Skip to content

8 Things you need to know about the AML/CFT Implementing Procedures for CSP Sector

It is the moment all MLROs and Compliance Officers within the local Corporate Services Providers (CSP) sphere have been waiting for – the publication of the legally binding Implementing Procedures (IPs) (Part II) in relation to the CSP sector! 

Issued on the 16th of December 2020 by the Financial Intelligence Analysis Unit (FIAU), these Implementing Procedures set out how Providers of Corporate Services are to comply with the AML/CFT obligations arising from the Prevention of Money Laundering and Funding of Terrorism Regulations. 

Here are eight things you need to know about the Implementing Procedures in terms of the AML/CFT obligations to the CSP Sector: 

1. It is not a stand-alone document 

Reading, understanding and following Part II of the Implementing Procedures with regards to the CSP Sector is a good start towards fulfilling your AML/CFT obligations towards local law. However, if you really want become proficient in this area, then Part II of the Implementing Procedures will need to be read in conjunction with Part I of the FIAU’s Implementing Procedures, as well as the relevant sections of the Prevention of Money Laundering Act, and the Prevention of Money Laundering and Funding of Terrorism Regulations.  

2. It identifies the risk drivers attributable to CSPs 

You are probably asking what is so risky about CSPs? All they do is help in forming companies, right? Where is the risk in that? CSPs are considered to be the gatekeepers to the financial services industry and are therefore considered to be very important in identifying potential money launderers who would need to set up a corporate structure in order to launder proceeds of crime. Therefore, there are several risk drivers that are attributable to CSPs, and these have been identified by the ML/FT National Risk Assessment (NRA) published by the Government of Malta in 2018, and can be summarized as follows: 

  • Non-resident UBOs – What is the reason why someone who is not resident in Malta would like to set up a corporate structure in Malta? Is there any justifiable reason for doing so? It is very important in this case to identify the nature and purpose of why a non-resident would like to set up a corporate structure in Malta.  
  • Complex corporate structures, generally including fiduciaries or trusts  Why would anyone want to set up a complex corporate structure that includes fiduciaries, trusts, nominee shareholders/directors, charities, or off-shore vehicles? Is there the intention to hide the Ultimate Beneficial Owner or obscure the true nature and purpose of such a structureAre there Politically Exposed Persons, High Net-Worth Individuals, or NGOs who want to hide illicit proceeds? It is very important that the true nature and purpose is established and ascertaining why and even if there is the need for a complex structure is vital in mitigating any ML/FT risks associated with such complexity. 
  • Exposure to high-risk jurisdictions, especially in cases of non-resident UBOs  Tying into first bullet above, why would a non-resident UBO set up a corporate structure in Malta with significant exposure to unrelated or risky jurisdictions? It may be justifiable for a non-resident UBO to set up a corporate structure in Malta that will trade with or in Malta, but questions should be asked in the case where the trade countries are unrelated to Malta/EU and even have exposure to high risk jurisdictions. Therefore, establishing the full scope of the jurisdictional links and ascertaining the reason behind such jurisdictional links is necessary in order to mitigate this risk drivers. 
  • Large volume of international business handled directly by CSPs  For its small geographical size, Malta houses a significantly large number of CSPs that handle large volumes of international business. It is because of their significance to the industry that CSPs often pose a large risk of ML/FT. The ML/FT NRA also identified that despite the large volume of international business handled by CSPs, the effectiveness of CSPs AML/CFT controls were considered to be weak, and the number of Suspicious Transaction Reports submitted by CSPs was not proportionate to the ML/FT risks that they are exposed to. It was therefore acknowledged that the CSP sector in general needs to allocate more human, technical, and financial resources towards implementing effective and robust AML/CFT controls that are commensurate to the level of ML/FT risks that they are exposed.

  • Use of intermediaries for on-boarding, without ever having direct contact with the UBOs  The risk here lies in not knowing who is truly being represented by the intermediary. Is an intermediary being used to hide the true identity of the UBO? Is the intermediary being used conducting business with good intentions? Are they reputable, or do they have links with high-risk jurisdictions or are subject to adverse media? Customer Due Diligence needs to be conducted on the intermediaries as well as the UBOs in question. The Implementing Procedures in relation to the CSPs go into detail as to how this is to be conducted in order to mitigate any of the ML/FT risks identified. 

3. Provides clarity as to the Business Relationship and  Occasional Transaction debate 

Legally speaking, CSPs are defined as those nature or legal persons, which by way of business, provides any of the following services to third parties: (i) Formation of companies or other legal entities; (ii) Acting as a director or secretary of a company for another person or as a partner in a partnership or in a similar position in relation to other legal entities (also commonly known as ‘the provision of directorship/company secretarial services’); (iii) Providing registered office, business correspondence or administrative address for legal entities. 

It is important to distinguish between business relationships and occasional transactions because the AML/CFT obligations of a subject person are different when handling these two separate situations. The IPs provide clarity as to which CSP services are considered to be business relationships and which are considered to be occasional transactions. 

Providing company formation services is an occasional transaction and does not require on-going monitoring. On the other hand, acting as a Director or Secretary, or providing Registered Office/Business Correspondence Services is treated as a Business Relationship and hence requires ongoing monitoring. 

