectively.

The draft guidelines set common EU standards on the development and implementation of sound, risk-sensitive initial customer due diligence processes in the remote customer onboarding context. They also include the steps EU financial sector operators should follow when choosing remote customer onboarding tools and what financial sector operators should do to satisfy themselves that the chosen tool is adequate and reliable on an ongoing basis allowing them to comply effectively with their initial CDD obligations.

The consultation period for the Guidelines is open until 10 March 2022.

The consultation document may be accessed through this link.

Global / other financial crime regulatory updates

The Application of Group-Wide Programmes by Non-Financial Business and Professions

In October 2021, FATF amended recommendation 23 (Designated non-financial Businesses and Professions (DNFBPs): Other measures) and the FATF glossary to clarify the requirements of recommendation 18 (Internal controls and foreign branches and subsidiaries) regarding implementation of the group-wide programme against money laundering and terrorist financing on DNFBPs.

Recommendation 18 requires financial institutions to implement programmes against money laundering and terrorist financing and that financial groups should implement group-wide programmes against money laundering and terrorist financing, including policies and procedures for sharing information within the group for the purpose of anti-money laundering and combatting the financing of terrorism.

As per the recommendation, financial institutions need to ensure that their foreign branches and majority-owned subsidiaries apply AML/CFT measures consistent with the home country requirements by implementing the FATF recommendations through financial group programmes against money laundering and terrorist financing.

The financial institution’s programme against money laundering and terrorist financing should include the development of internal policies, procedures and controls, including appropriate compliance management arrangements and adequate screening procedures to ensure high standards when hiring employees, as well as ongoing employee training and independent audit and testing functions.

Casinos, real estate agents, dealers in precious metals, dealers in precious stones, lawyers, notaries, other independent legal professionals, and accountants, as well as trust company service providers, are now considered under the definition of DNFBPs.

The comprehensive monitoring of DNFBPs requires a highly skilled professional having sufficient knowledge to understand the depth and technicalities of the different sectors.

The FATF recommendations may be accessed through this link.

Risk-based approach - Virtual assets and virtual asset service providers

On 28 October 2021, FATF published updated guidance for a risk-based approach for virtual assets (VA) and virtual asset service providers (VASP). This guidance includes how the FATF plans to closely monitor the VA and VASP sector for any material changes that necessitate further clarification of the FATF standards.

The updated guidance explains how the recommendations should apply to VA and VASP activities, provides relevant examples, identifies obstacles to applying mitigating measures and offers potential solutions in relation to the following areas:

  • Clarification of the definitions of VA and VASP;
  • Guidance on how the FATF Standards apply to stablecoins;
  • Additional guidance on the risks and the tools available to countries to address the ML/FT risks for peer-to-peer transactions;
  • Updated guidance on the licencing and registration of VASPs;
  • Additional guidance for the public and private sectors on the implementation of the ‘travel rule’;
  • Principles of information-sharing and co-operation amongst VASP supervisors.

The guidance may be accessed through this link.

Cross border payments - Survey results on implementation of the FATF Standards 

On 22 October 2021, FATF published the results of the survey it carried out between December 2020 and March 2021 to identify the key areas of divergence in the implementation of its AML/CFT requirements for cross-border payments. The participants included banks, Fintechs, and other stakeholders.

The survey has identified four key areas of divergence:

  • Identification and verification of customers and beneficial owners;
  • Sanctions screening;
  • Sending and receiving customer/transaction information;
  • Establishing and maintaining correspondent banking relationships.

FATF’s conclusions in the survey highlight that information sharing continues to be a major challenge, together with the need for a broader global understanding of FATF requirements and national registries for know your customer (KYC) and beneficial ownership information.

The survey results may be accessed through this link.

For further information on the above, contact our team 


Grace Camilleri
EY Malta Strategy and Transactions
Partner 
grace.camilleri@mt.ey.com

Joette Sciortino
EY Malta Financial Crime Advisory Services
Associate Partner 
joette.sciortino@mt.ey.com

Rachele Barbara
EY Malta Financial Crime Advisory Services
Senior Manager 
rachele.barbara@mt.ey.com
