The Risk-Based Approach (RBA) to Customer Due Diligence (CDD) procedures

The RBA was introduced to subject persons through the 4th Money Laundering Directive, replacing the previously used ‘tick box’ approach to customer due diligence.

Article 7(6) of the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR) requires a subject person’s customer due diligence procedures to be implemented on a risk-sensitive basis. This obligation is reinforced in Chapter 3 of the Implementing Procedures Part 1.

When utilising an RBA to customer due diligence, subject persons must ensure that they understand the inherent risk of business relationships and/or occasional transactions, both prior to onboarding and on an ongoing basis. This effectively means that subject persons must understand the particular risks they are exposed to by onboarding and servicing each of their clients.

Upon understanding their risk exposure, a subject person is then expected to effectively mitigate the risk through the implementation of mitigating measures, which address the unique risks identified through the Customer Risk Assessment process. A subject person therefore cannot solely implement standard mitigating measures across the board, as each client, whether establishing a business relationship or requesting an occasional transaction, will expose the subject person to a unique set of risks.

Should a subject person determine, however, that it is not able, or not sufficiently equipped, to mitigate the risks identified, then the subject person should refrain from onboarding or servicing the client.

Can the RBA affect your business adversely?

Yes. If the RBA is not implemented and utilised as intended, it could hinder business, become time consuming and costly, and may cause issues with the authorities, because actual risk exposure is not being identified and/or addressed.

The purpose of adopting a risk-based approach is to allocate resources where they are most needed and to address specific risks. It is, however, very common for subject persons to default to obtaining more, or more extensively verified, documentation when clients are assessed as higher risk, most of the time completely overlooking the actual risk being faced.

Although in certain instances further documentation and authentication would be the correct mitigating measure, exposure to certain other risks may not necessarily require further KYC documentation to be collected. Instead, a higher level of ongoing monitoring, or a different method of ongoing monitoring, may need to be implemented, and further information may be required (not necessarily from the client).

Obtaining meaningful information, both initially and on an ongoing basis, will help subject persons understand their client, establish what ‘normal’ looks like for that particular client and, as a result, identify any unusual behaviour/activity.

It is therefore imperative, for the protection and survival of the subject person, that AML/CFT measures are targeted to address the actual risks being faced, rather than collecting a significant amount of documentation to tick the proverbial box and attempting to present a compliant front to the regulator.

Subject persons need to work smarter by understanding and addressing real risk, making AML/CFT measures meaningful and efficient in their implementation. Although this approach is not infallible, it will ensure that the subject person is addressing risk meaningfully and taking the appropriate action where necessary.

The MFSA has issued the Annual Compliance Return (ACR) for completion by Company Service Providers

The MFSA has issued the Annual Compliance Return (ACR) for completion by Company Service Providers (CSP). The revised version has been uploaded on the MFSA’s website:

Certain changes have been effected to this year’s ACR and therefore CSPs should seek to download the latest version of the ACR, to ensure that all the necessary fields are completed.

The return will need to be completed and uploaded, together with the required documentation, to the LH portal as follows:

  • Corporate CSPs, within 4 months from the company’s year end
  • Individual CSPs, by 30th April 2023

The MFSA has also informed the industry that no extensions will be granted to any of the deadlines.

For further information and assistance please contact us on

The MFSA has issued the Annual Compliance Return (ACR) for completion

The MFSA has issued the Annual Compliance Return (ACR) for completion by Administrators of Foundations, Trustees, and other Fiduciaries. The ACR has been uploaded on the MFSA’s website.

The return will need to be completed and uploaded, together with the required documentation, to the LH portal 4 months from the authorised person’s financial year end.

The MFSA has also informed the industry that no extensions will be granted to any of the deadlines.

For further information and assistance please contact us on

Outcomes of the FATF Plenary, February 2023

The FATF has published a summary of the outcomes stemming from the Plenary held at the FATF headquarters in Paris, which concluded on the 24th February 2023.

Outcome 1: FATF public statements in relation to the Russian Federation

One year after the Russian Federation’s illegal, unprovoked and unjustified full-scale military invasion of Ukraine, the Russian Federation continues to intensify the war of aggression against Ukraine.

This runs counter to FATF’s principles of promoting security, safety and the integrity of the global financial system and the commitment to international cooperation and mutual respect.

As a result, the FATF Plenary has today suspended the Russian Federation’s membership.

Outcome 2: Alterations to the list of Jurisdictions under Increased Monitoring (Grey list)

The FATF has updated the list of jurisdictions under increased monitoring, removing Cambodia and Morocco and adding Nigeria and South Africa to the list.

