26 March 2026

What The MFSA’s CMP Guidance Means For EMIs, PSPs And Financial Institutions In Practice

BDO Malta

Forming part of BDO’s Global Network, BDO Malta is a professional services and advisory firm, assisting companies in accelerating business growth through exceptional client service. Established in 1978, BDO Malta provides a wide portfolio of services, including regulatory advisory, outsourcing, audit and assurance, tax and technology regulatory compliance, to assist clients across different industries in growing their businesses efficiently.
Recent guidance issued in relation to the Annual Compliance Report and the Compliance Monitoring Plan provides an important signal to financial institutions. The Authority is no longer reviewing the CMP as a routine compliance document. It is reviewing it as evidence of whether the institution understands its own risk profile and whether it is actively testing the effectiveness of its controls.

This clarification is significant. For the first time, the Authority has found it necessary to publish detailed guidance on what a CMP and ACR should contain, following its review of submissions and the identification of recurring deficiencies. This reflects a concern that many institutions have been approaching compliance monitoring as a checklist exercise rather than as a structured, risk-driven process derived from an understanding of the institution’s risks.

The guidance makes the Authority’s expectations explicit. The CMP must be based on the main risks of the Authorised Person, must be prepared in liaison with the Risk Function, and must take Internal Audit findings into consideration. It must clearly show what is being tested, why it is being tested, how often testing occurs, who is responsible, and what the outcomes of that testing are. The Compliance Officer is expected to perform independent testing and cannot rely solely on checks performed by other departments.

This is where many institutions are exposed without being aware of it. In practice, it is common to encounter generic risk assessments that are not fully aligned to the business model, CMPs that follow standard templates rather than the institution’s specific risk profile, AML testing that is disconnected from broader compliance monitoring, internal audit findings that are not integrated into the CMP, and policies and procedures that are documented but not actively tested by the Compliance function. 

These are precisely the types of weaknesses the Authority is cautioning against. The guidance also highlights elements that were present in submissions assessed as high quality. This indicates that the Authority now has a benchmark and will assess future submissions against these standards.

At the core of this expectation is a clear and traceable link where the institution identifies its risks, addresses those risks through appropriate policies and procedures, defines mitigation measures, and reflects in the CMP how these measures are tested throughout the year, with findings documented and remedial actions properly tracked. 

If this chain is not clearly visible, the CMP will not demonstrate what the Authority expects to see. This applies across the wide range of areas specifically referenced in the guidance, including governance, board and committee effectiveness, financial crime compliance, safeguarding of client funds, own funds, technology and operational resilience, outsourcing and third-party management, conduct, training, and the monitoring of internal and external audit findings. These are all risk areas that the Authority expects to see reflected within a risk-based CMP.

Institutions should therefore consider important questions. Has the current CMP been developed after a thorough and documented assessment of the institution’s risks? Or was it prepared primarily as a compliance planning document based on standard regulatory obligations? 

Where the latter approach has been taken, there is a real possibility that the CMP does not accurately reflect the institution’s true risk exposure and is consequently not aligned with regulatory expectations.

The regulatory risk now lies in this gap. A CMP that is not demonstrably risk-driven may suggest that the institution has not fully analysed where its vulnerabilities lie. This is precisely what the Authority is now seeking to assess through its review of CMPs and ACRs.

Addressing this requires more than revising the CMP. It requires revisiting the identification and documentation of risks across operational, legal, compliance, strategic, liquidity, reputational, cyber, technology, and financial crime areas, and rebuilding the CMP so that it clearly reflects how those risks are monitored and tested in practice. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
