Dear CEO Letter outlines supervisory observations, regulatory expectations and good practices in countering the financing of terrorism (“CFT”), counter proliferation financing (“CPF”) and targeted financial sanctions (“TFS”).
The Malta Financial Services Authority (MFSA) has issued a Dear CEO Letter outlining the outcomes of its Thematic Review on Terrorist Financing (TF), Proliferation Financing (PF) and Targeted Financial Sanctions (TFS) evasion risks within Credit Institutions.
The publication sets out key supervisory observations, highlights examples of sound industry practices and clarifies the Authority’s regulatory expectations. This exercise forms part of a broader national effort and builds on a previous iteration issued in March 2025, which assessed industry practices among Financial Institutions and Crypto-Asset Service Providers.
TF, PF and TFS evasion remain significant and evolving threats to the integrity of the financial system. Recent publications by the Financial Action Task Force (FATF) highlight an increasing convergence between traditional financing channels and emerging digital technologies. At the same time, the FATF underscores the growing sophistication with which illicit actors seek to evade sanctions and circumvent controls aimed at preventing PF.
Against this backdrop, and in light of Malta’s national risk profile, it is critical that Credit Institutions maintain robust, adaptive, and forward-looking frameworks capable of effectively identifying, assessing, and mitigating TF, PF, and TFS evasion risks, thereby safeguarding the financial system and supporting broader international efforts to combat illicit finance.
Key Supervisory Observations
The Dear CEO Letter highlights a range of sound practices currently adopted across the sector and encourages Authorised Entities to maintain these standards while continuing to strengthen key areas to achieve full alignment with regulatory expectations. The observations below represent a non-exhaustive set of high‑level themes identified by the Authority:
- Authorised Entities demonstrated strong alignment with Malta’s National Risk Assessment and are expected to continue integrating this, together with relevant Supranational Risk Assessments, into their business-wide and jurisdictional risk assessments.
- Authorised Entities are expected to ensure that TF, PF and TFS evasion risks are given appropriate and distinct consideration within their internal frameworks.
- Authorised Entities are expected to continue applying proportionate, risk-based measures to identify and mitigate risks of breaches and circumvention of restrictive measures, including those related to PF, across their activities.
- Authorised Entities implementing or considering artificial intelligence solutions must demonstrate a clear understanding of their design, functionality, and limitations, including maintaining comprehensive audit trails of alerts and decisions.
- Authorised Entities are expected to maintain robust, risk-sensitive, and role-specific training programmes, ensuring staff, particularly in higher-risk roles, receive ongoing and practical training.
Next Steps
The MFSA encourages Authorised Entities to review these findings alongside relevant guidance, including the MFSA’s Guidance for MLROs in the Financial Services Sector and publications issued by the Financial Intelligence Analysis Unit (FIAU). Entities are expected to leverage this guidance to assess and further strengthen their CFT, CPF, and TFS frameworks, ensuring continued alignment with regulatory expectations. The insights from this exercise may inform the Authority’s future outcomes-based supervisory approach in the area of financial crime compliance.
The MFSA extends its appreciation to all participating Credit Institutions and reiterates its commitment to supporting the sector through continued guidance aimed at promoting robust governance and compliance standards. The Authority remains available to provide further clarification where required.
