Malta has now adopted and implemented the 4th Anti-Money Laundering Directive. The updated Prevention of Money Laundering and Financing of Terrorism Regulations (PMLFTR) were published in the Government Gazette in December 2017 as Subsidiary Legislation 373.01 (Legal Notice 372 of 2017), and the Directive's provisions take effect on 1 January 2018.
In Malta, there are two main legislative instruments that regulate money laundering and its prevention, namely:
– the Prevention of Money Laundering Act (1994); and
– the Prevention of Money Laundering and Funding of Terrorism Regulations (2008) (referred to as the Regulations).
The Act primarily deals with the criminal aspects of money laundering, whereas the Regulations set out the obligations of persons working in sectors which are susceptible to money laundering.
The Directive follows a risk-based approach and aims to achieve a unified set of AML rules across all EU Member States. Through the transposition of the Directive's provisions into Maltese law, all providers of gambling services, including online gambling operators and not solely casino operators, will be governed by the EU AML rules.
The main development introduced by the new Regulations is the greater emphasis on a risk-based approach. The Regulations also restate the anti-money laundering and counter-terrorist financing obligations of subject persons, and in particular the customer due diligence requirements.
The Prevention of Money Laundering and Financing of Terrorism Regulations (PMLFTR) go a step further than what is imposed under the Directive. Article 9 sets out additional provisions on customer due diligence for casino and gaming licensees. It requires casino and gaming licensees to carry out customer due diligence whenever the wagering of a stake, the collection of winnings, or both amounts to €2,000 or more, whether this occurs in a single transaction or in several transactions which appear to be linked. This obligation applies regardless of whether the payment is carried out within the context of a business relationship. Furthermore, it must be noted that the 4th AML Directive brings online gambling operators within the definition of obliged entities (subject persons under the Maltese Regulations).
Further to this, under the revised Regulations the definition of 'beneficial owner' is extended: where no natural person can be identified as owning or controlling a corporate entity, a subject person will be required to identify as beneficial owners those individuals who occupy senior management positions within the corporate entity concerned.
The previous regime allowed customer due diligence to be applied on a risk-sensitive basis: entities could vary the extent and timing of the requirements according to the risk presented by a business relationship or occasional transaction. Under the new Regulations, however, the risk-based approach is mandatory. Obliged entities (such as gaming operators) falling within the scope of the Directive are now required to identify, understand and mitigate their risks, and to document and keep up to date the risk assessments they undertake. In doing so they must take into account risk factors relating to their customers, countries or geographic areas, products, services, transactions and delivery channels. Such steps shall be proportionate to the nature and size of the obliged entity. This applies not only to customers, but also to business partners and suppliers. In light of the above, the FIAU has stated that firms will be allowed greater discretion in determining how to meet these obligations. This ultimately means that more flexibility would be granted to firms when assessing any money laundering and
Under the 4th AML Directive, Member States shall ensure that obliged entities have in place policies, controls and procedures to mitigate and manage effectively the risks of money laundering and terrorist financing identified at the level of the Union, the Member State and the obliged entity. These shall include the development of internal policies, controls and procedures, including model risk management practices, customer due diligence, reporting, record-keeping, internal control, compliance management (including, where appropriate with regard to the size and nature of the business, the appointment of a compliance officer at management level) and employee screening.
Customer Due Diligence
Customer due diligence measures comprise the following:
a. identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source;
b. identifying the beneficial owner and taking reasonable measures to verify that person's identity;
c. assessing and, as appropriate, obtaining information on the purpose and intended nature of the business relationship;
d. conducting ongoing monitoring of the business relationship.
Obliged entities must be able to demonstrate to competent authorities
or self-regulatory bodies that the measures are appropriate in view of the
risks of money laundering and terrorist financing that have been identified.
Member States shall require that verification of the identity of the customer and the beneficial owner take place before the establishment of a business relationship or the carrying out of the transaction. However, Member States may allow verification of the identity of the customer and the beneficial owner to be completed during the establishment of a business relationship, where this is necessary so as not to interrupt the normal conduct of business and where there is little risk of money laundering or terrorist financing. In such situations, verification shall be completed as soon as practicable after initial contact. Further to this, obliged entities must apply customer due diligence measures not only to all new customers but also, at appropriate times, to existing customers on a risk-sensitive basis, including when the relevant circumstances of a customer change.
Member States may permit obliged entities to rely on third parties to meet the customer due diligence requirements laid down in points (a), (b) and (c) of the first subparagraph of Article 13(1), listed above. However, the ultimate responsibility for meeting those requirements remains with the obliged entity which relies on the third party. In such cases, the obliged entity to which the customer is referred must take adequate steps to ensure that the third party provides, immediately upon request, relevant copies of identification and verification data and other relevant documentation on the identity of the customer or the beneficial owner.
Where a Member State or an obliged entity identifies areas of lower risk, that Member State may allow obliged entities to apply simplified customer due diligence measures. Before doing so, obliged entities shall ascertain that the business relationship or the transaction presents a lower degree of risk. Entities must still carry out sufficient monitoring of transactions and business relationships to enable the detection of unusual or suspicious transactions.
In certain instances, Member States shall require obliged entities to apply enhanced customer due diligence measures to manage and mitigate risks appropriately. Obliged entities must examine, as far as reasonably possible, the background and purpose of all complex and unusually large transactions, and of all unusual patterns of transactions, which have no apparent economic or lawful purpose. In particular, obliged entities shall increase the degree and nature of monitoring of the business relationship in order to determine whether those transactions or activities appear suspicious.