Outcome 3: Beneficial Ownership

Last year, the FATF agreed on tougher global beneficial ownership standards by requiring countries to ensure that competent authorities have access to adequate, accurate and up-to-date information on the true owners of companies.

As a result, Recommendation 24 on legal persons has been revised, requiring countries to ensure that beneficial ownership information is held by a public authority or body functioning as a beneficial ownership registry, or through an alternative mechanism that enables efficient access.

The FATF Plenary has now finalised a guidance document, scheduled for publication in March 2023, which will help countries implement the revised requirements of Recommendation 24.

The Plenary also agreed on enhancements to Recommendation 25 on legal arrangements to bring requirements broadly in line with those for Recommendation 24, to ensure a balanced and coherent set of FATF standards on beneficial ownership.

An additional guidance document will be drafted by the FATF in order to help countries implement the revised requirements of Recommendation 25.

Outcome 4: Disrupting the financial flows from ransomware

The FATF has noted that the scale and number of ransomware attacks has increased significantly in recent years, as criminals are exploiting the latest technologies to develop increasingly powerful tools to carry out their attacks.

Due to this, the FATF has carried out an analysis of the methods criminals use to carry out their ransomware attacks and how they launder ransom payments.

A report in relation to this analysis will be published in March 2023. The report will include a list of risk indicators which can help the public and private sector identify suspicious activities related to ransomware.

Outcome 5: Improving implementation of FATF requirements for virtual assets and virtual asset service providers

Despite the FATF strengthening Recommendation 15 in October 2018 to address virtual assets and virtual asset service providers, many countries have failed to implement these revised requirements, including the ‘travel rule’, which requires obtaining, holding and transmitting originator and beneficiary information relating to virtual asset transactions. This has led to many countries creating opportunities for criminals and terrorists to exploit virtual assets.

The Plenary has therefore agreed on a roadmap to strengthen the implementation of FATF Standards on virtual assets and virtual asset service providers, which will include a stocktake of current levels of implementation across the global network.

Outcome 6: Money Laundering and Terrorist Financing in the Art and Antiquities Markets

The FATF has finalised a further report, which was scheduled for publication on the 27th of February 2023. The report explores the link between money laundering and art and antiquities.

The report explores how terrorist groups can use cultural objects from areas where they are active to finance their operations, and includes a list of risk indicators which can help the public and private sector identify suspicious activities in the art and antiquities markets.

The report also includes existing good practices which have been implemented by countries to address the challenges they face.

Principles of AML/CFT

In terms of the FIAU’s Implementing Procedures and current regulatory requirements, all employees who are involved in carrying out the subject person’s relevant activities and relevant financial activities should undergo training on a regular basis. Fenlex Compliance Services Limited is pleased to inform you that we are offering a 2.30-hour training session to assist subject persons in meeting this requirement.

Date: 30th March 2023

Time: 3pm – 5.30pm

Course Delivery Method: Live Webinar

CPE/CPD hours: 2.30

Cost: EUR30

The provision of effective anti-money laundering (AML) training is essential in helping organizations meet their regulatory obligations and to prevent the negative impacts money laundering and terrorist financing can have on society, the economy, organizations, their customers, and employees.

This training session will provide attendees with a broad understanding of current legislation and regulatory requirements in terms of AML/CFT, as well as a better understanding of a subject person’s obligations in terms of these requirements.

Please send an email to to register for this session, the cost of which will need to be settled by bank transfer once an invoice has been issued.

For more details kindly open the below brochure.

Compliance Officer VS MLRO

Most people will say that these two functions are one and the same thing. The reality is that in some smaller organisations these two functions are merged, due to the size of the organisation and the resources available.

Whilst this is acceptable for smaller organisations, one needs to appreciate the actual responsibilities of each function and therefore, even where one person fulfils both, the importance of keeping the functions separate.

Money Laundering Reporting Officer (MLRO)

As defined in the Implementing Procedures Part 1, Section 5.1, the MLRO is an officer of sufficient command within an organisation which is a subject person, whose main functions are:

  • To receive reports from employees regarding knowledge or suspicion of ML/FT, consider these reports, and report externally to the FIAU when they deem that ML/FT, or a suspicion of ML/FT, subsists
  • To be the main point of contact for the FIAU

Further to MFSA guidance issued in July 2020, in practice the MLRO should also have oversight over all AML/CFT related activities within the organisation. The MLRO would therefore be responsible for ensuring that:

  • AML/CFT policies, controls, processes and procedures are appropriately designed, implemented and effectively utilised to reduce the risk of the organisation being used for ML/FT
  • Sufficient training is provided to all employees in terms of AML/CFT general obligations and organisation-specific policies and procedures
  • Proper and sufficient due diligence is performed on customers
  • Any client activities which score as high risk of ML/FT, either at onboarding stage or throughout the client relationship, are assessed in order to provide recommendations on the mitigation of the risks identified

The MLRO may also be tasked with monitoring the day-to-day application of the measures, policies, controls and procedures adopted by the subject person to ensure compliance with its AML/CFT obligations.

