The Risk Based Approach (RBA) to Customer Due Diligence (CDD) procedures 

The RBA was introduced to subject persons through the 4th Money Laundering Directive, replacing the previously used ‘tick box’ approach to customer due diligence.

Article 7(6) of the Prevention of Money Laundering and Funding of Terrorism Regulation (PMLFTR) requires a subject person’s customer due diligence procedures to be implemented on a risk-sensitive basis. This obligation is reinforced in Chapter 3 of the Implementing Procedures Part 1.

When utilising an RBA to customer due diligence, subject persons must ensure that they understand the inherent risk of business relationships and/or occasional transactions, prior to onboarding and on an ongoing basis. This effectively means that subject persons must understand the particular risks they are being exposed to by onboarding and servicing each of their clients.

Upon understanding their risk exposure, a subject person is then expected to effectively mitigate the risk through the implementation of mitigating measures, which address the unique risks identified through the Customer Risk Assessment process. A subject person therefore cannot solely implement standard mitigating measures across the board, as each client, whether establishing a business relationship or requesting an occasional transaction, will expose the subject person to a unique set of risks.

Should a subject person determine, however, that they are not able, or are not sufficiently equipped, to mitigate the risks identified, then the subject person should refrain from onboarding or servicing the client.

Can the RBA affect your business adversely?

If the RBA is not implemented and utilised as intended, yes, it could hinder business, become time-consuming and costly, and may cause issues with authorities, due to actual risk exposure not being identified and/or addressed.

The scope of adopting a risk-based approach is to allocate resources where they are most needed and to address specific risks. It is however very common for subject persons to default to obtaining more, or more extensively verified, documentation when clients are assessed as being higher risk, most of the time completely overlooking the actual risk being faced.

Although in certain instances further documentation and authentication would be the correct mitigating measure, exposure to certain other risks may not necessarily require further KYC documentation to be collected. Alternatively, a higher level of ongoing monitoring or a different method of ongoing monitoring may need to be implemented and further information may be required (not necessarily from the client).

Obtaining meaningful information, both initially and on an ongoing basis, will help subject persons understand their client, establish what ‘normal’ looks like for that particular client and, as a result, identify any unusual behaviour/activity.


It is therefore imperative, for the protection & survival of the subject person, that AML/CFT measures are targeted to address the actual risks being faced, rather than collecting a significant amount of documentation to tick the proverbial box and attempting to present a compliant front to the regulator.

Subject persons need to work smarter by understanding and addressing real risk, making AML/CFT measures meaningful and efficient in their implementation. Although this approach is not infallible, it will ensure that the subject person is addressing risk meaningfully, taking the appropriate action where necessary.

The MFSA has issued the Annual Compliance Return (ACR) for completion by Company Service Providers

The MFSA has issued the Annual Compliance Return (ACR) for completion by Company Service Providers (CSP). The revised version has been uploaded on the MFSA’s website:

Certain changes have been effected to this year’s ACR and therefore CSPs should seek to download the latest version of the ACR, to ensure that all the necessary fields are completed.

The return will need to be completed and uploaded, together with the required documentation, to the LH portal as follows: 

  • Corporate CSPs, 4 months from the company’s year end
  • Individual CSPs by 30th April 2023

The MFSA has also informed the industry that no extensions will be granted to any of the deadlines.

For further information and assistance please contact us on

The MFSA has issued the Annual Compliance Return (ACR) for completion

The MFSA has issued the Annual Compliance Return (ACR) for completion by Administrators of Foundations, Trustees, and other Fiduciaries. The ACR has been uploaded on the MFSA’s website.

The return will need to be completed and uploaded, together with the required documentation, to the LH portal 4 months from the authorised person’s financial year end.

The MFSA has also informed the industry that no extensions will be granted to any of the deadlines.

For further information and assistance please contact us on

Outcomes of the FATF Plenary, February 2023

The FATF has published a summary of the outcomes stemming from the Plenary held at the FATF headquarters in Paris, which concluded on the 24th February 2023.

Outcome 1: FATF public statements in relation to the Russian Federation

One year after the Russian Federation’s illegal, unprovoked and unjustified full-scale military invasion of Ukraine, the Russian Federation continues to intensify the war of aggression against Ukraine.

This runs counter to FATF’s principles of promoting security, safety and the integrity of the global financial system and the commitment to international cooperation and mutual respect.

As a result, the FATF Plenary has today suspended the Russian Federation’s membership.

Outcome 2: Alterations to the list of Jurisdictions under Increased Monitoring (Grey list)

The FATF has updated the list of jurisdictions under increased monitoring, removing Cambodia and Morocco and adding Nigeria and South Africa to the list.

