
IMPLEMENTING PROCEDURES

WWW.FIAUMALTA.ORG

ISSUED BY THE FINANCIAL INTELLIGENCE ANALYSIS UNIT IN TERMS OF THE PROVISIONS OF THE
PREVENTION OF MONEY LAUNDERING AND FUNDING OF TERRORISM REGULATIONS (S.L. 373.01)

PART I

FIRST ISSUED ON 20 MAY 2011
LAST AMENDED ON 18 OCTOBER 2021
© Financial Intelligence Analysis Unit, 2021

65C, Tower Street,
Birkirkara BKR 4012,
Malta

No part of this document may be reproduced or copied without adequate
reference being made to the source.

Telephone: (+356) 21 231 333
Fax: (+356) 21 231 090
E-mail: info@fiaumalta.org
Website: www.fiaumalta.org

IMPLEMENTING PROCEDURES
2
TABLE OF CONTENTS

ABBREVIATIONS 8

CHAPTER 1 – OVERVIEW 9
1.1 What is money laundering? 9
1.1.1 The definition of money laundering in the PMLA 10
1.1.2 Money laundering in practice 12
1.2 What is funding of terrorism? 13
1.2.1 The Funding of Terrorism in practice 14
1.3 International initiatives in the fight against money laundering
and the funding of terrorism 15
1.4 Maltese Legislation on money laundering and funding of terrorism 17
1.4.1 The Prevention of Money Laundering Act 18
1.4.2 The Prevention of Money Laundering and Funding of Terrorism
Regulations 19
1.5 The National Co-ordinating Committee on Combating Money
Laundering and Funding of Terrorism 20
1.6 The Financial Intelligence Analysis Unit 21
1.6.1 The FIAU’s compliance monitoring function 23

CHAPTER 2 – THE IMPLEMENTING PROCEDURES 26

2.1 Who are the ‘Subject Persons’? 27
2.2 Purpose of the Implementing Procedures 30
2.3 Status and application of the Implementing Procedures 32

CHAPTER 3 – THE RISK-BASED APPROACH 33

3.1 Notions of Risk 33
3.2 Risk Factors 35
3.2.1 Customer Risk 35
3.2.2 Geographical Risk 36
3.2.3 Product, Service and Transaction Risk 38
3.2.4 Delivery Channels Risk 39
3.2.5 Additional Risk Factors 39
3.2.6 Sector Specific Risk Factors 40
3.2.7 Sources of Information 40
3.3 The Business Risk Assessment 41
3.3.1 The Basic Steps 42
Table 1 – Likelihood scale 43

Table 2 – Impact Scale 44
Table 3 – Inherent Risk 44
Table 4 – Effectiveness 45
3.3.2 Carrying out the Business Risk Assessment 46
3.3.3 Timing of the Business Risk Assessment 48
3.3.4 Revising the Business Risk Assessment 49
3.4 Mitigating Measures, Policies, Controls and Procedures 50
3.4.1 The Customer Acceptance Policy 52
3.5 The Customer Risk Assessment 52
3.5.1 Timing of the Customer Risk Assessment 56
3.5.2 Preparing/Drafting the Customer Risk Assessment 57
3.5.3 Carrying out the Customer Risk Assessment 57
Table 5 – Risk-scoring grid 60
Table 6 – Risk score 61
3.6 Application of CDD on a Risk-Sensitive Basis 63

CHAPTER 4 – CUSTOMER DUE DILIGENCE 65
4.1 Overview of CDD measures 66
4.2 Definitions 69
4.2.1 The Customer 69
4.2.2 The Beneficial Owner 73
Table 7 – Definition of a beneficial owner 76
4.3 Identification and Verification 90
4.3.1 The nature of identification and verification of a natural person 92
4.3.2 Identification and Verification of Customers other than
Natural Persons 111
4.3.3 The Agent 130
4.4 The purpose and intended nature of the business relationship
and the Customer’s Business and Risk Profile 133
4.4.1 Purpose and Intended Nature of the Business Relationship 134
4.4.2 The Customer’s Business and Risk Profile 134
4.4.3 The Source of Wealth and the Source of Funds 136
4.5 Ongoing monitoring of the business relationship 137
4.5.1 Overview of the duty to conduct ongoing monitoring 137
4.5.2 Transaction Monitoring 138
4.5.3 Ensuring that documents, data and information held on the
customer are kept up to date 147

4.6 Timing of Due Diligence Procedures 151
4.6.1 Timing of CDD when establishing a business relationship 152
4.6.2 Timing of CDD when an occasional transaction is carried out 155
4.6.3 Timing of CDD in case of suspicion of ML/FT 156
4.6.4 When the subject person doubts the veracity or adequacy of
CDD documentation 156
4.6.5 Timing of CDD in relation to existing customers 156
4.6.6 Acquisition of the business of one subject person by another 159
4.7 Failure to complete CDD measures laid out in Regulation
7(1)(a)-(c) 161
4.8 Simplified Due Diligence 163
4.8.1 Particular situations in which SDD may be applied 165
4.8.2 Circumstances where SDD cannot be applied 170
4.9 Enhanced Due Diligence 171
4.9.1 Situations presenting a High Risk of ML/FT 172
4.9.2 Situations in which EDD is prescribed by law 175
4.10 Reliance on Other Subject Persons or Third Parties 196
4.10.1 Introduction 196
4.10.2 Scope 197
4.10.3 Entities that may be relied on 199
4.10.4 Carrying out reliance 201
4.10.5 The reliance agreement 202
4.10.6 When reliance is not permitted 203
4.11 Sanctions Screening 203

CHAPTER 5 – REPORTING PROCEDURES AND OBLIGATIONS 205

5.1 The Money Laundering Reporting Officer 205
5.1.1 The Role of the MLRO 205
5.1.2 Who Can be Appointed as MLRO? 206
5.1.3 Appointment and Resignation of the MLRO 212
5.2 The Designated Employee 213
5.3 The Monitoring Function 213
5.4 Internal Reporting Procedures 216
5.5 External Reporting Procedures 220
5.6 Actions After Reporting 223
5.7 The obligation to refrain from carrying out a transaction that
appears to be suspicious 225

5.8 Delaying the Execution of a Suspicious Transaction 226
5.9 Monitoring Orders 219
5.10 Professional Privilege 228
5.11 Prohibited and Permissible Disclosures 230
5.12 Reports for Compliance Purposes 233
5.13 Reporting under Regulation (EU) 2015/847 234
5.14 The Protection of the Whistleblower Act 235
5.15 Protection from Detrimental Action 237

CHAPTER 6 – OUTSOURCING 238

6.1 What is to be considered as Outsourcing? 238
6.2 Responsibility of the Subject Person 238
6.3 Extent of Outsourcing 239
6.4 Conditions to which Outsourcing is subject 240
6.5 Outsourcing within a Group Context 244

CHAPTER 7 – AWARENESS, TRAINING AND VETTING OF EMPLOYEES 245

7.1 Awareness and training: the obligation and purpose behind it 245
7.2 Company Officials and Employees to be Provided with Training 246
7.3 Content of Training 248
7.4 Method of delivery of training 249
7.5 Screening of new employees 250

CHAPTER 8 – DEALING WITH NON-REPUTABLE JURISDICTIONS & HIGH-RISK JURISDICTIONS, AND GROUP-WIDE POLICIES & PROCEDURES 251

8.1 Introducing the concepts of Non-Reputable Jurisdictions and
High-Risk Jurisdictions 251
8.1.1 Determining Non-reputable jurisdictions 252
Table 8 – Categories identified by FATF 253
Table 9 – Categories identified by Commission Delegated
Regulations 254
8.1.2 Determining High-risk jurisdictions 255
8.1.3 Assessing and managing the ML/FT risk posed by
non-reputable jurisdictions and high risk jurisdictions 258
8.2 Group-wide Policies and Procedures 261

8.2.1 Parents, Majority-owned Subsidiaries and Branches 261
8.2.2 Use and Sharing of Information 262
8.2.3 Reporting Suspicious Transactions 263
8.2.4 Impediments to the Application of Group-wide Policies
and Procedures 263

CHAPTER 9 – RECORD KEEPING PROCEDURES 265
9.1 Purpose of keeping records 265
9.2 Records to be retained 265
9.3 Period of retention of records 268
9.3.1 CDD documentation 269
9.3.2 Documentation on the business relationship and on the
transactions carried out in the course of a business relationship
or in relation to an occasional transaction 270
9.3.3 Internal Reports made to the MLRO and STRs 270
9.3.4 Records submitted together with an STR 270
9.3.5 AML/CFT training 271
9.3.6 Employee Screening Records 271
9.3.7 Outsourcing Records 271
9.3.8 Other Records 271
9.4 Form of records 272
9.5 Retrieval of records 272
9.5.1 General Requirements 272
9.5.2 Organisation and Categorisation of Records 273
9.6 Record Keeping Obligations and Data Protection 274

ANNEX A – ADMINISTRATIVE SANCTIONS AND CRIMINAL OFFENCES FOR BREACHES OF AML/CFT OBLIGATIONS 277

A1.1 Administrative Sanctions under the PMLFTR 277
Table 10 – Administrative Penalties 278
A1.2 Procedure for the imposition of administrative sanctions 279
A1.3 Appeals from Administrative Penalties 280
A1.4 Publication of Administrative Penalties and other Measures 281
A1.5 Criminal Offences 282

ABBREVIATIONS

4th AML Directive European Union Directive 2015/849 of 20 May 2015
AML/CFT Anti-money laundering/combating the funding of terrorism
BRA Business risk assessment
CAP Customer acceptance policy
CDD Customer due diligence
CRA Customer risk assessment
EBA European Banking Authority
EDD Enhanced customer due diligence
ESA European Supervisory Authority
EU European Union
FATF Financial Action Task Force
FATF Recommendations The FATF Recommendations on Money Laundering and Terrorist Financing adopted in 2012
FSRB FATF-Style Regional Body
FIAU Financial Intelligence Analysis Unit
FIU Financial Intelligence Unit
MFSA Malta Financial Services Authority
MGA Malta Gaming Authority
ML/FT Money laundering and funding of terrorism
MLRO Money Laundering Reporting Officer
MONEYVAL The Council of Europe Select Committee of Experts on the Evaluation of anti-Money Laundering Measures and the Financing of Terrorism
PEP Politically exposed person
PMLA Prevention of Money Laundering Act (Cap. 373, the Laws of Malta)
PMLFTR Prevention of Money Laundering and Funding of Terrorism Regulations (S.L. 373.01)
RBA Risk-Based Approach
SDD Simplified customer due diligence
SMB Sanctions Monitoring Board
STR Suspicious transaction report
UN United Nations

CHAPTER 1 – OVERVIEW

1.1 WHAT IS MONEY LAUNDERING?

Generally, money laundering is described as the process by which the illegal nature
of criminal proceeds is concealed or disguised in order to give a legitimate
appearance to these illegal proceeds. This process is of crucial importance to
criminals since it enables the perpetrators to make seemingly legitimate economic
use of their criminal proceeds. When a criminal activity generates substantial
income, the individual or group involved must find a way to control the funds
without attracting attention to the underlying activity or the persons involved.
Criminals do this by disguising the sources, changing the form, or moving the funds
to a place where they are less likely to attract attention.

Illegal arms sales, smuggling, activities of organised crime (such as drug trafficking
and prostitution rings), bribery, corruption, fraud and insider trading are typical
examples of criminal activities that could generate large profits. The source of
these proceeds would need to be disguised for the criminal to be able to enjoy
the ill-gotten gains made.

Traditionally, three stages were identified for the process of money laundering:
(a) the placement stage;
(b) the layering stage; and
(c) the integration stage.

Placement stage – the physical disposal of cash or other assets derived from criminal
activity. During this phase, the money launderer introduces the illicit proceeds into
the financial system, usually by breaking up large amounts of cash into less
conspicuous, smaller sums and placing these funds into circulation through formal
financial institutions and other legitimate businesses, both domestic and international.
This is the point at which the proceeds of crime are most apparent and most easily
detected – this is the most vulnerable stage in the laundering process.

Examples of placement transactions include:
(a) blending of funds: co-mingling of illegitimate funds with legitimate funds, such
as placing the cash from illegal narcotics sales into cash-intensive, locally
owned restaurants;
(b) purchasing foreign exchange with illegal funds;
(c) repayment of legitimate loans using cash derived from the commission of a
crime; and
(d) placing cash in small amounts and depositing it into numerous bank accounts
in an attempt to evade reporting thresholds.

Once the money has been placed in the financial system, the launderer engages
in a series of conversions or movements of the funds to distance them from the
source – the layering stage. This second stage involves converting the proceeds
of the crime into another form and creating complex layers of financial
transactions to obfuscate the source and ownership of the funds.
Examples of layering transactions include:
(a) electronically moving funds from one country to another and dividing them
into advanced financial options and/or markets;
(b) moving funds from one financial institution to another or within accounts held
with the same institution; and
(c) placing money in stocks, bonds and life insurance products.
In the third stage – the integration stage – the launderer seeks to bestow
apparent legitimacy to illicit wealth through the re-entry of the funds into the
economy in what appears to be normal business or personal transactions. This
stage entails using laundered proceeds in seemingly normal transactions to create
the perception of legitimacy.

Examples of integration transactions include:
(a) purchasing luxury assets, like real estate, artwork, jewellery or high-end
automobiles; and
(b) investments that can be made in business enterprises through financial
arrangements or other ventures.

It should be noted that the three-stage model is rather simplistic and does not
reflect every type of money laundering operation.

1.1.1 The definition of money laundering in the PMLA

The definition of money laundering in the PMLA goes beyond generically
expounding the notion of money laundering on the basis of the three traditional
stages identified above. In fact, passive possession of criminal property is also
considered to amount to the offence of money laundering. The definition provides
an exhaustive list of acts that constitute money laundering under Maltese law,
which are the following:
“(i) the conversion or transfer of property knowing or suspecting that such
property is derived directly or indirectly from, or the proceeds of, criminal
activity or from an act or acts of participation in criminal activity, for the
purpose of or purposes of concealing or disguising the origin of the property
or of assisting any person or persons involved or concerned in criminal
activity;
(ii) the concealment or disguise of the true nature, source, location, disposition,
movement, rights with respect of, in or over, or ownership of property,
knowing or suspecting that such property is derived directly or indirectly from
criminal activity or from an act or acts of participation in criminal activity;
(iii) the acquisition, possession or use of property knowing or suspecting that
the same was derived or originated directly or indirectly from criminal
activity or from an act or acts of participation in criminal activity;
(iv) retention without reasonable excuse of property knowing or suspecting that
the same was derived or originated directly or indirectly from criminal
activity or from an act or acts of participation in criminal activity;
(v) attempting any of the matters or activities defined in the above foregoing
sub-paragraphs (i), (ii), (iii) and (iv) within the meaning of article 41 of the
Criminal Code;
(vi) acting as an accomplice within the meaning of Article 42 of the Criminal
Code in respect of any of the matters or activities defined in the above
foregoing sub-paragraphs (i), (ii), (iii), (iv) and (v)”.
The definition of money laundering in the PMLA largely emanates from Article
1(3) of the 4th AML Directive and largely reflects the definition in the Council of
Europe Convention on Laundering, Search, Seizure and Confiscation of the
Proceeds from Crime and on the Financing of Terrorism (also known as the
Warsaw Convention or CETS 198), in the 1988 United Nations Convention
Against Illicit Traffic in Narcotic Drugs and Psychotropic Substances (the Vienna
Convention) and that in the 2000 United Nations Convention against
Transnational Organized Crime (the Palermo Convention).

The definition of money laundering under Maltese law, however, goes beyond
that under EU and international conventions, for instance:
(a) mere suspicion of criminal activity is sufficient (being, as it is termed, a so-called
‘suspicion-based regime’) and there is no need to have knowledge of the
criminal activity;
(b) criminalising money laundering, irrespective of the crime that generates the
proceeds – an ‘all crime regime’; and
(c) covering property that may even be indirectly derived from criminal activity.


1.1.2 Money laundering in practice

A money launderer will seek to operate in and around the financial system in a
manner that best fits the execution of the scheme to launder funds. As soon as
many governments around the world enacted AML obligations for the banking
sector, a shift in laundering activity into the non-bank financial sector (such as
third-party payment processors, money services businesses, insurance companies,
securities broker-dealers) and to non-financial businesses and professions[1]
(casinos, dealers in high value items, real estate, vehicle sellers, and various
gatekeepers like notaries, accountants, auditors and lawyers, and trust and company
service providers) started to increase.

Money laundering is an ever-evolving activity; it must be continuously monitored
in all its various forms in order for measures against it to be timely and effective.
Illicit property can move through numerous different commercial channels,
including products, such as transferable cheques, savings and brokerage accounts,
loans, wire transfers, or through intermediaries such as trustees and company
service providers, securities dealers, banks and money services businesses.

The Financial Action Task Force (FATF) and FATF-Style Regional Bodies (FSRBs)
publish periodic typology reports to “monitor changes and better understand
the underlying mechanisms of money laundering and terrorist financing”.[2]
Their aim is to maintain the dynamism and timeliness of efforts at combating
ML/FT, precisely because of the ever-evolving nature of the crime of money
laundering and the methods used by launderers to disguise the illicit origin/s of
ill-gotten gains.

Money laundering is frequently carried out in an international context, and
therefore measures taken at national level or even at EU level would be futile if
they did not also take into account international co-ordination and co-operation.
Particular account should be taken of the FATF Recommendations, as well as
instruments of other international bodies active in the fight against ML/FT.

A number of initiatives have been created to deal with the problem at an
international level, such as the establishment of the Egmont Group of FIUs, which
is a worldwide group that promotes closer co-operation between FIUs and
facilitates information sharing through a secure internet system known as the
Egmont Secure Web.[3]

1. Referred to as DNFBPs.
2. FATF ‘Report on Money Laundering Typologies 2002-2003’ of 14 February 2003 (page 1, paragraph 2).
3. The FIAU became a member of the Egmont Group in 2003.


1.2 WHAT IS FUNDING OF TERRORISM?

The funding of terrorism is the process of making funds or other assets available
to support, even indirectly, terrorist activities. The process of funding terrorist
groups or individual terrorists is addressed in Article 328B and Article 328F of
the Criminal Code.[4] The Criminal Code also contemplates other acts that are
considered to constitute funding of terrorism.
These include the use or possession of money or other property for the purposes
of terrorist activities (Article 328G) and the involvement in funding arrangements
to support terrorist activities (Article 328H and Article 328I). The criminal offence
of funding terrorism under the Criminal Code reflects the definition of funding
of terrorism under the 1999 United Nations International Convention for the
Suppression of the Financing of Terrorism.

The funding of terrorist activity, terrorist organisations or individual terrorists may
take place through funds derived from legitimate sources or from a combination
of lawful and unlawful sources. Indeed, funding from legal sources is a key
difference between terrorist organisations and traditional criminal organisations
involved in money laundering operations. While the former may thrive on funds
derived from legitimate sources, money laundering necessarily involves funds
derived from illegal sources.

Another difference is that, while the money launderer moves or conceals criminal
proceeds to obscure the link between the crime and the generated funds, and
avails himself of the profits of crime, the terrorist’s ultimate aim is not to generate
profit from the fund-raising mechanisms but to obtain resources to support
terrorist operations.[5]

Although it would seem logical that funding from legitimate sources would not
need to be laundered, there is often a need for terrorists to obscure or disguise
links between the organisation or the individual terrorist and their legitimate
funding sources. Therefore, terrorists must similarly find ways to process these
funds to be able to use them without drawing the authorities’ attention.[6]

Financing is required not only to fund specific terrorist acts but, more generally,
to meet the operational costs of terrorist organisations, such as maintaining a
terrorist network or cell, recruitment and training, sustaining an ideology of
terrorism through propaganda, and maintaining an infrastructure of organisational
support (even more so if this is to sustain an international network).

Terrorist organisations will vary from one organisation to another ranging from
large, state-like organisations to small, decentralised and self-directed networks.
Likewise, the nature of terrorist financing will vary depending on the size and scale
of the organisation involved, if any, and the source from which funding is derived.
Terrorist activities may be financed by states, companies or charities, as well as
being self-financed by the terrorists themselves. Various methods of funding may
be used at the same time.

4. Cap. 9 of the Laws of Malta.
5. FATF, Guidance for Financial Institutions in Detecting Terrorist Financing, April 2002, pp 4-5, paragraphs 12, 13 and 16.
6. Ibid, p 5, paragraph 15.

1.2.1 The Funding of Terrorism in practice

Cutting off financial support to terrorists and terrorist organisations is essential
to disrupting their operations and preventing attacks. Without funding, the
commission of terrorist acts becomes more difficult (albeit not impossible) to
perpetrate.

Terrorists continue to adapt their tactics and diversify their funding sources.
Charities, for instance, appear to be highly attractive to terrorists for various
reasons. Charities enjoy public trust, they often have access to considerable funds,
their activities are often cash-intensive, they may be subject to significantly lighter
regulatory requirements and, more specifically those with a global presence,
provide the right framework for international operations since they would have
branches in various parts of the world.

Charities have, for this reason, been noted to be highly vulnerable to misuse by
terrorists. They can be misused in various ways, such as by setting up sham
organisations posing as legitimate ones, or by raising funds for a specific charitable
cause through a legitimate organisation and subsequently diverting the generated
funds towards terrorist purposes.

The FATF states in its 2014 Risk of Terrorist Abuse in Non-Profit Organizations
(NPO) Report that:
“The importance of the NPO sector to the global community cannot be
overstated. It is a vibrant sector, providing innumerable services to millions of
people.”
However, this typologies project found that, more than a decade after the abuse
of NPOs by terrorists and terrorist organisations was formally recognised as a
concern, the terrorism threat to the sector remains, and the sector continues to
be misused and exploited by terrorist organisations through a variety of means.

The best practices guidance was updated in 2015 to assist countries in
implementing FATF Recommendation 8 on NPOs in line with the risk-based
approach; and to assist NPOs to mitigate terrorist-financing threats and assist
financial institutions to properly implement the risk-based approach when
providing financial services to NPOs.

The FATF’s 2015 Emerging Terrorist Financing Risks report details other funding
methods, such as:
(a) self-funding FTFs (Foreign Terrorist Fighters). The advent of social media,
smartphone applications and internet sharing sites now provides terrorist
organisations with global reach at little to no cost;
(b) raising funds through social media;
(c) new payment products and services; and
(d) exploitation of natural resources.

1.3 INTERNATIONAL INITIATIVES IN THE FIGHT AGAINST MONEY LAUNDERING AND THE FUNDING OF TERRORISM

The Financial Action Task Force
Formed in 1989, the FATF is an inter-governmental body whose aim is to set
standards and foster international action against ML/FT. Over the years, the FATF
has developed a series of Recommendations that are recognised as the
international standard for combating ML/FT, and more recently the proliferation
of weapons of mass destruction. These Recommendations were first issued in
1990 and have been revised on a number of occasions, most recently in February
2012. This latter version has been updated regularly since.

MONEYVAL
MONEYVAL is a body of the Council of Europe tasked with evaluating
compliance with the FATF Recommendations that makes recommendations to
member countries and their respective authorities in relation to improvements
to their AML/CFT regimes. MONEYVAL evaluations are carried out regularly
through a system of peer reviews. MONEYVAL fulfils the role of an FSRB for the
European region. Malta is a founding member of MONEYVAL.


The European Union
The EU has over the years taken a number of legislative initiatives to combat
ML/FT. The EU issued the first anti-money laundering directive in 1991 and has
since issued a number of revised versions, with the most recent one being the
4th AML Directive, published in May 2015, which Malta has transposed into its
national law. While the EU’s anti-money laundering directive is largely based on
the FATF Recommendations, it often goes beyond and imposes tighter controls
on a number of aspects, such as on the transparency of legal persons and
arrangements, and the accessibility to their beneficial ownership information.
Directive (EU) 2018/843, frequently referred to as the 5th Anti-Money
Laundering Directive, has introduced a number of amendments to the 4th AML
Directive that are in the process of being transposed into Maltese law.

Besides enacting legislation to fight ML/FT, the EU has taken numerous initiatives
to foster EU-wide co-operation in this area. An Expert Group on Money Laundering
and Terrorist Financing has been set up to serve as a platform for Member States to
co-ordinate actions, exchange views and best practices, and provide expertise to the
EU Commission in preparing legislative and implementing measures.

Similarly, the EU Financial Intelligence Units Platform, an informal group set up by
the EU Commission in 2006, brings together EU FIUs to enhance co-operation
through a number of initiatives.

The Joint Committee of the European Supervisory Authorities (ESAs), i.e., the
European Banking Authority (EBA), the European Insurance and Occupational
Pensions Authority (EIOPA) and the European Securities and Markets Authority
(ESMA), is another important EU-wide initiative aimed at strengthening
co-operation between the ESAs. This Joint Committee has established a
sub-committee dedicated to AML/CFT, which is tasked under the 4th AML
Directive with the issuance of technical guidance to assist authorities and subject
persons in the implementation of the 4th AML Directive.

Malta actively participates in all these EU bodies and platforms through the
respective authorities.

Egmont Group of Financial Intelligence Units
Recognising the benefits inherent in the development of an FIU network, in 1995
a group of FIUs decided to establish an informal group to stimulate international
co-operation, which has now grown into a worldwide group bringing together
158 FIUs. Through the Egmont Group, member FIUs meet regularly to find ways
to co-operate, especially in the areas of information exchange, training and the
sharing of expertise.

The Egmont Group facilitates the exchange of intelligence and financial
information between FIUs through a secure internet system, known as the
Egmont Secure Web, and has issued a number of statements and papers to assist
FIUs to engage in international co-operation.
Malta became a member of the Egmont Group in 2003.

1.4 MALTESE LEGISLATION ON MONEY LAUNDERING


AND FUNDING OF TERRORISM
The first legislative initiative to introduce an anti- money laundering regime in
Malta dates back to February 1994, when Article 22 (1C) of the Dangerous
Drugs Ordinance was amended to introduce the offence of money laundering in
relation to the proceeds of certain drug- related offences.7 Eventually, the PMLA
was enacted in September of the same year, together with the original
regulations issued thereunder, which introduced a comprehensive regime for the
criminalisation of money laundering in relation to predicate offences that are not
merely drug related, as well as the prevention, investigation and prosecution of
money laundering.
Concurrently with the enactment of the PMLA, an amendment to Article 120A
of the Medical and Kindred Professions Ordinance8 was made to introduce the
offence of money laundering in relation to proceeds of offences related to other
illegal substances beyond the scope of those provided for under the Dangerous
Drugs Ordinance.
After its enactment, the PMLA was amended to extend the remit of the FIAU to
the area of funding of terrorism, which was criminalised through amendments to
the Criminal Code. The regulations were consequently repealed and replaced by
the PMLFTR, which cover the emerging threat of funding of terrorism as well as
other developments in the field of AML/CFT.
The PMLA and the PMLFTR contain provisions that were introduced in pursuance
of Malta’s ongoing commitment to comply with international standards in the
AML/CFT field, as well as to honour its obligations as an EU member state.

7. Cap. 101 of the Laws of Malta.


8. Cap. 31 of the Laws of Malta.


1.4.1 The Prevention of Money Laundering Act


The PMLA was enacted on 23 September 1994 and was subject to a number
of amendments thereafter. The more important legislative developments include
the legal provisions establishing the FIAU through the amendment of Act XXXI
of 2001, the extension of the provisions of the PMLA to include the offence of
funding of terrorism by means of the amending Act VI of 2005, and the
implementation of the provisions of the Council of Europe Convention No. 198
on Laundering, Search, Seizure and Confiscation of the Proceeds from Crime and
on the Financing of Terrorism through the enactment of Act XXXI of 2007.
Extensive amendments to the PMLA were also introduced in 2015 and 2017 by
virtue of Act III of 2015 and Act XXVIII of 2017, respectively. Act III of 2015
addressed a number of shortcomings that were identified in MONEYVAL’s fourth
round Mutual Evaluation Report of Malta, adopted in March 2012, and Act XXVIII
of 2017 amended and introduced a number of provisions mainly intended to
transpose into Maltese legislation the 4th AML Directive. These amendments also
introduced a number of other provisions to strengthen the AML/CFT regime
under Maltese law.
The first part of the PMLA provides a definition of money laundering (refer to
Section 1.1) and criminalises the act of money laundering.9 The maximum penalty
for the offence of money laundering is a fine amounting to two million and five
hundred thousand euro (€2,500,000.00) or to imprisonment for a period not
exceeding eighteen (18) years, or to both the fine and imprisonment.
The PMLA provides that the offence of money laundering may be committed by
a natural person as well as a body of persons, whether corporate or
unincorporated.10 The PMLA also provides a definition of criminal activity11 and
property.12 Originally, the PMLA only applied to a limited list of predicate
offences.13 However, since 31 May 2005, with the coming into effect of Legal
Notice 176 of 2005, Malta has shifted from having a restricted list of predicate
offences to an ‘all crimes’ regime, meaning that ‘any criminal offence’, whenever
or wherever it is carried out, may constitute the basis for the offence of money
laundering.14

9. Article 3(1) of the PMLA.


10. Article 3(2) of the PMLA.
11. Article 2(1) of the PMLA.
12. Article 2(1) of the PMLA.
13. The predicate offence is the underlying criminal activity from which the illegal funds originate.
14. Article 2(1) of the PMLA.


The PMLA lays down the procedures for the prosecution of money laundering15
as well as the measures for the confiscation of property on a conviction for money
laundering,16 measures for the freezing of assets when a person is charged with
money laundering17 and measures for the issuance of an investigation and/or
attachment order when a person is suspected of having committed money
laundering.18
Additionally, by virtue of article 435AA of the Criminal Code, which is applicable
to the PMLA, the Criminal Court may order a bank to monitor the banking
operations being carried out through one or more accounts of a person suspected
of having committed money laundering for a specified period. Provisions are also
provided for international mutual assistance in the implementation of measures
relating to confiscation, freezing and other court orders related to the investigation
of money laundering.
The second part of the PMLA establishes the FIAU, a Government agency
purposely set up to perform the functions set out in Article 16 of the PMLA. The
functions and remit of the FIAU are dealt with in more detail in Section 1.6.

1.4.2 The Prevention of Money Laundering and Funding of Terrorism Regulations
The PMLFTR, which were issued by virtue of Legal Notice 372 of 2017 and
came into force on 1 January 2018, repealed and replaced the 2008
Regulations,19 which had in turn repealed the previous 2003 Regulations. The
various versions of the Regulations since 1994 reflect the corresponding
international developments and legislative developments within the EU. In fact,
the PMLFTR transpose the 4th AML Directive, which is in turn modelled on the
FATF Recommendations.
The PMLFTR set out the obligations and procedures that subject persons are
required to fulfil and to implement, and without which an AML/CFT regime
cannot be effective. These procedures mainly consist of the following:
(a) procedures on internal control, risk assessment, risk management, compliance
management and communications;

15. Article 3(2A), (3), (4), (6) and (7) of the PMLA.
16. Article 3(5) of the PMLA.
17. Article 5 of the PMLA.
18. Article 4 of the PMLA.
19. Legal Notice 180 of 2008.


(b) customer due diligence;


(c) record keeping;
(d) reporting; and
(e) training and awareness.
The added focus on a Risk-Based Approach (RBA) is considered to be the main
development of the PMLFTR introduced in 2017.20 This obliges a subject person
to take appropriate steps (in proportion to the nature and size of its business) to
identify and assess the risks of ML/FT, taking into account risk factors, including
those relating to their customers, countries or geographic areas, products,
services, transactions or delivery channels, and to take ensuing mitigating
measures commensurate to the risks identified.
Whereas under the old regime the concept of an RBA was optional, under the
new Regulations more emphasis is placed on the risk-based application of
AML/CFT requirements. For further information on the application of the RBA,
subject persons should refer to Chapter 3.

1.5 THE NATIONAL CO-ORDINATING COMMITTEE ON COMBATING MONEY LAUNDERING AND FUNDING OF TERRORISM
The National Co-ordinating Committee on Combating Money Laundering and
Funding of Terrorism (NCC) is the body responsible for defining, overseeing and
co-ordinating the implementation of the national AML/CFT strategy. In fulfilling
this function the NCC is responsible for co-ordinating AML/CFT risk assessments
(including National Risk Assessments) and monitoring the evolution of ML/FT
threats and vulnerabilities in Malta, while keeping stakeholders informed of the
outcomes of such risk assessments, threats and vulnerabilities.
The NCC was established on 13 April 2018 by virtue of the National
Coordinating Committee on Money Laundering and Funding of Terrorism
Regulations.21 It is chaired by the Permanent Secretary of the Ministry for Finance
and is composed of policy makers (representatives from the Ministries for Finance,
Home Affairs and Justice), Supervisors (FIAU, MFSA, MGA), the Malta Police, the
Office of the Attorney General and various other competent authorities involved

20. Legal Notice 372 of 2017.


21. S.L. 373.02.


in combating money laundering, funding of terrorism and the financing of


proliferation of weapons of mass destruction.
The NCC is supported by a permanent secretariat.

1.6 THE FINANCIAL INTELLIGENCE ANALYSIS UNIT


The FIAU is a national government agency, having a distinct legal personality, that
handles financial intelligence; its establishment is mandatory under Malta's international
commitments.22 The FIAU was set up in 2001
by virtue of Act XXXI of 2001, through the inclusion in the PMLA of a number
of provisions that set up the FIAU and define its powers and functions. The FIAU
receives reports of suspicious transactions (STRs) from subject persons,
supervisory and other competent authorities, as well as other persons or entities,
analyses them and disseminates the resulting intelligence to the Malta Police,
other competent authorities and foreign FIUs to combat ML/FT.
The Maltese legislator adopted the administrative model, meaning that the FIAU is
constituted as an independent administrative authority distinct from law enforcement
and judicial authorities. Thus, the FIAU has no investigatory or prosecutorial powers,
which powers are vested in the Police and the Attorney General, respectively. This
type of arrangement serves as a ‘buffer’ between subject persons (composed of
entities and persons carrying out financial and non- financial business or professional
activities) and law enforcement and prosecutorial authorities.
The functions and responsibilities of the FIAU are primarily set out in Article 16
of the PMLA, with some other powers and functions conferred to the FIAU by
virtue of other provisions found in the PMLA and other legislative instruments.
Being the entity responsible for the collection, collation, processing, analysis and
dissemination of information with a view to combat ML/FT, the core function of
the FIAU is the receipt and analysis of reports made by subject persons on
transactions and activities suspected to involve ML/FT or proceeds of crime
(referred to as STRs), and the dissemination of financial intelligence to law
enforcement authorities and other competent authorities.23
Another main function of the FIAU, discussed in more detail in Section 1.6.1
below, is its responsibility to supervise, monitor and ensure compliance by subject
persons with their obligations under the PMLA and PMLFTR.

22. The setting up of an FIU is a mandatory requirement emanating from various international
commitments, such as the FATF Recommendations and the 4th AML Directive.
23. Article 16(1) of the PMLA.


The FIAU is given additional and extensive powers for co-operating and
exchanging information with counterpart FIUs and foreign supervisory authorities,
and has wide-ranging powers to demand information both to carry out its
functions and also to assist foreign FIUs and supervisory authorities. In fact, in
carrying out its functions according to the PMLA, the FIAU may demand
information deemed to be relevant and useful from subject persons, the Police,
any government ministry, department, agency or other public authority, any
supervisory authority, and any other natural or legal person who, in the opinion
of the FIAU, may hold this information to enable it to pursue its functions.
The FIAU also has the power to impose administrative sanctions, consisting in
administrative penalties, reprimands in writing and corrective action plans or
remediation directives, when it has concerns with a subject person’s application
of their AML/CFT obligations, when it identifies failures to comply with lawful
requirements, orders or directives issued by the FIAU, and for contraventions of
provisions of the PMLFTR or procedures or guidance issued thereunder.
The FIAU may also issue written directives requiring subject persons to carry out
or refrain from carrying out any act and may, in certain specified circumstances,
require the termination of business relationships or the closure of corporate
branches. The FIAU is also empowered to delay the execution of transactions
that are deemed to be suspicious.
The FIAU is composed of two main organs: the Board of Governors and the
Director, together with the FIAU’s permanent staff. The members of the Board
are appointed by the Minister responsible for Finance from four panels, each
consisting of at least three persons, nominated respectively by the Attorney
General, the Governor of the Central Bank of Malta, the Chairman of the Malta
Financial Services Authority and the Commissioner of Police.
All Board members discharge their duties in their personal capacity and are not
subject to the direction of any person or authority. The main responsibility of the
Board is to lay down the policy to be followed by the FIAU, which is then to be
executed and pursued by the Director. The Board of Governors remains
responsible to ensure that the Director carries out that policy accordingly.
Additionally, the Board is responsible for advising the Minister responsible for
Finance on all matters and issues relevant to the prevention, detection,
investigation, prosecution and punishment of ML/FT offences.
In 2016, the EU initiated a number of measures to strengthen the role of FIUs
and their ability to share information across Europe as part of its comprehensive
action plan in the fight against terrorism. The European Commission presented
an Action Plan to strengthen the fight against FT, which included revisions to the


4th AML Directive aimed at enhancing the powers of FIUs to exchange
information and to co-operate.
The EU Commission will also be tasked with assessing whether additional
legislative or other initiatives are required to promote further co-operation
between FIUs, and with enhancing their roles and powers. This follows a detailed
mapping exercise that was carried out by EU FIUs to analyse the obstacles that
FIUs faced in carrying out their functions, and co-operating and exchanging
information with each other.

1.6.1 The FIAU’s compliance monitoring function


The FIAU is responsible for monitoring compliance by subject persons with the
obligations set out under the PMLA and PMLFTR. The FIAU adopts a risk-based
approach when carrying out its supervisory function. For this purpose, the FIAU
conducts risk assessments to understand the risk posed by the various sectors,
businesses and professions, and the various entities and individuals operating
within these sectors.
A risk-based approach (RBA) ensures that the FIAU can focus its resources where
it matters the most to enhance the effectiveness of its role.24 In the fulfilment of
this responsibility, the FIAU conducts both off-site and onsite monitoring, as will
be explained in further detail below. Subject persons may be required to compile
Risk Evaluation Questionnaires containing information and data on their activities
or business to assist the FIAU in carrying out proper risk assessments (for further
details on the Risk Evaluation Questionnaires, refer to Section 5.12).
The FIAU may also from time to time request the submission of other periodical
reports, apart from the Risk Evaluation Questionnaire, in accordance with the
authority granted to it under Regulation 19 of the PMLFTR.
Compliance monitoring is carried out by the FIAU through either off-site or
onsite reviews, or through a combination of both. Onsite reviews entail visits to the
premises of the subject person to determine the extent to which the provisions
of their AML/CFT obligations are being implemented in practice. These visits
typically involve meetings and interviews with key officials of the subject person,
such as the MLRO and other officials or employees, as well as reviews of a
number of customer files and records, the subject person’s policies and
procedures, and any automated systems that the subject person may be using.

24. Regulation 4(1) of the PMLFTR.


It is normal practice for subject persons to be informed beforehand of an


impending onsite examination and to be requested to provide information and
documentation to enable the carrying out of the assessment, such as client lists
and policy and procedures documents. However, the FIAU may also opt to carry
out surprise visits without prior notice.
Off-site reviews, on the other hand, do not involve visits to the subject person’s
premises but are carried out through a so-called ‘desk review’ of information
received or requested by the FIAU from the subject person. Such information and
documentation may, for example, include AML/CFT procedures or policy documents,
risk assessment documentation and ongoing monitoring methodologies, and will
depend on the scope and purpose of that particular review.
The extent of both onsite and off-site reviews may vary depending on a number
of factors. Reviews may be carried out to assess the general implementation of
AML/CFT obligations, to focus on particular and specific obligations (such as the
implementation of ongoing transaction monitoring), or to analyse particular services
or products, be it across a sector/s or in relation to one particular subject person.
The extent may also vary depending on the risk of ML/FT posed by the subject
person being reviewed, with the riskier ones to expect more comprehensive and
thorough examinations as opposed to brief supervisory meetings that might be
carried out on subject persons that are deemed to be exposed to a low risk of ML/FT.
It is important to note that the PMLA enables the FIAU to request a supervisory
authority, having supervisory powers over certain categories of subject persons
(such as the MFSA and the MGA) to carry out onsite or off-site AML/CFT
examinations on behalf of or jointly with the FIAU.25 In all cases where onsite and
off-site examinations are conducted by the MFSA or the MGA, the findings of
the examination are reported to the FIAU and the FIAU determines whether any
subsequent administrative action is necessary. Moreover, the FIAU may deem it
expedient to engage experts to assist it in carrying out its functions, including
compliance monitoring.26
Co-operation with other supervisory authorities, both domestic and foreign, is
an important aspect of the FIAU’s supervisory function. The FIAU is empowered
to co-operate with supervisory and regulatory authorities generally to ensure
that the financial sector or any other sector is not misused for criminal purposes
and thus safeguard its integrity.

25. Article 27(3) of the PMLA.


26. Article 26A of the PMLA.


This would, for example, involve:

• the sharing of information with authorities empowered to issue licenses or
authorisations, to assist these authorities in their due diligence and fit and
properness tests carried out prior to granting licenses or authorisations; or
• the carrying out of joint supervisory actions with foreign counterparts on
obliged entities that have branches, majority-owned subsidiaries or other
physical establishments in Malta, or on subject persons that have branches,
majority-owned subsidiaries or other physical establishments in foreign jurisdictions.
The FIAU in its supervisory role is also expected to co-operate and exchange
information with the respective ESA acting in terms of EU directives and
regulations.27

27. Regulation 2(5) of the PMLFTR.

CHAPTER 2 – THE IMPLEMENTING
PROCEDURES

The misuse of the financial system to channel illicit gains, or even lawful gains destined
for unlawful purposes (namely terrorism), poses a clear risk to the integrity, proper
functioning, reputation and stability of the financial system. These criminal acts know
no boundaries and jurisdictions having weak, ineffective or inadequate AML/CFT
legislative and regulatory frameworks are most vulnerable. Thus, the upholding of
legal and professional standards is critical to the integrity of financial markets.
The techniques used by money launderers constantly evolve to match the source
and amount of funds to be laundered, and the legislative/regulatory/law
enforcement environment of the market in which the money launderer operates.
Therefore, persons undertaking certain activities, defined as subject persons, need
to adopt measures to ensure that money gained through unlawful means is not
channelled and laundered through the system and/or that such money, or even
money from totally legitimate sources, is not used to finance terrorism.
Subject persons should ensure that their AML/CFT policies, controls, processes
and procedures are appropriately designed and implemented, and are effectively
operated to reduce the risk of them being used in connection with money
laundering or terrorist financing activities.
Since firms, businesses and professionals can be used for ML/FT purposes, they
face reputational, legal and regulatory risks. On any level, an operator should have
an inherent interest – if not also an altruistic one, in the interests of society and
the jurisdiction’s reputation as a whole – to ensure that it is not used as a vehicle
to launder funds or to fund terrorist organisations.
Many service providers invest large amounts of time and money to develop their
business, and their reputation invariably takes years to build. However, all this can
be lost in an unbelievably short time if the organisation gets embroiled in an
ML/FT scandal. The same can be said about a country’s reputation, which would
be irreparably harmed by the negative publicity ML/FT cases attract, and which
would, in turn, have serious repercussions on the country’s economic well-being
and the ability to attract the right type of business and investment.
By appropriately implementing effective AML/CFT policies and measures, and
being able to detect and flag suspicious transactions, subject persons would be
assisting the authorities to defend the financial system, and the entity, business
or profession concerned, from criminal activity. They are essentially enabling the
relevant authorities to perform their functions at law in an effective manner, since
ultimately it is subject persons who are the first points of contact for criminals.
For this reason, subject persons and their relevant employees and officials who deal
with customers should be aware and appropriately trained on how to recognise
and deal with transactions and other activities that may be related to ML/FT.


2.1 WHO ARE THE ‘SUBJECT PERSONS’?


The PMLFTR define subject persons as those persons, legal or natural, carrying
out “relevant activity” or “relevant financial business”. These persons are
considered subject persons exclusively when carrying out those activities listed
under the definitions of “relevant activity” and “relevant financial business”.
‘Relevant activity’ is defined in the PMLFTR as:
“…the activity of the following legal or natural persons when acting in the exercise of
their professional activities:
(a) auditors, external accountants and tax advisors, including when acting as provided for
in paragraph (c) and any other person that undertakes to provide, directly, or through
other persons to whom he is related, material aid, assistance or advice on tax matters;
(b) real estate agents, including when acting as intermediaries in relation to the letting
of immovable property where the monthly rent amounts to ten thousand euro
(€10,000) or more;
(c) notaries and other independent legal professionals when they participate, whether by
acting on behalf of and for their client in any financial or real estate transaction or by
assisting in the planning or carrying out of transactions for their clients concerning the:
(i) buying and selling of real property or business entities;
(ii) managing of client money, securities or other assets, unless the activity is
undertaken under a licence issued under the provisions of the Investment
Services Act;
(iii) opening or management of bank, savings or securities accounts;
(iv) organisation of contributions necessary for the creation, operation or
management of companies;
(v) creation, operation or management of companies, trusts, foundations or
similar structures, or when acting as a trust or company service provider;
(d) trust and company service providers;
(e) nominee companies holding a warrant under the Malta Financial Services Authority
Act and acting in relation to dissolved companies registered under the said Act;
(f) casino licensees;
(g) gaming licensees;
(h) any natural or legal person trading in goods, but only where a transaction involves
payment in cash in an amount equal to ten thousand euro (€10,000) or more


whether the transaction is carried out in a single operation or in several operations


which appear to be linked;
(i) any natural or legal person trading in works of art or acting as intermediary in
the sale of works of art, including when this is carried out by art galleries,
auctioneers and freeports, where the value of the transaction or a series of linked
transactions amounts to ten thousand euro (€10,000) or more; and
(j) free ports when storing works of art the value of which amounts to ten thousand
(€10,000) or more, or when trading in works of art or acting as intermediaries
in the sale of works of art as envisaged under paragraph (i).”28
‘Relevant financial business’ is defined in the PMLFTR as:
“(a) any business of banking carried on by a person or institution who is for the time
being licensed, or required to be licensed, under the provisions of the Banking Act;
(b) any activity of a financial institution carried on by a person or institution who is
for the time being licensed, or required to be licensed, under the provisions of the
Financial Institutions Act;
(c) any long-term insurance business other than business of reinsurance carried on
by a person or institution who is for the time being authorised, or required to be
authorised, under the provisions of the Insurance Business Act;
(d) any insurance intermediary activities carried out by an insurance intermediary or
by a tied insurance intermediary related to long-term insurance business which
person or institution is enrolled or required to be enrolled under the provisions of
the Insurance Intermediaries Act, other than a natural person who is registered or
enrolled and acts on behalf of a tied insurance intermediary or a person or
institution enrolled as a tied insurance intermediary that does not collect premiums,
or other amounts intended for the policyholder or the beneficiary;
(e) any long term insurance business other than business of reinsurance carried on by
a person in accordance with the Insurance Business (Captive Insurance
Undertakings and Captive Reinsurance Undertakings) Regulations, by a cell
company in accordance with the provisions of the Companies Act (Cell Companies
Carrying on Business of Insurance) Regulations or by an incorporated cell company
and an incorporated cell in accordance with the provisions of the Companies Act
(Incorporated Cell Companies Carrying on Business of Insurance) Regulations;
(f) investment services carried on by a person or institution licensed or required to be
licensed under the provisions of the Investment Services Act;

28. Regulation 2(1) of the PMLFTR.


(g) administration services to collective investment schemes carried on by a person or


institution recognised or required to be recognised under the provisions of the
Investment Services Act other than administration services provided by recognised
incorporated cell companies in accordance with the Companies Act (Recognised
Incorporated Cell Companies) Regulations;
(h) a collective investment scheme marketing its units or shares, licensed, recognised
or notified, or required to be licensed, recognised or notified, under the provisions
of the Investment Services Act;29
(i) any activity other than that of a retirement scheme or a retirement fund, carried
on in relation to a retirement scheme, by a person or institution licensed or required
to be licensed under the provisions of the Retirement Pensions Act and for the
purpose of this paragraph, ‘’retirement scheme’’ and ‘’retirement fund’’ shall have
the same meaning as is assigned to them in the Retirement Pension Act;
(j) any activity of a regulated market and that of a central securities depository authorised
or required to be authorised under the provisions of the Financial Markets Act;
(k) safe custody services provided by any person or institution not covered under
paragraph (a) or (f );
(l) any activity of a VFA agent carried out by a person or institution registered or
required to be registered under the provisions of the Virtual Financial Assets Act;
(m) VFA services carried out by a person or institution licensed or required to be
licensed under the provisions of the Virtual Financial Assets Act;
(n) the issue of virtual financial assets for offer to the public in or from Malta in
terms of the Virtual Financial Assets Act; and
(o) any activity under paragraphs (a) to (k) carried out by branches established in Malta
and whose head offices are situated outside Malta.”30
Over the years, the categories of subject persons have continued to broaden as
the sophistication of the money launderer or terrorist financier has continued to
evolve and as their patterns or trends have shifted from the more mainstream
financial services to the less mainstream or non- financial products or services.

29. “Marketing its units or shares” means the direct or indirect offering or placement at the
initiative of the collective investment scheme (“the scheme”) or on behalf of the scheme,
of units or shares in it, to or with investors. Thus, all schemes the units or shares in which
are offered to or placed with investors, whether directly or indirectly, by the scheme itself
or by other third parties on behalf of the scheme, are considered to be subject persons.
30. Regulation 2(1) of the PMLFTR.


Gaming licensees have been added as a new category of subject persons (deemed
to be carrying on a relevant activity) and even the threshold for natural or legal
persons trading in goods where a transaction involves a payment in cash, has
been decreased from €15,000 to €10,000 to catch a broader number of traders.
New additions have also been made to persons carrying out ‘relevant financial
business’, which now also covers activities of Virtual Financial Assets (VFA)
operators in terms of the Virtual Financial Assets Act,31 and the activities of safe
custody services, even when provided by any person or institution other than those
licensed or authorised under the Banking Act or the Investment Services Act.
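The €10,000 cash threshold for traders in goods applies whether the amount is paid in a single operation or in several operations which appear to be linked, so a trader cannot decide whether it is a subject person for a given sale by looking at one receipt in isolation. The following Python sketch is an added example, not part of the Implementing Procedures or any FIAU tool, of how a trader might screen its cash receipts against that threshold. The Regulations do not define when operations "appear to be linked"; the 30-day rolling window, the customer references and the sample receipts below are assumptions constructed for this example, and a subject person must set its own linkage criteria on a risk-sensitive basis.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Threshold from the PMLFTR definition of 'relevant activity', paragraph (h).
THRESHOLD_EUR = Decimal("10000")
# Assumed linkage rule for this example only: cash operations by the same
# customer fall into one linked series when each is within 30 days of the
# previous one. The Regulations do not define 'appear to be linked'.
LINK_WINDOW_DAYS = 30


@dataclass(frozen=True)
class CashPayment:
    customer: str      # hypothetical customer reference
    when: date
    amount: Decimal    # euro received in cash


def linked_series(payments, window_days=LINK_WINDOW_DAYS):
    """Split each customer's cash payments, in date order, into runs in which
    consecutive payments are no more than window_days apart."""
    by_customer = {}
    for p in sorted(payments, key=lambda p: (p.customer, p.when)):
        by_customer.setdefault(p.customer, []).append(p)
    series = []
    for plist in by_customer.values():
        run = [plist[0]]
        for p in plist[1:]:
            if (p.when - run[-1].when).days <= window_days:
                run.append(p)
            else:
                series.append(run)
                run = [p]
        series.append(run)
    return series


def threshold_hits(payments, threshold=THRESHOLD_EUR, window_days=LINK_WINDOW_DAYS):
    """Return one (customer, total, operations, first_date, last_date) tuple for
    every single operation or linked series whose cash total reaches threshold.
    Each hit marks a transaction for which the trader is a subject person and
    CDD and record-keeping obligations attach."""
    hits = []
    for run in linked_series(payments, window_days):
        total = sum((p.amount for p in run), Decimal("0"))
        if total >= threshold:
            hits.append((run[0].customer, total, len(run), run[0].when, run[-1].when))
    return hits


# Constructed sample receipts (not real data).
SAMPLE_PAYMENTS = [
    CashPayment("A", date(2021, 3, 1), Decimal("12000")),    # single operation above threshold
    CashPayment("B", date(2021, 3, 1), Decimal("4000")),     # three linked operations summing to 10,000
    CashPayment("B", date(2021, 3, 10), Decimal("3500")),
    CashPayment("B", date(2021, 3, 20), Decimal("2500")),
    CashPayment("C", date(2021, 1, 5), Decimal("6000")),     # two operations too far apart to be linked
    CashPayment("C", date(2021, 4, 15), Decimal("6000")),
    CashPayment("D", date(2021, 2, 2), Decimal("9999.99")),  # just under the threshold
]

if __name__ == "__main__":
    for customer, total, ops, first, last in threshold_hits(SAMPLE_PAYMENTS):
        print(f"{customer}: EUR {total} over {ops} operation(s) from {first} to {last}")
```

Run as written, customers A and B are flagged; C is not, because its two payments fall outside the assumed window, and D is not, because it stays below the threshold. Re-running `threshold_hits(SAMPLE_PAYMENTS, threshold=15000)` flags nobody, which is the practical effect of the threshold being lowered from €15,000 to €10,000: the same receipts now bring the trader within the definition of a subject person. A real implementation would also have to consider payments split across related customers and payments in other currencies converted to euro.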

2.2 PURPOSE OF THE IMPLEMENTING PROCEDURES


The purpose of the Implementing Procedures is to assist subject persons to
understand and fulfil their obligations under the PMLFTR, thus ensuring an
effective implementation of the provisions of the PMLFTR. When applying certain
AML/CFT measures, a degree of proportionality and flexibility is envisaged.
Therefore, subject persons have a degree of discretion in how they comply with
AML/CFT measures, and on the procedures that they put in place for this purpose,
which should be proportionate to the size, type and complexity of their business
activities. The manner and extent to which this flexibility is to be exercised is
explained in detail in different parts of these Implementing Procedures.
In essence, the Implementing Procedures are being issued to achieve the
following objectives:
(a) to outline the requirements set out in the PMLFTR and other obligations
emanating from the PMLA;
(b) to interpret the requirements of the above- mentioned laws and regulations
and provide measures on how these should be effectively implemented in
practice, promoting the use of a proportionate risk-based approach;
(c) to provide industry- specific good practice guidance and direction on
AML/CFT procedures; and
(d) to assist subject persons in designing and implementing systems and controls
for the prevention and detection of ML/FT.
When considering the purpose of AML/CFT measures, it is helpful to go back
to basics and understand the utility and purpose of these measures. Broken down

31. Cap. 590 Laws of Malta.

IMPLEMENTING PROCEDURES
30
2. THE IMPLEMENTING PROCEDURES
CONTINUED

to their very basic elements, AML/CFT measures are intended to ensure the
following:
(a) identification and verification of a customer and ultimate beneficial owner. This
ensures that subject persons know who their customer is and, where
appropriate, who the ultimate beneficial owner is and are sure that the person
being dealt with is, in fact, who he/she purports to be. This, in turn, enables
subject persons to let the FIAU know (where they are obliged to do so by
law) who the person involved in any suspicious activity is;
(b) record keeping. This ensures that the details of a customer relationship or
individual transaction are preserved for eventual assessment by the FIAU and
other law enforcement and relevant authorities, which in turn ensures that
any suspicious transaction can be properly examined by the competent
authorities, investigated and acted upon;
(c) suspicious transaction reporting. This ensures that any suspicious transaction
is brought to the FIAU’s attention, as required by law, to enable it to take the
appropriate action. This is considered to be the most important AML/CFT
obligation of all and it could be safely stated that other AML/CFT obligations
are the means to detect and flag suspicious transactions; and
(d) awareness and training. This ensures that a subject person’s staff remain up
to date on current legal obligations, money laundering and terrorist financing
methods and trends, as well as on their own organisation’s policies and
procedures, among other things.
Of course, other obligations also exist in terms of the applicable law and these
Implementing Procedures, all of which have a useful function to fulfil. Still, the
above main obligations help market operators to appreciate the important role
that subject persons have in the fight against ML/FT. They also emphasise the
fact that , ultimately, both the FIAU and subject persons are on the same side of
the fence when it comes to the fight against ML/FT.
The primary consideration in applying AML/CFT measures should be the extent
of the ML/FT risks to which subject persons may be prone or exposed. As a
general rule, subject persons are required to assess, understand and manage their
ML/FT risks in the most appropriate and proportionate manner.
Subject Persons must address their management of risk in a thoughtful, considered
manner, and establish and maintain systems and procedures that are appropriate and
proportionate to the risks identified to achieve the intended purpose of the PMLFTR
and these Implementing Procedures. The Implementing Procedures also seek to
assist subject persons to achieve this objective within the parameters of the law.


2.3 STATUS AND APPLICATION OF THE IMPLEMENTING PROCEDURES

These Implementing Procedures are being issued in terms of Regulation 17 of
the PMLFTR, which empowers the FIAU to issue these procedures and guidance
to bring into effect the provisions of the PMLFTR. In accordance with this
regulation, these Implementing Procedures are legally binding on all subject
persons and are not merely consultative.
The Implementing Procedures set out what is expected of subject persons and
their staff in relation to the prevention of ML/FT by providing an interpretation on
how the PMLFTR is to be effectively implemented in practice and by indicating what
the FIAU expects from subject persons when implementing their obligations at law.
In view of this, subject persons should be aware that failure to comply with these
procedures may render them liable to the imposition of administrative sanctions.
The Implementing Procedures are divided into two parts. Part I is applicable to all
sectors falling within the definition of ‘relevant activity’ and ‘relevant financial
business’. Part II, on the other hand, constitutes the more specific sectoral
guidance, and must necessarily be read by each specific sector in conjunction with
Part I of the Implementing Procedures.
By adopting this method, it is possible for particular sectors to have implementing
procedures that are tailor-made to the realities of their industry and to take into
account any specific matters that it may not be possible to address comfortably
or properly by rules that are of a more general application.
From time to time, the Implementing Procedures may be amended to ensure that
they remain harmonised with amendments to legislation and other material
developments originating from changes in international standards, especially those
emanating from the FATF and EU AML Directives and Regulations. Subject
persons should therefore ensure that they adhere and refer to the most recent
version of the Implementing Procedures.
A reading of the Implementing Procedures should, of course, not be a substitute for
a reading of the PMLFTR and the PMLA themselves, besides the relevant provisions
of the Criminal Code32 dealing with terrorist financing and related offences. Moreover,
this document should not be used as an internal procedures manual or as an
exhaustive checklist of steps to be taken when complying with AML/CFT obligations.
The Implementing Procedures are binding on subject persons from the date on
which they are issued.

32. Cap. 9 of the Laws of Malta.

CHAPTER 3 – THE RISK-BASED APPROACH

The PMLFTR oblige subject persons to adopt and implement a series of
measures, policies, controls and procedures to prevent the financial system or
other systems from being misused for ML/FT. However, the PMLFTR also
recognise that the risk of ML/FT may vary from one sector to another, from one
subject person to another as well as from one business relationship, or occasional
transaction, to the other.
Therefore, to ensure that the AML/CFT measures, policies, controls and
procedures adopted are truly effective, the PMLFTR require subject persons to
implement the same on a risk-sensitive basis through the adoption of a risk-based
approach. This means that subject persons must identify and assess the
ML/FT risks they are exposed to, and vary and adapt these measures, policies,
controls and procedures in a way that ensures that resources are applied where
most needed, i.e., where the subject person determines that it is exposed to a
higher than normal risk of ML/FT.

3.1 NOTIONS OF RISK


The effectiveness of the risk-based approach depends on the proper
understanding of the ML/FT risk to which a subject person is exposed. Risk is
here understood as being inherent risk, i.e., the risk one is exposed to prior to
adopting and applying any measures, policies, controls and procedures to mitigate
the same.
To assess risk, it is therefore first necessary to identify and understand how risk
can manifest itself, keeping in mind one’s:
(a) vulnerabilities, i.e., the weaknesses that may be exploited for ML/FT purposes;
and
(b) threats, i.e., the external elements that seek to exploit a subject person’s
vulnerabilities.
Regard must therefore be had to risk factors, i.e., those variables that either on
their own or in combination with each other may increase or decrease the ML/FT
risk posed to a subject person.
Identification of ML/FT risk has to be followed by an assessment of the same by
considering the likelihood of risk manifesting itself and the impact any such
manifestation would have on the subject person.
Impact consists in the nature and seriousness of the resultant damage if a threat
manages to exploit one or more vulnerabilities, and it can take a number of forms,


including reputational risk, business risk, regulatory risk, legal risk, financial loss and
others. Likelihood and impact will lead to the determination of the level of
inherent risk a subject person is exposed to.
Determining the likelihood and impact of risk will highlight the areas where a
subject person’s mitigating measures, i.e., its AML/CFT measures, policies, controls
and procedures, need to be the strongest to mitigate the level of inherent risk
identified. To evaluate the effectiveness of one’s AML/CFT measures, policies,
controls and procedures, one has to look at what level of risk is left after applying
these measures, policies, controls and procedures to the level of inherent risk one
has identified. Any risk left is termed the residual risk.
Thus:
Level of Inherent Risk – Mitigating Measures = Level of Residual Risk
It is acknowledged that independently of the measures, policies, controls and
procedures adopted, there will remain a degree of ML/FT risk that cannot be
addressed, avoided or controlled.
At this stage, a subject person has to consider whether the residual risk falls within
its risk appetite, i.e., whether the subject person is prepared to accept that level
of residual risk in the pursuit of its business objectives. Risk appetite is set through
a consideration on the part of the subject person: Does the subject person deem
it worthwhile to carry out activities in an environment where the likelihood of
risk materialising and the resulting impact are high, or is it preferable to avoid as
much as possible the likelihood of risk materialising and affecting the subject
person’s activities?
Where the residual risk falls outside one’s risk appetite, and to the extent that it
may be possible, the mitigating measures applied have to be revisited to further
strengthen their efficacy in preventing the materialisation of risk and reduce the
residual risk to within acceptable parameters. Alternatively, the subject person would
only be able to control risk through desisting from pursuing that particular activity.
While risk appetite will be reflected in one’s risk tolerance, it is important to
remember that this leaves unaffected one’s obligations at law. Thus, a subject
person’s risk appetite should never be more than what can be effectively mitigated
through the measures, controls, policies and procedures adopted to address the
risks it is exposed to. Being willing to accept levels of risk, without being able to
adopt equally effective mitigating measures, would expose the subject person to
supervisory and/or law enforcement action.


3.2 RISK FACTORS


The risk-based approach hinges on two aspects: an understanding of the risks one
is facing and, based on this understanding, the variation of one’s controls, policies,
measures and procedures to achieve the strongest mitigating effect possible. This
calls not only for an understanding and assessment of risk that one’s business is in
general exposed to, i.e., business risk assessments (BRAs), but also for a more
specific assessment of the risk to which a subject person will be exposing
themselves to when establishing individual business relationships or carrying out
a given occasional transaction, i.e., customer risk assessments (CRAs).
In both instances, the assessment of the inherent risks will depend on identifying
the threats and vulnerabilities that one is exposed to. This can be done by
considering those areas from which risk may manifest itself, i.e., the risk factors. In
determining what these risk factors are, subject persons are to refer to Regulation
5(1) of the PMLFTR, which makes reference to “risk factors including those
relating to customers, countries or geographical areas, products, services,
transactions and delivery channels”.
What follows is intended to provide subject persons with guidance on some of
the main risk factors falling within each of these categories and deemed to be
common to both the BRA and the CRA. However, this list should in no way be
considered as being exhaustive. The risk factors a subject person may be exposed
to will vary depending on the nature and size of the business, understood as being
both its structures and systems, as well as its actual activities.

3.2.1 Customer Risk


Customer risk is the risk of ML/FT that arises from entertaining relations with a
given person or entity. This may be due to the business or professional activity
carried out by the customer or the beneficial owner.
Some business or professional activities from which the customer or the
beneficial owner, if applicable, are deriving their wealth or the funds to be used in
the course of a business relationship or an occasional transaction are to be
considered as presenting a high risk of ML/FT.
These include cases when:
(a) the activity pursued is cash (or cash equivalent) intensive;
(b) the activity is commonly associated with a higher risk of corruption (e.g., the
arms trade and defence industry, and the mining industry);


(c) the activity is associated with a higher risk of ML/FT (e.g., virtual currencies
and money remittance);
(d) the activity is conducted through opaque and complex structures for which
there does not seem to be a legitimate justification;
(e) the customer is a personal asset-holding vehicle; or
(f) the customer is a voluntary organisation that primarily engages in raising or
disbursing funds for charitable, religious, cultural, educational or social
purposes (especially when they remit funds to third countries), and hence its
activities are particularly susceptible to be misused for the funding of terrorism.
On the other hand, there are activities that can be considered as presenting a
lower than usual risk of ML/FT.
These include cases when:
(a) entities are listed on a regulated market and are subject to enforceable
disclosure requirements, which ensure adequate transparency of beneficial
ownership;
(b) entities carry out relevant financial business or equivalent activities subject to
equivalent AML/CFT obligations as those applicable in Malta and which are
subject to effective supervision; and
(c) entities form part of the public administration or public enterprises.
Apart from the customer’s business or activities, there are other factors that can
lead to the customer being considered as presenting a higher risk of ML/FT. These
include situations where:
(a) the customer has applied for, or is benefitting from, residence rights or
citizenship in exchange for capital transfers, purchase of property or
government bonds, or investment in corporate entities; or
(b) the individuals involved in the activity pursued include PEPs or individuals
having otherwise prominent public positions that may equally be exploited for
their personal advantage.

3.2.2 Geographical Risk


Geographical risk arises from links with one or more geographical areas, usually
related to those jurisdictions (a) where the customer or its beneficial owner are
based, have their main place of business or where the activity generating the


customer’s or beneficial owner’s wealth is carried out, and the jurisdictions with
which the customer has especially strong trading or financial connections; and/or
(b) with which the customer or its beneficial owner have relevant personal links
(for example the individual’s residence in a given jurisdiction).
The factors that a subject person has to consider when determining whether a
geographical area poses a higher risk of ML/FT include:
(a) countries on the European Commission’s list of third countries having strategic
deficiencies in their AML/CFT regime;
(b) countries identified by other credible sources as having serious deficiencies
within their AML/CFT framework (e.g., FATF, FSRBs like MONEYVAL, IMF,
etc.);
(c) countries subject to sanctions, embargoes or similar measures issued by
international organisations, such as the United Nations Security Council or
the European Union. In addition, in some circumstances, countries subject to
sanctions or measures that may not be universally recognised (e.g., OFAC
sanctions) should be given credence by the subject person because of the
standing of the issuer and the nature of the measures;
(d) countries identified by credible sources as providing funding or support for
terrorist activities or that have terrorist organisations operating within them;
(e) countries identified as having significant levels of corruption or other criminal
activity through credible sources, like the Corruption Perception Index
compiled by Transparency International;33
(f) countries that have shown a lack of willingness to comply with international
tax transparency and information sharing standards (e.g., failure to adhere to
or apply the Common Reporting Standard); and
(g) countries that fail to implement effective beneficial ownership transparency
and availability measures and hence allow the legal entities or arrangements
set up in that jurisdiction to be used as secretive vehicles and misused for
ML/FT purposes.
Membership of regional or international bodies, such as the FATF and
MONEYVAL, on its own is not to be taken to mean that the country necessarily
presents a low risk of ML/FT. The same applies to countries that are not listed in
any international black or grey lists, since it may well mean that a country has still

33. The Corruption Perception Index is available through the website of Transparency
International – https://www.transparency.org/.


to be evaluated by an international organisation or that the failures identified,
which may be in key areas and of relevance to the subject person, were not
sufficient to result in its listing.
Chapter 8 provides further guidance in relation to how to assess the geographical
risk and identify which jurisdictions present a higher level of ML/FT risk.

3.2.3 Product, Service and Transaction Risk


The product, service or transaction risk is the risk one is exposed to as a result of
providing a given product or service, or carrying out a particular transaction. Much
will depend on (a) the level of transparency or opaqueness that the product,
service or transaction affords; (b) the complexity of the product, service or
transaction; and (c) the value or size of the product, service or transaction.
(a) Transparency
Products or services that inherently provide or facilitate anonymity, thus allowing
the customer or the beneficial owner to remain anonymous or facilitate hiding
their identity, are to be considered as presenting a higher risk of ML/FT than other
products or services. These include products like nominee or omnibus accounts,
and fiduciary and trustee services. The ability of a third party to give instructions,
even though not a party to the business relationship, should also be factored in.
(b) Complexity
The risk of a product or service is conditioned by the complexity of the
transactions that can be carried out by making use of the same. A product or
service allowing international transactions involving multiple parties and multiple
jurisdictions to be carried out, as can be with trade finance, is to be considered as
presenting a higher risk than a product or service used to carry out regular
transactions involving amounts that are constant and the source of which is
known, such as an account to receive social security benefits or salaries only.
(c) Value and Size
A product or service that is cash intensive is to be considered as presenting a
higher risk than other products that cannot be so funded. Regard should also be
had to whether the product or service allows high-value transactions to take
place. A payment instrument or an account without any limits or capping presents
a higher risk than a similar instrument or account that applies the same, though
regard has to be had to how high any such limits or capping are.


Subject persons should here also consider how they are going to make funding
available since some payment methods allow a higher degree of anonymity than
others (e.g., cash, pre-paid cards and virtual currencies).

3.2.4 Delivery Channels Risk


The delivery channel, or interface risk, is the risk arising from how the subject
person interacts with the customer and the channels it uses to provide a given
product or service. Interacting with customers on a non-face-to-face basis need
not be considered as automatically presenting a high risk of ML/FT. The
implementation by a subject person of technological means within its systems to
address the risk of impersonation or identity fraud would significantly reduce the
inherent risk arising from this form of interaction with customers. However, absent
these systems, the risk should still be considered as high.
The same applies where these relations with the customer are entertained through
multiple layers of intermediaries. Subject persons have to consider the reliability of
these intermediaries and the standards of AML/CFT they are subject to.
The same applies where a customer is recommended by an introducer or another
entity forming part of the same entity. This is especially true in those instances
when the subject person exercises reliance thereon, as provided for in terms of
Regulation 12 of the PMLFTR.

3.2.5 Additional Risk Factors


Through the wording adopted in Regulation 5(1), it is clear that the above risk
factors are not exhaustive. Thus, a subject person has to consider whether there
are additional risk factors that would need to be considered. One example would
be outsourcing; that is, delegating the implementation of parts of one’s AML/CFT
measures, policies, controls and procedures to a third-party service provider.
Doing so introduces an additional variable since the subject person will be
dependent on the service provider’s reliability and quality of work to obtain the
necessary information on which to base its decisions, including information that
may influence the subject person’s risk assessment and changes thereto.
It is also important to note that risk factors are not static, and it is possible that a
subject person will have to consider additional or new risk factors over time. The
environment within which subject persons carry out their respective activities, as
well as their relations with their customers, will inevitably evolve, leading to the
emergence of risk factors that were not previously considered.


3.2.6 Sector Specific Risk Factors


Subject persons carrying out one or more specific relevant activities and/or
relevant financial business will be exposed to particular risk factors. It is therefore
imperative that subject persons consider any risk factors that may be peculiar to
their particular area of activity. In particular, subject persons have to consider:
(a) any risk factors that may be highlighted by the FIAU in any sector specific
Implementing Procedures that the FIAU may issue from time to time; and
(b) the revised version of the Risk Factors Guidelines issued by the EBA insofar
as these may be applicable to them. These Guidelines contain sections
setting out risk factors particular to activities that constitute “relevant
financial business” in terms of the PMLFTR. While these Guidelines focus
on the CRA rather than the BRA, there are various factors that are not
specific to any given business relationship or occasional transaction but
which can manifest themselves throughout and hence should be taken into
consideration even when carrying out the BRA. Thus, anyone carrying out
any relevant financial business referred to in this document, and is assessing
its ML/FT risk, is to also consider any sector-specific risk factors referred to
in this document.
The Risk Factor Guidelines are available on the EBA’s website.

3.2.7 Sources of Information


In determining the risk factors that subject persons are to consider as well as any
change thereto, subject persons can avail themselves of a large body of
information. The PMLFTR themselves oblige subject persons to consider any
supranational risk assessment (i.e., the Supranational Risk Assessment carried out
by the European Commission)34 as well as any national risk assessment.35 This
would extend to cover not only updates to these assessments but also
assessments that consider the ML/FT risk presented by one or more specific
sectors at the supranational and/or national level.

34. The Supranational Risk Assessment is available on the website of the European
Commission – http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=81272.
35. The results of the latest national risk assessment can be found on the website of the
Ministry for Finance and are accessible through the following link –
https://mfin.gov.mt/en/Library/Documents/Result_of_the_NRA_2018.pdf.


Apart from these assessments, a subject person would also be expected to
consult and make use of:
(a) any relevant reports issued by the FATF, MONEYVAL and other FSRBs;
(b) reports, typologies and other information made available by FIUs or law
enforcement agencies;
(c) sectoral risk assessments;
(d) information, reports and guidance made available by the ESAs and competent
authorities;
(e) information from industry or professional bodies, including self-regulatory
bodies;
(f) information from civil society, such as corruption indices and country reports;
(g) information from international standard-setting bodies, such as mutual
evaluation reports or legally non-binding blacklists;
(h) information from credible and reliable open sources, such as reports in
reputable newspapers;
(i) information from credible and reliable commercial organisations, such as risk
and intelligence reports; and
(j) information from statistical organisations and academia.
Subject persons can also make use of what experience they may already have in
providing their services and/or products.

3.3 THE BUSINESS RISK ASSESSMENT


A BRA is a process whereby the subject person identifies the threats and
vulnerabilities that it is exposed to and assesses the likelihood and impact of
ML/FT risks. On the basis of this assessment, it will be able to determine which
areas to prioritise in terms of AML/CFT and ensure that its AML/CFT measures,
policies, controls and procedures are commensurate with the ML/FT risks it faces
to mitigate the same.
The BRA is therefore the foundation of the risk-based approach and the PMLFTR
impose an obligation on the subject person to “take appropriate steps,
proportionate to the nature and size of its business, to identify and assess the
risks of money laundering and funding of terrorism that arise out of its activities
or business”.


Subject persons forming part of a group are also expected to carry out their
individual BRA. While a group can carry out a group-wide risk assessment, this
cannot be relied on blindly by the subject persons within the group without
considering whether this risk assessment is comprehensive enough to cover all
its activities and operations.

3.3.1 The Basic Steps


The identification of the threats and vulnerabilities one is exposed to requires a
consideration of the risk areas and risk factors referred to in Section 3.2 above
both from a qualitative and a quantitative point of view. Thus, for the purposes of
the BRA, it is not sufficient for the subject person to merely draw up an inventory
of the threats or vulnerabilities, but it also has to consider how numerous these
threats or vulnerabilities are. The following are some of the quantitative factors
to consider:
(a) Customer Risk:
• the number of customers within each customer risk type;
• the maturity of the client base, i.e., the duration of existing business
relationships; and
• the volume of business.
(b) Geographical Risk:
• the number of subsidiaries or branches within a given jurisdiction;
• the number of customers and/or beneficial owners from a given
jurisdiction;
• the number of transactions to/from a given jurisdiction; and
• the number of any other links that expose it to a given jurisdiction.
(c) Products, Services and Transaction Risk:
• the number of products, services (including correspondent and trade
finance relationships) and transactions;
• the number of customers per each product and service;
• the volume per product and service.


(d) Delivery Channel:
• the number of relationships started on a non-face-to-face basis;
• the number of distributors and agents; and
• the number of customers introduced through introducers and intermediaries.
Existing subject persons will have to examine their current business structures,
client base and portfolio of products and services, as well as any diversification or
expansion plans they may have. On the other hand, prospective subject persons
will have to look at how they intend to structure their business, which markets
they intend to target, what products or services they are to offer, and any
estimates made.
Doing so should allow a subject person to identify the various risk factors that it
is to take into consideration for its BRA. The combination and assessment of these
risk factors will allow the subject person to identify the threats it is exposed to
and the vulnerabilities that may be exploited for ML/FT purposes.
Having done so, the subject person has to determine the likelihood of any one
scenario materialising, and the possible impact thereof. Taken together, likelihood
and impact will lead to one’s inherent risk. While it is left to the individual subject
person to determine how to do so, the following set of tables provides possible
options that a subject person may adopt based on scales.
A Likelihood Scale refers to the potential of an ML/FT risk occurring in the
subject person’s business for the particular risk being assessed. Four levels of risk
are shown in Table 1, but a subject person can have as many as it believes are
necessary.

Table 1 – Likelihood scale

Likelihood Scale   Frequency                         Likelihood of ML/FT Risk
4 – Extreme        Can occur several times a year    very high chance
3 – High           Can occur a few times a year      reasonable chance
2 – Medium         Can occur once a year             small chance
1 – Low            Can occur less than once a year   very unlikely


An Impact Scale refers to the seriousness of the damage (or otherwise) that
could occur should the event happen (and the risk, therefore, materialises). Four
levels of risk are shown in Table 2, but a subject person can have as many as it
believes are necessary.

Table 2 – Impact scale

Consequence   Impact of ML/FT Risk
4 – Extreme   Severe loss or damage, heavy supervisory action – long-term effect
3 – High      Large loss or damage, supervisory action – medium-term effect
2 – Medium    Limited loss or damage, minor supervisory action – short-term effect
1 – Low       Negligible loss or damage, no supervisory action – no effect

Taken together, the subject person will be able to determine the level or degree
of inherent risk it is exposed to:

Table 3 – Inherent Risk

                               IMPACT
LIKELIHOOD   1               2               3               4
1            Low Risk        Low Risk        Moderate Risk   High Risk
2            Low Risk        Low Risk        Moderate Risk   Extreme Risk
3            Moderate Risk   Moderate Risk   High Risk       Extreme Risk
4            High Risk       High Risk       Extreme Risk    Extreme Risk


Having determined the inherent risk, the subject person has to then consider
what AML/CFT measures, policies, controls and procedures it already has in place
or it plans to adopt, and establish how effective these are in mitigating the
inherent risk. In so doing, a subject person should not only consider regulatory
guidance but, in the case of existing businesses, also their own experience with
the implementation of the measures, policies, controls and procedures the subject
person may already have in place (e.g., internal audit reports, compliance reports
and incidents that may have already led to supervisory action).
In particular, subject persons are to ensure that , to the extent applicable to them,
they consider adopting the mitigating measures referred to in the EBA’s Risk
Factor Guidelines referred to in Section 3.2.6 above.
Effectiveness can be rated using a scale akin to the ones used to rate likelihood
and impact .

Table 4 – Effectiveness

  Level of Mitigation   Description of Effectiveness
  4 – Strong            There are measures in place to control risk that are
                        fully operational and fully effective
  3 – Effective         Risk is managed adequately but could be improved in
                        certain parts – mitigating measures work adequately and
                        are effective
  2 – Ineffective       Risk is not managed adequately, substantial improvement
                        necessary but has some effect
  1 – Non-Existent      No controls or controls are ineffective

Considering the inherent risk level in the light of the effectiveness score will
enable the subject person to determine the residual risk.
Example:
  Low inherent risk and ineffective level of mitigation = low or medium residual risk
  High inherent risk and ineffective level of mitigation = high residual risk
It is important to note that the effectiveness of one’s measures will leave the
inherent risk unchanged; independently of how effective a mitigating measure
may be, a high-risk situation will remain high risk.


The residual risk will allow a subject person to determine whether it is able to
tolerate that risk as it falls within its risk appetite, or whether it needs to take
further remedial action; that is, either taking additional measures to further
mitigate the risk and bring it within acceptable levels, or to decline pursuing that
particular business in its entirety.
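The scoring described in Tables 1 to 4 and the residual-risk and risk-appetite steps above, worked through as an added example (this is not code from the Implementing Procedures or the FIAU). Table 3 is reproduced exactly as given; the number of levels by which each effectiveness score lowers the residual rating, the risk-appetite threshold and the tolerate/strengthen/decline decision rule are illustrative assumptions, chosen to agree with the two residual-risk examples in the text and with the rule that mitigation never alters the inherent rating itself.

```python
"""Inherent and residual risk scoring for a Business Risk Assessment (added example)."""
from dataclasses import dataclass

# Table 1 and Table 2: scale labels for likelihood and impact, as given.
LIKELIHOOD = {4: "Extreme", 3: "High", 2: "Medium", 1: "Low"}
IMPACT = {4: "Extreme", 3: "High", 2: "Medium", 1: "Low"}
# Table 4: effectiveness of mitigating measures, as given.
EFFECTIVENESS = {4: "Strong", 3: "Effective", 2: "Ineffective", 1: "Non-Existent"}

# Table 3 - Inherent Risk, reproduced exactly: outer key is the likelihood score
# (row), inner key is the impact score (column).
INHERENT_RISK = {
    1: {1: "Low", 2: "Low", 3: "Moderate", 4: "High"},
    2: {1: "Low", 2: "Low", 3: "Moderate", 4: "Extreme"},
    3: {1: "Moderate", 2: "Moderate", 3: "High", 4: "Extreme"},
    4: {1: "High", 2: "High", 3: "Extreme", 4: "Extreme"},
}
LEVELS = ["Low", "Moderate", "High", "Extreme"]  # ordered, lowest first

# ASSUMPTION (not in the text): how many levels a given effectiveness score lets
# the residual rating drop below the inherent rating. Ineffective or non-existent
# controls give no reduction, which matches the text's examples
# (low + ineffective = low; high + ineffective = high).
RESIDUAL_STEP_DOWN = {4: 2, 3: 1, 2: 0, 1: 0}


def inherent_risk(likelihood: int, impact: int) -> str:
    """Look up Table 3 for a likelihood and an impact score (each 1-4)."""
    if likelihood not in INHERENT_RISK or impact not in INHERENT_RISK[likelihood]:
        raise ValueError("likelihood and impact must each be an integer from 1 to 4")
    return INHERENT_RISK[likelihood][impact]


def residual_risk(inherent: str, effectiveness: int) -> str:
    """Derive the residual risk from the inherent risk and an effectiveness score.

    The inherent rating is never modified; only the residual rating moves.
    """
    if effectiveness not in RESIDUAL_STEP_DOWN:
        raise ValueError("effectiveness must be an integer from 1 to 4")
    index = LEVELS.index(inherent) - RESIDUAL_STEP_DOWN[effectiveness]
    return LEVELS[max(index, 0)]


@dataclass(frozen=True)
class RiskAssessmentRecord:
    """One documented line of the BRA: scores, outcome and the reasoning behind it."""
    risk_name: str
    likelihood: int
    impact: int
    effectiveness: int
    inherent: str
    residual: str
    decision: str
    rationale: str


def assess(risk_name: str, likelihood: int, impact: int, effectiveness: int,
           risk_appetite: str = "Moderate") -> RiskAssessmentRecord:
    """Score one risk and decide whether it sits within the risk appetite.

    risk_appetite is the highest residual level the subject person tolerates
    (ASSUMPTION: expressed on the same scale as the inherent rating).
    """
    inherent = inherent_risk(likelihood, impact)
    residual = residual_risk(inherent, effectiveness)
    if LEVELS.index(residual) <= LEVELS.index(risk_appetite):
        decision = "tolerate"
    elif effectiveness < 4:
        # Controls can still be strengthened before the business is declined.
        decision = "strengthen mitigation"
    else:
        # Even strong controls leave the risk above appetite: decline the business.
        decision = "decline business"
    rationale = (
        f"likelihood {likelihood} ({LIKELIHOOD[likelihood]}) x impact {impact} "
        f"({IMPACT[impact]}) gives inherent risk {inherent}; mitigation rated "
        f"{effectiveness} ({EFFECTIVENESS[effectiveness]}) leaves residual risk {residual}"
    )
    return RiskAssessmentRecord(risk_name, likelihood, impact, effectiveness,
                                inherent, residual, decision, rationale)


if __name__ == "__main__":
    # Constructed sample risks, not taken from any real BRA.
    for record in (
        assess("Cash-intensive retail clients", 3, 4, 4),
        assess("Cross-border wire transfers", 4, 4, 3),
        assess("Domestic low-value payments", 1, 2, 2),
    ):
        print(f"{record.risk_name}: inherent={record.inherent}, "
              f"residual={record.residual}, decision={record.decision}")
```

The rationale string is kept on each record because the BRA must document not only the outcome but the reasons for each rating (Section 3.3.2); a reviewer can re-derive every residual rating from the three scores and the two tables without any further context.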

3.3.2 Carrying out the Business Risk Assessment


The BRA, changes thereto, and any connected decision have to be duly
documented to retain evidence that an appropriate review has taken place, and are
to be made available to the FIAU and relevant supervisory authorities on demand.
All the aspects of the BRA should be covered, including:
(a) the methodology adopted by the subject person;
(b) the reasons for considering a risk factor as presenting a low, medium or high
risk;
(c) the outcome of the BRA; as well as
(d) any information sources used.
The BRA has to be proportionate to the nature and size of a subject person’s
business, i.e., both the nature and size of a subject person’s systems and structures,
as well as the nature and size of its activities.
A subject person with a large business conducted through multiple branches,
agencies and subsidiaries is less likely to know its clients personally and it could
offer a greater degree of anonymity than a small business. The same applies with
a business that conducts complex transactions across various jurisdictions, which
could offer greater opportunities to money launderers than a purely domestic
business.
Thus, the more complex the activities of a subject person, the more sophisticated
its risk assessment is expected to be. Conversely, a subject person that does not
offer complex products, services or transactions, and with limited or no
international exposure, will not require a complex or sophisticated assessment.
The subject person would be expected to involve a number of functions, where
applicable, in the drafting of the BRA. The MLRO, the internal auditor as well as
anyone else responsible for monitoring the application of AML/CFT measures,
controls, policies and procedures can all contribute to the BRA through their
insights and experience.


To the extent applicable, the BRA, revisions thereof, as well as any decision taken
in relation thereto, have to be approved by the subject person’s Board of
Directors36 or equivalent management body.
This approval, too, has to be properly documented (e.g., through Board minutes
or resolutions). Naturally, such an obligation applies in the case of subject persons
that are entities, firms or similar arrangements, but would not apply in the case of
sole practitioners, who would themselves be responsible for implementing and
carrying out appropriate BRAs.
In terms of the PMLFTR, each subject person is responsible for having its own
BRA. However, this does not necessarily mean that the subject person has to
draw it up itself since subject persons are free to engage external consultants to
assist them or to carry out the BRA on their behalf.
To ease the regulatory burden on subject persons, it is also possible for subject
persons carrying out a specific relevant activity or a specific relevant financial
business to adopt as their own a sectoral BRA prepared by an industry
representative body.
In the circumstances described above, subject persons are to remember that they
remain responsible to ensure that the BRA is at all times current and reflects their
actual circumstances. Hence, when relying on a standard sectoral BRA or
engaging a consultant, subject persons are to ensure that they review the BRA
and the methodology being used to ensure that it always reflects their activities
and specificities. By way of example, it is possible that any such sectoral BRA will
not adequately consider the geographical risk since it may not consider all the
markets that a given subject person is targeting. In such instances, the sectoral
BRA prepared by the industry representative body concerned would have to be
revised and updated so as to factor in the risk arising from any such particular
jurisdiction.
Similarly, to the extent that may be applicable, the Board of Directors or equivalent
management body will retain responsibility to endorse and approve the BRA, and
also to update it as may be necessary from time to time.

36. It is possible that the Board of Directors may delegate some of its functions to one or
more committees (e.g., to the Internal Audit Committee, to the Risk Management
Committee, etc.). This may also include the function of adopting and approving the BRA
and/or its review and update.


Moreover, the possibility does exist that subject persons carrying out a particular
relevant activity or a relevant financial business may be exempt from carrying out
a BRA. This is, however, a sectoral exemption, and not an individual exemption,
and depends on the FIAU granting this exemption as provided by Regulation 5(2)
of the PMLFTR on the basis of a nationwide risk assessment, whether it is all
encompassing or sectoral, which clearly sets out what the ML/FT risks to which
the given sector is exposed are.
An exemption is intended to be granted when the risks are shown to be known
and uniform throughout a sector, meaning that all business relationships or
transactions will present the same risk or that risk will materialise when specific
factors materialise. In these circumstances, the FIAU may provide for an
exemption and the conditions governing the exemption through an Interpretative
Note or sector-specific Implementing Procedures.

3.3.3 Timing of the Business Risk Assessment


The general principle is that in respect of subject persons who are still to
undertake a relevant activity or a relevant financial business the BRA is to be
carried out prior to the commencement of activity on the basis of the kind of
services, products or transactions it intends to offer, the markets it intends to
target, the technologies it will use to deliver the same, and its intended business
model and activities. Eventually, the BRA would have to be revised, as set out in
Section 3.3.4 below.
Existing subject persons may be said to be better placed to carry out a BRA than
new subject persons. Through their experience and on the basis of internal
reports and/or other compliance findings, existing subject persons may already
be aware of the areas where they are most vulnerable and the main threats they
face when it comes to ML/FT.
Moreover, existing clients may easily provide a benchmark on what the expected
level of activity is, making it easier for them to set thresholds to identify activity
that is unusual and that may be indicative of a higher risk of ML/FT. Thus, existing
subject persons should have more concrete data on the basis of which to carry
out a BRA or to revise any such assessment they may have already conducted
prior to the coming into force of the PMLFTR to ensure it complies with the new
requirements at law.


3.3.4 Revising the Business Risk Assessment


Regulation 5(4) of the PMLFTR lays down that a BRA is regularly reviewed and
kept up to date. This requirement stems from the very nature of risk, which is not
static but evolves continuously in view of external changes as well as changes in
the activities or services of the subject person.
A subject person is therefore required to revise and update its BRA:
(a) whenever new threats and vulnerabilities are identified. It is possible that
in carrying out its activities, the subject person will become aware of risks that
it did not factor in during its original BRA. Information may also become
available that new threats have arisen that are exploiting certain vulnerabilities;
(b) whenever there are changes to its business model/structures/activities.
There are many changes that may require a revision of the BRA. The mere
increase in the number of clients serviced may be sufficient in itself to expose
a subject person to a higher risk of ML/FT than originally considered. The
same applies if new markets are ventured into, be it through an increase in
the portfolio of services, products or transactions offered or the targeting of
new customer segments and/or jurisdictions.
The use of new technologies in delivering services, products or effecting
transactions may also increase the possibility of ML/FT. Moreover, the
adoption of new technologies may also impact the ability of the subject
person to fulfil its AML/CFT obligations, increasing the operational and legal
risks to which the subject person is usually exposed.
When a revision of the BRA is occasioned through planned changes to be
implemented by the subject person, the revision should take place prior to any
such change being implemented. This will enable the subject person to
understand whether this change will heighten the ML/FT risk it is exposed to
and ensure that any necessary action is taken to adequately address the
change in risk; and
(c) whenever there are changes to the external environment within which
the subject person is operating. These may be brought about by, for instance,
regulatory changes and developments in technologies creating new threats.
The absence of any event provided for above does not mean that the BRA does
not require periodical review. Subject persons should consider whether there
have been any other changes that may affect the reliability and relevance of its
BRA on an annual basis.


If it is found that there is no need to change or alter the BRA, a note should be
kept stating that, following a review of the BRA, it was determined that it was still
current and valid, without requiring any updates. Subject persons are not expected
to repeat the assessment annually but to consider at least on an annual basis
whether there exists a basis for revision to ensure it is always kept up to date.

3.4 MITIGATING MEASURES, POLICIES, CONTROLS AND PROCEDURES

Once a subject person has identified the ML/FT risks it is exposed to through the
BRA, it has to take measures to prevent these risks from materialising or at least
mitigate their occurrence as much as possible. This is reflected in the obligation
arising from Regulation 5(5) of the PMLFTR, which lays down that a subject
person must have in place and implement measures, policies, controls and
procedures to address the risks identified as a result of the BRA.
These measures, policies, controls and procedures are to include:
(a) CDD, record-keeping procedures and reporting procedures as further
explained in these Implementing Procedures; and
(b) risk management measures, including customer acceptance policies, CRA
procedures, internal control, compliance management, communications, and
employee screening policies and procedures.
It is important that any measures, policies, controls and procedures be clearly
documented and, where applicable,37 approved by senior management. This
applies not only to the initial measures, policies, controls and procedures adopted
by the subject person but to any subsequent revision of the same.
Where changes to any such measures, policies, controls and procedures are
intended to address a variation in ML/FT risks caused through a planned change
in the subject person’s activities, it is important that the revised measures, policies,
controls and procedures be in place prior to the planned change/s taking place.
The complexity of these measures, policies, controls and procedures will depend
on the nature and size of the subject person’s business and activities. Again, the
subject person must factor in the complexity of its internal structure, including
the use of branches or agencies, if any; the range and complexity of the

37. Approval would be necessary for all subject persons that are entities, firms or other types
of arrangements, having a board of directors or similar management body.


services/products it offers or transactions it effects; the number and nature of its
clients and its employees; the distribution channels it makes use of; and the
technological resources it has at its disposal.
The effectiveness of any such measures, policies, controls and procedures will
inevitably depend on their proper application throughout the subject person’s
business structures. It is therefore imperative that a subject person takes the
necessary steps to inform its officers and employees about them and how they
are to be applied internally.
Their effectiveness will become apparent through their application in the subject
person’s day-to-day operations. It is therefore imperative that a subject person
monitors, on an ongoing basis, how these are applied. This will allow a subject
person to ensure their correct application, determine their effectiveness, and
identify and address, in a timely manner, any shortcomings that result. Moreover,
additional risks may be identified that may contribute to further strengthen one’s
BRA.
The PMLFTR themselves lay considerable emphasis on the need to conduct
ongoing monitoring of one’s measures, policies, controls and procedures. They
not only require that the subject person identifies, where applicable, a member
of its management body who is to be responsible for the overall adoption of these
measures, policies, controls and procedures, but also require the subject person
to consider whether, given the size and nature of its business, this function needs
to be strengthened through:
(a) the appointment of an officer at management level whose duties are to
include monitoring of the day-to-day implementation of the measures,
policies, controls and procedures adopted by the subject person (Chapter 5
provides more details in this regard); and
(b) the implementation of an independent audit function to test the said internal
measures, policies, controls and procedures from time to time.
The latter need not necessarily result in the creation of an internal audit function,
since it is possible for the subject person to engage an external consultant
independent of the subject person to evaluate the adequacy of its internal
controls, policies and procedures. Alternatively, the subject person may assign this
task internally to a person other than the MLRO or anyone else involved in the
implementation or operation of the subject person’s AML/CFT compliance
programme.


3.4.1 The Customer Acceptance Policy


As part of the measures, policies, controls and procedures that the subject person
is to implement, it is especially important that it adopts and applies a CAP. This
policy is to provide a description, with non-exhaustive examples, of the type of
customers that are likely to pose a higher than average risk of ML/FT; the risk
indicators that will lead to a business relationship or an occasional transaction
being considered as presenting a low, medium or high risk of ML/FT; the level of
CDD measures, including ongoing monitoring to be applied in their relation; and
under what circumstances the subject person will decline to service someone.
When drawing up their CAP, subject persons are to remember their obligation
in terms of Regulation 11(5) of the PMLFTR, whereby their risk management
procedures must be conducive to determine whether a customer or its beneficial
owner is a PEP and the measures to be taken whenever a PEP is identified.

3.5 THE CUSTOMER RISK ASSESSMENT


A subject person will only be able to apply the provisions of its CAP once it has
understood the risk inherent in a particular business relationship or an occasional
transaction. To this end, the subject person has to carry out a CRA, i.e., an
assessment of the particular risks it will be exposed to in providing its services or
products, either in the course of a business relationship or as a one-off event (i.e.,
occasional transaction), to specific customers linked to particular jurisdictions
through one or more channels. The information collected to draw up the CRA
will formulate the customer’s risk profile.
On the basis of the CRA, the proper level of CDD can then be applied as
stipulated in the CAP and in a manner that addresses the identified risks effectively.
This is why the CRA has to be carried out prior to the subject person entering
into a business relationship or carrying out an occasional transaction.
Care has to be exercised, since identifying a customer as presenting a higher risk
of ML/FT does not automatically mean that the customer is involved in ML/FT.
However, if the subject person is unable to effectively mitigate those risks, the
subject person has to consider desisting from entering into a business relationship
with or carrying out an occasional transaction for that customer. When these risks
give rise to a suspicion of ML/FT, the subject person should proceed to submit
an STR to the FIAU. On the other hand, identifying a customer as carrying a lower
risk of ML/FT does not mean that the customer presents no risk at all. A subject
person, its officers and employees need to remain vigilant at all times.


The process to be followed to carry out the CRA is to form part of the measures,
policies, controls and procedures adopted by the subject person and already referred
to in Section 3.4.1 above. The level of detail of a CRA is to reflect the complexity
of the business relationship or occasional transaction to be entered into.
The more complex the relationship or transaction, the more structured and
rigorous the CRA should be to show that the risk assessment took account of all
the circumstances involved rather than being based on a generic or categorised
basis. On the other hand, where the relationship or transaction is fairly simple and
straightforward, a subject person may use standardised profiles where these are
proven to effectively assess the risks of ML/FT.
A subject person must be able to objectively and reasonably justify the outcome
of its CRA and document those justifications.

3.5.1(a) Risk Factors


When assessing the risks posed by a customer, the subject person should consider
all risk factors that are known, including those referred to under Section 3.2
above, and ensure that all these factors are included in the customer’s risk profile.
A subject person needs to bear in mind that there are some risk factors that either
arise only in the context of the CRA or which, though considered also for the
purposes of the BRA, have to be reconsidered in view of the particular
circumstances presented by the customer. This is especially relevant when it
comes to the CRA since the customer’s reputation, nature and behaviour also
need to be factored in:
(a) Reputation
Subject persons should consider whether a customer or its beneficial owner
has been the subject of adverse reports linking him/her to crime (especially
financial crimes) and/or terrorism. Subject persons are expected to consider
how reliable these reports are on the basis of the quality and independence
of their source/s, and how persistent these reports are. The absence of an
arraignment or a conviction should not be automatically taken to mean that
any adverse reports can be ignored. While acquittals should also be factored
in when assessing one’s reputation, subject persons should consider the
reasons that led to the acquittal and whether such reasons dispel any
concerns about the individual/entity involved. For example, if criminal
proceedings were time barred, the court would have had no opportunity to
actually pronounce itself on the charges and there may still be concerns on
the customer or its beneficial owner.


The nature of the adverse news will also have an impact on its actual relevance
for risk assessment purposes. Finding news from a reliable source that an
individual was the mastermind behind a major bankruptcy where funds were
siphoned off to remote jurisdictions will have a larger impact in terms of risk
than finding news from equally reliable sources that one has been indicted for
a one-off shoplifting incident involving goods of minimal value. Ideally, the
subject person should develop guidelines or have procedures in place to allow
officers and employees to discern what is to be considered as reliable media
reports and what impact these can have on one’s risk understanding.
The impact of adverse media can at times also depend on how remote in time
it is. The longer the passage of time from the date of the media item (or the
date of the adverse activity reported on in the media item), the less likely it is
that the facts reported on will have an ML/FT impact. Equally important is to
consider whether, following any adverse media reports, there were reports
which showed that the earlier information was groundless or otherwise
downsized the gravity and severity of any such earlier information. Where the
information derived from adverse media gives rise to suspicion of ML/FT,
subject persons are reminded of their obligation to report to the FIAU.
Subject persons need also to consider what is known about a (prospective)
customer and its beneficial owner through official means (e.g., criminal
convictions, asset seizures, sanctions, etc.), as well as internally through
previous dealings with the same. For example, anyone who has been the
subject of an STR should be considered as representing a higher risk of ML/FT.
There are also instances when, although the customer may usually be
considered as presenting a low risk of ML/FT on the basis of the activity
carried out (e.g., a listed entity or an entity carrying out either relevant financial
business or equivalent activities), this cannot be said to be true in the specific
circumstances due to supervisory or regulatory action undertaken in its regard.
Subject persons have to consider whether any such entity has been the
subject of supervisory or regulatory action in the past and what the nature
of the breach was that led to the taking of that action. In assessing whether
the said information is to influence the ML/FT risk presented by the customer,
there are some considerations that subject persons should take into account
to determine the relevance of the information from a risk point of view:
- When did the breach of the requirement/s resulting in administrative
measures take place?
- Is the breach still relevant in view of any regulatory or legislative changes
that may have taken place in the meantime?


- What was the regulatory requirement breached? For example, the one-
off failure of a regulated entity to file a regulatory return should be treated
differently from a situation where the (prospective) customer was found
to have breached particular AML/CFT obligations relative to ongoing
monitoring.
- What was the regulatory action taken against the (prospective) customer?
Where regulatory measures consist in the imposition of hefty
administrative penalties or even the pressing of criminal charges, the effect
that the information should have on one’s risk understanding is going to
be more pronounced than if the regulatory measure consisted in remedial
action.
- Have the regulatory issues been resolved, i.e. has the customer taken
action to address the issues highlighted by its regulator or supervisor?

(b) Nature and Behaviour


The behaviour of a customer or of a beneficial owner, as well as the way an
entity that seeks a subject person’s services is structured, may in itself be
indicative of a high risk of ML/FT. The following are among the risk factors
that should be considered as indicative of a higher risk:
(a) the customer or beneficial owner is reluctant to provide any
documentation and/or information requested by the subject person
without a legitimate reason for doing so;
(b) the documentation presented to meet a subject person’s request for
information/ documentation gives rise to doubts as to its veracity or
authenticity;
(c) the customer is avoiding the establishment of a business relationship,
preferring instead to carry out several one-off transactions without there
being any economic or logical justification for doing so;
(d) the customer or its ownership and control structure involve bearer shares
or nominee/ fiduciary shareholders;
(e) there are material changes to the customer’s ownership and control
structure for which there does not seem to be a legitimate rationale;
(f) the customer requests transactions that are complex, unusually or
unexpectedly large or have an unusual or unexpected pattern without an
apparent economic or lawful purpose or a sound commercial rationale;


(g) the customer requests unnecessary or unreasonable levels of secrecy; and
(h) the customer is not resident in the subject person’s jurisdiction and there
is no sound economic and lawful reason for seeking services or products
from the subject person.
In addition, subject persons should also consider the extent of the difficulty
encountered to establish the actual business or professional activity of the
customer or its beneficial owner, and how consistent the information obtained
or provided is when compared to their former, current or planned business activity,
their business’s turnover, and so on.
With respect to the geographical risk, one has to consider what is the factor
linking a given business relationship or occasional transaction with a particular
jurisdiction to determine its relevance for risk assessment purposes. The mere
fact that a customer or a beneficial owner was born in a high-risk jurisdiction
should not of itself mean that the business relationship or occasional transaction
is exposed to a high risk of ML/FT from the geographical point of view since there
may be no actual link between that jurisdiction and the business relationship or
occasional transaction.
The situation would be significantly different when, apart from being born in that
jurisdiction, one either resides there or retains business ties with that jurisdiction
and there may therefore be funds processed through the business relationship
or occasional transaction that originated in that jurisdiction.
Moreover, subject persons are once more to refer to the Risk Factors Guidelines
issued by the EBA insofar as these may be applicable to them. These Guidelines
contain sections setting out risk factors particular to activities that constitute
“relevant financial business” in terms of the PMLFTR and that may materialise
when carrying out the CRA. Thus, anyone carrying out any relevant financial
business referred to in those Guidelines, when assessing its ML/FT risk, is to
also consider any sector-specific risk factors set out therein. The Risk Factor
Guidelines are available on the EBA’s website.

3.5.1 Timing of the Customer Risk Assessment


The CRA is to be carried out whenever a new business relationship is to be
entered into or an occasional transaction is to be carried out. However, given that
risk is dynamic, it is important that, in the case of a business relationship, the CRA
be reviewed from time to time, depending on the risk presented by the particular
business relationship, and especially where there is an event marking a material


departure from the business and risk profile of the customer which may be noted
through the ongoing monitoring of transactions (e.g., a client acquires a new
service or product). A revision of a customer’s risk assessment may also be
required whenever the BRA is itself revised.

3.5.2 Preparing/Drafting the Customer Risk Assessment


As is the case with the BRA, any decisions relative to the CRA and changes
thereto have to be duly documented to evidence that an appropriate assessment
has taken place, and made available to the FIAU and other relevant supervisory
authorities on demand. The same applies to any revisions made to the CRA. It is
equally important that the CRA and any updates thereof be duly dated.
The CRA needs to cater for a situation where a ‘provisional’ risk rating, based on
the information and documentation collected initially, may be revised once any
questions are answered or doubts cleared through the collection of additional
information/documentation. For some customers, a comprehensive profile might
become evident when operations begin; hence, there may be various tiers of risk
assessments at different points throughout the relationship.
It is important to note that, while it is possible for subject persons carrying out a
specific relevant activity or a specific relevant financial business to adopt as their
own a sectoral BRA prepared by an industry representative body, as seen in
Section 3.3.2, the same does not apply to the CRA. In fact, it would still be up to
the individual subject person to carry out a CRA each time that a new occasional
transaction is carried out or a new business relationship is entered into.
In situations where the FIAU exercises its power under Regulation 5(2) of the
PMLFTR and exempts a category of subject persons from carrying out a BRA (as
explained in Section 3.3.2), the same category of subject persons will be equally
exempted from carrying out a CRA. Hence, it would be possible for subject
persons within the exempted sector to take a standard approach to CDD and
dispense with the CRA.

3.5.3 Carrying out the Customer Risk Assessment


The effectiveness of the CRA will depend to a large extent on the methodology
applied to carry out the same. There is no one methodology that is
recommended across the board, though there are common factors that would
need to be present throughout. Thus, the methodology adopted has to be


consistent with the risk factors included in the BRA and apply the conclusions
reached by the same.
Regardless of the methodology used, the subject person has to ensure that it
understands it and deems it to be adequate and appropriate in view of the nature
and size of its business. It is not necessary that this methodology be developed
by the subject person itself since it may engage consultants to assist it or acquire
specific IT software or tools. However, the adoption of the methodology and any
major change thereto has to be approved by senior management. As for the CRA
itself, every aspect and decision relating to the methodology applied has to be
clearly documented.
(a) Categorisation of Risk Factors
The subject person should be able to categorise the various risk factors it may
face when entering into a business relationship or in undertaking an occasional
transaction on the basis of its BRA. The simplest categorisation system
involves dividing risk factors into low-, medium- and high-risk categories, but a
subject person may wish to adopt a system with more levels of risk
categorisation.
(b) Weighting and Rating of Risk Factors
The relevance or weight of a risk factor within a business relationship or an
occasional transaction will, more often than not, depend on the context of
the particular relationship or transaction. Thus, the purpose for establishing
the relationship, the level of assets involved or the size of those transactions
to be undertaken, as well as the regularity or expected duration of the
business relationship, will all influence the relative importance of one or more
risk factors.
For example, the relative importance of the geographical risk will at times be
dependent on the nature and purpose of the business relationship or
occasional transaction. If the service or product allows for the remittance or
transfer of funds to third countries, funding of terrorism would be a more
important aspect to consider and hence one should scrutinise the jurisdiction
of destination for any known concerns with terrorism or terrorist groups. If
the jurisdiction concerned presents these shortcomings, then the geographical
risk associated therewith should be higher than usual.
On the other hand, when the service or product provided consists or requires
the receipt and/or investment of funds, which funds may have been generated
abroad, the subject person should look out for the levels and types of criminal
activities occurring in the jurisdiction of origin. When it emerges that the
jurisdiction is known for criminal activity, the geographical risk factor should
have a greater weighting in the assessment process than in situations where
the jurisdiction has limited criminal activity.
The same goes for PEPs and persons associated with them, with regard to
whom any business relationship or occasional transaction is to be considered
as high risk. However, it cannot be ignored that the level of risk associated
with a PEP will vary, depending on the other circumstances of the business
relationship or occasional transaction, with some necessarily presenting a
higher level of risk than others. A PEP who opens an account with a domestic
institution to receive his/her Parliamentary allowance will present one level
of risk whereas a PEP who receives multiple and uneven payments would
surely merit to be rated still higher than in the first case.
Thus, an effective CRA is only possible if the methodology applied allows for
sufficient flexibility to take into account the particular circumstances of each
case.
One possible methodology that can be adopted is that of a scoring system.
The different risk variables within each of the four risk categories in Section
3.2 are each awarded a score on a scale from 1 to 10, where a score of 1 is
awarded to the variable that poses the lowest risk and a score of 10 is
awarded to the variable that poses the highest risk.
It is important to note that this methodology is being provided by way of an
example only and that the FIAU does not expect subject persons to adopt
this specific system nor does it expect subject persons to necessarily adopt a
system based on a scoring methodology. Individual subject persons are free
to design a system that is most appropriate to their circumstances as long as
their system is reliable and respects the principles laid down in these
Implementing Procedures.

Table 5 below illustrates how this system works in practice.

Table 5 – Risk-scoring grid

Columns: Scoring | Type of Customer | Product/Service | Interface | Geographical Connections

VERY HIGH (9-10)
• Type of Customer: Unregulated virtual currency exchanges; Corporate structures involving the use of bearer shares
• Product/Service: Services intended to render the customer anonymous
• Interface: Non-face to face through intermediaries
• Geographical Connections: Country subject to sanctions, embargoes

HIGH (6-8)
• Type of Customer: Non-Profit Organisations sending funds to non-reputable/high-risk jurisdictions; Correspondent banks; Fiduciary arrangements
• Product/Service: Internet-based products; Services or products identified as posing a high risk of ML/FT
• Interface: Non-face to face using means with no embedded technological safeguards
• Geographical Connections: Non-reputable/high-risk jurisdiction

MEDIUM (3-5)
• Type of Customer: Highly paid employees; Public figures; General public
• Product/Service: Retail products
• Interface: Non-face to face (using technological systems with embedded safeguards)
• Geographical Connections: Reputable jurisdiction

LOW (1-2)
• Type of Customer: Other individuals (e.g., pensioners, average-salaried employees)
• Product/Service: Products with very limited transaction/deposit thresholds
• Interface: Face to face
• Geographical Connections: EU Member State; Domestic

The following table explains what the four categories of risk scores mean:

Table 6 – Risk score

Rating: Very High
Impact of ML/FT risk: Materialisation of risk may have very dire consequences.
Response: Do not establish business relationship or allow transaction to occur, or else reduce the risk to acceptable level.

Rating: High
Impact of ML/FT risk: Risk likely to happen and/or to have serious consequences.
Response: Do not allow transaction until risk reduced.

Rating: Medium
Impact of ML/FT risk: Possible this could happen and/or have moderate consequences.
Response: May go ahead but preferably reduce risk.

Rating: Low
Impact of ML/FT risk: Unlikely to happen and/or have minor or negligible consequences.
Response: Fine to go ahead.

Taken together, the scores assigned to the individual risk factors should then allow
the subject person to generate an overall risk score and lead it to understand
whether the business relationship or occasional transaction falls within its risk
appetite. Where this is the case, the subject person is then to categorise the
business relationship or occasional transaction accordingly.
The categorisation system adopted by a subject person is expected to at least
allow for business relationships or occasional transactions to be classified as low,
medium or high risk, according to the perceived level of ML/FT risk. These three
classifications are the basic rating system, but other categorisations are possible.
It is therefore left to the discretion of subject persons to adopt a rating system
that can provide a proper categorisation of business relationships and occasional
transactions.
While the method used to weight risk factors is left to the individual subject
person, and subject persons enjoy the discretion of designing and implementing
a system that is most appropriate to their circumstances, it should be noted that
any such methodology has to, as a minimum, adhere to certain basic principles:

(a) weighting is not to be unduly influenced by just one factor;
(b) monetary or business considerations are not to influence the risk rating;
(c) the provisions of the PMLFTR on situations that always present a high ML/FT
risk (referred to in Regulation 11(3)-(9)) cannot be overruled by the subject
person’s weighting; and
(d) weighting does not lead to a situation where it is impossible for any business
relationship or occasional transaction to be classified as high risk.
In deciding on the risk weighting methodology to be adopted, it is important that
subject persons also take into consideration the results of the National Risk
Assessment, the Supranational Risk Assessment and other risk assessments or
authoritative guidance on risk that may be available and be relevant to the subject
person concerned.
The above does not exclude the possibility of considering groups of customers
or business relationships that share similar characteristics as presenting the same
level of risk as long as the subject person can demonstrate that the groupings are
logical and specific enough to reflect the reality of the subject person’s business.
Where a subject person uses automated IT systems to allocate overall risk scores
to business relationships or occasional transactions, and does not develop these
in house but purchases them from an external provider, it should thoroughly
understand how the system works and how it allocates weightings and ratings,
i.e., how it combines risk factors to achieve an overall risk score.
In this manner, the subject person should be able to determine whether the
system- generated score actually reflects the subject person’s understanding of
risk. The subject person must also ensure that the IT systems are properly
calibrated to cater for its own specific situation in view of its risk assessment.
A subject person must always be able to satisfy itself that the scores allocated
reflect its understanding of ML/FT risk and it should be able to demonstrate this
to the FIAU or any supervisory authority.
Where risk weighting is carried out using an automated process, the subject
person must retain the ability to override the automatically generated score
where necessary. The rationale for the decision to override these scores should
be documented appropriately. In so doing, attention should be paid to ensure that
the risk scoring is not meddled with, that not all officials and employees may effect
changes, and that there is a clear audit trail of who took the decision to override
the system-generated score and the reasoning behind said override.
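The scoring methodology of this section (the four risk categories, the 1 to 10 scale of Table 5, the rating bands of Table 6, principles (a) to (d) and the requirement for a controlled, documented override) can be exercised in code. The Python below is an added example and is neither part of the Implementing Procedures nor a system endorsed by the FIAU; the weights, the 50% cap used to enforce principle (a), the flag names, the authorised roles, the customer identifiers and the sample scores are assumptions made for the illustration only.

```python
"""Illustrative customer risk scoring with a controlled override audit trail.

Added example only; not FIAU code. Weights, the cap, flag names, roles and
sample values are assumptions made for the illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set

# The four risk categories of Section 3.2 / Table 5.
CATEGORIES = ("customer", "product_service", "interface", "geography")
# Score bands of Table 5 / Table 6 on the 1-10 scale, highest first.
BANDS = ((9, "Very High"), (6, "High"), (3, "Medium"), (1, "Low"))
HIGH_FLOOR = 6  # lowest score that maps to the "High" band
# Flags for situations the PMLFTR always treats as high risk (e.g. PEPs and
# persons associated with them). The flag names are constructed.
MANDATORY_HIGH_FLAGS = {"pep", "pep_associate"}
# Roles allowed to override a system-generated rating (constructed).
OVERRIDE_ROLES = {"mlro", "compliance_officer"}


def rating_for(score: float) -> str:
    """Map a 1-10 score to the Table 6 rating."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    return "Low"


def validate_weights(weights: Dict[str, float], max_share: float = 0.5) -> None:
    """Principle (a): no single factor may unduly dominate. `max_share` is an
    assumed cap on any one category's share of the total weight."""
    if set(weights) != set(CATEGORIES):
        raise ValueError("weights must cover exactly the four categories")
    total = sum(weights.values())
    if total <= 0 or any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative and sum to more than zero")
    for name, w in weights.items():
        if w / total > max_share:
            raise ValueError(f"{name} carries {w / total:.0%} of the weight; cap is {max_share:.0%}")


def compute_score(scores: Dict[str, int], weights: Dict[str, float], flags: Set[str]) -> float:
    """Weighted average of the four category scores. Principle (c): a
    mandatory high-risk situation lifts the result to at least the High band."""
    validate_weights(weights)
    for c in CATEGORIES:
        if not 1 <= scores[c] <= 10:
            raise ValueError(f"{c} score must be between 1 and 10")
    total = sum(weights.values())
    score = sum(scores[c] * weights[c] for c in CATEGORIES) / total
    if flags & MANDATORY_HIGH_FLAGS:
        score = max(score, float(HIGH_FLOOR))
    return score


def methodology_self_check(weights: Dict[str, float]) -> bool:
    """Principle (d): with every factor at its worst, the outcome must still
    be classifiable as High (or above)."""
    worst = {c: 10 for c in CATEGORIES}
    return rating_for(compute_score(worst, weights, set())) in ("High", "Very High")


@dataclass(frozen=True)
class OverrideRecord:
    decided_by: str
    role: str
    previous_rating: str
    new_rating: str
    reason: str
    decided_at: datetime


@dataclass
class CustomerRiskAssessment:
    customer_id: str
    scores: Dict[str, int]
    weights: Dict[str, float]
    flags: Set[str] = field(default_factory=set)
    assessed_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    overrides: List[OverrideRecord] = field(default_factory=list)  # the audit trail

    @property
    def system_rating(self) -> str:
        return rating_for(compute_score(self.scores, self.weights, self.flags))

    @property
    def current_rating(self) -> str:
        return self.overrides[-1].new_rating if self.overrides else self.system_rating

    def override(self, new_rating: str, decided_by: str, role: str, reason: str) -> OverrideRecord:
        """Manual override: only authorised roles, always justified, never below
        High for a mandatory high-risk situation, and always recorded."""
        if role not in OVERRIDE_ROLES:
            raise PermissionError(f"role {role!r} may not override risk ratings")
        if not reason.strip():
            raise ValueError("an override must state its rationale")
        if self.flags & MANDATORY_HIGH_FLAGS and new_rating not in ("High", "Very High"):
            raise ValueError("situations the PMLFTR treats as high risk cannot be overruled")
        record = OverrideRecord(decided_by, role, self.current_rating, new_rating,
                                reason, datetime.now(timezone.utc))
        self.overrides.append(record)
        return record


# Constructed sample: highly paid employee (3), internet-based remittance
# product (6), non-face-to-face channel with embedded safeguards (5),
# non-reputable destination jurisdiction (8).
SAMPLE_SCORES = {"customer": 3, "product_service": 6, "interface": 5, "geography": 8}
EQUAL_WEIGHTS = {c: 0.25 for c in CATEGORIES}
# For a product that remits funds abroad, geography is given a larger share.
REMITTANCE_WEIGHTS = {"customer": 0.25, "product_service": 0.125,
                      "interface": 0.125, "geography": 0.5}

if __name__ == "__main__":
    for w in (EQUAL_WEIGHTS, REMITTANCE_WEIGHTS):
        s = compute_score(SAMPLE_SCORES, w, set())
        print(f"{s:.3f} -> {rating_for(s)}")
    cra = CustomerRiskAssessment("C-0001", SAMPLE_SCORES, EQUAL_WEIGHTS)
    cra.override("High", "j.borg", "mlro", "adverse information on the destination correspondent")
    print(cra.system_rating, "->", cra.current_rating, f"({len(cra.overrides)} override recorded)")
```

With equal weights the constructed customer scores 5.5 (Medium); giving geography half the weight, as the text suggests for a product that transfers funds to third countries, moves the same customer to 6.125 (High). Marking the customer as a PEP lifts the equal-weight result to the High floor regardless of the other factors, and the override path refuses unauthorised roles, empty rationales and any attempt to rate a mandatory high-risk situation below High.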

3.6 APPLICATION OF CDD ON A RISK-SENSITIVE BASIS


Having identified and assessed the risks of a business relationship or an
occasional transaction, the subject person is to then apply a commensurate level
of CDD to mitigate these risks. Use can be made of the flexibility inherent to the
risk-based approach to better address risk, since subject persons are allowed to
vary the timing and extent of CDD.
Thus, for business relationships or occasional transactions identified as presenting
a low risk of ML/FT, subject persons may apply SDD. It is important to note that
SDD is not an exemption from CDD obligations, but rather the ability to vary the
timing and extent when determinate CDD measures are to be carried out.
However, all CDD measures will have to be carried out at some point or other. In
this respect, setting thresholds that are reasonably low can be particularly useful
as long as the subject person has systems in place to monitor customer activity
and determine the moment in time when the threshold is met and the application
of one or more CDD measures is triggered.
Questions may arise with regards to how SDD is to be reconciled with the
carrying out of the CRA. Considering the information that needs to be collected
on the customer to correctly compile the customer risk profile, one may consider
the two to be in conflict with each other. However, in situations where most risk
factors are already indicating a low- risk scenario and it is not considered that the
customer risk will influence the overall assessment of the business relationship
or occasional transaction, it would not be necessary to collect all the information
usually required for a CRA to be carried out since the assessment of the customer
risk will ultimately leave things unchanged.
Thus, for example, in situations where the product being offered allows only a
minimal amount of funds to be deposited or transacted, and can be used only
domestically, the collection of source of wealth and/or funds information will not
be relevant since it will ultimately have no bearing on the risk of the relationship
with the customer.
Business relationships or occasional transactions considered as high risk oblige
the subject person to apply EDD measures. In determinate instances, the PMLFTR
themselves lay down what these measures have to be. In high-risk situations,
which are not expressly dealt with in the PMLFTR, the subject person has to
make an informed decision as to the measure/s it is to apply.

The appropriate type of EDD measure applied, including any additional
information/documentation or ongoing monitoring, will depend on the reason/s
why the business relationship or occasional transaction was deemed to present
a high risk of ML/FT and is to mitigate this risk.
As already remarked, risk is not static and therefore one’s risk assessment has to
be reviewed from time to time to ensure that it is still relevant. In particular, subject
persons have to pay attention to any material change in the business relationship
that can lead to a change in the associated risk.
Should any such revision lead to a change in the individual or overall risk rating,
the subject person has to consider whether this needs to translate into a different
level of CDD or the application of different CDD measures.
The subject person should refer to Chapter 4 of the Implementing Procedures,
which explains in greater detail the basic CDD measures that have to be adopted.
Moreover, subject persons are also to refer to the Risk Factor Guidelines issued
by the EBA, which contain general examples of possible EDD measures to apply
in high-risk situations, as well as more specific examples applicable to the areas
falling within relevant financial business.

CHAPTER 4 – CUSTOMER DUE DILIGENCE

The implementation of a sound CDD programme is key for all subject persons to
safeguard their services and products from being misused and ending up as
conduits for proceeds of crime, or being used for ML/FT purposes. This in turn
should not only protect the reputation and integrity of the subject persons
themselves, but also of the relevant sectors of the Maltese economy. Additionally,
the implementation of CDD measures enables subject persons to assist the FIAU
and law enforcement authorities to carry out their responsibilities of analysing and
investigating cases of ML/FT in an effective manner.
Inadequate implementation of CDD requirements, on the other hand, could result
in enforcement action being taken against the subject person, which could have
serious reputational, operational and financial repercussions.
The requirement to apply CDD measures ensures that subject persons have
adequate mechanisms in place to:
(a) determine who the customer and, where applicable, any beneficial owner are;
(b) verify whether that person is the person he/she purports to be;
(c) determine whether a person is acting on his/her own behalf or on behalf of
another person (e.g., an agent, signatory, attorney, etc.);
(d) establish the purpose and intended nature of the business relationship, and the
customer’s business and risk profile; and
(e) in the case of a business relationship, monitor that relationship on an ongoing
basis.
CDD measures also assist subject persons to determine whether a customer falls
within their risk appetite as well as to understand the customer’s business profile
with sufficient clarity to be able to conduct effective monitoring, including by
identifying those transactions that fall outside this profile and thus consider
whether there is a suspicion of ML/FT or of proceeds of crime.
This chapter focuses on providing guidance on the implementation of the CDD
requirements that are envisaged under Regulations 7 to 12 of the PMLFTR.
Regulation 7 of the PMLFTR sets out the CDD measures that are to be
undertaken by subject persons in relation to their customers (and, where
applicable, beneficial owners and agents) and the business relationships and
occasional transactions that they seek to set up or carry out. Regulation 7 also
stipulates the instances when these CDD measures are to be applied.
Regulation 8 of the PMLFTR sets out the timing when verification of identity
measures is to be implemented, providing for a number of exceptions to the
general principle. Actions required from subject persons when CDD measures
cannot be completed are also set out in Regulation 8(5) of the PMLFTR.
Regulation 9 of the PMLFTR deals with the application of CDD measures by
casino and gaming licensees, and lays down a number of additional obligations that
are to be undertaken by these licensees.
Regulations 10 and 11 of the PMLFTR, respectively, set out the instances when
SDD can and EDD must be undertaken and the measures that are expected to
be taken in each case.
Regulation 12 provides for the possibility of relying on certain CDD measures carried
out by other subject persons or third parties (referred to as the “reliance procedure”).
While this chapter sets out certain standard procedures as to how certain CDD
obligations are to be implemented within the subject person’s policies and
procedures, and how these procedures are to be applied, a certain degree of
flexibility is allowed when it comes to determining the extent of the CDD measures
to be applied and their timing in accordance with the risk-based approach, as
prescribed under Regulation 7(8) of the PMLFTR.
Subject persons are, therefore, allowed to determine, on a risk- sensitive basis, the
extent and timing of CDD measures to be applied in relation to the customer,
depending on the type of customer, product, service, transaction, delivery channel/s
and geographical connections. The risk assessment undertaken by the subject
person on the customer should determine the extent and timing of CDD measures
that are to be applied by the subject person, including the CDD information and
documentation to be obtained, the extent to which the business relationship will be
scrutinised and the nature and frequency of ongoing monitoring.
Subject persons should be able to demonstrate to the FIAU that the extent and
timing of CDD measures applied by the subject person on the customer is
appropriate in view of the risks of ML/FT posed by the business relationship or
occasional transaction in question. For further information on the application of
the risk-based approach, subject persons should refer to Chapter 3.

4.1 OVERVIEW OF CDD MEASURES


Regulation 7 of the PMLFTR sets out the CDD measures that are to be applied
by subject persons, which are the following:
(a) the identification of the customer and the verification of the identity of the
customer on the basis of documents, data or information obtained from a
reliable and independent source (refer to Section 4.3 below).
Where the customer is a body corporate, a body of persons or any other form
of legal entity or arrangement, the subject person has to also verify the
customer’s legal status and identify all directors or, when the customer does
not have directors, all such other persons vested with its administration and
representation (refer to Section 4.3.2);
(b) the identification, where applicable, of the beneficial owner(s), and the taking
of reasonable measures to verify the identity of the beneficial owner(s), so
that the subject person is satisfied it knows who the beneficial owner(s) is/are,
including, in the case of a body corporate, foundation, trust and similar legal
arrangements, taking reasonable measures to understand the ownership and
control structure of the customer (refer to Section 4.3.2);
In case of customer(s) that are trusts or similar legal arrangements, whose
beneficiaries are designated by particular characteristics or class, the subject
person has to obtain sufficient information on the beneficiaries to be able to
identify and verify their identity at the time of pay-out or at the time the
beneficiaries seek to exercise their vested rights;
(c) assess and, as appropriate, obtain information on the purpose and intended
nature of the business relationship, and establish the customer’s business and
risk profile (refer to Section 4.4); and
(d) conduct ongoing monitoring of the business relationship (refer to Section 4.5);
Regulation 7(3) of the PMLFTR stipulates that, when any person purports to act
on behalf of a customer (i.e., as agents, signatories, attorneys, etc.), in addition to
identifying and verifying the customer’s identity and, where applicable, the
beneficial owner (as highlighted under points (a) and (b) above), the subject person
has to ensure that this person is duly authorised in writing to act on the
customer’s behalf and is to also identify and verify that person’s identity (refer
to Section 4.3.3).
It is to be noted that the PMLFTR prohibit subject persons from keeping
anonymous accounts or accounts in fictitious names.38
CDD measures are to be applied by a subject person in the following instances:39
(a) when establishing a business relationship;
(b) when carrying out an occasional transaction;

38. Regulation 7(4) of the PMLFTR.
39. Regulation 7(5), (6) and (7) of the PMLFTR.

(c) when the subject person has knowledge or suspicion of proceeds of criminal
activity, ML or FT, regardless of any derogation, exemption or threshold that
would otherwise be applicable;
(d) to existing customers, at appropriate times and on a risk- sensitive basis,
including at times when the subject person becomes aware that the relevant
circumstances surrounding a business relationship have changed; and
(e) when doubts arise about the veracity or adequacy of previously obtained
customer identification information.

Application of CDD vis-à-vis casino and gaming licensees


By way of derogation from the provisions of Regulation 7(5)(a) and (b) of the
PMLFTR, which require the application of CDD when establishing a business
relationship or carrying out an occasional transaction, casino and gaming licensees
are, in terms of Regulation 9(1) of the PMLFTR, to apply CDD measures when
they carry out transactions that amount to or exceed two thousand euro
(€2,000). This applies both to business relationships (i.e., when casino or gaming
licensees open gaming accounts) as well as when carrying out occasional
transactions.
This derogation, however, does not apply if the casino or gaming licensee has
knowledge or suspicion of proceeds of criminal activity, ML or FT. Casino and
gaming licensees are also expected to carry out CDD on existing customers (as
explained under point (d) above) and when they have doubts about previously
obtained customer identification information.
It should also be pointed out that Regulation 9(2) of the PMLFTR requires casino
licensees to carry out additional CDD requirements. These include:
(a) identifying any person prior to entering a casino; and
(b) ensuring that the particulars relating to the identity of a person exchanging
chips or tokens to the value of two thousand euro (€2,000) or more is
matched with, and cross referred to, the particulars relating to the identity of
the person exchanging cash, cheques or bank drafts, or making a credit or
debit card payment in exchange for chips or tokens, as well as ensure that
chips or tokens are derived from winnings made while playing a game or
games at the casino. Casino licensees should ensure that they carry out this
requirement not only in the case of individual transactions amounting to
€2,000 or more, but also where in any one gaming session a person carries
out transactions that in aggregate equal or exceed €2,000.

4.2 DEFINITIONS
The concepts of “customer” and “beneficial owner” are referred to throughout
this chapter and therefore it is important for subject persons to understand who
is considered to be a “customer” and a “beneficial owner” in terms of the PMLFTR.
The aim of this Section 4.2 is to expand on the definitions of “customer” and
“beneficial owner” so that subject persons can understand who should be
classified as such.

4.2.1 The Customer


The PMLFTR defines a customer as “a legal or natural person who seeks to form,
or who has formed, a business relationship, or seeks to carry out an occasional
transaction with a person who is acting in the course of either relevant financial
business or relevant activity”.40
The customer is therefore:
• a person (whether legal or natural);
• who seeks to form a business relationship (i.e., a potential customer); or
• with whom a business relationship is formed (i.e., an existing customer); or
• who seeks to carry out an occasional transaction.

A legal or natural person


The customer may either be a natural (physical) or a legal person. This notion is
important since the application of CDD measures varies depending on whether
the customer is a natural person, a legal entity or any other form of legal
arrangement.
Where the customer is a body corporate, a body of persons, or any other form
of legal entity or arrangement, subject persons must also verify the customer’s
legal status and identify all directors or, where the customer does not have
directors, all such other persons vested with its administration and representation.
Furthermore, subject persons are to identify and verify the customer’s beneficial
owner(s).

40. Regulation 2(1) of the PMLFTR.

A potential and an existing customer


The definition of customer in the PMLFTR makes reference to the phrase “seeks
to form or who has formed” to capture both potential and existing customers.
This is important given that subject persons are required to carry out CDD
measures both with respect to potential customers (such as the identification and
verification of a potential customer prior to establishing a business relationship or
undertaking an occasional transaction) as well as on existing customers with
whom a business relationship is established (such as the ongoing requirement to
keep documents, data or information on these customers up to date). For all
intents and purposes, a person making a simple enquiry is not to be construed
as a potential customer on which CDD measures are to be undertaken. Hence,
subject persons are to carry out CDD measures on those potential customers
taking active steps that show they intend to establish a business
relationship or to carry out an occasional transaction.

A business relationship or an occasional transaction


The definition of “customer” under Regulation 2 refers to a person seeking to
form or who has formed a business relationship, or a person who seeks to carry
out an occasional transaction. Thus, two types of customers emerge.
The first is the customer who seeks to form or who has formed a business
relationship. A business relationship, in accordance with the definition provided
in the PMLFTR, must comprise three important cumulative elements, which are
the following:
(a) the relationship must be of a business, professional or commercial nature
between two or more persons;
(b) at least one of the persons involved in the relationship must be a subject
person (whether undertaking a relevant financial business or a relevant
activity); and
(c) the relationship has, or is expected to have at the time when the contact is
established, an element of duration.
Point (c) seeks to capture those instances when it is clear from the outset that
a continuous relationship is being set up (such as, for example, when a credit
institution or a remote gaming operator opens an account for a customer) and
also scenarios when the relationship is inferred from the ongoing provision of
the service that is not clear at the outset (such as when a property contractor
is using the services of a notary on a regular basis).

The “element of duration” will need to be assessed on a case-by-case basis.
Entering into an agreement, such as a retainer agreement, with a subject person
for the ongoing provision of services/products/transactions in itself suggests that
the customer is entering into a business relationship with the subject person.
On the other hand, if the subject person is being engaged to undertake a
transaction or provide a service and the interaction with the customer will
terminate following the completion of the task by the subject person, then a
business relationship is not considered to be established. Instead the transaction
or service will be regarded as an occasional transaction, unless the services or
transactions are being carried out on a regular basis on behalf of the same
customer, even though there is no intention to set up a relationship at the
outset.
The second type of customer is the customer who seeks to carry out an
occasional transaction with a subject person. The PMLFTR defines an occasional
transaction as any transaction or service carried out or provided by a subject
person for his/her customer, other than a transaction or service carried out or
provided within a business relationship, and includes, but is not limited to, the
following:
(a) a transaction amounting to fifteen thousand euro (€15,000) or more, carried
out in a single operation or in several operations that appear to be linked;
(b) a transfer of funds as defined under Regulation (EU) 2015/847 of the
European Parliament and of the Council of 20 May 2015 (i.e., the Funds
Transfers Regulation), which exceeds one thousand euro (€1,000) in a single
operation or in several operations that appear to be linked;
(c) a transaction in cash amounting to ten thousand euro (€10,000) or more,
carried out by a natural person or legal person trading in goods in a single
operation or in several operations that appear to be linked;
(d) a transaction amounting to two thousand euro (€2,000) or more, carried out
by gaming or casino licensees in a single operation or in several operations
that appear to be linked;
(e) the provision of tax advice; and
(f) the formation of a company, trust, foundation or a similar structure.41
The above is not an exhaustive list.

41. Regulation 2(1) of the PMLFTR.

For the purposes of determining whether the thresholds mentioned under
paragraphs (a)-(d) above are met or exceeded, one should take into consideration
the monetary value of the transaction or a series of linked transactions that the
subject person carries out for the customer, and not the fee charged by the
subject person to carry out this transaction or transactions.
For the avoidance of doubt, the formation of companies, trusts, foundations or
similar structures, and/or the provision of tax advice (without the provision of
additional services that lead to the establishment of an enduring relationship) by
a subject person, shall be considered to constitute an occasional transaction.
By way of example, CDD measures should be undertaken by the subject person
even when incorporating a company with a share capital amounting to €1,200.
Given that the formation of a new company (without the provision of additional
services following incorporation, which would lead to the establishment of a
business relationship, such as the provision of directorship services and/or company
secretarial services) is by definition an occasional transaction, CDD measures should
be applied irrespective of whether the initial share capital is of a minimal amount.
Similarly, the provision of tax advice is by definition also an occasional transaction
where CDD measures should be applied, irrespective of the values involved.

Customer vs Agent
It is also important to distinguish between situations where a customer is acting
directly on his/her own behalf and where a customer is being represented by
another person, acting as the customer’s agent (e.g., anyone granted a power
of attorney), in its dealings with a subject person. This would be the case where
the customer is a legal person, since it would necessarily be represented by an
agent (e.g., one or more of its directors or bank account signatories). Where the
customer is represented by another person acting as an agent, the subject person
is required to carry out additional measures (refer to Section 4.3.3).
Regulation 7(3) of the PMLFTR stipulates that, when a person purports to act
on behalf of a customer, in addition to identifying and verifying the customer’s
identity and, where applicable, the beneficial owner, subject persons are to ensure
that this person is duly authorised in writing to act on the customer’s behalf, as
well as identify and verify the agent’s identity.
Subject persons must therefore determine whether whoever is requesting the
establishment of a business relationship or for an occasional transaction to be
carried out is doing so on his/her own behalf or on behalf of someone else. In the latter


case, the person making the request is not to be considered as being the customer
but as the customer’s agent. As a result, the customer would be the natural person
or legal person on whose behalf the agent is requesting the establishment of the
business relationship or for the occasional transaction to be carried out.
Notwithstanding that a person might have indicated that he/she is acting on
his/her own behalf and is therefore to be considered to be the customer, there may
be circumstances that indicate otherwise. The subject person should therefore
consider whether the declaration provided is reliable and ensure that the person
is not merely posing as the customer when in actual fact that is not the
case, including by being aware of the following:
(a) from where the subject person is receiving instructions;
(b) the source of the funds;
(c) the destination of the funds;
(d) payment references or rationale that do not appear to relate to the purported
customer; and
(e) unusual delay in answering questions (since the purported customer might be
referring the questions to the third party, i.e., the actual customer, for a reply).
In the context of a business relationship, it is important to bear in mind that
Regulation 7(3) is applied not only when a business relationship is being
established but also whenever in the course of a business relationship a new
agent is appointed to act on a customer’s behalf. Thus, a subject person has an
obligation to identify any agent appointed in the course of a business relationship,
as well as verify his/her identity and obtain written proof of the agent’s authority
to act on the customer’s behalf.

4.2.2 The Beneficial Owner


Subject persons are required to identify the beneficial owner, where applicable,
and to take reasonable measures to verify the identity to ensure that the subject
person is satisfied of knowing who the beneficial owner is. In the case of a
customer being a body corporate, foundation, trust or similar legal arrangement,
subject persons are also required to take reasonable measures to understand
their customer’s ownership and control structure.
The phrase “where applicable” is used since a business relationship or an
occasional transaction does not always involve a beneficial owner, given that the
customer may be an individual directly representing himself/herself. Hence the
obligation to identify and verify the beneficial owner’s identity, outlined in
Regulation 7(1)(b) of the PMLFTR, is not always applicable.
Subject persons should note that the purpose of this section is to define the
concept of beneficial ownership and set out who is considered to be the beneficial
owner in a given scenario. Consequently, this section should not be construed as
necessarily requiring subject persons to identify and verify each and every
beneficial owner at the time of the establishment of the business relationship or
when carrying out an occasional transaction since this may in certain
circumstances be delayed, as set out in other sections of this document. For
guidance on the application of identification and verification requirements on
beneficial owners, including the timing of these measures, please refer to Section
4.3.2, Section 4.6 and Section 4.8.
Regulation 2(1) of the PMLFTR defines a beneficial owner as:
(a) any natural person or persons who ultimately owns or controls the customer;
and/or
(b) the natural person or persons on whose behalf a transaction or activity is
being conducted.
The key element in this definition is the notion of a ‘natural person’. A body
corporate, body of persons, trust or other legal arrangement can never qualify as
a beneficial owner. The beneficial owner, when there is one, must always be a
natural person.42
There may however be instances when the individual requesting a service or to
carry out a transaction is acting on behalf of someone else, which could either
be a corporate entity or body of persons, or another physical person. This could
either be disclosed up front by the individual approaching the subject person or
else inferred from behaviour or surrounding circumstances. Please refer to
Section 4.3.3 for a non-exhaustive list of indicators that a natural person
requesting a service or transaction from the subject person is doing so on behalf
of another person.
Where it appears that a person is not acting on his/her own behalf, appropriate
enquiries should be made to determine on whose behalf that person (agent) is
acting and additional CDD measures must be carried out (refer to Section 4.3.3).

42. An exception is made with regard to trusts and similar legal arrangements since in this
context the definition of beneficial owner covers other involved parties, apart from the
beneficiary of any such arrangement. Thus, where the settlor, protector and/or the
trustee of the trust or similar legal arrangement are not natural persons, subject
persons can limit themselves to considering any body acting as such as a beneficial owner.
The definition of beneficial owner further clarifies who is to be considered a
beneficial owner in certain determinate situations. In fact, the definition under
Regulation 2(1) of the PMLFTR comprises three separate definitions of who is to
be considered as the beneficial owner, depending on whether the customer is:
– a body corporate, in which case part (a) of the definition applies;
– a trust, in which case part (b) applies; or
– a legal entity, such as a foundation, or a legal arrangement similar to a trust, in
which case part (c) of the definition applies.
In determining who the beneficial owner is, subject persons should therefore
refer to and apply the definition that corresponds to their customer, regardless
of any other type of entity involved within the structure.
This definition is illustrated in Table 7 below.


Table 7 – Definition of a beneficial owner

(a) Body corporate or body of persons
(i) The beneficial owner is the natural person/s who ultimately own/owns or
control/controls that body corporate or body of persons through the direct or indirect
ownership of a sufficient percentage of shares, voting rights or ownership interest.
Direct ownership or control of the body corporate or body of persons means:
• direct ownership of 25% plus one (1) or more of the shares (including bearer shares);
• direct ownership of more than 25% of the voting rights; or
• a direct holding of an ownership interest of more than 25%.
Indirect ownership or control of the body corporate or body of persons means:
• indirect ownership of 25% plus one (1) or more of the shares (including bearer
shares);
• indirect ownership of more than 25% of the voting rights; or
• an indirect holding of an ownership interest of more than 25%.
(ii) A natural person(s) who exercise(s) control via other means.
(iii) The natural person(s) holding the position of senior managing official(s) – if, after
having exhausted all possible means, no beneficial owner as defined under
paragraphs (i) and (ii) above is identified.

(b) Trusts
The following are considered to be beneficial owners:
(i) settlor;
(ii) trustee(s);
(iii) protector (where applicable);
(iv) beneficiaries, or where the individuals benefiting from the trust have yet to be
determined, the class of persons in whose main interest the trust is set up or
operates; and
(v) any other natural person exercising ultimate control over the trust by means of
direct or indirect ownership or by other means.

(c) Other types of legal entities (such as a foundation) or legal arrangements
similar to a trust, which administers and distributes funds
Natural person(s) holding equivalent or similar positions to those referred to in (b) above.

The contents of the above table are explained in further detail below.


4.2.2.1 Body corporate or body of persons


This sub-section interprets paragraph (a) of the definition of “beneficial owner”
under Regulation 2(1) of the PMLFTR and analyses the three different manners
in which a natural person(s) can ultimately own or control a customer’s entity that
is a body corporate or a body of persons, and thus be considered a “beneficial
owner”.
(i) The beneficial owner of a body corporate or a body of persons includes all
natural persons who ultimately own or control, whether through direct or
indirect ownership, 25% plus one (1) or more of the shares or more than 25%
of the voting rights or ownership interests, including, where applicable, through
bearer shareholdings, or through control via other means, other than a company
that is listed on a regulated market which is subject to disclosure requirements
consistent with European Union law or equivalent international standards, which
ensure adequate transparency of ownership information.43
When the customer is a body corporate or a body of persons, the beneficial
owner is the natural person who ultimately owns or controls that body corporate
or body of persons through the direct or indirect ownership of a sufficient
percentage of the shares, voting rights or ownership interest.

NOTE: Natural person(s) who ultimately own or control a company that
has its securities listed on a regulated market, which is subject to
disclosure requirements consistent with European Union legislation, or
equivalent international standards, which ensure adequate transparency
of ownership information need not be identified and verified as
beneficial owner(s) for the purposes of the PMLFTR. Therefore, the CDD
obligations envisaged under Regulation 7(1)(b) do not apply to such
customers (refer to Section 4.3.2.2). This exemption is also applicable to
companies that are majority owned subsidiaries of these listed companies
to the extent that there can be no other beneficial owners other than
those of the listed company.

To determine who ultimately owns or controls 25% plus one (1) or more of the
shares or more than 25% of the voting rights in the body corporate or body of
persons, reference may be made to the examples in Figures 1 to 3 below.

43. Regulation 2(1) of the PMLFTR.


Figure 1 – Beneficial owner through direct and indirect ownership
of a sufficient percentage of shares.

[Ownership chart. Customer: Company A, held by Company B (10%), Company C
(60%) and Person 1 (30%). Company B is held by Person 2 (100%). Company C is
held by Person 3 (20%), Person 4 (50%) and Person 2 (30%). Legend: legal persons;
natural persons required to be identified as a beneficial owner; natural persons
not required to be identified as a beneficial owner.]

In Figure 1 subject persons are required to identify the beneficial owners of
Company A (the Customer). Persons 1, 2 and 4 ultimately own 25% plus one or
more of the shares in Company A and thus should be identified as the beneficial
owners of Company A. In the case of Person 1, the shares in Company A are
owned directly, while in the case of Persons 2 and 4 the shares are owned
indirectly through Companies B and C.
At the first layer, Natural Person 1 holds 30% of the shares in Company A and
therefore qualifies as a beneficial owner for the purposes of the PMLFTR.
At the second layer, Natural Persons 2 and 4 qualify as beneficial owners for the
purposes of the PMLFTR. Natural Person 2 holds 10% of the shares in Company
A by virtue of being the sole (100%) shareholder in Company B which holds 10%
in Company A, and holds another 18% of the shares in Company A by being
holder of 30% of the shares in Company C, which in turn holds 60% of the shares
in Company A. Natural Person 2 thus owns 28% of the shares in Company A,
indirectly through two companies, Company B and Company C. Natural Person
4 ultimately holds 30% of the shares in Company A through a 50% shareholding
in Company C, which in turn holds 60% of the shares in Company A.


NOTE: It is important for the subject person to establish and figure out
the customer’s entire corporate structure to be in a position to understand
whether an individual features within an ownership structure through
more than one entity. In such cases, the subject person is expected to
assess all the holdings of that same individual, since that person may,
through different holdings within the structure, hold a sufficient
percentage of shareholding in the customer’s entity that would make
him/her a beneficial owner.

Natural Person 3 ultimately holds 12% of the shares in Company A through
Company C and therefore does not hold a sufficient percentage of shares to
qualify as a beneficial owner.

Figure 2 – Beneficial owner through direct and indirect ownership
of a sufficient percentage of shares, including indirect ownership
through a trust.

[Ownership chart. Customer: Company V, held by Company W (18%), Company X
(52%) and Person 1 (30%). Company W is held by Trust Y (100%), of which Person 4
is the sole beneficiary. Company X is held by Person 2 (20%), Person 3 (50%) and
Company Z (30%). Company Z is held by Person 4 (100%). Legend: legal persons /
trust; natural persons required to be identified as a beneficial owner; natural
persons not required to be identified as a beneficial owner.]


In Figure 2 subject persons are required to identify the beneficial owners of
Company V (the Customer). The natural persons who ultimately own 25% plus one
or more of the shares in Company V, directly or indirectly, are Persons 1, 3 and 4 –
directly in the case of Person 1 and indirectly in the case of Persons 3 and 4.
At the first layer, Natural Person 1 holds 30% of the shares in Company V and
therefore qualifies as a beneficial owner for the purposes of the PMLFTR.
At the second layer, only Natural Person 3 holds a sufficient percentage of shares
(i.e., 26% of the shares in Company V indirectly through Company X) to be
considered a beneficial owner. Natural Person 2 ultimately holds 10.4% of the
shares in Company V and therefore does not hold a sufficient percentage of
shares to be considered a beneficial owner.
At the third layer, Natural Person 4 qualifies as a beneficial owner for the
purposes of the PMLFTR since he/she ultimately owns 33.6% of the shares in
Company V – being the only beneficiary of Trust Y, he/she is considered to own
18% of the shares in Company V through Trust Y and Company W, and 15.6% of
the shares in Company V through Company Z and Company X.

NOTE: Whenever the shares in a body corporate (the customer) are held
in trust, the subject person is not expected to identify and verify all of the
beneficial owners of the trust (i.e. the parties indicated in paragraph (b) of
the definition of beneficial owner provided for in the PMLFTR) as the
beneficial owners of the said shares.
Given that the customer would here be the body corporate and not the
trust itself, determination of the beneficial ownership of the shares and
of the body corporate itself requires that the subject person:
(a) determines who is the beneficiary of the trust; and
(b) considers whether the said benefit, together with any other direct or
indirect interest that individual may have within the body corporate, is
sufficient to meet the conditions at law to be considered as a beneficial
owner of the said body corporate (that is, whether the beneficiaries are
ultimately entitled to 25%+1 or more of the shares, or more than 25% of
the voting rights). This does not exclude the possibility that there may be
someone exercising control via other means. Where no such person is
identified (i.e. either as a beneficiary or as otherwise exercising control), the
beneficial owner would be the senior management officials of the
customer (i.e. the company).


Figure 3 – Beneficial owner through direct and indirect ownership
of a sufficient percentage of shares and voting rights.

[Ownership chart. Customer: Company M, held by Company C (60%), Person 1
(30%) and Person 2 (10% of the shares / 30% of the voting rights). Company C is
held by Person 3 (20%) and Person 4 (80%). Legend: legal persons; natural persons
required to be identified as a beneficial owner; natural persons not required to
be identified as a beneficial owner.]

In Figure 3 subject persons are required to identify the beneficial owners of
Company M (the Customer). Persons 1 and 4 ultimately own 25% plus one or
more of the shares in Company M and thus should be identified as beneficial
owners of Company M. Person 2 also has to be identified as a beneficial owner,
given that he/she holds 30% of the voting rights in Company M, even though
he/she only holds 10% of the shares in Company M.
At the first layer, Natural Person 1 holds 30% of the shares in Company M
directly and therefore qualifies as a beneficial owner for the purposes of the
PMLFTR. Natural Person 2 only holds 10% of the shares in Company M and
therefore does not meet the 25% plus one or more threshold. However, each
share held directly by Natural Person 2 in Company M carries three (3) voting
rights and thus Person 2 holds 30% of the voting rights in Company M. Natural
Person 2 therefore qualifies as a beneficial owner for the purposes of the
PMLFTR.
At the second layer, only Natural Person 4 qualifies as a beneficial owner for the
purposes of the PMLFTR since he/she ultimately holds 48% of the shares in
Company M through an 80% shareholding in Company C, which in turn holds
60% of the shares in Company M. Natural Person 3 ultimately holds 12% of the
shares in Company M and therefore does not hold a sufficient percentage of
shares to qualify as a beneficial owner.


Companies whose share capital is issued in the form of bearer shares or that
issue warrants to bearer
Companies whose share capital is issued in the form of bearer shares or that issue
warrants to bearer are likely to pose increased difficulties for subject persons to
determine beneficial ownership. Subject persons should exercise additional care
and diligence when carrying out CDD measures on companies having bearer
shares because these companies pose higher risks of ML/FT.
Companies that issue bearer shares are frequently incorporated in high-risk
jurisdictions. In this regard, additional measures are required to be undertaken by
subject persons to mitigate the risk of ML/FT. In the event that the customer, or
any company within the customer’s ownership and control structure, is a company
with bearer shares, subject persons have to determine the beneficial owners of
these companies by applying one of the following measures:
(a) where documents granting rights of ownership of bearer shares (such as a
bearer share certificate) are issued in a jurisdiction that requires shareholders
to notify the company of their shareholding and the company to record
their identity in a register, subject persons must:
• require a copy of this register signed and certified as a true copy by the
company secretary, the director or the registered agent, as the case may
be; and
• obtain a written undertaking from the company secretary, director or
registered agent and the beneficial owner that the subject person will be
notified immediately if the bearer share certificate is transferred to any
other person.
(b) where bearer share certificates are deposited with a regulated financial
institution or a regulated custodian, the subject person must:
• obtain a copy of the bearer share certificate;
• obtain a written declaration signed by a representative of the financial
institution or the custodian certifying on whose behalf the document is
held; and
• obtain from the financial institution or the custodian, as the case may be,
a written undertaking that he/she would notify immediately the subject
person if the bearer share certificate is transferred to any other person.


In the eventuality that the bearer share certificates are deposited with a regulated
financial institution or a regulated custodian and are also recorded in the company’s
register, subject persons may choose to apply either of the above measures.
In the light of the higher ML/FT risk that these companies may present, subject
persons must desist from establishing a business relationship with, or carrying out
an occasional transaction for, any such company when it is not possible to
determine the beneficial owners of the bearer shares in accordance with the
procedure outlined above.

(ii) A natural person or persons who ultimately controls or control that body
corporate or body of persons via other means.44
Subject persons are required to assess and determine whether any individual falls
under this second category of the beneficial ownership definition in two
situations. The first is when no individual could be identified under category (i).
The second is when a beneficial owner was identified under category (i), but the
subject person is aware or has reason to believe that another person(s) is/are
exercising ultimate control over the running of that body corporate or over its
management through other means (i.e., even if he/she owns an insufficient
percentage of shares/voting rights or owns none). These persons would also
qualify as beneficial owners for the purposes of the PMLFTR.
Directors are not considered to fall under this part of the definition of beneficial
owner since, in their capacity of directors, they do not have an ownership interest
in the body corporate, they do not control the voting rights in that body corporate
or body of persons, and they do not exercise control over the management of
that body corporate (i.e., they are not able to control the composition or voting
rights of the board of directors).
Since it is impossible to provide an exhaustive list of persons who fall within this
category (ii), subject persons must make a decision on a case-by-case basis.
However, certain circumstances by their very nature would indicate that a person
is exercising control over the management of a body corporate or body of
persons. By way of example, such cases could include:

44. Regulation 2(1) of the PMLFTR.


(a) persons who are granted rights through formal arrangements (such as
shareholders’ agreements or through rights attached to shares) by means of
which that person(s) can exert dominant influence or veto the decision-
making of that legal person (e.g., having absolute discretion or veto rights over
the entity’s business plan, borrowing options or business model);
(b) individuals who, though not being owners of a sufficient percentage of shares
or voting rights (i.e., less than the 25% threshold explained previously),
collectively exceed the 25% threshold and are subject to an arrangement to
exercise their rights collectively in the same way;
(c) individuals who hold the right to directly or indirectly appoint or remove the
majority of the board of directors (or administration) of an entity, or to appoint
or remove the CEO of that entity; and
(d) individuals who through family connections exert influence over the decision-
making body of that entity (e.g., a family business in which a family member,
even though not being formally involved in that entity, is routinely referred to
for direction about company decisions).
One must appreciate that these rights may also be granted on a temporary basis.
The more restricted the use of such a right, the less likely it is for that individual
to exercise ultimate control over that body corporate. Hence, one should not
regard these circumstances as ultimate indicators of absolute control but should
make a case-by-case assessment.
The allocation of voting rights in a corporate structure may also allow one or
more individuals to exercise control over a subsidiary company, even in situations
when the thresholds provided for in the definition of beneficial owner are not
met. An individual may hold sufficient voting rights in a parent company to the
extent that he/she not only exercises control over the parent company but is also
able to influence how the parent company’s voting rights in the subsidiary
company are exercised in their totality and therefore control the subsidiary itself.


Figure 4 – This scenario is illustrated in the example below:

[Ownership chart. Customer: Company Q, held by Company P (30%) and Person 1
(70%). Company P is held by Person 3 (20%) and Person 2 (80% of the shares /
voting rights). Legend: legal persons; natural persons required to be identified as
a beneficial owner; natural persons not required to be identified as a beneficial
owner.]

Person 1 owns 25% plus one or more of the shares in Company Q, making
him/her a beneficial owner.
Person 2 does not ultimately own 25% plus one or more of the shares in
Company Q but, through the ownership of a majority of voting rights in Company
P, Person 2 is able to control certain important decisions in Company P, such as
who is to sit on the company’s board of directors, and, in turn, influence decisions
within Company Q.
Person 3 does not own sufficient shares through Company P to meet the
ownership thresholds and in turn be considered a beneficial owner of Company Q.
Subject persons should therefore take a proactive approach and consider any
information they may have or obtain on their customer and the corporate
structure of which it forms part (e.g., by considering any memoranda and articles
of association, or similar constitutive documents, collected by the subject person)
and identify any additional individual/s who may be in a position to exercise control
over the customer through voting or other rights they are able to exercise with
respect to the parent company.
For additional guidance, reference may be made to the FATF’s “Guidance on
Transparency and Beneficial Ownership” Report45 or Article 22(1)-(5) of Directive
2013/34/EU.
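The share and voting-right arithmetic of Figures 1 to 3, and the "control via other means" situation of Figure 4, as an added worked example in Python (this code is not part of the Implementing Procedures or of any FIAU tool). It models an ownership chart as a graph, multiplies percentages down each chain and sums them across every chain in which the same person appears, applies the 25%-plus-one / more-than-25% thresholds of category (i), flags under category (ii) a person who holds a majority of the votes in an intermediate entity whose own bloc in the customer is sufficient (the Figure 4 scenario), and falls back to the senior managing officials of category (iii) only when the first two categories yield nobody. The class and function names, the treatment of a trust's sole beneficiary as a 100% holder of the trust node (following the NOTE under Figure 2), and the expression of "25% plus one share" as "strictly more than 25%" are assumptions of this example; the percentages are those the text gives for each figure.

```python
from fractions import Fraction
from typing import Dict, List, Tuple

# Thresholds as stated in the text: 25% plus one share, or more than 25% of the votes. Expressed
# as percentages both become "strictly more than 25%" (assumption: holdings are modelled as %).
THRESHOLD = Fraction(25)
MAJORITY = Fraction(50)


class OwnershipStructure:
    """Layered ownership graph: each edge says 'holder holds s% of shares / v% of votes in held'."""

    def __init__(self) -> None:
        self.kind: Dict[str, str] = {}  # node -> "person" | "company" | "trust"
        self.owners: Dict[str, List[Tuple[str, Fraction, Fraction]]] = {}

    def node(self, name: str, kind: str) -> None:
        self.kind[name] = kind

    def holds(self, holder: str, held: str, shares, votes=None) -> None:
        # One share, one vote unless a separate voting percentage is supplied (Figure 3).
        v = shares if votes is None else votes
        self.owners.setdefault(held, []).append((holder, Fraction(shares), Fraction(v)))

    def beneficiary(self, person: str, trust: str) -> None:
        # NOTE under Figure 2: the sole beneficiary is treated as owning what the trust holds,
        # so the beneficiary is modelled as a 100% holder of the trust node (assumption).
        self.holds(person, trust, 100)

    def ultimate_interests(self, entity: str, path: Tuple[str, ...] = ()) -> Dict[str, Tuple[Fraction, Fraction]]:
        """Natural person -> (ultimate share %, ultimate voting %) in `entity`: percentages are
        multiplied down each chain and summed across every chain the same person appears in."""
        totals: Dict[str, Tuple[Fraction, Fraction]] = {}
        for holder, s, v in self.owners.get(entity, []):
            if holder in path:
                raise ValueError(f"circular ownership through {holder}")
            if self.kind[holder] == "person":
                contrib = {holder: (s, v)}
            else:
                inner = self.ultimate_interests(holder, path + (entity,))
                contrib = {p: (s * ps / 100, v * pv / 100) for p, (ps, pv) in inner.items()}
            for p, (ps, pv) in contrib.items():
                cs, cv = totals.get(p, (Fraction(0), Fraction(0)))
                totals[p] = (cs + ps, cv + pv)
        return totals

    def owners_by_threshold(self, customer: str) -> List[str]:
        """Category (i): persons at 25% plus one share or more, or above 25% of the votes."""
        return sorted(p for p, (s, v) in self.ultimate_interests(customer).items()
                      if s > THRESHOLD or v > THRESHOLD)

    def controllers_via_votes(self, customer: str) -> Dict[str, str]:
        """Category (ii) indicator from Figure 4: a person with a majority of the votes in an
        intermediate entity whose own bloc in the customer exceeds the threshold can direct
        that whole bloc, even where the person's multiplied-through share falls short."""
        flags: Dict[str, str] = {}
        for holder, s, _ in self.owners.get(customer, []):
            if self.kind[holder] == "person" or s <= THRESHOLD:
                continue
            for p, (_, pv) in self.ultimate_interests(holder).items():
                if pv > MAJORITY:
                    flags[p] = f"majority of votes in {holder}, which holds {float(s):g}% of {customer}"
        return flags

    def resolve(self, customer: str) -> dict:
        bo = self.owners_by_threshold(customer)
        ctrl = self.controllers_via_votes(customer)
        # Category (iii): senior managing officials only when (i) and (ii) both yield nobody.
        return {"threshold_owners": bo, "control_via_other_means": ctrl,
                "fallback_to_senior_managing_officials": not bo and not ctrl}


def figure(n: int) -> OwnershipStructure:
    """Constructed reproductions of the charts in Figures 1 to 4, using the percentages the text gives."""
    edges = {
        1: [("Person 2", "Company B", 100), ("Person 3", "Company C", 20), ("Person 4", "Company C", 50),
            ("Person 2", "Company C", 30), ("Company B", "Company A", 10), ("Company C", "Company A", 60),
            ("Person 1", "Company A", 30)],
        2: [("Trust Y", "Company W", 100), ("Person 2", "Company X", 20), ("Person 3", "Company X", 50),
            ("Company Z", "Company X", 30), ("Person 4", "Company Z", 100), ("Company W", "Company V", 18),
            ("Company X", "Company V", 52), ("Person 1", "Company V", 30)],
        3: [("Person 3", "Company C", 20), ("Person 4", "Company C", 80), ("Company C", "Company M", 60),
            ("Person 2", "Company M", 10, 30), ("Person 1", "Company M", 30)],  # 10% shares, 30% votes
        4: [("Person 3", "Company P", 20), ("Person 2", "Company P", 80), ("Company P", "Company Q", 30),
            ("Person 1", "Company Q", 70)],
    }[n]
    st = OwnershipStructure()
    for edge in edges:
        for name in edge[:2]:  # node kind inferred from the constructed sample names
            st.node(name, "person" if name.startswith("Person") else
                    "trust" if name.startswith("Trust") else "company")
        st.holds(*edge)
    if n == 2:
        st.beneficiary("Person 4", "Trust Y")  # Person 4 is the only beneficiary of Trust Y
    return st
```

Calling `figure(1).resolve("Company A")` returns Persons 1, 2 and 4 as threshold owners with no "other means" flag, matching the text's walk-through (Person 2's 10% through Company B and 18% through Company C add up to 28%); `figure(4).resolve("Company Q")` returns only Person 1 under category (i) but flags Person 2 for the majority of votes held in Company P, which is exactly the situation the paragraph above describes. Percentages are kept as exact fractions so that chains such as 30% × 52% = 15.6% do not accumulate floating-point error, and a cycle in the chart raises an error rather than recursing forever.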


(iii) If no beneficial owner is identified in accordance with the above, the natural
person(s) who hold(s) the position of senior managing official or officials need to
be identified.46
The definition of beneficial owner in Regulation 2(1) of the PMLFTR provides
that if:
(a) after having exhausted all possible means; and
(b) provided there are no grounds of suspicion,
no beneficial owner has been identified in accordance with category (i) and (ii)
explained above, subject persons are to consider the natural person or persons
who hold the position of senior managing official or officials of the customer
entity to be the beneficial owners, and are to keep a record of the actions taken
to try to identify the beneficial owner in terms of categories (i) and (ii) above.
Subject persons should note that , in these cases, it is the senior management of
the customer entity itself (i.e., the company that has requested the service) that
should be identified and regarded as the beneficial owner(s) and not the senior
managing official(s) of the other entity(s) or arrangement(s) within the corporate
structure of that entity.
It should be noted that the obligation to identify the “senior managing official(s)”
as the beneficial owner(s) is not intended to be a default obligation for all
customers that are body corporates or a body of persons, but an obligation that
is only triggered whenever the subject person:
(a) cannot identify a person(s) who directly or indirectly own(s) 25% plus one or
more of the shares, or more than 25% of the voting rights or ownership
interest within that legal entity (i.e., a beneficial owner under category (i)); and
(b) cannot identify any natural person(s) who is/are controlling the body corporate
or body of persons via other means.
Such a measure is intended to ensure that, in those situations where a structure
is of particular complexity or where the ownership and control interests are so
diversified that no person(s) can be regarded as ultimately controlling that body
corporate, the senior managing official(s) who is/are responsible for taking
strategic decisions and operating that body corporate are identified and known,
and to avoid circumstances whereby services would be provided to corporate
entities without it being known who is ultimately responsible for controlling that entity.

45. http://www.fatf-gafi.org/media/fatf/documents/reports/Guidance-transparency-beneficial-ownership.pdf
46. Regulation 2(1) of the PMLFTR.


The definition of “senior managing official(s)” will depend on the type of body
corporate or body of persons. However, it is meant to capture those individual(s):
(a) who are responsible for taking strategic decisions that fundamentally affect
the business operations or general direction of that entity; and
(b) who exercise executive control over the daily or regular affairs of the entity
through a senior management position.
Paragraph (b) would typically include individuals who have executive functions
or are otherwise responsible for the management of the entity, such as
executive directors, chief executive officers (CEOs) and chief financial officers
(CFOs). Directors who do not have any executive function would fall under
paragraph (a).
Where there is more than one official who fulfils either criterion outlined above,
and none is more senior than the other, the subject person should treat all as
senior managing officials. Identifying directors who are “nominee directors” (where
this concept is allowed) or corporate directors, who are acting on behalf of other
individuals/entities who are instructing them and ultimately directing the affairs
of the body corporate, is however of no value and the subject person should
understand whether in such scenarios there are persons who would be
considered as beneficial owners because they are ultimately controlling the
company through other means, as explained above (see category (ii)).
One situation in which senior managing officials will have to be identified as
beneficial owners is in respect of State-owned enterprises or public administration
authorities. This is an interpretation laid down by the EBA in its Risk Factor
Guidelines. The said Guidelines, which are available on the EBA’s website, provide
additional guidance on this aspect and the measures that subject persons are to
take when faced with any such situation.

4.2.2.2 Trusts
Regulation 2(1) of the PMLFTR provides that, in the case of trusts, the beneficial
owners are the following persons:
(a) the settlor;
(b) the trustee or trustee(s);
(c) the protector, where applicable (since not all trusts may necessarily have a
protector or equivalent appointed);

IMPLEMENTING PROCEDURES
87
4. CUSTOMER DUE DILIGENCE CONTINUED

(d) the beneficiaries, or the class of persons in whose main interest the trust is
set up or operates; and
(e) any other natural person exercising ultimate control over the trust by means
of direct or indirect ownership or by other means.
Therefore, for the purposes of the PMLFTR, within the context of a trust, all the
above persons will qualify as beneficial owners and therefore CDD measures, on
a risk-sensitive basis, should be undertaken on these persons in accordance with
Section 4.3.2.5.
The definition of beneficial owner for trusts under Regulation 2(1) of the PMLFTR
should not be confused with the concept of beneficiaries (i.e., those who benefit
or who may benefit from the trust) in terms of applicable trust law. The definition
of a beneficial owner with respect to trusts has, as stated above, been made to
also include the settlor, as well as the protector/s (if one or more are appointed)
and the trustee, who typically enjoy no benefit, as such, under a trust.
The reference to the settlor should not be construed as being limited to the
original settlor but is to include also any other person who subsequent to the
creation of the trust adds property to the trust settlement.
The trustees of a trust are deemed to be its beneficial owners because of the
control they invariably exercise over the trust assets, since they will naturally
exercise control over the trust property. The PMLFTR (reflecting the 4th AML
Directive and the FATF 2012 Recommendations) also include the settlor within
the definition of beneficial owner (given that he/she may still exercise a degree
of control, even though to a lesser extent than that which a trustee has).
In the case where a protector is appointed, the protector may typically also
exercise some measure of control over the trust and the trust property (as laid
out in the trust instrument), often by retaining a power of veto to approve or
otherwise block certain decisions, as well as the power to remove or appoint
trustees, replace trustees or successor trustees, besides generally by keeping the
trustee in check.
The definition of beneficial owner in the case of trusts includes also all the
beneficiaries of the trust (i.e., the persons indicated in the trust deed as being the
beneficiaries of the trust or the persons who may potentially benefit under the
trust), irrespective of the extent of their beneficial interest. This would include
beneficiaries who are determined, as well as those who are not determined from
the outset, due to the nature of the trust, and also beneficiaries designated by
class (such as, for example, trusts set up for the future grandchildren of the settlor
or some types of purpose trusts or charitable trusts). Reference should be made

to Section 4.3.2.5 for an explanation of the CDD requirements in the case of
such trusts and trusts in general.
In addition, the definition of ‘beneficial owner’ in Regulation 2(1) of the PMLFTR,
with respect to trusts and similar arrangements, also provides that other natural
persons who, in some way or another, exercise ultimate control over the trust,
possibly by holding significant powers, are also considered as beneficial owners.
In this regard, “control” means a power (whether exercisable alone, jointly with
another person or with the consent of another person) under the trust
instrument or by law to:
(a) dispose of, advance, lend, invest, pay or apply trust property;
(b) vary or terminate the trust;
(c) add or remove a person as a beneficiary or to or from a class of beneficiaries;
(d) appoint or remove trustees or give another individual control over the trust; and
(e) direct, withhold consent to or veto the exercise of a power mentioned in
points (a)-(d),
and which typically are held by the trustee or possibly a protector, albeit
sometimes (to some degree or other) retained by the settlor or other named
person in the trust instrument.

4.2.2.3 Legal entities, such as foundations, and legal arrangements similar to trusts

Paragraph (c) of the definition of beneficial owner under Regulation 2(1) of the
PMLFTR covers legal entities, such as foundations and legal arrangements that
have a function or structure similar to trusts. Legal entities or arrangements having
functions or structures similar to trusts would, for example, include Treuhands and
Fiducie, which are considered as the ‘civil law’ equivalents of the trust.
Certain other succession-law institutes (e.g., executorship of a will), various forms
of shared ownership and community of property (in particular, silent partnerships
and contractual investment funds), mandate and commission contracts,
intermediated holding of securities and fiduciary ownership for security purposes,
can also be used in a manner to ‘mimic’ trusts, and each structure should be
assessed on a case-by-case basis.
With respect to such legal entities and legal arrangements, the subject person
will need to identify the equivalent persons undertaking a similar role as the ones

identified under Section 4.2.2.2. Therefore, in the case of foundations, for instance,
the subject person would have to identify and verify the identity of:
(a) the founder (equivalent to the settlor in the case of a trust);
(b) the administrator (equivalent to the trustee in the case of a trust);
(c) member/s of the supervisory council (equivalent to the protector in the case
of a trust); and
(d) the beneficiaries or the class of persons in whose main interest the foundation
is set up or operates, and any other person exercising control, as further
detailed in Section 4.2.2.2.
The reference to the founder should not be construed as being limited to the
original founder but is to include also any other person who makes subsequent
endowments to the foundation or is otherwise assigned any rights of the founder.
Similar to trusts, legal entities or legal arrangements might not be established for
the benefit of beneficiaries or a private interest, but rather would be set up for a
cause or a purpose. In these cases, there would be no beneficiaries to identify.
However, subject persons should clearly determine the cause or purpose for
which this entity or arrangement is set up. Reference should be made to Section
4.3.2.4 for an explanation of the CDD measures that are to be carried out for
these entities and arrangements.

4.3 IDENTIFICATION AND VERIFICATION


Subject persons are required to have in place and to implement CDD policies and
measures that include customer identification and verification procedures that
allow subject persons to ascertain the true identity of their customers and, where
applicable, their beneficial owners.
Regulation 7(1) of the PMLFTR sets out the CDD measures subject persons must
undertake when establishing a business relationship or when undertaking an
occasional transaction. The CDD measures relating to the identification and
verification of the identity of the customer and beneficial owner(s) are the following:
(a) identification of the customer, and the verification of the customer’s identity
on the basis of documents, data or information that is obtained from a reliable
and independent source;47 and

47. Regulation 7(1)(a).

(b) the identification, where applicable,48 of the beneficial owner(s), and the taking
of reasonable measures to verify their identity so that the subject person is
satisfied of knowing who the beneficial owner(s) is/are.49
The identification process includes obtaining a set of personal or identifying
details on the customer; the verification process entails verifying the customer’s
identity on the basis of documentation, data or information obtained from reliable
and independent sources. The term “independent” should be interpreted to mean
a source that is independent of the customer (therefore, this would exclude a
declaration made by a customer – while an identification document or a
constitutive instrument issued by a third party, and provided by the customer
himself/herself would be acceptable).
Through the identification and verification of identity procedures carried out, the
subject person has to be satisfied that he/she knows and has verified that the
customer exists, and that the customer is who he/she purports to be. This
process also seeks to ascertain that the customer is not acting anonymously or
under a fictitious or stolen identity.
The CDD policies and measures should be tailored to address the ML/FT risks
that are posed by business relationships or occasional transactions and, as
stipulated under Regulation 7(8) of the PMLFTR, may vary from case to case so
long as the subject person is able to demonstrate that the CDD measures,
including the identification and verification measures adopted, are commensurate
to the risk of ML/FT identified through the CRA.
This section will indicate what information on identity subject persons are
expected to collect in various scenarios and which verification of identity measures
are reliable and suitable to ascertain that a customer is who he/she says he/she
is. Subject persons should determine, on a risk-sensitive basis, the timing and
extent of verification measures on a case-by-case basis in accordance with the
risk assessment carried out by the subject person.
The identification and verification measures to be applied depend also on whether
the customer is a natural person or a body corporate, a body of persons, or any
other form of legal entity or arrangement. The identification and verification
measures to be applied with respect to a natural person are dealt with in the
section below, whereas measures to be applied in the case of a body corporate,

48. A business relationship or an occasional transaction does not always involve a beneficial
owner.
49. Regulation 7(1)(b).

body of persons or any other form of legal entity or arrangement are dealt with
in Section 4.3.2 below.50

4.3.1 The nature of identification and verification of a natural person


The subject person must first identify the customer and then verify the customer’s
identity. Section 4.3.1(i) sets out the standard and minimum set of details that
should be obtained by a subject person when identifying a natural person. Section
4.3.1(ii) provides guidance on the verification measures to be adopted.
As explained above, the objective of carrying out identification and verification is
for the subject person to ensure and be able to demonstrate that it knows and
has verified that the customer exists, and that the customer is who he/she purports
to be. Identification and verification procedures also assist in ascertaining that the
customer is not acting anonymously or under a fictitious or stolen identity.
While this chapter will be laying down a standard set of identification details,
information and documentation that has to be collected on customers that are
natural persons, companies, trusts, foundations, etc., and will provide guidance to
subject persons on how verification should be carried out, the approach to CDD
should be risk based. Subject persons should therefore determine on a risk-sensitive
basis (therefore considering the risk posed) the timing, means and extent
of verification.

(i) Identification
Identification of a natural person takes place by obtaining a set of personal details.
The standard set of personal details that is to be obtained for customers that are
natural persons are the following:
(a) official full name;
(b) place and date of birth;
(c) permanent residential address;

50. The situations considered in Sections 4.3.2.1 to 4.3.2.5 are not exhaustive since they do
not take account of all possible legal entities or arrangements that a subject person may
encounter. In the event that a subject person’s customer takes a form other than those
considered under the said sections, the subject person is to apply measures similar to
those set out in Sections 4.3.2.1 to 4.3.2.5, adjusted to reflect the peculiar characteristics
that any such customer may present.

(d) identity reference number, where available; and
(e) nationality.51
However, in low-risk situations, subject persons will be considered to have
satisfied the identification requirements by obtaining the following details:
(a) official full name;
(b) date of birth; and
(c) permanent residential address.
These are considered to be the minimum personal details required to identify a
natural person.

(ii) Verification
Verification of the customer’s identity takes place by making reference to
documents, data or information obtained from a reliable and independent source.
The source has to be independent, i.e., the source used to verify the customer’s
identity details should not be the customer himself/herself. A source is reliable if it
is reputable and is trusted by the subject person to provide extensive and sufficiently
accurate data or information to verify the customer’s identity. For the purposes of
this obligation, a reliable and independent source includes, but is not limited to:
(a) a government authority, department or agency;
(b) a regulated utility company; or
(c) a subject person carrying out relevant financial business in Malta or equivalent
activities in a Member State of the EU52 or in a reputable jurisdiction.
Documents issued by the above sources are deemed to be reliable since the issuing
entities would have already checked the existence and characteristics of the customer concerned.

51. Nationality is to be understood as used on passports, i.e., as being synonymous with
citizenship. It refers to one or more jurisdictions with which the individual has formal
political ties, which ties translate into a number of rights (e.g., the right to be issued with
identification documents by that jurisdiction, the right to consular/diplomatic assistance
and protection, the right to vote in elections, etc.), and which can be acquired through a
number of means including by birth or naturalisation. Subject persons are not to consider
the term nationality as being a reference to either the customer’s ethnic group or to the
customer’s own sense of belonging.
52. For the purpose of this document, references to an EU Member State include reference
to an EEA State.

The customer’s identity may be verified by referring to documents or by making
use of electronic sources. By far the most obvious and common sources used to
verify the identity of a customer are identity cards, passports, driving licences and
residence cards. This notwithstanding, subject persons may also refer to, and rely
on, other documents to verify aspects of the customer’s identity, such as
documents issued by regulated financial business entities or utility companies,
which have dealt with or serviced the customer, to verify the customer’s identity.
Verification of the identity of the customer may also take place through electronic
sources, such as e-IDs or Bank-IDs (widely used in Scandinavian countries) and
electronic commercial databases.
Verification is intended to ensure that the subject person knows who they are
dealing with and therefore the personal and identifying details obtained through
the identification process need not always be verified in their totality. Subject
persons may therefore calibrate the extent of the verification of identity on the
basis of whether that extent provides them with sufficient comfort that they
know who their customer is. Verification of the personal and identifying details
that have to be collected, even in low risk scenarios as referred to in Section
4.3.1(i) above, would inevitably have to take place in all cases, whereas the
verification of any other details is left to the discretion of the subject person,
depending on the circumstances of the case.
By way of example, in a situation where a customer’s personal and identifying
details do not present anything unusual, it would be sufficient to verify the
individual’s name and surname, permanent residential address and his/her date of
birth. On the other hand, when a customer’s place of birth and nationality show
a discrepancy, the subject person should not only verify these details but also ask
the customer the reason for this discrepancy. Verification of additional personal
and identifying details may also become relevant as the business relationship
progresses. Situations may arise when, though a customer has stated that he/she
is a national and resident of country ‘X’, the transactions taking place indicate a
close connection with country ‘Y’. In these circumstances, verification of the place
of birth and of the customer’s nationality would be relevant to better understand
the customer’s geographical connections.

4.3.1.1 When the customer is present for verification purposes (face-to-face on-boarding)

(i) Standard Verification Requirements
Verification of identity
When customers are on-boarded on a face-to-face basis, the verification of the
identity details is to be carried out either by making reference to a government-issued
document containing photographic evidence of identity or by making
reference to other documents bearing a photo of the individual, which are
recognised as a legal means of identity verification, even if not issued by a
government authority.
Documents issued by government departments or agencies, documents issued
by a court or local authority and other documents that are recognised as a legal
means of identity verification provide a high level of confidence because there is
a greater likelihood that the authorities will have checked the existence and the
characteristics of the persons concerned.
Government-issued documents containing photographic evidence of identity
include:
(a) a valid unexpired passport;
(b) a valid unexpired national or other government-issued identity card;
(c) a valid unexpired residence card; or
(d) a valid unexpired driving licence.

Verification of residential address


The verification of the residential address may be carried out through any of the
identification documents listed above (e.g., national identity card or driving licence).
When this identification document does not contain information on the
customer’s residential address, the subject person has to verify the residential
address by making reference to any one of the following documents, provided
that the residential address and the full name of the customer are referred to in
a clear and unequivocal manner in the document itself:
(a) correspondence from a central or local government authority, department or
agency;
(b) an official conduct certificate;

(c) any other government-issued document not mentioned above;
(d) a recent statement or reference letter issued by a recognised credit institution
or entity carrying out relevant financial business in Malta, or equivalent
activities in a Member State of the EU or in a reputable jurisdiction;
(e) a recent utility bill;
(f) a lease contract or agreement; and
(g) any other document as may be specified in sectoral implementing procedures
issued by the FIAU.
The documents listed above must not be more than six (6) months old when
made available to the subject person. In the case of a lease contract or agreement,
the six (6) month rule does not apply but the subject person has to ascertain that
these documents refer to a lease that is still current.
When the residential address is verified through reference to a utility bill, the
subject person should ensure that the utility bill was issued in relation to services
linked to that residential property. Therefore, a bill issued in relation to a fixed line
telephone service installed at that property would be acceptable, but mobile
telephony bills, where the services are not linked to a fixed premises, would not
be acceptable.
The customer’s residential address may also be verified by adopting an alternative
procedure that would involve the mailing of correspondence via registered mail
or other mail courier service, or the mailing of codes generated by automated
systems to the residential address provided by the customer. When subject
persons avail themselves of this measure to verify the residential address, they
should keep the following records:
(a) documentary evidence (such as an advice of delivery or a printout of the online
tracking report) which indicates that the correspondence was delivered at the
specified address and a copy of the correspondence signed by the customer
indicating the residential address where it was sent;
(b) the advice of delivery signed by the customer himself/herself; or
(c) evidence that the customer received the automatically generated code.
Another way in which subject persons may verify the permanent residential
address when this is not reproduced on any of the identification documents listed
in Section 4.3.1(i) above, is through databases maintained by public authorities
(e.g., electoral roll) or by third party service providers. However, the use of these
databases is dependent on the following conditions being met:

(a) The subject person must have already carried out verification of the
customer’s identity with respect to the other personal details collected, and
on the basis of the verified information it is able to determine that the profile
or entry in the database is actually that of the customer; and
(b) The database must be deemed to be:
(i) Reliable – The subject person has to consider how reputable the service
provider is, how often it updates its information, how accurate its
information has proven to be, etc.;
(ii) Independent – The subject person has to be certain that the data present
in the database has not been merely obtained from the customer and
presented, but has either been verified or was otherwise collected from a
government database/authority, regulated institution (e.g., banks,
investment services providers, etc.) or regulated utility companies that have
verified this personal data.

(ii) Verification requirements in Exceptional Scenarios


Some customers may not be able to produce the standard verification
documentation referred to above for various reasons. In these cases, the subject
persons should consider whether this inability is due to a deliberate avoidance or
reluctance by the customer to provide the necessary documents, data or
information, or whether it is because the required identification information or
documentation does not exist.
If the subject person is unable to complete the necessary procedures due to the
reluctance by the customer to provide the necessary documents, data or
information, the subject person is not to enter into the business relationship or
carry out the occasional transaction and, if there is a suspicion of ML/FT, the
subject person is to file a report with the FIAU, as set out in Section 5.5.
The customer may be unable to meet the standard verification requirements
because certain identification details do not exist, or the customer is unable to
procure the envisaged verification documentation, as in the following cases:
(a) customers with a legal, mental or physical inability to manage their affairs;
(b) individuals dependent on the care of others;
(c) dependant spouses/partners or minors;
(d) students;

(e) refugees and asylum seekers;
(f) customers using temporary addresses;
(g) customers residing on yachts; and
(h) individuals residing in residential care.
The subject person will therefore need to adopt an approach that compensates
for the difficulties that these customers may face in providing the standard
evidence of identity, subject and commensurate to the CRA. This approach is
necessary to ensure that, when people cannot reasonably be expected to
produce standard evidence of identity, they are not unreasonably denied access
to financial services (i.e., financial exclusion).
Subject persons may therefore have recourse to alternative measures that give
reasonable confidence as to the identity of a customer, which may be applied to
verify the customer’s identity or some aspects of his/her identity.
Below are a few examples of alternative measures that may be applied:
(a) when a customer only has a temporary address and has no permanent
residential address elsewhere, such as seasonal workers, a letter from a
director or manager of the employer confirming the residence at a stated
address and indicating the expected duration of employment would be
sufficient;
(b) when a customer resides on a yacht, the customer’s residential address may
be verified by obtaining documentation relating to the chartering of the yacht
and berthing agreements;
(c) when the customer is residing in a nursing home or similar residential care
institution, the subject person may verify the customer’s residential address
by obtaining a letter from the director or manager of the home/institution
confirming the customer’s residential address;
(d) when the customer is homeless or a member of the travelling community,
subject persons must gather sufficient information and, where available,
documentation on the customer’s situation and frequent whereabouts;
(e) when the customer is a student or part of the academic staff, and is residing
in a university, college or any other institutional residence, the subject person
may verify the customer’s residential address by obtaining a letter from the
director or senior official of the university, college or institution confirming the
customer’s residential address;

(f) when the customer is a minor (and therefore might not have identification
documents or cannot present documents issued by recognised credit
institutions or other financial service providers), subject persons may rely on
a birth certificate to verify the minor’s identity. The subject person must
additionally proceed to identify and verify the parent(s) or legal guardian(s) and
obtain reasonable evidence of parenthood or legal guardianship. With respect
to the residential address, verifying the residential address of the parents or
guardians with whom the minor resides would suffice; and
(g) when the customer is an asylum seeker, a refugee or otherwise enjoys
international protection status, verification of identity may be carried out on
the basis of the identity documents referred to in the FIAU’s Guidance Note
on AML/CFT Obligations in relation to Payment Accounts with Basic
Features.
When obtaining confirmation or declarations by third parties, the subject person
is to gather information to satisfy itself on the suitability of the person making
the declaration. The subject person is therefore required to carry out checks on
open sources or conduct confirmatory phone calls to ensure that the person
providing the declaration is who he/she purports to be. The checks that the
subject person has undertaken to confirm the identity and reliability of the third
party providing the confirmations have to be documented and retained by the
subject person.
The above list is not exhaustive and subject persons may adopt different
alternative measures, depending on the risk posed and on how reasonably
reassuring these measures are to verify that customer’s identity.

(iii) Records to be kept


When verification is carried out by making reference to and viewing in person
any of the above-mentioned identification and other documents, subject persons
are required to keep either:
(a) the original itself, where this is possible; or
(b) a copy of the original document.
In the latter case, the copy of the original document viewed for identity verification
purposes has to be dated and certified as a true copy by an officer or employee
of the subject person. The certified true copy may then either be kept on file or
otherwise scanned and the physical document disposed of. As an alternative to
retaining certified true copies, subject persons may instead retain scanned copies

of the original documents using electronic systems that can meet all the following
criteria:
(a) the electronic system used to record the document has to automatically
record data to allow the subject person to determine the officer who would
have scanned the document;
(b) the electronic system also has to automatically record the date and time of
the scanning of the document; and
(c) the electronic system has to have safeguards so as not to allow any of the
data referred to in the previous two points to be altered, amended or
tampered with.
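To show how the three criteria above can be met together, here is an added Python example of an append-only scan register. It is not the FIAU’s or any vendor’s system and is not a prescribed design: the officer identifier and timestamp are written by the system at scan time, and each entry is sealed with an HMAC that also covers the previous entry’s seal, so an edited officer id, an edited timestamp or a removed entry is detected on verification. The key, officer ids and scan bytes are constructed placeholders.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple


class ScanRegister:
    """Append-only register of scanned verification documents (added example).

    Every entry records which officer scanned the document and when, both taken
    by the system rather than typed in, and is sealed with an HMAC over its own
    contents plus the previous entry's seal. Changing an officer id or timestamp,
    or dropping an entry from the middle, therefore breaks the chain on verification.
    """

    GENESIS_SEAL = "0" * 64  # stand-in "previous seal" for the first entry

    def __init__(self, sealing_key: bytes) -> None:
        # Assumption: the key is kept in a store the scanning officers cannot read.
        self._key = sealing_key
        self.entries: List[dict] = []

    def _seal(self, entry: dict) -> str:
        # Canonical JSON so the same fields always produce the same bytes.
        body = {k: v for k, v in entry.items() if k != "seal"}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def record_scan(self, officer_id: str, document_image: bytes) -> dict:
        """Append one scan; the timestamp is read from the system clock, not supplied."""
        entry = {
            "seq": len(self.entries),
            "officer_id": officer_id,
            "scanned_at": datetime.now(timezone.utc).isoformat(),
            "document_sha256": hashlib.sha256(document_image).hexdigest(),
            "prev_seal": self.entries[-1]["seal"] if self.entries else self.GENESIS_SEAL,
        }
        entry["seal"] = self._seal(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; (True, None) if intact, else (False, index of the first bad entry)."""
        prev = self.GENESIS_SEAL
        for i, entry in enumerate(self.entries):
            if (entry["seq"] != i
                    or entry["prev_seal"] != prev
                    or not hmac.compare_digest(entry["seal"], self._seal(entry))):
                return False, i
            prev = entry["seal"]
        return True, None


def demo_tamper_detection() -> dict:
    """Constructed walkthrough: two scans, then an edited officer id and an edited timestamp."""
    reg = ScanRegister(b"constructed-demo-key-not-for-production")
    reg.record_scan("officer-17", b"constructed scan bytes: passport data page")
    reg.record_scan("officer-42", b"constructed scan bytes: utility bill")
    intact = reg.verify()

    reg.entries[0]["officer_id"] = "officer-99"      # alter who scanned it
    after_officer_edit = reg.verify()
    reg.entries[0]["officer_id"] = "officer-17"      # restore the true value

    reg.entries[1]["scanned_at"] = "2021-01-01T00:00:00+00:00"  # alter when
    after_time_edit = reg.verify()

    return {
        "intact": intact,
        "after_officer_edit": after_officer_edit,
        "after_time_edit": after_time_edit,
    }


if __name__ == "__main__":
    print(demo_tamper_detection())
```

The sealing key has to live where the scanning officers cannot read it (for instance a key store the application calls into), because whoever holds it can re-seal an altered entry; the chain therefore protects against tampering by document handlers, not by the system’s own administrators. Two further caveats: a chain of this kind makes alteration evident rather than impossible, so criterion (c) is only fully met when it is combined with write-once storage or a regular, logged verification run, and silent deletion of the most recent entries is not detectable from the chain alone unless the expected entry count is anchored elsewhere.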
Utility bills, bank statements or other documents may be received or retrieved by
customers through electronic means and hence customers may provide print-
outs of these documents or relay them electronically to the subject persons.
Subject persons should take risk-based measures to determine the reliability of
these documents (such as verifying the existence of the utility company through
open sources). The subject person’s officials receiving these documents must date
them or else retain a copy of the e-mail through which they were received.
When subject persons have recourse to exceptional means of verification (refer
to paragraph (ii) above), subject persons must, besides keeping a copy of the
documents obtained for verification of identity purposes, appropriately document
the reasons for reverting to these exceptional means of verification and the
reasons for considering the documents and information used as reasonably
reassuring to verify the customer’s identity.

(iv) Authenticity Checks


Particular care should be taken to ensure that the documents obtained are
authentic and have not been forged or tampered with. The following are some
checks that may be carried out to verify the authenticity of identification
documents:
(a) examining the optical security features that are present on the document and
confirming that these can be seen;
(b) examining the lamination of the identification document to check for any
signs, such as borders around the photographic image of the document or
raised surfaces that might be indicative of the fact that the document has
been tampered with;

(c) checking for any uneven document colours and non-uniformity of text, font
or typeface that would be indicative of a potentially counterfeit document;
and
(d) verifying or decoding the Machine-Readable Zone (MRZ) code contained on
the identification document or the alternative code reproduced on the
identification document.
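As an added illustration of check (d), the following Python routine decodes the second line of a TD3 (passport-format) MRZ and recomputes every ICAO Doc 9303 check digit. It is example code written for this page, not the FIAU’s or any vendor’s software; the sample line is the fictitious ‘Utopia’ (UTO) specimen published in ICAO Doc 9303, and the tampered copy is constructed by changing one digit of the date of birth.

```python
import re

# ICAO Doc 9303 check-digit weights, applied cyclically to each character.
MRZ_WEIGHTS = (7, 3, 1)


def mrz_char_value(ch: str) -> int:
    """Numeric value of one MRZ character: digits 0-9, letters A=10..Z=35, filler '<' = 0."""
    if ch.isdigit():
        return int(ch)
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":
        return 0
    raise ValueError(f"character {ch!r} is not valid in an MRZ")


def mrz_check_digit(field: str) -> int:
    """ICAO check digit: weighted sum (weights 7,3,1 repeating) modulo 10."""
    total = sum(mrz_char_value(c) * MRZ_WEIGHTS[i % 3] for i, c in enumerate(field))
    return total % 10


def verify_td3_line2(line: str) -> dict:
    """Decode the second MRZ line of a TD3 document and recompute each check digit.

    Returns the decoded fields, a per-field validity map and an overall flag.
    """
    if not re.fullmatch(r"[A-Z0-9<]{44}", line):
        raise ValueError("TD3 line 2 must be exactly 44 characters from A-Z, 0-9 and '<'")

    fields = {
        "document_number": line[0:9].rstrip("<"),
        "nationality": line[10:13],
        "date_of_birth": line[13:19],   # YYMMDD
        "sex": line[20],
        "expiry_date": line[21:27],     # YYMMDD
        "optional_data": line[28:42].rstrip("<"),
    }
    # Each check digit protects the field immediately before it. The final
    # (composite) digit covers document number, birth date, expiry date and
    # optional data together with their own check digits.
    checks = {
        "document_number": mrz_check_digit(line[0:9]) == mrz_char_value(line[9]),
        "date_of_birth": mrz_check_digit(line[13:19]) == mrz_char_value(line[19]),
        "expiry_date": mrz_check_digit(line[21:27]) == mrz_char_value(line[27]),
        "optional_data": mrz_check_digit(line[28:42]) == mrz_char_value(line[42]),
        "composite": mrz_check_digit(line[0:10] + line[13:20] + line[21:43])
        == mrz_char_value(line[43]),
    }
    return {"fields": fields, "checks": checks, "all_valid": all(checks.values())}


# ICAO Doc 9303 specimen (fictitious state "UTO"), and a copy with the birth
# date altered from 740812 to 740813: constructed test data, not real documents.
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
TAMPERED_LINE2 = "L898902C36UTO7408132F1204159ZE184226B<<<<<10"

if __name__ == "__main__":
    for label, mrz in (("specimen", SPECIMEN_LINE2), ("tampered", TAMPERED_LINE2)):
        result = verify_td3_line2(mrz)
        print(label, result["all_valid"], result["checks"])
```

A failed check digit flags a transcription error or a crude alteration; a careful forger recomputes the digits, so a passing result is a consistency check and not proof of authenticity. It belongs alongside the optical, lamination and typeface checks and the specimen comparison, and the outcome should be recorded with the rest of the verification file.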
There are a number of open sources of information that subject persons may use
to assist them in carrying out authenticity checks. Subject persons may refer to
the following websites to view sample identification documents from a number of
jurisdictions around the world:
• www.edisontd.net;
• https://ec.europa.eu/home-affairs/sites/homeaffairs/files/e-library/documents/policies/borders-and-visas/schengen/docs/handbook-annex_23_part_1_and_2.pdf; and
• https://www.consilium.europa.eu/prado/EN/prado-start-page.html.
Additionally, subject persons may also refer to commercial software solutions that
check the algorithms used to generate passport numbers. This can be used to
check the validity of passports of any country that issues machine-readable
passports. Subject persons should exercise due care when relying on documents
that are issued by high-risk or non-reputable jurisdictions and are, on a risk-sensitive
basis, to determine whether additional checks or documentation should
be carried out or obtained.
Subject persons should be wary of receiving downloaded utility bills, bank
statements or other documentation in a format that may be more easily tampered
with (e.g., MS Word documents), in the sense that the data within may be
amended or fabricated. In these cases, subject persons should take practical and
proportionate steps to establish whether the relevant source should be
considered to be reliable and be used.
Subject persons must, moreover, ensure that any documentation obtained for
verification purposes is in a language that is understood by the subject person
and the officers or employees carrying out the verification process. Where this is
not the case, appropriate steps should be taken to ensure that the document does
provide the necessary evidence to verify the customer’s identity details. A
translation in writing of any such document should be retained on file.

4.3.1.2 When the customer is not present for verification purposes (non-face-to-face on-boarding):
The types of business conducted online or provided remotely are on
the increase, leading to more customers not being met physically by subject
persons (i.e., non-face-to-face on-boarding). The provision of services and the
carrying out of occasional transactions on a non-face-to-face basis increases the
risk of ML/FT and customer impersonation.
This is due to a number of factors, such as the ease of accessing services at any
time and from any location, the possibility of setting up multiple fictitious accounts
and avoiding detection, the absence of physical documents that can be viewed
and the speed with which services are provided and transactions carried out.
Subject persons should thus factor this into their BRAs and CRAs, and be more
diligent when undertaking CDD measures on customers on-boarded on a
non-face-to-face basis.
While, as explained, there is an increased risk when undertaking non-face-to-face
business relationships and occasional transactions, these relationships and transactions
should not automatically be considered to be high risk and the extent of CDD should
be determined on the basis of a holistic CRA that also takes into consideration other
elements of risk, such as the nature and characteristics of the product, service or
transactions being offered or carried out and the type of customer.
This notwithstanding, subject persons have to bear in mind what verification of
identity entails and should therefore assess whether the identification and
verification measure(s) to be applied, whether documentary or electronic, provide
sufficient comfort that the customer exists and that he/she is truly who he/she
says he/she is. Should the subject person still have doubts about the customer’s identity,
or about the authenticity of the documents, the subject person should assess whether,
in view of the other risk elements of the relationship or transaction, additional or
different identification and verification measures or checks should be carried out.

(i) Verification on the basis of documents

When the customer is not present for verification purposes, subject persons
would only be in a position to obtain copies of the identification documents listed
under Section 4.3.1.1(i) above. With respect to other documents that may be
used to verify the residential address listed under the same section (such as utility
bills or bank statements), subject persons may obtain either originals or copies.
It would also be acceptable to verify the residential address through the mailing
of correspondence or codes as explained in Section 4.3.1.1(i).

When receiving documentation in copy or scanned format, subject persons should
be mindful of a number of factors when determining the reliability and suitability
of that document for verification purposes. Subject persons should avoid accepting
documents provided in formats that are more susceptible to tampering
(e.g., MS Word documents) and should instead request copies in other, more
tamper-resistant formats (such as PDF).
Subject persons should be wary of identification documents and other documents
issued by authorities or entities in high-risk or non-reputable jurisdictions.
Subject persons have also to ensure, when receiving copies or scanned
documentation, that the information and contents of this documentation are clearly
visible and legible, and that the document is in a language that is understood by
the subject person and the officers or employees carrying out verification.
Translations of any such documents should be reduced to writing and retained
on file.
Similarly to face-to-face on-boarding, subject persons should carry out checks to
ascertain the authenticity of the document supplied (reference may be made to
Section 4.3.1.1(iv) for guidance on authenticity checks that may be carried out).
The subject person should then determine whether, on the basis of the
documentation obtained, it is confident of having adequately verified the customer
or whether additional checks or measures should be carried out. This
determination should be made on the basis of the CRA for that particular business
relationship or occasional transaction and also on the basis of a number of other
factors, such as the type of document provided and whether doubts arise on the
authenticity of the document itself.
By way of example, in low-risk business relationships or occasional transactions,
the provision of an identification document in copy would be sufficient so long as
no issues arise as to its authenticity or reliability. In other situations, where the risk
of ML/FT is not low, subject persons should consider applying additional measures
to verify the customer’s identity.
The following is a list of additional measures that may be applied by subject persons
to verify the customer’s identity and hence be satisfied of having verified that the
customer exists, and he/she is who he/she says he/she is:
(a) requesting additional identification documentation – through this measure,
the identity details (at least the identity details required in low-risk scenarios)
would be verified at least twice on the basis of multiple documents, as set out
in Section 4.3.1.1. For such a measure to be effective, the documents relied
on for verification purposes should not be issued by the same source. By way
of example, if the subject person obtains a bank statement or correspondence
from a government department to confirm the residential address, it would
not be an effective measure to obtain as a second and additional document a
reference letter issued by the same bank or the same government department
(given that the source of information would be the same);
(b) requiring certified documentation – this measure consists in the certification
of identification or other documents used for verification purposes by embassy
officials, legal or accountancy professionals, entities/persons undertaking a
relevant financial business or equivalent activities in reputable jurisdictions, or
by any other person who is empowered to certify documents within the
customer’s jurisdiction. In the latter case, it is imperative for the subject person
to document that the certifier is actually empowered to do so. The reasoning
here is that the certifier would be providing added comfort on the authenticity
of the document and confirming that the personal details appearing on the
certified document correspond to the customer.
When certified documents are obtained, these should include a written
statement to the effect that:
• the document certified is a true copy of the original document;
• the original document has been seen and verified by the certifier; and
• the photo visible on the document (where applicable) is a true likeness of
the customer.
The certified copy must be signed and dated by the certifier and is to include
the certifier’s:
• name and surname;
• address;
• contact details; and
• profession, designation or capacity.
Subject persons should conduct independent checks to verify the existence
of the certifier and document these checks (e.g., checks on open media
sources or professional registers). Subject persons must exercise caution
when accepting certified copy documents, especially when these documents
originate from a country or territory perceived to represent a higher risk than
usual.

(c) ensuring that the first payment or transaction into the account is carried
out through another account held by the same customer in his/her name
with a credit institution authorised under the Banking Act 53 or a financial
institution authorised under the Financial Institutions Act 54 or otherwise
authorised in another EU Member State or a reputable jurisdiction – when
receiving funds from a bank or payment account held by the same customer
with another bank or financial institution, the subject person would have a
degree of comfort 55 that the customer’s identity would already have been
verified by another entity. To this end, it is however important that the
information transmitted with the payment and received by the subject person
allows the subject person to establish that the account from which the
payment is received is actually held by the customer. It is to be noted that the
first payment or transaction into the account held by the customer may also
be a card payment, so long as the card used to effect the payment is linked to
an account held by the payer with a credit or financial institution. E-money
payments are not admissible in terms of this paragraph.
(d) requesting the customer to confirm automatically generated codes or
PINs before accessing the service/account – such automatically generated
codes or PINs may be supplied to the customer via mail to his/her
residential address or via verified means of communication (e.g., mobile
phone), requiring the customer to input these security codes or PINs before
accessing the service or being able to operate an account.
(e) holding a ‘welcome call’ with the customer via a verified home or mobile
phone number and confirming certain personal information or a transaction
to be undertaken – through this method of verification, the subject person
may verify the personal details provided by the customer at an earlier stage or
details of requested transactions via a telephone call held through a fixed line
or mobile phone number that can be linked to the customer.
(f) using information that can be retrieved from a customer’s device to
corroborate certain personal details provided by the customer (e.g., the
customer’s IP address or the geo-location of a mobile phone to confirm
residence).

53. Cap. 371 of the Laws of Malta.
54. Cap. 376 of the Laws of Malta.
55. To this end, it is important that the subject person consider whether there is any adverse
information available on the institution from where the payment originates that may shed
light on the adequacy of the CDD measures they apply.

(g) sending a transfer of a small amount of funds to a bank account held by
the customer, asking him/her to return the funds or to indicate the value
of that transaction.
(h) requiring the customer to send a photograph clearly showing the
customer’s face and the image on the identity document being held in the
same picture to demonstrate that it actually belongs to the customer – the
subject person would be able to compare the face, and the features of the face
of the customer, with that included on the identification document and
therefore verify that the identification document truly belongs to that individual.
This list should not be construed as an exhaustive list of additional measures or
checks that subject persons may carry out. Subject persons may revert to other
measures or checks, so long as these measures assist in determining that the
customer really exists and that he/she is who he/she claims to be.

Use of video conferencing tools

Subject persons may also remotely verify the identity details of a customer
through video conference facilities. A video call may be carried out subsequent
to the customer submitting copies of the identification or other verification
documents listed in Section 4.3.1.1(i) to the subject person (e.g., by e-mail) or by
making this documentation visible in the course of the video conference call.
When making use of this means, subject persons must observe a number of
conditions that are set out in the following paragraphs.
The video call has to allow the subject person and the customer to make both
visual and verbal contact simultaneously. It should be of a sufficiently good quality
to enable clear verbal communication and to allow the subject person to clearly
visualise the customer’s face, as well as view the contents and security features
of identification documents produced by the customer (where identification
documents are being presented through the video call).
Checks to verify the authenticity of verification documents presented through
the video call may either be carried out manually by the officer of the subject
person or automatically through the use of software, which may be embedded
within the video conferencing tool itself and has the capability to carry out these
authentication checks. Subject persons may refer to Section 4.3.1.1(iv) for
guidance on authenticity checks that may be carried out manually. To carry out
some of the listed checks (e.g., to visualise the security features of the
identification document being presented) the customer should be asked to tilt the
document during the video call.

The official carrying out this procedure must also examine the image on the
identification document (presented during the video call or submitted to the
subject person prior to the video call) to ensure that it matches the customer’s
visual appearance as well as the details of the person produced on the
identification document (such as age).
When a subject person carries out verification of identity through video
conferencing, the following records must be retained to demonstrate compliance
with the above requirements:
(a) at least an audio recording of the video call or the entire video call itself, which
includes the entire conversation between the official of the subject person
and the customer;
(b) screenshots taken during the video call, which must include an image of the
customer as well as the date and time displayed by the video conference tool;
and
(c) when the identification document is produced by the customer throughout
the video call, screenshots of the identification document (all relevant pages
or sides) will need to be recorded. The photographic evidence of identity as
well as all the information on the identification document must be clearly
visible and legible from the screenshots.

Use of identity verification software

Subject persons may make use of identity verification software, which allows
customers to upload facial images, video clips and scans of the identification
documents listed in Section 4.3.1.1(i) and can carry out authentication checks on
these documents, as well as visual checks, to compare the uploaded customer’s
facial image with the image appearing on the uploaded document.
Prior to acquiring any software, the subject person should assess the system and
evaluate the capabilities of the software (such as what types of documents the
system is able to screen for authentication, whether the system allows for the
retention of documents uploaded, etc.) to ensure that the requirements set out
in this Section are satisfied.
The identity verification software should be able to carry out the following
automated checks on the receipt/uploading of the identification document:
(a) Visual Checks – the system should be able to compare automatically the facial
features of the customer shown on the photographic image visible on the
identification document with the facial features shown on a separate
photograph or a video clip taken and sent by the customer contemporaneously
with the transmission of the identification document.56 Moreover, the system
should have the capability of comparing the images and determining that the
person represented in both photographic images is one and the same.
(b) Authentication Checks – the system should have the capability of
automatically verifying the authenticity and validity of the identification
document submitted by performing a number of checks, such as:
• verifying that the security features (such as holograms) of that particular
identification document are in place;
• examining the lamination and ensuring that there are no indicative signs that
the document may have been tampered with;
• examining the document’s layout and features (such as font, typeface and
colour) and ensuring that these match the document’s standard; and
• reading and validating the Machine-Readable Zone (MRZ) code or the
alternative code reproduced on the identification document.
The subject person should be satisfied that the system’s authentication checks
are suitable and reliable, and that they are effective in detecting fake or forged
documents.
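As an added illustration of the MRZ reading and validation check referred to in point (b) above and in Section 4.3.1.1(iv)(d), the following Python code recomputes the ICAO Doc 9303 check digits on the second line of a passport's machine-readable zone. It is example code written for this page, not software from the FIAU or from any identity verification vendor; the specimen MRZ is the published ICAO "Utopia" sample, and the tampered variant is constructed here to show how an altered date of birth is detected.

```python
"""Check-digit validation for the machine-readable zone (MRZ) of a TD3
(passport-size) document, following ICAO Doc 9303.

Added example: this is not code from the FIAU Implementing Procedures or from
any identity verification vendor. A document whose MRZ check digits do not
recompute correctly has either been misread or altered; in both cases the
subject person should treat the document as unverified until resolved.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# ICAO 9303 weighting: the weights 7, 3, 1 repeat across the field from left
# to right, and the check digit is the weighted sum modulo 10.
WEIGHTS = (7, 3, 1)


def char_value(ch: str) -> int:
    """Map a single MRZ character to its ICAO 9303 numeric value."""
    if "0" <= ch <= "9":
        return ord(ch) - ord("0")
    if "A" <= ch <= "Z":
        return ord(ch) - ord("A") + 10
    if ch == "<":  # filler character
        return 0
    raise ValueError(f"character {ch!r} is not permitted in an MRZ")


def check_digit(data: str) -> int:
    """Compute the ICAO 9303 check digit for one MRZ field."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(data)) % 10


@dataclass
class MrzResult:
    """Fields parsed from line 2 of a TD3 MRZ plus any check-digit failures."""
    document_number: str
    nationality: str
    birth_date: str       # YYMMDD as printed in the MRZ
    sex: str
    expiry_date: str      # YYMMDD as printed in the MRZ
    failures: List[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.failures


def validate_td3_line2(line: str) -> MrzResult:
    """Recompute every check digit on line 2 of a TD3 MRZ.

    Layout (0-based positions): 0-8 document number, 9 its check digit,
    10-12 nationality, 13-18 date of birth, 19 check digit, 20 sex,
    21-26 expiry date, 27 check digit, 28-41 optional data, 42 check digit,
    43 composite check digit over positions 0-9, 13-19 and 21-42.
    """
    if len(line) != 44:
        raise ValueError("TD3 MRZ line 2 must be exactly 44 characters")

    fields: Dict[str, Tuple[str, str]] = {
        "document_number": (line[0:9], line[9]),
        "birth_date": (line[13:19], line[19]),
        "expiry_date": (line[21:27], line[27]),
        "optional_data": (line[28:42], line[42]),
    }
    failures: List[str] = []
    for name, (value, printed) in fields.items():
        # An unused optional-data field may carry '<' instead of '0' as its
        # check digit; treat the filler as zero for that field only.
        if name == "optional_data" and printed == "<":
            printed = "0"
        if str(check_digit(value)) != printed:
            failures.append(name)

    # The composite digit covers the other fields together with their own
    # check digits, so a single altered character is caught twice.
    composite = line[0:10] + line[13:20] + line[21:43]
    if str(check_digit(composite)) != line[43]:
        failures.append("composite")

    return MrzResult(
        document_number=line[0:9].rstrip("<"),
        nationality=line[10:13].rstrip("<"),
        birth_date=line[13:19],
        sex=line[20],
        expiry_date=line[21:27],
        failures=failures,
    )


# Specimen line 2 from the ICAO Doc 9303 sample passport ("Utopia"); it does
# not describe a real person or document.
ICAO_SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"

# Constructed for this example: the same line with the date of birth changed
# from 740812 to 740813, as someone editing a scanned copy might do.
TAMPERED_LINE2 = ICAO_SPECIMEN_LINE2[:13] + "740813" + ICAO_SPECIMEN_LINE2[19:]


if __name__ == "__main__":
    for label, mrz in (("specimen", ICAO_SPECIMEN_LINE2), ("tampered", TAMPERED_LINE2)):
        result = validate_td3_line2(mrz)
        print(label, "valid" if result.valid else f"FAILED: {result.failures}")
```

A passing check only shows that the MRZ is internally consistent; it does not replace the security-feature, lamination and facial-comparison checks listed above, and the record of the check should be retained with the other verification documents.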
Subject persons should ensure that an electronic copy of the identification
document and the photograph taken and sent by the customer or stills of the
video clip showing the customer’s face are retained on file. These documents
should be saved automatically by the same system used to receive these
documents, and the time and date when these documents were received should
be recorded. Moreover, the system must have measures in place to ensure that
these records cannot be altered or tampered with.

56. For the avoidance of doubt, it should be noted that the photograph/video clip with which
the comparison is made should be taken at the same time that the person has accessed
the system to upload the identification document and the system should have inbuilt
features that verify and confirm this.

(ii) Electronic verification of Identity

The methods of verification of identity mentioned in this section do not entail the
presentation of identification documents or other verification documents but
rather allow for the identity of the customer to be verified remotely through
electronic means.

Verification through the use of commercial electronic data providers

It is possible to carry out the verification of a person’s identity electronically
through recognised commercial electronic data providers. These commercial data
providers may have access to multiple data sources, such as electoral registers,
driving licence databases and passport identity registers, among others.
In determining the commercial electronic database that is to be used, the subject
person should have regard to data protection requirements and ensure that the
provider is abiding by any applicable data protection obligations.
In addition, the subject person should ascertain what data sources are being used
by the given provider to populate that database, and consider their reliability and
independence (i.e., it is important that the data used is not obtained from the
individuals themselves) and that the data can be used for verification purposes.
Moreover, the subject person should ensure that the provider regularly reviews
the data contained in that database and keeps that data updated.
The commercial electronic data provider should allow the subject person availing
himself/herself of its services to capture and store the information it used to verify
the identity.
When commercial electronic data providers only cross-check the customer’s
personal details provided to ensure that they belong to an existing individual
without determining whether the customer is, in fact, who he/she says he/she is,
the subject person cannot rely solely on the checks undertaken by the
commercial electronic data provider since the subject persons would not be
considered to have successfully verified the customer’s identity.
In these instances, the subject person should also apply one or more additional
measures, as specified in Section 4.3.1.2(i), to verify the customer’s identity.

Use of e-IDs

A number of jurisdictions have developed electronic identification systems (i.e.,
systems that allow an individual to provide evidence of his/her identity remotely).
Personal identification data is encrypted and is either stored on electronic devices
(e.g., electronic chips embedded in identification documents, mobile phones, etc.)
or is otherwise accessed through the use of a set of credentials associated with
the given individual.
Subject persons who are able to retrieve the data stored on any such device or
associated with the credentials used by a given individual can make use of these
systems for verification of identity purposes. However, it would be necessary for
the following conditions to be met:
• this measure is recognised to be a legally valid means of identity verification
in the customer’s jurisdiction of nationality or residence, provided that the
jurisdiction is an EU member state or a reputable jurisdiction; and
• the use of the electronic identification system as a means of identity
verification is administered or approved by the government of an EU member
state or a reputable jurisdiction.
When subject persons avail themselves of this measure to verify the customer’s
identity, a print-out or an electronic copy evidencing that all personal details listed
in Section 4.3.1(i) were verified should be retained on file. The print-out or
electronic copy should also make reference to the system used to transmit and
read the data.
By way of example, it would be permissible for a subject person to use e-IDs or
BankIDs in use within Scandinavian countries to verify the identity of a customer
so long as the e-ID or BankID meets the criteria set out above. Other similar
e-ID systems have also been developed or are being developed by other EU
countries. Equally acceptable would be electronic identification and trust services
developed within the context of Regulation (EU) No 910/2014.

Verification of Identity Platforms

Verification of identity can also be carried out by engaging the services of a third
party, i.e., through an outsourcing arrangement that meets the conditions set out
in Chapter 6 of these Implementing Procedures. This could include engaging a
third party to carry out the verification process with respect to one’s customers.
However, it could also include the use of software solutions or platforms through
which individuals can have their identity verified and which enable them to hold
identification information, data and documentation through that solution or
platform. Individuals may then allow subject persons to access this identification
information, data and documentation to verify their identity, when requesting the
carrying out of an occasional transaction or the establishment of a business
relationship.
However, prior to making use of any such service, subject persons should
understand how the verification of identity is carried out and ensure that this
meets the requirements set out in this chapter. To the extent that any such service
satisfies these requirements and the information, data and documentation is still
current and unexpired at the time it is accessed and used by the subject person,
it would not be relevant that the verification of identity through the platform or
software would have taken place prior to the carrying out of an occasional transaction
or the establishment of a business relationship with the subject person.
When making use of any such software or platform, subject persons should also
consider who is to be responsible to ensure that information, data and
documentation is kept updated. Should this not be part of the service acquired
through the use of this software or platform, the subject person concerned would
have to ensure that it carries out itself the necessary on-going monitoring to
adhere to its obligations arising from Regulation 7(2)(b) of the PMLFTR. In
addition, even when any such updating is carried out by the service provider itself,
the subject person has to ensure that it is informed whenever a customer refuses
to update the information, data and documentation held through the software
or on the platform.
In this context, it is also important to remark that the subject person should not
only be in a position to access the information, data and documentation used for
verification purposes at all times, but it must also be in a position to retain
copies thereof following termination of the outsourcing agreement.

4.3.2 Identification and Verification of Customers other than Natural Persons
The following sections set out how a customer other than a natural person is to
be identified and verified. The extent of the identification and verification measures
to be carried out is to be determined by adopting a risk-based approach,
depending on the respective customer’s risk profile. In cases where the customer
is a well-known, reputable organisation with a long history within a particular
industry and substantial public information is available about it, standard evidence
may well be sufficient to meet the CDD measures required to be carried out.

However, when the subject person is entering into a business relationship or
undertaking an occasional transaction with a customer that poses a higher than
normal risk of ML/FT, additional CDD measures in the form of EDD should be
applied by the subject person on a risk- sensitive basis.
The measures outlined below are to be applied in the same manner independently
of the jurisdiction where the customer is registered or established. However, the
particular jurisdiction may influence the reliability of the information obtained
through company or similar registers.
Subject persons should be aware that the type of documentation issued by
registries, and standards of control over that documentation, may vary between
different countries. Particular care should also be taken to ensure that the
documents obtained have not been forged or tampered with, but are authentic.
Subject persons should also bear in mind that the systems in certain jurisdictions
may be less transparent than in others and the documentation emanating from
registries situated in these jurisdictions may not be sufficient to fulfil the
verification requirements laid out in the PMLFTR, as further explained below.
Subject persons therefore have to consider taking additional measures to address
these aspects.
Subject persons should, moreover, ensure that any documentation obtained for
verification purposes is in a language that is understood by the subject person and
its officers or employees carrying out the verification process. Where this is not
the case, appropriate steps should be taken to ensure that the document does
provide the necessary evidence to verify the customer’s identity details. Translations
of any such documents should be reduced to writing and retained on file.

4.3.2.1 When the Customer is a Company

(i) Identifying a company
The subject person is required to first identify the company by gathering the
following information:
(a) the company’s official full name;
(b) the company’s registration number;
(c) the company’s date of incorporation or registration; and
(d) the company’s registered address or principal place of business.

(ii) Verifying the Identification Details of a Company

The subject person must verify all the information obtained on the company by
referring to appropriate independent and reliable sources. It is up to the subject
person to ascertain, following careful consideration of the risk posed by the
customer, the appropriate sources. One or more of the following documents may
be referred to by subject persons for verification purposes:
(a) the certificate of incorporation;
(b) a certificate of good standing (which is not older than three (3) months);
(c) a company registry search;
(d) the most recent version of the Memorandum and Articles of Association or
other constitutive document;
(e) audited financial statements, annual returns, and/or tax returns for the previous
or current year; and/or
(f) bank statements that are not older than six (6) months.
This list is not exhaustive, and the subject person may use any other document they
consider as being equally reliable as long as it originates from an independent source.
Original documents and documents downloaded from official registers are
considered to provide the highest level of reliability. Where an original document
is viewed, subject persons are required to keep either the original itself or a true
copy of the document, signed and dated by an officer of the subject person, on
file or in electronic form.
Subject persons may also retain a scanned copy of the document by making use
of the electronic system set out under Section 4.3.1.1(iii). Copies downloaded
from an official registry website would similarly have to be retained by the subject
person, together with a record of when and from which website the documents
were downloaded.
When copies of documents are obtained, subject persons should consider, based
on the risk assessment carried out by the subject person, whether additional
checks and safeguards should be applied to ensure they are satisfied of the
robustness of their verification measures. This may include having the documents
duly certified by the company’s officials or by any of the persons referred to under
Section 4.3.1.2(i)(b), as far as they are deemed to be reliable.
The subject person is also required to verify the company’s legal status. This should
be done by confirming that the company has not been or is not in the process of
being dissolved, struck off, wound up or terminated. The verification of this legal
status is to take place either through a company registry search or by obtaining
official registry documentation, such as a good standing certificate.
This documentation may be obtained either in original or as a certified true copy
of the original, with the certification carried out by any one of the persons
referred to in the preceding paragraph. If a search is carried out, then the subject
person is to retain a record of the search and of the results it yielded.

(iii) Identifying a company’s directors

Once the verification is complete, the subject person must identify all the directors
of the company.
In the case of directors who are natural persons, identification consists in collecting
as a minimum the identification details referred to in Section 4.3.1(i) for low-risk
scenarios. These can be collected by referring to the same sources that can be
used to verify the identity of the company, as well as other documents, such as:
(a) the list of directors contained in the most recent version of the Memorandum
and Articles of Association;
(b) a company registry search, provided that the officers of the company are
listed therein;
(c) a good standing certificate or a certificate of incumbency, which is not more
than three (3) months old; or
(d) a copy of the directors’ register of the company.
In the case of a corporate director(s), subject persons are required to obtain details
of the corporate director’s:
(a) official full name;
(b) registration number;
and
(c) registered address or principal place of business.
It is important to note that the PMLFTR do not require subject persons to verify
the identity of the directors but only to identify them. However, should an
individual identified as a director be also acting as the company’s agent, as
explained in Section 4.2.1 above, or be also identified as one of the company’s
beneficial owners under any of the circumstances referred to in Section 4.2.2
above, then the subject person would also need to verify the director’s identity
and, where applicable, ensure that he/she is authorised in writing to act on the
company’s behalf.

(iv) Understanding the ownership and control structure


Subject persons are required to establish the company’s ownership and control
structure. While some structures are clear and easily understandable, other
structures might be more complex and the use thereof without a legitimate
commercial purpose should give rise to concern and possibly an increased risk of
ML/FT. Subject persons should therefore undertake appropriate checks and
gather information to be able to understand the ownership and control structure,
and determine who the customer’s beneficial owner is.
To comply with this obligation, subject persons must obtain from the customer
and maintain on file or in electronic form an explanation of the company’s
ownership and control structure. In the case of multi-tier and complex structures,
it would also be useful to maintain on file or in electronic form a chart showing
the ownership structure to the extent that would be required to determine who
the beneficial owner is.
Both the explanation and the structure chart should contain sufficient detail to
allow the subject person to understand how the beneficial owner is linked to the
customer and to allow eventual verification of this, as explained below.
Once these are obtained, subject persons should then conduct independent
research to verify the information on the corporate structure by consulting online
commercial databases, company registries, relevant audited accounts or by
obtaining certification by any of the persons referred to under Section 4.3.1.2(i)(b).
The reliability of the measures to be adopted in the verification of the structure
should be assessed by the subject person on a risk-sensitive basis.

(v) Identifying and verifying the identity of beneficial owners


Having established who the beneficial owner is, the subject person must ensure
that the customer provides it with the personal details listed in Section 4.3.1(i)
for the beneficial owner. The subject person then has to verify the beneficial
owner’s identity by applying any of the verification measures referred to in Section
4.3.1 that may be most appropriate to the circumstances of the case. When the
beneficial owners are the beneficiaries of a trust that is holding shares in the
customer directly or indirectly, and it results that they are either unaware of their
entitlement under the trust or, for their benefit to materialise, it would be
necessary for the trustee to exercise its discretion or for a pre-determined
condition to realise itself, the identification and verification of their identity can
take place as set out in Section 4.3.2.5 (iii) hereunder.
In the case of a business relationship, the subject person must also take all
reasonable measures to ensure that the customer keeps the subject person
informed of any changes in the beneficial ownership, such as by including an
obligation in a letter of engagement (or by means of an exchange of
correspondence) on the customer to keep the subject person updated.
This is not to say that the subject person is divested of its responsibility for
ongoing monitoring, since this also includes taking active steps to ensure that the
information held by the subject person is current and valid, especially when
circumstances indicate that there has been a change in beneficial ownership.
Subject persons may also refer to any Beneficial Ownership Registers that are
maintained by EU Member States or other third countries. However, this is not to be
considered as a substitute for carrying out CDD but as a tool to be used on a
risk-sensitive basis to assist the subject person to corroborate the information obtained.
There may be situations when no beneficial owner, as defined in Table 7 part (a)(i)
and (ii) of Section 4.2.2, can be identified.[57] In these cases, to the extent that the
subject person has exhausted all possible means to identify a beneficial owner
and does not have any suspicions that there is anyone else who may be so
considered, subject persons are required to treat those persons who hold the
position of senior managing officials of the company as beneficial owners and to
identify and verify their identity accordingly. This would involve identifying and
verifying the identity of the directors or persons occupying similar positions who
effectively manage the company.
The subject person is obliged by the PMLFTR to keep a record of the actions
taken to identify the beneficial owner as mentioned above, and why it was
necessary to consider the senior management officials as beneficial owners.

4.3.2.2 When the Customer is a Listed Company

When the customer is a listed company, i.e., it has its securities admitted to trading
on a regulated market, subject persons may, to the extent that the requirements
set out in this section are met, limit themselves to carrying out the measures
referred to in Section 4.3.2.1 (i) and (ii), and refrain from carrying out the measures
referred to in Section 4.3.2.1 (iii)-(v) mentioned above.
To this end, the subject person has to establish whether:
(a) the company’s securities are traded either on an EEA regulated market within
the meaning of MiFID[58] or on a non-EEA regulated market. If the regulated
market is located within the EEA, the subject person has to document how
it has ascertained the status of the regulated market. A full list of all regulated
markets authorised within the EU is available on this website.
If the market is outside the EEA, the subject person has to ascertain that the
jurisdiction where this market is located is a reputable one and then establish
that the market is subject to regulation in a manner similar to that provided
for within the EEA.
(b) the company is subject to disclosure requirements which ensure adequate
transparency of ownership information. This can be assumed to be the case
when the company’s securities are traded on an EEA regulated market. When
the trading is taking place on a non-EEA regulated market, the subject person
has to determine whether the company is subject to disclosure obligations
that are contained in international standards and are equivalent to the
specified disclosure obligations in the EU. The subject person should ensure
that, as a minimum, the company is subject to specified disclosure obligations
that are consistent with the specified articles of (i) the Prospectus Directive,[59]
(ii) the Transparency Obligations Directive,[60] and (iii) the Market Abuse
Directive[61] and with EU legislation made under the specified articles.
Subject persons are to note that, prior to exercising the discretion allowed under
this Section, they are to consider whether any regulatory action has been taken
either by the relevant supervisory authority or by the regulated market against
the listed company for breaches of its disclosure requirements.
Should this prove to be the case, the grounds for the application of this exemption
would be questionable and the subject person would have to assess the relevance
of these breaches and determine whether the grounds for the application of this
exception still subsist.[62]

57. Second proviso to the beneficial owner definition under Regulation 2(1)(a) of the PMLFTR.
58. Directive 2014/65/EU on markets in financial instruments.
59. Directive 2003/71/EC on the prospectus to be published when securities are offered to
the public or admitted to trading and amending Directive 2001/34/EC, as amended from
time to time.
60. Directive 2013/50/EU on the harmonisation of transparency requirements in relation to
information about issuers whose securities are admitted to trading on a regulated market,
as amended from time to time.
61. Regulation (EU) No 596/2014 on market abuse (market abuse regulation).
Subject persons must retain on file records of the assessment they carried out
and of the conclusions reached. Moreover, they should ensure that they review
the position as part of the ongoing monitoring process to ensure that there were
no changes that would no longer allow the subject person to exercise the
discretion allowed under this section (e.g., delisting of the company).
With respect to companies that are themselves owned in whole or in part by
a listed company, a distinction has to be drawn between situations when the
customer is wholly owned, directly or indirectly, by the listed company and
situations when that ownership is only partial. In the former situation, there
would be no need to carry out the measures set out in Section 4.3.2.1 (iii)-(v)
since the beneficial ownership would be subject to disclosure requirements due
to the parent company’s listing. On the other hand, in the latter case, the subject
person would have to determine what percentage of shares or voting rights
are held or controlled by the non-listed entity (this entails establishing the
ownership and control structure as envisaged under Section 4.3.2.1 (iv)) and,
when it is determined that there may be additional beneficial owners behind
these entities, the measures set out in Section 4.3.2.1 (v) would still need to be
carried out.

4.3.2.3 When the principal is a commercial partnership


(i) Identifying a commercial partnership
The same procedure applicable to a company more or less applies to a commercial
partnership. The subject person is required to first identify the partnership by
gathering the following information, where applicable:
(a) the partnership’s official full name;
(b) the partnership’s registration number;
(c) the partnership’s date of incorporation or registration; and
(d) the partnership’s registered address or principal place of business.
62. In assessing the nature of any such breach, the subject person should for example keep in
mind whether the breach was an isolated case and/or the lapse of time since it occurred.

(ii) Verifying the identity of a commercial partnership

The subject person must verify all the information obtained on the customer by
referring to appropriate independent and reliable sources. It is up to the subject
person to ascertain, following careful consideration of the risk posed by the
customer, the appropriate sources. One or more of the following documents may
be referred to by subject persons for verification purposes:
(a) the certificate of incorporation;
(b) a good standing certificate (which is not to be older than three (3) months);
(c) a registry search;
(d) the most recent version of the partnership agreement or other constitutive
document;
(e) audited financial statements, annual returns and/or tax returns for the previous
or current year; and/or
(f) bank statements that are not older than six (6) months.
This list is not exhaustive, and the subject person may use any other document it
considers as being equally reliable as long as it originates from an independent
source.
Original documents and documents downloaded from official registers are
considered to provide the highest level of reliability. Where an original document
is viewed, subject persons are required to keep a true copy of the document,
signed and dated by an officer of the subject person, on file or in electronic form.
Subject persons may also retain a scanned copy of the document by making use
of the electronic system set out under Section 4.3.1.1(iii). Copies downloaded
from the official registry website would similarly have to be retained by the subject
person, together with a record of when and from which website they
downloaded the documents.
When copies of documents are obtained, subject persons should consider, based
on the risk assessment carried out by the subject person, whether additional
checks and safeguards should be applied to ensure they are satisfied that there
has been adequate verification of the customer’s details. These measures include
obtaining documents duly certified by one of the general partners or an officer
occupying a similar position, or by any of the persons referred to under Section
4.3.1.2(i)(b).

The subject person is also required to verify the partnership’s legal status. This
should be done by confirming that the commercial partnership has not been or is
not in the process of being dissolved, struck off, wound up or terminated. The
verification of this legal status is to take place by either referring to a company
registry search or by obtaining official registry documentation, such as a good
standing certificate. This documentation may be obtained either in original or as a
certified true copy of the original, with the certification carried out by any one of
the persons referred to in the preceding paragraph. If a search is carried out, then
the subject person is to retain a record of the search and of the results it yielded.

(iii) Identifying the persons vested with administration and representation of
the commercial partnership

Once the verification is complete, the subject person must identify all the persons
vested with the partnership’s administration and representation.
In the case of partners who are natural persons, identification consists in collecting
as a minimum the identification details referred to in Section 4.3.1(i) for low-risk
scenarios. These can be collected by referring to the same sources that could be
used to verify the identity of the commercial partnership, such as:
(a) the list of partners contained in the most recent version of the partnership
agreement or other constitutive document;
(b) a registry search, provided that the partners are listed therein;
(c) a good standing certificate or a certificate of incumbency that is not more
than three (3) months old, if one is available; or
(d) a copy of the appropriate register of the partnership that indicates who the
persons vested with the partnership’s administration and representation are.
In the case of corporate partners, subject persons are required to obtain details
of the corporate partner’s:
(a) official full name;
(b) registration number; and
(c) registered address or principal place of business.
It is important to note that the PMLFTR do not require subject persons to verify
the partners’ identity but only to identify them. However, should an individual
identified as a partner be also acting as the partnership’s agent, as explained in
Section 4.2.1 above, or be also identified as one of the partnership’s beneficial
owners under any of the circumstances referred to in Section 4.2.2 above, then
the subject person would also need to verify the partner’s identity and, where
applicable, ensure that he/she is authorised in writing to act on behalf of the
commercial partnership.

(iv) Understanding the ownership and control structure


Subject persons are required to establish the partnership’s ownership and control
structure. While some structures are clear and easily understandable, other
structures may be more complex and the use thereof without a legitimate
commercial purpose should give rise to concern and a possible increased risk of
ML/FT. Subject persons should therefore undertake appropriate checks and
gather information to be able to understand the ownership and control structure,
and determine who the customer’s beneficial owner is.
To comply with this obligation, subject persons must obtain from the customer and
maintain on file or in electronic form an explanation of the partnership’s ownership
and control structure. In the case of multi-tier and complex structures, it would
also be useful to maintain on file or in electronic form a chart showing the
ownership structure to the extent that would be required to determine who the
beneficial owner is. Both the explanation and the structure chart should contain
sufficient detail to allow the subject person to understand the link between the
beneficial owner and the customer, and to verify that link, as further set out below.
Once these are obtained, subject persons should then conduct independent
research to verify the information on the corporate structure by consulting online
commercial databases, company registries, relevant audited accounts or by
obtaining certification by any of the persons referred to under Section 4.3.1.2(i)(b).
The reliability of the measures to be adopted in the verification of the structure
should be assessed by the subject person on a risk-sensitive basis.

(v) Identifying and verifying the identity of beneficial owners


Having established who the beneficial owner is, the subject person must ensure
that the customer provides it with the personal details listed in Section 4.3.1(i)(a)
for the beneficial owner. The subject person then has to verify the beneficial
owner’s identity by applying any of the verification measures referred to in Section
4.3.1 which may be most appropriate in the circumstances.
In the case of a business relationship, the subject person must also take all
reasonable measures to ensure that the customer keeps the subject person
informed of any changes in the beneficial ownership, such as by including an
obligation in a letter of engagement (or by means of an exchange of
correspondence) on the customer to keep the subject person updated. This is not
to say that the subject person is divested of its responsibility for ongoing
monitoring, since this also includes taking active steps to ensure that the
information held by the subject person is current and valid, especially when
circumstances indicate that there has been a change in beneficial ownership.
Subject persons may also refer to any Beneficial Ownership Registers that are
maintained by EU Member States or other third countries. However, this is not
to be considered as a substitute for carrying out CDD but as a tool to be used on
a risk-sensitive basis to assist the subject person to corroborate the information
obtained.
There might be situations when no beneficial owner, as defined in Table 7 part
(a)(i) and (ii) under Section 4.2.2, can be identified. In these cases, to the extent
that the subject person has exhausted all possible means to identify a beneficial
owner and it does not have any suspicions, subject persons are required to treat
those persons who hold the position of senior managing officials of the
partnership as beneficial owners and to identify and verify their identity
accordingly. This would involve identifying and verifying the identity of the general
partners who effectively manage the commercial partnership.
The subject person is obliged by the PMLFTR to keep a record of the actions
taken to identify the beneficial owner, as mentioned above, and why it was
necessary to consider the customer’s senior management officials as the
beneficial owners.

4.3.2.4 When the Customer is a Foundation or an Association

(i) Identifying a foundation or an association
The same procedure applicable to a partnership more or less applies to a
foundation or an association. The subject person is required to first identify the
foundation or association by gathering the following information:
(a) the foundation or association’s official full name;
(b) the foundation or association’s registration number, if applicable;
(c) the foundation or association’s date of registration, if applicable;
(d) the nature, object and purpose of the foundation or association (e.g.,
discretionary foundation, fixed interest foundation, foundation set up by will,
association set up to promote the interests of a particular group, etc.); and
(e) the foundation or association’s registered address or, if allowed to trade, its
principal place of business.

(ii) Verifying the identification details of a foundation or association


The subject person must verify all the information obtained on the customer by
referring to appropriate independent and reliable sources. It is up to the subject
person to ascertain the appropriate sources, following careful consideration of
the risk posed by the customer. One or more of the following documents may
be referred to by subject persons for verification purposes:
(a) the certificate of registration, if available;
(b) a good standing certificate, if available, that is not to be older than three (3)
months;
(c) a suitable registry search, where possible;
(d) the most recent version of the constitutive document;
(e) audited financial statements, annual returns and/or tax returns for the previous
or current year; and/or
(f) bank statements that are not older than six (6) months.
This list is not exhaustive, and the subject person may use any other document it
considers as being equally reliable as long as it originates from an independent
source.
Original documents and documents downloaded from official registers are
considered to provide the highest level of reliability. When an original document
is viewed, subject persons are required to keep either the original itself or a true
copy of the document, signed and dated by an officer of the subject person, on
file or in electronic form. Subject persons may also retain a scanned copy of the
document by making use of the electronic system set out under Section
4.3.1.1(iii). Copies downloaded from the official registry website would similarly
have to be retained by the subject person, together with details of when and
from which website the documents were downloaded.
When copies of documents are obtained, subject persons should consider, based on
the CRA carried out by the subject person, whether additional checks and safeguards
should be applied so it is satisfied with the robustness of its verification measures. This
may include having the documents duly certified by the foundation’s or association’s
administrators, or by any of the persons referred to in Section 4.3.1.2(i)(b).
The subject person is also required to verify the foundation or association’s legal
status. This should be done by confirming that the foundation or association has
not been or is not in the process of being dissolved, struck off, liquidated or wound
up. The verification of this legal status may take place by referring to a registry
search, if the foundation or association is registered in an appropriate registry and
this search is possible, or by obtaining official registry documentation, such as a
good standing certificate. This documentation may be obtained either in original
or as a certified true copy of the original, with the certification carried out by any
one of the persons referred to in the preceding paragraph. If a search is carried
out, then the subject person has to retain a record of the search and of the results
it yielded. The subject person could also consider requesting a signed declaration
from the administrators of the foundation/association confirming the legal status.
It is up to the subject person to ensure, in accordance with its risk assessment
(and bearing in mind, among other matters, the risk posed by the particular
relationship to be established, the governing law of the foundation/association,
the administrator’s country of residence and also the complexity of the structure)
that appropriate measures are adopted to verify the existence of the
foundation/association. Subject persons should bear in mind that documents and
sources vary in their degree of reliability.

(iii) Understanding the ownership and control structure


Subject persons are required to establish the ownership and control structure of the
foundation/association.[63] Whereas in some structures the beneficiaries have a fixed
interest and are named, other structures may be more complex since the beneficiaries
may be unnamed and may form part of a discretionary class of beneficiaries, or they
may also not even be aware that they may benefit from the foundation.
For the purpose of establishing the beneficial ownership and control structure,
subject persons should obtain and maintain on file or in electronic form an
explanation of the beneficial ownership and control structure of the foundation or
association from the customer and verify this information by requesting the
appropriate documentation, extracts thereof or declarations from the administrator.
In the case of purpose foundations and associations, subject persons are only
required to establish their control structure.

63. Regulation 7(1)(b) PMLFTR: “…in the case of a body corporate, foundations, trusts and
similar legal arrangements, the taking of reasonable measures to understand the
ownership and control structure of the customer”.

(iv) Identifying and verifying the identity of beneficial owners


In the case of a foundation or an association, the PMLFTR consider the following
as beneficial owners:
(a) the founder;
(b) the administrator or administrators;
(c) the guardian, protector or members of the supervisory council, where
applicable;
(d) the beneficiaries or the class of beneficiaries, as may be applicable; and
(e) any other natural person exercising ultimate control over the foundation by
means of direct or indirect ownership, or by any other means.
Subject persons should not confuse the term ‘beneficial owners’ with the
‘beneficiaries’ of a foundation (in terms of the applicable law regulating foundations),
since the latter covers exclusively those persons who can benefit from the structure
(whether actually or potentially) while for AML/CFT purposes the term “beneficial
owner” covers all of the persons/entities listed in points (a) to (e) immediately above.
To the extent that all beneficial owners are individuals, the subject person has to
ensure that the administrator discloses the identity of the beneficial owners by
providing the personal details listed in Section 4.3.1(i). The subject person must then
verify their identity by applying any of the verification of identity measures set out
in Section 4.3.1(ii) that may be most appropriate in the particular circumstances.
When any of the persons indicated in (a) to (d) above are bodies corporate, bodies of
persons or legal arrangements, the subject person is to identify and verify the identity
of any such body corporate, body of persons or legal arrangement as provided for
in Section 4.3.2.1 to Section 4.3.2.5, as may be applicable. This means that the subject
person is also to identify and verify the identity of the respective beneficial owners
of any such body corporate, body of persons or legal arrangement. Should it result
that a corporate administrator can only act as such following licensing, authorisation
or registration by supervisory authorities in a reputable jurisdiction, and the said
process involves meeting fit and proper requirements, the subject person is not
obliged to identify the beneficial owners of the corporate administrator, given that
the corporate administrator would here be acting in a professional capacity and
would not be controlling a foundation in which it has a personal interest.

Subject persons may also refer to any Beneficial Ownership Registers that are
maintained by EU Member States or other third countries. However, this is not
to be considered as a substitute for carrying out CDD, but only as a tool to be
used on a risk-sensitive basis by the subject person to fulfil its CDD obligations.
In the case of purpose foundations and associations, subject persons must establish
the purpose for which the foundation or association is set up or operates, which
may be established by referring to the constitutive document. In the case of a
private foundation, where the beneficiaries are designated by particular
characteristics or class and have therefore not yet been determined or identified
by name, the PMLFTR stipulate that the subject person need only identify and
verify the beneficiaries’ identity at the time of pay-out or at the time the
beneficiaries exercise their vested rights.[64]
Within the context of a private foundation, situations may arise when the
beneficiaries are identified in the foundation deed, but it may prove to be difficult
to obtain verification of their identity. Reference is being made to private
foundations where either the beneficiary is not aware of his/her entitlement or
the right to benefit from the foundation is subject to the discretion of the founder
or to the realisation of a pre-determined condition.
In these instances, the subject person can rely on the information contained in
the foundation deed to identify the beneficiaries and seek on a risk-sensitive basis
to obtain such additional information as may be necessary to establish an
adequate risk profile, and then obtain the rest of the identification details and
verify the beneficiaries’ identity at the time of pay-out or at the time the
beneficiaries exercise their vested rights.
When the subject person has entered into a business relationship with the
foundation or association, the subject person must also take all reasonable
measures to ensure that the foundation or association keeps the subject person
informed of any changes to the purpose of the foundation or association, or the
beneficiaries, such as by including an obligation in a letter of engagement (or by
means of an exchange of correspondence) on the customer to keep the subject
person updated.
This is not to say that the subject person is divested of its responsibility, since
carrying out ongoing monitoring also includes taking active steps to ensure that
the information held by the subject person is current and valid, especially when
circumstances indicate that there has been a change in beneficial ownership.

64. Regulation 8(4) of the PMLFTR.

4.3.2.5 When the Customer is a Trust/Trustee

Trusts vary considerably in nature and size. While there are trusts set up for purely
commercial transactions (such as employee benefit trusts and share option
structures, unit trusts operating as collective investment schemes, trusts operating
in the context of syndicated loans or to hold securities), there are also trusts that
are set up to safeguard the interests of vulnerable persons (such as spendthrifts,
persons with special needs or some disability, the aged and frail, etc.) or under
testamentary arrangements. The CDD measures to be applied by the subject person
will need to be proportionate to the risks presented by trusts of different sizes,
areas of activity and nature of business being conducted.
When a trust has no legal personality, as is the case with trusts governed by
Maltese law, the trustees entering into the business relationship with the subject
person, or undertaking an occasional transaction through the subject person, in
their capacity as trustees of the particular trust, would be considered to be the
customers for CDD purposes.
In cases where the trust has a separate legal personality, the trust should be
categorised as the customer for the purposes of undertaking CDD measures and
the trustees would be the persons vested with the administration of the trust
(similar to directors in the case of companies and administrators in the case of
foundations that have legal personality). Nonetheless, the obligations outlined in
this section would be applicable in both instances.

(i) Identifying the trust


The subject person is required to identify the trust by obtaining the following
information:
(a) the full name of the trust;
(b) the nature of the trust (e.g., discretionary trust, testamentary trust, bare trust)
as well as its object and purpose (e.g., wealth management, estate planning);
(c) the country of administration and the proper (or applicable) law; and
(d) in jurisdictions where the trust has a legal personality, the registration number,
if applicable.


(ii) Verifying the identity details of a trust


The details obtained on the trust must be verified by referring to appropriate
independent, reliable sources. Verification should be undertaken by either
requesting a copy of the trust instrument from the trustee or an extract of the
relevant parts of the trust instrument. In exceptional circumstances, such as when
a trust is created verbally and thus no trust deed or similar instrument exists in
writing, verification can be carried out by obtaining a signed declaration by the
trustee containing the information listed in paragraphs (a) to (d) above.
When trusts are registered in an official registry, another alternative available to
the subject person is to refer to these registers, though particular attention has
to be paid to any limitations on registration therein, which may limit the quality
and reliability of the information reported.
It is up to the subject person to ensure, in accordance with its CRA (and bearing
in mind, among other matters, the risk posed by the particular relationship to be
established, the governing law of the trust, the country of residence of the trustee
and also the complexity of the structure) that appropriate measures be adopted
to verify the existence of the trust. Subject persons should bear in mind that
documents and sources vary in their degree of reliability. In particular, when the
verification documentation and/or information is obtained directly from the
trustee or when one relies on a declaration made by the trustee, the subject
person should keep in mind the status of the trustee (e.g., whether the trustee is
subject to any registration, authorisation or licensing requirements for it to carry
out its activities) and their reliability (e.g., whether there is any adverse information
on the trustee).
When copies of documents are obtained, subject persons should consider, based
on the risk assessment carried out by the subject person, whether additional
checks and safeguards should be applied to ensure it is satisfied with the
robustness of its verification measures. This may include obtaining documents
duly certified by the trustee or any of the persons referred to in Section
4.3.1.2(i)(b) above, as far as they are deemed to be reliable.

(iii) Identifying and verifying the identity details of the beneficial owners
For the purpose of the PMLFTR, within the context of trusts, the term beneficial
owner covers:
(a) the settlor;
(b) the trustee or trustees;


(c) the protector, members of a supervisory council, guardian or enforcer, where
applicable;
(d) the beneficiaries or the class of beneficiaries, as may be applicable; and
(e) any other natural person exercising ultimate control over the trust by means
of direct or indirect ownership, or by other means (refer to Section 4.2.2.2).
Subject persons should not confuse the term “beneficial owners” with the
“beneficiaries” of the trust since the latter term covers exclusively those persons
who can benefit from the structure (whether actually or potentially), while for
AML/CFT purposes the beneficial owners are all the persons indicated in (a) to
(e) above. Moreover, it is equally important to note that there may be instances
where one or more of the beneficial owners referred to above may not result
from the trust instrument itself (e.g., the settlor may not be named in a unilateral
declaration of trust, beneficiaries may be named by the settlor in a written
instrument other than the trust instrument itself ). However, these would still have
to be identified and their identity verified as set out hereunder.
To the extent that all beneficial owners are individuals, the subject person has to
ensure that the trustee discloses the identity of the beneficial owners by providing
the personal details listed in Section 4.3.1(i). The subject person must then verify
their identity by applying any of the verification of identity measures set out in Section
4.3.1(ii) that may be the most appropriate in the specific circumstances of the case.
When any of the persons indicated in (a) to (d) above are body corporates, bodies
of persons or legal arrangements, the subject person is to identify and verify the
identity of any such body corporate, body of persons or legal arrangement as
provided for in Section 4.3.2.1 to Section 4.3.2.5, as may be applicable. This means
that the subject person is also to identify and verify the identity of the respective
beneficial owners of any such body corporate, body of persons or legal
arrangement. Should it result that a corporate trustee can only act as such following
licensing, authorisation or registration by supervisory authorities in a reputable
jurisdiction, and the said process involves meeting fit and proper requirements, the
subject person is not obliged to identify the beneficial owners of the corporate
trustee given that the corporate trustee would here be acting in a professional
capacity and would not be controlling a trust in which it has a personal interest.
In carrying out the identification of the beneficial owners, subject persons may
also refer to Beneficial Ownership Registries that are maintained by EU Member
States or other third countries. However, particular attention has to be paid to
any limitations on registration therein, which may limit the quality and reliability
of the information reported. Moreover, consulting these registers is not to be


considered as a substitute for carrying out CDD, but as a tool to be used on a
risk-sensitive basis to assist the subject person to carry it out.
In the case where the beneficiaries of the trust are designated by particular
characteristics or class and have, therefore, not yet been determined, and are not
identified by name, the PMLFTR stipulate that the subject person need only
identify and verify the identity of the beneficiaries at the time of pay-out or at
the time the beneficiaries exercise their vested rights.65
It is acknowledged that situations may arise in which the beneficiaries may be
identified in the trust instrument or other written instrument by the settlor, but the
said beneficiaries may either be unaware of their entitlement under the trust or, for
their benefit to materialise, it would be necessary for the trustee to exercise its
discretion or for a pre-determined condition to occur. In these circumstances, a
subject person may opt to identify the beneficiaries on the basis of the information
contained in the trust instrument, or any other document used to verify the trust,
and seek on a risk-sensitive basis to obtain the additional information that may be
necessary to establish an adequate risk profile. The subject person would then
eventually collect any additional identification information that may become
necessary and carry out verification of identity once a pay-out is made.
In the case of purpose trusts, subject persons must establish the purpose for
which the trust is set up or operates, which may be determined by referring to
the trust instrument. In the case of a business relationship, the subject person
must also take all reasonable measures to ensure that the trustees keep the
subject person informed of any changes to the nature, purpose or objects of the
trust, or changes to the beneficial owners as defined in point (iii) above, such as
by including an obligation on the customer through a letter of engagement (or
by means of an exchange of correspondence) to keep the subject person updated.
This is not to say that the subject person is divested of its responsibility since
carrying out ongoing monitoring includes also taking active steps to ensure that
the information held by the subject person is current and valid, especially when
circumstances indicate that there has been a change in beneficial ownership.

4.3.3 The Agent


As already stated in Section 4.2.1, the person requesting a subject person to
establish a business relationship or to carry out an occasional transaction may not

65. Regulation 8(4) of the PMLFTR.


be the customer but the customer’s agent. There may be instances when the
circumstances will themselves indicate that the person is acting on behalf of
someone else. However, there are also situations when this may not be so evident
but may become apparent from other factors. These may include situations when:
(a) instructions on the operation of the business relationship are received from
another person, who is not the person who established the business
relationship;
(b) there are unusual delays in replying to questions posed by the subject person
on the operation or activity – this may be because the subject person has to
refer to someone else for instructions; and
(c) the source of funds or the destination of the funds do not correspond with
the purpose and intended nature of the established relationship – this might
be indicative that a particular account or service is being used to process funds
belonging to a third party.
When an agent is present, the subject person is obliged not only to identify and
verify the customer, as set out in the sections above, but must also carry out the
following additional measures.

(i) Identifying and verifying the identity details of the agent


Depending on the nature of the agent, identifying the agent and verifying the
agent’s identity is to be carried out as set out in the sections above. Thus, where
the agent is a natural person, identification and verification of identity is to be
carried out in line with what is set out in Section 4.3.1 hereabove. In situations
where the agent is a body corporate such as a company or a commercial
partnership, it is only necessary to carry out the identification and verification of
the body corporate itself as set out in paragraph (ii) of Section 4.3.2.1 and Section
4.3.2.3 but there would therefore be no need to:
(a) establish the agent’s ownership and control structure;
(b) identify who the agent’s beneficial owners are; and
(c) identify and verify the identity of the legal entity’s officers and/or employees
providing instructions to the subject person.
For example, when a law firm engages a company services provider to incorporate
a company on behalf of one of its customers, the company service provider would
have to identify the customer and verify his identity and, with respect to the law
firm, being the customer’s agent, collect the law firm’s identification details and


verify them on the basis of independent and reliable source/s. However, there
would be no need to identify and verify the identity of the individual lawyers or
law firm employees communicating the customer’s instructions to the company
service provider.
On the other hand, where the customer is a body corporate, subject persons have
to identify all directors or partners in line with what is provided in paragraph (iii) of
Sections 4.3.2.1 and 4.3.2.3 above. The obligation to verify their identity is however
only triggered with respect to those directors or partners that are authorised to
legally represent the body corporate and who exercise that power of representation
within the context of an occasional transaction or a business relationship.
Subject persons carrying out relevant financial business can at times encounter
situations where their own customers are carrying out relevant financial business
or equivalent activities, empowering a significant number of individuals to act as
signatories on their behalf. All of these individuals would be considered as the
customer’s agents, requiring the subject person to identify the said individuals as
well as verify their identity. In these circumstances, the verification of identity
requirement would be considered as equally met on the basis of a declaration by
the customer that it has verified the identity of the said signatories as long as the
subject person ascertained that:
- The customer is a subject person or is otherwise a third party established in
an EEA or a reputable jurisdiction that is subject to equivalent AML/CFT
requirements, including employee screening obligations, and supervision as
those required by Directive (EU) 2015/849; and
- There is no adverse information on the customer or, if there is, it is duly
evaluated as set out in Section 3.5.1(a)(a) and is found to have no major impact
in terms of risk.
In situations where the customer is not carrying out relevant financial business
or an equivalent activity, but equally empowers a significant number of individuals
to carry out transactions on its behalf, the subject person can:
(a) carry out the verification of key signatories and/or other key individuals who
may bind the customer;
(b) ensure that the list of such individuals is communicated by these key individuals
together with a statement that the identities of all such individuals have been
verified on the basis of government issued documentation; and
(c) ensure that the individuals whose identity has been verified are always copied
on any instructions received from the customer.


(ii) Authorised to act on behalf of the customer


The subject person has to ensure that the agent is duly authorised in writing to act for
and on behalf of the customer. He/she is therefore to obtain and retain on file either
the original or a copy of the authorisation granted by the customer to the agent.
With respect to directors or partners of a body corporate, reference can be made to
the statutory documents of the particular body corporate, like the Memorandum and
Articles of Association, or to the relative power of attorney or resolution authorising
the person concerned, or any other document or company registry record that
evidences the individual’s power to represent and bind the customer.
In this regard, the subject person should also seek to understand the rationale
behind this arrangement and why the customer did not seek to establish the
business relationship or carry out the occasional transaction directly.
This would not be necessary where the customer is a body corporate and is being
represented by one or more of its directors or partners who are vested with the
customer’s legal representation.

4.4 THE PURPOSE AND INTENDED NATURE OF THE BUSINESS RELATIONSHIP AND THE CUSTOMER’S BUSINESS AND RISK PROFILE

In terms of Regulation 7(1)(c) of the PMLFTR, subject persons are required to
assess and, where appropriate, obtain information and/or documentation on the
purpose and intended nature of the business relationship. In addition, subject
persons are also required to establish the customer’s business and risk profile.
These requirements entail gathering and analysing information to:
(a) determine whether a service and/or product being provided makes sense in
the customer’s situation and profile;
(b) assess the customer’s intention in acquiring a particular service and/or product;
(c) contribute to its CRA and ensure that the customer falls within the subject
person’s risk appetite;
(d) determine the appropriate risk mitigating measures to be adopted; and
(e) carry out meaningful, ongoing monitoring since it will be able to understand and
identify the expected behaviour, including the expected nature of transactions
or activities, of the customer throughout the business relationship.


4.4.1 Purpose and Intended Nature of the Business Relationship


Subject persons have to understand why a customer is requesting its services
and/or products and how those services and/or products are expected to be used
in the course of the business relationship.
The purpose of certain business relationships can be self-evident, given the nature
and purpose of the service and/or product required (e.g., a customer opening an
account on a gaming website). Other relationships may require a subject person
to assess and, where necessary, obtain information and/or documentation from
the customer to truly understand why the business relationship is being set up.

EXAMPLE: A foreign beneficial owner setting up a company in Malta for which
the subject person is also to provide directorship services – the subject person
should seek to determine the purpose behind the company’s incorporation in
Malta, what its activities are to be and other background information.

In all cases, subject persons should have a good understanding of how the
business relationship will be used so as to carry out proper monitoring, as well as
to be able to determine that the product or service requested makes sense in
view of the customer’s profile. Opening a bank account to be used in the context
of a commercial activity would require the subject person understanding the
nature of this commercial activity (e.g., product or service provided, where the
commercial activity is taking place, main markets targeted, etc.).

4.4.2 The Customer’s Business and Risk Profile


The additional obligation resulting from Regulation 7(1)(c) is that of establishing the
customer’s business and risk profile. Risk has already been considered in some detail
in Chapter 3 but in this particular instance a subject person is additionally required to
collect information that will allow it to further strengthen its CRA as well as to have
an idea of what it can expect to take place in the course of a business relationship in
terms of activity and/or funds transacted using its services and/or products.
To this end, a subject person must collect information on and, where necessary,
verify it with documentation such as:
(a) information on the nature of and details concerning the customer’s
business/occupation/employment;
(b) any other activity in addition to (a) above from which the customer derives
his/her wealth (e.g., inheritance);


(c) the expected source and origin of the funds to be used throughout the
business relationship; and
(d) the anticipated level and nature (including expected value and frequency of
transactions) that is to be undertaken throughout the relationship.
Notwithstanding the above list, certain information may not be relevant in all
scenarios and relationships. For instance, gathering information on the anticipated
level and nature of activity in the case of long-term insurance policies with fixed
monthly premia may be unnecessary since it would not add any value, but gathering
information in connection with an investment account is crucial to understand the
frequency and level of investment that the customer is expected to carry out.
Similarly, in cases where, for instance, a customer is investing money that is
claimed to have been accumulated over time, information on the current
business/occupation/employment would certainly need to be complemented with
information on the source that generated that wealth (e.g., previous employment,
inheritance or business profits).
In other instances, it may be possible for the subject person not to collect
information required for the purposes of understanding the customer’s business
and risk profile if it is able to rely on statistical data, as explained below.
Thus, the kind of information gathered will vary according to the customer’s risk
profile and the service or product being requested. The level of information to be
obtained, and whether this information should be backed up by documents, will
depend on the risk assessment of the particular case at hand.
Moreover, where the collection of this information is deemed relevant, subject
persons are not to limit themselves to obtaining information of a generic nature
– a mere reference to ‘business’, ‘employment’ or ‘inheritance’ would never be
deemed sufficient to meet this obligation, independently of the risk presented.
In carrying out this exercise, subject persons should be risk sensitive in their
approach, and should nevertheless remain mindful of a number of principles,
particularly those relating to the protection of their customer’s personal data.
Ideally, subject persons should refrain from requesting data (including information
and documentation) that is disproportionate, excessive or irrelevant.
Disproportionate or excessive requests include anything that is too intrusive
when other, less intrusive data would fulfil the same purpose. Irrelevant data
includes anything that does not add any value to the business and risk profile,
does not serve to mitigate any risks, or does not provide any reassurance relevant
to ML/FT risks.


4.4.3 The Source of Wealth and the Source of Funds


The information items referred to in points (a) and (b) under Section 4.4.2 constitute
what is termed as the customer’s “source of wealth”, i.e., the economic activity or
activities that generate the customer’s wealth. This may be comprised of, for instance,
income through employment or business, or inheritance. The term “source of funds”
refers to the activity, event, business, occupation or employment generating the funds
used in a particular transaction, or to be used in future transactions.
At the outset of a business relationship, a subject person is to collect information
on a customer’s source of wealth and expected source of funds. Subject to what
is set out in Section 3.6, this information will assist the subject person to further
understand the actual ML/FT risk it is exposed to, especially when it comes to the
customer risk factor. Whereas the source of wealth is usually identified at the
beginning of the business relationship and the information thereon is updated
from time to time when material developments arise in the course of the business
relationship, subject persons have to identify and obtain information on the source
of funds of individual transactions when required in accordance with the
obligation of ongoing monitoring, as set out below.
The extent and level of detail of the information required on the source of wealth
and the expected source of funds, and whether and how much documentation
should be requested to substantiate the information provided by the customer,
would depend on the CRA. Ultimately, a subject person should be able to form a
reasonable conclusion that the customer’s wealth has been accumulated legally,
and that subsequent funds that will be used to carry out transactions in the course
of a business relationship are legitimate. In all cases, subject persons should be
aware of the data collection principles outlined above and should refrain from
requesting information or documentation that is excessive or irrelevant in view
of the particular customer profile.
The collection of information on a customer’s source of wealth and expected
source of funds will assist the subject person to carry out its ongoing monitoring
obligations, as explained below. When the subject person detects activities or
transactions that appear to be unusual, or not in line when considered vis-à-vis
any such information, the subject person is to collect information and if necessary
supporting documentation on the actual source of funds used to finance the
unusual activity or transaction.
While there is no express obligation to establish the customer’s source of wealth
and source of funds when carrying out occasional transactions, subject persons
should still bear in mind that certain occasional transactions may present an
ML/FT risk that can only be mitigated through obtaining information on the


customer’s source of wealth and source of funds. For instance, a customer
financing a residential property largely through own funds should prompt a
Notary to ask about the source of such funds.
When the ML/FT risk within an occasional transaction is assessed to be high, and
enhanced due diligence is therefore required, it is very likely that the most
effective measure that can be taken is to query how the funds being used have been
acquired and whether this makes sense, considering the customer’s source of wealth.
In any such circumstances, subject persons would therefore still be expected to
establish a customer’s source of wealth and source of funds, unless they apply
alternative measures that can be shown to be equally effective to address the
risks identified. Thus, subject persons should not refrain from asking about the
customer’s source of wealth and the source of funds of an occasional transaction
if this information serves to mitigate the risk of the transaction.

4.5 ONGOING MONITORING OF THE BUSINESS RELATIONSHIP

4.5.1 Overview of the duty to conduct ongoing monitoring
Once a business relationship is formed, Regulation 7(1)(d) of the PMLFTR requires
subject persons to carry out ongoing monitoring. Monitoring comprises two key
elements:
(a) scrutiny of transactions
The scrutiny of transactions through transaction monitoring consists in using the
subject person’s knowledge of the customer (including the information gathered
on the purpose and intended nature of the business relationship and the
customer’s business and risk profile) to identify any transactions that are unusual.
The term “unusual” includes transactions that are unusual by their very nature
(since they are suspicious, illogical, unnecessarily complex, or unreasonable), as
well as those that are inconsistent with the customer’s profile or are significantly
different to what is usually carried out or requested by the customer.
Moreover, the PMLFTR expressly require subject persons to examine the purpose
and background of all complex and unusually large transactions, and unusual
patterns of transactions that do not have any apparent economic or lawful
purpose, and increase the degree and nature of ongoing monitoring to determine
whether the transactions are suspicious.66

66. Regulation 11(9) PMLFTR.


An unusual transaction should serve as a red flag or a trigger event for the subject
person to assess the situation and request or obtain additional information or
documentation to be able to establish whether the transaction is suspicious and
ought to be reported in terms of Regulation 15(3) of the PMLFTR, or whether
there are legitimate explanations, such as changes in the activity carried out by
the customer, in which case the subject person may need to update the CRA, the
CDD information and documentation it holds and/or enhance the CDD measures
it is applying to the particular business relationship.
Ongoing monitoring thus complements and builds on the initial CDD measures
carried out during the customer on-boarding, so as to further ensure that the
services and/or products of the subject person are not misused for ML/FT purposes.
(b) keeping information, documents and data held on the customer up to date
Subject persons have an obligation to ensure that information, documents or data
related to the customer, as well as any assessment thereof, remain up to date and
relevant, whether it is through their periodic review and updating or following
certain changes in the business relationship, i.e., a trigger event.

Trigger events may include the provision of additional services and/or
products to an existing customer or changes to the activities carried out by
the customer, such as changes in the amount of periodic investments or
changes in a company’s trading or commercial activities.

This ensures that information and documentation is current and valid, and the CRA
reflects the real ML/FT risk arising from a business relationship. In turn, the subject
person would be in a better position to adjust any CDD or other mitigating measures,
including the level of ongoing monitoring, to address the actual ML/FT risks.

4.5.2 Transaction Monitoring


4.5.2.1 The purpose of transaction monitoring
Through the monitoring of customer transactions or activities, subject persons
should be in a better position to:
(a) identify behaviour or transactions that diverge from the usual pattern of
transactions, do not fit within the customer’s profile, or are otherwise not in
line with what is normally expected from the customer, and which therefore
need to be questioned in further detail;


(b) identify suspicious activity in relation to which an STR is to be filed with the
FIAU; and
(c) determine whether the initial risk assessment requires updating, and whether,
in view of the updated risk assessment or other considerations, the business
relationship remains within the subject person’s risk appetite and, if so,
understand whether the level of CDD needs to be adjusted in view of any
changes from the initial risk understanding.
With respect to most subject persons, the transactions and activities that are to
be monitored are the ones carried out by the customer through the
intermediation of the subject person. However, where the transactions carried
out by a subject person on behalf of its customers are left to the subject person’s
own discretion, as is the case with discretionary portfolio management and
investment management services offered to collective investment schemes or
retirement schemes, it is not expected that the subject person monitors the
transactions it is carrying out itself. In these cases, the subject person would have
received a mandate from the customer to invest funds and manage assets as the
subject person wishes as long as particular parameters are adhered to; the
carrying out of individual transactions is not directed or dictated by the customer
but by the subject person itself.
In these cases, the activities subject to monitoring would be:
(a) any increase in the funds or assets entrusted to the subject person for
investment purposes, and especially whether any such addition can be justified
on the basis of the economic capabilities of the customer; and
(b) any request from the customer to have any funds or assets entrusted to the
subject person released back to it, especially where this may harm the
performance of the customer’s portfolio or result in significant penalties or
fees being charged by the subject person.

4.5.2.2 Identifying unusual transactions


In terms of Regulation 7(2)(a), transaction monitoring comprises the scrutiny of
transactions undertaken in the course of a business relationship to ensure that
these are consistent with the subject person’s knowledge of the customer and
of his/her business and risk profile. The following is a (non-exhaustive) list of
factors that can be used to detect transactions that are unusual, i.e., that present
a divergence from how the product or service is usually used or from the
customer’s expected or known transactional pattern:


(a) a significant change in the value of individual transactions or in the overall
volume or frequency of transactions;
(b) the carrying out of a number of transactions in rapid succession one to the
other such as the purchase and immediate resale of immovable property,
securities, etc., or the deposit and withdrawal in rapid succession of
funds/securities on an account; and
(c) a change in the geographical destination or origin (or other form of
connection) of a transaction and/or a change in the usual parties that a
customer transacts with.
These factors are especially important when one considers the express obligation
imposed on subject persons to examine the purpose and background of complex
and unusually large transactions, and unusual patterns of transactions that do not
have any apparent economic or lawful purpose. However, in this case, subject
persons must bear in mind the amounts involved in the transactions. Should these
amounts be unusually large, even if they may be within the normal pattern of
transactions carried out by the customer, the subject person would still have an
obligation to understand the purpose and nature of such transactions.
Assessing unusual transactions
Determining whether there is a reasonable explanation for an unusual transaction
requires the collection of information and/or documentation that shows that
there is a legitimate reason for that particular transaction or for that divergence
from the customer’s known pattern of activity or transactions. For this purpose,
a subject person may need to request information and/or documentation on one
or a combination of the following:
(a) the source of funds of that transaction;
(b) any new operational activities;
(c) any significant relevant changes relating to the customer, such as a change in
occupation; and
(d) any other information that the subject person deems reasonably necessary
to be satisfied that the funds are derived from legitimate sources.
As explained earlier on in this document, the level of data to be obtained should
allow the subject person to come to a reasonable conclusion on the legitimacy
of the transaction, but should not be excessive, disproportionate or irrelevant, and
the requests should make sense in the context of the transaction and the
customer.


Where, notwithstanding the information and/or documentation received, the
subject person is not satisfied with the explanations provided, or the explanation
does not make business or economic sense, or there are doubts on the veracity of
the documentation provided, the subject person has to consider whether there are
sufficient grounds to file an STR. At times, customers may become uncomfortable
when faced with demands for more information or documentation. This may be
understandable. However, when the customer displays an unreasonable reluctance
to co-operate, subject persons should similarly consider filing an STR.
Example: A Company Service Provider (i.e., the subject person) provides
directorship services to a company (i.e., the customer). Through the business and
risk profile established by the subject person it was determined that the
customer’s business activities will take place within the EU. Eventually, through
ongoing monitoring of the business relationship, the subject person detects a
number of transactions to and from non-EU jurisdictions.
These transactions are flagged through the ongoing monitoring procedure and
the customer is requested to explain the reason for these transactions. The
customer explains that it sought new markets for its products and services, and
had managed to obtain a foothold in these third countries. To support this
information, the customer also makes available a series of agreements and related
invoices concluded with other entities situated in these third countries.
Following due consideration of the explanations and documentation provided by
the customer, including independent checks on the non-EU country entities with
which the customer concluded agreements, it is determined that the customer’s
business has legitimately expanded to these countries. The subject person’s risk
assessment considers these jurisdictions not to be high risk and thus decides that
the relationship still falls within its risk appetite. Nevertheless, the subject person
updates the customer’s business and risk profile to reflect these developments.
Had the subject person found the explanation provided by the customer to be
unconvincing or the documentation to present signs of forgery, the conclusion
would have been different since the subject person would also have had to
consider whether there were any grounds to submit an STR.

4.5.2.3 How to conduct transaction monitoring


Transaction monitoring can take place in a number of ways. Any determination
on when and how to conduct this monitoring will depend, among other factors,
on the activity or business carried out by the subject person, the volume of this
activity, the number of clients, whether business is conducted solely remotely, and


the risk ratings ascribed to customers. It is therefore possible that the most
effective manner in which to carry out transaction monitoring requires the
adoption of more than one of the methods described below.
Transactions can be monitored:
(a) in real time (pre-transaction monitoring), whereby transactions or activities are
reviewed as they take place or prior to finalisation.
Pre-transaction monitoring is more commonly applied in scenarios when the
subject person has control over whether the transaction may be executed or not,
for instance, in face-to-face scenarios. Pre-transaction monitoring allows more
control and reassurance, since suspicious or unusual transactions may be detected
prior to execution and put on hold for further determination, where possible.
In such cases it is crucial that persons dealing directly with customers are, as far
as reasonably possible, in a position to detect these transactions by, for instance,
being aware of the trigger events or red flags associated with the product or
service, or even understanding the expected transactions or use of a particular
business relationship.
Pre-transaction monitoring can also be applied in non-face-to-face situations
when transactions are not carried out instantaneously but allow for receipt of an
order and its subsequent execution at different times.
Pre-transaction monitoring is particularly suited as an EDD measure for high-risk
clients.
(b) after the event (post-transaction monitoring), whereby transactions and patterns
are reviewed after execution.
Certain relationships or services do not easily permit transactions to be monitored
and flagged in real time. Nevertheless, subject persons are still expected to
monitor the relationship, assess any unusual or suspicious transactions and take
any necessary action, including filing an STR when necessary, even after the event.
Post-transaction monitoring is also an essential tool in detecting any patterns of
transactions that raise suspicion and/or are not in line with the customer’s profile.
Subject persons should keep in mind that pre-transaction monitoring alone may
not always be suitable to detect unusual or suspicious transactions or activities.
For instance, a customer depositing a large amount of cash by effecting a number
of deposits, each at different branches of the same bank, would not raise any
suspicion with the tellers at the respective branches. A proper post-transaction
monitoring system would however link the individual transactions carried out by
the same person and trigger an alert.


Thus, although a subject person may be able to stop a face-to-face transaction being
executed until a determination has been reached, an effective transaction monitoring
system would ideally be complemented by adequate post-transaction monitoring.
As regards how to detect unusual or suspicious transactions, there are a number
of methods and systems that can be adopted and which, depending on the
particular circumstances of the subject person’s activities, are equally valid. As
already highlighted above, an effective monitoring system may require the
adoption of more than one of the methods referred to below. Transaction
monitoring can therefore be carried out:
(c) on the basis of a customer’s specific profile.
As explained in Section 4.4 above, the established business and risk profile of the
customer should allow a subject person to understand what kind of transactions
or behaviour are expected through the course of the business relationship. This
means that the subject person has defined or is aware of the set of parameters
or factors within which transactions are considered normal for that particular
customer, and which therefore do not require further assessment.
Thus, a subject person would not necessarily need to carry out further assessment
on transactions to and from a set of jurisdictions, or of a particular value and
frequency or combination thereof, since these transactions or this behaviour
would be consistent with the subject person’s knowledge of the customer.
However, once there are variations that fall outside these pre-set parameters,
the subject person would be expected to question those variations.
(d) by comparing against peer group information.
Subject persons may adopt systems whereby customers of the same
characteristics and risk rating are grouped, and their statistics are extracted and
used to create the profile of an average customer within that group for particular
products or services. Transactions and behaviour of individual customers may then
be compared against the average or expected transactions of that peer group
profile such that anything falling outside would trigger an alert for further
assessment.
Comparing peer group information is only possible when the subject person has
a sufficiently wide customer base from which to obtain substantial statistical data.
Alternatively, depending on the subject person’s activity, it may be possible to
create an average customer profile based on official economic indicators, such as
average national income, average disposable income, etc., issued by national public
bodies or reputable financial institutions.


Subject persons are to note that such a system would not be ideal in high-risk
scenarios, which already present characteristics that fall outside the norm and
require more targeted, ongoing monitoring measures.
(e) on the basis of detection rules.
Detection rules comprise a set of thresholds, scenarios and other parameters
against which individual transactions, as well as a series of transactions over time,
are analysed, usually through the use of an automated system. When a pre-defined
detection rule is met, an alert is raised for further assessment.
To be effective, detection rules must be relevant to the particular product or
service being offered and to the customer’s business and risk profile. Detection
rules would need to be periodically tested and fine-tuned to ensure on the one
hand that suspicious/unusual/unusually large transactions and patterns of these
transactions are actually being detected and that, on the other hand, they are not
generating too many false positives. Similarly, detection rules would need to be
updated to reflect changing trends and typologies, particularly with respect to
terrorist financing.
These rules would need to take into account trigger events and red flags that are
relevant to the subject person’s services or activities, as well as a number of other
factors and/or combinations thereof. The following are some examples of what
may need to be factored into detection rules:
(a) the specific product or service being offered;
(b) the customer’s risk rating;
(c) the anticipated level and value of transactions, as determined through the
business and risk profile;
(d) the anticipated or actual jurisdictional connections, as determined through the
business and risk profile;
(e) the value of transactions when taking into account the customer’s
background, occupation, and claimed source of wealth/source of funds;
(f) the distribution channels (such as face-to-face or remote transactions);
(g) whether a transaction is in cash or not; and
(h) whether a dormant account has suddenly become active.
Depending on the subject person’s activity, the system may need to be configured
to take into account combinations of rules. For instance, a system may be set to
raise an alert when transactions in or out of specific jurisdictions reach a particular


frequency within a period of time, regardless of the value. This may be useful to
detect transactions that may be related to terrorist financing.
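As an added illustration (not code from the Implementing Procedures or from any FIAU system), the following Python pass applies three of the monitoring approaches described above to constructed sample transactions: customer-specific profile parameters, the linking of cash deposits by the same customer across branches, and a frequency-only rule for transfers with specified jurisdictions regardless of value. The customer identifiers, country codes, thresholds and window lengths are assumptions chosen for the example; each alert records which rule fired and why, so that the reasons can be reported.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Transaction:
    tx_id: str
    customer: str
    when: datetime
    amount: float   # EUR
    country: str    # counterparty jurisdiction (ISO-style code); "MT" for domestic
    channel: str    # "cash" or "transfer"
    branch: str = ""


@dataclass
class CustomerProfile:
    expected_countries: frozenset   # jurisdictions considered normal for this customer
    max_single_value: float         # largest single transaction considered normal


@dataclass
class Alert:
    rule: str
    customer: str
    tx_ids: list
    reason: str   # kept so the alert report shows why the alert was raised


def profile_rule(txs, profiles):
    """Customer profile: flag values or jurisdictions outside the pre-set parameters."""
    alerts = []
    for tx in txs:
        prof = profiles[tx.customer]
        if tx.country not in prof.expected_countries:
            alerts.append(Alert("profile.jurisdiction", tx.customer, [tx.tx_id],
                                f"{tx.country} outside expected {sorted(prof.expected_countries)}"))
        if tx.amount > prof.max_single_value:
            alerts.append(Alert("profile.value", tx.customer, [tx.tx_id],
                                f"{tx.amount:.2f} exceeds profile cap {prof.max_single_value:.2f}"))
    return alerts


def _windows(txs, window):
    """Yield (customer, transactions falling within `window` of each other), per customer."""
    grouped = defaultdict(list)
    for tx in txs:
        grouped[tx.customer].append(tx)
    for cust, items in grouped.items():
        items.sort(key=lambda t: t.when)
        start = 0
        for end in range(len(items)):
            while items[end].when - items[start].when > window:
                start += 1
            yield cust, items[start:end + 1]


def cash_structuring_rule(txs, window=timedelta(days=1), threshold=10_000.0):
    """Link cash deposits by one customer across several branches: alert when the
    aggregate within the window reaches a threshold no single deposit reaches.
    The 10,000 EUR threshold and one-day window are assumptions for this example."""
    alerts, seen = [], set()
    cash = [t for t in txs if t.channel == "cash"]
    for cust, group in _windows(cash, window):
        total = sum(t.amount for t in group)
        branches = {t.branch for t in group}
        if (cust not in seen and total >= threshold and len(branches) > 1
                and all(t.amount < threshold for t in group)):
            seen.add(cust)   # one alert per customer; the analyst sees the whole group
            alerts.append(Alert("cash.structuring", cust, [t.tx_id for t in group],
                                f"{total:.2f} in cash over {len(branches)} branches within {window}"))
    return alerts


def jurisdiction_frequency_rule(txs, countries, window=timedelta(days=7), min_count=3):
    """Frequency of transfers with listed jurisdictions within the window,
    regardless of value (the combined rule given above for FT detection)."""
    alerts, seen = [], set()
    hits = [t for t in txs if t.channel == "transfer" and t.country in countries]
    for cust, group in _windows(hits, window):
        if cust not in seen and len(group) >= min_count:
            seen.add(cust)
            alerts.append(Alert("jurisdiction.frequency", cust, [t.tx_id for t in group],
                                f"{len(group)} transfers with {sorted(countries)} within {window}"))
    return alerts


def run_monitoring(txs, profiles, watch_countries):
    """Post-transaction monitoring pass: run every rule and return the alerts raised."""
    return (profile_rule(txs, profiles)
            + cash_structuring_rule(txs)
            + jurisdiction_frequency_rule(txs, watch_countries))


# Constructed sample data: fictitious customers, branches and jurisdiction codes.
T0 = datetime(2021, 10, 18, 9, 0)
PROFILES = {"C1": CustomerProfile(frozenset({"MT", "IT"}), 5_000.0),
            "C2": CustomerProfile(frozenset({"MT"}), 20_000.0)}
SAMPLE = [
    Transaction("t1", "C1", T0, 4_000.0, "MT", "cash", "Branch A"),
    Transaction("t2", "C1", T0 + timedelta(hours=2), 3_500.0, "MT", "cash", "Branch B"),
    Transaction("t3", "C1", T0 + timedelta(hours=5), 3_000.0, "MT", "cash", "Branch C"),
    Transaction("t4", "C1", T0 + timedelta(days=1), 900.0, "XX", "transfer"),
    Transaction("t5", "C2", T0, 150.0, "YY", "transfer"),
    Transaction("t6", "C2", T0 + timedelta(days=2), 80.0, "YY", "transfer"),
    Transaction("t7", "C2", T0 + timedelta(days=4), 120.0, "YY", "transfer"),
    Transaction("t8", "C2", T0 + timedelta(days=3), 25_000.0, "MT", "transfer"),
]

if __name__ == "__main__":
    for a in run_monitoring(SAMPLE, PROFILES, {"XX", "YY"}):
        print(f"[{a.rule}] {a.customer} {a.tx_ids}: {a.reason}")
```

The three small cash deposits are individually unremarkable but are linked into one alert, and the low-value transfers to "YY" are caught by frequency alone, which is the point the text makes about post-transaction monitoring and combined rules.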

Automated Monitoring Systems


It is up to the subject person to determine whether a system should be automated
or whether manual monitoring would equally yield the required results. Such a
decision would depend on the size of the subject person’s set-up, the number of
clients and transactions, the level of risk to which it is exposed, the costs incurred,
and so on.
With that said, it is expected that subject persons processing hundreds of
transactions regularly adopt automated systems, unless they can provide sufficient
justification on how transactions are being monitored effectively and efficiently.
These subject persons may find that automated monitoring systems permit more
accurate, detailed reports on alerts.
The following questions may be relevant when considering the automated system
to be adopted:
(a) does the system generate or permit the creation of a report demonstrating
the reasons why an alert was raised and which rules or parameters were
considered?
(b) can the system be adapted with relative ease and efficiency to cater for
changes, new trends and typologies?
(c) does the system have functionalities to learn from previous false positives and
fine-tune its operations?
Subject persons are expected to be able to demonstrate a clear understanding
of certain relevant aspects of the system, namely the kind of scenarios, typologies
and detection rules applied, how the system is compatible with the products or
services the subject person offers, and how it can be adjusted to match different
profiles or adapt to changes in the relationship, among others. Subject persons
would also need to know whether and how a system maintains an audit trail of
the alerts raised.
Regardless of the systems and methods adopted to carry out transaction
monitoring, subject persons must carry out periodic tests and reviews to assess
the effectiveness of the alerts being generated, and should moreover be able to
demonstrate a good understanding of their operation.


Ongoing monitoring of high-risk scenarios


Adopting a risk-based approach towards the application of AML/CFT obligations
invariably means that subject persons must apply a stricter level of ongoing
monitoring of high-risk relationships to mitigate the risks of ML/FT.
Adjusting the procedures to cater for high-risk customers involves increasing the
frequency and nature of the transaction monitoring carried out. This may mean:
(a) carrying out regular reviews of transactions to detect any warning signs or
patterns;
(b) applying stricter or more stringent detection rules;
(c) applying alerts for lower transaction value thresholds, especially when a higher
FT risk is identified;
(d) giving more weighting to factors such as higher value transactions and
dealings with other jurisdictions;
(e) adjusting the thresholds for different services and products within the same
relationship, depending on the risks presented by each service and product;
(f) increasing the level of control by placing higher-risk customers under more
vigilant watch; and
(g) considering the application of pre-transaction monitoring, or adjusting the
intensity of such monitoring.
Subject persons should identify those scenarios that would constitute suspicious
or unusual activity within a high-risk scenario. In these cases, subject persons
should, as far as reasonably possible, use pre-transaction monitoring procedures
to ensure that transactions in high-risk scenarios can be appropriately scrutinised
prior to execution.

Training
The training of employees plays a vital role in the effectiveness of a subject person’s
ongoing monitoring systems. Employees should be properly trained to identify
unusual or suspicious transactions and activities that may be related to ML/FT, and
the red flags associated with the particular customer, service or product.
Employees dealing with customers directly, particularly when it comes to
transactions that take place on a face-to-face basis, must be knowledgeable in
AML/CFT measures, the subject person’s AML/CFT policies and procedures, as
well as in the recognition of red flags and dubious or suspicious transactions


related to the products or services they offer. These employees are best
positioned to recognise and detect suspicious or unusual actions and to flag them
for further assessment prior to execution, when this is permitted.
In this regard, reference should be made to Chapter 7 on the nature of training
to be provided to employees and officials of subject persons.

4.5.3 Ensuring that documents, data and information held on the customer are kept up to date

In carrying out their ongoing monitoring obligations, subject persons are also
tasked with “ensuring that the documents, data or information held by the subject
person are kept up to date”.67 The documents, data or information (for the purposes
of Section 4.5.3 collectively referred to as “information”) referred to in this section
comprise the information obtained in fulfilment of CDD obligations,
particularly those required under Regulation 7(1)(a)-(c) and Regulation 7(3).

Beneficial Ownership Information


Subject persons have to establish who is the beneficial owner of any customer they
onboard or service, when such customer is not a natural person. However, changes
can take place from time to time within the shareholding or structure of a body
corporate or there may be changes within a trust, foundation or association which
result in a change in beneficial ownership. In some cases, the subject person may
be aware of any such changes as the subject person will be assisting in
implementing the same. However, changes may also take place without the subject
person’s knowledge and there is therefore the need for the subject person to
enquire from time to time whether the beneficial ownership information obtained
at on-boarding is still current or otherwise. In either case, should the subject person
become aware that changes have taken place in a customer’s beneficial ownership,
it has an obligation to update the beneficial ownership information it holds.

Purpose
Business relationships are not static, and the circumstances surrounding them
and the customers themselves are very likely to change over time. The CRA, as
well as the initial CDD measures and any other mitigating measures carried out,

67. Regulation 7(2)(b) PMLFTR.


would have all been based on the information obtained on the customer prior to
the establishment of the business relationship.
This information must therefore remain relevant, accurate and sufficiently timely
if the subject person is to have a clear understanding of the ML/FT risks it is
exposed to and that the measures it has put in place are effective. This is why it is
essential that subject persons adopt policies and procedures to keep information
up to date. Moreover, changes that affect the risk profile and, possibly, the CRA
should lead the subject person to update its CRA accordingly.
Ensuring that information is kept up to date should not therefore be considered
as a requirement to carry out afresh the CDD measures that would have been
applied at the inception of the business relationship, unless the subject person has
doubts on the information collected as reflected in Regulation 7(7) of the PMLFTR.

Information Monitoring Methods


Updating can be carried out through one or a combination of methods. The
following are some examples of methods that may be used but it does not
exclude the possibility that there may be others that are equally effective. It is up
to the subject person to determine the best approach towards keeping
information up to date, depending on a number of factors relating to the subject
person itself (size, number of customers, type of services offered and resources),
and the customer base (risk rating, range of products/services offered), among
other considerations. The methods adopted may also vary to better address the
circumstances presented by different customer groups or services.

Trigger events
At times, updating may be prompted by certain trigger events. For instance, an
assessment of an unusual transaction or pattern of transactions carried out,
referred to in the previous section, may indicate that there has been a (legitimate)
change in the business relationship or in the customer’s relevant circumstances,
and the business and risk profile may need to be adjusted to ensure that all
relevant factors are being taken into account. This may entail obtaining new
information or documentation to substantiate the new circumstances.
By way of example, a customer may have been requested to provide information on
the source of funds following a gradual but significant increase in transaction value.
The subject person subsequently determines that the customer, only known to be a
student, has graduated and has set up a small consultancy office that is bearing fruit.


This new information on the background (occupation) of the customer is
considered to affect the customer’s profile, which would need to be updated
accordingly. Moreover, the subject person would have to consider whether its
CRA and the mitigating measures adopted on that basis are still valid or whether
they need to be revisited to better address the new level of ML/FT risk posed by
the particular business relationship.
On other occasions, updating would be necessary in the light of a request for a
new product or service that presents different ML/FT risks. In these cases, the
subject person would need to consider whether the information held is sufficient
or whether it would be best to request more detailed information on, for instance,
the anticipated source of funds.
A request for information received from the FIAU or the Police on a particular
customer may also be a trigger for the subject person to take a closer look at how
it had risk assessed and rated that customer and what it knows about him/her.
Trigger events can also be applied in relation to the updating of documentation
that has a set expiry date, such as identification documents. A customer who has
been inactive for a considerable period of time is unlikely to pose any ML/FT risk
and therefore even if the documentation used to verify his/her identity may have
expired, requesting fresh copies would not be addressing any particular risk.
However, if the customer attempts to make use of the subject person’s services or
products once more, any activity should be made subject to the customer providing
copies of fresh identification documents prior to any such activity taking place.
Trigger events can also assist the subject person in questioning whether any
changes to the beneficial ownership of the customer are taking place or have
already taken place. Examples would include situations where the subject person
is acting as director or company secretary for a corporate customer and is requested
to sign and submit to the Malta Business Registry a copy of the relative form
notifying a change in shareholding. The same can be said with respect to fiduciaries
holding shares in a corporate customer who are requested to transfer part of the
shares to existing or new shareholders.

Periodic Reviews
Another method that may be applied to ensure that information is up to date is that
of periodic reviews. Depending on the level of risk, subject persons may set up a
schedule to review the information they hold on file at regular intervals, even in the
absence of an event that may point to a change in the given business relationship.


Periodic reviews may be particularly useful when it comes to the documentation
collected for verification of identity purposes, where the subject person sets out
a schedule for their review and requests updated copies when it emerges that
these have expired. Periodic reviews would be equally relevant in the context of
ensuring that beneficial ownership information and documentation is kept
updated. Since this process necessarily needs to be risk based, the timeframe for
the review of business relationships considered to present a high risk of ML/FT
should be more frequent than that for those deemed to be low risk.
Subject persons may take the following factors into consideration when it comes
to deciding how frequently information needs to be updated, and to which extent:

Frequency
(a) The customer’s risk rating;
(b) the kind of information to be updated (e.g., a subject person may determine
that the residential address should not be updated frequently as long as the
customer is transacting from within the same jurisdiction); and
(c) whether there are any risks that may be mitigated through updating.

Extent
(a) The factors listed above;
(b) the relevance of the information with respect to CDD and AML/CFT; and
(c) the necessity of the information to be updated.
It should be noted that not all information adds value to the business and risk
profile or serves to mitigate any ML/FT risks, in which case subject persons should
consider whether the information is actually necessary. By way of example,
requesting updated documentation evidencing the customer’s change in
occupation or residence may not be necessary when the customer has retained
the same risk rating and transaction patterns.

Processing of personal data


While subject persons are obliged at law to keep information, data and
documentation up to date, they are to keep in mind a number of principles,
particularly those relating to the processing of personal data. Requests for


information should not be excessive or disproportionate, especially when other,
less intrusive methods may suffice to fulfil the purpose of the obligation.
Subject persons should consider discarding documents that are no longer
relevant for AML/CFT purposes and that are not needed under record-keeping
obligations.

4.6 TIMING OF DUE DILIGENCE PROCEDURES


This part of the Implementing Procedures deals with the various scenarios when
the subject person would usually be required by the PMLFTR to carry out the
CDD measures provided for in Regulation 7(1)(a)-(c). These are provided for under
Regulations 7(5)-(7) of the PMLFTR, which require the application of CDD
measures to:
(a) new customers when establishing a business relationship;
(b) customers when carrying out an occasional transaction;
(c) existing customers at appropriate times and on a risk-sensitive basis, including
at times when the subject person becomes aware that the relevant
circumstances surrounding a business relationship have changed;
(d) existing business relationships whenever doubts arise about the veracity or
adequacy of the previously obtained customer identification information, data
or documentation; and
(e) situations when the subject person has knowledge or suspicion of proceeds
of criminal activity, money laundering or the funding of terrorism, regardless
of any derogation, exemption or threshold.
Regulation 8 of the PMLFTR then specifies the moment in time when these
measures are to be applied within the above situations. While a subject person
would usually be expected to apply the CDD measures in the above situations at
the moment in time indicated in the PMLFTR, the risk-based approach allows
subject persons to vary the applicability and/or timing of the measures depending
on the risk of ML/FT identified.
Thus, even where the exceptions provided for under this Section providing for a
delay in the carrying out of CDD do not find application, subject persons are still
allowed to vary the timing of these measures on the basis of risk. In this regard,
subject persons should therefore have regard to what is provided in Section 4.8
on Simplified Due Diligence.


4.6.1 Timing of CDD when establishing a business relationship


Regulation 8(1) of the PMLFTR requires subject persons to verify the customer’s
identity and, where applicable, the beneficial owner’s identity when establishing
a business relationship. Therefore, as a general rule, when a customer seeks to
establish a business relationship, subject persons are required to apply CDD
measures when the prospective customer takes active steps to benefit from a
service or a product provided by the subject person and at all times prior to any
product or service being provided to the customer.
In practice, requiring the customer to provide documentation for the purposes of
verification in the context of a preliminary meeting or when initial enquiries are
still being made, may not always be realistic and reasonable. For example, when
a subject person receives general enquiries on the tax regime applicable in Malta
or a request for a quote, it would be premature for the subject person to seek to
obtain identification and verification of identity of the potential customer.
However, when the same person takes active steps that show that there is an
intention to establish a business relationship, with the exception of circumstances
that justify a delay in the carrying out of CDD measures, the subject person is
required to complete these CDD measures. A delay may, for example, be justified
insofar as verification of identity is concerned, when the subject person assesses
the business relationship to be a low-risk one.
This does not mean that subject persons cannot take steps that may facilitate the
eventual carrying out of the CDD measures. Giving a prospective customer prior
notice of what would be required in the event that he/she takes a decision to
establish a business relationship with the subject person may facilitate the
eventual carrying out of those measures. Thus, during preliminary meetings, it
may be advisable to inform prospective customers that the subject person’s CAP
requires the prospective customer to provide the necessary CDD documentation
immediately, prior to the establishment of that business relationship.

Exceptions when CDD may be carried out after the establishment of a business relationship

(i) Specific exceptions in relation to certain circumstances

Notwithstanding the obligation to complete verification procedures prior to the
establishment of a business relationship, the PMLFTR provide that verification
procedures may be completed after the establishment of a business relationship
when it is necessary so as not to interrupt the normal conduct of business.
However, this exception is subject to the following two conditions being met:

IMPLEMENTING PROCEDURES
152
4. CUSTOMER DUE DILIGENCE CONTINUED

(a) the risk of ML/FT is low; and
(b) the verification procedures have to be completed as soon as is reasonably
practicable after the establishment of the business relationship.68
Subject persons are to note that the low risk of ML/FT does not here refer to
the overall risk of the business relationship that would result following the
carrying out of the CRA. Rather, it is the risk within the initial phase of the business
relationship that must be assessed. By way of example, the use of some products
within the initial phase of a business relationship may be so limited in value, or
the type of product itself or its level of activity may appear to pose such a low
risk of ML/FT, that the business relationship at that point in time will present a
low risk of ML/FT independently of any other factors.
In the event that CDD measures are applied after the establishment of a business
relationship, subject persons should record the reasons for deferring their
application.

(ii) Specific exceptions applicable in relation to long-term insurance business

In terms of Regulation 7(9) of the PMLFTR, subject persons providing long-term
insurance business have, in addition to identifying and verifying the customer’s
identity, and where applicable, that of the beneficial owner, to carry out the
following CDD measures on the beneficiaries of long-term insurance policies:
(a) when the beneficiaries are specifically named natural persons, legal entities or
arrangements, subject persons have to identify these beneficiaries;
(b) when the beneficiaries are designated by characteristics, class or other means,
subject persons have to obtain sufficient information about those beneficiaries
to be able to identify them at the time of pay-out;
(c) when the beneficiaries assign any of their rights vested under the policy,
subject persons have to identify the natural persons, legal entities or
arrangements receiving for their benefit the value of the policy assigned, at
the time of becoming aware of the assignment; and
(d) verify the identity of the beneficiaries at the time of pay-out.
Thus, while beneficiaries have to be identified when the business relationship is
being established, the PMLFTR provide for the possibility that verification takes
place after the establishment of the business relationship, notwithstanding what
has been stated so far. However, verification of identity must always take place
at or before the time of pay-out (i.e., prior to the funds being transferred to the
beneficiary).
In cases where the beneficiary under a long-term insurance policy assigns all or part
of his/her rights under the said policy to a third party, the subject person has to:
(a) identify the assignee (as the new beneficiary) as soon as the subject person
becomes aware of the assignment; and
(b) verify the identity of the assignee at the time of pay-out at the latest, but
always prior to any funds being transferred to the assignee.

68. Regulation 8(2) of the PMLFTR.

(iii) Specific exceptions in relation to the opening of accounts

Notwithstanding the general principle and the exception under paragraph (i)
above, subject persons carrying out relevant financial business may open an
account (including accounts that permit transactions in transferable securities)
prior to the completion of the verification process.69 This exception is subject to
the condition that adequate safeguards are put in place such that no transactions,
apart from the initial transfer of funds necessary to open the account, are to be
carried out through the account until the verification procedures have been
satisfactorily completed.
By way of example, a subject person carrying on the business of banking under
the provisions of the Banking Act70 may open a bank account for the customer,
and accept an initial transfer of funds, as referred to above, prior to the completion
of the verification process, provided that safeguards are put in place to ensure
that no transactions are carried out through that account until the verification
procedures are satisfactorily completed.

(iv) Specific exceptions in relation to certain legal entities and legal arrangements that administer and distribute funds

There may be other situations, particularly in the area of trusts, foundations and
similar legal arrangements, when it may not be possible to identify and verify the
identity of the beneficiary at the time of the establishment of the business
relationship since the beneficiaries are simply designated by particular
characteristics or class and not (specifically) named as beneficiaries.71
In these cases, at the establishment of the business relationship (such as the
setting up of the trust), the subject person is only required to gather sufficient
information concerning the class or characteristics of beneficiaries (which
information one would expect to be contained in the trust instrument) to be able
to establish if the beneficiaries, once they are determined, are entitled to receive
the distribution.
Having established as much, subject persons are to carry out identification and
verification of the beneficiaries. The verification of their identity may be delayed
until the time of pay-out (i.e., prior to the funds being transferred to the
beneficiary) or until the time the beneficiaries seek to exercise their vested rights.
Furthermore, if the beneficiary assigns any of its rights, the assignee has to be
identified as soon as the subject person becomes aware of this assignment. Here
again, the verification of the assignee’s identity may, however, be delayed until
pay-out.
Apart from the above, there may be other situations when a subject person
encounters one or more impediments to carrying out CDD measures vis-à-vis
the beneficiaries. This may include instances when the beneficiaries may not even
be aware that they have been designated as beneficiaries. In these cases,
identification can still be carried out on the basis of the personal details contained
in the trust instrument and/or obtained from the settlor/trustee. However,
verification of identity can then be delayed until pay-out, as explained above.
The same reasoning can be applied to beneficiaries who have not yet received
any distribution under the trust or when the distribution is subject to one or more
conditions being met or to the trustee’s discretion, and the risk of ML/FT is
considered to be low. Even in these cases, it is possible for verification of identity
to be delayed until pay-out, as explained above.

4.6.2 Timing of CDD when an occasional transaction is carried out

Regulation 8(1) of the PMLFTR requires subject persons to verify the customer’s
identity and, where applicable, the beneficial owner’s identity, before carrying out
an occasional transaction. Therefore, when a customer seeks to carry out an
occasional transaction, subject persons are required to apply CDD measures
when the prospective customer takes active steps to benefit from a service or a
product provided by the subject person and at all times prior to any product or
service being provided to the customer.

69. Regulation 8(3) of the PMLFTR.
70. Cap. 371 of the Laws of Malta.
71. Regulation 8(4) of the PMLFTR.


On the other hand, when a customer merely seeks to obtain information from
the subject person, such as, for instance, the general conditions under which a
subject person would be ready to provide its services or products, the subject
person would not be required to carry out any CDD measures. Such an obligation
would only arise once the customer takes active steps to engage the subject
person to provide its services or products to carry out the occasional transaction.
Occasional transactions may vary in nature and therefore, depending on the case
at hand, subject persons are to apply suitable CDD measures. For instance, in the
case of a transfer of funds through the services of a money remitter where the
service is to be provided immediately, CDD measures have to be applied, and
documentation collected, prior to carrying out the occasional transaction.

4.6.3 Timing of CDD in case of suspicion of ML/FT

Regulation 7(5)(c) of the PMLFTR provides that subject persons are required to
carry out CDD measures when they know or suspect that a customer may have
been, is, or may be engaged in ML/FT, or that a transaction involves the proceeds
of criminal activity. In these instances, any exemption, exception or other change
in timing or extent of CDD measures to be carried out on the customer is not
applicable and the subject person has to carry out CDD to the extent that is
reasonably practicable.

4.6.4 When the subject person doubts the veracity or adequacy of CDD documentation

Subject persons must repeat CDD measures immediately when doubts arise on
the veracity or adequacy of previously obtained customer identification
information, data or documentation. In addition, the subject person must also
consider whether the CRA needs to be revised in line with the subject person’s
policies and procedures on CRAs and whether the situation gives cause for the
filing of an STR with the FIAU.

4.6.5 Timing of CDD in relation to existing customers

The PMLFTR require subject persons to apply CDD measures to existing
customers at appropriate times on a risk-sensitive basis, including when the subject
person becomes aware that changes have occurred in the relevant circumstances
surrounding the business relationship. In terms of Regulation 7(6) of the PMLFTR,
subject persons have to reassess and review the CDD carried out with respect to
existing customers/business relationships under two scenarios.

Scenario One – Reassessing and reviewing CDD measures on a risk- sensitive basis
Under this first scenario, the subject person is required to assess and review on a
risk- sensitive basis the CDD measures applied to all customers with which it
already had an established business relationship on the coming into force of a
revised version of the PMLFTR, any Implementing Procedures or any amendments
thereto. In this manner it can determine whether the risk management procedures
and CDD applied on all existing customers are in line with the requirements of the
revised or amended version of the PMLFTR and/or any Implementing Procedures
or any amendments thereto. In the event that any shortfalls are found, the subject
person would have to take action to remedy the situation and bring the situation
in line with the new applicable requirements.
Thus, when:
(a) the customer would be categorised as presenting the same level of ML/FT
risk within the subject person’s risk management procedures under both the
old and the revised versions of the PMLFTR and of the Implementing
Procedures;
(b) the subject person has sufficient CDD documentation and information on file
to meet the requirements under the revised PMLFTR and Implementing
Procedures (i.e., the CDD carried out is commensurate to the risk identified);
and
(c) the CDD documentation and information on file, as well as the nature and
level of ongoing monitoring carried out is sufficient to mitigate the ML/FT
risks that the customer presents
the subject person would not need to undertake any additional measures.
On the other hand, when any one or more of the conditions set out above are
not met, the subject person is required to review its business relationship with
the customer on a risk-sensitive basis to determine what action is to be
undertaken to ensure that the risk-based approach and CDD measures are being
applied in an appropriate manner.
In these circumstances, the subject person should consider giving priority to
business relationships that are rated as presenting a higher risk of ML/FT following
the application of the risk assessment procedures outlined in Chapter 3. Subject
persons should also consider taking any additional action on certain trigger events
(e.g., when the customer approaches the subject person for a new service or
product, or prior to carrying out another transaction), even if this is not in keeping
with the subject person’s review plan.
This risk-based revision should therefore lead subject persons to determine
what AML/CFT measures need to be repeated on these customers to ensure
that they are adhering to their obligations under revised versions of the PMLFTR,
any Implementing Procedures or any amendments thereto. It is important that
this review be undertaken within a reasonable period of time.

Scenario two – Changes in the circumstances relative to the business relationship

Subject persons are also required to review the business relationship when there
are changes in its circumstances that would give rise to a change in the ML/FT
risk posed by the customer and therefore lead to a different categorisation of the
customer. In these circumstances subject persons have to consider whether the
CDD measures applied have to be updated to mitigate effectively the new level
of risk they are exposed to and carry out the necessary changes.
By way of example, these changes may arise in the context of ongoing
monitoring, when the subject person notes changes in the customer’s transaction
patterns, changes in the payment method used or changes in the jurisdiction links
of the customer. In these cases, the subject person is first required to understand
whether these changes result in a change in the customer’s risk profile.
If there is a change in the risk level posed by the customer, then the CDD
measures applied on this customer also need to be revised, especially if the risk
of ML/FT has increased. Moreover, reference should also be made to Section 3.5
of these Implementing Procedures since the CRA would also need to reflect any
of these changes and be updated accordingly.
It is also possible that a change in the circumstances of a given customer will not
result in a change in the risk level to which the subject person is exposed but
leads to a change in the risk factor/s that had led to the business relationship being
considered as presenting a given level of risk. In these circumstances it would be
important for the subject person to consider whether the CDD measures applied
originally are sufficiently adequate to address the new risk factors or whether
new CDD measures have to be applied to counter and hence mitigate the new
specific risk factor/s identified.

IMPLEMENTING PROCEDURES
158
4. CUSTOMER DUE DILIGENCE CONTINUED

4.6.6 Acquisition of the business of one subject person by another

When a subject person acquires the business of another subject person or of a
third party,72 in whole or in part, it is not necessary to undertake CDD measures
anew on all existing customers, provided that the records of all customers are
acquired with the business and that the subject person is satisfied that the
procedures adopted by the previous subject person or third party, including its
CRA procedures, were in line with the provisions of the PMLFTR and the
Implementing Procedures.
This should not be limited to an evaluation of the policies and procedures adopted
and applied by the subject person or third party whose business is being acquired,
but should also include taking a sample of customers to ensure that these policies
and procedures were being implemented in practice. The acquiring subject person
should retain evidence of the sampling and checks carried out.
In the event that the records of the customers are not all obtained, or the
procedures adopted by the previous subject person or third party were not in line
with the provisions of the PMLFTR and the Implementing Procedures, CDD
measures must be undertaken on a risk-sensitive basis as soon as reasonably
practicable, ensuring that in the interim period any ML/FT risks are appropriately
mitigated. In these cases, the subject person should assess the extent of these
deficiencies and consider whether:
(a) they should repeat CDD measures on all customers;
(b) only particular CDD measures need to be repeated; or
(c) they should conduct CDD measures on those customers who are affected.
Subject persons are to note that the exclusion from carrying out CDD measures
does not extend to ongoing monitoring, which the subject person is obliged to
meet from the day on which it acquires another subject person’s or third party’s
customers.
Subject persons transferring their business, whether in whole or in part , still have
record- keeping obligations in relation to the customers they are transferring.
However, in this case, subject persons may fulfil their record- keeping obligations
by adopting one of the following options:
(a) the subject person transferring the business can opt to pass on the
documentation collected for CDD purposes, while retaining a copy of these
documents; or

72. For the definition of a “third party”, refer to Regulation 12(2) of the PMLFTR.

(b) the subject person transferring the business can opt to pass on the
documentation collected for CDD purposes without retaining any copies
thereof. These subject persons should however ensure that they retain the
CDD information required in accordance with the provisions of Regulation
7(1)(a)-(c), as updated in terms of Regulation 7(2)(b). If this option is adopted,
the transferor passing on the documents would need to enter into a written
agreement with the subject person to whom the business is being transferred
to ensure that all CDD documentation being passed on would be made
available immediately on request.
It is also to be noted that all other records concerning the business relationship
and all records of transactions carried out by the customer in question would
need to be retained by the subject person transferring the business, in line
with record keeping obligations, as outlined in Chapter 9.

4.6.6.1 Change in Fund Administrators servicing Collective Investment Schemes

Situations involving a change in the fund administrator servicing a collective
investment scheme may present particular challenges where the collective
investment scheme has outsourced both the carrying out of its AML/CFT
obligations as well as its MLRO as set out under Chapter 6 and Section 5.1.2
respectively of these Implementing Procedures. More often than not, these will
be functions which the collective investment scheme will have delegated to its
administrator. Therefore, with a change in fund administrator comes a change in
the outsourced service provider as well as a change in MLRO.
In this scenario, the fund administrator may not only have to transfer the
documentation collected for CDD purposes on the collective investment scheme
itself, being the fund administrator’s outgoing customer, but also any other original
documentation on the investors in the collective investment scheme collected in
fulfilling the scheme’s own AML/CFT obligations.
This may not always prove to be possible as, where there are one or more
common investors having multiple holdings in two or more collective investment
schemes serviced by the same fund administrator, it is very likely that the fund
administrator will have collected a common set of documentation for CDD
purposes. Requiring the transfer of this documentation could potentially result
in the other collective investment schemes being in breach of their AML/CFT
obligations with respect to documentation bearing certification in original or
documentation that had otherwise been collected in original.

In these circumstances, the outgoing fund administrator can provide to the
incoming fund administrator, on behalf of the collective investment scheme, a copy,
electronic or otherwise, of the documentation collected on the investors affected
by any such change. However, in any such circumstances, the outgoing fund
administrator would also have to provide a declaration addressed to the collective
investment scheme, outlining why the documentation in original cannot be made
available and a declaration confirming that the documents provided are true copies
of the originals held on file.
Thus, to the extent that the said declaration is retained on file by the collective
investment scheme or by the incoming fund administrator on its behalf, it will be
equally deemed that the collective investment scheme has met its record keeping
obligations with respect to its investors. This would be without prejudice to the
scheme’s ongoing monitoring obligations to ensure that any data, information
or documentation is kept up-to-date as and when necessary. Sufficient time
should be allowed for the transfer of records to ensure that the incoming fund
administrator is in possession of these records by the time it starts to carry out
any outsourced AML/CFT requirements.
The above would be equally applicable in situations where the collective
investment scheme is engaging a third party service provider that is not a fund
administrator to carry out its AML/CFT obligations on its behalf.

4.7 FAILURE TO COMPLETE CDD MEASURES LAID OUT IN REGULATION 7(1)(A)-(C)

When a subject person is unable to comply with paragraphs (a)-(c) of Regulation
7(1) of the PMLFTR, the subject person must:
(a) desist from carrying out any transaction through the account;
(b) desist from establishing the business relationship or carrying out an occasional
transaction; and
(c) terminate the business relationship with the customer.
In addition, subject persons are to consider whether they should file an STR with the
FIAU. It is important to highlight that the reluctance of the customer to provide
CDD documentation should not, on its own, automatically be equated with a
suspicion of ML/FT.
The subject person should consider all factors and information it has at its disposal.
If, after this assessment, the subject person determines that there are grounds
giving rise to a suspicion of ML/FT, then it has to submit an STR to the FIAU.
Prior to applying the measures under paragraphs (a), (b) and (c) above, the subject
person should consider whether this action may frustrate efforts at analysing or
investigating suspected instances of ML/FT. In that event, or when taking the
measures under paragraphs (a)-(c) above is impossible, the subject person should
carry on with the business and immediately inform the FIAU of the circumstances.
Subject persons may be in a situation where they are unable to fulfil their
obligations under Regulation 7(1)(a)-(c) when they are already in possession of
customer funds. In this instance, the action to be taken by the subject person will
hinge on whether or not the subject person has a suspicion of ML/FT.
Thus, if, after considering all factors and information at its disposal, the subject
person determines that:
(a) there are grounds giving rise to a suspicion of ML/FT, then it must submit an
STR to the FIAU and act in accordance with the provisions relative to the
suspension of execution of transactions envisaged under Article 28 of the
PMLA; and
(b) there are no grounds to suspect ML/FT, then the subject person must determine
whether there are any other reasons to hold onto the funds that are still in
the customer’s account and, if there are none, remit the funds to the customer.
Whenever a subject person is remitting funds to the customer, it must:
(a) remit the funds to the original source using the same channels used to receive
the funds; and
(b) to the extent that this may be possible, indicate in the script/instructions
accompanying the funds that these are being remitted due to its inability to
complete CDD.
In the event that the subject person is unable to remit the funds to the source
using the same channels, it will inevitably have to request fresh instructions from
the customer. If these instructions give rise to a suspicion, it should submit an STR
and suspend the remittance in line with Article 28 of the PMLA.
It should be clear that the remittance of any funds would not be possible when
an order, directive or notice has been issued in terms of the PMLA, the Criminal
Code or the PMLFTR which prohibits the subject person from releasing the funds.
Finally, it is to be noted that the PMLFTR provide that subject persons carrying
out a relevant activity under paragraph (a)-(c) of the definition of ‘relevant activity’,
which refers to:
(a) external accountants;
(b) auditors;
(c) tax consultants; and
(d) notaries and other independent legal professions,
shall not be bound to apply the measures indicated above provided that these
subject persons are acting in the course of ascertaining their client’s legal position
or of performing their responsibilities of defending or representing their customer
in, or concerning, judicial proceedings, including advice on instituting or avoiding
proceedings.

4.8 SIMPLIFIED DUE DILIGENCE

Regulation 10 of the PMLFTR provides for the application of SDD. The application
of SDD is not an exemption from carrying out CDD but rather a variation of the
extent and timing of CDD to be applied in view of the lower risk of ML/FT that
the circumstances present. When applying CDD measures, subject persons are
therefore allowed, in a way that is commensurate to the low risk they have
identified, to adjust:
(i) the timing of the CDD. An example would be when the product, service or
transaction sought has features that limit the possibility of its use for ML/FT
purposes, in which case subject persons can decide to postpone the
verification of identity or other CDD measures until a pre-determined
threshold or other triggering event is reached;
(ii) the quantity of information and/or documentation obtained for verification of
identity and other CDD measures. An example would be when a product
sought is limited in use and transaction values, and therefore the subject
person can opt to obtain less information on the customer’s source of wealth
or funds;
(iii) the quality of information/documentation obtained for verification and other
CDD measures. An example would be when the product, service or
transaction sought has features that limit the possibility of its use for ML/FT
purposes. Subject persons can adjust the source of information obtained for
CDD purposes, such as by accepting information obtained from the customer
rather than an independent source to establish the customer’s business and
risk profile. This would not be acceptable to verify the customer’s own identity;
and

(iv) the frequency and intensity of ongoing monitoring. An example would be
when:
(a) the frequency and/or intensity of transaction monitoring is varied by, for
example, monitoring only transactions that meet or exceed a given
threshold. When firms choose to do this, they must ensure that the
threshold is set at a reasonable level and that they have systems in place
to identify linked transactions that, together, would exceed that threshold.
Having said that, subject persons should ensure that the level of ongoing
monitoring is always sufficient to a degree that the subject person can
determine whether the circumstances on the basis of which it was
decided to apply SDD are still current; and
(b) the frequency of CDD updates and reviews of the business relationship is
adjusted, for example, to take place only when trigger events occur, such
as the customer looking to take out a new product or service or when a
certain transaction threshold is reached. Subject persons must make sure
that this does not result in a de facto exemption from keeping CDD
information and documentation up to date.
By way of example, if a product like an account or policy is considered to be low risk
since it is capped to a low value amount, the subject person should have mechanisms
in place that prevent a customer from depositing amounts in excess of the applicable
capping or from opening multiple accounts to circumvent this mentioned capping.
In applying any of the above-mentioned variations in timing and extent of CDD
measures, subject persons have to ensure that:
(a) the variation in the extent and timing of CDD does not result in a de facto
exemption from CDD measures;
(b) any threshold or event set to trigger CDD measures is set at a reasonably low
level (although with regard to terrorist financing, subject persons should note
that a low threshold alone may not be enough to reduce risk and thus
particular care should be exercised when providing services or products that
are particularly susceptible to being misused for terrorist financing purposes);
(c) they have systems in place to (i) detect when the threshold has been reached
and/or an event has materialised and (ii) prevent bypassing any restrictions,
limitations or characteristics applicable to the product or service; and
(d) they do not vary, defer or delay any CDD measures they cannot vary, defer
or delay under any EU Regulations, the PMLFTR, these Implementing
Procedures or any other binding instrument, order or directive.
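The two system controls referred to above, namely identifying linked transactions that together exceed a monitoring threshold (point (iv)(a)) and preventing a low-value cap from being bypassed through multiple accounts (point (c) and the capping example), are illustrated below in code. This is an added example for the reader and is not part of the Implementing Procedures, nor a system prescribed by the FIAU; the threshold, linking window and cap values, the sample transactions and the sample balances are all constructed assumptions, and a subject person would set its own values under its risk-based policies.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative parameters only (assumptions, not values set by the PMLFTR or
# the Implementing Procedures): a subject person sets these in its own policies.
MONITORING_THRESHOLD = 1000.0        # aggregate value that triggers review
LINKING_WINDOW = timedelta(days=7)   # period over which transactions are linked
PRODUCT_CAP = 5000.0                 # cap on a low-value product, per customer

# Constructed sample transactions: (customer_id, account_id, ISO timestamp, amount).
# C001 spreads 1,050 over two accounts and three days (each leg is below the
# threshold); C002 makes a single transaction above it; C003's two transactions
# are too far apart to be linked.
SAMPLE_TRANSACTIONS = [
    ("C001", "A1", "2021-10-01T09:00:00", 400.0),
    ("C001", "A1", "2021-10-02T10:30:00", 350.0),
    ("C001", "A2", "2021-10-03T11:00:00", 300.0),
    ("C002", "B1", "2021-10-01T12:00:00", 1200.0),
    ("C003", "D1", "2021-10-01T08:00:00", 900.0),
    ("C003", "D1", "2021-10-20T08:00:00", 900.0),
]

# Constructed sample balances: customer_id -> {account_id: balance}.
SAMPLE_BALANCES = {
    "C001": {"A1": 3000.0, "A2": 1800.0},
    "C002": {"B1": 1200.0},
}


def linked_transactions_over_threshold(transactions, threshold=MONITORING_THRESHOLD,
                                       window=LINKING_WINDOW):
    """Return {customer_id: highest aggregate} for customers whose transactions,
    summed across ALL their accounts within any sliding window of `window`,
    reach `threshold`. Aggregating per customer rather than per account is what
    catches a customer who splits amounts over several accounts."""
    by_customer = defaultdict(list)
    for customer_id, _account_id, ts, amount in transactions:
        by_customer[customer_id].append((datetime.fromisoformat(ts), float(amount)))

    flagged = {}
    for customer_id, txns in by_customer.items():
        txns.sort()                      # chronological order for the sliding window
        start, running = 0, 0.0
        for ts, amount in txns:
            running += amount
            # Drop earlier transactions that fall outside the window ending at `ts`.
            while ts - txns[start][0] > window:
                running -= txns[start][1]
                start += 1
            if running >= threshold:
                flagged[customer_id] = max(flagged.get(customer_id, 0.0), running)
    return flagged


def deposit_would_breach_cap(balances, customer_id, amount, cap=PRODUCT_CAP):
    """True if crediting `amount` would push the customer's combined balance
    across all of their accounts above `cap`. Checking the combined balance,
    not only the account being credited, is what stops the cap from being
    circumvented by opening multiple accounts."""
    combined = sum(balances.get(customer_id, {}).values())
    return combined + amount > cap


if __name__ == "__main__":
    print(linked_transactions_over_threshold(SAMPLE_TRANSACTIONS))
    print(deposit_would_breach_cap(SAMPLE_BALANCES, "C001", 500.0))
```

The sliding window keys on the customer, not the account, so the three sub-threshold legs of C001 are linked and surface as one aggregate, while C003's two legs nineteen days apart are not linked. The cap check likewise totals every account the customer holds before accepting a credit.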

Moreover, subject persons are, as a minimum, always required to identify the
customer as per Section 4.3.1 and/or 4.3.2 and carry out a sufficient degree of
ongoing monitoring to ensure that the circumstances on the basis of which SDD
was applied are still applicable. Therefore, when applying SDD, the subject person
is still required to undertake ongoing monitoring of the business relationship with
the customer to ensure that the ML/FT risk posed by the customer remains low
and to be able to identify any suspicion of ML/FT.
The information the subject person obtains when determining to apply SDD
measures must enable the subject person to be reasonably satisfied that the risk
associated with that particular business relationship is low. It must also be
sufficient to give the subject person adequate information about the nature of
the business relationship to identify any unusual or suspicious transactions.
Importantly, subject persons are to note that SDD does not exempt an institution
from reporting suspicious transactions to the FIAU.
Moreover, the rest of the CDD measures and an increased level of ongoing
monitoring are to be carried out or applied whenever the business relationship is
no longer deemed to represent a low risk of ML/FT or the subject person has a
suspicion of ML/FT.73 Whenever this occurs, subject persons are to ensure that
the risk rating of that business relationship is changed accordingly and SDD is no
longer applied.

4.8.1 Particular situations in which SDD may be applied

The PMLFTR no longer set out specific circumstances that allow the application
of SDD. Instead Regulation 10(1) allows subject persons to apply SDD measures
in circumstances that fall within either of the following two categories:
(i) in relation to activities or services that are determined by the FIAU to
represent a low risk of ML/FT, having taken into consideration the findings of
any national risk assessment and any other relevant factors as may be deemed
appropriate; and
(ii) when, on the basis of a risk assessment carried out in accordance with
Regulation 5(1) of the PMLFTR, the subject person determines that an
occasional transaction or a business relationship represents a low risk of ML/FT.
Thus, subject persons enjoy discretion on when SDD can be applied as long as
any decision to apply one or more SDD measures is justified on the basis of their
business and CRAs. The low risk factors mentioned in Chapter 3 can provide
some indicators as to when SDD may be permissible. Moreover, the Risk Factor
Guidance, issued by the EBA and referred to in Chapter 3 above, provides a series
of scenarios that can be considered as low risk and the accompanying measures
that can be applied.

73. In these cases an STR would also need to be submitted to the FIAU.
The following are some examples of situations that in normal circumstances are
deemed to present a low risk of ML/FT:

Customers carrying out Relevant Financial Business


In determining whether a business relationship presents a low risk of ML/FT, and
therefore the extent to which it is appropriate to apply SDD measures, a subject
person can take into account, inter alia, whether the customer is a subject person
carrying out relevant financial business or a third party established in an EU
Member State or in a reputable jurisdiction carrying out an equivalent activity and
subject to equivalent AML/CFT requirements and supervision as those required
by Directive (EU) 2015/849.
In determining whether SDD should be applied when servicing corporate
customers indicated in this section, the subject person should carry out
background checks on the entity to determine that it meets the criteria set out
above. This would involve:
(a) checking for any publicly available adverse regulatory or supervisory
information which is to be evaluated as set out in Section 3.5.1(a)(a); and
(b) obtaining evidence that the customer institution is licensed or authorised to
conduct financial and/or banking business. This could take place by:
• consulting public registries and websites maintained by supervisory and
regulatory authorities;
• requesting information directly from the customer; and
• checking with another office, subsidiary, branch or correspondent bank
operating in the same country of the customer.
When a customer is carrying out relevant financial business or an equivalent
activity, it would similarly be necessary to have an understanding of the activities
that customer is undertaking, i.e., an understanding of the services and products
offered as well as a general understanding of its customer base (e.g., main
customer categories, main geographical location of the same, etc.). In so doing,
the subject person will be in a better position to appreciate the actual ML/FT risk
that they are being exposed to. In addition, the subject person would have to
determine whether the customer applies robust and risk-sensitive CDD measures
to its own customers and, where applicable, to their beneficial owners.

Customer is a Collective Investment Scheme


Where the customer is a collective investment scheme and the said scheme meets
all of the conditions set out above, the subject person is able to exercise SDD in
relation thereto. This means that the subject person servicing the collective
investment scheme would not need to identify and verify the identity of any of
the underlying investors, being the customers of the collective investment scheme.
By way of example, when a collective investment scheme is established as a trust,
the subject person could opt not to identify the trust’s beneficiaries.
However, any decision not to do so would be dependent on the collective investment
scheme meeting the conditions set out in the introductory paragraphs to this section
4.8.1 and be also based on a consideration of ML/FT risk as explained in the same
paragraphs. The subject person shall obtain a confirmation from the collective
investment scheme that it has carried out CDD on all of the underlying investors,
which confirmation shall also include an undertaking by the collective investment
scheme that it will provide such information and documentation to the subject person
upon demand, so that the subject person can fulfil all of its AML/CFT obligations as
may be applicable. Such confirmation is to be signed by the Scheme’s officials and not
by the Fund Administrator or any other entity contracted for such function.

Nominee or Omnibus Securities’ Accounts


Financial instruments like bonds, shares, and units in collective investment schemes,
can be held in a nominee capacity or through an omnibus account, i.e. the said
financial instruments are registered in the name of a regulated entity which however
holds the same on behalf of the entity’s own customers. In these situations, the
regulated entity would be considered as the subject person’s customer, allowing for
the possible application of SDD even in these circumstances. SDD would here entail
that there would be no need to identify and verify the identity of the regulated
entity’s customers, being the actual beneficial owners of the financial instruments.
However, the application of SDD would be dependent on the regulated entity
meeting the conditions set out in the introductory paragraphs to this section 4.8.1
and be also based on a consideration of ML/FT risks as explained in the same
paragraphs. In so doing, the subject person will be able to understand whether
the regulated entity’s business model, and especially the category of underlying
investors serviced as well as the volume of funds that will be invested in this
manner, falls within the subject person’s risk appetite or otherwise. The subject
person shall also obtain a written declaration from the regulated entity that it has
carried out CDD on all of the underlying investors and which confirmation shall
include an undertaking to provide such information and documentation to the
subject person upon demand so that the subject person can fulfil all of its
AML/CFT obligations as may be applicable.
It is also important to obtain an undertaking from the regulated entity, that it will
immediately inform the subject person about any changes in the information
provided at the inception of the business relationship such that the subject person
may factor the same in its customer risk assessment as applicable.
Subject persons should record the steps they have taken to check that their
customer meets the conditions to be considered as generally low risk.

Client Accounts
Persons who hold client money or other assets in pooled accounts (whether in
a bank account or through a securities holding) may themselves be subject to
AML/CFT measures. When this is the case, they are expected to have already
carried out CDD measures on the assets’ beneficial owners. Thus, subject persons
carrying out a relevant financial business, with whom these client accounts are
held, can consider applying SDD measures, provided that all of the following
conditions are met:
(a) the business relationship with the holder of the pooled account presents a
low risk of ML/FT, considering among others the account holder’s business,
the type of underlying customers serviced by the holder and the jurisdictions
the holder’s business is exposed to;
(b) the holder of the account is a subject person or is otherwise a third party
established in the EEA or in a reputable jurisdiction that is subject to equivalent
AML/CFT requirements and supervision as those required by Directive (EU)
2015/849;
(c) it is determined that the holder of the pooled account applies robust and risk-
sensitive CDD measures to its own customers and, where applicable, to their
beneficial owners;
(d) an undertaking is obtained from the customer that CDD information and
documentation on the persons on whose behalf monies are held in the
pooled account will be made immediately available to the subject person upon
the subject person’s request; and
(e) there is no adverse information on the account holder.
Subject persons may reasonably apply a similar approach to client accounts that
only contain the funds of a single beneficial owner.
In these cases, the subject person may decide not to ask for any information and
documentation on the identity of the assets’ beneficial owner/s and limit itself to
applying CDD measures to the account holder and carrying out a sufficient level
of ongoing monitoring to ensure that there is no change in the level of risk to
which the subject person is being exposed to.

Public Sector Bodies


In respect of customers who are local or overseas governments (or their
representatives), supranational organisations, government departments, state-owned
companies or local authorities, the approach to identification and verification may be
tailored to the customer’s circumstances, reflecting the subject person’s determination
of the level of ML/FT risk presented. When the subject person determines that the
business relationship presents a low risk of ML/FT, SDD measures may be applied.
Public sector bodies include state-supported schools, colleges and universities.
For the avoidance of doubt, subject persons must make a distinction between
state-owned entities and bodies engaged in public administration. Bodies engaged
in public administration may involve different revenue/payment streams from
those of most businesses and are typically funded from government sources, or
from some other form of public revenues.
State-owned businesses, on the other hand, may engage in a wide range of
activities, some of which might involve higher risk factors, leading to a different
level of CDD being appropriate. These entities may be partly publicly funded or
may derive some or all their revenues from trading activities.
Furthermore, in determining the level of ML/FT risk presented, subject persons
are required to assess the jurisdictional risk.
By way of example, a government department of a jurisdiction listed by FATF as a
high-risk and non-co-operative jurisdiction should not be considered to represent
a low degree of ML/FT risk and hence should not be subject to SDD. The same
may apply to other jurisdictions that may not necessarily be listed by FATF but, for
instance, are characterised by corruption, political instability or civil unrest.


4.8.1.1 On-Going Monitoring


As has been already stated, the application of SDD still requires a degree of on-
going monitoring to take place so as to determine if the business relationship in
question still merits being considered as a low risk one. Amongst the checks that
should be carried out, subject persons are to periodically ensure that any
information obtained at the start of the business relationship is still current,
independently of any undertaking obtained from the customer that it will be
informing the subject person of as much.
In addition, the subject person should consider whether:
• Any new regulatory or supervisory information has been made public which
may somehow impact the subject person’s earlier customer risk assessment
and rating of the business relationship as one presenting a low risk of ML/FT.
• Any increase in the volume of funds being channelled or invested through a
nominee, omnibus or pooled account can somehow be considered to increase
the risk of ML/FT posed by the given business relationship.
• Any data, information or documentation made available in relation to
particular transactions or the underlying investors or customers is in keeping
with the information provided by the customer at the start of the business
relationship.

4.8.2 Circumstances where SDD cannot be applied


The PMLFTR prohibit the application of SDD when the subject person knows or
suspects that a customer may have been, is, or may be engaged in ML/FT, and
when the subject person knows or suspects that funds originate from criminal
activity. In these circumstances, even though the customer or the product qualifies
for SDD, the SDD procedure may not be applied and the subject person is
required to file an STR with the FIAU.
Furthermore, even if a business relationship or occasional transaction may present
elements of a low-risk situation, whenever the law expressly requires the
application of EDD measures in accordance with Section 4.9, SDD measures
cannot be applied. By way of example, if the product is a low-risk product but
the customer is a PEP, or has links with a non-reputable jurisdiction, even though
the product poses a low risk of ML/FT, the subject person is still required by law
to apply the appropriate risk-based EDD measures, given that the customer is a
PEP or coming from a non-reputable jurisdiction.


Subject persons are reminded that whenever the activities or services are no
longer determined by the FIAU to represent a low risk of ML/FT in terms of
Regulation 10(1)(a) or the CRA no longer indicates a low risk of ML/FT in terms
of Regulation 10(1)(b), they are to refrain from applying SDD and vary the level
of CDD accordingly.
For this to be done, subject persons are to always carry out sufficient ongoing
monitoring to be able to detect unusual and suspicious transactions, as well as to
be able to detect any changes that may require the subject person to revisit the
customer’s risk assessment and, as a result, the level of CDD being applied.
It is to be noted that the Risk Factor Guidelines issued by the EBA and referred to in
Section 3 contain a series of scenarios in which SDD can or cannot be applied,
together with possible measures to be undertaken. Subject persons carrying out
relevant financial business are to consider this document whenever they appraise
whether a situation presents a low risk of ML/FT and the measures to be undertaken.
Situations corresponding to those considered in these Guidelines and in terms of
which SDD is not considered possible should not be treated as low risk by subject
persons unless significant divergent circumstances subsist that justify a
reconsideration of the resulting ML/FT risk.

4.9 ENHANCED DUE DILIGENCE


Subject persons must apply EDD measures on a risk-sensitive basis in those
situations that, by their nature, represent a higher risk of ML/FT. In essence, EDD
measures are additional measures to the CDD measures set out in Regulation
7, which are to be applied to ensure that the higher risks presented by certain
customers, products, services or transactions are better monitored and managed
to avoid any involvement in ML/FT.
Whereas the PMLFTR provide for SDD measures to be applied on an optional
basis, it is mandatory for EDD measures to be applied in any situation that
presents a higher risk of ML/FT and in any other scenario when the application
of these measures is mandated by law. Regulation 11 of the PMLFTR provides
an exhaustive list of these scenarios and provides for the respective EDD
measures to be undertaken. In situations that are otherwise deemed to be high
risk, the EDD measures are largely left to the subject person’s discretion, so long
as they are appropriate to manage and mitigate the high risk of ML/FT.74

74. Regulation 11(2) of the PMLFTR.


In either context, the identification and verification of the customer’s identity and,
where applicable, of the beneficial owner, as well as in the case of a business
relationship, obtaining information on its purpose and intended nature (refer to
Sections 4.3 and 4.4) are important to ensure that the subject person:
(a) is well informed and understands the risks that would enable the subject
person to take appropriate mitigating measures; and
(b) is able to carry out proper ongoing monitoring, thus detecting misuse of the
product or service being provided by the subject person.
Subject persons are expected to gather additional information and/or
documentation (as appropriate), which is more thorough and detailed, on those
business relationships or transactions that pose a higher risk of ML/FT. In practice,
under a risk-based approach, it will not be appropriate for every product or service
provider to know their customers equally well, but the subject person’s information
demands need to be proportionate and appropriate to the respective ML/FT risk.
Subject persons should also determine the type and/or intensity of ongoing
monitoring that should be carried out on a particular customer, depending on the
risks posed by the customer and/or the customer’s activities. The extent of
additional information sought, and of any monitoring carried out in respect of any
particular business relationship, or class/category of business relationship, will
depend on the ML/FT risk that the customer, or class/category of business
relationship, is assessed to present to the subject person.
A subject person should have a clear policy on the escalation of decisions to
senior management concerning the acceptance or continuation of high-risk
business relationships.

4.9.1 Situations presenting a High Risk of ML/FT


Regulation 11 requires the application of EDD in relation to the following situations:
(a) In relation to activities or services that are determined by the FIAU to
represent a high risk of ML/FT, having taken into consideration the
findings of any national risk assessment and any other relevant factors, as
may be deemed appropriate.
In the event that the FIAU determines that a particular activity or service
represents a high risk of ML/FT, and therefore warrants the application of EDD
measures, the subject person is to apply EDD measures irrespective of whether
the subject person has classified the customer or business relationship as not
representing a high risk in its BRA or CRA carried out by the subject person in
accordance with Chapter 3.
By way of example, when the Government of Malta launched an investment
registration scheme, the FIAU issued corresponding AML/CFT guidance, which laid
down a number of EDD measures that were to be applied by specific subject persons.
(b) Where, on the basis of the risk assessment carried out in accordance with
Regulation 5(1) of the PMLFTR, the subject person determines that an
occasional transaction, a business relationship or any transaction
represents a high risk of ML/FT.
Subject persons should here refer to Chapter 3 of these Implementing Procedures
for guidance on how subject persons are to assess the risks posed by their particular
business, services or activities and the risks posed by specific customers. In the event
that the results of the CRA indicate that a business relationship or an occasional
transaction represent a high risk of ML/FT, EDD measures should be applied.
In this regard, subject persons carrying out relevant financial business are to refer
to the Risk Factor Guidelines issued by the EBA and alluded to in the context of
Chapter 3. When faced with situations analogous to the ones described in these
Guidelines, requiring the application of EDD measures, subject persons must
consider adopting these measures or ones that are equally effective to mitigate
the risk of ML/FT.
These Guidelines should also be taken into consideration by subject persons
carrying out relevant activity since it is possible that they will encounter situations
that present risks of a similar nature. Thus, the measures set out in these Risk
Factor Guidelines to counter these risks may be equally applicable by subject
persons, even if they do not carry out relevant financial business.
(c) When dealing with natural or legal persons established in a non-reputable
jurisdiction as defined in Regulation 2(1) of the PMLFTR, other than
branches or majority-owned subsidiaries which comply with group-wide
policies and procedures, as required under Regulation 6 of the PMLFTR,
in relation to such branches or majority-owned subsidiaries EDD is to be
applied when these present a high risk of ML/FT.
Identifying situations that would require the application of EDD in terms of this
sub-section requires an understanding of a number of concepts, namely:
(a) “Dealing with Natural or Legal Persons” – subject persons are to interpret
the term “dealing” in as wide a manner as possible. Thus, it is not only the
entering into a business relationship or the carrying out of an occasional
transaction that must be considered as “dealing” but also, for example, the
carrying out of transactions within the context of a business relationship that
have links with non-reputable jurisdictions. When transactions are concerned,
attention should be paid to the source of funds, the parties to the transaction,
the accounts through which funds are to flow, etc.
(b) “Established” – subject persons here must have regard to connecting factors,
such as the citizenship or residency in the case of a natural person or the
jurisdiction of registration, incorporation or licensing in the case of legal
persons. The main place of business of the natural or legal person has to also
be considered as a possible link. The same applies with regard to the person’s
source of wealth, i.e., if the activities that have generated or are generating
the person’s wealth are located in non-reputable jurisdictions. Having
citizenship on its own need not be automatically equated with the natural
person being established in the non-reputable jurisdiction if the individual has
no other links with the jurisdiction concerned.
(c) “Non-Reputable Jurisdiction” – subject persons are here required to refer to
Section 8.1 of these Implementing Procedures, which interprets the concept
of ‘non-reputable third countries’ and how to assess whether a jurisdiction is
reputable or otherwise.
Subject persons are not required to carry out EDD measures in cases where the
natural or legal person established in a non-reputable jurisdiction is a branch or
a majority-owned subsidiary, which complies with group-wide policies and
procedures, as set out in Section 8.2. This exemption, however, cannot be applied
if, in line with the risk assessment carried out by the subject person, the scenario
is still considered to represent a high risk of ML/FT.
Insofar as non-reputable jurisdictions are concerned, the proviso of Regulation
11(2) of the PMLFTR also makes reference to non-reputable jurisdictions in
respect of which an international call for countermeasures has been made. The
proviso states that, when undertaking occasional transactions for, or establishing
a business relationship with, or acting in the course of a business relationship with
a natural or legal person established in a non-reputable jurisdiction in respect of
which there has been an international call for countermeasures, prior to the
establishment of the business relationship or the undertaking of an occasional
transaction, subject persons have to:
(a) apply EDD measures; and
(b) inform the FIAU of the proposed business relationship, occasional transaction
or transaction that is to take place within an already existing business
relationship prior to these taking place.


In these cases, the FIAU may, in collaboration with the relevant supervisory
authority, require the subject person:
(a) not to establish the business relationship;
(b) not to continue this business relationship;
(c) not to undertake an occasional transaction; or
(d) to apply any other countermeasures as may be adequate under the circumstances.
The subject person should here refer to Section 8.1, which provides further
guidance, particularly when it comes to those jurisdictions listed in FATF public
statements and EU legal acts identifying countries which have strategic AML/CFT
deficiencies and to which countermeasures apply.

4.9.2 Situations in which EDD is prescribed by law


4.9.2.1 Correspondent Relationships
EDD measures have to be applied whenever subject persons carrying out
relevant financial business seek to establish a cross-border correspondent
relationship with respondent institutions situated in a country other than an EU
Member State. For the purposes of the PMLFTR, a correspondent relationship
can therefore also be considered to subsist between subject persons other than
credit institutions as long as they carry out relevant financial business.
This results from the very definition of “correspondent relationship” provided in
Regulation 2(1) of the PMLFTR, which refers to:
(a) the provision of banking services by one bank as the correspondent to
another bank as the respondent, including providing a current or other liability
account and related services, such as cash management, international funds
transfers, cheque clearing, payable-through accounts and foreign exchange
services; and
(b) the relationship between and among institutions carrying out relevant financial
business and activities equivalent thereto, including when similar services to
those under paragraph (a) are provided by a correspondent institution to a
respondent institution, and including relationships established for securities
transactions or funds transfers.
The correspondent banking relationships referred to in paragraph (a) above
cover the provision of banking-related services by one credit institution (“the
correspondent bank”) to another credit institution (“the respondent bank”). The
possible nature of these banking-related services is indicated in the same
paragraph. Through such a correspondent banking relationship, the respondent
bank would be able to access cross-border products and services that it cannot
provide on its own, typically due to the lack of an international network, for its
own purpose or on behalf of its customers.
In the latter case, the correspondent bank (i.e., the subject person) would
therefore be servicing the respondent bank by processing and/or executing
payments or other transactions for the end-benefit of the respondent bank’s
customers (and vice-versa) with whom it would have no direct relationship.
Correspondent banking does not include one-off transactions or the mere
exchange of SWIFT Relationship Management Application (RMA) keys75 in the
context of non- customer relationships, but rather is characterised by its
(expected) ongoing, repetitive nature. The scope of a relationship and extent of
products and services supplied will vary according to the needs of the respondent,
and the correspondent’s ability and willingness to supply them.
The other correspondent relationships referred to in paragraph (b) above relate
to relationships established between subject persons carrying out relevant
financial business to provide services equivalent or similar to those provided within
the context of a correspondent banking relationship. Thus, these relationships
may still be established to facilitate the transfer of funds pertaining to the
respondent institution’s customers, but they may also involve services provided
on assets other than funds, such as securities.
Given the nature of a correspondent relationship, the correspondent institution (i.e.,
the subject person) is in all instances deemed to be establishing a business
relationship with the respondent institution and not the respondent institution’s
customers. To this end CDD measures in terms of Regulation 7 must be applied on
the respondent institution and, in addition thereto, in cases where the respondent
institution is established in a jurisdiction other than an EU Member State, Regulation
11(3) also requires that the following additional measures be applied:
(a) gather sufficient information about the respondent institution to fully understand
the nature of the respondent’s business and to determine from publicly available
information:
(i) the reputation of the institution; and
(ii) the quality of supervision of that institution.

75. The SWIFT RMA is a messaging capability enabling SWIFT members to exchange
messages over the network and can create a non-customer relationship in particular
cases of cash management, custody, trade finance, exchange of messages with payments
and securities markets infrastructure entities, e.g., exchanges depositories.
The amount of information and/or documentation to be gathered by the
subject person will vary depending on the risks posed by the respondent
institution. In this regard, the information to be obtained in relation to the
nature of the respondent institution’s business would include the type of
respondent (i.e., kind of relevant financial activity or equivalent activities
provided), the business model and the type of products, services and
transactions that the respondent offers, and the reputability of countries
where the respondent operates.
When assessing the reputation and the quality of the supervision of the
respondent institution, its parent undertaking or other companies within the
same group, subject persons should have regard, among other matters, to the
regulatory status (if any) of the respondent institution, the AML/CFT regime
to which it is subject and to the supervisory record of the respondent (i.e.,
whether the respondent has been subject to any ML/FT investigations or
regulatory enforcement measures in the past).
Subject persons are to also consider other factors that might affect the
respondent’s risk profile, such as whether the history of the business relationship
with the respondent gives rise to concern, for example because the amount of
transactions being undertaken are not in line with what the correspondent
would expect, based on its knowledge of the nature and size of the respondent.
As regards the quality of supervision, regard should be had to any assessments,
such as FATF and other FSRBs mutual evaluation reports, carried out on the
level and quality of supervision applicable in the jurisdiction where the
respondent institution is established and to which laws it is subject. Thus, use
may be made of information already collected to determine whether a
jurisdiction is reputable or otherwise.
Subject persons may make use of publicly available information to understand
the nature of the respondent institution’s business, its reputation and the
quality of supervision on that institution.
(b) it assesses the adequacy and effectiveness of the respondent institution’s measures,
policies, controls and procedures for the prevention of ML/FT.
There are various measures that can be carried out to fulfil this requirement.
These measures, which may be applied either independently of each other
or cumulatively, are the following:
(1) the correspondent institution obtains a copy of the AML/CFT procedures
manual of the respondent institution and assesses the adequacy and
effectiveness of the respondent institution’s AML/CFT measures, policies,
controls and procedures on the basis of the measures set out in the
PMLFTR and these Implementing Procedures; or
(2) the correspondent institution develops a questionnaire with specific
questions covering the legal obligations and the internal procedures
applied by the respondent institution to meet these obligations; or
(3) the correspondent institution requests a declaration from the respondent
institution on the adequacy of its internal controls, possibly certified by its
supervisory authority or by an independent third party qualified to make
such an assessment.
(c) it obtains prior approval of senior management for the establishment of new
correspondent relationships;
Obtaining the approval of senior management means having the approval of
a senior management official who has sufficient knowledge of the subject
person’s ML/FT risk exposure and holds sufficient seniority to take decisions
affecting its risk exposure, but need not be a member of the board of directors
or equivalent body. The approval of senior management should be clearly
documented and made available, if required by the FIAU.
What will constitute senior management will depend on the size, structure and
nature of the subject person and it is possible that this decision may be taken
also by an internal committee of the correspondent institution. By requiring
senior management approval, subject persons will ensure that they are not
entering into a business relationship without applying the necessary controls.
(d) it documents the respective responsibilities of each institution for the prevention
of ML/FT;
The correspondent institution must ensure that the AML/CFT measures that
each institution is to carry out and the responsibilities of each institution are
clearly set out and documented. Thus, although it is not necessary that the
two institutions formalise their respective responsibilities in a detailed, formal
written document, there must be some form of documentation clearly setting
out the respective institutions’ responsibilities.
(e) it is satisfied that, with respect to payable-through accounts, the respondent
institution has verified the identity of and performed ongoing due diligence on the
customers having direct access to the accounts of the respondent institution and
that it is able to provide relevant CDD data upon request.
Payable-through accounts are correspondent accounts that are used directly
by the respondent institution’s customers to carry out transactions on their
own behalf. Given the higher risk of ML/FT presented by this form of
correspondent relationship, the correspondent institution is expected to
determine who, apart from the respondent institution, is making use of this
type of account.
This can be done by:
(i) obtaining written confirmation from the respondent institution that it will
assume responsibility to carry out CDD on these persons, including
identification and verification of the identity of any of its customers who
are granted access to this type of account; and
(ii) carrying out random and spontaneous checks to ascertain that appropriate
AML/CFT measures are being undertaken.
Correspondent relationships must also be subject to a degree of ongoing
monitoring. This may be carried out in a number of ways, including, but not limited
to, the following:
(a) Conducting ongoing monitoring of the respondent institution – such as undertaking
periodical reviews of the CDD information and documentation obtained on the
respondent institution. The frequency of review will depend on the level of risk
associated with the respondent institution. Where these reviews reveal a
change in the risk posed by this respondent institution, the subject person
should consider adjusting its risk assessment of the respondent institution and,
if appropriate, obtain additional information and/or documentation to support
the adjustment in the risk assessment.
(b) Ongoing monitoring of transactions – this monitoring is required to be able to
detect any changes in the respondent institution’s transaction patterns or
activity. For more information in relation to the type of transaction monitoring
to be undertaken by the subject person, refer to Section 4.5.
(c) Targeted transaction monitoring – the monitoring of transactions depending on
unique risk factors (e.g., location of the customers of the respondent institution,
the high number of STRs filed, where the payment flows are inconsistent with
the stated purpose of the account, etc.). The level and nature of transaction
monitoring will vary, depending on the risks and the nature of the correspondent
services being provided. For example, if the main purpose of the correspondent
relationship is to process international wire transfers on behalf of the
respondent institution’s customers, the focus of account monitoring could be
how well the respondent institution is implementing sanctions screening.
(d) Enhancing the level of ongoing monitoring and request for information about
transactions – in the event that the subject person flags any unusual activity, the
subject person should have internal processes in place to further review the activity
and be able to request information and/or documentation from the respondent
institution to be able to clarify the situation and possibly clear the alert.
In the context of correspondent relationships, a CRA is important from a number
of perspectives:
(a) in relation to those correspondent relationships where the EDD measures to be
applied are mandated by law, the CRA will allow the correspondent institution to
calibrate the intensity and frequency of the EDD measures described above,
including ongoing monitoring, as well as identify any additional risks that may
require additional EDD measures to mitigate identified risks in an effective manner.
(b) in relation to any other correspondent relationship that does not fall within
the ambit of Regulation 11(3) of the PMLFTR, i.e. a correspondent relationship
held with an institution located in Malta or in another EU Member State, the
CRA will lead the subject person to understand the actual risk presented by
that relationship. When the ML/FT risk identified is high, the correspondent
institution is to apply the same EDD measures as those provided for under
Regulation 11(3). The subject person must therefore still determine if the
correspondent relationship is a high-risk business relationship in the context of
which EDD is applicable in terms of Regulation 11(1)(b) and, even though
Regulation 11(3) may not be applicable thereto, apply the same mitigating
measures provided for under the said Regulation 11(3).
Where a revision of the CRA becomes necessary, the subject person should consider
how the CDD measures may, within the limits allowed by law, be recalibrated to
better address the revised risk level. In the case of correspondent relationships, the
risk factors to be considered are to include, but are not limited to, the following:
(a) the respondent’s place of establishment – the jurisdiction where the respondent
institution and/or its parent undertaking is headquartered may increase or
decrease the risk of ML/FT and therefore subject persons should evaluate the
degree of risk presented by the jurisdiction in which the respondent and/or
its parent undertaking is/are based;
(b) the respondent’s ownership and control structure – the location of the
shareholders, their corporate legal form and/or lack of transparency of the
ultimate beneficial owners are indicative of the risk the respondent institution
presents. Subject persons should therefore consider whether the respondent
institution is publicly or privately owned; if publicly held, whether its shares
are listed or otherwise, on an exchange or regulated market in a reputable
jurisdiction with a satisfactory regulatory regime; and, if privately owned, the
identity of any beneficial owners and controllers. Similarly, the location and
experience of management may indicate additional concerns, as would unduly
frequent management turnover. The involvement of PEPs in the management
and/or control structure may also increase ML/FT risk;
(c) the respondent’s business and customer base – the type of business activities
undertaken by the respondent institution, as well as the type of customer
base the respondent institution has, will have a bearing on the risk posed by
the respondent institution. Involvement in certain business segments that are
recognised internationally as particularly vulnerable to ML/FT or corruption,
may present additional concerns. By way of example, a respondent bank that
derives a substantial part of its income from customers located in high-risk
jurisdictions or from customers who deal in certain sectors that are more
vulnerable to ML/FT presents a higher risk of ML/FT;
(d) downstream correspondent clearing (i.e., nested relationships) – when the
respondent bank is itself a downstream correspondent clearer, subject persons
will, on a risk-sensitive basis, take reasonable steps to understand the type of
risks posed by the respondent bank’s customers; and
(e) in addition to the above, it is to be noted that subject persons carrying out
relevant financial business are prohibited from entering into, or continuing,
correspondent relationships with shell institutions. Moreover, the PMLFTR also
require these subject persons to take appropriate measures to ensure that they
do not enter into, or continue, a correspondent relationship with a respondent
institution that is known to permit shell institutions to use its accounts.
In this regard, it is pertinent to keep in mind that subject persons need to make
adequate checks to assess the extent to which any respondent institution with
which they have entered into a correspondent relationship permits shell institutions
to use its accounts, and need to also maintain a record of these verifications.

4.9.2.2 Politically Exposed Persons


PEPs pose a high risk of ML/FT due to the position they occupy and the influence
they exercise. PEPs may abuse their prominent public functions for private gain,
such as by being involved in corrupt practices, accepting bribes or abusing or
misappropriating public funds. These crimes generate proceeds that would need
to be laundered. Certain PEPs in certain positions may also be exposed to the
possibility of being involved in FT. The application of EDD measures is therefore
necessary to mitigate the potential risks of ML/FT that arise when a subject
person deals with PEPs.
Similarly, family members or persons known to be close associates of PEPs may, as
a result of this connection, also benefit from, or be used to facilitate, abuse by the
PEP of his/her position and influence. Therefore, EDD measures are required also
with regard to family members or persons known to be close associates of PEPs.
Regulation 11(5) of the PMLFTR requires that subject persons have appropriate
AML/CFT risk management procedures in place that enable them to determine
whether a customer or a beneficial owner (current or prospective) is a PEP and,
subsequently, to carry out EDD measures both when establishing or continuing
business relationships with or undertaking occasional transactions for a PEP.
Specific EDD measures are moreover outlined under Regulation 11(6) to cover
scenarios where PEPs are beneficiaries of long-term insurance policies.
Regulation 11(8) of the PMLFTR stipulates that these same obligations apply to
family members and persons known to be close associates of a PEP.
While EDD measures are to be applied on PEPs, their family members and
persons known to be their close associates, this is not to be interpreted as
meaning that, whenever any such individual is establishing a business relationship
or carrying out an occasional transaction, the business relationship or occasional
transaction is connected to ML/FT.
Subject persons are therefore required to carry out EDD measures that are
commensurate and proportionate to the ML/FT risks envisaged. However, subject
persons are not required to turn away any prospective customers or close a business
relationship on the basis that the prospective customer or the customer, or beneficial
owner, is a PEP (or a family member or person known to be a PEP’s close associate).
It should be made clear, however, that if, after collecting all the necessary information
and documentation on the prospective customer, customer or its beneficial owner,
and conducting a CRA, the subject person determines that the prospective business
relationship or occasional transaction falls outside its risk appetite (because the risks
posed are higher than it can effectively mitigate), the subject person has to decline
or close the business relationship, or not carry out the occasional transaction.

(a) Who qualifies as a PEP?


Regulation 2(1) of the PMLFTR defines a PEP as a natural person who is or has been
entrusted with a prominent public function, other than middle ranking or more junior
officials. While middle ranking or more junior officials are not considered to hold
prominent public functions and therefore are not considered to require the application
of EDD measures in terms of Regulation 11(5) and Regulation 11(6), this does not
exclude the possibility that EDD measures may still have to be applied when it is
determined that a high risk of ML/FT subsists in accordance with Regulation 11(1)(b).
The PMLFTR does not provide a definition of what constitutes a ‘prominent public
function’ since this may vary depending on a number of factors, such as the type,
size, budget, powers and responsibilities associated with a particular public
function and the organisational framework of the government or international
organisation concerned, as well as the specific jurisdiction concerned.
The PMLFTR do, however, provide a non-exhaustive list of public functions that
are considered to be prominent public functions and would therefore render the
holder thereof a PEP. This includes:
(a) Heads of State, Heads of Government, Ministers, Deputy or Assistant
Ministers, and Parliamentary Secretaries;
(b) members of Parliament or similar legislative bodies;
(c) members of the governing bodies of political parties;
(d) members of the superior, supreme, and constitutional courts or of other
high-level judicial bodies whose decisions are not subject to further appeal, except
in exceptional circumstances;
(e) members of courts of auditors, or of the boards of central banks;
(f) ambassadors, chargés d’affaires and other high-ranking officers in the armed forces;
(g) members of the administrative, management or supervisory boards of
state-owned enterprises; and
(h) anyone exercising a function equivalent to those set out in paragraphs (a)-(f) above
within an institution of the European Union or any other international body.
This list is by no means exhaustive, and subject persons are required to assess on
a case-by-case basis whether a particular public function presents characteristics
that would fall to be considered as a ‘prominent public function’ in terms of the
PMLFTR and these Implementing Procedures.
The same public function may in one case or country lead to its holder being
considered a PEP, while in another situation or country this may not be the case.
By way of example, the positions and powers assumed by a mayor of a large city
or head of a region in a foreign jurisdiction may not necessarily be equivalent to
those assumed by a Maltese mayor and therefore a mayor may be treated
differently, depending on the jurisdiction concerned.
It is important to note that the PMLFTR do not distinguish between local and
foreign PEPs and thus any person entrusted with a prominent public function,
whether in Malta or in any other jurisdiction (including persons entrusted with a
prominent public function in a supranational institution or within
inter-governmental bodies, such as the European Union and the United Nations), is
considered to be a PEP and the subject person is required to carry out the EDD
measures specified in Regulation 11(5) and (6) on that customer.
In the Maltese context the prominent public functions indicated in the PMLFTR
that would render their holder a PEP should be understood as follows:
(i) Heads of State, Heads of Government, Ministers, Deputy or Assistant Ministers
and Parliamentary Secretaries – means the President of the Republic of Malta,
the Prime Minister and all ministers and parliamentary secretaries;
(ii) Members of Parliament or similar legislative bodies – means the Speaker and all
Members of the House of Representatives;
(iii) Members of the governing bodies of political parties – the term ‘political parties’
should be limited to those political parties represented in the House of
Representatives. Persons falling within this category would include individuals
entrusted with the management and administration of that political party and
do not include paid-up members or regional or town representatives;
(iv) Members of the superior, supreme, and constitutional courts or of other
high-level judicial bodies whose decisions are not subject to further appeal, except in
exceptional circumstances – in the local context this means all Judges of the
Courts of Malta and Gozo;
(v) Members of courts of auditors, or of the boards of the central banks – means
the Auditor General, the Deputy Auditor General, and the Governor and
Deputy Governor/s of the Central Bank of Malta;
(vi) Ambassadors, chargés d’affaires and high-ranking officers in the armed forces –
all ambassadors and chargés d’affaires of foreign jurisdictions in Malta, as well
as all Maltese ambassadors and chargés d’affaires abroad. Honorary Consuls
are not to be considered as PEPs. The Commander and Deputy Commander
of the Armed Forces of Malta also fall within this category;
(vii) Members of the administrative, management or supervisory boards of
state-owned enterprises – means members of the administrative, management or
supervisory boards of commercial entities and companies in which the
Government of Malta has an ownership interest or control of more than 50%.
It must be reiterated that the above list of who should be considered as a PEP in
Malta is not exhaustive and represents only the list of prominent public functions
set out in the PMLFTR as interpreted in the local context. There are other public
functions in Malta that can be considered as being “prominent” public functions
that are not indicated above and that would qualify their holder to be considered
as a PEP. Such prominent public functions would also include:
• Magistrates of the Courts of Malta and Gozo;
• Permanent Secretaries within all the Government ministries;
• Chiefs of staff within all the Government ministries;
• the Attorney General; and
• the Commissioner and Deputy Commissioners of Police.
All Maltese individuals who are entrusted with a prominent public function
equivalent to those envisaged in points (i) to (vi) above in an EU institution or other
international body would be considered PEPs – such as the Maltese EU
Commissioner, Maltese Members of the European Parliament, Maltese Members
of the European Court of Auditors and of the European Court of Justice.
It is therefore emphasised that subject persons are required to assess on a
case-by-case basis whether a particular office presents characteristics that fall within
the definition of a ‘prominent public function’.
With respect to the term ‘family members’ of PEPs, Regulation 11(8) of the
PMLFTR defines the term as including:
(a) the spouse, or any person considered to be the equivalent to a spouse;
(b) the children and their spouses, or persons considered to be the equivalent to
a spouse; and
(c) the parents.
The list of “family members” is not an exhaustive list and therefore subject persons
should consider whether other family relationships in specific circumstances may
be considered to be similar to those under the indicative list in the PMLFTR.
With respect to the term ‘persons known to be close associates’, the PMLFTR
provide under Regulation 11(8) that the term means:
(a) a natural person known to have:
(i) joint beneficial ownership of a body corporate or any other form of legal
arrangement;
(ii) or any other close business relations with that PEP.
(b) a natural person who has sole beneficial ownership of a body corporate or
any other form of legal arrangement that is known to have been established
for the benefit of that PEP.
In the case of personal relationships, the social, economic and cultural context
may also play a role in determining how close those relationships generally are.
This process can even become more difficult when seeking to form a view on the
status of close family members, such as children and their spouses, who may, in
certain circumstances, be quite distant or estranged from their parent/s or other
relative having a PEP status. For the assessment of risk, it is the links between
the close associate and/or family member with the PEP that determine the level
of risk.

(b) How to determine that a person is a PEP?


Regulation 11(5) of the PMLFTR requires subject persons to maintain risk
management procedures to determine whether a customer or a beneficial owner
is a PEP or a family member or close associate thereof. This requirement is not
only applicable to prospective customers but also to existing customers, given
that existing customers may become PEPs or associated therewith, including
through family ties, at a point in time in the course of an ongoing relationship.
Subject persons should therefore ensure that their risk management procedures
incorporate a mechanism to ascertain when the status of an existing customer
changes to that of any of the above. This procedure should be incorporated within
the ongoing monitoring systems of the subject person.
In determining whether the customer or a beneficial owner is a PEP, subject
persons may:
(i) rely on publicly available information, including internet and media searches;
or
(ii) obtain this information directly from the customer or beneficial owner; or
(iii) use commercial databases.
In relation to the publicly available information, subject persons should consider
and assess the reliability of the sources being relied on. Subject persons should
consider referring to different sources rather than relying solely on one particular
source, especially in higher ML/FT risk scenarios. All searches undertaken by the
subject person should be duly documented and retained by the subject person.
Information related to point (ii) above may be obtained from the customer in
response to a question posed in the application (or onboarding) form when this
forms part of the subject person’s procedures. Alternatively, subject persons may
develop a questionnaire with specific reference to criteria that identify PEPs
(including, for the avoidance of doubt, family members and persons known to be
close associates of the PEP). This questionnaire would be required to be
completed and signed accordingly by the customer and, where applicable, the
beneficial owner.
On the basis of the risk procedures referred to in Chapter 3, subject persons
should determine whether the use of commercial databases or other sources to
confirm the information provided by the customer is necessary. Prior to making
use of any commercial databases, subject persons should understand how a
commercial database is populated and to what extent it is able to detect and flag
PEPs, family members and persons known to be close associates of PEPs, and
hence determine whether this commercial database would be adequate to assist
the subject persons in identifying PEPs, family members and persons known to
be close associates, as required by the PMLFTR.
The application of EDD to PEPs, their family members and close associates is
mandatory as long as a PEP remains entrusted with a prominent public function,
as defined above, and for at least a subsequent 12-month period from when
he/she ceases to be so entrusted. This, however, does not mean that after the
lapse of those 12 months there will no longer be any obligation to carry out EDD,
since this will ultimately depend on the risks posed by the business relationship
established with or the carrying out of an occasional transaction for such an
individual; any such individual may still be exposing the subject person to a high
risk of ML/FT and therefore, in any such circumstances, the application of EDD
measures would still be required. Subject persons are at all times required to
ensure that the CDD measures applied are commensurate to the risks of ML/FT
posed by a particular business relationship or occasional transaction, and hence
to apply EDD measures when a high risk of ML/FT is identified.

(c) EDD measures to be applied in relation to PEPs


Regulation 11(5) and (8) of the PMLFTR require subject persons to apply specific
EDD measures in relation to PEPs, their family members and persons known to
be close associates.
Since not every PEP poses the same risk of ML/FT, subject persons are required
to assess and determine the level of ML/FT risk posed by that particular PEP,
family member or person known to be a close associate. Subject persons should
therefore assess the different types of risks they are exposed to (geographical,
product/service/transaction, customer, delivery/distribution channel/interface) and
determine, based on the CRA they have undertaken, the level of EDD measures
required in each case.
It is important to point out that, by classifying a business relationship or occasional
transaction involving a PEP, family member or person known to be a close associate
of the PEP as low risk, the subject person is not, however, exempt from applying
the EDD measures set out in Regulation 11(5) of the PMLFTR. This
notwithstanding, in cases where a business relationship or occasional transaction
involving a PEP is considered to pose a low risk, the subject person may apply a
lighter level of the EDD measures required in terms of the PMLFTR than in a higher
risk case. Thus, the quality and quantity of information and/or documentation that
may have to be collected can be varied to better reflect the actual ML/FT risk
presented by the given business relationship or occasional transaction.
The following characteristics might suggest that a business relationship or an
occasional transaction involving a PEP poses a low risk:
(a) customer is seeking to have access to a product/service/transaction that has
been assessed by the subject person to pose a low risk (such as products,
services or transactions that under other circumstances would qualify for
SDD);
(b) customer does not have executive decision-making responsibilities (e.g., an
opposition member of the House of Representatives, or a member of the
party in government but with no ministerial office);
(c) the PEP is subject to rigorous disclosure requirements (such as registers of
interests, independent oversight of expenses, etc.); and
(d) the PEP is entrusted with a prominent public function in a jurisdiction where
information indicates that the jurisdiction shows the following characteristics
(therefore, the subject person should assess the jurisdiction separately):
• low levels of corruption;
• political stability, and free and fair elections;
• strong state institutions;
• strong compliance with AML/CFT rules;
• a free press with a track record for probing official misconduct;
• an independent judicial and criminal justice system free from political
interference;
• a track record of investigating political corruption and taking action against
wrongdoers;
• strong traditions of audit within the public sector;
• legal protection for whistleblowers; or
• well developed registries for ownership of land, companies, etc.
On the other hand, the following characteristics might suggest a PEP poses a
higher risk:
(a) when the customer is seeking to have access to a product, service or
transaction that is capable of being misused to launder the proceeds of
corruption or bribery;
(b) personal wealth or lifestyle is inconsistent with known legitimate sources of
income or wealth;
(c) credible allegations of financial misconduct; and
(d) the PEP is entrusted with a prominent public function in a jurisdiction where
there is a higher risk of corruption and where information available indicates
that the jurisdiction shows the following characteristics (therefore, the subject
person should assess the jurisdiction separately):
• high levels of corruption;
• political instability;
• weak state institutions;
• weak AML/CFT defences;
• armed conflict;
• non- democratic forms of government;
• widespread organised criminality;
• political economy dominated by a small number of people or entities with
close links to the state;
• lack of a free press where journalistic investigation is constrained;
• a judicial and criminal justice system vulnerable to political interference;
• lack of expertise and skills related to book-keeping, accountancy and audit,
particularly in the public sector;
• law and culture antagonistic to the interests of whistleblowers;
• weaknesses in the transparency of registries of ownership of land,
companies, etc.; or
• human rights abuses.
Moreover, the following characteristics may suggest a family member or a close
associate of a PEP poses a higher risk:
• wealth derived from the granting of government licences (such as mineral
extraction concessions, licence to act as a monopoly provider of services, or
permission for significant construction or other projects);
• wealth derived from preferential access to the privatisation of former state assets;
• wealth derived from commerce in industry sectors associated with high
barriers to entry or a lack of competition, particularly where these barriers
stem from law, regulation or other government policy;
• wealth or lifestyle inconsistent with known legitimate sources of income or wealth;
• credible allegations of financial misconduct (e.g., facilitated, made, or accepted
bribes); or
• appointment to a public office that appears inconsistent with personal merit.
When undertaking additional CDD measures on PEPs, their family members or
persons known as close associates, subject persons must apply all the EDD
measures set out in Regulation 11(5) of the PMLFTR, namely:

(a) obtaining senior management approval;


Obtaining the approval of senior management means having the approval of a
senior management officer of the subject person with sufficient knowledge of
the subject person’s ML/FT risk exposure and sufficient seniority to take decisions
affecting its risk exposure. This officer need not be a member of the board of
directors or equivalent body. The approval of senior management should be clearly
documented and made available, if required by the FIAU.
What will constitute senior management will depend on the size, structure and
nature of the subject person and it is possible that this decision may also be taken
by an internal committee within the subject person’s structure. By requiring senior
management approval, subject persons will ensure that they are not entering into
a business relationship without applying the necessary controls.
The establishment of a business relationship, or a continuation thereof, or the
undertaking of an occasional transaction, where the customer is a PEP, or with
family members or persons known to be close associates of PEPs, requires the
prior approval of senior management, irrespective of the risk they pose. This
notwithstanding, the level of escalation within the subject person’s structure will
vary depending on the risk posed by the customer, as well as the entity structure
and the level of delegation within the subject person’s structure.
When considering whether to approve a PEP relationship, senior management
should base their decision on the level of ML/FT risk the subject person would
be exposed to if it entered into that relationship and how well equipped it is to
manage that risk effectively.

(b) taking adequate measures to establish the source of wealth and funds involved;
Subject persons must in any case take adequate measures to establish:
• the source of wealth; and
• the source of funds
of the customer to be satisfied that it does not handle proceeds derived from
corruption or other criminal activity associated with PEPs. However, the extent
of information and/or documentation to be requested by the subject person will
vary depending on the risk posed by the customer.
In case of lower risk situations, the subject person may take less intrusive and less
exhaustive steps to establish the source of funds and source of wealth of the PEP,
family members or known close associates of the PEP. In these cases, the subject
person may use information already available (such as transaction records) or may
rely on publicly available information and is not required to make further enquiries
unless the subject person identifies certain anomalies from the information
available to it.
Source of wealth information must always be sought, but in lower risk cases,
especially when dealing with products, services or transactions that carry a lower
risk of ML/FT, subject persons can limit the amount of information they collect
and the extent to which they verify the information provided.
In higher risk situations, subject persons are required to be more intrusive and
rigorous, and should not rely on information provided by the customer in order to


establish the source of funds and source of wealth of the PEP, family members or
known close associates of the PEP. Subject persons must refer to additional and
multiple sources of information, such as asset and income declarations that some
jurisdictions expect certain senior public officials to file and which often include
information about an official’s source of wealth and current business interests.76
Subject persons should also be aware that some jurisdictions impose restrictions
on their PEPs’ ability to hold foreign bank accounts or to hold other office or paid
employment. As part of its EDD measures, subject persons should consider, on a
risk-sensitive basis, whether the information on source of wealth and source of
funds should be evidenced or verified. For example, for source of wealth or funds
from inheritance, a copy of the will could be requested, or if from a sale of
property, evidence of transfer of legal title could be sought.
For further information in relation to source of funds and source of wealth,
reference should be made to Section 4.4.3.

(c) conducting enhanced ongoing monitoring.


For low-risk customers, the subject person is required to undertake less frequent
reviews than for higher risk customers. In the case of low-risk customers, the subject
person would be required to periodically review the CDD measures undertaken
at the establishment of the business relationship and update the CDD
documentation and information as appropriate.
Subject persons would also be required to review and, where necessary, update
the CDD documentation and information obtained at the commencement of the
business relationship when a new product, service or transaction is requested.
Similarly, the regularity and extent of transaction monitoring should be less in the
case of low-risk customers, while ensuring that the subject person is at all times
able to detect suspicious or unusual types of transactions and activities.
For higher risk customers, a subject person’s ongoing monitoring should be
conducted more regularly (in some cases prior to each transaction being carried
out) and more thoroughly, and a closer analysis should be undertaken on the
transactions and their origin. Subject persons should also regularly consider
whether the business relationship with these customers should be maintained.
For further information on ongoing monitoring, reference should be made to
Section 4.5.

76. The World Bank has compiled a library on various countries’ laws about disclosure of officials’
income and assets. See http://publicofficialsfinancialdisclosure.worldbank.org/about-the-library.


In all cases, subject persons should be able to identify suspicious or unusual
transactions and should ensure that any new or emerging information that could
affect the customer’s risk assessment is identified in a timely manner and taken
into consideration.
Subject persons should remember that new and existing customers may not
initially meet the definition of a PEP but may subsequently become one during
the course of a business relationship. Subject persons should have appropriate
systems and/or procedures in place to ensure that they are able to detect when
existing customers become PEPs, family members or close associates thereof.
It is for this reason that an automated system of checks against publicly available
information, or through specialist PEP databases of commercial service providers,
would be useful in this respect, especially in the case of medium or large entities
that have a considerable number of client and ongoing relationships.
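The following is an added example, not code from the FIAU Implementing Procedures or from any PEP database provider, of the kind of automated re-screening the paragraph above has in mind: the customer base is screened against a PEP list on each run and only customers whose outcome has changed since the previous run are escalated, so that a customer who has become a PEP, a family member or a close associate during the relationship is picked up. Name matching is normalised (accents stripped, case folded, tokens sorted) and a name-only match is reported as a possible match for manual review rather than discarded. The names, years of birth, category labels and the results of the previous run are constructed sample data.

```python
"""Periodic re-screening of an existing customer base against a PEP list.

Added example; not part of the FIAU Implementing Procedures. All data below
is constructed and refers to no real person.
"""
from __future__ import annotations

import unicodedata
from dataclasses import dataclass
from typing import Optional

# A screening outcome is None (no match) or (category, strength), where strength is
# "strong" (name and year of birth match) or "possible" (name only; needs manual review).
Outcome = Optional[tuple[str, str]]


def normalise_name(name: str) -> tuple[str, ...]:
    """Strip accents, case-fold, drop punctuation and sort the tokens so that
    'García Pérez, María' and 'Maria Garcia Perez' compare equal."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    tokens = ascii_only.replace(",", " ").replace("-", " ").casefold().split()
    return tuple(sorted(tokens))


@dataclass(frozen=True)
class PepEntry:
    name: str
    year_of_birth: int
    category: str  # "PEP", "FAMILY" or "ASSOCIATE" (assumed labels)


@dataclass(frozen=True)
class Customer:
    customer_id: str
    name: str
    year_of_birth: int


def screen(customer: Customer, pep_list: list[PepEntry]) -> Outcome:
    """Return the best outcome for one customer: a strong match beats a possible one."""
    key = normalise_name(customer.name)
    best: Outcome = None
    for entry in pep_list:
        if normalise_name(entry.name) != key:
            continue
        if entry.year_of_birth == customer.year_of_birth:
            return (entry.category, "strong")
        best = best or (entry.category, "possible")
    return best


def rescreen(customers: list[Customer], pep_list: list[PepEntry],
             previous: dict[str, Outcome]) -> list[dict]:
    """Screen every customer and report only those whose outcome changed since the
    previous run, so that a customer who has become a PEP, family member or close
    associate is escalated for senior management approval and EDD."""
    alerts = []
    for customer in customers:
        now = screen(customer, pep_list)
        before = previous.get(customer.customer_id)
        if now != before:
            alerts.append({"customer_id": customer.customer_id, "name": customer.name,
                           "previous": before, "current": now})
    return alerts


# Constructed sample data (no real persons).
PEP_LIST = [
    PepEntry("María García Pérez", 1968, "PEP"),
    PepEntry("Jonathan Smith", 1975, "FAMILY"),
    PepEntry("Li Wei", 1980, "ASSOCIATE"),
]
CUSTOMERS = [
    Customer("C001", "Garcia Perez, Maria", 1968),  # newly listed since the last run
    Customer("C002", "Jonathan Smith", 1990),       # same name, different year: possible
    Customer("C003", "Anna Borg", 1985),            # no match
    Customer("C004", "Wei Li", 1980),               # already known as an associate
]
PREVIOUS_RUN: dict[str, Outcome] = {"C001": None, "C002": None, "C003": None,
                                    "C004": ("ASSOCIATE", "strong")}


def run_sample() -> list[dict]:
    return rescreen(CUSTOMERS, PEP_LIST, PREVIOUS_RUN)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only C001 (now a strong PEP match) and C002 (a possible family-member match that needs review) are reported; C004 is unchanged and produces no alert, which keeps the escalation queue limited to genuine status changes.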

(d) EDD measures for long- term insurance business


In the case of long-term insurance business, subject persons should take
reasonable measures to determine whether the beneficiaries of a policy and,
where applicable, the beneficial owner of that beneficiary, are PEPs, their family
members or known close associates. These measures have to be taken no later
than the time of pay-out or the time of the assignment, in whole or in part, of
the policy.77
Therefore, not later than the time of pay-out, or the time of the assignment, subject
persons are first expected to check whether there is any involvement of PEPs,
family members or known close associates in the transaction. In the event that the
beneficiary of the policy or, where applicable, the beneficial owner of the beneficiary
are PEPs, family members or known close associates, senior management approval
is required before proceeding with the pay-out under the policy.
Moreover, subject persons are required to scrutinise the relationship with the
policyholder to ensure that the policy would not have been misused to channel
funds to the PEP (e.g., a long-term insurance is set up and withdrawn within a
short period of time, or there seems to be no apparent or logical sense for the
particular customer to be a beneficiary of a policy). Subject persons should be
careful to assess the logical and economic rationale of the entire set-up. The
extent of the checks to be undertaken will vary depending on the level of risk
that the customer poses.

77. Regulation 11(6) of the PMLFTR.


4.9.2.3 Complex and unusually large transactions


Regulation 11(9) requires subject persons to, as far as reasonably practicable,
examine the purpose and background of all complex and unusually large
transactions, and all unusual patterns of transactions that have no apparent
economic or lawful purpose. The degree and nature of the monitoring of these
transactions and the business relationship within which these transactions are
being undertaken should be increased to ascertain whether these transactions
or activities lead to suspicions of ML/FT activities.
This obligation requires subject persons to pay special attention to the following
transactions:
(a) complex and unusually large transactions that have no apparent economic or
lawful purpose;
(b) unusual patterns of transactions that have no apparent economic or lawful
purpose; and
(c) transactions that are particularly likely, by their nature, to be related to
ML/FT.
Unusual activity also includes anything that causes the subject person to doubt
the identity of the customer (including the beneficial owner/s) or anything that
causes the subject person to doubt the good faith of the customer (including the
beneficial owner/s).
Unusual transactions may vary in nature and therefore there is no exhaustive list
of transactions that are to be deemed as unusual. Hereunder is a non-exhaustive
list of unusual transactions:
(a) transactions or instructions that have no apparent legitimate purpose and
appear not to have a commercial rationale;
(b) transactions, instructions or activity that involve apparent unnecessary
complexity;
(c) where the transaction being requested by the customer is out of the ordinary
range;
(d) the extensive use of non-co-operative tax jurisdictions when the customer’s
needs are inconsistent with the use of these services;
(e) unnecessary routing of funds through third-party accounts;
(f) the size or pattern of the transactions is out of line with expectations for that
customer;


(g) where the customer who has entered into a business relationship uses the
relationship for a single transaction or for only a very short period of time
when such a short duration was not expected;
(h) unusual investment transactions with no discernible purpose;
(i) extreme urgency in requests from the customer, particularly when they are
not concerned by large transfer fees or early repayment fees; and
(j) transfers to or from high- risk jurisdictions that are not consistent with the
customer’s expected activity.
Unusual transactions are detected either when carrying out ongoing monitoring
of the business relationship, when establishing a new business relationship, when
requested to carry out an occasional transaction, during ongoing communications
with the customer, or when receiving instructions from the customer.
In these cases, subject persons are expected to perform EDD measures by making
enquiries with the customer, asking the questions one would reasonably ask in
the circumstances, performing appropriate scrutiny, and gathering additional
information on the transaction and activities of the customer, including examining
the purpose and background of these transactions.
By obtaining the above information, on a risk-sensitive basis, the subject person
should be able to conclude whether a particular transaction is suspicious and, if
so, file an STR with the FIAU. If the activity does not give rise to suspicion of
ML/FT but still is unusual or risky, subject persons should assess whether the
customer’s risk assessment should be updated or whether more frequent
ongoing monitoring should be undertaken.
In the event that the risk assessment results on the customer do not fall within
the subject person’s risk appetite, the subject person may consider terminating
or declining the business relationship with the customer or the request to
perform the occasional transaction.
Subject persons should ensure that the examination of the purpose and
background of all complex and unusually large transactions and all unusual
patterns of transactions is duly documented and recorded.
For further information on the ongoing monitoring and the examination of
complex and unusually large transactions, and all unusual patterns of transactions,
subject persons should refer to Section 4.5.
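The following is an added example, not code from the FIAU Implementing Procedures, of how three of the indicators listed in this section can be turned into documented checks over a customer’s transactions: (f) a transaction size out of line with expectations for that customer, (g) a relationship used for only a very short period when an ongoing one was expected, and (j) a transfer to or from a high-risk jurisdiction inconsistent with the customer’s expected activity. Each alert carries a written rationale so that the examination of the transaction is recorded, as the section requires. The customer profile, the transactions, the placeholder country codes, the 3x size multiple and the 30-day short-duration threshold are all constructed assumptions and not figures taken from the Implementing Procedures.

```python
"""Rule-based examination of unusual transactions against a customer's expected profile.

Added example; not part of the FIAU Implementing Procedures. Profile,
transactions, country codes and thresholds are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Profile:
    customer_id: str
    relationship_start: date
    expects_ongoing_relationship: bool  # as stated by the customer at onboarding
    expected_max_amount: float          # largest single transaction anticipated at onboarding
    expected_countries: frozenset[str]  # counterparty countries the customer said it deals with


@dataclass(frozen=True)
class Transaction:
    tx_id: str
    when: date
    amount: float
    counterparty_country: str


@dataclass
class Alert:
    customer_id: str
    indicator: str   # letter of the indicator in the list above
    rationale: str   # the documented reason, retained with the record
    tx_ids: list[str] = field(default_factory=list)


HIGH_RISK_JURISDICTIONS = frozenset({"XX", "YY"})  # placeholder codes, not a real list
SIZE_MULTIPLE = 3.0            # assumed: flag amounts above 3x the expected maximum
SHORT_RELATIONSHIP_DAYS = 30   # assumed: a relationship closed within 30 days is "short"


def examine(profile: Profile, txs: list[Transaction],
            relationship_end: Optional[date] = None) -> list[Alert]:
    """Apply the indicator checks and return one alert per finding, in order f, j, g."""
    alerts: list[Alert] = []

    # (f) size out of line with expectations for that customer
    for tx in txs:
        if tx.amount > SIZE_MULTIPLE * profile.expected_max_amount:
            alerts.append(Alert(profile.customer_id, "f",
                f"{tx.tx_id}: {tx.amount:.2f} exceeds {SIZE_MULTIPLE:g}x the expected "
                f"maximum of {profile.expected_max_amount:.2f}", [tx.tx_id]))

    # (j) high-risk jurisdiction not consistent with the customer's expected activity
    for tx in txs:
        country = tx.counterparty_country
        if country in HIGH_RISK_JURISDICTIONS and country not in profile.expected_countries:
            alerts.append(Alert(profile.customer_id, "j",
                f"{tx.tx_id}: counterparty in high-risk jurisdiction {country}, not among "
                f"expected countries {sorted(profile.expected_countries)}", [tx.tx_id]))

    # (g) relationship used only briefly although an ongoing one was expected
    if profile.expects_ongoing_relationship and relationship_end is not None:
        duration = (relationship_end - profile.relationship_start).days
        if duration <= SHORT_RELATIONSHIP_DAYS:
            alerts.append(Alert(profile.customer_id, "g",
                f"relationship closed after {duration} days and {len(txs)} transaction(s) "
                f"although an ongoing relationship was expected", [t.tx_id for t in txs]))
    return alerts


# Constructed sample data.
SAMPLE_PROFILE = Profile("C100", date(2021, 1, 10), True, 5_000.0, frozenset({"MT", "IT"}))
SAMPLE_TXS = [
    Transaction("T1", date(2021, 1, 12), 1_200.0, "MT"),
    Transaction("T2", date(2021, 1, 15), 20_000.0, "IT"),  # 4x the expected maximum
    Transaction("T3", date(2021, 1, 20), 800.0, "XX"),     # unexpected high-risk country
]


def run_sample() -> list[Alert]:
    """Relationship closed on 1 Feb 2021, 22 days after it was opened."""
    return examine(SAMPLE_PROFILE, SAMPLE_TXS, relationship_end=date(2021, 2, 1))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert.indicator, alert.rationale, alert.tx_ids)
```

The rules are deliberately tied to the customer’s own profile rather than to fixed amounts: the same 20,000 transfer would raise no size alert for a customer whose stated activity justified it, which is what "out of line with expectations for that customer" means in practice.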


4.10 RELIANCE ON OTHER SUBJECT PERSONS OR THIRD PARTIES
4.10.1 Introduction
The PMLFTR permit subject persons to rely on the CDD measures carried out
by other subject persons or by certain other third parties (hereinafter
collectively referred to as ‘entities’), subject to a number of conditions. A reliance
arrangement can be set up between entities when those entities are servicing
the same customer, or when that same customer is in contact with multiple
entities to a transaction (as further explained below), with each entity being under
a legal obligation to carry out CDD measures on the customer.
Having multiple entities carrying out CDD measures on the same customer does
not necessarily mitigate the risk of ML/FT or add value to the AML/CFT efforts
being undertaken, and perhaps only adds inconvenience to the customer, who
would need to provide multiple sets of CDD documentation to each of the
entities involved.
The following are examples of scenarios in which subject persons can rely on
CDD carried out by other entities:
(a) subject person A enters into a business relationship with the customer of
subject person B by accepting instructions given through subject person B on
behalf of the customer (e.g., Maltese company service provider in Malta sets
up a company in Malta for the client of a company service provider in another
jurisdiction);
(b) subject person A and subject person B both act for the same customer in
respect of an occasional transaction (e.g., subject person A is the customer’s
lawyer and subject person B is the customer’s accountant, and both are
assisting the customer in the acquisition of an undertaking); or
(c) subject person A and subject person B form part of the same group of
companies but carry out different relevant activities.
In these scenarios, subject person A can rely on the CDD measures carried out
by subject person B or vice-versa.


4.10.2 Scope
As specified in Regulation 12(1) of the PMLFTR, subject persons may only rely
on the CDD measures undertaken by other subject persons or third parties in
relation to:
(a) the identification and verification of a customer;
(b) the identification and verification of beneficial owner(s), where applicable; and
(c) information on the purpose and intended nature of the business relationship,
and on the business and risk profile.78
The obligation to carry out ongoing monitoring of the business relationship as
provided in Section 4.5 remains the subject person’s responsibility. This means
that the subject person cannot rely on another subject person or third party to
scrutinise transactions and, subject to what is stated below, to keep information,
data and documentation up to date.
Regardless of any reliance on another subject person or third party, subject
persons always remain ultimately responsible for compliance with their CDD
requirements under Regulation 7(1) of the PMLFTR. This means that subject
persons may need to consider whether the entity relied on, in addition to meeting
the criteria listed in this section, is sufficiently able to manage the inherent risk in
the process.
At the same time, subject persons have to bear in mind that the customer does
not necessarily present the same level of risk to them as to the other entity
being relied on. This may render the CDD measures undertaken by that entity
insufficient or inappropriate when it comes to mitigating the ML/FT risks to which
the subject person placing reliance on the other entity is exposed. Hence,
subject persons should exercise caution when it comes to relying on other
entities in relation to obtaining information on the purpose and intended nature
of the business relationship and information on the customer’s business and risk
profile in terms of Regulation 7(1)(c) of the PMLFTR. This is so because the
circumstances of a business relationship/occasional transaction between the
customer and subject persons may differ.
By way of example, subject person A might be offering the customer a particular
service, whereas subject person B will be offering the same customer a
completely different service. Here, the information on the purpose and intended
nature of the business relationship and the customer’s business and risk profile

78. Regulation 7(1)(a)-(c) of the PMLFTR.


may differ greatly. For this reason, subject persons A and B should exercise caution
if and when they are placing reliance on one another in this regard.
As a result, while subject persons may rely on information on the purpose and
intended nature of the business relationship and information on the customer’s
business and risk profile (provided that the same information is relevant to the
subject person placing reliance, as explained above), the CRA needs to be carried
out individually by each and every subject person.
For the avoidance of any doubt , subject persons may rely on PEP screening
conducted by other entities, so long as the subject person placing reliance is
confident and comfortable that the PEP screening being conducted is sufficient ,
satisfactory and up to date.
Furthermore, the subject person must understand whether the measures
implemented by the other entity to counter the risks of ML/FT are equivalent to
those that the subject person placing reliance on the other entity deems sufficient.
In this regard, the subject person should, prior to entering into a reliance
arrangement, ensure that it understands the type of CDD measures that the
entity undertakes on its customers. Such assessments should be put down in
writing and documented accordingly.
Moreover, subject persons may rely only on CDD measures carried out by the
entity being relied on itself. Thus, a subject person cannot rely on information, data
or documentation obtained by that entity through other reliance arrangements,
i.e., having a chain of reliance arrangements is not permissible. By
way of example, subject person A may only rely on subject person B if subject
person B itself is the one conducting the CDD measures. If, on the other hand,
subject person B is itself relying on CDD measures carried out by subject person
C, subject person A cannot exercise reliance on subject person B since the subject
person B would not be carrying out any measures itself. If anything, subject
person A may consider entering into a reliance arrangement directly with subject
person C.
In terms of Regulation 12(6) of the PMLFTR, the provisions permitting reliance
do not apply to outsourcing or agency relationships where, on the basis of a
contractual agreement, the outsourcing service provider or agent is to be
regarded as part of the subject person. These contractual relationships are not
to be regarded as reliance arrangements since, in the case of outsourcing, the
subject person is delegating the fulfilment of its obligations to a third-party service
provider who has no relationship with the subject person’s customer, while in the
case of an agency arrangement, the agent is merely an extension of the subject
person, not a separate and distinct entity with its own CDD obligations. Thus, in


both instances, it is the subject person who is considered as carrying out the CDD
measures fulfilled either by the outsourced service provider or by its agent.

4.10.3 Entities that may be relied on


All subject persons may rely on the CDD measures carried out by:
(1) persons falling within the definition of ‘subject person’ under the PMLFTR;
(2) third parties that are:
(a) persons or institutions undertaking activities equivalent to ‘relevant
financial business’ or ‘relevant activity’, as defined under Regulation 2(1) of
the PMLFTR;
(b) member organisations or representative bodies of the said persons or
institutions; or
(c) other institutions or persons in an EU Member State (other than Malta)
or other third country;
as long as the third parties listed under (2) above:
(i) apply CDD requirements and record keeping requirements that are consistent
with those laid down under the PMLFTR; and
(ii) have their compliance with AML/CFT obligations monitored in a manner that
is consistent with Section 2 of Chapter VI of Directive (EU) 2015/849 (the
4th AML Directive).
Subject persons may not rely on third parties from a non-reputable jurisdiction,
unless these third parties are branches or majority-owned subsidiaries of persons
or institutions established in an EU Member State, subject to national provisions
implementing the 4th AML Directive and which comply fully with group-wide
policies and procedures equivalent to those listed in Regulation 6 of the PMLFTR.

Assessing consistency
When assessing whether a third party satisfies the conditions under points (i) and
(ii) above, subject persons should assess whether the requirements in the
jurisdiction where the third party is established are similar to those imposed by
the PMLFTR. In this regard, subject persons should as a minimum consider the
equivalence of the following matters:


(i) identification details of the customer and the beneficial owner (refer to
Section 4.3.1);
(ii) instances where EDD measures should be applied (refer to Section 4.9);
(iii) timing of the application of CDD measures (refer to Section 4.6);
(iv) record keeping requirements, including the retention periods (refer to
Chapter 9);
(v) AML/CFT policies and procedures equivalent to those required under the
PMLFTR; and
(vi) that the effective implementation of the measures and requirements referred
to above is subject to supervision by a relevant authority (supervisor) or any
other appropriate body.
In applying a risk-based approach, subject persons may opt to extend their
assessment by considering other factors over and above those referred to in (i)
to (vi) above.
Furthermore, for the requirements to be deemed consistent , subject persons
must also assess whether the relevant laws and regulations of that jurisdiction
have been effectively implemented in that country. In this regard, subject persons
would need to consider whether there are any structural elements or other issues
in that jurisdiction that hamper the proper implementation and enforcement of
the AML/CFT laws and regulations.
In determining the equivalency or adequacy of CDD and record keeping
requirements and supervision, regard has to be had to any FATF or FSRB
Mutual Evaluation Reports, which present an assessment of a country’s
adherence to and implementation of AML/CFT obligations and supervision.
In all cases, subject persons are expected to assess the subject persons or third
parties being relied on, regardless of whether that entity is established within
Malta, an EU Member State or a third jurisdiction. In doing so, subject persons
may, on a risk-sensitive basis, take into consideration issues such as:
(a) any publicly available adverse regulatory or supervisory information about the
entity being relied on;
(b) the nature of the customer, the type of products or services offered or
transactions undertaken, and the value of the transactions;
(c) any known adverse experience with the entity relied on to the extent that
these may affect compliance by the subject person with its obligations; and


(d) any other knowledge, whether obtained at the outset of the relationship or
subsequently (during the relationship), that the subject person has on the
entity’s standing.
It should generally be noted that subject persons may recognise and accept the
outcome of the relevant CDD measures carried out in accordance with provisions
equivalent to the PMLFTR by third parties as explained above, even if the
documents or data through which these requirements have been fulfilled are
different to those under domestic requirements.

4.10.4 Carrying out reliance


The subject person placing reliance should immediately obtain the information
required under Regulation 7(1)(a)-(c) of the PMLFTR from the subject person or
third party being relied on. This means that, regardless of the fact that the subject
person is relying on another entity for the fulfilment of CDD requirements, the
subject person must still obtain the information concerning the customer’s
identity, the identity of the beneficial owner(s) (where applicable), the information
on the purpose and intended nature of the business relationship and the
customer’s business and risk profile.
All this information must be obtained by the subject person before carrying out
an occasional transaction or entering into a business relationship. This is because,
when placing reliance, the subject person must at least have the customer’s (and
beneficial owner’s, where applicable) identification data, information on the
purpose and intended nature of the business relationship and information on the
customer’s business and risk profile on file to enable it to perform its own CRA
and also to comply with its ongoing monitoring obligations, where applicable.
Where reliance in accordance with Regulation 12 of the PMLFTR is being made,
the subject person placing reliance is not obliged to receive copies of the
identification and verification data, and other relevant documentation (in relation
to the purpose and intended nature of the business relationship and on the
customer’s business and risk profile) obtained by the other subject person or third
party being relied on, unless the subject person requests the entity being relied
on to provide such information.
This is in line with the principle behind the concept of reliance i.e., that multiple
requests for documentation are not always necessary, and that one has relied on
a reputable entity to carry out verification. It is to be further noted that , in the
case of verification data and/or documentation, the subject person has to rely on
the entity with whom it has entered into a reliance arrangement even for keeping


that documentation up to date since it would otherwise be impractical to seek
updated documentation directly from the customer.
Should the subject person require this information and documentation, it must
be forwarded by the entity being relied on immediately on request.79

4.10.5 The reliance agreement


Regulation 12(4) requires subject persons to take adequate steps to ensure that,
on request, the entity relied on immediately forwards relevant copies of the
identification and verification documents on the CDD measures undertaken.
In this regard, subject persons should have a written formal agreement with the
entity, signed by both parties, that would regulate the procedures and conditions
on these requests to ensure that the data is made available immediately.
Subject persons should also consider carrying out occasional tests to ensure that
the entity being relied on is in a position to provide the requested information and
documentation and, moreover, to ensure, from time to time, that the CDD measures
undertaken by the entity are satisfactory. Subject persons should also bear in mind
that, in the case of a request for information from the FIAU, the information is to
be furnished by the subject person within five (5) working days from the request,80
or such other shorter period of time that may be indicated in the request for
information, regardless of whether the CDD measures were carried out by an entity
being relied on. This has to be factored into the agreement to ensure that the subject
person remains in a position to fulfil its obligations at all times.
The agreement has to also provide for situations when the entity terminates its
business relationship with the customer, or ceases to operate altogether, to
ensure that the subject person placing reliance is still in a position to fulfil its
obligations at law, even when the reliance agreement ceases to be in force.
Finally, subject persons should also ensure that they remain in a position to fulfil
their record-keeping obligations, particularly in view of the retention periods
stipulated in Regulation 13 of the PMLFTR, and any extensions thereof.
The signed reliance agreement and any exchange of correspondence in relation
to specific business relationships/occasional transactions reliance is being applied
for, must be retained by the subject person as part of its record-keeping

79. Regulation 12(4) of the PMLFTR.


80. Regulation 15(8) of the PMLFTR.


obligations, together with any copies of the documentation forwarded by the
subject person or third party being relied on.

4.10.6 When reliance is not permitted


When the FIAU determines or is informed that a jurisdiction does not meet the
criteria of a reputable jurisdiction, and the criteria for a third party, it will, in
collaboration with the relevant supervisory authorities, prohibit subject persons
from relying on persons or institutions from that jurisdiction for the performance
of CDD requirements. For further information on the notion of a ‘non- reputable
jurisdiction’, subject persons should refer to Section 8.1.

4.11 SANCTIONS SCREENING


These Implementing Procedures are intended to assist subject persons to
understand and fulfil their obligations under the PMLFTR, thus ensuring an
effective implementation of the provisions of the PMLFTR. However, subject
persons have to undertake other measures at law aimed at combating terrorism,
terrorism financing and the financing of the proliferation of weapons of mass
destruction which do not emanate from the PMLFTR or the Implementing
Procedures.
A case in point relates to the obligations emanating from the National Interest
(Enabling Powers) Act 81 relating to sanctions screening, freezing of assets and
reporting. This Act also provides for the constitution of the Sanctions
Monitoring Board (“SMB”), which is the national competent authority
responsible to monitor the implementation of, and ensure compliance with,
targeted financial sanctions.
In this regard, subject persons are encouraged to continuously keep up to date
with any sanctions that may be imposed and with any guidance, notices, decisions,
recommendations or rulings that may be issued by the SMB. The latest guidance
document issued by the SMB titled ‘Targeted Financial Sanctions Imposed
Pursuant to European Union Regulations and the National Interest (Enabling
Powers) Act under UN Security Council Resolutions Related to Terrorism and
Terrorist Financing, and Proliferation’ may be accessed through the Ministry for
Foreign Affairs website, via this link.

81. Cap. 365 of the Laws of Malta.


Further information on the functions and powers of the SMB, the National Listing
Procedure, the applicable penalties for breach of sanctions and the National
Interest (Enabling Powers) Act may be accessed through the Ministry for Foreign
Affairs website, via this link.
While the competent authority responsible for ensuring compliance with these
obligations is not the FIAU, subject persons may still be required to provide the
FIAU with information on their sanctions screening policies and procedures and
their implementation whenever the FIAU is carrying out a compliance
examination. This is in view of a Memorandum of Understanding concluded
between the FIAU and the SMB to give effect to article 15 of the National
Interest (Enabling Powers) Act, setting out how the two authorities are to
co-operate and collaborate with one another.
Through this MoU, the FIAU acts as agent of the SMB and assists the SMB by
monitoring compliance with the obligations emanating from the National Interest
(Enabling Powers) Act in relation to targeted financial sanctions related to
terrorism, terrorism financing and proliferation financing, and reporting the
findings to the SMB for any subsequent enforcement action as envisaged under
the National Interest (Enabling Powers) Act.
Any questions, queries and/or requests for clarification on the implementation of
targeted financial sanctions obligations are to be addressed to the SMB through
the following channels:
E-mail address: [email protected]
Postal address: Sanctions Monitoring Board, Ministry for Foreign Affairs and Trade Promotion, Palazzo Parisio, Merchants Street, Valletta.
Telephone: +356 2124 2191

CHAPTER 5 – REPORTING PROCEDURES AND OBLIGATIONS

Subject persons are required to have internal and external reporting procedures
in place to report any knowledge or suspicion of ML/FT to the FIAU, and any
knowledge or suspicion that funds or property are the proceeds of criminal activity.
Throughout this chapter, whenever reference is made to knowledge, suspicion or
reasonable grounds to suspect ML/FT, this will also be deemed to include knowledge,
suspicion and reasonable grounds to suspect that funds or property are the proceeds
of criminal activity. References to knowledge or suspicion of ML/FT are to be
deemed as also including references to reasonable grounds for suspicion, or to an
attempt to carry out a transaction or activity related to proceeds of criminal activity
or funding of terrorism.

5.1 THE MONEY LAUNDERING REPORTING OFFICER


5.1.1 The Role of the MLRO
Regulation 15 of the PMLFTR⁸² requires a subject person to appoint one of its
officers as the MLRO, whose core functions are to:
(a) receive reports from the subject person’s employees, or through software
solutions used to analyse transactions, on information or matters that may
give rise to knowledge or suspicion of ML/FT, or that a person may have been,
is or may be connected with ML/FT;
(b) consider these reports to determine whether knowledge or suspicion of
ML/FT subsists or whether a person may have been, is or may be connected
with ML/FT;
(c) report knowledge or suspicion of ML/FT or of a person’s connection with
ML/FT to the FIAU; and
(d) respond promptly to any request for information made by the FIAU.
In discharging these functions, the MLRO may delegate and/or be assisted by other employees falling under his/her supervision. It is expected that subject persons provide their MLROs with the necessary human, technological and any other resources required to enable the MLRO and his/her staff to carry out their functions in an effective and efficient manner. Any references throughout this Chapter to actions that are to be undertaken by the MLRO are not to be construed as meaning that such actions shall necessarily be taken by the MLRO himself/herself, as these may be delegated to employees falling under the MLRO’s supervision, which is crucial for an effective reporting process.

Nonetheless, the MLRO shall remain responsible for the carrying out of the core functions outlined above and thus shall ensure that he/she is exercising appropriate supervision.

82. Regulation 15(1)(a) of the PMLFTR.

5.1.2 Who Can be Appointed as MLRO?


Not every officer of the subject person can be appointed as MLRO. In terms of the PMLFTR, the officer appointed to this position also has to be of sufficient seniority and command:

(a) Officer of a Subject Person


For the purposes of identifying an individual who can be appointed as MLRO,
there must subsist an employment relationship between the officer and the
subject person. Alternatively, either a director, or anyone in an equivalent
position in the case of subject persons set up other than as companies, can
also be appointed as MLRO.
In addition, the functions of an MLRO may not be:
• outsourced;
• carried out by a person who merely occupies the position of company
secretary of the subject person and does not hold any other position
within the organisation; or
• carried out by a person who undertakes internal audit functions within
the organisation.
Notwithstanding the above, there are situations where the person appointed
as the MLRO need not be an officer in employment or a director of the
subject person. These are:
(i) in the case of an insurance company managed by a company that is enrolled to act as an insurance manager in terms of the Insurance Intermediaries Act.⁸³ This company may enter into an arrangement with the insurance manager to have the duties attributable to the MLRO of the insurance company carried out by the MLRO of its manager;

83. Cap. 497 of the Laws of Malta.

(ii) in the case of a collective investment scheme that is subject to the PMLFTR and that does not have a physical operational set-up in Malta other than a registered address and a board of directors, does not engage any employees and is not involved in the acceptance and processing of subscriptions and the collection of funds from investors. Here, the duties attributable to the MLRO can be carried out by the administrator’s MLRO.
The above outsourcing arrangement may only be entered into when:
(a) the administrator is recognised under the Investment Services Act;⁸⁴ or
(b) the administrator is subject to authorisation, licensing or recognition in an EU Member State or in a third country other than a non-reputable jurisdiction, is subject to AML/CFT obligations consistent with the PMLFTR, especially in relation to reporting and reporting procedures, and is supervised for compliance with these obligations;
(iii) in the case of a group comprising two or more subject persons or other
persons undertaking activities equivalent to relevant activity or relevant
financial business that can avail themselves of the exemptions allowed in terms
of Regulation 16(2)(b) and (c). These subject persons may designate one of their employees as the group-wide MLRO, with each individual subject person considering whether the appointment of a designated employee is necessary to assist the MLRO to meet his/her functions effectively; and
(iv) in the case of a group comprising two or more subject persons, or other persons undertaking activities equivalent to relevant activity or relevant financial business, it is possible for the employee of one subject person to be seconded to another subject person forming part of the same group to act as its MLRO. When the group also includes an entity to which subject persons within the group have delegated fulfilment of their AML/CFT obligations, it is possible for an employee of sufficient seniority and command within that entity to be seconded to a subject person within the group as its MLRO.
Section 5.1.2(a)(i) and (ii) allow insurance undertakings as well as collective
investment schemes to outsource their MLRO function to their insurance
manager and fund administrator respectively. In these circumstances, the
MLRO may be carrying out this function with respect to multiple insurance
undertakings or collective investment schemes. Consideration should therefore be given to the appointment of a designated employee by the insurance undertaking or the collective investment scheme concerned to assist the MLRO. The designated employee should be an officer of the insurance manager or of the fund administrator, answerable to the MLRO, who has to exercise oversight over the activities of the designated employee. Additional exceptions to this principle may be included in sector-specific Implementing Procedures.

84. Cap. 370 of the Laws of Malta.
The MLRO need not be located in Malta, nor does he/she need to be present where the subject person’s operations are being directed or the records kept. It is left to the subject person to determine where the MLRO can best be located so as to fulfil his/her functions effectively. In any case, the MLRO must at all times have access (physically or remotely) not only to all the subject person’s records but also to any of the subject person’s systems as may be necessary to carry out his/her functions and duties. In addition, the MLRO has to be able to fulfil his/her role as the single point of reference for the FIAU in its interactions with the subject person in an effective, efficient and timely manner, whether this consists of a request for information, the follow-up to an STR or the exercise of the FIAU’s compliance functions. This includes ensuring that the MLRO is accessible for any meetings and/or interviews that the FIAU or any other relevant supervisory authority would like to carry out.
In exercising this discretion, subject persons are to consider the nature of the activities and business they carry out, their business model and the technological means at their disposal. Where a subject person targets the domestic market or has a brick-and-mortar business, it would be very hard to justify why the MLRO should be located abroad. On the other hand, it may be easier to justify such an arrangement where the subject person targets foreign markets and depends on means of distance communication to carry out its activities.
It is also relevant to point out that, when an employee is acting as the MLRO
for two or more subject persons, it has to be ensured that these multiple
appointments still allow the MLRO to fulfil his/her functions in an effective
manner. Time commitment is key to ensure as much. Moreover, the person
fulfilling MLRO duties has to be mindful of any ensuing conflicts of interest
and/or confidentiality obligations. While there is no set number of appointments that one may accept as MLRO, the more appointments one holds and the more complex or voluminous the activities of the subject persons concerned, the more difficult it will inevitably become for the MLRO to meet his/her obligations at law in a satisfactory manner. A subject person who considers this a viable option has to assess whether the MLRO will be able to dedicate sufficient time to the subject person, and this assessment should be reviewed from time to time to ensure that the MLRO is actually managing to dedicate sufficient time to fulfil all of the functions associated with the role.
While having a dedicated MLRO function is ideal, it is recognised that this may not
always be possible and situations will arise where the officer or employee acting
as MLRO will also have additional functions and/or duties within the subject person.
In these latter circumstances, the subject person is to assess whether such an
arrangement may somehow negatively impact the independence and impartiality
required from the MLRO and therefore undermine the effectiveness with which
the MLRO is to carry out the duties and responsibilities associated with the said
role. In particular, regard has to be had as to whether such an arrangement will:
(a) Give rise to any conflicts of interest. Situations which would give rise to such a conflict include, by way of example, scenarios where other functions assigned to the MLRO are remunerated depending upon whether particular targets are met (e.g. onboarding of new customers, generation of fees and commissions, etc.). Particular involvement in developing new business opportunities may also at times give rise to a conflict of interest. A similar conflict of interest arises where the MLRO, independently of whether the individual holds any other employment or office with the subject person, is also a beneficial owner of the subject person concerned. While any such conflict of interest is to be avoided, it is recognised that exceptional cases may present themselves where the ability to do so will be limited and too onerous. In these circumstances, the subject person has to implement measures which counterbalance any dilution in the MLRO’s independence and impartiality (e.g. through external review of its AML/CFT controls, policies, measures and procedures).
(b) Impact the time commitment that the MLRO is able to dedicate to the
functions associated with the said role. Having the MLRO carrying out
additional functions will also give rise to questions as to whether the
MLRO is actually in a position to dedicate sufficient time to his role as
MLRO, especially where the MLRO is not provided with additional human
resources and technological means to mitigate the time he has to dedicate
to the other roles or functions he has to carry out for the subject person.
Such an assessment has to be documented. Any decision taken to amalgamate
the role of MLRO with other functions within the subject person and/or any
determination that there exist exceptional circumstances that do not allow its
MLRO to be free from conflict of interest is to be justified on the basis of:


(a) the (prospective) nature and size of the subject person’s business, activities
and structures (the financial, technical, and human resources available to
the subject person; the volume, frequency, and value of transactions
processed or activity carried out; the (prospective) number and risk profile
of customers; its internal structures and overall network for the provision
of the services and products it offers; its geographical presence etc.);
(b) the ML/FT risk presented by any such business and activities; and
(c) the inability of the subject person to apply any of the exceptions provided
for under (i) to (iv) above.
The need for such considerations and assessment set out above would equally
apply in those circumstances where the subject person is to appoint one of
its directors (or, in situations where the subject person is an entity other than
a company, someone having an equivalent role to a director) as its MLRO. In
particular, the nature of the subject person’s activities is a key consideration
when the MLRO function is to be assigned to a director that has a non-executive role. While this may be acceptable with respect to subject persons that have a very basic structure, like a collective investment scheme, the same would not be possible within the context of subject persons that are expected by the very nature of their activities to have a more structured and complex set-up, as would be the case with credit and financial institutions.

(b) Sufficient Seniority and Command


The MLRO must occupy a senior position within the institution where effective
influence can be exercised on the subject person’s AML/CFT measures,
policies, controls and procedures and should not be precluded from posing an
effective challenge when necessary. Thus, the person occupying this position
must be able, where he/she deems it necessary, to communicate directly with
the Board of Directors. This implies that the MLRO is to be knowledgeable of
the ML/FT risks faced by the subject person and of the measures, policies,
controls and procedures implemented to mitigate these risks.
The MLRO must also have the authority to act independently in carrying out
his/her responsibilities and should have full and unlimited access to all records,
data, documentation and information of the subject person⁸⁵ for the purposes
of fulfilling his/her responsibilities.

85. Regulation 15(1)(c) of the PMLFTR.

While it is understandable that the MLRO has to be accountable to the subject person’s management for the manner in which he carries out his
functions, duties and responsibilities, the MLRO must at all times be free from
any undue influence when it comes to the consideration of internal reports,
the determination as to whether an STR is to be submitted to the FIAU, what
information to make available to the FIAU and the exercise of any other duty
associated with the said role.
In addition, it is also important that the subject person’s policies and
procedures relative to the MLRO set out how any conflict of interest arising
due to personal, professional or economic ties is to be addressed. By way of
example, it is questionable how objective the MLRO can be when assessing
an internal report which happens to be about how the MLRO’s parent, spouse
or child is using an account held with the subject person. Similar questions
will arise where the internal report relates to a corporate customer for whom
the MLRO also acts as director. The vested interest in these scenarios will
inevitably impair the MLRO’s ability to objectively assess the situation.⁸⁶
Subject persons servicing sister companies or entities forming part of the same group may present particular challenges to the MLRO. Situations may arise where an internal report is escalated to the MLRO relative to transactions involving one or more of the entities owned by the same group as the subject person. The situation may be further exacerbated where the directors or shareholders of the said entities are also members of the subject person’s own Board of Directors or management. Notwithstanding what may be the established praxis within the subject person, in these cases it becomes even more important that the MLRO be in a position to determine for himself/herself, in an independent and autonomous manner, whether there are grounds to submit an STR. Subject persons forming part of groups and providing services to entities within such groups should therefore consider what safeguards can be implemented to prevent their particular circumstances from undermining the correct implementation of their AML/CFT obligations.
While it is key that the aspects referred to above are considered by the subject person when deciding whom to appoint as MLRO, it is equally important that these same aspects are reconsidered from time to time as the business and activities of the subject person evolve, or whenever it is being considered whether the MLRO should be entrusted with additional responsibilities and functions other than those associated with the role of MLRO. In the absence of any such change, the subject person is to reconsider these aspects on an annual basis.
When the subject person is a sole trader or a sole practitioner with no employees or no persons working within his/her practice, the subject person has to carry out the functions of MLRO himself/herself.

86. In situations where an employee or officer of the subject person notices that the MLRO fails to take action on internal reports due to a possible conflict of interest on the MLRO’s part, the said officer or employee can consider making use of the Whistleblowing procedures referred to in section 5.14.

5.1.3 Appointment and Resignation of the MLRO


MLROs are to register themselves on the FIAU’s Compliance and Supervision Platform for Assessing Risk (CASPAR), which is accessible through the FIAU’s website. When the prior approval of a supervisory authority is required to proceed with the appointment of the MLRO, the MLRO should register only once the relevant supervisory authority has issued the approval. In all cases, the FIAU reviews all new registrations received through CASPAR to ensure that there are no obstacles to proceeding with the registration. For detailed guidance on the process for registration and approval of the MLRO through the CASPAR portal, please refer to the dedicated Guidance Note available on the FIAU’s website.
In exceptional circumstances, when the existing MLRO resigns or is dismissed and
the new MLRO is pending approval by a supervisory authority, the subject person
should inform the FIAU of this and provide the FIAU with the details of the employee
who, for the interim period, will be assuming the role of reporting officer and to
whom the FIAU can address any requests or queries. This employee may be a
previously appointed designated employee. The subject person should ensure that
anyone so appointed has been properly screened as set out in Section 7.5 of these
Implementing Procedures and that the individual in question has an understanding
of the AML/CFT obligations applicable to the subject person. The FIAU is to be notified in writing that the individual so chosen has met all of the conditions set out above before the said individual starts acting in this capacity.
A subject person must notify the FIAU of the resignation or removal of its MLRO
as soon as reasonably practicable on becoming aware of the proposed resignation
or removal. The MLRO must also notify the FIAU whether his/her departure was
in any way linked to the implementation of the subject person’s obligations under
the PMLFTR and whether this had any regulatory implications that should be
brought to the FIAU’s attention. This latter notification is to be made within 15
days from the date of resignation or removal. As regards the MLRO’s account on
CASPAR, the CASPAR Guidance Note specifies the process to be followed to
deactivate that account.


5.2 THE DESIGNATED EMPLOYEE


Given the functions that the MLRO has to carry out, it is imperative that he/she is available at all times. However, it is recognised that this is not always possible and that the volume of internal reports he/she may have to consider may undermine his/her effectiveness. To this end, subject persons are to consider whether, given the nature and size of their activities, there is a need to appoint one or more designated employees to assist and, whenever necessary, temporarily replace the MLRO when absent.
The main purpose of a designated employee is to deputise for the MLRO. Employees who only assist the MLRO through the processing of internal reports, collection of information, liaising with other units or sections within the subject person, etc., are not deemed to be acting as designated employees. Deputising for the MLRO is deemed to involve more onerous obligations and entails that the designated employee can, in his/her own right, determine that an STR is to be filed in those situations when the MLRO is absent. Thus, any reference to the MLRO in these Implementing Procedures is to be construed as referring also to the designated employee.
The appointment of the designated employee must receive the approval of the MLRO⁸⁷ and this appointed person will work under the MLRO’s direction. The designated employee must register through the CASPAR portal, at which point the MLRO will be requested to approve the designated employee through the portal. The CASPAR User Guide sets out how this can be done.

5.3 THE MONITORING FUNCTION


The PMLFTR make reference to a general oversight function, as well as to the possible creation of a day-to-day monitoring function:
(a) Day-to-Day Monitoring Function
In terms of Regulation 5(5)(c), a subject person has to appoint, where appropriate with regard to the nature and size of its business,⁸⁸ an officer at management level whose duties are to include the monitoring of the day-to-day application of the measures, policies, controls and procedures adopted by the subject person to ensure compliance with its AML/CFT obligations.

87. Regulation 15(1)(f) of the PMLFTR.


88. Reference can here be made to Section 3.3.2 of the Implementing Procedures, where
guidance is being provided on what is meant by the nature and size of one’s business.

In carrying out its business, a subject person may employ a considerable number of employees or structure its organisation in multiple units, offices or branches. Moreover, the business being carried out may itself involve a number of different activities. The same AML/CFT controls, policies, measures and procedures would have to be applied throughout, and ensuring this is done in a uniform albeit flexible manner may prove impossible if there is no one officer charged with this responsibility.
When a subject person considers this function to be necessary, it is left to the
subject person to determine whether this function is to be also carried out
by the MLRO or whether it would prove to be more effective if it were
entrusted to a separate officer. In the latter case, it would be especially
important that communication between the two is as good as possible to
ensure the effectiveness of the subject person’s AML/CFT controls, policies,
procedures and measures.
When the subject person opts to outsource its AML/CFT obligations in line
with Chapter 6, the monitoring role would involve ensuring that the
outsourced service provider is fulfilling its contractual obligations and carrying
out the necessary controls, and to monitor the implementation of those
AML/CFT obligations, if any, that have not been outsourced. In this scenario,
the subject person has to decide, based on the volume of oversight work
involved, whether a dedicated monitoring function is necessary or whether
this role could be equally handled by the MLRO.
Where this function is entrusted to someone other than the MLRO, it has to be carried out by:
(i) an officer of the subject person; and
(ii) an officer at management level.
These two requirements are considered to be equivalent to the requirements for the appointment of an MLRO, i.e., an officer of the subject person having sufficient seniority and command, and are therefore to be construed in the same manner, including the restrictions on outsourcing.
The one exception relates to the possibility of having a group-wide monitoring function. In this case, there would be no limitation arising from the non-disclosure requirements set out by Regulation 16 of the PMLFTR, and the possibility of a group-wide monitoring function could be availed of independently of the activities carried out by the subject persons comprised therein.

However, subject persons would have to consider whether it may be necessary to appoint employees internally within the group to assist the officer entrusted with the group-wide monitoring function to ensure its effectiveness.
Although the PMLFTR only provide a very generic description of what the
duties and responsibilities of any such officer should be, it would be expected
that this officer would be responsible for:
• ensuring continued compliance with the requirements of the PMLFTR, the
FIAU’s Implementing Procedures or other guidance issued by the FIAU;
• day-to-day oversight of the subject person’s AML/CFT measures, policies, controls and procedures;
• regular oversight reporting, including reporting of non-compliance, to senior management;
• addressing any FIAU feedback about the subject person’s risk
management performance or AML/CFT measures, policies, controls and
procedures;
• contributing to designing, implementing and maintaining internal AML/CFT
compliance manuals, policies, procedures and systems;
• conducting or seeing to periodic internal AML/CFT training for all relevant
staff members and employees (refer to Chapter 7 of these Implementing
Procedures).
While some of these duties can be delegated to other employees of the
subject person, the officer entrusted with the monitoring function retains
responsibility for implementing and assessing the ongoing operation of the
subject person’s AML/CFT measures, policies, controls and procedures.
The appointment, removal or resignation of the officer to whom the day-to-day monitoring function is entrusted has to be notified to the FIAU in writing.
(b) General Oversight Function
Given that the subject person is ultimately responsible for ensuring compliance
with its AML/CFT obligations, the PMLFTR provide that the board of directors
or administrators, or any other equivalent body responsible for the management
of the subject person, may designate one of its members with responsibility to
ensure that the subject person is fulfilling its AML/CFT obligations.
In view of the above, it is important that senior management provides the
MLRO and its monitoring function with sufficient resources, including appropriate


staff and technological means, to ensure that they are able to carry out their
obligations effectively.

5.4 INTERNAL REPORTING PROCEDURES


The internal reporting procedures of a subject person have to clearly set out the
steps to be followed when an employee of the subject person becomes aware
of any information or matter that in his opinion gives rise to knowledge or
suspicion that a person or a transaction is connected to ML/FT.⁸⁹ Internal
reporting requirements for employees are understood to be also applicable to
those individuals who may not have an employment relationship with the subject
person but who are engaged to provide services to the subject person (such as
contracted or outsourced third parties) through which they could become aware
of information that may give rise to knowledge or suspicion of ML/FT.
The internal reporting procedures should clearly state that, when an employee
becomes aware of any such information or matter, he/she shall treat the case
with the utmost urgency and shall report the matter to the MLRO without delay.
The FIAU expects such a report to be made by not later than the next working
day. Therefore, it is crucial that all employees are informed of the identity of the
appointed MLRO (and of the designated employee, where applicable) to whom
the report has to be made, and of the procedure to follow and the information
that has to be made available with the report. The internal reporting procedures
should also include information on the procedures employees of the subject
person are to follow when the MLRO is absent from duties.
Internal reports are to be submitted in writing (manually or in electronic format),
preferably using a standard template, together with all relevant information and
documentation available to the employee to assist the MLRO in making a
determination as to how best to proceed. The report should include details on
the customer and/or the transaction/activity that is the subject of concern and as
full a statement as possible of the information or matter that gave rise to the
employee’s concern.
Reporting lines should be kept as short as possible, ideally allowing an employee to report directly to the MLRO to ensure speed, confidentiality and quick access to the MLRO. It is acknowledged that an employee may wish to discuss the circumstances surrounding a particular customer or transaction with his/her immediate superior prior to determining whether to submit an internal report. In

89. Refer to Section 5.5 for an explanation of these concepts.


such cases, any discussions with immediate superiors are to be given immediate priority, and the FIAU expects any eventual internal report to be raised with the MLRO within the next working day from when the employee becomes aware of the information or matter that gave rise to his/her suspicion.
Subject persons could also use software solutions to identify transactions or patterns
of transactions that are unusual or exceed a given threshold as part of a subject
person’s ongoing monitoring systems. The reports generated by any such software
solution need not be transmitted automatically to the MLRO and may be further
considered and analysed. Such consideration and analysis shall be given priority and
those transactions found to have an indication of knowledge or suspicion of ML/FT
shall then be reported to the MLRO without delay. The FIAU expects such reports
to be raised with the MLRO by not later than the next working day from when the
identified transactions are found to have an indication of knowledge or suspicion.
However, when extending reporting lines in this manner, including situations
where the subject person has outsourced ongoing monitoring to a third party, it
is important that:
(a) the MLRO understands and is in agreement with the filtering criteria used and
analytical methodology applied to identify those reports that he/she is to
receive. When reviews are carried out on the effectiveness of the procedures
adopted by the subject person, these are to be made available to the MLRO
with sufficient information to allow him/her to raise any concerns he/she may
have in relation to these procedures and ensure these are considered and, if
necessary, properly addressed.
(b) when a decision is taken not to proceed with submitting an internal report to
the MLRO, a written record has to be kept of the circumstances of the case
and of the reasons why it was decided not to file an internal report. These
records are to be made available to the MLRO and, if applicable, to the officer
entrusted with the monitoring function and to the subject person’s internal
audit function. An internal audit function may be carried out by an employee or
officer of the subject person but may also involve an audit or review carried out
by an external consultant. These records may provide important information on
the effectiveness of a subject person’s internal procedures and their review can
lead to the eventual improvement of one’s internal reporting procedures.
(c) when a decision is taken not to forward a report to the MLRO, the employee
who made the report has to be informed of the decision. If the employee still
considers that the report should be escalated to the MLRO, the internal
procedures should be such as to still enable the employee to submit the
report directly to the MLRO.


It is possible that additional internal reports may have to be made following the
submission of an initial report since the employee may notice further related
transactions or activities that give rise to knowledge or suspicion of ML/FT. These
too need to be reported to the MLRO.
The MLRO must consider, with the utmost urgency and without unreasonable
delay, every internal report he/she receives to decide whether:
(a) the information contained in the report does give rise to a knowledge or
suspicion of ML/FT in which case the MLRO should proceed to submit a STR
to the FIAU in a prompt manner as explained under Section 5.5; or
(b) additional information is necessary to reach this determination.
Where additional information is deemed necessary, the MLRO must collect and
consider any additional information and/or documentation he/she deems relevant
to make this determination, which may include:
(a) previous transactions, transaction patterns and volumes, previous patterns
of instructions, the duration of the business relationship and CDD
information;
(b) where applicable, other connected accounts and the existence of other
relationships, including where the person suspected of ML/FT:
(i) is a settlor, donor, contributor, protector, trustee or beneficiary of a trust,
foundation, trust account or other trust or fiduciary relationship with the
subject person; or
(ii) is a beneficial owner, director, shareholder or legal representative of a legal
entity or other legal arrangement having a business relationship with the
subject person; or
(iii) holds a power of attorney or has any fiduciary arrangements related to a
business relationship with the subject person; and
(c) other information or documents that are reasonably accessible through public
sources, or that may be obtained from the customer or person subject of that
internal report.
The consideration of internal reports and the collection and consideration of any
additional information and/or documentation by the MLRO has to take place
without unreasonable delay. While it is not possible to give a clear definition of
what constitutes an unreasonable delay, as this may vary from one case to
another, subject persons should be guided by the following expectations:


(a) MLROs are not expected to carry out investigative or analytical work. Their
role is that of determining whether there is knowledge or suspicion of ML/FT
which ought to be flagged to the FIAU for analysis;
(b) The highest priority should be given to those cases which might be related to FT;
(c) Priority should also be given to cases of ML involving substantial amounts of
funds (especially if the funds in question are still within the control of the
subject person), pending transactions, or cases involving PEPs;
(d) MLROs should be supported by adequate human and technical resources to
be able to make such assessments as expeditiously as possible;
(e) Where the MLRO identifies the need to obtain information from the
customer or any person or other external sources, the request should be
made immediately and followed up regularly. The lack of cooperation,
including non-response, by a customer could be seen as a further indicator
of suspicion;
(f) Information that is already held by the subject person (e.g. previous
transactional history or information on connected accounts) should be
obtained without delay; and
(g) There should not be any unnecessary delays in making the necessary
considerations and determinations.
Failure by the MLRO to diligently consider all relevant material available to the
subject person may lead to vital information being overlooked and the knowledge
or suspicion not being identified and subsequently disclosed to the FIAU. In view
of this requirement, the MLRO should be granted unrestricted access to all
relevant documentation and information.
The decision to file or not to file an STR must always be the
MLRO’s/designated employee’s own, and should not be subject to the direction
or approval of other parties within the subject person. This is not to say that a
determination on whether an internal report gives rise to knowledge or
suspicion of ML/FT shall always be made by the MLRO or the designated
employee and may not be delegated by the MLRO to other employees under
his/her supervision, or that the MLRO cannot seek assistance, including from
internal staff of the subject person or external advisors. Where the MLRO
seeks the assistance of other internal members of staff or external advisors,
due consideration ought to be given to the sensitivity and confidentiality of
information that may be disclosed and the non-disclosure obligations that
subject persons have to adhere to.


If the MLRO, after having obtained and considered the additional information
necessary to reach his/her determination, concludes, for justifiable reasons, that
an internal report does not give rise to knowledge or suspicion of ML/FT, the
MLRO need not file a report with or otherwise inform the FIAU.90 In this case,
the MLRO must keep a written record (manually or in electronic format) of the
internal report received, the assessment carried out, the outcome and the reasons
why the report was not submitted to the FIAU. On request by the FIAU or the
relevant supervisory authority acting on behalf of the FIAU, the MLRO must make
this information available.

5.5 EXTERNAL REPORTING PROCEDURES


After considering the internal report and all the necessary documentation, when
the MLRO or the designated employee determines that the subject person:
(a) knows;
(b) suspects; or
(c) has reasonable grounds to suspect that:
• a transaction, including attempted transactions, may be related to ML/FT;
or
• a person may have been, is or may be connected with ML/FT; or
• ML/FT has been, is being or may be committed or attempted,
the MLRO must file an STR with the FIAU as set out hereunder.91 In so doing,
the MLRO is not to disclose the name of the employee who made the internal
report to the FIAU.
It should also be kept in mind that a transaction may not be suspicious at the time,
but suspicions may arise later, in which case the obligation to file an STR still arises.
Any disclosures should be made to the FIAU promptly, meaning that a
suspicious transaction report should be submitted on the same day when
knowledge or suspicion of ML/FT is considered to subsist by the MLRO. This
notwithstanding, the FIAU recognises that in certain more complex cases the
compilation and submission of the STR within the same day on which the
knowledge or suspicion of ML/FT arises would prove challenging in view of the
extensive volume and/or complexity of information/documentation that may
need to be provided. In such instances the MLRO shall ensure that the STR is
submitted within the shortest time possible. The reporting of suspicious
transactions shall be treated as a priority by subject persons, which shall thus
ensure that the MLRO is provided with the necessary human and IT tools to
carry out his/her tasks appropriately. Undue delays in the submission of STRs
occasioned by lack of resources are not acceptable.

90. Regulation 15(6) of the PMLFTR.
91. Regulation 15(3) of the PMLFTR.

Moreover, the subject person and MLRO are not only expected to ensure that
their ongoing monitoring and internal/external reporting processes are conducted
in an expeditious and effective manner as required under Section 5.4, but that
the analysis of internal reports is carried out with the necessary due diligence,
keeping in mind that subject persons would be in breach of their reporting
obligations where they are in possession of information that constitutes even a
reasonable ground to suspect ML/FT, and which is not brought to the attention
of the FIAU.
Timing is an aspect that should be clearly considered by subject persons when
drawing up their internal reporting procedures, especially if they include
intermediate filtering levels.
STRs are to be submitted to the FIAU in electronic format as may be indicated by
the FIAU from time to time using such templates as may be provided. Guidance
on STR reporting is also provided on the FIAU’s website. In exceptional cases,
when subject persons do not have access to IT systems to submit STRs online,
manual submissions are also accepted. In completing this report MLROs should
seek to provide as much detail as possible together with the relevant identification
and other supporting documentation.
It is important to keep in mind that subject persons must file STRs only with
the FIAU and with no other supervisory authority.
The PMLFTR require the MLRO to report to the FIAU when he/she has
knowledge, suspicion or reasonable grounds to suspect ML/FT or that funds
(regardless of the amount involved) are the proceeds of criminal activity. Subject
persons are required to report also attempted transactions that are deemed
suspicious but which never materialise, as by way of example the subject person
would have desisted from servicing or on-boarding the customer in question. The
same obligation to file an STR applies to a sole trader or sole practitioner with no
employees or no persons working within his/her practice, who has a similar
knowledge, suspicion or reasonable grounds of suspicion.
A brief explanation of these three concepts is provided below:


(i) Knowledge
Being an objective criterion, the existence of knowledge of ML/FT is not
difficult to ascertain since a person either knows something or does not. If for
any reason the MLRO, or any other employee of the subject person, is aware
or is in possession of information that indicates that any of the above activities
may have taken place, are taking place or will be taking place, the MLRO should
immediately proceed with filing an STR with the FIAU.
(ii) Suspicion
Suspicion of ML/FT is more subjective than knowledge and, in order to
determine its existence, the MLRO must rely on objective criteria, which differ
depending on the circumstances.
For instance, an unemployed customer of a bank depositing considerable
amounts of money into his bank account should raise the bank’s suspicion. In
this case the objective element is the fact that the person is unemployed and,
although the bank does not have any concrete evidence that the money
derives from an illegal activity, there are objective indications pointing to such
a possibility.
Another objective element on which suspicion may be based, which is
specifically referred to in the PMLFTR,92 is the situation when the subject
person is unable to complete CDD due, for instance, to the unwillingness of
the applicant for business to provide the required documentation or
information. In this case, the PMLFTR require the subject person to consider
filing a report with the FIAU.
Certain pronouncements by the courts in the United Kingdom may be of
assistance in determining what constitutes ‘suspicion’ for the purposes of the
PMLFTR and the degree of suspicion that is required for an STR to be filed:
“A degree of satisfaction and not necessarily amounting to belief but at least
extending beyond speculation as to whether an event has occurred or not”.
“Although the creation of suspicion requires a lesser factual basis than the
creation of a belief, it must nonetheless be built upon some foundation.”
In R v Da Silva [2006] 4 All ER 900, the UK Court of Appeal stated:
“It seems to us that the essential element in the word ‘suspect’ and its
affiliates, in this context, is that the defendant must think that there is a
possibility, which is more than fanciful, that the relevant facts exist. A vague
feeling of unease would not suffice. But the statute does not require the
suspicion to be ‘clear’ or ‘firmly grounded and targeted on specific facts’.”

92. Regulation 8(5) of the PMLFTR.

Furthermore, in Shah & Another v HSBC Private Bank (UK) Limited [2012]
EWHC 1283 (QB), the UK High Court held that “[t]o be a suspicion rather
than a mere feeling of unease it must be thought to be based on possible
facts, but the sufficiency of those possible facts as a grounding for the
suspicion is irrelevant…”
The Court in this case further stated that:
“Parliament intended suspicion as a subjective fact to be sufficient (1) to expose
a person to criminal liability for money laundering and (2) to trigger disclosures
to the authorities. Parliament did not require, in addition, that the suspicion be
based upon ‘reasonable’ or ‘rational’ grounds. There are good practical reasons
for this. Unlike law enforcement agencies, banks have neither the responsibility
nor the expertise to investigate criminal activity to satisfy themselves that the
grounds for their suspicion are well founded, reasonable or ‘rational’.”
A transaction that appears unusual is not necessarily suspicious. Even customers
with a stable and predictable transactions profile will have periodic
transactions that are unusual for them. Many customers will, for perfectly
good reasons, have an erratic pattern of transactions or account activity. So,
the unusual is, in the first instance, only a basis for further enquiry that may in
turn require judgment as to whether it is suspicious.
(iii) Reasonable Grounds to Suspect
The requirement to file an STR goes beyond “suspicion” and also includes the
obligation to report when “reasonable grounds to suspect” exist. This implies
that a further obligation to report arises where, on the basis of objective facts
or circumstances, a reasonable person would have inferred knowledge or
formed the suspicion that ML/FT existed or that funds were the proceeds of
criminal activity.

5.6 ACTIONS AFTER REPORTING


On receipt of an STR, the FIAU sends an acknowledgement to the subject person
and the process of assessing the STR is then initiated by the FIAU’s Analysis Section.
In the course of the analysis of the STR, the FIAU may require further information
and, in terms of the PMLFTR, it can request this information from the subject
person filing the STR or any other subject person.93 When the FIAU makes a
request for information to a subject person, that subject person has to comply
with the request as soon as is reasonably practicable but not later than five (5)
working days from when the demand is first made,94 unless the subject person
makes representations justifying why the requested information cannot be
submitted within this period of time.
The FIAU can, at its discretion and after having considered these representations,
extend the time limit as is reasonably necessary to obtain the information. The
subject person shall then submit the information requested within the extended
time limit. Subject persons should make a request under this provision with
caution and only when absolutely necessary since its frequent use could hinder
the FIAU in conducting its duties.
It should be noted that, in terms of the proviso to Regulation 15(8) of the PMLFTR,
the FIAU may, following the submission of an STR or when it deems necessary,
demand that the information be submitted within a shorter period of time.
If once an STR is filed the subject person decides to maintain the business
relationship with the customer who is the subject of the STR, the subject person
should:
(a) classify the customer as a high-risk customer; and
(b) remain vigilant and monitor the activities of that customer to a larger extent.
It is to be noted that in such circumstances subject persons should not
automatically report to the FIAU every transaction carried out by that customer
after the STR has been filed. Subject persons should analyse the circumstances
of the case and where necessary consider passing on additional information to
the FIAU.
For instance, if a customer who has been the subject of an STR receives his
monthly salary into the same account through which a suspicious transaction was
deemed to have been carried out, the subject person would not be expected to
report this transaction. However, if a transaction similar to the transaction that
was reported to the FIAU were to be carried out, this transaction is likely to give
rise to a further suspicion and would therefore need to be reported.
Additionally, before taking any decision related to a customer and services
provided thereto, which may have an impact on the analysis or any future
investigation, it would be advisable to hold discussions with the FIAU prior to
carrying out these transactions to ensure that the steps taken by the subject
person do not hinder the analysis or the investigation. This may involve the return
of funds to the customer or the termination of the business relationship.

93. Regulation 15(8) of the PMLFTR.
94. Ibid.

Subject persons filing an STR with the FIAU may request feedback from the FIAU
on the progress of the analysis of the STR. The FIAU may also, on its own initiative,
provide feedback to subject persons making an STR. When giving feedback, the
FIAU will provide the reporting subject person with the information it considers
to be of interest to the subject person to enable that subject person to regulate
its affairs and to assist it to carry out its duties under the PMLA and the PMLFTR.
Subject persons must treat feedback information with utmost confidentiality.

5.7 THE OBLIGATION TO REFRAIN FROM CARRYING OUT A TRANSACTION THAT APPEARS
TO BE SUSPICIOUS

In accordance with Regulation 15(4) of the PMLFTR, when subject persons know
or suspect that a transaction that is still to be carried out is or may be related to
proceeds of criminal activity or the funding of terrorism, the subject person, on
informing the FIAU thereof in terms of Section 5.5 above, must, in terms of Article
28 of the PMLA, refrain from carrying out the transaction. In these cases, subject
persons must provide the FIAU with all the information related to the transaction.
Therefore, subject persons are required to delay the transaction to allow the FIAU
time to consider whether or not to oppose the execution of the transaction.
This notwithstanding, Regulation 15(5) states that, when it is not possible for
subject persons to refrain from carrying out a transaction that is known or
suspected to be related to ML/FT prior to informing the FIAU, subject persons
must carry out the transaction and inform the FIAU immediately after the
transaction is effected.
However, it is important to note that the impossibility to do so must be due either to
the nature of the transaction (e.g., the system used to process the transaction does
not allow at any point human interference, such as automated clearing or settlement
systems) or because refraining from executing the transaction is likely to frustrate
efforts to investigate or pursue the beneficiaries of the suspected criminal activity.
This obligation is mirrored in Article 29 of the PMLA, which states that when the
subject person is unable to inform the FIAU before the transaction is executed,
either because it is not possible to delay executing the transaction due to its nature
or because delay in executing the transaction could prevent the prosecution of
the individuals benefiting from the suspected ML/FT, subject persons must carry
out the transaction and then inform the FIAU immediately afterwards, giving the
reasons why the FIAU was not so informed before the transaction was executed.
In these two provisions, besides the failure to inform the FIAU because of the
likelihood of frustrating investigation and prosecution efforts, the law states that
it is only in cases when it is not possible to refrain from executing the transaction
that the subject person may carry out the transaction and this impossibility must
arise from the nature of the transaction itself.

5.8 DELAYING THE EXECUTION OF A SUSPICIOUS TRANSACTION

Under Article 28 of the PMLA, the FIAU itself may oppose the execution of a
transaction that it knows or suspects to be related to ML/FT. This power may be
exercised by the FIAU when it becomes aware of a prospective transaction that
may be linked to ML/FT through:
(a) information provided by a subject person;
(b) information provided by a foreign FIU; or
(c) any other information in its possession.
When the FIAU considers it necessary to oppose the execution of a suspicious
transaction, a notification of this opposition is to be made to the subject person
concerned by any written means. In those cases when the FIAU opposes the
execution of the transaction following the receipt of information from a subject
person, the notification of opposition must be made to the subject person by not
later than one (1) working day following the day on which the information was
received by the FIAU.
Within this one (1) working day, the subject person is prohibited from carrying
out the relevant transaction. If, after the passage of one (1) working day, following
notification to the FIAU, the subject person has not received notification from
the FIAU to suspend that transaction, the subject person can proceed with
executing the transaction.
When the FIAU suspends the execution of the transaction, the suspension is
effective for a period of one (1) working day, following the day of notification of
the opposition by the FIAU. The FIAU may, however, authorise the execution of
the transaction before the expiration of this period by any written means.


In terms of Article 28(3) of the PMLA, the FIAU may, if it considers necessary, extend
the period of suspension by a further one (1) working day. When the FIAU decides
to extend the period of suspension, it should notify the subject person in writing
before the previous one (1) working day suspension period expires. In practice,
therefore, in terms of Article 28, a transaction may be delayed by a maximum of
three (3) working days, following the day the subject person notifies the FIAU. The
diagram below provides a timeline of a postponement order’s issue and application.
Subject persons may only proceed with the execution of a transaction that has
been opposed by the FIAU once the respective suspension period expires. This
obligation not to execute a transaction opposed by the FIAU prevails over any
legal or contractual obligation to which the subject person may be subject.

Figure 5 - Postponement Order Timeline

Friday 17/02: S/P reports transaction to be executed
Saturday 18/02: weekend
Sunday 19/02: weekend
Monday 20/02: Transaction suspended - w/d 1, by operation of the law (Article 28)
Tuesday 21/02: Transaction suspended - w/d 2, FIAU Notice (discretional)
Wednesday 22/02: Transaction suspended - w/d 3, FIAU Notice (discretional)
Thursday 23/02: (no suspension)

On the lapse of the 1st w/d the subject person may proceed unless the FIAU postpones
the transaction or an attachment order is issued.

Subject persons should also be aware that an attachment order issued by the
competent Court may be served on the subject person while a transaction is
suspended by the FIAU. In these cases, the subject person would be bound by
the attachment order and thus would not be able to execute the transaction even
after the expiry of the suspension period in terms of Article 28 of the PMLA.
W hen the FIAU does not oppose the execution of a transaction reported by a
subject person or the respective suspension period lapses without there being
any other legal impediment to the execution of the transaction, it is left to the
discretion of the subject person whether to proceed or otherwise with the
execution of that transaction and Article 28 does not require the FIAU to
authorise the execution of the relevant transaction.
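The working-day arithmetic behind Figure 5, together with the "next working day" deadline for internal reports (Section 5.4) and the five-working-day limit for FIAU information requests (Section 5.6), as an added example; this is not code from the FIAU or from the Implementing Procedures. It assumes that a working day is Monday to Friday, with any public holidays supplied by the caller, and uses the constructed year 2023 so that 17 February falls on a Friday as in the figure. An attachment order served during the suspension is not modelled.

```python
from datetime import date, timedelta

# Assumption (not stated on the page): a working day is Monday to Friday; any
# public holidays that must also be skipped are passed in by the caller.


def next_working_day(d, holidays=frozenset()):
    """Return the first working day strictly after d."""
    d += timedelta(days=1)
    while d.weekday() >= 5 or d in holidays:
        d += timedelta(days=1)
    return d


def add_working_days(d, n, holidays=frozenset()):
    """Return the n-th working day after d (n >= 1).

    n=1 is the next-working-day deadline for internal reports (Section 5.4);
    n=5 is the five-working-day limit for FIAU information requests (Section 5.6).
    """
    for _ in range(n):
        d = next_working_day(d, holidays)
    return d


def postponement_timeline(report_date, opposition_notice=None,
                          extension_notice=None, holidays=frozenset()):
    """Model of the Article 28 timeline as described in Section 5.8.

    - w/d 1 after the report: suspended by operation of the law; the FIAU must
      notify any opposition by not later than this day.
    - If the FIAU opposes, the suspension runs for one working day following
      the day of notification (w/d 2).
    - The FIAU may extend by one further working day (w/d 3), notifying the
      subject person before the current suspension expires.
    Returns the suspended working days and the first day on which the subject
    person may proceed absent any other legal impediment (an attachment order
    is outside this model).
    """
    wd1 = next_working_day(report_date, holidays)
    last = wd1
    if opposition_notice is not None:
        if not report_date <= opposition_notice <= wd1:
            raise ValueError("opposition must be notified by not later than w/d 1")
        last = max(last, next_working_day(opposition_notice, holidays))
        if extension_notice is not None:
            if not opposition_notice <= extension_notice <= last:
                raise ValueError("extension must be notified before the suspension expires")
            last = next_working_day(last, holidays)
    elif extension_notice is not None:
        raise ValueError("an extension presupposes an opposition notice")
    suspended = [wd1]
    while suspended[-1] < last:
        suspended.append(next_working_day(suspended[-1], holidays))
    return {"suspended": suspended,
            "may_proceed_from": next_working_day(last, holidays)}


def timeline_iso(report, opposition=None, extension=None, holidays=()):
    """postponement_timeline with ISO-8601 date strings in and out."""
    def parse(s):
        return None if s is None else date.fromisoformat(s)
    result = postponement_timeline(parse(report), parse(opposition), parse(extension),
                                   frozenset(date.fromisoformat(h) for h in holidays))
    return {"suspended": [d.isoformat() for d in result["suspended"]],
            "may_proceed_from": result["may_proceed_from"].isoformat()}


def deadline_iso(start, n, holidays=()):
    """add_working_days with ISO-8601 date strings in and out."""
    return add_working_days(date.fromisoformat(start), n,
                            frozenset(date.fromisoformat(h) for h in holidays)).isoformat()


if __name__ == "__main__":
    # Constructed scenario matching Figure 5: report on Friday 17/02 (year 2023
    # assumed), opposition notified on w/d 1, extension notified on w/d 2.
    print(timeline_iso("2023-02-17", "2023-02-20", "2023-02-21"))
    # {'suspended': ['2023-02-20', '2023-02-21', '2023-02-22'], 'may_proceed_from': '2023-02-23'}
```

The validation in `postponement_timeline` encodes the two timing conditions the text places on the FIAU (opposition by w/d 1, extension before the running suspension expires); a subject person's own compliance system would normally only consume the notices, but rejecting out-of-window dates catches data-entry errors before a transaction is wrongly released or wrongly held.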


5.9 MONITORING ORDERS


In terms of Article 30B of the PMLA, the FIAU may demand that a subject person
monitor transactions or banking operations suspected of being related to ML/FT.
This power may be exercised by the FIAU when it:
(a) receives an STR; or
(b) when from information in its possession the FIAU suspects that:
• a subject person/s may have been used for any transaction/s suspected
to involve ML/FT; or
• property is being held by a subject person that may have derived directly
or indirectly from, or constitutes the proceeds of criminal activity or from
an act or acts of participation in criminal activity.
A monitoring order can only be made for a specified period of time. Throughout
its duration, the subject person is required to monitor the transactions or, in the
case of banks, banking operations:
(a) carried out through one or more accounts in the name of any natural or legal
person suspected of an ML/FT offence; or
(b) carried out through one or more accounts suspected to have been used in
the commission of an ML/FT offence; or
(c) which could provide information about an ML/FT offence or the circumstances
thereof.
The FIAU may issue this monitoring order before, during or after the commission
of the ML/FT offence referred to above. Subject persons are required to
communicate to the FIAU the information resulting from the monitoring and
the FIAU may use that information to carry out its analysis and reporting
functions.

5.10 PROFESSIONAL PRIVILEGE


By virtue of Regulation 15(9), auditors, accountants, tax advisors, notaries and
members of the legal profession are exempt from the duty to report suspicious
transactions to the FIAU in accordance with the provisions of Regulation 15(3)
and the duty to inform the FIAU prior to carrying out a transaction that is known
or suspected to be related to ML/FT in accordance with Regulation 15(4), if this
information is received or obtained in the course of ascertaining their client’s legal
position or performing their responsibility of defending or representing that client
in, or concerning judicial proceedings, including advice on instituting or avoiding
proceedings, whether this information is received or obtained before, during or
after these proceedings.
This principle was upheld in a judgment by the European Court of Justice in Ordre
des barreaux francophones and germanophones & Others vs Conseil des Ministres
C-305/05, (ECJ Grand Chamber) 26 June 2007. The court held the following:
“The reporting obligations apply to lawyers only insofar as they advise a client
in the preparation or execution of certain transactions – essentially those of a
financial nature or concerning real estate – or when they act on behalf of and
for a client in any financial or real estate transaction. As a rule, the nature of
such activities is such that they generally take place in a context with no link to
judicial proceedings and, consequently, those activities fall outside the scope of
the right to a fair trial.
“Moreover, as soon as lawyers acting in connection with a financial or real estate
transaction are called on for assistance in defending a client or in representing
such a client before the courts, or for advice as to the manner of instituting or
avoiding judicial proceedings, those lawyers are exempt from the reporting
obligations, regardless of whether the information has been received or obtained
before, during or after the proceedings. An exemption of that kind safeguards
the right of the client to a fair trial.”
Although the judgment only related to lawyers, Regulation 15(9) extends the
same principle to other legal professions, notaries, auditors, accountants and tax
advisors. This principle ensures that the trust placed by the client in the
professional is not breached when these professionals are called on to ascertain
a client’s legal position, to defend a client or represent that client before the
courts, or for advice on the manner of instituting or avoiding judicial
proceedings.
Moreover, when the subject persons mentioned in this section are seeking to
dissuade a client from engaging in an illegal activity, they will not be in breach of
their confidentiality obligations and any such disclosure will not constitute tipping
off.95 Nevertheless, in any other circumstances when the professional privilege
referred to under this section does not apply, the professional is under an obligation
to file an STR with the FIAU, ensuring also that all non-disclosure obligations under
the PMLFTR and these Implementing Procedures are adhered to.

95. Regulation 16(3) of the PMLFTR.


5.11 PROHIBITED AND PERMISSIBLE DISCLOSURES


Regulation 16(1) prohibits a subject person, as well as any official or employee of
a subject person, from disclosing to the person concerned or to a third party that:
(a) an STR has been made to the FIAU;
(b) the FIAU demanded information within the context of an ML/FT analysis;
(c) information has been or may be transmitted to the FIAU within the context
of an ML/FT analysis; and
(d) an ML/FT analysis or investigation has been, is being carried out or may be
carried out by the FIAU or by a law enforcement agency, respectively.
The term ‘third party’ includes any person who does not constitute part of the
subject person and is thus considered to be an external person to the subject
person. This would include any person to whom the subject person may have
outsourced any of its functions, processes, etc.
Although this prohibition does not extend to the disclosure of the above defined
information within the subject person, it is recommended that subject persons
adopt a careful stance when circulating this information internally to avoid risks
of leakages and disclosures, which would place subject persons in breach of
Regulation 16(1).
Breach of the above constitutes a criminal offence termed as “tipping off” and, given
the potential prejudice that any disclosure of the above mentioned information may
have on an analysis or investigation, it arises even though no prejudice may actually
result or the person disclosing the information did not know or suspect that the
disclosure was likely to prejudice the analysis or investigation. Therefore, for this
offence to subsist it is sufficient that the disclosure be made, irrespective of the
effect that such a disclosure has or is likely to have. The punishments applicable for
the offence of tipping off are laid out in more detail in Section 8.3.6.
A subject person must, however, still retain the necessary contact with a
customer and should enquire, in a tactful manner, on the background to one or
more transactions or to activity that appears to be inconsistent with the
customer’s normal pattern of activity, or in adverse media coverage that the
subject person may have become aware of. This is prudent practice and forms
an integral part of CDD measures. Such enquiries would not in themselves give
rise to tipping off.
Although the PMLFTR outline the prohibition of disclosure for subject persons,
there are certain circumstances established by the PMLFTR when disclosures
made will not constitute an offence in terms of the PMLFTR.96 Such
circumstances include disclosures:
(a) to the supervisory authority relevant to that subject person or to law
enforcement agencies in accordance with applicable law;
(b) between a subject person and another person who:
(1) undertakes activities equivalent to relevant financial business;
(2) is situated in an EU Member State or third country; and
(3) forms part of the same group of companies and applies group-wide
policies and procedures as provided for in Regulation 6;
(c) between a subject person who undertakes activities under paragraphs (a) or
(c) of the definition of ‘relevant activity’ in terms of Regulation 2 of the
PMLFTR and another person who:
(1) undertakes equivalent activities in a Member State or a third country
imposing requirements similar to those laid down in the PMLFTR; and
(2) performs his professional activities, whether as employee or not within
the same legal person or within a larger structure to which the subject
person belongs, and which shares common ownership, management or
compliance control;
(d) between a subject person who undertakes relevant financial business or
activities under paragraphs (a) or (c) of the definition of ‘relevant activity’ in
terms of Regulation 2 of the PMLFTR and another person:
(1) from the same professional category situated in an EU Member State or
a third country imposing requirements similar to those laid down in the
PMLFTR; and
(2) in cases related to the same customer and the same transaction; and
(3) when these persons are subject to obligations of professional secrecy and
personal data protection;
(e) disclosures by a subject person to a competent court, tribunal or other judicial
authority in or outside Malta in the course of proceedings instituted against the
subject person for or as a consequence of the failure or the delay in carrying out
a transaction, including disclosures made in any written pleadings or submissions.

96. Regulation 16(2) of the PMLFTR.

These disclosures would be permissible and would not constitute a breach
of Regulation 16(1) of the PMLFTR only if both of the following conditions
are met:
(1) the disclosure is made after the lapse of the one (1) working day period
of suspension as stipulated in Article 28(1) of the PMLA; and
(2) where applicable, the disclosure is made after the lapse of any period of
time during which the execution of the transaction is opposed by the FIAU
in terms of Article 28 of the PMLA;
(f) disclosures by a subject person to a supervisory authority or professional body
exercising supervision or regulatory oversight over the subject person making
the disclosure, that the subject person delayed from carrying out a transaction
in terms of Article 28(1) of the PMLA.
Such a disclosure would be permissible and would not constitute a breach
of Regulation 16(1) of the PMLFTR only if both of the following conditions
are met:
(1) the disclosure is made on the lapse of the one (1) working day period of
suspension, as stipulated in Article 28(1) of the PMLA; and
(2) where applicable, the disclosure is made after the lapse of any period of
time during which the execution of the transaction is opposed by the FIAU
in terms of Article 28 of the PMLA; and
(g) disclosures by an individual in the course of proceedings instituted under
Regulation 15A, including any disclosures made in any written pleadings or
submissions.
Subject persons forming part of a group have to bear in mind the obligations
arising from Regulation 6 of the PMLFTR in relation to the sharing within the
group of any STR filed with the FIAU and on the application of group-wide
policies. These group-wide policies are to include policies and procedures on data
protection, and are to regulate the sharing of information within that group, even
when the subsidiaries or branches are established outside the EEA.
This would include policies and procedures regulating the sharing of information,
including information on STRs, to reflect the obligations arising from Regulation
6 and Regulation 16 of the PMLFTR. When the laws of a third country do not
allow a subsidiary or a branch to adhere to the group policies and procedures,
including on sharing information, the subject person is expected not to share
information with these subsidiaries and branches, and refer the matter to the
FIAU, as provided for under Regulation 6(4) of the PMLFTR.

Furthermore, any bona fide communication or disclosure made by a subject person
or by an employee or director of this subject person, in fulfilment of any
requirement envisaged under the PMLFTR, does not constitute a breach of the
duty of professional secrecy, or any other restriction (whether imposed by statute
or otherwise) and this person will not be subject to liability of any kind.97

5.12 REPORTS FOR COMPLIANCE PURPOSES


Article 16(1)(c) of the PMLA charges the FIAU with the responsibility of
monitoring compliance by subject persons of their AML/CFT obligations. This
responsibility is further elaborated under Article 26 of the PMLA, which
empowers the FIAU to carry out this responsibility on a risk-sensitive basis. To
be able to do so, the FIAU has to collect data, information or documentation from
subject persons.
Regulation 19 of the PMLFTR empowers the FIAU to require periodical reports
from subject persons on the internal policies and procedures they maintain and
apply, as well as any other information the FIAU deems necessary for the
fulfilment of its supervisory functions.
On the basis of the information gathered from these reports, the FIAU can get a
clear picture of where the risk is, what the risk is and how best to manage that
risk. These reports assist the FIAU to fulfil another essential function, which is the
compilation of statistics and records to coherently plan its compliance reviews, as
well as gauge the effectiveness of the AML/CFT regime in Malta. This function
emanates from Article 16(1)(g) of the PMLA and is reflected in Regulation 14(2)
of the PMLFTR.
Reports required from subject persons may take the form of a questionnaire
having both closed-ended and open-ended questions. They will usually require
the completion of general details on the subject persons, as well as other
information that may, inter alia, include:
(a) information and data relating to the risk exposure of the subject person;
(b) information and data relating to the AML/CFT preventive and mitigating measures
adopted by the subject person to tackle the identified risk exposure; and
(c) statistical data in relation to the subject person’s business.

97. Regulation 15(10) of the PMLFTR.

Whenever the FIAU requests subject persons to compile and transmit a report,
the FIAU will provide subject persons with specific instructions and details on the
procedure to follow, including:
(a) instructions on how the report is to be compiled;
(b) instructions on how and in what manner the report is to be transmitted to
the FIAU;
(c) the time frames/deadlines within which the report is to be submitted to the FIAU;
(d) any applicable administrative fees (including late submission fees, if and where
applicable) in relation to the submission of the compliance report; and
(e) appropriate intimation notice/s warning subject persons of the consequences
for non-observance of the instructions and information provided in the
Explanatory Note.
The FIAU emphasises that the information gathered through these reports is
intended to drive its risk- based supervision and that these reports are not in
themselves an exercise to determine compliance by individual subject persons.
In this regard, subject persons should ensure that the information provided is
accurate and reflects the subject person’s position and his/her business.

5.13 REPORTING UNDER REGULATION (EU) 2015/ 847


Subject persons that are payment service providers have additional reporting
obligations in terms of Regulation (EU) 2015/847. This Regulation obliges
payment service providers that are acting either as a payee’s payment service
provider or as an intermediary payment service provider to notify the FIAU about
payment service providers that repeatedly fail to include information required in
terms of this Regulation with the transfer of funds.
This reporting obligation is explained in more detail in the Guidance Note issued
by the FIAU, entitled Guidance Note on Information Accompanying Fund Transfers.
Any reporting under this section should be done using the form attached to this
Guidance Note, which is to be submitted electronically on the following e-mail
address, compliance@fiaumalta.org. Reporting should take place without undue
delay, and no later than three months after identifying the repeatedly failing
payment service provider.

5.14 THE PROTECTION OF THE WHISTLEBLOWER ACT


The FIAU has been designated one of the authorities that, in terms of the
Protection of the Whistleblower Act,98 is to receive external disclosures of
improper practices from the private sector. In the case of the FIAU, the external
disclosures must relate to improper practices linked to the PMLA or the PMLFTR.
These may include disclosures relative to actions:
(a) whereby a person has failed, is failing or is likely to fail to comply with any AML/CFT
obligation arising from the PMLA, the PMLFTR, the FIAU Implementing
Procedures and any other binding procedures issued by the FIAU; or
(b) which are tantamount to a money laundering or funding of terrorism offence,
whether this has been committed, is being committed or is likely to be committed.
Employees who make any such disclosure are afforded the protection of the
law against any discriminatory action that the employer may take against them. It
should be noted that the identity of the employee making the external disclosure
is protected and can only be disclosed in exceptional circumstances when it is
necessary to take action on the external disclosure and only if the person’s prior
consent is obtained. Any employee can make an external disclosure, including
employees of subject persons.
However, it is important to note that:
(a) employees making a disclosure will only be able to benefit from the safeguards
provided by the Protection of the Whistleblower Act if the relevant
disclosure is made in good faith without any expectations of personal gain
and reasonably believing that the information provided is true; and
(b) an external disclosure may be received by the FIAU only once the improper
practice has been reported through any internal whistleblowing procedures
maintained by the employer, and no action was taken by the employer to
redress that disclosure. When determinate conditions subsist, the employee
may proceed with disclosing the improper practice externally to the FIAU even
without attempting to make an internal disclosure. This is only possible when
the employee has reasonable grounds to believe that:
(i) the head of the organisation is or may be involved in the improper practice; or
(ii) immediate reference to the FIAU is justified by the urgency of the matter
to which the disclosure relates or some other exceptional circumstance; or

98. Cap. 527 of the Laws of Malta.


(iii) at the time he/she makes the disclosure, he/she will be subjected to
occupational detriment if he/she makes an internal disclosure; or
(iv) it is likely that evidence relating to the improper practice will be concealed
or destroyed if he/she makes an internal disclosure.
In the case of subject persons’ employees, prior to making an internal disclosure
in terms of the Protection of the Whistleblower Act, they should consider
whether the information they are seeking to disclose should be reported
internally to the MLRO by making use of the internal reporting procedures
maintained by the subject person to report knowledge or suspicion of ML/FT.
External disclosures should ideally be submitted to the FIAU in writing and
marked as strictly confidential. Submissions may be sent either via e-mail on
whistleblowing@fiaumalta.org or in writing, addressed to the FIAU’s Whistleblowing
Reports Unit. On receipt of an external disclosure, the Whistleblowing Reports
Unit will carry out a first review of the report to determine whether:
(a) all the conditions for an external disclosure to be made are met. This Unit is
allowed forty-five (45) days from receipt of the external disclosure within
which to make this determination and inform the employee on its conclusions.
When the Whistleblowing Reports Unit concludes that an internal disclosure
should have been filed, it will desist from considering any further the alleged
improper practice and will direct the employee to disclose the improper
practice internally; and
(b) another authority referred to under the Protection of the Whistleblower
Act or the Malta Police would be better placed to investigate the alleged
improper practice disclosed by the employee. When it so concludes, the
Whistleblowing Reports Unit will transmit the relevant information to that
authority or to the police, and notify the employee in writing of the action
taken. This has to be done within thirty (30) days from receipt of the external
disclosure. At no point will the employee’s identity be disclosed, and he/she
will still be entitled to the protection offered by the Protection of the
Whistleblower Act.
Any external disclosures that are deemed by the Whistleblowing Reports Unit
to fall within its remit will be thoroughly investigated to determine whether there
is any prima facie evidence of wrongdoing. To this end the Whistleblowing
Reports Unit may request the employee to attend meetings, request any
witnesses indicated in the external disclosure to give statements, collect additional
information on the organisation or individuals involved in the alleged improper
practice and carry out any other checks that it may deem necessary.

Information disclosed to the Whistleblowing Reports Unit may be shared with
other sections of the FIAU when these other sections request information in the
course of conducting their own functions. Any information shared will not include
any details of the employee’s identity.
The employee will be duly informed of the investigation’s outcome and of any
action taken when this may be warranted. Given the potential different nature of
the improper practices that may be disclosed to it, the Whistleblowing Reports
Unit is not in a position to set a determinate timeframe within which it will
conclude its investigation. However, it will strive to do so within a reasonable time.
Action may include forwarding the information received to other sections within
the FIAU for further analysis or action or, when the improper practice is considered
to amount to a crime or contravention, referring the matter to the Malta Police.
Any information so forwarded will not include any details on the employee’s identity.
An employee may opt to make an anonymous disclosure. While the
Whistleblowing Reports Unit will take into consideration even these disclosures,
employees who make anonymous disclosures do not benefit from the protection
provided for in the Protection of the Whistleblower Act.

5.15 PROTECTION FROM DETRIMENTAL ACTION


Regulation 15A of the PMLFTR seeks to protect anyone who either submits an
internal report or otherwise files an STR with the FIAU. Not only is the identity
of any such individual to be kept confidential by anyone who may be aware of
the same, but the PMLFTR also provide the said individual with remedies at law
should any detrimental action, as defined in Regulation 15A(13), be taken against
him/her for complying with his/her obligations at law.
These remedies at law are exercisable even when no detrimental action has been
taken but the individual concerned believes that any such action is likely to be
taken against him/her due to having disclosed information either internally or to
the FIAU. It is important to note that, due to their sensitivity, any proceedings
undertaken in the context of Regulation 15A are to take place in camera.

CHAPTER 6 – OUTSOURCING

6.1 WHAT IS TO BE CONSIDERED AS OUTSOURCING?


Outsourcing is the engagement of a third party by a subject person to carry out
an activity, process or service that would normally be carried out by the subject
person itself. Outsourcing therefore means that the subject person would not
implement certain measures and procedures itself but would delegate their
implementation to another person.
For the avoidance of doubt, the acquisition of software or access to commercial
databases to assist in, or facilitate, the carrying out of AML/CFT obligations
without any data or information belonging to the subject person being submitted
to and processed by a third party is not to be considered as outsourcing.
Outsourcing is to be distinguished from the possibility allowed to subject
persons to exercise reliance on the CDD measures carried out by another
subject person in terms of Regulation 12 of the PMLFTR. In case of reliance,
the subject person would typically rely on another subject person or a third
party who would have carried out CDD to meet its own AML/CFT obligations
and the subject person or third party being relied on grants the subject person
placing reliance access to the information and documentation so collected. No
reliance can be made insofar as risk assessment and ongoing monitoring
obligations are concerned.
The situation in the case of outsourcing differs from the reliance arrangement in
that, rather than relying on the CDD measures undertaken by another subject
person or third party, the subject person is delegating the implementation of
certain AML/CFT obligations to another person(s). The below sections set out
the requirements that are to be applied when a subject person outsources certain
AML/CFT obligations to another person.
To the extent allowed by law, subject persons may also be able to appoint agents
to extend their network to carry out their activities. This is not to be considered
as outsourcing since the agent is deemed to form part of the subject person itself
and has to abide by the controls, policies, measures and procedures established
by the subject person.

6.2 RESPONSIBILITY OF THE SUBJECT PERSON


The PMLFTR are very clear in setting out what the general obligations of subject
persons are when it comes to preventing ML/FT; it is the subject person’s
responsibility to ensure that it is abiding by these obligations at all times.
Responsibility can never be delegated and as a consequence:

(a) outsourcing is not to be extended to the adoption and application of policies
and procedures necessary to ensure the subject person is compliant with its
AML/CFT obligations at all times. While it is permissible for a subject person
to engage consultants to assist it in carrying out any risk assessment or
drawing up any policies and procedures, it is the subject person’s ultimate
responsibility to ensure that these address the ML/FT risks to which it is
exposed, satisfy the requirements at law, and are implemented properly;
(b) the subject person must effectively monitor how the service provider is
carrying out the outsourced AML/CFT measures and procedures to ensure
that these are being carried out as required by law and in accordance with
the subject person’s own policies and procedures. By way of example, this
can be done through periodical reports provided to the subject person by the
person to whom a function has been outsourced, spot checks and requests
for CDD information on particular clients. Subject persons may implement
other measures to ensure effective supervision; and
(c) the subject person must ensure that it has a contingency plan in place in the
eventuality of a sudden termination of the outsourcing arrangement that
would ensure it can resume without undue delay the implementation of the
outsourced AML/CFT obligations.
The FIAU will consider the subject person as responsible at all times for
compliance with its AML/CFT obligations.

6.3 EXTENT OF OUTSOURCING


Outsourcing is to be allowed only insofar as the implementation of a subject
person’s policies and procedures are concerned. A subject person may, therefore,
outsource certain AML/CFT obligations to another person. The obligations that
may be outsourced, whether in whole or in part, relate to:
(i) the implementation of risk assessment procedures (Regulation 5 of the PMLFTR);
(ii) the implementation of CDD procedures (Regulation 7 to Regulation 11 of
the PMLFTR); and
(iii) the implementation of record keeping obligations (Regulation 13 of the PMLFTR)
(collectively referred to as the “General Outsourced Activities”). In this regard, it
is to be noted that anything that is usually required to be done by an officer or
employee of the subject person would then have to be carried out by officers or
employees of the third party to which the activity is outsourced.

IMPLEMENTING PROCEDURES
239
6. OUTSOURCING CONTINUED

The subject person will remain responsible at all times for all other obligations in
terms of the PMLFTR and these Implementing Procedures, including, without
limitation, the acceptance or otherwise of a customer, the termination of a
business relationship, the undertaking of an occasional transaction, etc.
Unless otherwise specified in these Implementing Procedures (such as set out in
Section 5.1.2 of these Implementing Procedures) or in any ad hoc guidance,
outsourcing does not extend to the appointment of the MLRO and of the officer
in charge of the monitoring function referred to in Section 5.3. This means that
these two functions cannot be outsourced to third parties since they have to be
carried out at all times by an officer or employee of the subject person who meets
the conditions set out in Chapter 5 of Part I of the Implementing Procedures. The
person/s assuming these functions is/are to continue to exercise the functions
assigned to him/her/them under Chapter 5 and is/are to be responsible for
monitoring the third party’s activities. On the other hand, when the outsourcing
of the MLRO and of the officer in charge of the monitoring function is allowed,
any such outsourcing would be subject to the conditions set out in this chapter.
In addition, unless otherwise specified in these Implementing Procedures or in ad
hoc guidance, the outsourcing of the General Outsourced Activities does not
extend to the determination on whether an STR is to be filed with the FIAU. This
is to remain within the discretion of the subject person’s MLRO and the subject
person must ensure (through its internal reporting procedures) that even the third
party (to whom certain functions are outsourced) can submit reports to the
MLRO for the MLRO to assess whether an STR should be filed with the FIAU.
Nevertheless, a subject person may still engage a third party to flag unusual
transactions that may become the subject of an internal report to the MLRO or,
where applicable, to the designated employee, or engage consultants to assist in
the determination of whether an STR is to be filed or otherwise, in full respect
of any non-disclosure obligations binding the subject person, and in line with
conditions set out in Section 5.4 above.

6.4 CONDITIONS TO WHICH OUTSOURCING IS SUBJECT


Given the risks to which the subject person may be exposed in situations where
the outsourced third party fails to effectively carry out the outsourced function,
the FIAU considers that outsourcing is not to be unconditional but that there
must be specific requirements that must be met for outsourcing to be permissible.
To this end, whenever a subject person is outsourcing the General Outsourced
Activities, the subject person must ensure that the third party is complying with
the requirements set out in this section. In this regard, prior to outsourcing the
General Outsourced Activities to a third party, the subject person should:
(i) make an assessment of any potential ML/FT risk due to the proposed
outsourcing;
(ii) maintain a written record of the assessment; and
(iii) monitor the perceived risk.
To ensure that proper arrangements are in place and the outsourced entity has
the necessary competence and resources to be able to undertake the General
Outsourced Activities in an appropriate manner, the subject person is required to
ensure that all the following conditions are met:
(a) the outsourcing does not negatively prejudice the subject person’s ability to
comply with its obligations at law and the effectiveness of the subject person’s
compliance and audit functions, nor will the outsourcing impede the effective
supervision of the subject person by the FIAU or the compliance by the
subject person with any obligation related to the FIAU’s analytical function;
(b) the third party has the necessary resources, qualifications, skills and
authorisations (if required) at its disposal to effectively carry out the measures
and procedures it is to perform on behalf of the subject person;
(c) the manner in which the third party proposes to implement the General
Outsourced Activities on behalf of a subject person is in line with all applicable
legal requirements and the subject person’s own policies and procedures;
(d) the third party is in good standing, there being no adverse information in its
regard, and it is located and operating from Malta, an EU Member State or
another reputable jurisdiction; and
(e) the third party is not subject to any obligation that would lead to a breach of
any data protection, professional secrecy, confidentiality or non-disclosure
obligation to which the subject person has to adhere.
The subject person must maintain a copy of the assessment undertaken prior to
entering into an outsourcing arrangement and will make it available to the FIAU
on request.
The outsourcing of the General Outsourced Activities to a third party must be
regulated by a written agreement that clearly sets out:
(a) the exact parameters of the measure or procedure being outsourced to the
third party;
(b) the precise requirements concerning the performance of the measure or
procedure, taking account of the intended objective of the measure or
procedure to be outsourced;
(c) the respective rights and obligations of the parties to the agreement,
including:
• the obligation of the third party to notify the subject person immediately
of any change in its circumstances that negatively affects its standing or
its ability to meet its obligations under the agreement;
• the right of the subject person to monitor the third party’s performance
and the obligation of the third party to take any corrective measures that
may be required by the subject person to ensure that the measure or
procedure being outsourced is carried out effectively;
• unrestricted and immediate access at any time by the subject person to
any data, documentation, information, reports or findings that are
collected, obtained or made use of to fulfil the measures or procedures
outsourced, including the ability to access and retrieve data, information
and documentation to enable STRs to be submitted or to reply to
requests for information from the FIAU, law enforcement and any other
relevant supervisory authority without having to disclose the purpose
that data, information or documentation is being accessed; and
• where the retention of data, information and documents collected in the
course of implementing the outsourced measures or procedures also
forms part of the outsourcing agreement, the data, information and
documents are segregated from that belonging to the third party or any
other customer thereof.99
(d) the circumstances under which the agreement can be terminated and the
terms that would become applicable, including:

99. In situations where multiple collective investment schemes have outsourced their
AML/CFT obligations to the same fund administrator or third-party service provider, it is
possible for the said service provider to maintain a common record of CDD information
and documentation collected for investors holding units in two or more of the said
collective investment schemes. The fund administrator or service provider shall however
ensure at all times that it is able to determine in which collective investment schemes (and
related sub-funds) any such investor holds units and make available the relative
documentation and information upon demand either to the collective investment scheme
concerned or to the relative competent authorities.

• a termination clause allowing either the proper and orderly transfer of
the outsourced measure or procedure to another third party identified
by the subject person or the proper and orderly reintegration of that
measure or procedure within the subject person, with the third party
continuing to carry out the outsourced measure or procedure until such
time as the transfer is complete; and
• the possibility for the subject person to terminate the agreement when
the FIAU so requires and when the third party is no longer in a position
to meet its obligations under the agreement.
(e) the ownership of any data, information, reports or other documentation that
may be produced, collated or collected in the course of carrying out the
measure or procedure being outsourced, taking into consideration the record-keeping
obligations of the subject person;
(f) that any processing of personal data has to take place in accordance with
applicable data protection laws and any data, information, reports or other
documentation are kept confidential and will not be disclosed to anyone other
than in the circumstances where the law permits this disclosure;
(g) the communication lines to be followed, especially with regard to the transmission
of data, information, documentation, reports or findings to the subject person by
the third party related to the measures or procedures outsourced;
(h) that the third party is to allow the FIAU, including anyone duly authorised to
act on its behalf, direct access to its premises and to any data, information,
documentation reports or findings relative to the outsourced measures or
procedures, as the FIAU may require;
(i) that sub- contracting by the third party is not to be allowed without the prior
agreement of the subject person, whose consent can only be granted once the
subject person has ascertained that the sub- contractor meets the conditions set
out in this section and that the sub- contracting will not impact negatively the
arrangement entered into between the subject person and the third party; and
(j) the subject person must regularly evaluate the third party’s performance, using
mechanisms, such as service delivery reports, self- certification, independent
reviews or the subject person’s own audit function.
The said agreement need not be provided to the FIAU prior to or after its conclusion, but a subject person may be requested by the FIAU or any other relevant supervisory authority to provide the authority concerned with the original or a copy of that document.


Subject persons are to note that the above does not exempt them from any additional regulatory requirements to which they may be subject.

6.5 OUTSOURCING WITHIN A GROUP CONTEXT

When the subject person forms part of a group of companies and it contemplates outsourcing the General Outsourced Activities to another group entity, the subject person will still have to ensure that the conditions set out herein are met.

CHAPTER 7 – AWARENESS, TRAINING AND VETTING OF EMPLOYEES

7.1 AWARENESS AND TRAINING: THE OBLIGATION AND PURPOSE BEHIND IT
Every subject person is required to take appropriate and proportionate measures from time to time to:
• ensure that employees100 are aware of relevant AML/CFT legislation and data protection requirements, as well as of the subject person’s AML/CFT measures, policies, controls and procedures; and
• provide training in relation to the recognition and handling of operations and transactions that may be related to proceeds of criminal activity, money laundering or the funding of terrorism.101
The emphasis in the PMLFTR is on the words “appropriate” and “proportionate”. Therefore, there is no place for a ‘one size fits all’ or a haphazard approach towards training. Training needs to be well thought out and planned, targeted but also proportionate, depending on the nature of the subject person’s activities, the risks it is exposed to, as well as the size of the subject person’s business or operation.
The PMLFTR also emphasises that these measures need to be taken from time to time, meaning that training and awareness-raising initiatives are to be undertaken on a regular basis. A subject person should set its training programme, including the content and frequency of any training or awareness-raising sessions, on the basis of the risks identified through the subject person’s BRA, the specific roles of the employees being trained, and any relevant developments, including legislative changes, the development of new products or services, new markets targeted by the subject person, etc. In all cases, new employees should be made aware of their responsibilities and those of the subject person on being employed or engaged in their relevant position.
Awareness of the subject person’s AML/CFT procedures and training in relation to the identification of unusual activities or suspicious transactions are key elements in the detection and deterrence of ML/FT activities. It is therefore critical that every subject person allocate adequate resources to train its employees.
Even though a subject person may have the best designed AML/CFT policies and
procedures, the effectiveness of these procedures ultimately depends on its
employees being fully aware of them and sufficiently knowledgeable to implement

100. References to employees throughout this chapter should also be taken to include sole
practitioners.
101. Regulation 5(5)(b) and (e) of the PMLFTR.


them. The content and effectiveness of the training provided will therefore be critical to the success or failure of a subject person’s AML/CFT strategy.
Proper training of staff, ensuring that they are fully alert to the very real risks of money laundering and the funding of terrorism and able to identify unusual transactions and riskier situations that may turn out to be suspicious, is critical to the success and effectiveness of a subject person’s efforts at combatting ML/FT.
In terms of applicable law, individual members of staff (and in particular directors or similar officers responsible for the management of a body or association of persons,102 as well as employees in certain instances103) may face administrative sanctions for contraventions of AML/CFT obligations, or of lawful requirements, orders or directives issued by the FIAU, committed by the body or association of persons, or criminal penalties if they are involved in money laundering or the funding of terrorism, or if they breach their non-disclosure obligations under the PMLFTR. It is important, therefore, that staff are made aware of these obligations and are given appropriate training.
It should also be borne in mind that Regulation 5(5)(c) of the PMLFTR obliges subject persons to “appoint, where appropriate with regard to the nature and size of the business, an officer at management level whose duties shall include the monitoring of the day-to-day implementation of the measures, policies, controls and procedures adopted under this regulation”, which also includes the implementation of a training programme.

7.2 COMPANY OFFICIALS AND EMPLOYEES TO BE PROVIDED WITH TRAINING
It should be noted that awareness and training should be provided to employees
and other company officials whose duties include the handling of either relevant
financial business or relevant activity,104 irrespective of their level of seniority.
This includes:
(a) directors;
(b) senior management;
(c) the MLRO and designated employee(s);

102. Regulation 21(7) of the PMLFTR.
103. Regulation 16(1) of the PMLFTR.
104. Regulation 5(7) of the PMLFTR.


(d) compliance staff; and
(e) all members of staff involved in the activities of the subject person that fall within the definition of ‘relevant financial business’ and ‘relevant activity’.
It is important to emphasise that, when referring to employees in an AML/CFT context, the term should not be interpreted in a restrictive manner: it should not refer only to individuals who have a contract of employment with the subject person in the strict legal sense of the term, but should be interpreted to also include individuals who are engaged by the subject person to carry out aspects of its business involving relevant activity or relevant financial business (such as temporary or contract staff).
The training should be relevant to the respective employees’ specific responsibilities and functions within that subject person. Thus, it is expected that front-office employees, for instance, would be provided with training that is different from that required by back-office employees.
Effective training measures should ideally refer to real-life scenarios that are or will be encountered by the employees, such as, for instance, the steps to be followed when onboarding customers, the handling of high-risk customers and the behaviour to be adopted when faced with transactions that appear to be suspicious.
To be in a position to recognise and handle suspicious transactions, employees should be trained on how the subject person’s products and services may be misused for ML/FT purposes. Of relevance to this is a strong awareness of ML/FT typologies and of the red flags and risk indicators applicable to the particular subject person. Knowledge of relevant typologies plays an important role in the recognition of ML/FT, and employees should be kept aware of the ever-changing behaviour and practices of money launderers and terrorist financiers. Similarly, employees should be provided with a relevant list of red flags and risk indicators, since these are a useful tool to help them recognise possible ML/FT activity.

Employees located outside Malta

When activities relating to the operations of a Maltese subject person are undertaken by staff outside Malta, those employees must be made aware of and trained to follow the AML/CFT policies and procedures applicable to the Maltese operations. Where relevant, there may also be local training and awareness obligations in the host state that need to be met.


7.3 CONTENT OF TRAINING

Through training measures, the subject person should seek to ensure that relevant employees are knowledgeable of the subject person’s:
(a) CDD measures;
(b) record-keeping procedures;
(c) internal reporting procedures;
(d) the role of the MLRO in filing STRs with the FIAU (external reporting);
(e) risk management measures, including:
• customer acceptance policies;
• CRA procedures;
• internal controls;
• compliance management;
• communications;
• employee screening policies and procedures; and
• any other relevant policies and procedures concerning AML/CFT; and
(f) the ML/FT risks posed by the business and/or activities of the subject person
(i.e., the outcomes of its BRA).
All employees should know who their MLRO, any designated employee(s) and
the officer carrying out the monitoring function referred to in Section 5 are, as
well as the functions and responsibilities of these key persons.
Employees should also be made aware of the following legislative instruments
and other binding guidance:
(a) the provisions of the PMLA;
(b) the provisions of the PMLFTR;
(c) the provisions of the Criminal Code concerning the funding of terrorism;
(d) relevant data protection laws, rules and guidance;
(e) the FIAU Implementing Procedures, other guidance and/or interpretative
notes issued by the FIAU; and
(f) the applicable offences and penalties resulting from breaches of all the above.


Furthermore, employees should be made aware of the potential effect of any breach of applicable law and regulations on the subject person, the employees personally and the subject person’s customers.
The lists provided for under this Section are not exhaustive, and any policies and procedures related to AML/CFT implemented by the subject person would need to be incorporated into the training measures. Moreover, all policies and procedures should be made readily available to all employees to enable them to refer to this information whenever required.

7.4 METHOD OF DELIVERY OF TRAINING

The FIAU does not seek to impose any particular method of training, and hence subject persons may determine what would work best in accordance with the size and nature of their activities, taking into consideration the training methods used for other aspects of their operations. Training may, for instance, consist of a mix of online learning systems with focused classroom training for higher-risk activities, video and other digital media, external training, procedures manuals or any other medium that is able to deliver effective training.
Regardless of the medium used, any training provided should ideally include or be
supplemented with material that employees may refer to from time to time as
may be necessary in the course of carrying out their duties.
Furthermore, subject persons are to maintain records of the training provided to monitor which employees have received training, how frequently, and the nature of the training provided. In line with record-keeping requirements, training records are to include:
(a) the details of the training provider;
(b) the date on which training was delivered;
(c) the nature of the training;
(d) the names of the employees who received training; and
(e) where available, a copy of any training materials provided.


7.5 SCREENING OF NEW EMPLOYEES

Subject persons must put appropriate procedures for due diligence in place when hiring employees who would be handling relevant financial business or relevant activity for the subject person, which is to include obtaining a Police conduct certificate or equivalent documentation.105 The screening should enable subject persons to assess the individual’s conduct and integrity.
It is also relevant to note that various laws, regulations and guidelines applicable to regulated entities require the licensee to employ staff who are ‘fit and proper’ and in possession of the necessary skills and expertise, knowledge and experience, sufficient to enable them to discharge the obligations entrusted to them. This should also be borne in mind by all subject persons whenever engaging employees to handle relevant financial business or relevant activity, especially when engaging an MLRO, a designated employee or an officer to carry out the monitoring function referred to in Chapter 5 above.
Screening of individuals should be carried out prior to their engagement or, if they
are already employed with the subject person, whenever they are entrusted with
new roles or responsibilities concerning relevant duties. Moreover, screening must
be an ongoing process and thus subject persons should ensure that they carry
out employee screening from time to time.
Finally, subject persons must retain employee screening records as outlined in
more detail in Section 9.3.6 of these Implementing Procedures Part I.

105. Regulation 5(5)(a)(ii) of the PMLFTR.

CHAPTER 8 – DEALING WITH NON-REPUTABLE JURISDICTIONS & HIGH-RISK JURISDICTIONS, AND GROUP-WIDE POLICIES & PROCEDURES

8.1 INTRODUCING THE CONCEPTS OF NON-REPUTABLE JURISDICTIONS AND HIGH-RISK JURISDICTIONS

A number of obligations under the PMLFTR require subject persons to assess whether the jurisdictions they are dealing with are non-reputable jurisdictions or are otherwise to be regarded as high-risk jurisdictions.
Regulation 2(1) of the PMLFTR provides a clear definition of which jurisdictions are to be deemed non-reputable jurisdictions, as well as what subject persons are to look out for when conducting their assessment. A non-reputable jurisdiction is one that has deficiencies in its national AML/CFT regime or has inappropriate and ineffective measures for the prevention of ML/FT.
In assessing the aforementioned elements, one is to take into account any accreditation, declaration, public statement or report issued by an international organisation which lays down internationally accepted standards for the prevention of ML/FT, or which monitors adherence thereto, as well as whether the jurisdiction has been included by the European Commission in the list it is to publish in terms of Article 9 of the 4th AMLD.106
Hence, the concept of non-reputability of a jurisdiction primarily relates to issues and/or shortcomings concerning AML/CFT. In assessing and establishing the business and risk profile of the customer, subject persons are to take into consideration a number of risk factors, including geographical/jurisdictional risk. In fulfilling this obligation, subject persons are required to go beyond the mere identification of non-reputable jurisdictions and should also assess certain other risk factors associated with that particular jurisdiction, which may result in the same jurisdiction being considered a high-risk jurisdiction by the subject person.
Unlike the concept of non-reputable jurisdictions, when assessing whether a jurisdiction is to be considered high risk, subject persons are required to conduct a wider assessment than merely assessing the jurisdiction’s AML/CFT issues and shortcomings, and hence should also include other factors in their assessment.

106. Commission Delegated Regulation (EU) 2016/1675 of 14 July 2016 supplementing Directive (EU) 2015/849 of the European Parliament and of the Council by identifying high-risk third countries with strategic deficiencies.


Even if the interplay between the two concepts of non-reputable jurisdictions and high-risk jurisdictions is significant, subject persons are to note that, while a non-reputable jurisdiction is always to be regarded as a high-risk jurisdiction, a high-risk jurisdiction may not necessarily always be regarded as a non-reputable jurisdiction.

8.1.1 Determining non-reputable jurisdictions

As we have seen under Section 8.1 above, Regulation 2(1) of the PMLFTR not only provides a definition of what makes a jurisdiction non-reputable, but goes on to also provide what one is required to take into account when determining whether a jurisdiction is to be deemed non-reputable.
As a result, the list of sources that subject persons are required to take into consideration in this regard is exhaustive:
1. Financial Action Task Force (FATF) Public Documents;
2. Commission Delegated Regulation (EU) 2016/1675 of 14 July 2016 identifying high-risk third countries with strategic deficiencies; and
3. Statements and/or declarations issued by the FATF or by an FATF-Style Regional Body (FSRB107).

1. FATF Public Documents

The FATF issues two public documents that provide a list of jurisdictions considered
to pose a higher risk of ML/FT in view of a number of identified strategic deficiencies
within their respective AML/CFT regime. The ML/FT risks posed by the jurisdictions
listed in the FATF documents vary depending on the seriousness of the deficiencies
and the level of commitment made by each jurisdiction to address those deficiencies.
It is to be noted that the FATF documents are issued three108 times a year and, as a
result, the list changes depending on the level of progress achieved (or the lack of
it) by each jurisdiction in addressing the deficiencies identified in their respect.109
The first public document issued by the FATF is the Public Statement, which
classifies jurisdictions into the following two categories:

107. A total of nine FSRBs have been established: MONEYVAL, APG, MENAFATF, CFATF, EAG,
GIABA, ESAAMLG, GAFILAT and GABAC.
108. In the months of October, February and June of each year.
109. The latest issued FATF Public Documents may be accessed through the FIAU website on
this link.


(a) jurisdictions subject to an FATF call on its members and other jurisdictions to apply countermeasures to protect the international financial system from the ongoing and substantial ML/FT risks emanating from the jurisdictions (Category 1 jurisdictions); and
(b) jurisdictions with strategic AML/CFT deficiencies that have not made sufficient progress in addressing the deficiencies or have not committed to an action plan developed with the FATF to address the deficiencies, and that are subject to an FATF call on its members to consider the risks arising from the deficiencies associated with each jurisdiction (Category 2 jurisdictions).
The FATF also issues a second document, entitled Improving Global AML/CFT Compliance: On-going Process (“On-going Process document”). This document contains a list of jurisdictions (Category 3 jurisdictions) that have been identified by the FATF as having strategic AML/CFT deficiencies but that have provided a high-level political commitment to address the deficiencies through the implementation of an action plan developed in conjunction with the FATF. The situation differs in each jurisdiction and therefore every country on the list presents a different degree of ML/FT risk. Subject persons are to deem all jurisdictions listed by the FATF as non-reputable jurisdictions, irrespective of the category they have been listed under. Having said that, subject persons are to take into consideration the different categories (hence, different degrees of ML/FT risk) when determining the extent of the Enhanced Due Diligence (EDD) measures, that is in determining the number and type of EDD measures to apply.
Three different categories of non-reputable jurisdictions are therefore identified in the FATF public documents, as shown in the table below:

Table 8 – Categories identified by the FATF

Category 1: Jurisdictions that have strategic AML/CFT deficiencies and to which countermeasures apply.

Category 2: Jurisdictions with strategic AML/CFT deficiencies that have not made sufficient progress in addressing the deficiencies or have not committed to an action plan developed with the FATF to address the deficiencies.

Category 3: Jurisdictions with strategic AML/CFT deficiencies that have developed an action plan with the FATF and have made a high-level political commitment to address their AML/CFT deficiencies.


2. Commission Delegated Regulations identifying high-risk third countries with strategic deficiencies

Article 9 of the 4th AMLD empowers the European Commission to adopt delegated acts identifying, and therefore listing, high-risk third countries with strategic deficiencies in their AML/CFT regimes that pose significant threats to the Union’s financial system, in order to protect the proper functioning of the internal market.
The relevant delegated acts should, where appropriate, be aligned with FATF standards to reinforce the efficacy of the fight against ML/FT at a global level, albeit the Commission’s assessment in identifying high-risk third countries is an autonomous process based on specific criteria, while taking into account evaluations made by the FATF and other international organisations. This means that the European Commission remains free to differ from the FATF list, so that the two lists may not necessarily mirror one another.
The Commission Delegated Regulations identifying high-risk third countries provide a list of jurisdictions that can be found in the Annex to these delegated acts. The list provides for three different categories of high-risk third countries, as shown in the table below:

Table 9 – Categories identified by the Commission Delegated Regulations

Category I: High-risk third countries which have provided a written high-level political commitment to address the identified deficiencies and have developed an action plan with the FATF.

Category II: High-risk third countries which have provided a high-level political commitment to address the identified deficiencies, and have decided to seek technical assistance in the implementation of the FATF Action Plan, which are identified by an FATF Public Statement.

Category III: High-risk third countries which present ongoing and substantial money-laundering and terrorist-financing risks, having repeatedly failed to address the identified deficiencies, and which are identified by an FATF Public Statement.


3. Statements and/or declarations issued by the FATF or by an FATF-Style Regional Body (FSRB)

The FATF and any FSRB have the power to issue statements and/or declarations against a particular country or jurisdiction whenever such action is merited. Although this is not a very common occurrence, subject persons are reminded that whenever such declarations and/or statements are issued, any country or jurisdiction mentioned in them shall be regarded as a non-reputable jurisdiction for as long as the statement and/or declaration remains in force.

8.1.2 Determining high-risk jurisdictions

As already seen under Section 8.1 above, the concept of high-risk jurisdictions goes beyond that of non-reputable jurisdictions, in the sense that it extends to other risk factors beyond AML/CFT issues or shortcomings. Hence, the factors and sources that subject persons are to take into consideration in this regard are numerous and non-exhaustive. Below is an indicative and non-exhaustive list of factors and sources:
• Level of transparency and rule of law (example sources: the World Justice Project Rule of Law Index, and Freedom in the World and Freedom of the Press, issued by Freedom House);
• Level of corruption (example source: the Corruption Perceptions Index, issued by Transparency International);
• War-torn countries/civil unrest (example source: the UN list of embargoed countries);
• Significant levels and types of crime (jurisdictions known for high levels of different types of crime, including drug trafficking, arms trafficking and human trafficking, and jurisdictions known to be a hub for terrorist groups);
• Significant level of terror threat (example source: the Global Terrorism Index, issued by the Institute for Economics and Peace);
• Mutual Evaluation Reports (MERs) issued by the FATF or any FSRB; and
• Other notable sources (e.g., the Basel AML Index, issued by the International Centre for Asset Recovery).
As to the jurisdictions that are to be considered for assessment purposes, this may vary depending on the nature of the relevant activity or relevant financial business carried out by the subject person. Section 3.2.2 already indicates what


these jurisdictional links may be. The following examples are intended to provide some additional guidance on the matter and complement what is already explained in the said section:
(a) Where a subject person is involved in the processing of payments, its exposure to geographical risk will not be limited to the jurisdictions linked to its customer and beneficial owner but will also arise from the main jurisdictions from which it is receiving, or to which it is remitting, funds on behalf of its customer. Attention always has to be paid to the risk of FT, which may manifest itself through geographical risk independently of the value and volume of payments remitted to jurisdictions presenting a high risk of FT.
(b) Where a subject person is providing tax advice in relation to a given corporate structure, the geographical risk associated with the jurisdictions where the entities used to channel funds or to exercise control within the said structure are incorporated, registered or otherwise established has to be considered together with the geographical risk linked to the customer and its beneficial owner. The presence of entities incorporated or registered in jurisdictions known to provide favourable tax regimes and that have beneficial ownership transparency issues will inevitably increase the ML risk linked to tax evasion or arising from attempts at shielding the beneficial owners of the said structure.
(c) Where the subject person is providing directorship services to a corporate entity, the geographical risk will not be limited to the country of incorporation or registration of the corporate entity itself or that where its beneficial owner is resident, but will also arise from those jurisdictions where its main trading partners are located or where the assets held by it are located.
(d) Where the subject person is collecting or receiving funds from customers, as is the case with collective investment schemes or insurance (intermediary) undertakings, the geographical risk will arise from the jurisdictions where the respective products are being marketed and where its customers are resident, incorporated or otherwise established.
The jurisdictional risk assessment should highlight the main risks associated with a jurisdiction. The detail included can vary, as it is expected to be proportionate to:
(a) the size and nature of one’s business and activities, as is the case for the Business Risk Assessment; and
(b) the particular exposure that a subject person has to a given jurisdiction.


The higher the exposure, the more detailed the said risk assessment is to be, so as to allow a comprehensive understanding of the factors contributing to the overall risk thereof. This is why it is important to also consider quantitative factors, as provided for under Section 3.3.1 of the Implementing Procedures – Part I.
It is not necessary for any such assessment to be carried out by the subject person itself. The subject person may decide to engage a third-party consultant to draft the same, or otherwise to rely on standardised jurisdiction risk assessments drawn up by third parties. However, any adoption of a risk assessment drawn up by a third party should only be done following due consideration of a number of points, including:
• The risk assessment carried out considers a sufficient number of aspects that may impact the subject person, and the sources used for the purposes of the said assessment are not only known but also reliable. Subject persons can refer to Section 8.1.2 of the Implementing Procedures – Part I regarding reliability.
In the event that particular aspects are not factored in, then the subject person should supplement the said risk assessment and consider what is likely to be the impact on the risk rating provided by the third party. By way of example, a third-party assessment that does not consider the level of terrorism or funding of terrorism to which a jurisdiction is exposed would be of no value to anyone providing money remittance or similar services.
• The subject person must understand the methodology behind the risk assessment and the resulting risk rating attributed to any one given jurisdiction. It has to be ascertained that the said methodology makes sense and is sufficiently objective.
• The subject person has to ensure that any assessment and associated risk rating is updated periodically. In particular, subject persons have to consider how quickly the said assessments and ratings are revised once there are changes in a jurisdiction’s circumstances. Events can unfold quite quickly, and what was once a low-risk jurisdiction may undergo a drastic change in risk. If the third-party risk assessments and associated ratings are not revised regularly within a reasonable period of time, the subject person would have to consider and factor in any new information that becomes available and that impacts its own understanding of the risk.
• The fact that a subject person may be making use of a readily available index does not absolve the subject person from understanding the main reasons for a jurisdiction being considered as presenting its assigned level of risk, especially in situations where a jurisdiction is deemed to present a higher than usual risk of ML/FT.

IMPLEMENTING PROCEDURES
257
8. DEALING WITH NON-REPUTABLE JURISDICTIONS
& HIGH-RISK JURISDICTIONS, AND GROUP-WIDE
POLICIES & PROCEDURES CONTINUED

The use of assessments carried out by third parties may prove to be especially
important for subject persons whose activities are not limited in terms of the
jurisdictions with which they may be linked, and where the nature of the activity
makes it particularly difficult to delay the provision of the service so as to duly
assess the risks linked to a particular jurisdiction. In these instances, identifying
high risk jurisdictions would be important not only from a risk assessment and
understanding perspective but also from a transaction monitoring point of view.

8.1.3 Assessing and managing the ML/FT risk posed by non-reputable
jurisdictions and high risk jurisdictions
Customer Risk Assessment (CRA)
Regulation 5(5) of the PMLFTR requires subject persons to have procedures in
place to manage the ML/FT risks posed by their customers, products and services,
transactions and delivery channels, as well as countries and geographical areas.
These procedures are mandatorily required for subject persons to be able to
determine, inter alia, whether a customer or a beneficial owner is likely to pose a
higher risk of ML/FT.
Among other things, the CRA should include the identification of risks posed by
a business relationship or an occasional transaction established or carried out with
a natural or legal person from a particular jurisdiction, particularly those considered
to pose a higher risk of ML/FT.
The FATF Risk-Based Approach Guidance110 lists a number of factors that
should be assessed in determining whether a jurisdiction poses a higher risk.
These include the situation where a jurisdiction is identified by credible sources
as lacking appropriate AML/CFT laws, regulations and other measures.
Therefore, since all jurisdictions deemed to be non-reputable or high risk
are to be considered as posing varying degrees of risk (whether ML/FT risk or
other associated risks arising from other factors), subject persons are required
to include the risks posed by these jurisdictions when conducting their CRA.
For further guidance on carrying out CRAs and the factors to be considered,
refer to Section 3.5.

110. FATF RBA Guidance, p. 23, paragraph 3.5.


Application of EDD measures
On the basis of Regulation 11(1)(c) of the PMLFTR, when dealing with natural or
legal persons established in or linked with a non-reputable jurisdiction, subject
persons are explicitly required to apply commensurate EDD measures.
Hence, whenever a subject person is faced with a business relationship or an
occasional transaction connected to a non-reputable jurisdiction, it should, in
accordance with the above-mentioned regulation, apply appropriate EDD
measures. It should be noted that the PMLFTR do not prohibit the
establishment of a business relationship or the carrying out of an occasional
transaction with/for a natural or legal person established in or linked with a
non-reputable jurisdiction but, rather, require subject persons to apply
commensurate EDD measures targeted to mitigate and, if possible, neutralise
ML/FT risks associated with that particular jurisdiction.
On the basis of Regulation 11(1)(b) of the PMLFTR, subject persons may be
required to apply commensurate EDD measures when, on the basis of the risk
assessment, it is determined that an occasional transaction, business relationship
or any transaction represents a high risk of ML/FT. Needless to say, the
requirement to apply commensurate EDD measures in this regard arises when the
high risk level determined is attributable to and driven by jurisdictional links.
A connection to a non-reputable or high-risk jurisdiction may take various forms
and therefore subject persons are to assess the link or links with the said
jurisdictions. By way of example, a business relationship or an occasional
transaction will be considered to be connected to a non-reputable/high-risk
jurisdiction if the customer, the beneficial owner, the source of funds/wealth or
the business/economic activity are situated in or originate from this jurisdiction.
On the other hand, however, not every form of connection to a
non-reputable/high-risk jurisdiction will give rise to the requirement to apply EDD. By
way of example, when a business relationship or an occasional transaction involves
a customer who is a citizen of a non-reputable/high-risk jurisdiction but does not
reside in that jurisdiction and the business/economic activity and/or the source of
wealth/funds involved are not in any way connected with that jurisdiction, the
requirement to apply EDD does not arise.
As already explained under Section 8.1 above, subject persons should also apply
the risk-based approach when it comes to the application of EDD measures
when dealing with non-reputable/high-risk jurisdictions. By way of example, EDD
measures in relation to a business relationship or an occasional transaction
connected to a jurisdiction falling within FATF Category 1 should be more
stringent than those applied in relation to a business relationship or an occasional
transaction connected to a jurisdiction falling within FATF Category 2 since the
ML/FT risks posed by Category 1 are considered to be higher.
Subject persons may, with respect to business relationships or occasional
transactions involving non-reputable or high-risk jurisdictions, consider applying
the following EDD measures:
(a) obtain additional information on the customer and on the beneficial owner(s);
(b) obtain additional information on the intended nature of the business relationship;
(c) obtain information on the source of funds and source of wealth of the
customer and of the beneficial owner(s);
(d) obtain information on the reasons for the intended or performed transactions;
(e) obtain the approval of senior management to establish or continue the
business relationship;
(f) conduct enhanced monitoring of the business relationship by increasing the
number and timing of controls applied, and selecting patterns of transactions
that need further examination;
(g) introduce an enhanced, relevant reporting mechanism or systematic reporting
of financial transactions; and
(h) limit business relationships or transactions with natural persons or legal
entities from non-reputable jurisdictions.

Prohibition from the application of SDD & reliance and other actions to be taken by
subject persons
Subject persons are prohibited from applying the SDD measures set out under
Regulation 10 of the PMLFTR whenever a business relationship or occasional
transaction is connected to a non-reputable jurisdiction, as well as when, on
the basis of the risk assessment carried out, subject persons determine a high
risk level of ML/FT that is attributable to and driven by jurisdictional links.
Subject persons are likewise prohibited from applying the provisions on reliance set
out under Regulation 12 of the PMLFTR, meaning that subject persons may not rely
on third parties from a non-reputable jurisdiction, unless those third parties are
branches or majority-owned subsidiaries of persons or institutions established in an
EU member state (including an EEA state), which are subject to national provisions
implementing the 4th AML Directive and which comply fully with group-wide policies
and procedures (equivalent to those mentioned under Regulation 6 of the PMLFTR).


In terms of the proviso under Regulation 11(2) of the PMLFTR, subject persons
are reminded that when dealing with non-reputable jurisdictions in respect of
which there has been an international call for countermeasures (i.e., FATF
Category 1/Commission Delegated Regulation identifying high-risk third
countries with strategic deficiencies Category III), subject persons are obliged to
notify the FIAU accordingly – and follow the FIAU’s legitimate discretion, which
may (in collaboration with the relevant supervisory authority) require:
• a business relationship to cease;
• for an occasional transaction not to be undertaken; or
• to apply any other countermeasure/s as the FIAU may deem adequate and fit
under the respective circumstances.

8.2 GROUP-WIDE POLICIES AND PROCEDURES

8.2.1 Parents, Majority-owned Subsidiaries and Branches
Regulation 6 of the PMLFTR requires subject persons that form part of a group
to implement effective group-wide AML/CFT policies and procedures.111 What
this implies for subject persons that are included within a group will vary according
to whether they are a parent undertaking on the one hand or a majority-owned
subsidiary or branch on the other.

8.2.1.1 Subject Person as the Parent Undertaking

Where the subject person is a parent undertaking, it has to ensure that it adopts
a set of group-wide policies and procedures that effectively address the risks
that each individual component of the group subject to AML/CFT requirements
faces, as well as the risks that the group as a whole is exposed to.
Thus, apart from an individual BRA, it may also be necessary to carry out a group-wide
BRA. Moreover, in drafting these policies and procedures, the subject person has to
consider the respective AML/CFT obligations to which its majority-owned subsidiaries
or branches are subject and ensure that the group-wide policies and procedures do
not impede its subsidiaries and branches from meeting these obligations.

111. These include the measures established under Regulation 5(5) of the PMLFTR, as well as
policies and procedures on data protection and the sharing of information within the
group for the prevention of ML and FT.


8.2.1.2 Subject Person as a Majority-owned Subsidiary or Branch

When the subject person is a majority-owned subsidiary or a branch, the subject
person will have to ensure that any group-wide policies and procedures that it is
required to apply allow it to meet its AML/CFT obligations. In situations where
these policies and procedures impede as much, the subject person is still required
to abide by its obligations at law and should inform its parent that the group-wide
policies and procedures being applied are not in line with Maltese law.
Shortcomings in the group-wide policies and procedures cannot justify
non-compliance with the PMLA, the PMLFTR, any Implementing Procedures or any
other order, directive or guidance issued by the FIAU.

8.2.2 Use and Sharing of Information

The group-wide policies and procedures have to include policies and procedures
on data protection and the sharing of information for AML/CFT purposes within
the group. Thus, insofar as any information is collected by a subject person to
meet its obligations under the PMLA, the PMLFTR or any FIAU Implementing
Procedures, that information has to be used only for AML/CFT purposes and not,
for example, for commercial purposes.
An exception is made in this regard to entities delegated with the implementation
of AML/CFT measures, policies, controls and procedures of the group. Even if
these entities would have no grounds to receive this information since they
themselves do not have any AML/CFT obligations, the sharing of such
information would still be allowed since they are tasked (delegated) with the
implementation of the group’s AML/CFT measures, policies and procedures.
However, it is important to note that any such sharing of information would be
dependent on:
• the information having been collected by an entity forming part of the group;
• there being in place group-wide policies and procedures relative to AML/CFT
equivalent to those provided for under the PMLFTR; and
• the application of the aforementioned policies and procedures being subject
at the group level to supervision by a relevant authority.
Moreover, when sharing information within a group for AML/CFT purposes,
subject persons have to consider whether by so doing they would run counter
to the non-disclosure obligation arising from Regulation 16 of the PMLFTR. As
already explained in Section 5.11, a subject person is precluded from disclosing
to third parties that information has been demanded by the FIAU or that
information has been or may be transmitted to the FIAU.
This restriction applies also within a group context unless it is possible for the entities
within the group to rely on the exceptions provided for under Regulation 16(2)(b)
and (c). For the avoidance of any doubt, the proviso under Regulation 6(1) of the
PMLFTR clearly provides that, subject to the provisions of Regulation 16 of the
PMLFTR and unless otherwise instructed by the FIAU, a subject person that is part
of a group and that makes a disclosure in accordance with Regulation 15(3) of the
PMLFTR (i.e., reports an STR to the FIAU) has to share that disclosure within the
group for the purpose of preventing and detecting ML/FT.
By sharing the disclosure made, subject persons are to provide a copy of the disclosure
(STR) made to the FIAU, including the details of the customer in question. Additional
information (including but not limited to any attachments made to the STR and sent
to the FIAU) is only to be shared if it is necessary. An example when this necessity
test may warrant the sharing of such additional information is when an entity within a
group is actually servicing (or may have been approached to service) the same
customer against which the disclosure (STR) was made and sent to the FIAU.

8.2.3 Reporting Suspicious Transactions

Reporting of suspicious transactions is another aspect that needs to be considered
carefully. Insofar as all the subject persons within a group are subject to the PMLFTR
and they have appointed a group-wide MLRO (when this is allowed in terms of
these Implementing Procedures), it is possible for reporting to be centralised within
the group. When either of these conditions is not met, each subject person would
have to report any suspicious transactions individually and on its own account.
In particular, it is to be noted that when a group comprises entities that are subject
to reporting obligations in jurisdictions other than Malta, these entities have to
comply with the reporting obligations set out in the laws of those jurisdictions
applicable to them.

8.2.4 Impediments to the Application of Group-wide Policies and Procedures

Subject persons with majority-owned subsidiaries or branches in a jurisdiction
other than a Member State that does not impose AML/CFT obligations of an
equivalent level as those arising from the 4th AML Directive have to ensure that
these subsidiaries and branches still apply the same group-wide policies and
procedures as any other entity within the group, subject to AML/CFT obligations
equivalent to those arising from the 4th AML Directive.
When there may be impediments to do so, the subject person has to consider
whether this impossibility gives rise to ML/FT risks and must take measures to
address them. In this regard, it is to be noted that the EBA has been mandated to
issue regulatory technical standards on the measures to be taken by subject
persons carrying out relevant financial business.112 Given that these standards are
issued by means of a regulation, they need not be transposed into Maltese law
and are directly applicable to the subject persons they are addressed to. This
notwithstanding, other subject persons not carrying out relevant financial business
are to consider whether the measures laid down therein can also be applied in
their particular circumstances and, should this be the case, apply them accordingly.
When a subject person has to take any such additional measures to effectively
handle the risk of ML/FT, it is to inform the FIAU accordingly of the particular
circumstances encountered, the risks identified and, to the extent that this was
possible, the measures taken to counter these risks and why it was deemed that
these were sufficiently effective. In addition, subject persons are to note that in these
circumstances, they would not be able to rely on any information collected by any
such entities. Furthermore, if those entities are located in non-reputable jurisdictions,
any transactions or activities involving them are to be considered as presenting a
high risk of ML/FT, requiring the application of the commensurate EDD measures.
It is important to note that the PMLFTR empower the FIAU, together with the
relevant supervisory authority, to take additional action when it considers that
the measures implemented by the subject person are not sufficient. These
measures may include one or more of the following:
(a) not to establish or even terminate business relationships that involve any such
subsidiary or branch in that third country;
(b) not to undertake any transactions through or involving these subsidiaries or
branches in that third country; and
(c) to require such subsidiary or branch in that third country to close down its
operations.

112. https://www.eba.europa.eu/documents/10180/2054088/Joint+draft+RTS+on+the+implementation+of+group+wide+AMLCFT+policies+in+third+countries+%28JC+2017+25%29.pdf.

CHAPTER 9 – RECORD KEEPING
PROCEDURES

9.1 PURPOSE OF KEEPING RECORDS

Subject persons must retain records of any business relationship they enter
into and of any transaction they carry out, be it an occasional transaction or a
transaction that takes place within the context of a business relationship.
These records are to include any documentation and information produced or
obtained in complying with their obligations under the PMLA, the PMLFTR, these
Implementing Procedures, Part I or any Sector Specific Implementing Procedures,
Part II issued thereunder.
These records are not only intended to show that a subject person complied with
its obligations at law, but are also essential for a subject person to effectively
discharge certain aspects of its AML/CFT obligations, like carrying out or revising
its BRA and carrying out effective ongoing monitoring.
In addition, the records maintained by subject persons are intended to assist the
FIAU, relevant supervisory authorities and law enforcement agencies in the
prevention, detection, analysis or investigation of possible ML/FT. Hence, these
bodies have the authority at law to request this information.113 Moreover, subject
persons should be aware that other authorities may, in terms of any other
applicable law, demand access to certain records maintained in terms of this
section for purposes other than the prevention, detection, analysis or investigation
of possible ML/FT.

9.2 RECORDS TO BE RETAINED

Subject persons must have procedures in place and apply the same, so as to
ensure that the following records are maintained:
(a) records of the actions taken to adopt and implement the risk-based approach,
which are to include the following:
(i) a copy of the BRA referred to in Section 3.3, changes thereto, as well as
a record of any decision taken with respect to that assessment;
(ii) a copy of the subject person’s most recent controls, policies, measures
and procedures; and
(iii) a copy of each CRA carried out by the subject person as is referred to in
Section 3.5 and of any revision/s thereof.

113. Regulation 13(1) of the PMLFTR.


(b) the CDD information and documents obtained for identification and verification
of identity purposes. The records to be maintained are to include the following:
(i) where subject persons view the original CDD documents listed in Section
4.3.1.1(i) and (ii), the original documents themselves (where it is possible
to retain originals) or a true copy of these original documents, signed and
dated by an officer of the subject person or a scanned copy retained by
making use of the electronic system set out under Section 4.3.1.1(iii);
(ii) when subject persons receive a copy of the CDD documents listed in
Section 4.3.1.2(i), this copy should be maintained;
(iii) when subject persons use commercial electronic data providers in
accordance with Section 4.3.1.2(ii) to verify the identity of any individual,
the results of the search should be maintained;
(iv) when subject persons use video conferencing tools, identity verification
software, or E-IDs as envisaged under Section 4.3.1.2 (i) and (ii) to verify
the identity of any individual, the records listed in those sub-sections
should be retained;
(v) when the verification of the residential address of any individual is carried
out by visiting that individual at the address indicated, a record of the visit
should be maintained;
(vi) when verification of the residential address of any individual is carried out
by sending correspondence or codes via registered mail or other mail
courier service in accordance with the procedure set out under Section
4.3.1.2 (i), the records listed in that section should be retained;
(vii) the documentation and other information obtained in fulfilment of the
obligations set out in Sections 4.3.2.1 to 4.3.2.5, Section 4.8 and Section
4.9 should be retained; and
(viii) any document obtained to ensure that the agent is duly authorised in
writing to act on the customer’s behalf (in fulfilment of the obligation set
out in Section 4.3.3) should also be retained;
(c) records containing details relating to the business relationship that is formed
and all transactions carried out in the course of a business relationship or an
occasional transaction. These records are to include the following:
(i) information gathered on the purpose and intended nature of the business
relationship and information gathered to establish the business and risk
profile, as required under Section 4.4;


(ii) files related to accounts held by the subject person, where applicable, and
all business correspondence of the subject person exchanged in the course
of a business relationship or in carrying out an occasional transaction;
(iii) details on all transactions, whether international or domestic, carried out
by the customers. The details should include:
a. the customer’s and beneficiary’s:
• name,
• address, or
• other identifying information that is usually used by the subject
person to identify parties to a transaction;
b. the nature and date of the transaction;
c. the type and amount of currency involved;
d. the type and identifying number of any account involved in the transaction;
e. the volume of funds flowing through the account; and
f. the origin of the funds, where necessary, and the form in which the
funds were placed or withdrawn114; and
(iv) any supporting evidence and records necessary to reconstruct all
transactions carried out or facilitated by that subject person in the course
of a business relationship or any occasional transaction.
Such records should either consist of original documents or copies that are
admissible in court proceedings.
Subject persons should also retain the following records required as evidence
of compliance with the PMLFTR and for statistical purposes:
(a) internal reports made to the MLRO, as referred to in Section 5.4;
(b) a record of any written determinations made by the MLRO and the designated
employee, including the reasons for not filing an STR with the FIAU;
(c) STRs made by the subject person to the FIAU and any follow-up submissions
made in connection thereto;
(d) a record of AML/CFT training attended by sole practitioners/provided to
employees, as indicated in Section 7.3;

114. These requirements only apply to those subject persons who carry out transactions in the
course of their business.


(e) records of conduct certificates or other documentation obtained in carrying
out employee screening, as referred to in Section 7.5;
(f) records of any outsourcing agreements entered into and other
documentation that provides evidence of the subject person’s adherence to
its obligations under Chapter 6 of these Implementing Procedures, Part I;
(g) records of any reliance agreements entered into and of any related
assessments undertaken on the other subject person or third party in terms
of Section 4.10; and
(h) other important records, including:
• any reports by the MLRO or by the officer entrusted with the monitoring
function under Section 5.3 made to senior management for the
purposes of complying with the obligations under the PMLFTR, such as
recommendations on internal procedures, correspondent banking
relationships, PEPs, among others;
• records of consideration of those reports made to senior management
and of any action taken as a consequence thereof;
• records of any internal audit reports or assessments dealing with
AML/CFT issues; and
• any other records that are necessary to demonstrate compliance with the
obligations under the PMLA, the PMLFTR and any Implementing
Procedures, Part I or any Sector Specific Implementing Procedures, Part
II issued thereunder.

9.3 PERIOD OF RETENTION OF RECORDS

Unless otherwise specified in this Section, subject persons must maintain the
records referred to in Section 9.2 for a period of five (5) years. However, subject
persons are to note that the FIAU, relevant supervisory authorities or law
enforcement agencies are entitled to demand that records, including personal
data, be retained for longer periods, when this extension is considered necessary
for the purposes of the prevention, detection, analysis and investigation of ML/FT
activities by the FIAU, relevant supervisory authorities or law enforcement
agencies.115

115. Second proviso to Regulation 13(2) of the PMLFTR.


This does not mean that subject persons can be directed to hold any records
indefinitely since the retention period as extended can never exceed ten (10)
years in total.
Where a subject person ceases to conduct ‘relevant financial business’ or ‘relevant
activity’ and the retention period has not yet lapsed, the record retention period
will continue to run until it lapses in full and irrespective of this cessation. Thus,
individuals and/or entities that have carried out ‘relevant financial business’ or
‘relevant activity’ in the past are still obliged to retain records in accordance with
this Chapter of the Implementing Procedures Part I even after they cease to be
considered as subject persons.
Although on the expiry of the five (5) year period or any extension thereof, the
necessity to retain records, including personal data in terms of the PMLFTR would
cease, subject persons should consider whether they are subject to any other
record retention obligations under any other applicable laws that set a longer
retention period for the same data.
The date of commencement of this time period depends on the type of records
to be retained as set out in Section 9.3.1 to Section 9.3.8 below.

9.3.1 CDD documentation

With respect to CDD documentation referred to in Section 9.2(b), the time period
of five (5) years commences from the date on which the business relationship is
terminated or the occasional transaction carried out. When there is a series of
occasional transactions, the five (5) year period starts to run on the date the last
transaction in that series was carried out.
When the formalities necessary to end a business relationship could not be
observed, the five (5) year period commences on the date on which the last
transaction in the course of that business relationship was carried out.
The above does not apply only with respect to CDD documentation, but also to
the CRA and any revisions thereof applicable to the particular business
relationship or occasional transaction.


9.3.2 Documentation on the business relationship and on the
transactions carried out in the course of a business relationship or
in relation to an occasional transaction
The time period for the retention of documentation referred to in Section 9.2(c)
commences from the date on which all dealings taking place in the course of
the transaction in question were completed. In relation to an occasional
transaction or a series of occasional transactions, the time period commences on
the date on which the occasional transaction or the last of a series of
occasional transactions took place.
Insofar as any other records that relate to the business relationship itself rather
than to the transactions carried out in the course of that relationship are
concerned, the retention period commences to run from the date on which the
business relationship is terminated. When the formalities necessary to end a
business relationship could not be observed, the five (5) year period commences
on the date on which the last transaction in the course of that business
relationship was carried out.

9.3.3 Internal Reports made to the MLRO and STRs


An internal report made to the MLRO, which has not given rise to a disclosure
to the FIAU under Regulation 15(3) of the PMLFTR, must be maintained by the
subject person for a period of five (5) years. Likewise, a record of the reasons for
not forwarding the report to the FIAU is to also be maintained by the subject
person for a period of five (5) years. This period commences to run on the date
when the MLRO reaches the determination not to make a disclosure to the
FIAU.
Copies of STRs, together with any relevant documentation submitted as part
of, or together with the STR itself, to the FIAU, must also be retained by the
subject person for five (5) years. This period starts to run on the date when the
report was submitted to the FIAU.

9.3.4 Records submitted together with an STR

Notwithstanding what has been stated in Section 9.3.1 and Section 9.3.2 above,
the retention period for any records that are submitted as part of, or together
with, an STR (referred to in those Sections), is to commence on the later date
between either the date when the STR was submitted to the FIAU or the date
when the business relationship ended or the transaction, be it an occasional
transaction or otherwise, was carried out.
The above is applicable also in those cases when an STR is submitted following
the termination of a business relationship.

9.3.5 AML/CFT training


The time period of five (5) years for the retention of AML/CFT training records
referred to in Section 9.2, commences to run from the date when the training
was attended and/or conducted (provided).

9.3.6 Employee Screening Records


The retention period for employee screening records carried out by the subject
person shall start to run from when the employment relationship comes to an
end or the employee is no longer entrusted with carrying out relevant
financial business or relevant activity on behalf of the subject person.

9.3.7 Outsourcing Records


Records related to outsourcing and reliance arrangements are to be retained for
five (5) years from the termination of any such arrangement.

9.3.8 Other Records


With respect to any other records referred to in Section 9.2 above, the retention
period for the records referred to in Section 9.2(a)(i) and (ii) commences to run
on cessation of activities by the subject person. Any reports, assessments or
action plans referred to in Section 9.2 and not already covered in the previous
sections are to be retained for five (5) years, or for a longer period as the subject
person may be directed. This period commences when this material is adopted
or approved by the subject person.


9.4 FORM OF RECORDS


Subject persons may maintain their records in any one of the following forms:
(i) in physical files; or
(ii) in any electronic form.
Notwithstanding the above, whenever subject persons obtain documents
certified by third parties (i.e., not being officers or employees of the subject person)
in fulfilment of their obligations under these Implementing Procedures Part I,
subject persons should retain on file the physical document bearing the
original third-party certification and not a copy thereof.
Records kept must be of good quality and clearly legible. Any photographic
evidence of identity is to be sufficiently clear as to allow the individual concerned
to be easily identified. Subject persons should use a standardised approach to
record keeping and must ensure that the approach used enables the quick
retrieval of records for the purposes laid out in Section 9.5 below.

9.5 RETRIEVAL OF RECORDS


Subject persons are required to maintain efficient record-keeping procedures
that enable them to retrieve and/or grant access to information in a timely
manner when so requested by the relevant authorities acting in accordance with
the applicable laws.

9.5.1 General Requirements


Subject persons are required to provide the FIAU, the relevant supervisory
authorities and law enforcement agencies, for the purposes of the prevention,
detection, analysis and investigation of ML/FT, with information as might be
required from time to time related to:
(i) whether they maintain or have maintained a business relationship with, or
carried out an occasional transaction for, or involving, a specified natural or
legal person/s during the previous five (5) years; and
(ii) the nature of that relationship or transaction.
To this effect, subject persons are required to establish effective systems that are
commensurate with the size and nature of their business, and that enable them
to respond efficiently, adequately, promptly and comprehensively to these
enquiries made to them by the FIAU, supervisory authorities or law enforcement
agencies in accordance with applicable law. The provision of this information is
of particular importance in the context of procedures leading to measures such
as freezing or seizing of assets.
When requests for information are made by the FIAU, subject persons should
ensure that they are able to reply to these enquiries in a timely manner, but not
later than five (5) working days from when the demand is made.116 It should be
noted that the FIAU may impose a shorter response time for replies to requests
for information.117
In all cases, the subject person may make representations justifying why the
requested information cannot be submitted within the response time imposed
by the PMLFTR, or as shortened by the FIAU.118 In these cases the FIAU may, at
its discretion and after having considered these representations, extend the time
period as may be reasonably necessary for the subject person to obtain the
information, whereupon the subject person must submit the information
requested within the time period as extended.

9.5.2 Organisation and Categorisation of Records


To facilitate the retrieval of records and to assist in any compliance monitoring
activity conducted by the FIAU or other relevant supervisory authorities, subject
persons are to maintain a list of their current business relationships setting out:
(i) the name of the customer and/or customer reference number;
(ii) the risk categorisation of the business relationship (risk rating or risk score);
(iii) the type of service being provided or product being offered;
(iv) whether the customer is a natural person, legal person, a trust or other legal
arrangement;
(v) the date of commencement of the business relationship and, where applicable,
the date on which it ceased;
(vi) a list of all the jurisdictions that the customer deals with, including the
jurisdictions where:
(i) the customer and, where applicable, the ultimate beneficial owner/s reside/s;
(ii) the legal person, trust or other legal arrangement is registered or
incorporated, as may be applicable;
(iii) the business or economic activity the customer carries out;
(vii) whether the customer or ultimate beneficial owner is a PEP, an immediate
family member or a close associate of a PEP; and
(viii) whether reliance has been exercised with respect to the particular business
relationship.

116. Regulation 15(8) of the PMLFTR.
117. First proviso to Regulation 15(8) of the PMLFTR.
118. Second proviso to Regulation 15(8) of the PMLFTR.
A similar list should also be maintained for any occasional transactions carried
out over the previous five (5) years and any business relationships that were
terminated over the same period of time.

9.6 RECORD KEEPING OBLIGATIONS AND DATA PROTECTION


The records that a subject person is required to retain may inevitably contain
personal data. At times, this may give rise to questions on how a subject person
is to reconcile its obligations in terms of the PMLA, the PMLFTR and any
Implementing Procedures (Part I or Part II) issued thereunder, and the data
protection obligations that it has to abide by. To this end, subject persons are to
note that:
(i) a subject person has to inform a customer that the collection of personal data
is necessary to comply with its obligations under the PMLA, the PMLFTR or
any applicable Implementing Procedures (Part I or Part II) issued thereunder,
and that any such personal data will be used only for AML/CFT purposes
(other than where the subject person is subject to additional obligations that
require it to process the same data). It is therefore important that subject
persons ensure that any such data is actually used only for these purposes
and should restrict access thereto accordingly;
(ii) the provisions of the Restriction of the Data Protection (Obligations and
Rights) Regulations, issued under the Data Protection Act (Cap. 586 of the
Laws of Malta), provide for restrictions to certain obligations and rights
emanating from Article 23 of the GDPR. In particular, subject persons should
be aware that Regulation 4(b) permits restrictions to these rights to be made
when these restrictions are a necessary measure required ‘for the prevention,
detection, investigation and prosecution of criminal offences, including measures
to combat any money laundering activity, and the execution of criminal
penalties’.
Reference to these regulations is to be found in Regulation 16(4) of the
PMLFTR, which provides for a restriction of data subjects’ rights, and in
particular to one’s right of access, when this is necessary to adhere to the
obligations arising from Regulation 16(1) of the PMLFTR. Thus, in replying to
a data subject who is exercising his right of access, a subject person cannot
disclose that it has received and replied to a request for information from the
FIAU in his regard, or that it has generated an internal report or submitted an
STR with the FIAU that concerns the data subject. This is so as to ensure
that any analysis or investigation into possible cases of ML/FT is not
prejudiced;
(iii) once the five (5) year retention period expires, subject persons have to assess
the necessity of retaining personal data held in terms of the PMLA, the
PMLFTR and any Implementing Procedures (Part I or Part II) for longer
periods. Subject persons should therefore consider any data protection
requirements to which they are subject and whether there exists a
justification to hold onto these records (e.g., an additional requirement at law
to retain all or part of these records for a period in excess of the five (5) years
imposed by the PMLFTR); and
(iv) the risk-based approach allows subject persons to understand what
information may be required to carry out CDD measures that are
commensurate and appropriate according to the level and kind of risks
identified. When requesting information and documents from the customer,
such as for identification and verification purposes, or to assess the source of
wealth, subject persons should consider the necessity and proportionality of
the specific requests made in the light of the risk posed by a given business
relationship or occasional transaction. This may be done by assessing:
(i) whether the information or document that is requested or provided helps
the subject person to fulfil the purpose or the requirement for which it is
being requested or retained; and
(ii) whether other information or documents that are less intrusive or hold
less personal data may be obtained to achieve the same purpose.
Examples of unnecessary processing include:
(i) requesting a bank statement to verify the residential address when a
government-issued identification document has already been provided
containing the same information; or
(ii) requesting detailed information on the source of wealth of a PEP when
opening a bank account for that PEP’s son/daughter, when that bank account
is being opened primarily to receive monthly university stipend payments.
In the event that a subject person is directed by the FIAU, a relevant supervisory
authority or a law enforcement agency to retain records for a period in excess of
five (5) years, as described in Section 9.3, the subject person would have to carry
out this assessment once the longer retention period as directed expires.

ANNEX A – ADMINISTRATIVE SANCTIONS AND CRIMINAL OFFENCES FOR BREACHES OF AML/CFT OBLIGATIONS
The PMLA and the PMLFTR contemplate a number of criminal offences and
administrative breaches. Criminal offences carry with them pecuniary fines and/or
imprisonment, and are subject to proceedings before the criminal courts of Malta
as regulated by the Criminal Code (Chapter 9 of the Laws of Malta). The criminal
offences under the PMLA and the PMLFTR are listed under Section A1.5.
The following subsections deal with breaches of an administrative nature.

A1.1 ADMINISTRATIVE SANCTIONS UNDER THE PMLFTR


Regulation 21 of the PMLFTR states that the failure to comply with any lawful
requirement, order or directive issued by the FIAU under the PMLFTR and the
PMLA, as well as any contravention of the PMLFTR or of any procedures
(including these Implementing Procedures) or guidance issued in terms of
Regulation 17, may render subject persons liable to an administrative sanction.
The FIAU is empowered to take any of the following administrative sanctions:
1. impose an administrative penalty (pecuniary sanction);
2. issue reprimands in writing;
3. instead of or in conjunction with the imposition of a pecuniary sanction or
reprimands in writing, require a subject person to take any action or measure
to remedy a contravention or to ensure that the subject person is in
compliance with its AML/CFT obligations.
Administrative sanctions may also be accompanied by other measures, including
the publication of administrative penalties on the FIAU website or notification to
relevant authorities or bodies, depending on the nature of the breach.
Furthermore, administrative penalties may either be imposed as a one-time fixed
penalty or on a daily, cumulative basis. In the latter case, the minimum daily penalty
that may be levied is €250 per day.

Administrative Penalties
The value of the sanctions that may be imposed for every separate contravention
or failure to comply ranges from one thousand euro (€1,000) to forty-six
thousand five hundred euro (€46,500).


Serious, repeated or systematic contraventions


Notwithstanding the above, in cases of serious, repeated or systematic
contraventions of the provisions of the PMLFTR or of any procedures or
guidance issued in terms of Regulation 17 of the PMLFTR (including these
Implementing Procedures), the maximum sanction that may be imposed will vary
depending on the activity carried out by the subject person as follows:
When the subject person carries out relevant activity, the maximum penalty that
can be imposed by the FIAU is that of one million euro (€1,000,000), or the
equivalent of twice the value of the benefit derived from the contravention in
question, where this value can be quantified.
When the subject person carries out relevant financial business, the maximum
penalty that can be imposed by the FIAU is that of five million euro (€5,000,000),
or of the equivalent of 10% of the total annual turnover of the subject person,
according to the latest available approved financial statements.
Minor contraventions
Where, on the other hand, the contraventions are deemed to be minor, and the
circumstances so warrant, the FIAU may impose a penalty below the aforementioned
minimum threshold of one thousand euro (€1,000), but in any case not less than two
hundred and fifty euro (€250). The FIAU may alternatively issue a reprimand in writing.
As with all sanctions imposed, the issuance of a reprimand on a subject person will
be taken into consideration by the FIAU in determining any future sanctions.
Table 9 below illustrates the penalties that may be imposed for breaches of the
PMLFTR.

Table 10 – Administrative Penalties

Subject Persons carrying out Relevant Activity

                                           Minimum      Maximum
Penalty for each contravention             €1,000.00    €46,500.00
Minor contraventions                       €250.00*     €1,000.00
Serious, repeated or systematic breaches   €1,000.00    €1,000,000.00 or 2x the value of the benefit derived

Subject Persons carrying out Relevant Financial Business

                                           Minimum      Maximum
Penalty for each contravention             €1,000.00    €46,500.00
Minor contraventions                       €250.00*     €1,000.00
Serious, repeated or systematic breaches   €1,000.00    €5,000,000.00 or 10% of annual turnover

* This is without prejudice to the possibility of issuing a reprimand in writing rather
than imposing an administrative penalty.
Penalties imposed on directors of a legal person
In cases where a contravention has been committed by a legal person, the FIAU
may deem it more appropriate to impose the penalty on that natural person,
who at the time of the contravention was a director or officer tasked with the
responsibility for the management of the legal person, or was purporting to act
in this capacity, unless that person can prove that the contravention was
committed without his/her knowledge and that all due diligence was exercised
to prevent the commission of that contravention.
In these instances, the FIAU may additionally communicate with the relevant
authority or body responsible for the authorisation, licensing, registration or
regulation of the subject person in question to recommend that action be taken
to preclude that natural person from exercising any managerial functions within
the subject person, as may be appropriate.

A1.2 PROCEDURE FOR THE IMPOSITION OF ADMINISTRATIVE SANCTIONS


When the FIAU becomes aware that a subject person may potentially be in
breach of its obligations at law, it is to follow the procedure outlined hereunder
to determine whether the circumstances warrant the imposition of an
administrative sanction:
1) the subject person is notified in writing of the potential breach or breaches
detected by the FIAU, and is furthermore advised of the possibility that these
breaches may lead to an administrative sanction;

2) subject persons are given the opportunity to make written representations,
which may also be substantiated with material documentation and
information. The written representations, together with any documentation
and information, will allow the FIAU’s Compliance Monitoring Committee
(CMC)119 to finally determine whether a breach subsists (or otherwise) and
what administrative sanction/s is/are to be imposed on the subject person.
Hence, the written submissions, together with any documentation and
information provided, will, as long as received by the CMC within the stipulated
deadline, be considered by the CMC.
When an administrative sanction is imposed, the subject person is to be notified
of the decision by means of a sanction letter. This letter will include the reasons
for the decision, and instructions on payment, if and when an administrative
penalty is imposed. Whenever an administrative penalty is imposed, subject
persons have twenty (20) calendar days from the date of notification to settle
the payment of the penalty. Subject persons may also appeal decisions when the
administrative penalty imposed is in excess of five thousand euro (€5,000). The
procedure for appealing administrative penalties is further explained under Section
A1.3. On the lapse of the aforementioned 20 calendar days, should the subject
person not have settled the payment or filed an appeal, the penalty shall be
deemed to be final and due.
The CMC may also determine that the breach does not subsist, in which case the
subject person is notified accordingly through a closure letter.

A1.3 APPEALS FROM ADMINISTRATIVE PENALTIES


Article 13A of the PMLA introduces the possibility of appealing an administrative
penalty imposed by the FIAU in excess of five thousand euro (€5,000), whether
this amount is in respect of one or more contraventions covered by the same
administrative act.
Subject persons may appeal from the entire penalty or from part thereof, as long
as the part(s) appealed from exceed five thousand euro (€5,000), in which case
the subject person is to clearly state which parts of the penalty are being appealed
from. The outcome of an appeal will either confirm, vary or reverse the
administrative penalty in question.

119. The Compliance Monitoring Committee (CMC) is an internal committee of the FIAU that
is responsible to monitor and enforce subject persons’ adherence with their AML/CFT
obligations.


Subject persons must file an appeal application within twenty (20) calendar days
of notification of the sanction letter. The application must be filed in the Court of
Appeal (Inferior Jurisdiction) and the relevant provisions of the Code of
Organisation and Civil Procedure (Cap 12 of the Laws of Malta) are to apply.
Subject persons are to note that the information and documents that form part
of the appeal proceedings, including the appeal application and reply, remain
confidential and, while subject persons have every right to consult a lawyer to
represent them in court, the appeal will be held behind closed doors. The
judgment will not be published through the usual means, save for those provisions
relating to publication of penalties under the following sections.

A1.4 PUBLICATION OF ADMINISTRATIVE PENALTIES AND OTHER MEASURES


A1.4.1 Publication
Article 13C of the PMLA requires the FIAU to publish those administrative
penalties imposed by the FIAU in excess of ten thousand euro (€10,000) and
have become final and due.
A sanction is deemed to have become final and due:
• on the lapse of twenty (20) days from the date of notification of the sanction
letter and no appeal has been filed; and
• on the termination of appeal proceedings filed by the subject person, if the
appeal is decided against the subject person or is withdrawn or deserted by
the same.
Publication is to be carried out in accordance with the policies and procedures
established by the FIAU’s Board of Governors, which are available on the FIAU’s
website.120

A1.4.2 Notification
Notification to ESA (Article 13(4) PMLA)
The FIAU is obliged to notify the relevant European Supervisory Authorities
(ESAs) of any administrative sanction or measure imposed on a subject person

120. https://fiaumalta.org/enforcement-measures/.


carrying out relevant financial business. In these cases, the FIAU is to notify the
relevant ESA of the action taken, and is to also notify it of any appeal proceedings
lodged by the subject person, and the eventual outcome of that appeal.
The ESAs responsible for the supervision of entities carrying out relevant financial
business are the following:
• European Banking Authority (EBA);
• European Insurance and Occupational Pensions Authority (EIOPA); and
• European Securities and Markets Authority (ESMA);

Notification to relevant supervisory authority (Article 21(6) PMLFTR)


Whenever the FIAU imposes an administrative penalty on any subject person, it
is to inform the supervisory authority, body or entity responsible for the
authorisation, licensing, registration or regulation of, or the granting of a warrant
to, the subject person in question. In doing so, the FIAU will provide all the
necessary information and documentation on the contravention.

A1.5 CRIMINAL OFFENCES


Criminal Offences under the PMLA
Article 3(1)
Offence Money laundering.
Penalty A fine (multa) not exceeding two million five hundred thousand euro
(€2,500,000), or imprisonment for a period not exceeding eighteen
(18) years, or both the fine and imprisonment.

Article 4(2) / 4B(2)


Offence Disclosure that an investigation is taking place, or other disclosures
likely to prejudice an investigation.
Penalty A fine (multa) not exceeding eleven thousand, six hundred and forty-
six euro and eighty-seven cents (€11,646.87), or imprisonment for a
period not exceeding twelve (12) months, or both the fine and
imprisonment.


Article 4(6A)
Offence Disclosure likely to prejudice an attachment order or a connected
investigation.
Penalty A fine (multa) not exceeding eleven thousand, six hundred and forty-
six euro and eighty-seven cents (€11,646.87), or imprisonment for a
period not exceeding twelve (12) months, or both the fine and
imprisonment.

Article 4(5) / 4(10)


Offence Acting in contravention of an investigation order or an attachment
order.
Penalty A fine (multa) not exceeding eleven thousand, six hundred and forty-
six euro and eighty-seven cents (€11,646.87), or imprisonment for a
period not exceeding twelve (12) months, or both the fine and
imprisonment.

Article 6
Offence Acting in contravention of a freezing order.
Penalty A fine (multa) not exceeding eleven thousand, six hundred and forty-
six euro and eighty-seven cents (€11,646.87), or imprisonment for a
period not exceeding twelve (12) months, or both the fine and
imprisonment.

Criminal Offences under the PMLFTR


Regulation 7(11)
Offence False declaration, false representation or the production of false
documentation by a customer or person purporting to act on the
customer’s behalf.
Penalty A fine (multa) not exceeding fifty thousand euro (€50,000), or
imprisonment for a period not exceeding two (2) years, or both the
fine and imprisonment.


Regulation 16(1)
Offence Prohibited disclosures (tipping off).
Penalty A fine (multa) not exceeding one hundred and fifteen thousand euro
(€115,000), or imprisonment for a period not exceeding two (2) years,
or both the fine and imprisonment.
