Can you please give us an overview of the FIAU and your overall responsibilities?
Kenneth Farrugia: We have two different functions – we are an Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) supervisor and an intelligence agency. It is our job to ensure that subject persons – such as banks, financial institutions, corporate services providers, gaming companies and real estate agents – comply with all the latest AML/CFT legislation, while at the same time, we receive suspicions transaction reports (STRs) that we investigate. If we find anything suspicious, we forward the case to the police. These two functions are carried out by separate teams within the FIAU.
Last year, the FIAU has been in the headlines, particularly after the European Banking Authority (EBA) ruled that you breached EU law in relation to the supervision of Pilatus Bank. What happened since then?
Kenneth Farrugia: 2018 was a game-changer for the FIAU. From the very beginning, we have cooperated with the EBA and the European Commission and acknowledged that there were areas for improvement. From November 2018 onwards, we had weekly meetings with the EBA, and by April 2019, 95% of the agreed action plan had been implemented. We have restructured the organisation, revamped processes and procedures, our budget has been increased, additional people have been hired, and we are investing heavily in technology. Only 5% of the action plan is still outstanding, and those items deal with ongoing tasks, which, in reality, will never be completed, such as issuing guidance notes that require constant updates. The EBA is well aware of this. We are now focusing on training and education, making sure everyone is familiar with the new policies and procedures.
Are you confident that you now have all the resources you need?
Kenneth Farrugia: Our budget in 2014 was €600,000, and this has been increased to €10 million in 2018 and to €7 million in 2019. We now have some 50 people working directly with the FIAU, which is a significant rise compared to the staff complement a few years ago. In 2012, there were just 10 people working with the FIAU. We will see a further increase in numbers in the coming two years, and we’re targeting to have a staff complement of 138 people by 2021. In addition to these, we also have resources within the Malta Financial Services Authority (MFSA) and at the Malta Gaming Authority (MGA) who contribute to the carrying out of AML/CFT supervisory work. We have long been cooperating with these two authorities, but, more recently, we started joint examinations to ensure more consistency.
Can you tell us a bit about your approach to supervision and the nature of your visits?
Kenneth Farrugia: We revamped our entire risk assessment framework. We reviewed other jurisdictions to see what they are doing, and we cross-checked our standards and procedures against international best practice. Any gaps were identified and updated. I’d like to highlight that we started risk-based supervision in 2012 but the data collection questionnaires were quite basic. There was an update in 2017 with regard to banks, trust and company service providers, as well as remote gaming companies. Further updates took place in 2019 with the launching of comprehensive data collection questionnaires for all sectors and the launch of a new online system to receive such data. In total, there are 2,500 subject persons in Malta, including credit and financial institutions, corporate service providers, real estate agents, gaming companies, crypto, notaries and accountants. Our risk assessment is quite extensive – banks for instance have to provide us with more than 200 data points, and we add information from other sources such as regulators, media reports, EU institutions, and many more. This all helps us to establish the risk profile of the subject person, which then determines the frequency and nature of supervisory examinations that we will carry out. These range from desk reviews and offsite examinations for low- and medium-risk subject persons, which we repeat every five years, to in-depth onsite checks for entities in the high-risk category, which we conduct every 18 months.
Are subject persons informed ahead of time of your visits?
Alfred Zammit: It is standard procedure that they are informed; however, it has happened that we performed unannounced visits – but this is the exception. We require a lot of information beforehand. This documentation is being reviewed by our team, and the questions that are being asked very much depend on the findings and outcomes of the desk review that was carried out ahead of the onsite visit. For instance, we ask for customer lists, for risk assessment frameworks, for policies and procedures. We also need to get an idea of how many sample files we need to look at to actually get a proper picture. Doing all this in the midst of an unannounced visit, makes a visit all the more challenging.
How would you gauge the performance of the industry in terms of AML/CFT compliance?
Alfred Zammit: Everyone has understood that AML should be a top priority, and we have seen the number of STRs rise significantly in recent years. In 2014, we received 202 reports; this number increased to 1,679 in 2018. However, I would say the performance varies a lot depending on the sector. The financial sector, especially banks and corporate service providers (CSPs), are well ahead and well versed. They also tend to have better documentation practices than companies from other sectors. Having said that, it is really difficult to generalise because some CSPs have a greater risk appetite than others and are ready to take on riskier business. That’s why our risk assessment is so important.
Who are you holding accountable for breaches?
