On 17 June 2026, the Malta Financial Services Authority issued a Dear CEO Letter to the management bodies and MLROs of Maltese-licensed credit institutions, setting out the findings of a thematic review on terrorist financing (TF), proliferation financing (PF) and targeted financial sanctions (TFS) evasion. A companion media release followed on 23 June 2026. The review covered every MFSA-licensed credit institution, including locally incorporated banks and branches of foreign banks established and operating in Malta, providing the Authority with a comparable, sector-wide picture.
Why now
The review was informed by Malta’s latest National Risk Assessment, which identifies the banking sector as among the sectors most exposed to TF, PF and TFS evasion, given its central role in the movement of funds. It also reflects recent regulatory developments, notably the EU Instant Payments Regulation and the EBA’s Restrictive Measures Guidelines (EBA/GL/2024/14). The FATF context is also relevant: while terrorist groups’ overall reliance on traditional financial services has declined, those channels remain actively exploited, and there is growing convergence between conventional methods and emerging digital technologies.
Where the sector is performing well
The picture is broadly constructive. All respondents maintain a formal TF risk assessment, and CFT-specific policies are in place at every institution. Sanctions governance also shows positive momentum: 90% have formally appointed a senior staff member responsible for restrictive-measures compliance, and 81% provide regular TFS reporting to the management body and/or senior management. Screening is highly automated, with all respondents updating their tools either in real time or within 24 to 48 hours of changes to sanctions lists. With respect to instant payments, most institutions reported aligning their processes with the new payee-verification requirements.
Areas for further strengthening
The clearest finding is that proliferation financing is not being treated with the same rigour as TF and TFS. While every institution assesses TF risk, only 71% maintain a PF risk assessment, only 67% have dedicated CPF policies, and board-level updates on PF risk factors fall to 62%, compared with 81% for TF. Given the link between PF and weapons-of-mass-destruction proliferation under the relevant sanctions framework, this gap may warrant heightened supervisory scrutiny.
A second area is identity-verification assurance. Only 24% of institutions use dedicated tools to detect forged or fake documents, reflecting a sector that still conducts most onboarding face to face. Among those institutions, only 40% confirmed that they carry out at least annual independent testing. The MFSA’s expectation is that institutions satisfy themselves that the assurance level of any solution is fit for its intended use, regardless of whether verification is digital or manual.
Control assurance more broadly is uneven. On sanctions screening, testing frequency ranged from quarterly, adopted by 38% of institutions, to annual, also adopted by 38%, with the remainder testing less frequently. The sector also relies heavily on third-party screening providers: 67% use external providers and only 5% operate fully in-house solutions. Against that backdrop, the Authority stressed that outsourcing does not transfer responsibility. Institutions remain fully accountable and must be able to demonstrate that vendor tools ingest EU and UN lists without delay.
Artificial intelligence: early days
AI adoption in financial-crime compliance remains limited, with only 15% actively deploying it and 44% reporting no current plans. The MFSA’s position is permissive but conditional: institutions deploying AI must demonstrate a clear understanding of their systems’ design, functionality and limitations, maintain audit trails, and preserve meaningful human oversight. The Authority also links these expectations to forthcoming AML Regulation requirements and DORA obligations relating to ICT third-party providers.
What this means in practice
The Authority has signalled that these findings may inform its future outcomes-based supervision. In practical terms, the gaps identified in the review provide a clear indication of where supervisory scrutiny may intensify. Three areas stand out as priorities: closing the PF and CPF gap through distinct risk assessments, policies and board reporting; strengthening independent testing of screening and identity-verification controls; and tightening outsourcing governance over third-party screening vendors.
It is also worth noting that the findings are based on self-reported questionnaire responses, so they reflect what institutions say they do. The MFSA’s move toward outcomes-based supervision suggests that the next phase may test whether stated controls work in practice, raising the standard from documented controls to demonstrable effectiveness.
How BDO can help
This shift from documented controls to demonstrable effectiveness is precisely where many institutions will need to focus. Institutions may wish to assess their CFT, CPF and TFS frameworks against the MFSA’s stated expectations, with particular focus on PF risk assessments, CPF policies, board reporting, independent testing of screening and identity-verification controls, and oversight of third-party screening providers. Our financial crime advisory team can support institutions with independent gap assessments, control testing, policy enhancement, outsourcing governance reviews, and role-specific training.
If you would like to discuss how these findings affect your institution, or require assistance in assessing and strengthening your CFT, CPF and TFS frameworks, please get in touch with our team.