Malta

Requirements for customer identification, verification and

due diligence measures for non-face-to-face business
relations

Legal disclaimer

This notice applies to all the recipients of this document; please note that we reserve the right to alter and

update it.

This notice is provided on an "as it is" basis and for general informational purposes only; none of its contents

shall be interpreted as creating an attorney-client relationship between its recipient and Sumsub, which shall not

under any circumstances be held liable for any damages incurred as a result of actions taken or not taken based

on the information contained in this document.

This document is a result of the work of our professionals and constitutes the intellectual property of Sumsub. It

may not be disclosed, whether as-is or in any way modified, to any third party without prior authorization by

Sumsub. In the event of such a disclosure, Sumsub shall be entitled to equitable relief under the laws of England

and Wales.

Sumsub offers an all-in-one solution for complying with most

regulations and requirements. The company also has 20+ compliance

experts certified by ICS, CySec and ACAMS to guide you through all

the legal stuff. Schedule a demo with our experts to see how Sumsub

can help.

Below are some of the requirements of the Malta law in the

implementation of which Sumsub can assist

The table below is based on the following documents:

Subsidiary legislation 373.01 prevention of money laundering and funding of terrorism regulations (as amended

in 2021) (herein – pmlftr) 1

Implementing procedures, part 1 issued by the financial intelligence analysis unit (as amended in 2019) (herein

– implementing procedures) 2
Rules Requirement

Identification of Customer

Implementing procedures, Part Identification of a natural person takes place by obtaining a set of
1 (issued by the Financial personal details. The standard set of personal details that is to be
obtained for customers that are natural persons are the following:
Intelligence analysis Unit),
Section 4.3.1 (i)
a official full name;

b place and date of birth;

c permanent residential address;

d identity reference number, where available;

e nationality.

However, in low-risk situations, subject persons will be considered to

have satisfied the identification requirements by obtaining the
following details:

a official full name;

b date of birth; and

c permanent residential address. These are considered to be the

minimum personal details required to identify a natural person.

Identifying a company

The subject person is required to first identify the company by

gathering the following information:

a the company’s official full name;

b the company’s registration number;

c the company’s date of incorporation or registration

d the company’s registered address or principal place of business.

Implementing procedures, Identifying a company’s directors

Section 4.3.2.1 (i),

a the list of directors contained in the most recent version of the

When the Customer is a
Memorandum and Articles of Association;
Company
b by performing a company registry search, provided that the
officers of the company are listed therein;

c by referring to a good standing certificate or a certificate of

incumbency, which is not more than three (3) months old; or

d by obtaining a copy of the directors’ register of the company.

In the case of a corporate director(s), subject persons are required

to obtain details of the corporate director’s:

a official full name;

b registration number;

c registered address or principal place of business.

Identification and Verification of Identity of Beneficial Owner

Regulation 7(1)
Subject persons shall verify the identity of the customer and, where
(b) of the PMLFTR applicable, the identity of the beneficial owner, before the
establishment of a business relationship or the carrying out of an
occasional transaction.

Implementing procedures, Identifying and verifying the identity of beneficial owners

Section 4.3.2.1 (v) When the

Having established who the beneficial owner is, the subject person
Customer is a Company must ensure that the customer provides it with the personal details
listed in Section 4.3.1(i )(a) of Implementing procedures for the
beneficial owner.

The subject person has to then verify the beneficial owner’s identity
by applying any of the verification measures referred to in Section
4.3.1 of Implementing procedures, which may be most appropriate in

the circumstances.

Identification and Verification of Identity of Representative

Regulation 7(3) of the PMLFTR

Regulation 7(3) of the PMLFTR stipulates that, when any person

purports to act on behalf of a customer (i.e., as agents, signatories,
attorneys, etc.), in addition to identifying and verifying the customer’s
Implementing procedures, Part identity and, where applicable, the beneficial owner, the subject
1 (issued by the Financial person has to ensure that this person is duly authorised in writing to
Intelligence analysis Unit), act on the customer’s behalf and is to also identify and verify that
Section 4.1. (d) person’s identity (refer to Section 4.3.3).

