To improve our website and provide more personal services to you, we would like to store cookies on your device. View our updated Privacy Policy.

Wait, don't go!

Sign up to our newsletter to be the first to know about new developments at Diligex!

    Name

    Surname

    Email

    I consent to Diligex storing my personal data provided for the sole purpose of responding to my enquiry and administering my request.


    ×
    0
    Call the incident response team of our strategic cybersecurity partner, Thomas Murray, on the emergency 24/7 UK line +44 (0) 2074594888, for immediate help from their experts.
    The New EU AML Regulation in Malta: What Is Really Changing for Subject Persons?
    Article

    The New EU AML Regulation in Malta: What Is Really Changing for Subject Persons?

    2 May, 2026 June 1st, 2026

    The New EU AML Regulation in Malta: What Is Really Changing for Subject Persons?

     

    The EU Anti-Money Laundering legislative package marks the most significant structural reform of Europe’s AML/CFT framework in over a decade. Comprising the Anti-Money Laundering Regulation (AMLR), the Sixth AML Directive (AMLD6) and the establishment of the Anti-Money Laundering Authority (AMLA), the package aims to introduce a more harmonised EU AML/CFT framework while strengthening supervisory coordination across the Union.

    For Maltese licensed subject persons, these developments do not introduce a fundamentally new AML/CFT philosophy. Instead, they formalise, at EU level, a number of concepts that have already featured prominently in local supervision, while providing greater legal clarity around customer due diligence (CDD), business relationships, beneficial ownership and governance expectations.

     

    From Directives to a Single Rulebook

    The most consequential shift introduced by the AMLR is that core AML/CFT obligations applicable to subject persons will now be set out in a directly applicable EU Regulation, commonly referred to as the Single Rulebook. This is intended to reduce divergence in interpretation and application of how AML/CFT rules are applied across Member States by establishing a more consistent legal framework at EU level.

    While national competent authorities and FIUs will continue to play a central supervisory and enforcement role, the underlying legal requirements applicable to subject persons will increasingly derive directly from the AMLR and related technical standards.

     

    Customer Due Diligence: Greater Precision, Not Reinvention

    The AMLR retains the risk-based approach as the cornerstone of customer due diligence. However, the AMLR and the draft RTS introduce more granular and harmonised requirements regarding the application and content of CDD measures.

    The draft RTS under Article 28(1) are central in this respect. They aim to support more consistent application of CDD requirements by clarifying:

    • the information to be obtained for different customer types;
    • the requirements applicable to standard, simplified and enhanced due diligence measures; and
    • expectations relating to the verification, updating and ongoing monitoring of customer information.

    Key developments include strengthened and more standardised identification and verification requirements, greater reliance on reliable and independent information sources and electronic identification methods, and a more structured approach to customer risk information such as the purpose of the business relationship, source of funds and ownership structures and enhanced expectations regarding transaction monitoring and the assessment of customer activity within the context of the overall business relationship.

    In parallel, separate draft RTS under Article 19(9) AMLR provide further guidance on the criteria for determining business relationships, occasional transactions and linked transactions.

     

    Business Relationships: A Clarified Concept

    While Article 19 clarifies the circumstances in which a customer interaction constitutes a business relationship, the draft RTS under Article 28(1) specify the information and measures required to understand, verify and monitor that relationship on an ongoing basis. In particular, they provide greater detail on

    • obtaining information regarding the purpose and intended nature of the business relationship,
    • expected customer activity and
    • the ongoing review of customer information.

     

    Ongoing Monitoring and Periodic Reviews

    The AMLR framework introduces more explicit expectations regarding the ongoing monitoring of customer relationships and the updating of customer information throughout the lifecycle of the relationship.

    Higher-risk relationships subject to enhanced due diligence are expected to be reviewed more frequently, while all business relationships remain subject to ongoing monitoring on a risk-sensitive basis. The broader framework also contemplates periodic updating obligations alongside event-driven reviews.

    This does not replace event-driven monitoring but reinforces the expectation that Subject persons maintain frameworks capable of ensuring customer information remains accurate, relevant and up to date throughout the lifecycle of the relationship. Subject persons must therefore ensure that their systems, procedures and policies support both continuous risk-based monitoring and appropriate periodic updating of customer due diligence information.

     

    Beneficial Ownership: A More Structured Framework

    Key features include:

    • a harmonised 25% ownership or control threshold, as the starting point for beneficial ownership identification, supported by more detailed provisions on the assessment of ownership and control structures;
    • a clearer hierarchy of ownership, control through other means, and senior managing official fallback; and
    • a more harmonised look-through approach for trusts and similar legal arrangements.

    Subject persons also required to identify and report discrepancies between beneficial ownership information obtained through CDD measures and information held in central registers, in accordance with applicable reporting obligations. While this obligation already exists under Maltese law, the AMLR further harmonises its application across Member States.

     

    Governance, Accountability and Internal Controls

    Beyond customer due diligence requirements, the new EU AML package also strengthens the governance and control framework applicable to subject persons. Through a combination of AMLR and AMLD6 provisions, greater emphasis is placed on clearly defined responsibilities, effective oversight and documented governance arrangements.

    Among other things, they:

    • reinforce the role, responsibilities and independence of the AML/CFT Compliance Officer;
    • clarify management body responsibilities for AML/CFT compliance; and
    • introduce more structured requirements regarding the outsourcing of AML/CFT functions and controls.

    While many of these expectations are already reflected in existing guidance and supervisory practice, their incorporation into the EU legislative framework promotes greater consistency across Member States and provides a more harmonised basis for supervisory assessment. In practice, subject persons may therefore expect increased focus on governance structures, the effectiveness of oversight arrangements and the ability to demonstrate how AML/CFT responsibilities are discharged across the organisation.

     

    AMLA’s Role for Maltese Subject Persons

    AMLA is intended to serve as the centre of EU AML/CFT supervisory framework. Its functions include developing regulatory and implementing technical standards, issuing guidelines, coordinating supervisory practices and, for a limited number of selected high-risk cross-border financial institutions, exercising direct supervisory powers

    For most Maltese licensed subject persons, AMLA’s impact is likely to be indirect, at least initially.

    In practice, this impact will primarily be felt through the technical standards, guidelines and supervisory approaches that will shape the expectations of national competent authorities and supervisory practices across the EU.

     

    Preparing for Change Without Over-Correction

    While the direction of travel is increasingly clear, a number of RTS and implementation measures remain in draft form. Subject persons should therefore focus on:

    • understanding how key concepts, particularly business relationships and CDD requirements, are framed under the AMLR;
    • mapping existing frameworks against forthcoming requirements to identify operational gaps; and
    • ensuring policies, procedures and systems remain sufficiently adaptable as the final RTS texts are adopted.

    A measured and informed approach is essential, particularly given the phased application of the new framework.

    Although the AMLR introduces a more harmonised and prescriptive framework, it does not fundamentally alter the core principles underpinning AML/CFT compliance. Rather, it provides greater clarity and consistency in how those principles are expected to be applied across the EU.

    As further technical standards and guidance are finalised, subject persons should focus on understanding the practical implications of the new requirements and assessing where targeted enhancements to existing frameworks may be required.