Skip to content

An appreciation of the key updates to the FIAU’s Implementing Procedures – Part I

The FIAU’s Implementing Procedures are issued by the Financial Intelligence Analysis Unit (FIAU) to implement the PMLFTR (Prevention of Money Laundering and Funding of Terrorism Regulations) (in terms of reg. 17) and are binding on ALL ‘subject persons’, both natural & legal, from the date they are issued.

The implementing procedures focus primarily on the following subjects:

  • An overview on ML (Money Laundering) and AML (Anti-Money Laundering) measures, the relevant Maltese legislation and the regulation on these subjects and their prevention. They also delve into the National Co-Ordinating Committee on Combating Money Laundering and Funding of Terrorism whilst also getting into the role of the FIAU and its function of compliance monitoring.
  • The Implementing Procedures themselves, their purpose, status and application as well as defining who a Subject Person is.
  • A detailed and exhaustive explanation on the ‘Risk-based approach’ that has been adopted as per the latest implementing procedures.
  • Another vital subject in the implementing procedures is CDD (Customer Due Diligence),. This is the process whereby all the pertinent and important information of a client is collected and assessed for any possible risk the organisation may be exposed to or for the risk of money laundering and the finance of terrorism.
  • The reporting procedures (both internal and external) and obligations, with the role of the MLRO (Money Laundering Reporting Officer) explained in further detail.
  • Rules Governing Outsourcing arrangements.
  • Another important subject and one that seems to hit the national headlines for one reason or another on a regular basis is dealing with non-reputable jurisdictions and high-risk jurisdictions, and group-wide policies and procedures on this theme.
  • Last but not least are the record keeping procedures that ensure that all records are kept in a fit and proper manner for means testing.

The first FIAU implementing procedures were issued in May 2011 with the latest and most important update being issued in July 2019. The new set of implementing procedures have been issued with current issues in mind, in light of what is happening not only within the confines of Malta but also in the EU and beyond.

Risk-based approach

This approach acknowledges that AML/CFT measures should be adapted and fine-tuned according to the level of risk that arises in specific jurisdictions and sectors, in short not a one size fits all approach. In principle this means maximising the efficient use by directing resources in a proportional manner in line with the extent of the MLFT risks posed. This goes to say that the clients, be it businesses, products etc. that pose the highest risk are accordingly attributed the highest scrutiny.

The model on which the risk-based approach is based on for it to be implemented may be simple or complex depending on the effect the following factors have:

  • The size and nature of the business and the services offered;
  • The customer base; and
  • The geographical area in which the operations take place.

This involves that the MLFT risks are respectively, (i) identified, (ii) recognised, (iii) assessed, (iv) categorised and ranked.

The risk-based approach involves two seemingly simple but at the same time complex effects and results, these being likelihood and impact. Likelihood is determined when the exposure to risk factors is consequentially determined. These risk factors can be further divided into two main issues: threats and vulnerabilities.

Threats manifesting themselves in the external elements that result in risk and vulnerabilities which in turn are manifested in the internal elements that result in risk.

On the other hand, impact manifests itself in three categories: financial, regulatory and reputational.

The Business Risk Assessment

Also referred to as the BRA, this document is to be prepared before operations commence and since the risk is not a static one, it has to be reviewed and updated on a regular basis. This as a result of new threats, vulnerabilities that emerge as well as fluctuations to the business model, structure, activities, services as well as to the external environment. If such risk is not identified, the BRA can be done yearly.

Four main categories of risk can be identified and acted upon when working on the BRA. These are:

i) the Customer Risk;
ii) the Product/Service risk;
iii) the Interface Risk; and
iv) the Geographical Element.

International Sanctions

These are political and economic decisions that are taken in the light of diplomacy trying to find a solution by countries, organisations against states or organisations. These are taken for a number of reasons, be it so that national security interests are safeguarded or so that international law and peace and security are too in turn safeguarded.

The FATF (Financial Action Task Force) considers the following country related factors when it comes to international sanctions; those countries that are subject to sanctions, embargos or related measures promulgated by international organisations such as the United Nations and the Security Council.

Under this umbrella there are also those countries that have inadequate MLFT laws, regulations and their enforcement, as well as those that lend their support to terrorist activities and organisations.

One must not leave out those countries that have serious levels of corruption or other criminal activity.

Also, when it comes to sanctions and their reach, the European Union has a ‘consolidated list’ of Sanctions, the United Nations has a Consolidated United Nations Security Council Sanctions List whilst the United States has a Sanctions Programs and Country Information.

