On 23 June 2026, the Central Bank of Malta issued its Notice on the Supervisory Expectations on Fraud Risk Mitigation in the Instant Payments Environment. The notice sets out eleven supervisory expectations for payment service providers (PSPs) providing instant payments under Regulation (EU) 2024/886, known as the Instant Payments Regulation or IPR. It also sets out two supervisory deliverables that PSPs should prioritise.
The deadlines, and why they matter now
Within two months of publication, in-scope PSPs are expected to submit a gap analysis to the Bank, identifying the differences between their existing systems, controls and processes and the expectations set out in the notice, together with an implementation plan and defined timelines. Progress updates are then expected every two months until full alignment is achieved, and in any case no later than 1 July 2027.
That places the first deliverable at around August 2026, a short timeframe for work that cuts across fraud monitoring, AML/CFT calibration, customer authentication, device management, customer communications, staff training, information sharing and operational resilience.
Key themes in the eleven expectations
The notice is broader than its title may suggest. Key themes include:
- Adjustment of spending limits and the six-hour delay window, including the often-misread point that the delay is a tolerated, risk-based safeguard, not a mandatory or default control, and must not be used to recreate a business-hours-based approval model.
- Registration of new devices, including best-practice measures such as an optional six-hour delay for payment initiation following registration and out-of-band notifications to the user.
- Customer interaction and staff preparedness, including the need for customer-facing staff to recognise potential fraud scenarios and support users who may be vulnerable, manipulated or pressured.
- Real-time, 24/7/365 transaction monitoring, covering both pre-transaction and post-transaction stages. Post-transaction controls alone are expressly insufficient in an instant payments environment.
- High-risk indicators, including new device registration followed by a new payee, unusual access location, recent spending-limit increases, high-value transactions, and remote-access or screen-sharing tools, assessed collectively rather than in isolation.
- Automated controls and payment service user (PSU) interaction, including targeted warnings, out-of-band notifications and dynamic risk-based warnings at payment initiation.
- Detection of remote access, screen-sharing, screen-recording and similar high-risk tools, subject to proportionality and privacy-conscious design.
- Continuous availability of Verification of Payee, supported by contingency arrangements and appropriate safeguards where the service is unavailable.
- PSU awareness and fraud prevention communications, including campaigns on social engineering and emerging fraud typologies.
- Fraud information sharing, including collaboration between PSPs and preparation for emerging European arrangements such as the EPC’s Fraud Information Distribution Arrangement, or FRIDA, and the forthcoming Payment Services Regulation.
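As an added illustration of assessing the high-risk indicators in the list above collectively rather than in isolation (example code written for this page, not from the notice or any PSP's engine): a small pre-transaction scoring routine over constructed payment facts. The six-hour and 24-hour windows, the EUR 5,000 threshold, the weights and the action thresholds are all assumptions a PSP would calibrate from its own fraud data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Windows, threshold and weights are illustrative assumptions, not values from the notice
NEW_DEVICE_WINDOW = timedelta(hours=6)    # new device, then new payee, inside this window
LIMIT_CHANGE_WINDOW = timedelta(hours=24) # spending limit raised inside this window
HIGH_VALUE_EUR = 5000.0
WEIGHTS = {"new_device_then_new_payee": 35, "unusual_access_location": 20,
           "recent_limit_increase": 20, "high_value": 15, "remote_access_tool": 40}

@dataclass
class PaymentContext:  # constructed per-payment facts a pre-transaction engine has on hand
    amount_eur: float
    payee_is_new: bool
    access_country: str
    usual_countries: Set[str]
    device_registered_at: Optional[datetime] = None
    limit_raised_at: Optional[datetime] = None
    remote_tool_detected: bool = False

def indicators(ctx: PaymentContext, now: datetime) -> List[str]:
    """Return every high-risk indicator that fires for this payment."""
    hits = []
    if (ctx.device_registered_at is not None and ctx.payee_is_new
            and now - ctx.device_registered_at < NEW_DEVICE_WINDOW):
        hits.append("new_device_then_new_payee")
    if ctx.access_country not in ctx.usual_countries:
        hits.append("unusual_access_location")
    if ctx.limit_raised_at is not None and now - ctx.limit_raised_at < LIMIT_CHANGE_WINDOW:
        hits.append("recent_limit_increase")
    if ctx.amount_eur >= HIGH_VALUE_EUR:
        hits.append("high_value")
    if ctx.remote_tool_detected:
        hits.append("remote_access_tool")
    return hits

def assess(ctx: PaymentContext, now: datetime) -> Tuple[str, int, List[str]]:
    """Score the indicators together; no single weak signal decides on its own."""
    hits = indicators(ctx, now)
    score = sum(WEIGHTS[h] for h in hits)
    if score >= 60:
        return "hold_and_contact_psu", score, hits  # pre-transaction hold, out-of-band contact
    if score >= 30:
        return "dynamic_warning", score, hits       # risk-based warning at payment initiation
    return "allow", score, hits
```

A high-value payment on its own only scores 15 and is allowed, while the same amount to a new payee from a device registered two hours earlier and an unusual country crosses the hold threshold; the combination, not any one signal, drives the decision.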
Several expectations cross-reference the December 2025 joint CBM/FIAU clarifications on AML/CFT in instant payments; the two should be read together, particularly on risk-based assessment, pre- and post-transaction monitoring, and the case-by-case treatment of transactions.
The under-appreciated shift: liability
Expectation 11 is one of the most consequential parts of the notice. Where a PSP can demonstrate consistent and effective implementation of the measures in the notice, this should be taken into account as a significant factor in assessing whether the PSP bears liability for transactions authorised by the user under CBM Directive No. 1. Conversely, material deficiencies in the fraud prevention framework may be considered in assessing the PSP’s responsibilities under that Directive.
This moves the notice beyond a narrow compliance exercise into a governance, evidence and risk-management issue. Authorised push payment fraud cases, where a customer is manipulated into instructing a payment that they later dispute, are often difficult and fact-sensitive. PSPs that cannot evidence consistent alignment with the notice may face a more difficult position when liability is assessed.
Why a credible gap analysis is harder than it looks
A useful gap analysis is not a checklist exercise. PSPs need to map the eleven expectation areas against existing fraud, AML/CFT, IT, operations and customer-facing controls, and test how those controls operate continuously, including during evenings, weekends and public holidays.
The implementation plan must also be capable of supervisory tracking in two-month cycles, identifying control owners, dependencies, interim mitigants, target dates, evidence sources and residual risk. A generic policy-mapping exercise is unlikely to be sufficient.
The analysis also requires judgement on the distinction between firm regulatory requirements, supervisory expectations and best-practice encouragement. Treating every item as identical risks over-engineering areas where flexibility is available, while underestimating points where the notice expects clear, demonstrable and continuous capability.