The Risk-Based Approach (RBA) to Customer Due Diligence (CDD) procedures

The RBA was introduced for subject persons through the 4th Money Laundering Directive, replacing the previously used ‘tick box’ approach to customer due diligence.

Article 7(6) of the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR) requires a subject person’s customer due diligence procedures to be implemented on a risk-sensitive basis. This obligation is reinforced in Chapter 3 of the Implementing Procedures Part 1.

When applying an RBA to customer due diligence, subject persons must ensure that they understand the inherent risk of business relationships and/or occasional transactions, both prior to onboarding and on an ongoing basis. This effectively means that subject persons must understand the particular risks to which they are exposed by onboarding and servicing each of their clients.

Having understood its risk exposure, a subject person is then expected to mitigate that risk effectively by implementing measures which address the specific risks identified through the Customer Risk Assessment process. A subject person therefore cannot simply apply standard mitigating measures across the board, as each client, whether establishing a business relationship or requesting an occasional transaction, will expose the subject person to a different set of risks.

Should a subject person determine, however, that it is not able, or not sufficiently equipped, to mitigate the risks identified, then the subject person should refrain from onboarding or servicing the client.

Can the RBA affect your business adversely?

If the RBA is not implemented and applied as intended, yes: it could hinder business, become time-consuming and costly, and may cause issues with the authorities, because the actual risk exposure is not being identified and/or addressed.

The purpose of adopting a risk-based approach is to allocate resources where they are most needed and to address specific risks. It is, however, very common for subject persons to default to obtaining more, or more extensively verified, documentation when clients are assessed as higher risk, in most cases completely overlooking the actual risk being faced.

Although in certain instances further documentation and authentication would be the correct mitigating measure, exposure to certain other risks may not require further KYC documentation to be collected at all. Instead, a higher level of ongoing monitoring, or a different method of ongoing monitoring, may need to be implemented, and further information may be required (not necessarily from the client).

Obtaining meaningful information, both initially and on an ongoing basis, will help subject persons understand their client, establish what ‘normal’ looks like for that particular client and, as a result, identify any unusual behaviour or activity.


It is therefore imperative, for the protection and survival of the subject person, that AML/CFT measures are targeted at the actual risks being faced, rather than collecting a significant amount of documentation to tick the proverbial box and present a compliant front to the regulator.

Subject persons need to work smarter by understanding and addressing real risk, making their AML/CFT measures meaningful and efficient in their implementation. Although this approach is not infallible, it will ensure that the subject person is addressing risk meaningfully and taking appropriate action where necessary.

The MFSA has issued the Annual Compliance Return (ACR) for completion by Company Service Providers

The MFSA has issued the Annual Compliance Return (ACR) for completion by Company Service Providers (CSPs). The revised version has been uploaded to the MFSA’s website.

Certain changes have been made to this year’s ACR; CSPs should therefore download the latest version of the ACR to ensure that all the necessary fields are completed.

The return will need to be completed and uploaded, together with the required documentation, to the LH portal as follows:

  • Corporate CSPs: within 4 months of the company’s year end
  • Individual CSPs: by 30th April 2023

The MFSA has also informed the industry that no extensions will be granted to any of the deadlines.

For further information and assistance, please contact us on

The MFSA has issued the Annual Compliance Return (ACR) for completion by Administrators of Foundations, Trustees, and other Fiduciaries

The MFSA has issued the Annual Compliance Return (ACR) for completion by Administrators of Foundations, Trustees, and other Fiduciaries. The ACR has been uploaded to the MFSA’s website.

The return will need to be completed and uploaded, together with the required documentation, to the LH portal within 4 months of the authorised person’s financial year end.

The MFSA has also informed the industry that no extensions will be granted to any of the deadlines.

For further information and assistance, please contact us on

Outcomes of the FATF Plenary, February 2023

The FATF has published a summary of the outcomes of the Plenary held at the FATF headquarters in Paris, which concluded on 24th February 2023.

