An appreciation of the key updates to the FIAU’s Implementing Procedures – Part I

The FIAU’s Imple­ment­ing Pro­ce­dures are issued by the Finan­cial Intel­li­gence Analy­sis Unit (FIAU) to imple­ment the PMLFTR (Pre­ven­tion of Mon­ey Laun­der­ing and Fund­ing of Ter­ror­ism Reg­u­la­tions) (in terms of reg. 17) and are bind­ing on ALL ‘sub­ject per­sons’, both nat­ur­al & legal, from the date they are issued.

The imple­ment­ing pro­ce­dures focus pri­mar­i­ly on the fol­low­ing sub­jects:

  • An overview on ML (Mon­ey Laun­der­ing) and AML (Anti-Mon­ey Laun­der­ing) mea­sures, the rel­e­vant Mal­tese leg­is­la­tion and the reg­u­la­tion on these sub­jects and their pre­ven­tion. They also delve into the Nation­al Co-Ordi­nat­ing Com­mit­tee on Com­bat­ing Mon­ey Laun­der­ing and Fund­ing of Ter­ror­ism whilst also get­ting into the role of the FIAU and its func­tion of com­pli­ance mon­i­tor­ing.
  • The Imple­ment­ing Pro­ce­dures them­selves, their pur­pose, sta­tus and appli­ca­tion as well as defin­ing who a Sub­ject Per­son is.
  • A detailed and exhaus­tive expla­na­tion on the ‘Risk-based approach’ that has been adopt­ed as per the lat­est imple­ment­ing pro­ce­dures.
  • Another vital subject in the implementing procedures is CDD (Customer Due Diligence). This is the process whereby all the pertinent and important information about a client is collected and assessed for any possible risk the organisation may be exposed to, or for the risk of money laundering and the financing of terrorism.
  • The report­ing pro­ce­dures (both inter­nal and exter­nal) and oblig­a­tions, with the role of the MLRO (Mon­ey Laun­der­ing Report­ing Offi­cer) explained in fur­ther detail.
  • Rules Gov­ern­ing Out­sourc­ing arrange­ments.
  • Anoth­er impor­tant sub­ject and one that seems to hit the nation­al head­lines for one rea­son or anoth­er on a reg­u­lar basis is deal­ing with non-rep­utable juris­dic­tions and high-risk juris­dic­tions, and group-wide poli­cies and pro­ce­dures on this theme.
  • Last but not least are the record keep­ing pro­ce­dures that ensure that all records are kept in a fit and prop­er man­ner for means test­ing.

The first FIAU implementing procedures were issued in May 2011, with the latest and most important update being issued in July 2019. The new set of implementing procedures has been issued with current issues in mind, in light of what is happening not only within the confines of Malta but also in the EU and beyond.

Risk-based approach

This approach acknowledges that AML/CFT measures should be adapted and fine-tuned according to the level of risk that arises in specific jurisdictions and sectors; in short, it is not a one-size-fits-all approach. In principle this means maximising efficiency by directing resources proportionally, in line with the extent of the MLFT risks posed. In other words, the clients, businesses, products etc. that pose the highest risk are accordingly subjected to the highest scrutiny.

The model on which the risk-based approach is based may be simple or complex, depending on the effect of the following factors:

  • The size and nature of the busi­ness and the ser­vices offered;
  • The cus­tomer base; and
  • The geo­graph­i­cal area in which the oper­a­tions take place.

This involves the MLFT risks being, respectively, (i) identified, (ii) recognised, (iii) assessed, and (iv) categorised and ranked.

The risk-based approach involves two seemingly simple but at the same time complex elements: likelihood and impact. Likelihood is determined by the exposure to risk factors. These risk factors can be further divided into two main groups: threats and vulnerabilities.

Threats manifest themselves in the external elements that result in risk, whilst vulnerabilities are manifested in the internal elements that result in risk.

On the oth­er hand, impact man­i­fests itself in three cat­e­gories: finan­cial, reg­u­la­to­ry and rep­u­ta­tion­al.

