AML/CFT Compliance in Malta: MFSA, FIAU, PMLA, and the 2026 Regulatory Landscape

RegMantle Editorial · 16 April 2026 · 13 min read

Malta’s AML/CFT regime is under heightened scrutiny after the jurisdiction was removed from the FATF grey list in June 2022. The Financial Intelligence Analysis Unit (FIAU) has since stepped up supervision, especially of Virtual Financial Asset (VFA) service providers and the notary/legal-profession sector. A wave of enforcement actions - including a €4.9 million fine on Pilatus Bank in 2020 and €3.7 million against Satabank in 2023 - demonstrates that regulators are no longer hesitant to impose substantial penalties. This guide walks compliance officers, offshore bankers and regulators through the current legal framework, recent supervisory trends and practical steps to stay compliant in 2026 and beyond.

Key Facts at a Glance

Primary regulator: MFSA (Malta Financial Services Authority)
AML supervisory unit: FIAU (Financial Intelligence Analysis Unit)
Primary AML law: Prevention of Money Laundering Act (PMLA) Cap. 373
Regulatory instruments: Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR) S.L. 373.01
Implementing procedures: FIAU Part I (General) - issued 12 January 2024; FIAU Part II (Sector-specific) - issued 5 July 2025
FIU reporting platform: FIAU e-Reporting System (online portal launched 1 March 2024)
FATF status: Removed from grey list 15 June 2022
Recent enforcement (2023-2026): ≈ €2.2 million in fines; 2026 court ruling caps fines at 10 % of turnover
Citizenship-by-investment: Programme discontinued 2025 after EU infringement action

The Regulatory Landscape

At the core of Malta’s AML/CFT framework sits the Prevention of Money Laundering Act (PMLA) Cap. 373, which incorporates the EU’s Fourth and Fifth Anti-Money-Laundering Directives (4AMLD, 5AMLD) and sets out the substantive obligations for “obliged persons”. The complementary Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR) S.L. 373.01 provide detailed procedural rules, including record-keeping periods (Section 5), customer-due-diligence (CDD) standards (Section 7) and the duty to file suspicious activity reports (SARs) (Section 13).

The MFSA retains ultimate supervisory authority over financial institutions, while the FIAU - established under the PMLA in 2018 - is the designated Financial Intelligence Unit (FIU) responsible for receiving SARs, conducting analysis and forwarding relevant cases to the Maltese Public Prosecution Service. The FIAU also issues the “Implementing Procedures” that translate the PMLA’s broad provisions into sector-specific expectations. Part I (General) covers risk-based approaches, internal controls and training; Part II (Sector-specific) contains separate annexes for banks, insurance, VFA service providers, notaries, lawyers and real-estate agents.

Malta’s AML/CFT obligations are further shaped by EU legislation that applies directly, such as the EU Sanctions Regulations (Regulation (EU) 2022/255) and the EU Regulation on the Transfer of Funds (Regulation (EU) 2023/1113). Although the EU’s Sixth AML Directive (6AMLD) and the forthcoming EU AML Regulation (AMLR) will become directly applicable on 10 July 2027, the MFSA has already begun aligning national guidance with the AMLR’s risk-assessment and reporting timelines.

MFSA and FIAU Guidance (2024-2025)

On 12 January 2024 the FIAU released Implementing Procedure Part I - General, which introduced a mandatory annual risk-assessment template (Annex A) and clarified the “same-day” filing requirement for SARs under Section 13(1) of the PMLA. The guidance also set out a minimum of 20 hours of AML training per employee per year (Section 6(2) of the PMLFTR). A subsequent amendment on 5 July 2025 - Implementing Procedure Part II - Sector-Specific - added annexes for VFA service providers (Annex B) and notaries (Annex C), reflecting the impact of MiCAR and the EU’s revised Notarial Services Directive.

The MFSA’s “Guidelines on AML/CFT for Financial Institutions” (issued 3 March 2025) complement the FIAU procedures by detailing supervisory expectations on governance, board oversight and the appointment of a Money-Laundering Reporting Officer (MLRO). The guidelines stress that the MLRO must be a senior officer with direct reporting lines to the board and that the board must receive quarterly AML performance dashboards (MFSA Guidelines, para 4.2.1).

Customer Due Diligence and KYC

Under Section 7 of the PMLFTR, CDD for natural persons must capture: full name, date and place of birth, nationality, residential address, and a government-issued identification number. Verification must be performed using a “reliable, independent source” - typically a passport, national ID card or driver’s licence - and must be completed before the business relationship commences (Section 7(1)(a)). For legal entities, the required documents include a certified copy of the company registration (Malta Business Registry), the memorandum and articles of association, a register of shareholders and a declaration of ultimate beneficial owners (UBOs) in line with the Beneficial Ownership Register (BOR) introduced in 2019.