Outcome 1: FATF public statements in relation to the Russian Federation

One year after the Russian Federation’s illegal, unprovoked and unjustified full-scale military invasion of Ukraine, the Russian Federation continues to intensify the war of aggression against Ukraine.

This runs counter to FATF’s principles of promoting security, safety and the integrity of the global financial system and the commitment to international cooperation and mutual respect.

As a result, the FATF Plenary has today suspended the Russian Federation’s membership.

Outcome 2: Alterations to the list of Jurisdictions under Increased Monitoring (Grey list)

The FATF has updated the list of jurisdictions under increased monitoring, removing Cambodia and Morocco and adding Nigeria and South Africa.

Outcome 3: Beneficial Ownership

Last year, the FATF agreed on tougher global beneficial ownership standards by requiring countries to ensure that competent authorities have access to adequate, accurate and up-to-date information on the true owners of companies.

As a result, Recommendation 24 on legal persons was revised, requiring countries to ensure that beneficial ownership information is held by a public authority or body functioning as a beneficial ownership registry, or through an alternative mechanism that enables efficient access.

The FATF Plenary has now finalised a guidance document, scheduled for publication in March 2023, which will help countries implement the revised requirements of Recommendation 24.

The Plenary also agreed on enhancements to Recommendation 25 on legal arrangements to bring requirements broadly in line with those for Recommendation 24, to ensure a balanced and coherent set of FATF standards on beneficial ownership.

An additional guidance document will be drafted by the FATF in order to help countries implement the revised requirements of Recommendation 25.

Outcome 4: Disrupting the financial flows from ransomware

The FATF has noted that the scale and number of ransomware attacks have increased significantly in recent years, as criminals exploit the latest technologies to develop increasingly powerful tools for carrying out their attacks.

In response, the FATF has carried out an analysis of the methods criminals use to carry out ransomware attacks and of how they launder the ransom payments.

A report in relation to this analysis will be published in March 2023. The report will include a list of risk indicators which can help the public and private sector identify suspicious activities related to ransomware.

Outcome 5: Improving implementation of FATF requirements for virtual assets and virtual asset service providers

Despite the FATF strengthening Recommendation 15 in October 2018 to address virtual assets and virtual asset service providers, many countries have failed to implement these revised requirements, including the ‘travel rule’, which requires obtaining, holding and transmitting originator and beneficiary information relating to virtual asset transactions. This has created opportunities for criminals and terrorists to exploit virtual assets.

The Plenary has therefore agreed on a roadmap to strengthen the implementation of FATF Standards on virtual assets and virtual asset service providers, which will include a stocktake of current levels of implementation across the global network.

Outcome 6: Money Laundering and Terrorist Financing in the Art and Antiquities Markets

The FATF has finalised a further report, which was scheduled for publication on the 27th of February 2023. The report explores the link between money laundering and art and antiquities.

This report explores how terrorist groups can use cultural objects from areas where they are active to finance their operations, and includes a list of risk indicators which can help the public and private sectors identify suspicious activities in the art and antiquities markets.

The report also includes existing good practices which have been implemented by countries to address the challenges they face.

Principles of AML/CFT

In terms of the FIAU’s Implementing Procedures and current regulatory requirements, all employees who are involved in carrying out the subject person’s relevant activities and relevant financial activities should undergo training on a regular basis. Fenlex Compliance Services Limited is pleased to inform you that we are offering a 2.30-hour training session to assist subject persons in meeting this requirement.

Date: 30th March 2023

Time: 3pm – 5.30pm

Course Delivery Method: Live Webinar

CPE/CPD hours: 2.30

Cost: EUR30


The provision of effective anti-money laundering (AML) training is essential in helping organizations meet their regulatory obligations and to prevent the negative impacts money laundering and terrorist financing can have on society, the economy, organizations, their customers, and employees.

This training session will provide attendees with a broad understanding of current legislation and regulatory requirements in terms of AML/CFT, as well as a better understanding of a subject person’s obligations under these requirements.