4. CSP Transaction Monitoring Issues Addressed 

Prior to the publication of these IPs, there was a lot of uncertainty surrounding the extent of transaction monitoring that CSPs have to conduct. CSPs are by their very nature oftentimes not privy to the transactions being conducted by their corporate customers and banks are also reluctant to share transaction records with CSPs. This created ambiguity as to how CSPs are supposed to fulfil their transaction monitoring obligations. 

Thankfully, the IPs tackle this issue head on, and provide much needed clarity on the matter. In cases where CSPs provide registered office and company secretarial services, transaction monitoring is not required. What is required in this case, is updating information and documentation in order to ensure that the CSPs have relevant information and documentation on file. In cases where company secretarial services are provided, then the Company Secretary should have access to company minutes, which should also be consulted when undergoing monitoring to ensure that the company activities are in line with what the customer purported. 

Transaction Monitoring does however need to be conducted when the CSP is providing Company Directorship services. The Director needs to approve transactions before they happen (pre-trade transaction monitoring). In cases where the Directorship power is limited and s/he is unable to approve transactions before they happen, then the Director will have to conduct post-trade transaction monitoring, which entails collecting from the client or from the bank the company’s transactions and going through the transactions to ensure that they are in line with the purported activities of the customer and that there are no ML/FT red flags. The IPs also state that when providing Directorship services, the Director should have access to the minutes of the company, and these can also be used for on-going monitoring, as the minutes should give an indication of the activities being conducted. 

5. Importance of tailor-made staff training 

Ask any Director and MLRO of a CSP and I am sure that they are all aware of their obligation to send staff for AML/CFT training. However, this is not just a tick-box approach. AML/CFT is a vast subject that includes a wide array of topics that can range to Customer Risk Assessments, Business Risk Assessments, Source of Wealth, Source of Funds, Conducting Adverse Media Searches, Sanctions Screening, the Art of Conducting Customer On-Boardings, Transaction Monitoring, Identifying Red Flags, etc. The list is endless and can go on. The IPs in this case are placing a lot of emphasis on staff training as well as the importance of training being tailor made to the activities being conducted by that particular member of staff who attends the training. 

For example, those employees working on monitoring should attend training with respect to ongoing monitoring, whilst client facing staff should attend training that helps them to identify suspicious behaviour and actions based on customer interaction. This point is important for Directors and MLROs of CSPs to keep in mind when approving AML/CFT related training for staff members. 

6. Difficulties with terminating Business Relationships?   Look no further 

The FIAU also the addresses the difficulties when stepping back from offering registered office services when the customer becomes unresponsive. In this case, once the CSP has exhausted all possible means to contact the customer and has documented the actions taken to do so, the termination date for the purposes of the FIAU would be the date when the CSP informs the MBR that it lost contact with the customer and is not willing to continue providing the registered office services any longer. 

7. Another Level of Sanctions Screening  

CSPs might ask if it is enough to conduct sanctions screening on customers. The answer is NO. CSPs are also subject to the provisions of the National Interest (Enabling Powers) Act (Cap 365), and must be kept abreast with the guidance notes, notices, decisions, recommendations and rulings that are issued by the Sanctions Monitoring Board (SMB) in Malta. The SMB is the national competent authority responsible for monitoring the implementation of, and ensuring compliance with, targeted financial sanctions. 

The FIAU expects that subject persons subscribe to updates from the Malta Sanctions Monitoring Board, and one can do so by sending an email to  and ask to be added to the SMB mailing list. 

8. Introducers, Intermediaries, and Agents Explained 

It is common knowledge that CSPs use introducers, intermediaries, and agents to obtain new clients and form new business relationships and occasional transactionsThere are also different risks associated with each of the three, and the FIAU IPs provide clear distinction as well as clarity as to how to treat them from an AML/CFT perspective. 

Whilst no AML/CFT obligations arise in relation to introducers, CSPs do have AML/CFT obligations when it comes to dealing with intermediaries and agents, and MLROs of CSPs must ensure that involvements with agents and intermediaries are specifically catered for in their internal policies and procedures in line with all the relevant AML/CFT regulation and legislation. 


It is evident through the legislation and enforcement of such legislation that local authorities are leaving no stone unturned in fighting money laundering via the provision of corporate services. Despite their best efforts, the local authorities cannot fight this battle by themselves, and this is why Corporate Service Providers need to take a stand against money laundering, and seriously implement systems and controls in place that will enable them to fulfil their AML/CFT obligations. 

It is important to note that this article cannot be construed as being a substitute for reading the full Implementing Procedures (Part II) in relation to the CSP Sector, and readers are highly recommended to refer to all the relevant legal text in relation to local and EU wide AML/CFT obligations. 


Disclaimer:The above-mentioned article is simply based on independent research carried out by Dr. Werner and Partner and cannot constitute any form of legal advice. If you would like to meet up with any of our representatives to seek further information, please contact us for an appointment. 

Share on facebook
Share on twitter
Share on linkedin
Share on skype
Share on whatsapp
Share on telegram
Share on email

Ask your question now! Send a message to the author.

Author of the post

Malcolm Wallbank

More Expert Articles