The Anti-Money Laundering (AML) Framework

This article highlights the important components of a subject person’s Anti-Money Laundering (AML) regime and the risk-based approach required to fulfil the regulatory requirements that are outlined in the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR), and the implementing procedures of the Financial Intelligence Analysis Unit (FIAU).

Apart from periodic regulatory reporting to the FIAU, subject persons may also be subject to onsite and offsite compliance reviews by the FIAU. For this reason, this article further underscores the importance of the effective design and implementation of the subject person’s AML policies and procedures.  

The Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR) require subject persons to implement the components of the AML framework (namely policies, controls, and procedures) through the adoption of a risk-based approach. In essence, this means that every subject person must identify and assess the Money Laundering (ML) and Terrorism Financing (TF) risks that they are exposed to. By doing so, the respective controls and procedures will be designed in a way that addresses the areas determined as higher risk by the subject person, through the appropriate mitigating measures. However, these same mitigating measures will have to be substantially revised if the residual risk falls outside the subject person’s risk appetite until such risk is reduced to acceptable parameters.

As outlined above, what is of the essence in the world of AML is the understanding of the risks that one is exposed to and having strong mitigating measures to counter such risks. Hence, the two key documented processes that serve this purpose are the Business Risk Assessment (BRA) and the Customer Risk Assessment (CRA). While in the former, one would expect the subject person to have identified its business-specific AML threats, vulnerabilities, and mitigating measures,  the latter should comprise of more specific assessments, such as those focusing on individual business relationships or on carrying out occasional transactions.

The adoption of a Customer Acceptance Policy (CAP) is also given prominence in the FIAU’s implementing procedures.

Such a policy provides a description, with non-exhaustive examples, of the type of customers that are envisaged to pose a higher AML risk, as well as the risk indicators which are used as criteria to determine whether a business relationship or occasional transaction constitutes a low, medium or high risk; the level of Customer Due Diligence (CDD) measures, including ongoing monitoring to be applied in relation to these; and under what circumstances the subject person will decline to service someone. Therefore, while the CRA would outline the risk profile of a given customer, the level of CDD measures and the relevant ongoing monitoring would be outlined in the CAP.

The PMLFTR also requires subject persons to appoint and identify a Money Laundering Reporting Officer (MLRO). The functions falling within this role include receiving and analysing reports from the subject persons’ employees, or other channels that may give rise to knowledge or suspicion of ML/FT; the reporting of such cases to the FIAU; and responding promptly to any requests for information made by the FIAU.

Furthermore, the PMLFTR emphasise the need for ongoing monitoring of one’s measures, policies, controls, and procedures. These regulations require that the subject person identifies, where applicable, a member of its management body who is to be responsible for the overall adoption of these measures, policies, controls, and procedures. In addition, the PMLFTR also require the subject person to consider whether, given the size and nature of its business, this function needs to be strengthened through the appointment of a dedicated officer at management level, or the implementation of an independent audit function (or engagement of an external consultant) to test the said internal measures, policies, controls and procedures from time to time.

Finally, from a regulatory review perspective, apart from periodic regulatory reporting to the FIAU, subject persons may also be subject to onsite and offsite compliance reviews by the FIAU and/or other supervisory entities, such as the Malta Financial Services Authority (MFSA) and Malta Gaming Authority (MGA). Offsite reviews may entail the examination of the subject persons’ AML/CFT policy and procedural documentation, while onsite reviews generally include testing the subject persons’ implementation of their AML/CFT obligations. Naturally, a strong AML Framework would be considered pivotal towards obtaining a successful regulatory review.

This article was written by Ian Bugeja, Advisory Senior at Mazars in Malta, specialising in AML, internal audit, and forensic investigation services.