Malta -- AML/CFT Compliance Regulatory Overview

Malta's AML/CFT requirements for cryptocurrency service providers are governed by the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR) and the Virtual Financial Assets Act (VFAA), with oversight by the Financial Intelligence Analysis Unit (FIAU) and the Malta Financial Services Authority (MFSA)[1][2].

AML/CFT Legislation Framework

The regulatory structure comprises three primary legislative acts[2]:

• Virtual Financial Assets Act (VFAA) – The foundational legislation enacted in 2018 that first regulated cryptocurrency in Malta[1][6]
• Markets in Crypto-Assets Regulation (MiCA) – EU-wide regulation implemented in Malta through Act XIV of 2024, which integrated Titles III and IV concerning Asset-Referenced Tokens (ARTs) and E-Money Tokens (EMTs)[5]
• Prevention of Money Laundering Act (Chapter 373, Laws of Malta) and associated PMLFTR regulations, which transpose the EU's 5th AML Directive 2015/849/EU[2]

As of December 30, 2024, the FIAU restructured the Implementing Procedures Part II (IP2) for the crypto-asset sector to align with MiCA requirements[4].

Customer Due Diligence Requirements

Virtual Asset Service Providers (VASPs) must perform comprehensive customer due diligence, including[6]:

• Customer identification and verification
• Ongoing transaction monitoring for suspicious activity
• Enhanced Due Diligence (EDD) for higher-risk customers
• Simplified Due Diligence for lower-risk transactions

For self-hosted wallet transactions, CASPs (Crypto-Asset Service Providers) must identify and verify both the originator and beneficiary, ensure the address is under customer control, require additional information on the origin and destination of crypto-assets, and conduct enhanced ongoing monitoring[4].

Suspicious Transaction Reporting

VASPs are required to[6]:

• Monitor financial transactions for suspicious activity
• Submit regular reports to the relevant regulatory authority
• Maintain adequate AML/CFT policies and procedures
• Appoint a Money Laundering Reporting Officer for compliance[6]

Record-Keeping Obligations

Service providers must[6]:

• Prepare and file periodic financial statements and reports
• Maintain detailed AML/CFT documentation
• Keep records of customer transactions and due diligence procedures
• Comply with ongoing financial reporting requirements

Regulatory Oversight

The Financial Intelligence Analysis Unit (FIAU) operates under the AML regime and enforces compliance with anti-money laundering measures[5]. The Malta Financial Services Authority (MFSA) regulates virtual financial assets services and requires licensing for any crypto service involving advice, recommendation, or placement of virtual assets within or from Malta[1][5].

Any entity providing "relevant activities" under the Maltese AML framework must comply with AML laws, and offshore businesses cannot provide services to local customers on an active solicitation basis without proper licensing[5].