On Monday 18 October 2021 the FIAU published a revised version of the Implementing Procedures (IPs) Part 1 to 'transpose' the proposals that the FIAU had issued for a consultation back in March 2021 (and which the Institute of Financial Services Practitioners together with STEP Malta, on which Ganado Advocates is represented, had submitted their feedback). Some of the amendments made were merely intended to bring the IPs in line with recent legislative changes (such as the inclusion as a relevant activity for estate agents of rentals when the monthly rent is ?10,000 or more and the reference to persons trading in works of art and freeports).

Once again the FIAU has published a useful version of the IP with the various changes made tracked for easy identification, as has now become customary for them, and this is very much welcomed by practitioners and subject persons alike.

Unfortunately, insofar as one particular new category of subject person is concerned, which was added to the PMLFTR, the FIAU limited itself to merely repeating the words of the relevant regulation in the PMLFTR verbatim without providing any guidance whatsoever. This relates to the category of auditors, external accountants and tax advisors which now also covers "any other person that undertakes to provide, directly, or through other persons to whom he is related, material aid, assistance or advice on tax matters". The FIAU revision lacks the necessary clarity on who is intended to be covered by the phrase "or through other persons to whom he is related" and what is meant by the phrase "material aid".

Adverse Media (section 3.5.1(a) of the IPs)

The relevant section dealing with adverse media has been enhanced with further practical guidance which is very welcome - this type of practical insight and scenarios is what makes guidance all the more useful because it enables the reader to apply the principles being enunciated to practical scenarios. Unfortunately, the IPs stop short of providing guidance on what actually constitutes 'a reliable source' - whilst appreciating that this can be a thorny issue, merely leaving it up to the subject person to determine this, with the risk of the FIAU second-guessing them in the event of an on- or off-site inspection, is far from ideal.

In the revisions made, whilst reiterating the fact that the absence of an arraignment or a conviction should not be automatically taken to mean that any adverse reports can be ignored, the amended IP emphasise that acquittals should also not be taken at face value but should, instead, be factored in when assessing the reputation of the person being scrutinised. Subject persons are urged to consider the reasons that led to the acquittal and whether such reasons serve to dispel any concerns about the individual/entity involved.

By way of example, the FIAU clarify that if criminal proceedings were time-barred, for instance, then this proves that the court would have had no opportunity to actually pronounce itself on the charges themselves, which in turn means that there may still be concerns about the customer or its beneficial owner. The same principle would also apply to any acquittal that is made on the basis of a procedural or other technicality. The bottom line is that if the behaviour complained of has not been proven to not have occurred, then the concerns remain and the mere fact that the person was acquitted, on its own, should not be regarded as sufficient to dispel any concerns raised by the adverse media.

The FIAU also clarify that the nature of the adverse news will also have an impact on its actual relevance for risk assessment purposes. By way of example, the FIAU provide the following example:

"Finding news from a reliable source that an individual was the mastermind behind a major bankruptcy where funds were siphoned off to remote jurisdictions will have a larger impact in terms of risk than finding news from equally reliable sources that one has been indicted for a one-off shoplifting incident involving goods of minimal value."

In this regard, the FIAU recommend that "ideally", the subject person should develop guidelines or have procedures in place to allow officers and employees to discern what is to be considered as reliable media reports and what impact these can have on one's risk understanding. The reference to having procedures in place (which was added on the suggestion of the IFSP/STEP Malta) makes it clear that a subject person is not required to necessarily draw up stand-alone guidance but can build certain procedures into its existing AML-CFT procedures.

The FIAU also emphasise the importance of the passage of time in respect of adverse media, remarking that the impact of adverse media can depend on how remote in time it is. Thus, the longer the passage of time from the date of the media item (or the date of the adverse activity reported on in the media item), the less likely it is that the facts reported on will have an ML/FT impact.

Finally, the context of the adverse media also needs to be assessed so that adverse media is not viewed in isolation - for instance, the question of whether, following any adverse media reports, there were subsequent reports which either showed that the earlier information was groundless or else which otherwise downplayed the gravity and severity of any such prior information should also be taken into consideration.

It goes without saying that where the adverse media gives rise to suspicion of ML/FT, subject persons are reminded of their obligation to report to the FIAU.