Alfred Zammit: At the moment, a Money Laundering Reporting Officer (MLRO) cannot be held liable, at least not in the case of administrative breaches. For instance, if an organisation did not take its responsibilities serious enough, and even if the MLRO did not take any steps to ensure that the company complies, it is the legal entity itself – the company and its directors – that will be held accountable. Should the MLRO be part of any criminal activity, then it is obviously a different story.
Do you see a change coming there?
Alfred Zammit: We are currently looking into how we can increase accountability and responsibility. This does not solely concern the MLRO, but it is also relevant to models that outsource AML compliance, whereby the subject person itself remains responsible, even if the outsourcing company messes up. One of the things we’d like to introduce is that someone from the Board of Directors has to be given the task of overlooking AML issues. This makes the board more sensitive to AML/CFT issues and leaves no room for excuses.
You have been very good at putting the structure in place but one of the criticisms that Malta gets is that it falls down on enforcement. What will all this investment lead to?
Alfred Zammit: We are now working toward the development of specialised teams – four different teams are already in place, for instance, one team is working on gaming, one on non-financial subject persons such as notaries and real estate agents. As Malta’s economy grows and sectors become more complex, it becomes increasingly important to have people with specialist sectorial knowledge. For instance, it is important to know how a gaming company works to understand how systems could be abused.
However, you cannot generalise that Malta is a lax country. There are areas where there is room for improvement, for instance when it comes to the number of convictions and investigations. But when it comes to adhering to AML/CFT obligations by the industry, I don’t think that Malta is really on the lower end. It is one thing if you have an institution that is deliberately involved in a money laundering activity – every country has that – but if you talk about normal business operators, Malta is as good as any other country.
On the other hand, it has become increasingly difficult to open bank accounts in Malta for individuals but especially for corporates. How can we achieve a balance?
Kenneth Farrugia: From a supervisory point of view, we are taking a lot of actions, and everyone is being cautious to abide by the obligations. This year we already issued almost €4 million in sanctions. Last year, this figure was just shy of €1 million. Banks are de-risking and are much more cautious when accepting new business. If a client is high risk, certain questions have to be asked and information has to be made available before the account can be opened. But we can’t solely blame the banks for the current situation. In many cases, there is a genuine mismatch between a bank’s risk appetite and the profile of the clients that CSPs are delivering. However, we also need to educate more and explain what our expectations are, and if we see that banks are misapplying the risk-based approach, we need to address it because this means they might be putting too much focus on areas where it is not needed and not enough focus on areas where it is needed.
Moneyval is expected to publish its report on Malta in September. What are your expectations in regard to their evaluation of Malta?
Kenneth Farrugia: Moneyval visited in November 2018. We recently reviewed the draft report, and many of the actions listed in the draft report which concern the FIAU have already been implemented since then, which, unfortunately, will not be reflected in the upcoming final report. There has also been a change in Moneyval’s methodology. In addition to technical compliance, countries are now assessed on their effectiveness. Moneyval is checking how many STRs have been received, how many cases the police are investigating, how many prosecutions and convictions are taking place, and so forth. They are looking at the entire system. While we have seen significant improvements in terms of reporting, given the volume of business in Malta, the case numbers are still a bit low. So, we all expect that we will need to make further improvements and are willing to do so.
Gaming companies in the UK are being hit with eye-watering anti-money laundering fines at the moment, and most of them have extensive operations in Malta. Why is Malta not catching them?
Alfred Zammit: This is a question of timing. Gaming companies in the UK became AML subject persons long before they became subject to AML in Malta. The fines that are currently being issued in the UK refer to AML breaches in previous years. Timing is more the issue than anything else. We have done site visits and are in the process of carrying out investigations, which have yet to be concluded.
Do you have a final message that you would like to share with the international community about Malta or a piece of advice to subject persons?
Alfred Zammit: In my opinion, Malta is wrongly perceived as a high-risk jurisdiction. I am not saying that Malta is risk free, but Malta is not a washing machine. We have had a few cases, and we learned our lessons. There are also some areas where Malta is performing really well – for instance when it comes to transparency of beneficial ownership information and international cooperation. There is no way that one can set up a company in Malta with the help of a corporate service provider without disclosing the beneficial owners. Both the police and the FIAU have full access to this information at any time and often exchange this type of information with their international counterparts.
Kenneth Farrugia: I’d like to add that we, the FIAU, acknowledged that we had certain issues and addressed our weak spots. In my opinion, this is an approach that everyone else should follow. All subject persons in Malta should complete a self-assessment test, take note of any shortcomings and improve within the shortest possible timeframe.
Published: 23 July 2019