Implementing procedures, Identifying and verifying the identity details of the agent Depending

Section 4.3.3. (i)

on the nature of the agent, identifying the agent and verifying the
agent’s identity is to be carried out as set out in the sections above.
Identifying and verifying the However, subject persons are to note that where the agent is a legal
identity details of the agent entity, the subject person does not have to:

a establish the agent’s ownership and control structure;

b identify who the agent’s beneficial owners are; and

c identify and verify the identity of the legal entity’s officers and/or
employees providing instructions to the subject person.

erification of Identity of Customer

V

Regulation 7(1)(a), 17 of the Customer due diligence measures shall consist in:
PMLFTR

the identification of the customer, and the verification of the identity

of the customer on the basis of documents, data or information
Implementing procedures, part obtained from a reliable and independent source, including, where
1 (issued by the Financial available, electronic identification means issued under electronic
Intelligence analysis Unit, identification schemes, or relevant trust services as set out in
Section 4.3.1.2 (i)
Regulation (EU) No 910/2014, or any other secure, remote or
electronic identification process approved by the Financial
Intelligence Analysis Unit under procedures issued in terms of

regulation 17:

1 7. The Financial Intelligence Analysis Unit, with the concurrence of

the relevant supervisory authority, may issue procedures and
guidance as may be required for the carrying into effect of the
provisions of these regulations, and which shall be binding on subject
persons.

Regulation 7(1)
Verification on the basis of documents When the customer is not
(a) of the PMLFTR

present for verification purposes, subject persons would only be in a

position to obtain copies of the identification documents listed under
Section 4.3.1.1(i ) of Implementing procedures.

Implementing procedures
Section 4.3.1.1 (i) Standard With respect to other documents that may be used to verify the
Verification Requirements

residential address listed under the same section (such as utility bills
or banks statements), subject persons may obtain either originals or
copies.

The verification of the identity details is to be carried out either by

making reference to a government issued document containing
photographic evidence of identity or by making reference to other
documents bearing a photo of the individual

Government-issued documents containing photographic evidence

of identity include:

a a valid unexpired passport;

b valid unexpired national or other government-issued identity

card;

c a valid unexpired residence card;

d a valid unexpired driving licence.

The verification of the residential address may be carried out through

any of the identification documents listed above (e.g., national
identity card or driving licence).

Implementing procedures, When this identification document does not contain information
Section 4.3.1.1.
on the customer’s residential address, the subject person has to
verify the residential address by making reference to any one of
Verification of residential
the following documents, provided that the residential address
address and the full name of the customer are referred to in a clear and
unequivocal manner in the document itself:

a correspondence from a central or local government authority,

department or agency;

b an official conduct certificate;

c any other government-issued document not mentioned above;

d a recent statement or reference letter issued by a recognised

credit institution or entity carrying out relevant financial business
in Malta, or equivalent activities in a Member State of the EU or in
a reputable jurisdiction;

e a recent utility bill;

f a lease contract or agreement;

g any other document.

Implementing procedures, part Additional measures may be applied by subject persons to verify
1 (issued by the Financial the customer’s identity and hence be satisfied of having verified
that the customer exists, and he/she is who he/she says he/she is:
Intelligence analysis Unit,

4.3.1.2 (i) (a) requesting additional identification documentatio

requesting the customer to confir

automatically generated codes or PINs before accessing the

service/ account using information that can beretrieved from a
customer’s device to corroborate certain personal details provided
by the customer (e.g., customer’s IP address or the geo- location
of a mobile phone to confirm residence

requiring the customer to send a photograph clearly showing the

customer’s face and the image on the identity document being
held in the same picture to demonstrate this actually belongs to
the customer...

a Visual Checks – the system should be able to compare

automatically the facial features of the customer shown on the
photographic image visible on the identification document with
the facial features shown on a separate photograph or a video
clip taken and sent by the customer contemporaneously with the
transmission of the identification document. Moreover, the
system should have the capability of comparing the images and
determining that the person represented in both photographic
images is one and the same.