The FIAU also provide practical guidance with respect to those situations where the customer of the subject person is actually a listed entity or a person carrying on a relevant financial business, which would generally qualify it as presenting a lower degree of risk, but where the customer has actually been the subject of supervisory or regulatory action.

Here the FIAU offer certain considerations that subject persons should take into account when performing their risk assessment (although regrettably, they stop short of explaining whether these apply only to the extent that the subject person has access to information in respect of the regulatory/supervisory action, which may not necessarily always be public, or whether there is an expectation that the subject person probes this in some depth).

The FIAU considers the following considerations as relevant:

  • when the regulatory action was taken;
  • whether the breach is impacted by supervening legislative or regulatory changes (for instance, something which may have been considered a breach originally may later no longer be considered to be a breach);
  • the nature of the breach itself where the FIAU distinguish the one-off failure by the customer to file a regulatory return from a more serious failure to properly monitor the customer's clients on an ongoing basis or some other more serious AML-CFT breach;
  • the nature of the regulatory action taken, where the FIAU distinguish between mere remedial action and the imposition of a hefty administrative penalty or even the pressing of criminal charges against the customer for the breach committed;
  • whether the regulatory issues have been resolved.

The above seems to be an invitation to subject persons dealing with customers who are themselves, subject persons, to proceed with caution in those instances where the customer has been the subject of serious regulatory or supervisory action when undertaking the risk assessment of the said customer, seeing that the approach by the customer towards its regulatory duties and towards its own clients could be indicative of an ML/FT risk. This is not an invitation to necessarily disengage from any such clients, but a requirement to at least consider the matter carefully.

Establishing the identity of the BO (Sections and of the IPs)

The FIAU have provided clarifications and additional guidance on 2 specific instances:

  • that where the shares of a corporate customer are owned by a trustee; and
  • when customers are state-owned entities (in line with the EBA Risk Factor Guidelines).

Whereas previously the example (above Figure 3) in the relevant section of the IPs guided subject persons dealing with a corporate customer whose shares are held on trust by a corporate trustee not to get side-tracked and start seeking to identify the beneficial owners of the corporate trustee, the FIAU has now amended this to clarify that in such an instance, the subject person is not to identify ALL the beneficiaries of the trust in line with the definition of 'beneficial owner' for trusts (which would also catch within it the trustee and protector), because the customer is the body corporate and NOT the trust itself.

Instead, the subject person is to use the test for beneficiaries for companies and first establish who the 'beneficiaries' of the trust are. By this one presumes that the FIAU is referring to the actual beneficiaries of the trust - ie the persons who may benefit therefrom - and not the persons who fall within the definition of 'beneficial owner of a trust in terms of the PMLFTR since the FIAU specifically clarified that it was not requiring subject persons to identify and verify the identity of all those persons referred to in paragraph (b) of the definition of 'beneficial owner' in the PMLFTR.1

Having established who the beneficiaries of the trust are the FIAU then invite subject persons to consider whether the said benefit, together with any other direct or indirect interest that individual may have within the body corporate, is sufficient to meet the conditions at law to be considered as a beneficial owner of the said body corporate (i.e the requirement that the beneficiaries are ultimately entitled to 25%+1 or more of the shares, or more than 25% of the voting rights) - the key requirement here are the words 'entitled to' meaning that it is an entitlement (albeit indirect, naturally) to the shares in the corporate customer that counts and not any other beneficial interest (such as a discretionary benefit or a mere hope to benefit someday).

Where this is not the case, then the FIAU establishes (rightly so) that:

  • it is those persons exercising control via other means that would qualify as the beneficial owners, and
  • in the absence of any such person, then the beneficial owner of the corporate customer would be the senior management officials of the customer (which the FIAU clarify to mean the corporate customer and not the trustee).

The FIAU also clarify that the same approach would also find application in situations where instead of a trust, there would be a foundation directly or indirectly holding the shares in the corporate customer.

In those instances where the customer is a state-owned enterprise or public administration authority, then in line with the EBA's Risk Factor Guidelines,2 the Senior Managing Officials (SMOs) of the corporate customer will have to be identified as beneficial owners. The EBA's Risk Factor Guidelines also provide further guidance on this matter.