The Business Risk Assessment

Also referred to as the BRA, this document is to be prepared before operations commence and, since risk is not static, it has to be reviewed and updated on a regular basis. This is a result of new threats and vulnerabilities that emerge, as well as changes to the business model, structure, activities and services and to the external environment. If such risk is not identified, the BRA can be done yearly.

Four main cat­e­gories of risk can be iden­ti­fied and act­ed upon when work­ing on the BRA. These are:

i) the Cus­tomer Risk;
ii) the Product/Service risk;
iii) the Inter­face Risk; and
iv) the Geo­graph­i­cal Ele­ment.

International Sanctions

These are political and economic decisions taken by countries and organisations against states or organisations, as part of diplomatic efforts to find a solution. They are taken for a number of reasons, be it to safeguard national security interests or to safeguard international law, peace and security.

The FATF (Financial Action Task Force) considers the following country-related factors when it comes to international sanctions: those countries that are subject to sanctions, embargoes or related measures promulgated by international organisations such as the United Nations and the Security Council.

Under this umbrel­la there are also those coun­tries that have inad­e­quate MLFT laws, reg­u­la­tions and their enforce­ment, as well as those that lend their sup­port to ter­ror­ist activ­i­ties and organ­i­sa­tions.

One must not leave out those coun­tries that have seri­ous lev­els of cor­rup­tion or oth­er crim­i­nal activ­i­ty.

Also, when it comes to sanctions and their reach, the European Union has a ‘consolidated list’ of sanctions, the United Nations has a Consolidated United Nations Security Council Sanctions List, whilst the United States has its Sanctions Programs and Country Information.

‘Non-reputable’ and ‘high-risk’ jurisdictions and their assessment

As stated in the PREVENTION OF MONEY LAUNDERING ACT (CAP. 373), regulation 2, ‘non-reputable jurisdiction’ means ‘any jurisdiction having deficiencies in its national anti-money laundering and counter funding of terrorism regime or having inappropriate and ineffective measures for the prevention of money laundering and the funding of terrorism, taking into account any accreditation, declaration, public statement or report issued by an international organisation which lays down internationally accepted standards for the prevention of money laundering and for combating the funding of terrorism or which monitors adherence thereto, or is a jurisdiction identified by the European Commission in accordance with Article 9 of Directive (EU) 2015/849’.

Par­tic­u­lar atten­tion is required when it comes to busi­ness rela­tion­ships and trans­ac­tions with per­sons, com­pa­nies and under­tak­ings based in juris­dic­tions that are con­sid­ered as being non-rep­utable.

The FATF has 3 categories when it comes to considering high-risk and non-cooperative jurisdictions:

  • Category 1 – Jurisdictions that have failed to properly tackle their AML/CFT deficiencies or have not pledged to implement countermeasures;
  • Category 2 – Jurisdictions that have not achieved satisfactory progress in tackling their AML/CFT deficiencies or have not pledged to an action plan developed in conjunction with FATF; and
  • Category 3 – Those jurisdictions that have an action plan together with FATF and have made a serious political commitment to address their AML/CFT deficiencies.

What counts as a high-risk jurisdiction is subjective and is defined by the individual Subject Person (SP); the definition should reflect policies and procedures that take into consideration the nature and size of the SP’s business.

Note that high-risk jurisdictions are determined via internal assessments which take into consideration the sources referenced in the FIAU IPs; these sources help SPs to interpret what makes a jurisdiction either non-reputable or high-risk. The assessments need to be done and updated on a regular basis.

Customer Due Diligence (CDD)

CDD togeth­er with KYC (Know-Your-Cus­tomer) are the foun­da­tions for an effec­tive AML/CTF (Anti-Mon­ey Laun­der­ing/­Counter-Ter­ror Financ­ing) pro­gram. The most impor­tant and unavoid­able ques­tion when it comes to CDD is, “is this per­son or com­pa­ny real­ly who they say that they are?”.