Please send an email to to register for this session, the cost of which will need to be settled by bank transfer once an invoice has been issued.

For more details, kindly open the brochure below.

Compliance Officer vs MLRO

Most people will say that these two functions are one and the same thing. The reality is that in some smaller organisations these two functions are merged, due to the size of the organisation and the resources available.

Whilst this is acceptable for smaller organisations, one needs to appreciate the actual responsibilities of each function and, therefore, the importance of keeping the two functions separate even where one person fulfils both.

Money Laundering Reporting Officer (MLRO)

As defined in the Implementing Procedures Part 1, Section 5.1, the MLRO is an officer of sufficient command within an organisation which is a subject person, whose main functions are:

  • To receive reports from employees regarding knowledge or suspicion of ML/FT, consider these reports, and report externally to the FIAU when they deem that ML/FT or the suspicion of ML/FT subsists
  • To be the main point of contact for the FIAU

Further to MFSA guidance issued in July 2020, in practice the MLRO should also have oversight over all AML/CFT-related activities within the organisation. The MLRO would therefore be responsible for ensuring that:

  • AML/CFT policies, controls, processes and procedures are appropriately designed, implemented, and effectively utilised to reduce the risk of the organisation being used for ML/FT
  • Sufficient training is provided to all employees in terms of general AML/CFT obligations and organisation-specific policies and procedures
  • Proper and sufficient due diligence is performed on customers
  • Any client activities which score as high risk of ML/FT, whether at onboarding stage or throughout the client relationship, are assessed in order to provide recommendations on mitigating the risks identified

The MLRO may also be tasked with monitoring the day-to-day application of the measures, policies, controls and procedures adopted by the subject person to ensure compliance with its AML/CFT obligations.

In fulfilling these functions, the MLRO may delegate to and/or be assisted by other employees under his/her supervision; however, the MLRO remains responsible for the carrying out of the core functions outlined above and must therefore ensure that appropriate supervision is exercised. Certain subject persons also appoint one or more designated employees to replace the MLRO temporarily when absent. The main purpose of a designated employee is therefore to deputise for the MLRO.

Compliance Officer (CO)

On the other hand, the CO is an officer of a regulated person (entity) whose role is to ensure that the organisation complies with all laws under which it operates and with the rules issued by the Regulator. The CO must therefore ensure that the licence holder is abiding by all licence requirements and regulations, such as GDPR, ICT regulation, CRS, FATCA, governance requirements, MBR firm-specific filings and any other applicable regulations.

Contrary to common belief, the CO is not expected to draft and implement all the required policies and procedures and keep them up to date with every regulation issued, but rather to ensure that these are established and implemented by the relevant departments within the organisation and followed by all employees (as necessary).

The CO’s responsibilities therefore include:

  • Monitoring and assessing on a regular basis the adequacy and effectiveness of the measures and procedures put in place by the licence holder to comply with all its obligations under regulatory requirements and licence conditions, recording and reporting any breaches of such requirements, and outlining the actions taken to address any deficiencies;
  • Advising and assisting the licence holder in complying with its legal and regulatory obligations.

Whereas the MLRO function may not be outsourced, except in very specific circumstances and subject to approval by the MFSA, the CO function may be outsourced by the subject person to third parties.

The CO function is an oversight function, responsible for ensuring that the subject person is abiding by all relevant regulatory and licence requirements. It is entirely distinct from the MLRO function, which is responsible for unusual activity reports, communication with the supervisory authority, and ensuring that AML/CFT policies and procedures are in place, effective and implemented.

In terms of AML/CFT, the CO should therefore be overseeing the AML function, ensuring that the MLRO is fulfilling his/her function and that there are appropriate policies and procedures in place, which are being implemented and adhered to by the MLRO and all other employees within the subject person, as required by current regulation.

When the CO is also burdened with MLRO duties, the CO has a clear conflict of interest, since it becomes impossible for the CO to exercise effective oversight over, and assessment of, the organisation’s AML/CFT function.