Dealing with agents (section 4.3.3 of the IPs)

The FIAU has also clarified the CDD requirements applicable when a subject person is dealing with a person who is acting as an agent, clarifying that where the agent is a body corporate, the subject person is only required to ID & V the body corporate itself and not the corporate agent's own beneficiaries. More importantly, the FIAU clarify that when it comes to identifying the directors/partners of the corporate agent, while all need to be identified, it is only those "that are authorised to legally represent the body corporate AND who exercise the power of representation within the context of an occasional transaction or a business relationship" whose identity needs to be verified.

The FIAU also address the situation where the customer of the Subject Person carrying out relevant financial business is itself a subject person carrying out relevant financial business (or equivalent) and empowering a significant number of individuals to act as signatories on its behalf. It is clear, here, that the FIAU is regarding the situation of a person acting on behalf of a corporate customer as a situation of agency (as is confirmed also by section (ii) of 4.3.3 of the IP further on).

In this case, whilst requiring that all such persons be identified, the FIAU regard the verification requirement as being satisfied on the basis of a declaration by the customer that it has verified the identity of the said signatories, provided certain conditions are met (including that no adverse media exists, or that if there is any, it has been duly evaluated in accordance with the IPs).

Where the customer of the Subject Person carrying out relevant financial business is not itself carrying out relevant financial business but equally empowers a significant number of individuals to carry out transactions on its behalf, different conditions apply as set out in the revised IP. What is not clear is whether this example applies only to subject persons carrying out relevant financial business or also to other subject persons who may not be carrying out relevant financial business.

The FIAU also eliminate any doubt that there may have been that they regard directors and partners of a legal organisation to be agents, thereby requiring ID & V, and clarify that in the case of directors or partners of a body corporate, reference can be made to the statutory documents of the particular body corporate, such as the Memorandum and Articles of Association, or to the relative power of attorney or resolution authorising the person concerned, or to any other document or company registry record that evidences the individual's power to represent and bind the corporate customer.

Transaction monitoring

The FIAU has provided further guidance on transaction monitoring clarifying that when the transactions in question are left to the subject person's own discretion - such as in the case of discretionary portfolio management and investment management services offered to CIS's or retirement schemes - rather than being carried out by the customer and with the intermediation of the subject person, then the subject person is not required to monitor the transactions it is carrying out itself. The FIAU further clarifies that in these instances the subject person is only required to monitor:

  • any increase in the funds or assets entrusted to the subject person for investment purposes, and especially whether any such addition can be justified on the basis of the economic capabilities of the customer; and
  • any request from the customer to have any funds or assets entrusted to the subject person released back to it, especially where this may harm the performance of the customer's portfolio or result in significant penalties or fees being charged by the subject person (which in themselves constitute red flags if no plausible justification for such course of action is forthcoming).

Keeping information on UBOs up-to-date (section 4.5.3 of the IPs)

The FIAU recognise in the revised IP that a subject person will not necessarily always be aware of changes that take place amongst the UBO's of a corporate customer, including changes within a trust or foundation that lies at the very top of a structure. Where the subject person happens to be assisting the customer with such changes the issue does not arise because the subject person will clearly be aware of them, but in those situations where the subject person is unaware of such changes, the FIAU now expressly place an obligation on subject persons to "enquire from time to time whether the beneficial ownership information obtained at onboarding is still current or otherwise".

They also guide subject persons to look out for 'trigger events' that can assist a subject person in questioning whether any changes to the beneficial ownership information of the customer have taken place, such as where the subject person is acting:

  • as director or company secretary of the customer and is required to submit to the MBR the form notifying it of certain changes; or
  • as a fiduciary in a corporate customer and is requested to transfer part of the shares to new or existing shareholders.

The FIAU also recommend using the periodic reviews that are already contemplated by the IPs for the purposes of ensuring that information is still current.

Important changes to MLRO requirements

The FIAU has also introduced important changes to the regime regulating the appointment of an MLRO, including that both executive and non-executive directors may now be appointed as MLRO's. This is a complete change from the previous position which expressly prohibited the appointing of non-executive directors as MLRO's. Whilst the revisions did not go so far as to allow outright outsourcing of the MLRO function, it is relevant that the EBA has also issued for consultation (closing on November 2 2021) draft guidance on the role of AML/CFT compliance officers (which includes the MLRO and which goes into significant detail not just on the role of the AML/CFT compliance officer but also on the roles in an AML/CFT context of the board of directors, the management function and also of a designated member of the Board of Directors responsible for AML/CFT matters inter alia.)3

The possibility of having non-executive directors appointed as MLRO's will be particularly welcome in the collective investment schemes sector where it is known that funds typically do not have executive directors that would be in a position to take on the role of MLRO.