b Authentication Checks – the system should have the capability of

automatically verifying the authenticity and validity of the
identification document submitted by performing a number of
checks, such as:

verifying that the security features (such as holograms) of that

particular identification document are in place

examining the lamination and ensure that there are no

indicative signs that the document may have been tampered
with

examining the document’s layout and features (such as font,

typeface and colour) and ensure that these match the
document’s standard; an

reading and validating the Machine- Readable Zone (MRZ)

code or the alternative code reproduced on the identification
document.

Implementing procedures, part Subject persons may also remotely verify the identity details of a
1 (issued by the Financial customer through video conference facilities.

Intelligence analysis Unit,

A video call may be carried out subsequent to the customer
4.3.1.2 (i )

submitting copies of the identification or other verification documents

listed in Section 4.3.1.1(i ) of Implementing procedures to the subject
Use of video conferencing tools
person (e.g., by e-mail) or by making this documentation visible in the
course of the video conference call.

When making use of this means, subject persons must observe a

number of conditions that are set out in the following paragraphs.

The video call has to allow the subject person and the customer to
make both visual and verbal contact simultaneously.

It should be of a sufficiently good quality to enable clear verbal

communication and to allow the subject person to clearly visualise the
customer’s face, as well as view the contents and security features of
identification documents produced by the customer (where
identification documents are being presented through the video call).

Checks to verify the authenticity of verification documents presented

through the video call may either be carried out manually by the
officer of the subject person or automatically through the use of
software, which may be embedded within the video conferencing tool
itself and has the capability to carry out these authentication checks.

Subject persons may refer to Section 4.3.1.1(iv) for guidance on

authenticity checks that may be carried out manually. To carry out
some of the listed checks (e.g., to visualise the security features of
the identification document being presented) the customer should be
asked to tilt the document during the video call.

The official carrying out this procedure must also examine the image
on the identification document (presented during the video call or
submitted to the subject person prior to the video call) to ensure that
it matches the customer’s visual appearance as well as the details of
the person produced on the identification document (such as age).

When a subject person carries out verification of identity through

video conferencing, the following records must be retained to

demonstrate compliance with the above requirements:

a at least an audio recording of the video call or the entire video

call itself, which includes the entire conversation between the
official of the subject person and the customer;

b screenshots taken during the video call, which must include an

image of the customer as well as the date and time displayed by
the video conference tool; and

c when the identification document is produced by the customer

throughout the video call, screenshots of the identification
document (all relevant pages or sides) will need to be recorded.

The photographic evidence of identity as well as all the information on

the identification document must be clearly visible and legible from
the screenshots.

Information on the Purpose and Intended Nature of Business Relations

Implementing procedures Subject persons have to understand why a customer is requesting its
issued by the Financial services and/or products and how those services and/or products are
expected to be used in the course of the business relationship
Intelligence Analysis Unit
(FIAU). 4.4.1.

O ngoing monitoring

Regulation 7(1)
Once a business relationship is formed, Regulation 7(1)(d) of the
(d) of the PMLFTR
PMLFTR requires subject persons to carry out on-going
monitoring.

Implementing procedures, Part

1 (issued by the Financial M onitoring comprises two key elements:
Intelligence analysis Unit),
Section 4.5.1
a scrutiny of transactions

b keeping information, documents and data held on the customer

up to date

Screening (sanctions, watch lists)

Implementing procedures, Part Subject persons have to undertake measures at law aimed at
1 (issued by the Financial combating terrorism, terrorism financing and the financing of the
proliferation of weapons of mass destruction which emanating from
Intelligence analysis Unit), the National Interest (Enabling Powers) Act relating to sanctions
Section 4.11. screening, freezing of assets and reporting.

This Act also provides for the constitution of the Sanctions Monitoring
B oard (“SMB”), which is the national competent authority responsible
to monitor the implementation of, and ensure compliance with,
targeted financial sanctions.