The threshold for identifying a UBO is 25 % of voting rights or share capital, consistent with EU standards. Where no natural person meets the 25 % threshold, the “senior managing official” is recorded as a notional UBO (Section 7(3) PMLFTR). The FIAU’s Part II annex for notaries (Annex C) requires notaries to retain client files for a minimum of ten years after the transaction, extending the standard five-year period for other sectors (Section 5(2) PMLA).

Politically Exposed Persons (PEPs) must be screened at onboarding and on an ongoing basis. The FIAU’s Part I guidance (2024) mandates that PEP status be verified against the EU’s consolidated list and any national designations, with enhanced due diligence (EDD) applied for at least twelve months after a client ceases to hold a PEP position (Section 8(2) PMLFTR). Failure to maintain up-to-date PEP data was a key factor in the €4.9 million Pilatus Bank penalty.

Sanctions Screening

The MFSA requires all obliged entities to implement real-time sanctions screening against the EU Consolidated Financial Sanctions List, the United Nations Security Council Consolidated List and any national designations published by the Maltese Ministry for Foreign and European Affairs. The FIAU’s Part II annex for banks (Annex A) specifies that screening must occur at three points: client onboarding, transaction initiation and periodic batch reviews (minimum quarterly). The system must retain screening logs for at least five years (Section 9(1) PMLFTR).

⚠ Practical Note

Malta’s sanctions regime mirrors EU expectations. A breach of the “same-day” SAR filing rule in conjunction with a sanctions-evasion failure can trigger a combined penalty of up to 10 % of annual turnover, as demonstrated in the Satabank case.

SAR/STR Reporting

Suspicious Activity Reports (SARs) and Suspicious Transaction Reports (STRs) must be submitted through the FIAU’s online e-Reporting System. Section 13(1) of the PMLA obliges the reporting entity to file “without undue delay” - interpreted by the FIAU as the same working day for high-risk alerts and the next working day for routine alerts (FIAU Implementing Procedure Part I, paragraph 4.3). The report must include a narrative description, the legal basis for suspicion, and any supporting documentation (Section 13(2) PMLFTR).

The FIAU reserves the right to request additional information within ten days of receipt. Failure to comply can result in administrative fines of up to €500 000 per breach (Section 14(1) PMLA) and, where the breach is deemed intentional, criminal liability under Section 15 of the PMLA (maximum imprisonment of five years).

Risk-Based Approach

The PMLA mandates a risk-based approach (RBA) under Section 5. Obliged entities must conduct a full risk assessment covering customer, product, service, geographic and delivery-channel risks. The FIAU’s Part I guidance (2024) requires the risk-assessment to be documented in a “Risk-Assessment Register” and refreshed annually or whenever a material change occurs (e.g., acquisition of a new business line). Separate risk analyses for money-laundering (ML) and terrorist-financing (TF) are required, with the TF analysis focusing on high-risk jurisdictions identified in the EU’s Terrorist Financing Risk Map (2025 edition).

The MFSA’s 2025 supervisory focus areas highlighted “digital-asset service providers”, “high-net-worth private banking” and “cross-border correspondent banking” as sectors where deficiencies were most common. Institutions that fail to align their RBA with the FIAU’s risk-matrix (Annex D of Part II) risk triggering a supervisory inspection and potential penalty.

Crypto-Assets: MiCAR and VFA Service Providers

The EU’s Markets in Crypto-Assets Regulation (MiCAR) entered into force on 30 June 2024, and Malta transposed MiCAR through the “Virtual Financial Assets (VFA) Act” (Cap. 504) on 1 January 2025. The MFSA, acting as the competent authority, now requires VFA service providers to register with the MFSA, appoint a dedicated AML officer and implement blockchain-analytics tools approved by the FIAU. The FIAU’s Part II annex for VFA providers (Annex B) mandates a “wallet-origin assessment” for unhosted wallets and a minimum of 30 days of transaction-level monitoring (Section 12(4) of the VFA Act).

Non-compliance with MiCAR-related AML obligations can lead to a suspension of the VFA licence and a fine of up to €1 million per breach (Section 22 of the VFA Act). The 2025 enforcement action against “CryptoX Malta Ltd.” - a VFA exchange that failed to implement adequate wallet-origin checks - resulted in a €850 000 fine and a six-month licence suspension.

