FIAU ‘pleased to note more commitment to implement effective AML/CFT procedures’

Malta’s Financial Intelligence Analysis Unit (FIAU) has released its latest Enforcement Factsheet, reporting its common observations across sectors subject to AML/CFT, concluding with pleasure, that “overall it is observing more commitment and investments by subject persons to implement effective AML/CFT procedures”.

This, it says, “augurs well in [its] joint bid to fight money laundering and the financing of terrorism”. 

Especially, the organisation identifies that throughout the past years it has noticed several improvements with regards to adhering to this obligation particularly within the Credit and Financial Institutions and Gaming Industry.

In these sectors, it has seen that “institutions and industries are investing in transaction monitoring tools”.  

The FIAU comments that “the most common finding noted across all sectors relates to the appreciation of risk”. 

“While understanding risks is essential”, it continues, “the transposition of such understanding into effective methodologies to determine the risk exposure both at the business and customer level is critical”. 

Another issue is a lack of implementation of some measures.

FIAU presents an example in which a remote gaming operator provided it with a procedures manual which was “noted to be quite robust and provided adequate guidance as to how the customers were to be onboarded and how their business relationship was to be monitored throughout”. 

However, when the onsite compliance review was carried out, the FIAU explains that this procedures manual was not being implemented.

This finding, the authority says, is “considered to be serious”, because it is “futile” to have processes and procedures in place without implementing them, and “where appropriate, monitoring that they are being adequately implemented”.

Another area which the FIAU singled out as needing attention is in the collection of anti-money laundering data by remote gaming operators, many of whom, it says, only collect data that “add no value” for some high-risk players.

It emphasises that in the case of higher risk individuals, “obtaining details such as “employed”, “in business”, “entrepreneur” etc add no value in understanding the customer’s profile and determining his source of wealth”.

Discussing internal and external reporting, the FIAU finds it “positive to note that the number of Suspicious Transaction Reports (SRTs) submitted to the organisation has been increasing steadily over the past years”, from 1,668 in 2018 to 5,090 in 2020.

The main contributors to this increase, the organisation says, “remain the Banking and Remote Gaming Sector”. 

Other sectors noted by the FIAU as having shortcomings was the real estate industry, where the organisation has spotted “shortcomings with regard to the identification and verification measures”.

The FIAU cites an example where “whenever the sale of a property involved a legal entity, the subject person, while carrying out customer due diligence on the agent… and the legal entity, failed to verify the identity of the beneficial owners of the legal entities”.

Both real estate agents and notaries, the agency finds, have obligations to detect anomalous, unusual or suspicious transactions or transactions presenting higher risks, and subject persons in these sectors were sometimes failing to query large payment in cash.

“While not frequent, there were isolated cases where the subject person failed to question the purchase of immovable property involving substantial amounts of lump sums paid from own funds”, the FIAU says.

In the financial sector, the most common breaches noted in 2020 were in customer risk assessments, of which 12.12 per cent were inadequate, and breaches around obtaining information on the purpose and intended nature of a business relationship.

In the non-financial sector, the most common breach was also in customer risk assessments, 11.36 per cent were found to be inadequate, followed by in business risk assessments, where 7.58 of business failed to perform one.