MFSA Opens Consultation on EU AML Directive 2025/1: What Firms Must Know
Malta's financial services regulator, the MFSA, published a consultation document on 1 July 2026 inviting feedback on how Directive (EU) 2025/1 should be transposed and implemented at the national level. For accounting firms, auditors, CFOs, and crypto-asset service providers operating in or through Malta, this is not background reading. The choices made during transposition will shape AML compliance obligations, supervisory expectations, and the practical demands placed on crypto bookkeeping software and compliance infrastructure for years ahead.
What Directive (EU) 2025/1 Is and Why Malta Is Moving Now
The Directive in Context
Directive (EU) 2025/1 sits within the EU's broader overhaul of its anti-money laundering and counter-terrorist financing architecture, a package that also includes the directly applicable AML Regulation and the establishment of the new EU Anti-Money Laundering Authority (AMLA). The Directive sets out the obligations member states must enshrine in national law, covering areas such as beneficial ownership transparency, customer due diligence standards, and the supervisory powers available to national competent authorities.
Malta is an early mover in opening a formal public consultation. The MFSA's decision to seek industry input at this stage reflects both the complexity of the transposition task and the regulator's recognition that obliged entities need lead time to adapt systems and processes. Firms that engage now can shape the detail; those that wait will simply inherit whatever emerges.
Malta's Position as an EU Crypto Hub
Malta was among the first EU jurisdictions to create a dedicated virtual financial assets framework, and a significant number of crypto-asset service providers hold Maltese authorisations or are in the process of obtaining MiCA licences through the MFSA. That concentration means the national transposition choices carry outsized weight: stricter or more prescriptive local rules will affect a disproportionately large slice of EU-registered CASPs. Firms using digital asset accounting software to manage compliance records need to understand which new data-capture or reporting fields may be mandated once the Directive is embedded in Maltese law.
Key Consultation Themes for Compliance and Finance Teams
Beneficial Ownership and Transparency Requirements
A central pillar of the EU AML package is enhanced beneficial ownership transparency. The consultation is expected to address how Malta will implement the Directive's provisions on registers, verification obligations, and access rights for competent authorities and obliged entities. For crypto firms, this translates directly into onboarding architecture: who must be identified, at what threshold, and how quickly information must be updated when structures change. Accounting and audit teams should review current client onboarding workflows against whatever enhanced standards emerge from this process.
Customer Due Diligence and Enhanced Measures
The Directive tightens and in some respects extends customer due diligence obligations. The consultation gives Malta the opportunity to decide where national discretion is exercised, for instance in defining higher-risk categories or specifying enhanced measures for particular business relationships. CASPs and their auditors should track these choices carefully because they determine the evidentiary standard that supervisors will apply during inspections. Firms already engaged with the MFSA CFT and TFS thematic review obligations for Malta firms will recognise the pattern: the regulator is building a layered compliance expectation, and each new instrument adds another tier.
Supervisory Powers and Sanctions Regime
The Directive also specifies minimum supervisory powers and sanctions that member states must make available to their competent authorities. Malta will need to assess whether existing MFSA enforcement tools already satisfy those minimums or whether legislative amendments are required. For firms, the practical implication is that the range of possible supervisory responses, from administrative measures through to significant financial penalties, may expand. CFOs and compliance officers should factor this into their risk-appetite assessments and ensure that crypto accounting software systems are capable of producing the audit trails that would be needed to demonstrate compliance in an enforcement scenario.
Practical Steps for Firms During the Consultation Period
Review and Respond
The consultation is a genuine opportunity to influence outcomes. Accounting firms advising Maltese-licensed entities, auditors conducting AML audits, and in-house compliance teams at CASPs should each read the consultation document and consider whether their operational experience gives them something useful to contribute. Trade associations active in the Maltese market are likely to coordinate responses, and individual firms with specific technical points are generally well-placed to submit those directly.
Gap-Analysis Against the Directive Text
Regardless of how the consultation plays out, the Directive itself is fixed EU law. Firms should not wait for final transposition legislation before beginning a gap analysis. Map current AML policies, procedures, and technology configurations against the Directive's requirements. Where crypto bookkeeping software or compliance platforms are involved, assess whether they can accommodate enhanced beneficial ownership data fields, generate the transaction monitoring records the Directive anticipates, and produce outputs compatible with supervisory reporting formats.
Coordinate with Legal Counsel on Timing
Transposition deadlines are set by the Directive and are non-negotiable. Malta must enact implementing legislation within the period specified. Firms should obtain legal advice on the expected timeline and build that into their project plans. Changes to compliance infrastructure, especially those involving digital asset accounting software integrations or data governance frameworks, rarely happen quickly, and the window between consultation close and legislative enactment can be shorter than it appears.
The Broader EU AML Architecture
It is worth placing this consultation in the wider context for firms with multi-jurisdictional footprints. The EU AML package is designed to create a genuinely harmonised framework across member states, with AMLA providing a centralised supervisory layer for the highest-risk obliged entities. For CASPs in particular, MiCA CASP authorisation now mandatory across the EU means that the AML obligations embedded through Directive 2025/1 will apply to an authorised, licensed population with clear supervisory accountability. There is no longer a gap between who is in scope for crypto regulation and who is in scope for AML supervision: they are, by design, the same firms.
Firms with operations across multiple EU jurisdictions should also monitor how peer regulators in other member states are approaching transposition. Where national choices diverge, firms may face materially different compliance requirements in different markets even under the same Directive. Tracking those divergences and reflecting them in compliance infrastructure, whether through configurable crypto accounting software rules or jurisdiction-specific policy annexes, will become a standard part of the compliance function.
Questions Firms Should Be Asking Right Now
For Accounting Firms and Auditors
Consider whether your current AML audit methodology for Maltese-licensed clients will need updating once transposition legislation is enacted. The Directive may introduce new requirements that your existing audit programs do not yet test for. Building those gaps into your next engagement planning cycle now is more efficient than retrofitting after the law changes.
For CFOs and In-House Finance Teams at CASPs
Think about the data architecture underpinning your AML compliance. If beneficial ownership requirements become more granular, or if transaction monitoring thresholds shift, your current systems, whether purpose-built digital asset accounting software or adapted general-ledger tools, may need configuration changes. Raising this with your technology providers during the consultation period gives you more leverage than raising it after the legislation passes.
FAQ
What is the MFSA consultation on Directive (EU) 2025/1?
The Malta Financial Services Authority has published a consultation document seeking industry views on how to transpose and implement Directive (EU) 2025/1, which forms part of the EU's revised AML/CFT legislative package, into Maltese national law.
Who does this affect?
Any entity that is an obliged entity under Malta's AML framework is potentially affected. This includes credit institutions, financial institutions, and crypto-asset service providers licensed or registered in Malta, as well as their auditors, accountants, and compliance advisers.
Does this change anything immediately?
Not immediately. The consultation is the precursor to draft legislation. However, the Directive's requirements are fixed, and firms should begin gap-analysis against those requirements now rather than waiting for Maltese implementing legislation to be enacted.
How does this interact with MiCA?
MiCA governs the authorisation and conduct of crypto-asset service providers. Directive (EU) 2025/1 governs AML/CFT obligations. They operate in parallel. A CASP licensed under MiCA and authorised by the MFSA will be subject to both frameworks simultaneously.
How should a firm respond to the consultation?
Read the MFSA consultation document, identify the questions or policy choices that affect your operations most directly, and prepare a written response. Engaging legal counsel familiar with Maltese financial services regulation is advisable. Trade associations may also coordinate collective responses on common industry points.
