Due Diligence

The Risk Based Approach (RBA) to Customer Due Diligence (CDD) procedures 

The RBA was introduced to subject persons through the 4th Money laundering directive, replacing the previously used ‘tick box’ approach to customer due diligence.

Article 7(6) of the Prevention of money laundering and funding of terrorism regulation (PMLFTR) requires a subject person’s customer due diligence procedures to be implemented on a risk-sensitive basis. This obligation is reinforced in chapter 3 of the implementing procedures part 1.

When utilising a RBA to customer due diligence, subject persons must ensure to understand the inherent risk of business relationships and/or occasional transactions, prior to onboarding and on an ongoing basis. This effectively means that subject persons must understand the particular risks they are being exposed to by onboarding and servicing each of their clients.

Upon understanding their risk exposure, a subject person is then expected to effectively mitigate the risk through the implementation of mitigating measures, which address the unique risks identified through the Customer Risk Assessment process. A subject person therefore cannot solely implement standard mitigating measures across the board, as each client, whether establishing a business relationship or requesting an occasional transaction, will expose the subject person to a unique set of risks.

Should a subject person determine however, that they are not able, or are not sufficiently equipped, to mitigate the risks identified, then the subject person should refrain from onboarding or servicing the client.

Can the RBD affect your business adversely? 

If the RBA is not implemented and utilised as intended, yes, it could hinder business, become time consuming, costly and may cause issues with authorities, due to actual risk exposure not being identified and/or addressed.

The scope of adopting a risk-based approach is to allocate resources where they are most needed and to address specific risks. It is however very common for subject persons to default to obtaining more, or more extensively verified documentation when clients are assessed as being higher risk, most of the time completely overlooking the actual risk being faced.

Although in certain instances further documentation and authentication would be the correct mitigating measure, exposure to certain other risks may not necessarily require further KYC documentation to be collected. Alternatively, a higher level of ongoing monitoring or a different method of ongoing monitoring may need to be implemented and further information may be required (not necessarily from the client).

Obtaining meaningful information, both initially and on an ongoing basis, will help subject persons understand their client, establish what ‘normal’ looks like for that particular client and as a result Identify any unusual behaviour/activity.


It is therefore imperative, for the protection & survival of the subject person, that AML/CFT measures are targeted to address the actual risks being faced, rather than collecting a significant amount of documentation to tick the proverbial box and attempting to present a compliant front to the regulator.

Subject persons need to work smarter by understanding and addressing real risk, making AML/CFT measures meaningful and efficient in their implementation. Although this approach is not infallible, it will ensure that the subject person is addressing risk meaningfully, taking the appropriate action where necessary.

Salient Changes to the Company Incorporation Process

Authors: Christian Farrugia, Senior Corporate Administrator and Clarissa Musu, Corporate Administrator

5th February, 2021

In an ever-developing industry with the continuous introductions of new and the updating of current regulations and procedures, recent months have brought about numerous changes to the process of setting up a new company with the Malta Business Registry (the “MBR”). While some of these changes may be more significant than others for the overall process, it is important that no step is overlooked to ensure a smooth incorporation.

  1. The Setting up of an FDI Screening Office

The National Foreign Direct Investment (FDI) Screening Office was set up in 2020 to review direct investments originating from countries outside the EU on grounds of security and public order. The screening process was therefore implemented into (but is not limited to) the incorporation procedure when formation documents are to be filed with the MBR.

Not all industries are subject to screening and therefore every incorporation must be looked at on a case-by-case basis to determine whether the proposed activities of the company fall into one of the applicable sectors. These include:

  1. critical infrastructure, whether physical or virtual, including energy, transport, water, health, communications, media, data processing or storage, aerospace, defence, electoral or financial infrastructure, and sensitive facilities, as well as land and real estate crucial for the use of such infrastructure;
  2. critical technologies and dual use items as defined in point 1 of Article 2 of Council Regulation (EC) No 428/2009 (15), including artificial intelligence, robotics, semiconductors, cybersecurity, aerospace, defence, energy storage, quantum and nuclear technologies as well as nanotechnologies and biotechnologies;
  3. supply of critical inputs, including energy or raw materials, as well as food security;
  4. access to sensitive information, including personal data, or the ability to control such information; and
  5. the freedom and pluralism of the media.

Applicable companies, through the ultimate beneficial owner/s or with the assistance of their corporate services provider such as Fenlex, would need to complete an online notification form in line with the guidelines provided. Applicants would then be notified on the outcome of the application by email.

  1. Due Diligence Requirements for the MBR

The MBR recently updated its ‘Know Your Client’ requirements in line with anti-money laundering obligations as implemented by the Financial Intelligence Analysis Unit (FIAU), with particular emphasis on the certification of identification documents.  Certifications are to follow specific guidelines, which if not followed correctly, may delay the incorporation process.

Certification must be carried out by a legal professional, a notary, an accountant or any person undertaking relevant financial business or a person undertaking an activity equivalent to relevant financial business carried out in another jurisdiction.

The certification must be evidenced by a written confirmation stating that:

  1. The document is a true copy of the original;
  2. The document has been seen and verified by the certifier; and
  3. The photo is a true likeness of the client or the beneficial owner/s

Moreover, it is of utmost importance that the certifier signs and dates the certification clearly, whilst also indicating his/her name, profession or office, warrant number (if applicable) and includes their contact details. The certifier is to ensure the certification is completed in the English language, and where this is not possible, a translation would need to be provided.

Where the certification of a document is done by a certifier outside the EU, said document must be further endorsed by an apostille. If this is not possible, the signatory should be authenticated by a local (EU or Maltese) services provider like Fenlex or a warranted professional.

Non-EU nationals are required to provide a bank reference to the registry prior to incorporation.  This regulation is exempt to EEA countries and any shareholder who holds less than 5% of shares in the Company to be incorporated.

  1. Deposit of Initial Share Capital

The maximum threshold allowed by the MBR for the deposit of the initial share capital into a formation account, i.e. a client’s account belonging to a service provider such as Fenlex, is fifty thousand Euro (€ 50,000). Once the company is incorporated and an account is opened in its own name, the initial funds may be transferred there and there are no limits from an MBR perspective on subsequent share capital allotments.

Should you wish to incorporate a company which would require an issued share capital of € 50,000 or more in the short term, please get in touch with a member of the Fenlex team for assistance.

  1. Other Considerations
  • The email address of at least one of the directors must be provided to the MBR when submitting incorporation documents.
  • Any proposed officers of the new company who already hold office in existing companies must ensure that said existing companies are in good standing with the MBR. This includes (but is not limited to) having audited financial statements, annual returns and annual beneficial ownership declarations filed, and having no outstanding dues with the MBR.

Should you require any further information or assistance on the matter, please do not hesitate to reach out to us personally on info@fenlex.com.

©Fenlex Corporate Services Ltd.

Disclaimer │ The information provided on this Update does not, and is not intended to, constitute legal advice. All information, content, and materials available are for general informational purposes only.  This Update may not constitute the most up-to-date legal or other information and you are advised to seek updated advice.