‘Non-reputable’ and ‘high-risk’ jurisdictions and their assessment

As stated in the PREVENTION OF MONEY LAUNDERING ACT (CAP. 373), regulation 2, ”non-reputable jurisdiction” means ‘any jurisdiction having deficiencies in its national anti-money laundering and counter funding of terrorism regime or having inappropriate and ineffective measures for the prevention of money laundering and the funding of terrorism, taking into account any accreditation, declaration, public statement or report issued by an international organisation which lays down internationally accepted standards for the prevention of money laundering and for combating the funding of terrorism or which monitors adherence thereto, or is a jurisdiction identified by the European Commission in accordance with Article 9 of Directive (EU) 2015/849’.

Particular attention is required when it comes to business relationships and transactions with persons, companies and undertakings based in jurisdictions that are considered as being non-reputable.

The FATF has 3 categories when it comes to considering high-risk and non-cooperative jurisdictions;

  • Category 1 – Jurisdictions that have fallen afoul to properly tackling their AML/CFT deficiencies or have not pledged to implement countermeasures;
  • Category 2 – Jurisdictions that have not achieved satisfactory progress in tackling their AML/CFT deficiencies or have not pledged to an action plan developed in conjunction with FATF; and
  • Category 3 – Those jurisdictions that have an action plan together with FATF and have made a serious political commitment to address their AML/CFT deficiencies.

High-risk jurisdictions are subjective and defined by the individual Subject Persons, which should reflect the policies and procedures which take into consideration the nature and size of the SP’s business.

To note that High-risk jurisdictions are determined via internal assessments which take into consideration the sources that are referenced in the FIAU IPs which help the SPs to interpret what makes a jurisdiction, one that is either non-reputable or high-risk. The assessments need to be done and updated on a regular basis.

Customer Due Diligence (CDD)

CDD together with KYC (Know-Your-Customer) are the foundations for an effective AML/CTF (Anti-Money Laundering/Counter-Terror Financing) program. The most important and unavoidable question when it comes to CDD is, “is this person or company really who they say that they are?”.

CDD is one of a number of important steps that need to be taken to reduce the risk that business relationships might come face to face deriving from the points of view of financial crimes, credit worthiness and AML/CFT.

In simple terms, CDD and KYC is the act of performing background checks on the Subject Person/s and company/companies so that it is ensured that a proper risk assessment is done before onboarding.

CDD is performed via the (i) identification and (ii) verification of the customer and the beneficial owner, and that the (i) purpose and (ii) intended nature of the business relationship which are then  verified together with regular monitoring of BRs.

The customer is “a legal or natural person who seeks to form a business relationship or seeks to carry out an occasional transaction with a subject person” whilst the beneficial owner is “any natural person/s who ultimately own or control the customer and/or on whose behalf a transaction is being conducted.”

Five stages need to be done so that the CDD process for a company can be completed.

CDD process

Offences and penalties

In this particular realm, a differentiation needs to be made between ‘administrative sanctions’ and ‘criminal offences’.

In the revised implementing procedures of the FIAU we find that, “Regulation 21 of the PMLFTR states that the failure to comply with any lawful requirement, order or directive issued by the FIAU under the PMLFTR and the PMLA, as well as any contravention of the PMLFTR or of any procedures (including these Implementing Procedures) or guidance issued in terms of Regulation 17, may render subject persons liable to an administrative sanction.

Administrative sanctions can vary to a minimum of €250 for minor contraventions to a high of €5 million or 10% of the annual turnover in the case of serious, repeated or systematic breaches.

Money Laundering, Disclosure of an Investigation or Monitoring Order, Disclosure to prejudice an Attachment Order or Connected Investigation, Acting in contravention of an Investigation or Attachment Order as well of a Freezing Order, providing a False declaration or documentation or representation by a Customer or Representative and illegal disclosure all fall under the umbrella of criminal offences.

Fines can reach a maximum of €2.5 million with a good number of offences whose fine does not exceed €11,646.87. There are also cases where imprisonment is given which cannot exceed a term of 2 years and there are cases where an imprisonment term cannot exceed 18 years. In certain instances, and depending on the gravity, both fine and imprisonment may be given.


The new FIAU implementing procedures give rise to a number of valid points and queries but they are also a reflection of the many challenges that have risen in the last few years as a result of numerous changes in the business sector. The amended implementing procedures haven been amended so as to reflect these changes and to ensure that all the safeguards are up-to-date.



The above-mentioned article is simply based on independent research carried out by Dr. Werner and Partner and cannot constitute any form of legal advice. If you would like to meet with up with any of our representatives to seek further information, please contact us for an appointment.

Share on facebook
Share on twitter
Share on linkedin
Share on skype
Share on whatsapp
Share on telegram
Share on email

Ask your question now! Send a message to the author.

Author of the post

Philipp M. Sauerborn

More Expert Articles