Outcome 3: Beneficial Ownership

Last year, the FATF agreed on tougher global beneficial ownership standards by requiring countries to ensure that competent authorities have access to adequate, accurate and up-to-date information on the true owners of companies.

As a result, Recommendation 24 on legal persons had been revised, requiring countries to ensure that beneficial ownership information is held by a public authority or body functioning as a beneficial ownership registry, or an alternative mechanism they will use to enable efficient access.

The FATF Plenary has now finalised a guidance document, scheduled for publication in March 2023, which will help countries implement the revised requirements of Recommendation 24.

The Plenary also agreed on enhancements to Recommendation 25 on legal arrangements to bring requirements broadly in line with those for Recommendation 24, to ensure a balanced and coherent set of FATF standards on beneficial ownership.

An additional guidance document will be drafted by the FATF in order to help countries implement the revised requirements of Recommendation 25.

Outcome 4: Disrupting the financial flows from ransomware

The FATF has noted that the scale and number of ransomware attacks have increased significantly in recent years, as criminals are exploiting the latest technologies to develop increasingly powerful tools to carry out their attacks.

Due to this, the FATF has carried out an analysis of the methods criminals use to carry out their ransomware attacks and how they launder ransom payments.

A report in relation to this analysis will be published in March 2023. The report will include a list of risk indicators which can help the public and private sector identify suspicious activities related to ransomware.

Outcome 5: Improving implementation of FATF requirements for virtual assets and virtual asset service providers

Despite the FATF strengthening Recommendation 15, in October 2018, to address virtual assets and virtual asset service providers, many countries have failed to implement these revised requirements, including the ‘travel rule’ which requires obtaining, holding, and transmitting originator and beneficiary information relating to virtual asset transactions. This has led to many countries creating opportunities for criminals and terrorists to exploit virtual assets.

The Plenary has therefore agreed on a roadmap to strengthen the implementation of FATF Standards on virtual assets and virtual asset service providers, which will include a stocktake of current levels of implementation across the global network.

Outcome 6: Money Laundering and Terrorist Financing in the Art and Antiquities Markets

The FATF has finalised a further report, which was scheduled for publication on the 27th of February 2023. The report explores the link between money laundering and art and antiquities.

This report is aimed at exploring how terrorist groups can use cultural objects from areas where they are active to finance their operations and includes a list of risk indicators which can help the public and private sector identify suspicious activities in the art and antiquities markets.

The report also includes existing good practices which have been implemented by countries to address the challenges they face.

Principles of AML/CFT

In terms of the FIAU’s Implementing Procedures and current regulatory requirements, all employees who are involved in the carrying out of the subject person’s relevant activities and relevant financial activities should undergo training on a regular basis. Fenlex Compliance Services Limited is pleased to inform you that we are offering a 2.30-hour training session to assist subject persons in meeting this requirement.

Date: 30th March 2023

Time: 3pm – 5.30pm

Course Delivery Method: Live Webinar

CPE/CPD hours: 2.30

Cost: EUR30


The provision of effective anti-money laundering (AML) training is essential in helping organizations meet their regulatory obligations and to prevent the negative impacts money laundering and terrorist financing can have on society, the economy, organizations, their customers, and employees.

This training session will provide attendees with a broad understanding of current legislation and regulatory requirements in terms of AML/CFT, as well as provide a better understanding of a subject person’s obligations in terms of these requirements.


Please send an email to to register for this session, the cost of which will need to be settled by bank transfer once an invoice has been issued.

For more details kindly open the below brochure.

Compliance Officer VS MLRO

Most people will say that these two functions are one and the same thing. The reality is that in some smaller organisations these two functions, due to size and resources available, are merged.

Whilst this is acceptable for smaller organisations, one needs to appreciate the actual responsibilities of these functions and therefore, even where one person may be fulfilling both, the importance of keeping these functions separate.