Whilst reiterating the rule that the MLRO need not necessarily be located in Malta, the FIAU have added some guidance on the considerations to be taken into account when exercising the subject person's discretion whether to have the MLRO present in Malta or not. In this regard the FIAU state that the subject person is to consider:

  • the nature of the activities and business carried out;
  • its business model; and
  • the technological means at their disposal.

Thus, for instance, where a subject person is targeting the domestic market or has a so-called 'brick and mortar business, it would be very difficult, according to the FIAU, to justify why the MLRO should be located abroad. On the other hand, it may be easier to justify any such instance where the subject person is targeting foreign markets and depends on means of distance communications to carry out its activities.

In the case of MLRO's located outside Malta, the FIAU expect the MLRO to make himself available for any FIAU meetings or interviews that the FIAU or any other relevant supervisory authority may wish to carry out.

Insofar as concerns MLRO's that have accepted multiple MLRO positions, the FIAU have continued reiterating the importance of ensuring that the selected candidate is able to dedicate a sufficient amount of time to each role. The FIAU places an obligation on the subject person to assess whether the MLRO will be able to dedicate sufficient time to cater for the subject person, which assessment should be reviewed from time to time to ensure that the MLRO is actually managing, in practice, to dedicate sufficient time to fulfil all of the functions associated with the said role.

The FIAU has also provided guidance in respect of those cases where the subject person is not in a position to implement what the FIAU refer to as the 'ideal' situation of having an MLRO dedicated exclusively to AML/CFT matters (something that the FIAU recognise is not always possible for a subject person to do). In these instances, the FIAU requires the subject person to ensure that this does not negatively impact the independence and impartiality required from the MLRO, which would, in turn, undermine the effectiveness of the MLRO's duties. In particular, the subject person is required to assess:

  • the likelihood of conflicts of interest (such as where the other roles are remunerated depending on certain targets being met or where the MLRO has particular duties in developing new business opportunities). Although the FIAU also singles out the situation of having an MLRO who also happens to be the beneficial owner of the subject person - a situation which is not uncommon at all in practice - in the final iteration of the revised IP the FIAU clarified that while such conflicts are to be avoided as much as reasonably possible, it recognises that this may not always be possible, in which case the FIAU expects the MLRO to implement measures that counterbalance any possible dilution in the MLRO's independence and impartiality. The FIAU suggest that this can be done, for instance, through the external review of its AML/CFT controls, policies, measures and procedures. The message, therefore, is clearly to seek in the first instance to avoid conflicts of interest and anything that can dilute the MLRO's independence and impartiality, but where this is not possible to seek to manage the situation in a meaningful manner;

The FIAU has also added a requirement that the subject person's policies and procedures dealing with the role of the MLRO set out how any conflicts of interest arising due to personal, professional or economic ties are to be addressed. By way of example the FIAU question how objective the MLRO can be if, for instance, an internal report relates to:

  • how a relative of the MLRO is using an account held with the subject person, or
  • a corporate customer for whom the MLRO also acts as director;
  • or where the subject person provides services to some group entities and the internal report relates to entities forming part of the same group as the subject person.

In this regard, the FIAU recommend that the subject person reconsider these matters periodically, as the business and activities of the subject person evolve or when it is contemplated to entrust the MLRO with additional functions beyond his role as MLRO, and as a minimum on an annual basis.

  • whether the multiple roles will negatively impact the time commitment that the MLRO is able to dedicate to the role, including by ensuring that the MLRO has sufficient human resources and technological means to fulfil his duties efficiently.

The FIAU has eliminated ambiguity in the consultation document about the documenting of any such assessment and has made it clear that the assessment must be documented.

In this regard, the FIAU clarify that any decision to amalgamate the role of MLRO with other functions within the subject person or any determination that there exist exceptional circumstances that do not allow its MLRO to be free from conflict of interest is in both cases to be justified on the basis of:

  • the (prospective) nature and size of the subject person's business, activities and structures (the financial, technical, and human resources available to the subject person; the volume, frequency, and value of transactions processed or activity carried out; the - prospective – number and risk profile of customers; its internal structures and overall network for the provision of the services and products it offers; its geographical presence etc);
  • the ML/FT risk presented by any such business and activities; and
  • the inability of the subject person to apply any of the specific exceptions to appointing an MLRO who is not a director or officer in employment provided for in the IP.