In fulfilling these functions, the MLRO may delegate to and/or be assisted by other employees under his/her supervision; however, the MLRO remains responsible for carrying out the core functions outlined above and shall therefore ensure that appropriate supervision is exercised. Certain subject persons therefore also appoint one or more designated employees to temporarily replace the MLRO when absent. The main purpose of a designated employee is therefore to deputise for the MLRO.

Compliance Officer (CO)

On the other hand, the CO is an officer of a regulated person (entity) whose role is to ensure that the organisation complies with all laws under which it operates and with the rules issued by the Regulator. The CO must therefore ensure that the licence holder is abiding by all licence requirements and regulations, such as GDPR, ICT regulation, CRS, FATCA, governance requirements, MBR firm-specific filings and any other applicable regulations.

Contrary to common belief, the CO is not expected to draft and implement all the required policies and procedures and keep them up to date with every issued regulation, but rather to ensure that these are established and implemented by the relevant departments within the organisation and followed by all employees (as necessary).

The CO’s responsibilities therefore include:

  • Monitoring and assessing, on a regular basis, the adequacy and effectiveness of the measures and procedures put in place by the licence holder to comply with all its obligations in accordance with regulatory requirements and licence conditions, recording and reporting any breaches of such requirements and outlining the actions taken to address any deficiencies;
  • Advising and assisting the licence holder in complying with its legal and regulatory obligations.

Whereas the MLRO function may not be outsourced, except in very specific circumstances and subject to approval by the MFSA, the CO function may be outsourced by the subject person to third parties.

The CO function is an oversight function, responsible for ensuring that the subject person is abiding by all relevant regulatory and licence requirements. It is entirely distinct from the MLRO function, which is responsible for unusual activity reports, communication with the supervisory authority and ensuring that AML/CFT policies and procedures are in place, effective and implemented.

In terms of AML/CFT, the CO should therefore be overseeing the AML function, ensuring that the MLRO is fulfilling his/her function and that there are appropriate policies and procedures in place, which are being implemented and adhered to by the MLRO and all other employees within the subject person, as required by current regulation.

When the CO is burdened with MLRO duties, the CO has a clear conflict of interest, since effective oversight and assessment of the organisation’s AML/CFT function by the CO becomes impossible.

The Risk Evaluation Questionnaire

The Risk Evaluation Questionnaire (REQ) 2023 deadlines have been issued by the FIAU:

Thursday 13th April 2023

  • Virtual Financial Assets Agents
  • Virtual Financial Assets Service Providers
  • Real Estate Agents
  • Gaming Operators

Thursday 20th April 2023

  • Trust and Fiduciaries
  • Company Service Providers
  • Accountants and Auditors
  • Tax Advisors

Thursday 27th April 2023

  • Credit Institutions
  • Financial Institutions
  • Investment Services and Securities Markets
  • Insurance & Pensions

In light of this, the FIAU has provided copies of the revised REQs on its website, to allow subject persons to start collating the data required for the completion of the questionnaire.

Since the REQ may only be submitted through the CASPAR portal, the 2023 REQ will be made available on the portal as from 1st March 2023. Fenlex Compliance would also like to take this opportunity to remind you that your company profile on the CASPAR portal should be reviewed and updated as necessary prior to the submission of the 2023 REQ.

Fenlex Compliance Services Limited may assist you with completing the questionnaires due next month, as well as provide you with a solution which will allow you to complete the REQ more efficiently. Fenlex may also provide you with various support services aimed at assisting you in organising and improving your AML/CFT and regulatory compliance functions.

Please contact Ann Baldacchino @ for further information and support.

The CSP Reform, what’s new?

Author: Adrian Mercieca, Manager, Corporate Administration Department

Date: 29th March 2021

On the 15th March 2021, the MFSA published the new Company Service Providers (‘CSP’) Rulebook, which shall apply to all Company Service Providers currently authorised under the Company Service Providers Act, 2013 (the ‘Act’), together with many other operators, such as accountants and law firms, who previously had an exemption, did not require authorisation from the MFSA and were therefore ‘unregulated’.

The amendments also introduce the categorisation of CSPs into three licensing classes, as follows:

  • Class A CSP – captures the provision of (i) company incorporation and re-domiciliation and (ii) provision of a registered office, business address or administrative address;
  • Class B CSP – includes a CSP that acts, or arranges for another to act, as a director, company secretary or partner in a partnership, or in any other similar position in an entity; and
  • Class C CSP – a CSP that provides all the services captured by Class A and Class B or, as defined in the Rulebook, all of the services of a company service provider specified in the definition of “company service provider” contained in article 2(1) of the Act.

