Guidance from FIAU re Limited CSPs (Registered persons)

The FIAU has issued new guidance for limited company service providers (CSPs), explaining how they should apply AML/CFT obligations in a proportionate way based on the size and nature of their activities.

Key distinctions: the 3 categories of CSPs

Under the revised Company Service Providers Act and the Malta PMLFTR framework, CSPs are classified into three types:

1. Restricted CSPs (notification-only) — Whilst these must notify the MFSA, they are not deemed to perform “relevant activity,” and therefore are not subject to the obligations arising from these changes.
2. Limited (registered) CSPs — These CSPs must register with MFSA but provide only limited services and are subject to a capped number of engagements.
3. Authorised CSPs — full-scale operators with broader scope and full AML/CFT obligations who must continue applying Implementing Procedures Part I and Part II for CSPs, as also other guidance from the FIAU.

The new FIAU guidance note deals specifically with Limited (registered) CSPs and explains how certain AML/CFT obligations can be eased (while still maintaining overall compliance).

How the new guidance impacts Limited CSPs :

The document carves out proportionate requirements for Limited CSPs, reflecting their lower scale and lower risk profile as seen below:

• Limited CSPs are not required to maintain a documented Business Risk Assessment or a fully documented methodology or customer risk assessments.

They must understand the risks, but need not formalize them

• They are not obliged to maintain written manuals or formal documentation of all policies and procedures. They must still apply AML/CFT mitigating measures and be able to describe them if asked.

• Limited CSPs do not need to register themselves in CASPAR; the MFSA will provide their details to the FIAU. Also, the requirement to complete the Risk Evaluation Questionnaire is removed for their limited CSP activities.

• Limited CSPs remain bound by reporting obligations (e.g. under Regulation 15 PMLFTR) and must register on goAML and submit required reports. The guidance doesnot exempt them from those core reporting duties.

• The guidance clarifies that the relaxations do not derogate from the substantive AML/CFT measures required by the law. The CSP must still apply the full suite of legal measures (e.g. customer due diligence, record-keeping) for their registered CSP activities. Furthermore, all obligations under the PMLFTR continue to apply to any additional activities carried out by a registered CSP that qualify as relevant financial activity or relevant financial business and must be followed in line with the Implementing Procedures and other guidance from the FIAU.

Find the FIAU guidance document here.

RMC Wise offers tailored regulatory compliance, risk management, consulting/advisory and MLRO services to CSPs and other players within the financial services industry. Feel free to contact us with any questions or for support in integrating these changes into your compliance framework.