Implementing Procedures targeting Company Services Providers (CSPs)

According to the results of the ML/FT National Risk Assessment (“NRA”) published by the Government of Malta in 2018, the CSP sector was identified as presenting a high risk of ML/FT to Malta in view of the inherent risks to which the sector is exposed, coupled with weak implementation of AML/CFT controls.

As a result of the NRA and also the 2019 Moneyval Review on Malta, the Financial Intelligence Analysis Unit (“FIAU”) in December 2020 has published sector specific Implementing Procedures for CSPs, setting out legally binding guidance on how CSPs are expected to carry out their customer due diligence (‘CDD’) obligations arising from the Prevention of Money Laundering and Funding of Terrorism Regulations (“PMLFTR”). The guidance considers the various services offered by CSPs, and places special focus on the following measured that need to be taken into consideration by CSPs:-

• Verification and Identification guidance on Agents, Introducers and Intermediaries, including basic checks and additional checks for higher risk Intermediaries and Intermediary chains. Treatment of other senior officers and staff members for corporate customers are further highlighted;
• Assessment and information gathering for the purpose and intended nature of the business relationship leading to an adequate business and customer risk profile. Information that would be relevant in this context includes:-
  • • Information on the rationale for the setting up of the requested service/s;
    • Information on the activity or purpose behind the intended service/s;
    • Profile of the shareholders or beneficial owners;
    • Value of share capital or assets of that company or entity; and
    • Ongoing monitoring, drawing from the anticipated level of the activity that is to be undertaken through the relationship (e.g., expected volume of transactional activity, projected turnover, proposed suppliers and customers) in order to understand the eventual source of funds flowing through the company;
• Emphasis is placed on the requirement for ongoing monitoring which should enable the CSP to identify transactions and/or activities that are not in keeping with the corporate customer’s operations. This should in turn generate internal reports on unusual transactions or activities to be reviewed by the CSP’s MLRO and thereby ensure that suspicions of ML/FT or proceeds of crime are reported to the FIAU in a timely manner;
• Timing of CDD obligations, again taking note of any risk evaluations of the business relationship; and
• Termination of Business relationships, with guidance on situations where the termination is not a straightforward process. The CSP will have to prove that it has exhausted all possible means to contact the customer and has recorded all the actions undertaken, which will reflect on the actual termination date of the business relationship for the purposes of the PMLFTR.

Proposed Amendments to the Implementing Procedures – Part I

The FIAU has issued a Consultation Document setting out proposals for a number of changes to the Implementing Procedures – Part I, which consider a number of changes which are being set out for the first time and which address concerns and issues that have been arising from time to time. These include the following:-

1. Adverse media as a new tool to assess the risk level of a business relationship. Subject persons should consider any adverse reports on a customer or its UBOs, and determine any risk this presents to the business in terms of the nature of the reports from a reliable source.
2. On-going monitoring, differentiating and providing more clarity as to the nature of the business relationship of the subject person. Subject persons who are entrusted with the full discretionary management of customer funds require less on-going monitoring efforts than other subject persons who act with the intermediation of their customers. On-going monitoring requirements for instances of Simplified due diligence has been further enhanced with guidance on issues which may alter the original low risk rating assigned to a business relationship. Subject persons are encouraged to consider obtaining additional information about any customer since on boarding, such as publicly available supervisory or regulatory information as well as other information, which underlies any deviation from initially set business parameters.
3. Changes to the appointment of MLROs, which will now permit non-executive directors to act as MLROs. Other issues addressed include the considerations which should be taken into account when a subject person locates its MLRO abroad and the adoption of mitigating and proportionality measures rather than outright refusal or removal of the (proposed) MLRO in situations which may present a conflict of interest.
4. Interesting also is proposed removal of the restriction on the number of Designated Employees that can be appointed by each subject person.
5. Jurisdictional Risk Assessments. The proposed updates consider such assessments being carried out by third parties, subject to certain criteria being met. These criteria include the reliability of the risk assessment taking into consideration the number of aspects considered in gauging the risk presented by the particular jurisdiction, the methodology behind the risk assessment as well as the frequency of review of the assessments following a change in a particular jurisdiction’s circumstances. Utilising third party risk assessments will be particularly useful where the subject person’s customers’ business is linked to multiple countries, for assessing risk and understanding the risk presented, but also from a transaction monitoring point of view.

The above-proposed amendments are not yet in force and the FIAU is inviting the industry to submit written feedback by 9th April 2021 via email consultation@fiaumalta.org.