Application under one of these CSP licence classes is obligatory subject to two exceptions:

  1. Under threshold Class A CSPs – individual warrant holders or civil partnerships in possession of a warrant, or equivalent, to carry out the profession of advocate, notary public, legal procurator or certified public accountant, whose revenue from corporate services work forms, or is forecast to form in the upcoming year, not more than: [a] 35% of the combined total revenue in a calendar year from the provision of all professional services; or [b] EUR100,000, whichever is the higher.
  2. Under threshold Class B CSPs – individuals who hold not more than ten involvements as a director, company secretary or partner in a partnership, or in any other similar position in an entity.

Depending on the class of CSP licence applied for, different capital and insurance requirements apply, as indicated in the table below (fig. 1).

CSP Class                       Initial Capital Requirement
Class A CSPs                    € 10,000
Under threshold Class A CSPs    € 2,500
Class B CSPs                    € 15,000 + Mandatory PII
Under threshold Class B CSPs    € 5,000
Class C CSPs                    € 25,000 + Mandatory PII

Figure 1

Whilst risk has always been an important matter on the agenda of CSPs, the Rulebook introduces a requirement on Class C CSPs to establish and maintain a risk management function which shall independently implement the policies and procedures referred to in the Rulebook and provide reports and advice to the CSP’s senior management. The MFSA may allow the CSP to establish and maintain an in-house risk management function, provided that the said CSP provides evidence to the Authority that the establishment and maintenance of a dedicated independent risk management function, with sole responsibility for risk management, is not appropriate and proportionate in view of the nature, scale and complexity of its business and the nature and range of the CSP services. This notwithstanding, where a Risk Officer is not specifically employed by the CSP, the role should be performed by a senior official of the CSP or a non-executive director.

The MFSA will also be assessing the fitness and properness of any applicants. In this regard, the following aspects will be assessed: (i) competence, (ii) reputation, (iii) conflicts of interest and independence of mind, and (iv) time commitment. The fitness and properness assessment shall be applicable to: (i) the applicant, where the CSP is a natural person; (ii) qualifying shareholders; and (iii) any individual that intends to hold an approved position within the CSP.

On the 16th March 2021, the MFSA opened applications for authorisations under the Act. CSPs have to submit applications via the online portal between the 16th March and the 16th May 2021. It is interesting to note that existing CSPs who were in possession of a CSP licence prior to the date of coming into force of the amendments introduced by Act L of 2020 are obliged to take all necessary steps to adhere to the obligations within six (6) months from the date of publication of the Rulebook, provided, of course, that during such interim period the said CSPs remain compliant with the previous version of the Rules and do their utmost to comply with the new Rulebook to the best of their abilities.

Fenlex has over 30 years of experience in the sector and, through its Compliance team, is in a position to support and assist individuals and/or organisations who are now required to apply for a licence, are deemed to be subject persons and are required to fully comply with the Prevention of Money Laundering and Funding of Terrorism Regulations as well as the Implementing Procedures published by the FIAU. Contact us at for more info.

Electronic Money Institutions in Malta

As was the case for remote gaming and (much more recently) distributed ledger technology and cryptocurrencies, Malta was the first EU member state to publish legislation for Electronic Money Institutions under the Financial Institutions Act in 2011.

An Electronic Money Institution, or e-Money Institution (“EMI”), is a financial institution that is authorised to issue electronic, or digital (including magnetically stored), money. Said authorisation may be obtained through a licence in line with the Financial Institutions Act or through a similar grant from another EU jurisdiction in accordance with the Electronic Money Directive.

In addition, licensed EMIs may provide certain payment services and operate payment systems. These include:

  • Cash deposits on and cash withdrawals from a payment account
  • Payment transactions (including through a payment card or similar device)
  • Direct debits & standing orders
  • Issuing debit cards.

Since EMIs are not permitted to undertake lending or other bank-related activities (hence the issuance of credit cards is not permitted), clients are not exposed to credit risk as would be the case with a normal bank. While EMIs may grant credit related to certain payment services, this is subject to the condition that any such credit shall not be granted from the funds received in exchange for e-money and held in accordance with the prescribed safeguarding requirements.

Similar to the obligations imposed on licensed remote gaming companies in Malta, funds representing e-money must be ring-fenced, and EMIs are liable for any shortfalls.

Fenlex Corporate Services Ltd. has a dedicated banking & compliance team with a working relationship with licensed EMIs in Malta. For more information on opening an account with an EMI in Malta, kindly contact