- within Law Department Performance, Criminal Law and Privacy topic(s)
On 17 June 2026, the Malta Financial Services Authority (MFSA) issued a Dear CEO Letter to the management bodies and Money Laundering Reporting Officers of Maltese licensed credit institutions, communicating the findings of a thematic review on the identification, assessment and mitigation of terrorist financing (TF), proliferation financing (PF) and targeted financial sanctions (TFS) evasion risks.
The Letter was issued against the backdrop of an increasingly complex financial crime landscape. Recent publications by the Financial Action Task Force (FATF) highlight that while terrorist groups continue to exploit traditional financial channels, they are also increasingly leveraging new technologies and more sophisticated methods to move funds, evade sanctions and facilitate proliferation financing. At the same time, Malta’s latest National Risk Assessment identifies the banking sector as one of the sectors most exposed to TF, PF and TFS evasion risks, reflecting its central role in the movement of funds and the effectiveness of key controls such as customer due diligence, transaction monitoring, sanctions screening and suspicious transaction reporting.
Thus, the thematic review sought to assess how effectively credit institutions have embedded controls to identify and mitigate these evolving risks, taking into account recent regulatory developments, including the EU Instant Payments Regulation, the EBA Restrictive Measures Guidelines (EBA/GL/2024/14) and recent FATF publications. Building on earlier thematic work involving financial institutions and crypto asset service providers, the Letter does more than summarise industry practices. It sets out the MFSA’s supervisory expectations in key areas of financial crime compliance and provides a clear indication of the standards against which the Authority is likely to assess credit institutions during future supervisory engagements.
The MFSA’s key supervisory messages
The principal observations can be summarised as follows.
Governance frameworks have strengthened, but proliferation financing remains comparatively underdeveloped
The review found encouraging progress in the governance of terrorist financing and sanctions risks. Most respondents reported conducting restrictive measures exposure assessments, providing regular reporting to senior management and appointing dedicated personnel responsible for sanctions compliance.
However, proliferation financing continues to receive comparatively less attention. While all institutions maintained formal TF risk assessments, only 71% maintained dedicated PF risk assessments and only 67% had specific CPF policies and procedures in place. To address this gap, the MFSA expects institutions to embed PF considerations more fully within their enterprise wide risk management frameworks. The Letter also reminds credit institutions that, under the EBA Restrictive Measures Guidelines (EBA/GL/2024/14), management bodies are responsible for overseeing the adequacy of restrictive measures policies and assessing the effectiveness of the compliance function at least annually.
Risk assessments show greater alignment with the National Risk Assessment and emerging financial crime risks
The MFSA welcomes the fact that many institutions are aligning their entity level risk assessments with Malta’s NRA and incorporating its findings into their internal frameworks. Nevertheless, Regulation 5(1) of the PMLFTR requires subject persons to consider both national and supranational risk assessments when identifying and assessing ML and TF risks. Failure to integrate the NRA constitutes a regulatory gap that should be addressed promptly, with NRA based assumptions reviewed periodically to ensure they remain relevant.
The Authority also notes a strong level of alignment with the EBA Restrictive Measures Guidelines (EBA/GL/2024/14) and the revised National Interest (Enabling Powers) Act, 2025. Institutions are expected to adopt proportionate measures to identify and assess risks arising from restrictive measures breaches, proliferation financing and sanctions circumvention, taking into account customer, jurisdictional, product, service, transaction and delivery channel risk factors.
The Letter further emphasises that management bodies should oversee the effectiveness of restrictive measures compliance frameworks through regular reviews and ensure responsibility is assigned to an appropriately qualified senior officer.
The MFSA also highlights the importance of jurisdictional risk assessments. Institutions should assess jurisdictions based on the specific risks they present rather than relying solely on jurisdictional reputation, while ensuring that related assessments and risk ratings are reviewed and updated on a regular basis.