Money Laundering Reporting Officer (MLRO)

As defined in the Implementing Procedures Part 1, Section 5.1, the MLRO is an officer of sufficient command within an organisation which is a subject person, whose main functions are:

  • To receive reports from employees regarding knowledge or suspicion of ML/FT, consider these reports, and report externally to the FIAU when they deem that ML/FT or the suspicion of ML/FT subsists
  • To be the main point of contact for the FIAU

Further to MFSA guidance issued in July 2020, in practice the MLRO should also have oversight over all AML/CFT related activities within the organisation. The MLRO would therefore be responsible for ensuring that:

  • AML/CFT policies, controls, processes and procedures are appropriately designed, implemented, and effectively utilised to reduce the risk of the organisation being used for ML/FT
  • Sufficient training is provided to all employees in terms of AML/CFT general obligations, and organisation-specific policy and procedure
  • Proper and sufficient due diligence is performed on customers
  • They assess any client activities which score as high risk of ML/FT, either at onboarding stage or throughout the client relationship, in order to provide recommendations in relation to the mitigation of the risks identified

The MLRO may also be tasked with the monitoring function of day-to-day application of the measures, policies, controls and procedures adopted by the subject person to ensure compliance with its AML/CFT obligations.

In fulfilling these functions, the MLRO may delegate and/or be assisted by other employees falling under his/her supervision, however the MLRO shall remain responsible for the carrying out of the core functions outlined above and thus shall ensure that he/she is carrying out appropriate supervision. Certain subject persons therefore also appoint a designated employee/s, to temporarily replace the MLRO when absent. The main purpose of a designated employee is therefore to deputise for the MLRO.

Compliance Officer (CO)

On the other hand, the CO is an officer of a regulated person (entity) whose role is to ensure that the organisation complies with all laws under which it operates, and rules issued by the Regulator. The CO must therefore ensure that the licence holder is abiding by all licence requirements and regulations such as GDPR, ICT regulation, CRS, FATCA, Governance requirements, MBR firm specific filings and any other applicable regulations.

Contrary to the common belief, the CO is not expected to draft and implement all the required policies and procedures and ensure that they are up to date with every issued regulation, but rather to ensure that these are established and implemented by the relevant departments within the organisation and followed by all employees (as necessary).

The CO’s responsibilities therefore include:

  • Monitoring and assessing on a regular basis the adequacy and effectiveness of the measures and procedures put in place by the licence holder, to comply with all its obligations in accordance with regulatory requirements and licence conditions, and recording and reporting any breaches of such requirements and outlining the actions taken to address any deficiencies;
  • Advising and assisting a licence holder to comply with its legal and regulatory obligations.

Whereas the MLRO function may not be outsourced, except in very specific circumstances and subject to approval by the MFSA, the CO function may be outsourced by the subject person to third parties.

The CO function is an oversight function, responsible for ensuring that the subject person is abiding by all relevant regulatory and licence requirements, which is entirely distinguishable from the MLRO function, which is responsible for unusual activity reports, communication with the supervisory authority and ensuring that AML/CFT policies and procedures are in place, effective and implemented.

In terms of AML/CFT, the CO should therefore be overseeing the AML function, ensuring that the MLRO is fulfilling his/her function and that there are appropriate policies and procedures in place, which are being implemented and adhered to by the MLRO and all other employees within the subject person, as required by current regulation.

When the CO is burdened with MLRO duties, the CO would have a clear conflict of interest in this regard, since it becomes impossible for there to be effective oversight over and assessment of the AML/CFT function of the organisation, by the CO.

The Risk Evaluation Questionnaire

The Risk Evaluation Questionnaire (REQ) 2023 deadlines have been issued by the FIAU:

Thursday 13th April 2023

  • Virtual Financial Assets Agents
  • Virtual Financial Assets Service Providers
  • Real Estate Agents
  • Gaming Operators

Thursday 20th April 2023

  • Trust and Fiduciaries
  • Company Service providers
  • Accountants and Auditors
  • Tax Advisors

Thursday 27th April 2023

  • Credit institutions
  • Financial Institutions
  • Investment Service and Securities Markets
  • Insurance & Pensions

The FIAU has in light of this provided copies of the revised REQs on their website, to allow subject persons to start collating the necessary data, required for the completion of the questionnaire.

Since the REQ may only be submitted through the CASPAR portal, the 2023 REQ will be made available on the portal as from 1st March 2023. Fenlex Compliance would also like to take this opportunity to remind you that your company profile on the CASPAR portal should be reviewed and updated as necessary prior to the submission of the 2023 REQ.

Fenlex Compliance Services Limited may assist you with completing the questionnaires due next month, as well as provide you with a solution which will allow you to complete the REQ more efficiently. Fenlex may also provide you with various support services aimed at assisting you to organise and improve your AML/CFT and regulatory compliance functions.

Please contact Ann Baldacchino @ for further information and support.

New Legal Notices relating to Payroll

Date: 02 March 2022

The Minister of Finance and Employment has recently issued Legal Notices relating to Payroll.

