    The NIA introduces a strengthened regulatory and enforcement framework with significant implications for Subject Persons and their international operations. A number of articles enhance or introduce new obligations, and formalise expectations around controls, reporting, and risk management.

     

    Obligations for Legal Persons with Foreign Branches and Subsidiaries

    Legal persons and entities with branches or majority-owned subsidiaries in third countries where restrictive measures are not aligned with this Act must ensure that those branches and subsidiaries implement the provisions of the Act to the extent allowed by local law. Where local legislation does not allow such implementation, the entity is required to apply additional measures designed to effectively manage the risk of violations and prevent circumvention of restrictive measures.

     

    Distinction Between Criminal Offences and Administrative Breaches

    The revised framework introduces a major structural change by clearly distinguishing between criminal offences and administrative breaches based on a financial threshold. Breaches such as making funds available, failing to freeze assets, or circumventing sanctions are treated as administrative failures rather than criminal offences when the value involved is below €10,000. These cases follow specific administrative procedures. To prevent repeated small-value violations from escaping criminal liability, the “linked series rule” allows authorities to aggregate related actions of the same nature by the same person. If the combined value exceeds €10,000, the conduct may qualify for criminal prosecution.

     

    Extended Liability for Officers and Senior Management

    Liability is extended to officers, including directors and senior management, who may now be held personally responsible for compliance failures within their organisation. Sub-article (5) underscores this accountability and reinforces the expectation that organisational breaches can trigger individual consequences.

     

    Enhanced Powers of Competent Authorities

    The Act also grants competent authorities enhanced powers enabling them to request information from entities. Failure to respond may lead to penalties, and professional secrecy cannot be invoked to refuse such requests. Any information disclosed is legally deemed to be provided to a public authority compelled by law, consistent with Article 257 of the Criminal Code.

     

    Expanded Internal Compliance Obligations (Article 32)

    A significant expansion of internal compliance obligations is introduced under Article 32, which requires Subject Persons to implement and maintain internal controls, policies, and procedures to ensure compliance with this Act, EU restrictive measures, UN Security Council Resolutions, and domestic restrictive measures. Compliance obligations have been broadened, introducing more detailed requirements for customer due diligence. New rules specifically address the verification of customers’ ownership and control structures. For payment service providers and crypto-asset service providers, such controls must also align with Chapter IV of Regulation (EU) 2023/1113 on transfers of funds and crypto assets.

     

    Mandatory Notifications to the Board

    The Article also requires immediate notification to the Board when targeted funds or economic resources are identified, including attempted transactions, or when the entity becomes aware of suspected violations of EU, UN, or domestic restrictive measures. While third-party reliance is permitted, the entity retains ultimate responsibility and must ensure that third parties are able to provide all relevant data and documentation upon request.

     

    Reinforced Risk Assessment Obligations

    Risk assessment obligations are reinforced, with Subject Persons required to identify and assess risks of violations and proliferation financing, taking into account clients, geography, products, services, transactions, and delivery channels. Crypto-asset providers must additionally assess risks associated with self-hosted addresses. These assessments must be comprehensively documented, made available to the Sanctions Monitoring Board or any supervisory authority on request, and kept up to date through regular reviews.

     

    Record-Keeping Requirements

    Record-keeping requirements stipulate that entities listed in Schedule I must retain records demonstrating compliance for five years following the end of the business relationship. Records tied to onboarding obligations must be retained from the date the entity ceases to service the client, those relating to verification obligations from the date verification occurs, and all other records from the date the entity no longer falls within the categories listed in Schedule I.

     

    Daily Screening Obligations for Instant Credit Transfers

    The recent amendments to the National Interest (Enabling Powers) Act require payment service providers offering instant credit transfers to conduct daily checks to verify whether their payment service users are subject to EU restrictive measures. These verifications must also be carried out immediately following the introduction or amendment of any EU sanctions. Importantly, screening cannot occur during the execution of an instant credit transfer to preserve the 10-second processing requirement, but providers remain responsible for implementing all other compliance measures, such as freezing sanctioned accounts.

     

    Appointment of a Temporary Administrator (Article 34)

    Finally, Article 34 introduces the possibility of appointing a temporary administrator in cases of severe non-compliance or where there is a risk to financial stability. The Sanctions Monitoring Board may make such an appointment when EU, UN, or domestic restrictive measures apply to a legal person, its owner, or controlling person, and where the appointment is necessary to avoid adverse social, economic, ecological, or other significant consequences for Malta or the public.

     

    Eligibility and Assessment of the Temporary Administrator

    The temporary administrator must be of good repute. A natural person must be of age, have legal capacity, and have no legal impediment; a legal person must be in good standing and have corporate objects that include the administration of legal persons. The legal person under administration may propose a candidate, whose suitability is then assessed by the Board, taking into consideration qualifications, experience, and any conflicts of interest.

     

    Term, Powers, and Conditions of Appointment

    The Board’s decision will define the term of appointment (up to one year, extendable only in exceptional cases) and specify the administrator’s powers, functions, and required actions. These may include the suspension or overriding of powers held by the entity’s governing bodies. The contractual terms will set out conditions, remuneration, expenses, liability provisions, and procedures for resignation or removal, with the costs borne by the legal person under administration.

     

    Responsibilities and Operational Powers of the Temporary Administrator

    A temporary administrator is granted the ability to engage service providers for legal, accounting, auditing, or management support, and may open deposit accounts in Malta to ensure the continuity of operations. They are required to act prudently and in good faith, must avoid using their powers for personal or third-party benefit, and are obligated to provide financial and activity reports to the Board within agreed timeframes.

     

    At Diligex, we are well positioned to support organisations in meeting these enhanced regulatory expectations. Our team can assist with the implementation of appropriate screening tools, the review and development of internal policies, the execution of comprehensive risk assessments, and the performance of international due diligence.

    For further information, please contact us at [email protected]