In this regard, subject persons are encouraged to continuously keep

up to date with any sanctions that may be imposed and with any
guidance, notices, decisions, recommendations or rulings that may be
issued by the SMB.

nhanced due diligence. Politically exposed persons

E

Implementing procedures, Part Subject persons must apply EDD measures on a risk-sensitive basis in

1 (issued by the Financial those situations that, by their nature, represent a higher risk of ML/FT.

Intelligence analysis Unit), Regulation 11(5) of the PMLFTR requires subject persons to maintain
Sections 4.9., 4.9.2.2.

risk management procedures to determine whether a customer or a

beneficial owner is a PEP or a family member or close associate
Regulation 11(5) and (8) of the thereof. This requirement is not only applicable to prospective
customers but also to existing customers, given that existing
PMLFTR

customers may become PEPs or associated therewith, including

through family ties, at a point in time in the course of an ongoing
relationship.

Regulation 11(5) and (8) of the PMLFTR require subject persons to

apply specific EDD measures in relation to PEPs, their family members
and persons known to be close associates.

Subject persons must in any case take adequate measures to

establish:

the source of wealth; an

the source of funds of the customer to be satisfied that it does not

handle proceeds derived from corruption or other criminal activity
associated with PEPs.

However, the extent of information and/ or documentation to be

requested by the subject person will vary depending on the risk
posed by the customer.

Keeping records

Implementing procedures, Part Subject persons must maintain the records, referred to in Section 9.2
1 (issued by the Financial of Implementing procedures, for a period of five (5) years. However,
subject persons are to note that the FIAU, relevant supervisory
Intelligence analysis Unit), authorities or law enforcement agencies are entitled to demand that
Section 9.3.

records, including personal data, be retained for longer periods, when

this extension is considered necessary for the purposes of the
Second proviso to Regulation prevention, detection, analysis and investigation of ML/FT activities
by the FIAU, relevant supervisory authorities or law enforcement
13(2) of the PMLFTR.
agencies.
Sumsub offers

User verification (KYC/AML)

Sumsub’s KYC/AML compliance software brings together

effective verification flows and higher conversion rates. It
lets you tailor your flow to different customer groups
through a wide selection of checks like ID verification,
Liveness, Proof of Address verification and more. Plus, you
can add AML monitoring to stay compliant with all
regulatory requirements, anywhere.

Business verification (KYB)

Currently, Sumsub offers two types of KYB:

Full-cycle KYB Auto KYB

Sumsub’s full-cycle verifies business Taking just 3 minutes to perform, Sumsub’s

counterparties faster and more effectively. AutoKYB check references data on more
The solution consolidates automated KYB than 200,000,000 companies and
checks, beneficiary KYC checks and manual beneficiaries across registries spanning 220
review by certified KYB/AML experts. countries/territories.

Payment fraud prevention

Sumsub’s Payment Fraud Prevention solution prevents businesses

from losing money to chargeback fraud. This is done by ensuring
that bank cards actually belong to users before transactions are
made.

Video identification

Sumsub’s Video Verification platform combines automation with

flexible, agent-assisted video interviews. This results in a
people-friendly flow that ensures compliance with AML
regulations and keeps conversion rates high. Video Verification
is a required compliance step in countries like Germany, Estonia,
z
Swit erland and others.

h
Face aut entication

Sumsub’s Face Authentication takes just 4 seconds to complete and

achieves 99% completion rates. It works everywhere in the world,
even with a slow internet connection, and has been tested by iBeta
OE
in accordance with IS /I C 30 0 1 7-3.

Transaction monitoring (KY T)

Sumsub’s transaction monitoring system uses the most flexible risk
management solution on the market to detect fraudulent
transaction activity and protect your business from financial losses.
Safeguard your revenue and accept more payments, all while
staying AML-compliant.

h
Sc edule a demo no w

© Sum and Substance Ltd. (UK), 2021. All rights reserved. Company number 09688671. @sumsub.com
info