Malta's AML Rules for the Crypto Sector
In view of the full coming into force of the Markets in Crypto-Assets Regulation (MiCAR), Malta has implemented amendments to the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR). The amendments cover the following regulatory changes:
- The Markets in Crypto-Assets (MiCA) Regulation
- The Transfer of Funds (recast) Regulation
- The amendments to the Virtual Financial Assets Act
- The amendments to the 4th AML Directive as set out in Article 38 of the Transfer of Funds (recast)Regulation.
Reflecting the above changes and the revised EBA ML/FT Risk Factor Guidelines, the FIAU has restructured and amended the Implementing Procedures Part II for the crypto-asset sector (hereinafter "the IP2"), which is also applicable as of 30 December 2024.
The restructuring of the IP2 was necessary as to get in line with MiCAR; Chapters 3 and 4 of the previous version of the Implementing Procedures – Part II needed to be removed as those parts referred to specific anti-money laundering and countering the funding of terrorism (AML/CFT) measures to be undertaken by VFA Issuers and VFA Agents. Furthermore, the terminology is updated to align it with the terminology used in the above-mentioned EU regulations.
The updated IP2 introduced additional risk factors to the crypto-asset sector in line with the above referred EBA Guidelines. The risk factors are divided into the following risk areas:
- product, service and transaction risk
- customer risk
- geographical risk
- delivery channel/interface risk.
Crypto-Asset Service Providers (CASP) are reminded on the dynamic nature of their risk assessments, therefore the Business Risk Assessment (BRA) shall be reviewed every 6 months. As CASPs are required to have analytical tools in place, the results of an ML/FT risk analysis run by such tools on the CASP's product that indicate a higher risk of ML/FT is to be considered in the BRA.
In order to reflect the money laundering and funding terrorism (ML/FT) risks, corresponding measures specific to the crypto-assets sector were introduced by adding detailed rules on Enhanced Due Diligence (EDD) and on Simplified Due Diligence. It should be noted that any additional measure or measures applied under EDD will depend very much on the risk factor/s driving the ML/FT risk the customer poses on the CASP, such as collecting specific information on the nature of the customer`s business or employment, source of the customer`s crypto-assets, understanding the level of knowledge of the customer in this field, using advanced analytical tools for monitoring etc.
Reference was made in the updated IP2 to the measures outlined in the amendments to the 4th AML Directive with respect to cross-border correspondent relationships involving CASPs; and transactions to or from self-hosted addresses. Such measures regarding the correspondent relationships include conducting EDD on the respondent institutions from a country other than an EEA member state.
In line with the EBA Travel Rule Guidelines, CASPs are to take adequate measures to assess whether the address is owned or controlled by its customer, where the transfer is to or from a self-hosted address which exceeds EUR 1 000. CASPs are obliged to assess the risk connected to the self-hosted wallets and undertake certain mitigating measures, such as the identification and verification of the identity of the originator or beneficiary, ensuring that the address is under the control and ownership of the customer, requiring additional information on the origin and destination of the transferred crypto-assets, and conducting enhanced ongoing monitoring of those transactions or any other measures that mitigate the risk.
Due to their specific nature, Multi-Party Computational Wallets, which are designed to enhance security by splitting private keys into multiple parts, each held by different parties, trigger additional requirements. Allthe persons holding parts of the key are required to be identified and verified. Additional clarifications are included where a legal person owns the wallet and different parts are held by different representatives and when a software provider retains part of the private key.
A reference to the requirements under the recast of the Transfer of Funds Regulation is also included in the updated text of the IP2. This regulation introduced the so-called 'travel rule' which means that specified information on the payer and the payee must be attached to funds transfers by the CASP. It also requires the CASP to put in place effective procedures to detect the transfers of funds lacking this information, and to determine whether to execute, reject or suspend such transfers.
It is further emphasized that training needs to be provided on the use of automated systems applied by the CASP, including any advanced analytical tools used to monitor transactions and business relationships. Such training should enable employees to interpret the outcomes from these systems and tools, with a view to identify unusual or suspicious transactions and activities that may be related to ML/FT and the red flags associated with the particular customer, service or product.
As the industry has a fast-paced nature with rapid developments, it was necessary to update Annex 1 of the IP2 by including new trends, typologies and case studies.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.