CDD is one of a number of important steps that need to be taken to reduce the risks that business relationships may face from the points of view of financial crime, creditworthiness and AML/CFT.

In simple terms, CDD and KYC are the act of performing background checks on the Subject Person/s and company/companies to ensure that a proper risk assessment is done before onboarding.

CDD is performed via the (i) identification and (ii) verification of the customer and the beneficial owner, and by establishing the (i) purpose and (ii) intended nature of the business relationship, which are then verified, together with regular monitoring of business relationships (BRs).

The customer is “a legal or natural person who seeks to form a business relationship or seeks to carry out an occasional transaction with a subject person” whilst the beneficial owner is “any natural person/s who ultimately own or control the customer and/or on whose behalf a transaction is being conducted.”

Five stages need to be carried out so that the CDD process for a company can be completed.

CDD process

Offences and penalties

In this par­tic­u­lar realm, a dif­fer­en­ti­a­tion needs to be made between ‘admin­is­tra­tive sanc­tions’ and ‘crim­i­nal offences’.

In the revised implementing procedures of the FIAU we find that, “Regulation 21 of the PMLFTR states that the failure to comply with any lawful requirement, order or directive issued by the FIAU under the PMLFTR and the PMLA, as well as any contravention of the PMLFTR or of any procedures (including these Implementing Procedures) or guidance issued in terms of Regulation 17, may render subject persons liable to an administrative sanction.”

Administrative sanctions can range from a minimum of €250 for minor contraventions to a high of €5 million or 10% of the annual turnover in the case of serious, repeated or systematic breaches.

Money Laundering, Disclosure of an Investigation or Monitoring Order, Disclosure to prejudice an Attachment Order or Connected Investigation, Acting in contravention of an Investigation or Attachment Order as well as of a Freezing Order, providing a False declaration or documentation or representation by a Customer or Representative and illegal disclosure all fall under the umbrella of criminal offences.

Fines can reach a max­i­mum of €2.5 mil­lion with a good num­ber of offences whose fine does not exceed €11,646.87. There are also cas­es where impris­on­ment is giv­en which can­not exceed a term of 2 years and there are cas­es where an impris­on­ment term can­not exceed 18 years. In cer­tain instances, and depend­ing on the grav­i­ty, both fine and impris­on­ment may be giv­en.


The new FIAU implementing procedures give rise to a number of valid points and queries, but they are also a reflection of the many challenges that have arisen in the last few years as a result of numerous changes in the business sector. The implementing procedures have been amended so as to reflect these changes and to ensure that all the safeguards are up to date.



The above-mentioned article is simply based on independent research carried out by Dr. Werner and Partner and cannot constitute any form of legal advice. If you would like to meet up with any of our representatives to seek further information, please contact us for an appointment.

About Dr. Jörg Werner

Dr. jur. Jörg Wern­er, born 27 May 1971, attend­ed the law school of the Uni­ver­si­ty of Leipzig and passed his first state exam­i­na­tion in the State of Sax­ony in 1996. After suc­cess­ful­ly com­plet­ing his manda­to­ry legal intern­ship, he suc­cess­ful­ly passed the sec­ond state exam­i­na­tion of the State of Sax­ony-Anhalt in 1998 and was admit­ted to the bar and began to prac­tice as a Ger­man attor­ney (Recht­san­walt) before the court of Magde­burg the same year. He worked as an attor­ney at the Law Offices of Prof. Dr. Fre­und & Kol­le­gen until he formed the firm of Wrede & Wern­er. He was also admit­ted to prac­tice before the Supe­ri­or Court of Naum­burg. In 2001, he moved the firm’s offices to Cen­tral Berlin, where he was admit­ted to prac­tice before the Courts of Berlin. Dr. jur. Jörg Wern­er then com­plet­ed his doc­tor­al stud­ies at the Uni­ver­si­ty of Ham­burg and grad­u­at­ed as a Dok­tor der Rechtswis­senschaften (Doc­tor of Laws).