With respect to transactions or business relationships with politically exposed persons, Member States shall, in addition to the customer due diligence measures, require obliged entities to: (a) have in place appropriate risk management systems, including risk-based procedures, to determine whether the customer or the beneficial owner of the customer is a politically exposed person; and (b) in cases of business relationships with politically exposed persons, (i) obtain senior management approval for establishing or continuing business relationships with such persons; (ii) take adequate measures to establish the source of wealth and source of funds involved in business relationships or transactions with such persons; and (iii) conduct enhanced, ongoing monitoring of those business relationships. These conditions also apply to the family members and known close associates of such politically exposed persons.
Where such a person is no longer entrusted with a prominent public function, entities must, for at least 18 months, take into account the continuing risk posed by that person and apply appropriate, risk-sensitive measures until such time as that person is deemed to pose no further risk specific to politically exposed persons.
With regard to reporting obligations, obliged entities and, where applicable, their directors and employees must cooperate fully by promptly: (a) informing the FIAU, including by filing a report on their own initiative, where the obliged entity knows, suspects or has reasonable grounds to suspect that funds, regardless of the amount involved, are the proceeds of criminal activity or are related to terrorist financing, and by promptly responding to requests by the FIAU for additional information in such cases; and (b) providing the FIAU, directly or indirectly, at its request, with all necessary information, in accordance with the procedures established by the applicable law.
All suspicious transactions, including attempted transactions, shall be reported. Entities are to refrain from carrying out such transactions until further instructions are received from the FIAU. Disclosure of information in good faith shall not constitute a breach of any restriction on disclosure of information imposed by contract or by any legislative, regulatory or administrative provision, and shall not involve the obliged entity or its directors or employees in liability of any kind, even where they were not precisely aware of the underlying criminal activity and regardless of whether illegal activity actually occurred. Member States shall ensure that individuals within the obliged entity who report suspicions are protected from being exposed to threats, hostile action or other adverse action as a result. However, obliged entities and their directors and employees shall not disclose to the customer concerned or to other third persons the fact that information is being, will be or has been transmitted, or that a money laundering or terrorist financing analysis is being, or may be, carried out.
In this regard, operators must ensure that they have an internal suspicious activity/transaction reporting procedure which ensures that the necessary reports are made to the FIAU.
Data protection and retention
Entities are to retain certain documents and information for the purpose of the prevention, detection and investigation, by competent authorities, of possible money laundering or terrorist financing. This is considered to be a matter of public interest. In the case of customer due diligence, a copy of the documents and information necessary to comply with the customer due diligence requirements must be retained for a period of five (5) years after the end of the business relationship with the customer or after the date of an occasional transaction. The same applies to supporting evidence and records of transactions, consisting of original documents or copies admissible in judicial proceedings. Upon expiry of these retention periods, Member States shall ensure that obliged entities delete personal data, unless otherwise provided for by national law, which shall determine under which circumstances obliged entities may or shall further retain data.
Personal data shall be processed by obliged entities on the basis of these Regulations only for the purposes of the prevention of money laundering and terrorist financing, and shall not be further processed in a way that is incompatible with those purposes. Processing of personal data on the basis of these Regulations for commercial purposes is prohibited.
Where obliged entities have branches or majority-owned subsidiaries located in third countries whose minimum AML/CFT requirements are less strict than those of the Member State, those branches and majority-owned subsidiaries must implement the requirements of the Member State, including data protection, to the extent that the third country's law so allows.
Obliged entities that are part of a group must implement group-wide policies and procedures, including data protection policies and policies and procedures for sharing information within the group for AML/CFT purposes. The sharing of information within the group is allowed. Information on suspicions that funds are the proceeds of criminal activity or are related to terrorist financing which has been reported to the FIAU shall be shared within the group, unless otherwise instructed by the FIAU.
Policies must include staff training covering awareness of the provisions of the Directive, recognition of potential money laundering activity and how to proceed in such cases.
In addition, a clearly defined and robust Customer Acceptance Policy is required.
In the case of providers of gambling services, the competent authority (the MGA) shall have enhanced supervisory powers.
Payment and E-money institutions
The changes in the PMLFTR are largely in line with the Directive. However, the Regulations seem to go one step further with regard to the provisions relating to payment and e-money institutions. It must be noted that such institutions passporting into Malta will be required by the Maltese authorities to establish a central contact point. The Regulations have also stuck to the letter of the Directive on the due diligence exemption for e-money providers, which is subject to a €250 monthly transaction cap. This has created indirect barriers to entry for some e-money issuers, with those passporting into a host Member State potentially placed at a disadvantage compared with entities licensed there.
Obliged entities shall be held liable for breaches of
The administrative sanctions and measures that can be
applied include at least the
following: (a) a public statement which identifies the natural or legal person
and the nature of the breach; (b) an order requiring the natural or legal
person to cease the conduct and to desist from repetition of that conduct; (c)
where an obliged entity is subject to an authorisation, withdrawal or
suspension of the authorisation; (d) a temporary ban against any person
discharging managerial responsibilities in an obliged entity, or any other
natural person, held responsible for the breach, from exercising managerial
functions in obliged entities; (e) maximum administrative pecuniary sanctions
of at least twice the amount of the benefit derived from the breach where that
benefit can be determined, or at least one million euro (EUR 1,000,000).
Member States may empower competent authorities to impose additional types of administrative sanctions beyond those referred to in points (a) to (d) above, or to impose administrative pecuniary sanctions exceeding the amounts referred to in point (e).
In conclusion, one must note that the MGA has not yet issued guidelines and procedures for gaming operators; however, further clarification from the Authority is expected to be issued shortly.