Financial Crime World

VFA Service Provider’s Activities Subject to Anti-Money Laundering Requirements

Malta’s Financial Intelligence Analysis Unit (FIAU) has issued guidelines outlining the anti-money laundering (AML) and combating the financing of terrorism (CFT) requirements for VFA service providers. The FIAU has also issued sector-specific instructions (IPs Part II) to assist these providers in ensuring compliance with their AML/CFT obligations.

Types of Payments or Money Transmission Activities Subject to Anti-Money Laundering Requirements

  • Credit institutions and financial institutions, including payment service providers and money brokers, are required to comply with AML requirements.
  • These entities include:
    • VFA service providers authorized by the Virtual Financial Assets Act (VFAA)
    • Issuers of virtual financial assets making public offers in or from Malta
    • Any activity carried out by a VFA agent registered under the VFAA

Cryptocurrency Industry Subject to Anti-Money Laundering Requirements

  • The AML/CFT obligations imposed on VFA service providers, issuers of virtual financial assets, and VFA agents apply to various entities, including those involved in cryptocurrency transactions.
  • The FIAU has issued sector-specific IPs (IPs Part II) to guide these entities in ensuring compliance with their AML/CFT obligations.

Non-Fungible Tokens (NFTs)

  • The determination of whether an NFT is subject to AML requirements depends on the characteristics of the NFT.
  • If the NFT falls within the definition of a Virtual Financial Asset as defined in the VFAA, it would be subject to AML requirements.
  • Service providers are advised to seek legal advice to determine whether the respective NFT qualifies as a VFA or otherwise.

Compliance Programs for Financial Institutions and Designated Businesses

  • Regulation 5(5) of the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR) requires service providers to establish and implement measures, controls, policies, and procedures that address ML/FT risks identified through their business risk assessment.
  • These measures include:
    • Customer due diligence
    • Record keeping
    • Reporting
    • Risk management
    • Internal controls
    • Compliance management
    • Communications
    • Employee screening
    • Training
    • Awareness

Recordkeeping and Reporting Requirements

  • Applicable laws and regulations do not impose specific reporting requirements solely based on the size of a transaction.
  • However, service providers are required to detect unusually large transactions and assess their legitimacy.
  • A reporting obligation arises where there is reasonable suspicion of ML/FT or doubts about the veracity of the information and/or documentation gathered.

Customer Identification and Due Diligence Requirements

  • Customer due diligence measures consist of:
    • Identifying and verifying customers
    • Understanding ownership and control structures
    • Obtaining sufficient information to understand the purpose and intended nature of business relationships
  • Service providers are also required to undertake ongoing monitoring, including transaction monitoring.
  • In cases of corporate or legal arrangements, customer due diligence measures include:
    • Ascertain the legal status of the customer
    • Obtain confirmation that beneficial owner information has been filed with the competent authority
    • Identify directors
    • Verify authorized signatories
    • Obtain evidence of authorization

Simplified Due Diligence

  • Service providers may apply Simplified Due Diligence (SDD) in respect of a customer posing a low risk.

By ensuring compliance with these AML/CFT requirements, VFA service providers can mitigate the risks associated with money laundering and terrorist financing.