
MFSA CFT/CPF/TFS Thematic Review: What Firms Must Do

CryptaCount Editorial · 5 min read
The Malta Financial Services Authority has published the findings of its thematic review covering terrorist financing, proliferation financing, and targeted financial sanctions evasion risks across credit institutions. The review identifies where the sector is performing well, where gaps remain, and what the MFSA expects firms to do next. For compliance officers and their advisers, this is not background reading: it is a direct signal of where supervisory attention will fall.

Context and Scope of the Review

The MFSA conducted this exercise as part of a wider national effort to assess how credit institutions manage CFT, CPF and TFS evasion risks. It follows an earlier review completed in March 2025, which examined the same risk areas across financial institutions and crypto-asset service providers. That prior review, combined with the current findings, forms a connected picture of how Malta's regulated sector is positioning itself against illicit finance threats.

The MFSA anchors its expectations firmly in Malta's National Risk Assessment and in supranational risk assessments at EU level. The FATF, it notes, has highlighted a growing convergence between traditional financial channels and emerging digital technologies as a vector for illicit activity. Separately, concerns around the sophistication of proliferation financing actors have been flagged in recent international publications.

Why credit institutions specifically

Credit institutions sit at the intersection of payments, lending, and correspondent relationships, making them a primary channel through which sanctions evasion and proliferation financing can occur. The MFSA's decision to focus this round of thematic supervision on banks and similar entities reflects the sector's systemic importance and its exposure to high-risk jurisdictions and complex ownership structures.

What the MFSA Found: Key Observations

The review produced a set of high-level thematic observations. The MFSA is careful to note these are not exhaustive, but they carry clear supervisory weight.

National and supranational risk assessment integration

Entities generally showed solid alignment with Malta's National Risk Assessment. The MFSA expects this to continue and to be extended: firms must integrate both the national assessment and relevant supranational risk assessments into their business-wide and jurisdictional risk frameworks. This is not a one-time mapping exercise. It requires ongoing calibration as risk profiles evolve.

Distinct treatment of TF, PF and TFS within internal frameworks

The regulator is explicit that terrorist financing, proliferation financing and targeted financial sanctions evasion must each receive separate and substantive consideration within a firm's internal controls. Treating them as a single undifferentiated obligation is not acceptable. Each risk category has distinct typologies, indicators, and regulatory obligations, and the framework must reflect that.

Proportionate risk-based controls for restrictive measures

Firms are expected to apply proportionate, risk-sensitive measures to detect and prevent breaches of restrictive measures, including those relating to proliferation financing. The review appears to have identified variation in how rigorously firms are applying this across different business lines and client segments. The MFSA's use of the word "circumvention" is deliberate: passive non-compliance is not the only concern; active evasion by customers must be anticipated and controlled for.

AI governance and audit trails

Any entity using or planning to use artificial intelligence in its financial crime controls must demonstrate that it understands how those systems work, including their limitations. The MFSA is specific: comprehensive audit trails of alerts and decisions generated by AI tools are required. This matters for both supervisory review and internal accountability. Deploying an AI screening tool without being able to explain, reproduce, and challenge its outputs will not satisfy the Authority.

This finding connects directly to the broader regulatory direction across the EU, where AI governance in regulated financial services is receiving increasing scrutiny. For credit institutions in Malta, the message is clear: AI adoption in compliance is welcome, but it must be transparent and auditable.

Training programmes: risk-sensitive and role-specific

The MFSA calls for training that is robust, risk-sensitive, and tailored by role, with particular attention to staff in higher-risk functions. Generic annual awareness sessions are not sufficient. The expectation is for ongoing, practical training that equips staff to identify and escalate the specific risks they are most likely to encounter. This has direct implications for how firms design and document their training programmes ahead of future supervisory visits.

What Firms Should Do Now

The MFSA encourages entities to read its findings alongside guidance published by the Financial Intelligence Analysis Unit (FIAU). Both sets of material should inform a structured gap assessment against current CFT, CPF and TFS frameworks.

The regulator also signals that insights from this review may shape its future outcomes-based supervisory approach in financial crime compliance. That language carries practical implications: firms that address these observations proactively are better placed when the MFSA turns its attention to individual entities rather than sector-wide themes. For accounting firms and auditors advising credit institution clients, this review sets a clear benchmark for what adequate controls look like in the MFSA's eyes.

Firms with exposure to digital asset activity alongside traditional banking services should cross-reference these expectations with the Malta VFA to CASP transition and MFSA MiCA licence guidance, as the overlap between traditional and crypto-asset risk frameworks is growing. The MFSA's prior thematic work on terrorist financing risks in financial statements also provides relevant context for how the Authority approaches these issues across different entity types.

FAQ

What is the MFSA thematic review on CFT, CPF and TFS?

It is a supervisory exercise by the Malta Financial Services Authority examining how credit institutions identify and manage terrorist financing, proliferation financing and targeted financial sanctions evasion risks. The results were published in June 2026.

What does the MFSA expect on AI use in compliance?

The MFSA expects firms using AI in their financial crime controls to understand the design and limitations of those systems and to maintain full audit trails of all alerts and decisions generated by those tools.

Must TF, PF and TFS be treated separately in internal frameworks?

Yes. The MFSA explicitly requires that each of these three risk categories receives distinct and substantive treatment within a firm's internal controls, rather than being grouped under a single undifferentiated obligation.

How should firms use this review?

Firms should read the MFSA findings alongside FIAU guidance and conduct a structured gap assessment of their existing CFT, CPF and TFS frameworks. The review may also shape how the MFSA conducts future outcomes-based supervision.

Does this review apply to crypto-asset service providers?

This particular publication focuses on credit institutions. The MFSA conducted a related review covering financial institutions and crypto-asset service providers in March 2025, and the underlying risk expectations are consistent across both exercises.