Identity verification tools remain underutilised and are not consistently tested
Given that most Maltese banks continue to onboard customers through face to face interactions, only a minority have implemented dedicated tools to detect forged or falsified identification documents. Among those that have adopted such technology, detection rates over the previous twelve months were relatively low, while independent testing of these systems remains inconsistent across the sector.
The MFSA reiterates that customer verification obligations under the PMLFTR apply irrespective of the onboarding channel. Institutions deploying identity verification technology should therefore be able to demonstrate that these solutions are effective through appropriate testing and validation rather than relying solely on vendor assurances.
In addition, the EBA Guidelines on Remote Customer Onboarding and the FIAU Implementing Procedures require institutions to maintain tamper proof electronic records, ensure compliance with EU data protection requirements, and perform ongoing quality assurance and sample testing to verify that the technology continues to operate effectively.
Moving beyond automation by embedding expert judgement into transaction monitoring
The review confirms that transaction monitoring systems generally capture the principal TF, PF and sanctions evasion typologies. However, the MFSA makes it clear that institutions should not rely exclusively on automated monitoring rules.
Monitoring frameworks should remain proportionate to customer and product risks, incorporate emerging typologies and red flags, undergo regular calibration and testing, and be complemented by documented expert judgement where automated scenarios may not adequately identify suspicious activity.
The Authority also highlights the need to adapt transaction monitoring frameworks to reflect the operational realities introduced by the EU Instant Payments Regulation. In particular, institutions should ensure compliance with the Regulation’s real time Verification of Payee requirements by verifying the payee’s name before a payment is authorised and are encouraged to consult the joint FIAU and Central Bank of Malta Questions and Answers document for further guidance.
Sanctions compliance extends beyond screening technology
Although most institutions rely on automated third party sanctions screening solutions that update sanctions lists promptly, the MFSA emphasises that outsourcing does not diminish an institution’s regulatory responsibility.
Institutions remain accountable for ensuring that screening tools operate effectively, screening systems are independently tested on a regular basis, outsourcing arrangements are appropriately governed, and customer screening complies with the revised requirements applicable to instant payments, including daily customer screening and immediate rescreening following new EU restrictive measures.
Artificial intelligence adoption remains limited, but supervisory expectations are already emerging
Only a small proportion of surveyed institutions currently use artificial intelligence within their financial crime compliance frameworks. Nevertheless, the MFSA has already outlined clear supervisory expectations for future deployment, aligning these with the UN Algeria Guiding Principles and Article 76 of the forthcoming EU AML Regulation.
Where AI is adopted, institutions should ensure meaningful human oversight, transparency and explainability of AI outputs, comprehensive audit trails, robust model governance and appropriate independent assurance over model performance. These expectations reflect a broader regulatory trend towards balancing technological innovation with sound governance and accountability.
Training is shifting from generic awareness to role specific competence
While institutions generally deliver a combination of e learning and instructor led training, the MFSA considers that training frameworks should move beyond theoretical awareness towards practical, role specific learning.
Consistent with the FATF Guidance for a Risk Based Approach for the Banking Sector, training should be tailored to the risks associated with specific functions and incorporate sector relevant case studies, red flag indicators and clear Suspicious Transaction Report escalation procedures. Training should also be delivered as an ongoing process rather than a one off exercise, with content regularly updated to reflect legislative and regulatory developments.
The Letter also emphasises the importance of ensuring that board members and senior management receive structured briefings on emerging financial crime threats, including evolving sanctions evasion methodologies, thereby reinforcing a strong top down compliance culture.
Overall takeaway
Perhaps the most significant message conveyed by the Letter is that the MFSA’s expectations now extend well beyond technical compliance with AML and CFT obligations. Increasingly, the Authority expects credit institutions to demonstrate effective governance, dynamic risk assessments, continuous control testing and the ability to respond proactively to emerging financial crime risks. In particular, the review highlights proliferation financing as an area where supervisory expectations continue to evolve, signalling that institutions should ensure these risks receive the same level of attention as terrorist financing and sanctions compliance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]