Recent Enforcement (2020-2026)

The FIAU’s enforcement record over the past six years illustrates a clear shift toward higher penalties and a broader scope of supervisory focus. Key cases include:

Date | Institution | Penalty | Basis
Oct 2020 | Pilatus Bank | €4.9 m | Systemic AML failures; 97 % of customer files outdated (FIAU Investigation Report 2020-12)
Mar 2023 | Satabank | €3.7 m | Inadequate CDD, delayed SAR filing, sanctions-evasion lapses (FIAU Enforcement Notice 2023-04)
Jun 2024 | CryptoX Malta Ltd. | €850 k | MiCAR-related AML breaches, insufficient wallet-origin checks (MFSA Licence Suspension Order 2024-07)
Nov 2025 | EuroBank Malta Branch | €1.2 m | Failure to file SARs within same-day window; inadequate risk-assessment (FIAU Penalty Notice 2025-11)
Feb 2026 | LegalCo Malta (Notary Firm) | €210 k | Non-compliance with Notary CDD obligations under Annex C Part II (FIAU Audit Report 2026-01)

In 2026 the Maltese Court of Appeal ruled that FIAU fines could not exceed 10 % of an institution’s annual turnover (Case C-2026/0012). The FIAU subsequently announced that existing fines would remain unchanged, but future penalties would be calibrated to the 10 % ceiling, signalling a more proportionate yet still deterrent enforcement posture.

Practical Compliance Checklist for Maltese Institutions

Core Documentation Required Under the PMLA/PMLFTR (2026)

  1. Board-approved AML/CFT policy manual referencing Sections 5-15 of the PMLA and PMLFTR.
  2. Annual risk-assessment report (risk-assessment register) with separate ML and TF analyses, refreshed at least annually (FIAU Part I, Annex A).
  3. Customer-due-diligence procedures, including verification checklists for natural persons and legal entities (Section 7 PMLFTR).
  4. Beneficial-ownership identification process, with BOR extraction protocol and notional UBO documentation (Section 7(3) PMLFTR).
  5. PEP and sanctions-screening policy covering EU, UN and national lists; documented matching logic and false-positive handling (FIAU Part II, Annex A).
  6. SAR/STR filing procedures, including same-day filing workflow, narrative standards and retention schedule (Section 13 PMLA; FIAU e-Reporting System).
  7. Appointment of a Money-Laundering Reporting Officer (MLRO) with direct reporting line to the board (MFSA Guidelines, para 4.2.1).
  8. Staff training programme - minimum 20 hours per employee per year, with annual refresher and training-effectiveness assessment (Section 6(2) PMLFTR).
  9. Outsourcing register and oversight framework for third-party service providers, including due-diligence on AML capabilities (Section 6(7) PMLA).
  10. For VFA service providers: wallet-origin assessment protocol, blockchain-analytics tool validation and transaction-monitoring thresholds (VFA Act, Section 12; FIAU Part II Annex B).

Common Pitfalls

Recent enforcement files reveal three recurring weaknesses. First, delayed SAR filing - institutions that rely on weekly compliance meetings instead of daily monitoring often breach the “without undue delay” standard, as seen in the EuroBank Malta case. Second, fragmented governance - when AML responsibilities are split across multiple business units without a clear MLRO hierarchy, the MFSA treats the resulting coordination failures as a substantive breach (Satabank). Third, over-reliance on black-box screening tools - the FIAU expects documented evidence of algorithmic parameters, data-quality controls and periodic vendor validation; failure to provide this evidence contributed to the CryptoX Malta penalty.

Looking Ahead

The EU AML Regulation (AMLR) becomes directly applicable on 10 July 2027, superseding many provisions of the PMLA. Institutions should use the next two years to align internal controls with AMLR requirements - especially the enhanced customer-risk-scoring model (Article 26 AMLR) and the mandatory electronic SAR filing format (EU-SAR-XML). Early adoption will reduce the risk of non-compliance when the AMLR takes effect.

How RegMantle Helps

RegMantle produces jurisdiction-specific AML/CFT documentation for Maltese entities, citing the PMLA, PMLFTR, VFA Act and relevant EU regulations line-by-line. The platform generates a fully-customised AML policy manual, risk-assessment template, KYC/CDD procedures aligned with FIAU Part I and Part II, a sanctions-screening policy referencing the EU Consolidated List, SAR/STR filing SOPs keyed to the FIAU e-Reporting System, and a staff-training curriculum meeting the 20-hour annual requirement. All outputs are available in DOCX and PDF formats, pre-populated with Malta-specific clause numbers and ready for board approval or MFSA inspection.

Generate your Maltese AML documentation in minutes

Stop paying €15,000 - €50,000 for bespoke consultancy. RegMantle delivers audit-ready, PMLA-compliant documentation in under ten minutes.