According to the revised IPs, the need for such considerations and assessment set out above would equally apply in those circumstances where the subject person appoints one of its directors (or equivalent) as its MLRO, in which case the nature of the subject person's activities is a key consideration when the director is a non-executive one. The reason provided for this is because while this may be acceptable with respect to subject persons that have a very basic structure like a collective investment scheme, the matter is different for subject persons that are expected by the very nature of their activities to have a more structured and complex set-up, as would be the case with credit and financial institutions.

Insofar as the requirement for the MLRO to occupy a senior position commanding sufficient seniority and command is concerned, the FIAU clarify that such position must enable the MLRO to be knowledgeable about the ML/FT risks faced by the subject person and of the measures, policies, controls and procedures implemented to mitigate such risks.

Number of designated employees (section 5.2 of the IPs)

The revised IPs have also finally settled the question of whether or not, depending on the size or complexity of the subject person's operations, it is possible for it to appoint more than one designated employee to assist the MLRO. The revised IP clarify, in fact, that there are no restrictions on the number of designated employees that can be appointed.

Jurisdictional Risk Assessments ("JRA"; section 8.1.2 of the IPs)

Although the previous IPs already addressed the jurisdictional links that may be relevant for the purposes of a JRA, which naturally vary depending on the nature of the particular relevant activity or relevant financial business being carried out by the subject person, the FIAU have provided further guidance relevant to:

  • subject persons involved in the processing of payments (where the geographical exposure is not restricted to the jurisdictions linked to the customer and its BO but will also arise from the main jurisdictions from where it is receiving or to which it is remitting funds on behalf of its customer);
  • tax advisors to a given corporate structure, where the geographical risk associated with the jurisdictions where the entities used to channel funds or to exercise control within the said structure are incorporated, registered or established have to be considered together with that linked to the customer and its BO (with jurisdictions known to provide favourable tax regimes and that have BO transparency issues inevitably increasing the ML risk linked to tax evasion or arising from attempts at shielding the identity of the BOs involved);
  • providers of directorship services, where the geographical risk is not limited to the country of incorporation of the corporate entity itself or that of its BOs but also from those jurisdictions where its main trading partners are located or the assets held by it are located;
  • subject persons collecting funds from customers (such as CISs or insurance intermediary undertakings), where the jurisdictional risk arises from the jurisdictions where the respective products are marketed and its customers are resident, incorporated or otherwise established.

The revised IPs then provide additional guidance on the manner in which such JRA's are to be undertaken, also allowing them to be outsourced completely, provided certain requirements are met as set out in the revised IPs.

Unfortunately, while the 'political' sensitivities in having the FIAU (or indeed the state) draw up such JRA's is evident, side-stepping this challenge by expecting subject persons to conduct their own JRA seems unfair, especially in those cases where the subject person does not have the capacity and resources to undertake a thorough JRA and keep it updated.

While the possibility of outsourcing the JRA or relying on third-party assessments is welcome, and while there are indeed many available, these typically use different methodologies and in many cases have specific aims, focusing on areas such as perception of corruption, for instance, forcing the subject person to have to refer to multiple sources. Aside from all this, there is also the risk that different subject persons may arrive at different risk assessments for the same jurisdiction, which can never be a good thing. Having a centralised source for JRAs, which would be accessible to all subject persons in Malta, providing a common base across the industry and across the country, would be a welcome development.


1 ".(b) in the case of trusts the beneficial owner shall consist of: (i) the settlor or settlors; (ii) the trustee or trustees; (iii) the protector or protectors, where applicable; (iv) the beneficiaries or the class of beneficiaries as may be applicable; and (v) any other natural person exercising ultimate control over the trust by means of direct or indirect ownership or by other means..."

2 https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Guidelines/2021/9636 37/Final%20Report%20on%20Guidelines%20on%20revised%20ML%20TF%20Risk%20F

3 https://www.eba.europa.eu/eba-consults-new-guidelines-role-amlcft-compliance-officers

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.