LN 66 of 2022 – The Minister for Finance and Employment has given notice of new amendments relating to the FS4 form. The change refers to Section B box B5 whereby the exempt income increased from €9,840 to €10,020 with effect from basis year 2022. Please click here to read the Legal Notice issued LN 66 of 2022 – Final Settlement System (FSS) (Amendment) Rules, 2022

LN 67 of 2022 – The Part-time Work (Amendment) Rules, 2022 have been amended by LN 67 of 2022 to delete Schedule A and Schedule B. Schedule A was a form that used to be filled in by self-employed individuals to declare their profit and loss while Schedule B was a form used to declare tax to be paid from part-time employment. These forms can now be downloaded from the Commissioner for Revenue website. Please click here to read the Legal Notice issued LN 67 of 2022 – Part-time Work (Amendment) Rules, 2022

LN 68 of 2022 – Rule 3 of the Tax on Overtime Rules has been amended in such a manner that with effect from the year of assessment 2023, the maximum amount of qualifying overtime income derived by an individual in terms of Article 90B of the Income Tax Act cannot exceed (a) EUR 10,000 and (b) does not exceed the number of the actual overtime hours multiplied by the maxrate of 40 hours. Please click here to read the Legal Notice issued LN 68 of 2022 – Tax on Overtime (Amendment) Rules, 2022

Fenlex welcomes three new Directors to the Board

Fenlex welcomes three new Directors to the board – Claire Scicluna, Adrian Mercieca and Josef Pace, who have been part of the management team at Fenlex for a number of years. Their appointment to the Board of Directors is in line with the company’s vision and commitment to prepare the organisation for further growth and development, to recognise individual performance as well as strengthen its service provision and governance by adding new blood that is experienced and qualified.

Claire Scicluna holds a Bachelor of Commerce degree from the University of Malta, majoring in Management and Accounts, and post-grad certification from The Chartered Governance Institute (CGI). She has been working with Fenlex since graduating in 2006 and has risen through the ranks in various roles including head of operations and business development.

Adrian Mercieca holds an MBA from the University of Derby and a post grad Diploma in Strategic Management and Leadership from Pearson. He joined the organisation in 2008 and currently heads the Company Administration Department handling all corporate, compliance and banking matters.

Josef Pace is an Accountant by profession with a practice certificate in Auditing. He moved to Fenlex in 2017 after having held the position of CFO for many years with one of the big four firms in Malta. Josef is currently responsible for the Finance and Risk functions of the organisation.

Practical Implications of Legislative Amendments Introduced by Act LX of 2021. New Form K and Incorporation Form.

Author: Oxana Gritsun, Corporate Administrator

Date: 8 February 2022

Act LX of 2021 introduced various legislative amendments to the Companies Act, Cap. 386. Among others, these included required updates to the contents of the Memorandum & Articles of Association of companies, inclusion of new definitions in the preliminary provisions of the Act, changes in the Annual Return Form and additional duties of the Registrar. For a detailed overview of the above-mentioned amendments, kindly click here.

This article aims to cover the practical implications of changes in relation to the appointment of directors (Article 139), namely the requirement for proposed directors to personally sign the M&As or, as an alternative, deliver a signed consent to the Malta Business Registry (the “MBR”) to hold office as such. In addition, the proposed directors shall declare whether they are aware of any circumstances which could lead to their disqualification from holding office as director.

To put the above-mentioned requirements into practice, the MBR has incorporated these declarations into the respective statutory forms, namely an amended Form K and the newly introduced Form K(1).

Form K

The updated Form K is now divided into two sections (A and B). Section A replicates the original form, which can be signed by any eligible company officer, informing the MBR of any changes in directors, company secretary or legal representation of a company. The new Section B is dedicated to the director’s consent and declaration for appointment and can only be signed by the newly appointed director.

Form K (electronic filing)

In case of electronic filing via the Malta Business Registry’s online portal, a stand-alone Form K – Section B should be submitted. It will appear under Private Documents as “Declaration of Director/s in terms of Law”, while Section A will be generated through the online system.

Form K(1)

This new form mirrors the same reporting obligations as Section B of the amended Form K; however, it forms part of the required documentation upon the formation of a new company.

It is vital to note that as from the 1st February 2022, only these new statutory forms will be accepted by the Malta Business Registry.


Fenlex Corporate Services Ltd. and Fenlex Management Services Limited are licensed by the Malta Financial Services Authority and may also assist in submitting these forms with an EU qualified digital signature as an alternative to wet-ink originals, which will expedite filings by non-resident directors. Should you require any further information or assistance on the matter, please do not hesitate to reach out to us personally on


©Fenlex Corporate Services Ltd. 2022
