.svg)
The Malta Financial Services Authority (MFSA) has identified major shortcomings in how crypto-asset service providers (CASPs), e-money institutions (EMIs) and payment service providers (PSPs) address financial terrorism and targeted financial sanctions risks.
In a new “Dear CEO” letter, the regulator has stressed the need for stronger governance and compliance cultures, and called on firms to improve their financial crime frameworks, reduce their reliance on third-party compliance tools and enhance their staff training.
The MFSA shared details of a recent review, which found that although firms recognise risks in these areas, many fail to implement the necessary technologies to help mitigate them.
“The increasing prominence of crypto-asset services and instant payments is juxtaposed by implications resulting from the geo-political context characterising the EU's periphery and beyond,” the letter says.
“The implementation of restrictive measures has become a core issue for both those regulating and those being regulated.”
According to the regulator, “the financial services industry's expanded diversity can, even unintentionally, result in increased FT risks and heightened exposure to the circumvention of sanctions”.
“As a consequence, stronger mitigating measures may be required.”
More use of tech necessary
The review found that 94 percent of firms include financial terrorism risk in their money laundering reporting officer reports, yet only 27 percent of EMIs and PSPs use advanced technologies such as artificial intelligence (AI), machine learning or blockchain analytics to strengthen financial crime controls.
Although 52 percent plan to adopt AI and machine learning, 48 percent have no such plans, raising concerns that many firms may struggle to meet future regulatory expectations.
The MFSA also flagged deficiencies in sanctions compliance.
Although 92 percent of firms use third-party sanctions screening tools, 10 percent still conduct screening manually, and 6 percent admitted their systems do not detect sanctions list updates in real time.
The review also highlighted that 20 percent of firms do not screen beneficiaries or merchants in transactions, and 4 percent do not assess corporate ownership structures when screening clients.
The MFSA reminded firms that they are fully responsible for sanctions compliance, even when relying on third-party providers.
In transaction monitoring, 14 percent of firms still rely entirely on manual processes, 68 percent use a mix of manual and automated monitoring, and only 18 percent have fully automated systems.
Among those using automated tools, one-third admitted that their systems do not analyse false positives, and 20 percent said their monitoring lacks the ability to detect terrorism financing or sanctions evasion.
The MFSA said that it expects firms to align monitoring systems with their risk exposure and business models, warning that crypto firms, in particular, must invest in advanced technologies to detect suspicious activity effectively.
The regulator also cautioned that blockchain analytics alone is insufficient and urged firms to adopt a broader risk-based approach.
Next steps
The MFSA outlined its key expectations of firms in terms of strengthening financial crime compliance: improving staff training; incorporating the latest national risk assessment into risk assessments; conducting a sanctions risk exposure assessment; independently reviewing third-party compliance solutions; ensuring policies clearly define applicable sanctions lists; and considering new technologies to enhance financial crime controls.
The regulator warned that its latest findings may influence future supervisory action and urged firms to use this report as an opportunity to assess and strengthen their compliance frameworks.
It welcomed engagement from firms seeking clarification on sanctions compliance, reaffirming its commitment to providing ongoing guidance and best practices to the financial services sector.
Going forward, CASPs, EMIs and PSPs operating in Malta should reassess their financial crime compliance practices to ensure that they can meet the requirements in full, and, if necessary, they should ask the MFSA for guidance.
