On 23rd December 2025, the Financial Intelligence Analysis Unit (“FIAU”) published practical guidance (“Guidance”) for collective investment schemes (“CISs”) when dealing with customers carrying out relevant financial business. The Guidance is the outcome of a thematic review carried out during the last quarter of 2023 on CISs.
Scope
The main scope of the thematic review was to determine how CISs appropriately assess and obtain due diligence information when dealing with customers carrying out relevant financial business, be it when the customers are investing on their own behalf or when they invest on behalf of underlying investors. Specifically, the thematic review focused on the application of simplified due diligence (“SDD”) measures, including transaction monitoring practices, as well as the related policies, procedures, systems and controls put in place, including the Customer Risk Assessment (“CRA”) procedure.
The thematic review involved 20 CISs predominantly servicing customers classified as regulated entities and adopting SDD measures, and consisted of interviews with the Money Laundering Reporting Officers (“MLROs”) of each of the CISs as well as reviews of customers’ profiles.
Key Findings
Whilst the findings of the thematic review demonstrated that, in general, CISs maintain a good level of compliance with respect to SDD and related obligations, the FIAU highlighted certain improvements and recommendations to be addressed by CISs, including the following:
i. Customer Risk Assessment
- CISs should consider and include all the known risk factors pertaining to their client base when setting up and assessing the CRA, and the assessment carried out should be well-documented. The CRA should therefore cater for factors which are relevant to all types of investors, including building a risk profile of a nominee investor. Factors which would be relevant to rating nominee investors include, but are not limited to, understanding whether the nominee investor is regulated, the location of its operations, determination of its underlying customer base location (i.e. the customer base which would be investing in the CIS through the regulated entity), and whether there is adverse media in relation to the nominee investor.
- When a CIS outsources the implementation of the AML/CFT risk assessment procedures to a third-party service provider, an analysis should be carried out to ensure that the assessments adopted by the provider dovetail with the CIS’s particular circumstances and that the CRA is carried out based on the CIS’s own risk understanding and risk appetite. The CIS should also maintain a level of oversight over the implementation of the CRA.
- The CRA adopted by the CIS should be adequate for the business model and client base of the CIS, as well as backed up with a methodology document which is well understood and approved by the senior management of the CIS.
ii. Policies and procedures
- When a CIS applies the AML/CFT policies and procedures of its fund administrator, it should ensure that these are adequate for the CIS’s risk profile and are ultimately in line with the Maltese AML/CFT framework, whereby such checks should be well-documented and retained on record.
iii. Customer’s business and risk profile
- When building a business and risk profile, CISs should refrain from obtaining generic information in relation to the customer’s source of funds. Rather, the focus should be on understanding the customer’s business and risk profile, including by understanding the type of customers the nominee investor is acting for. This would enable the CIS/fund administrator to set up a robust risk profile and be able to perform a more calibrated transaction monitoring process.
- The building of a risk profile should also involve understanding the services and products offered by the CISs’ customers and gaining insight into the type of customer base.
- CISs should obtain an indication of the expected transaction levels at the onboarding stage, as well as the jurisdictions from where the funds will be channelled and invested within the CIS.
- CISs should obtain sufficient insight in cases where there are inconsistent or suspicious inflows of funds that are not in line with the information held on record, including information regarding the source of funds, and explanations on whether there have been any changes in the business strategy of the underlying customer, such as targeting new customer types, or new jurisdiction exposures.
iv. Application of SDD
- CISs should determine and document the scenarios when applying SDD to clearly verify that a business relationship presents a low ML/FT risk.
- AML comfort letters and confirmations should be obtained directly from the customer itself and not from a service provider. However, the Guidance also caters for certain alternatives in this respect, such as when a nominee investor and its service provider sign declarations and undertakings jointly.
- CISs should ensure that they are proactively being informed by the nominee investors when there are changes in the information provided at the inception of the business relationship, such as when the nominee investor targets new jurisdictions or new categories of customers. A declaration to this effect should be obtained from the investor. On the other hand, undertakings from a nominee investor declaring that they will only provide information and/or documentation upon request from authorities in their jurisdiction, or report suspicions to the FIU of that jurisdiction, would not suffice.
- CISs should periodically undertake ongoing monitoring to determine if a low ML/FT risk business relationship still merits SDD measures.
v. Transaction monitoring
- Transaction monitoring remains a key cornerstone. In this respect, CISs should ensure that they adopt a transaction monitoring system that triggers alerts based on risk-based detection rules tailored to the CISs’ business model, including value and/or volume thresholds and parameters that depend on the type of underlying customers serviced by the nominee investor. The CIS should set parameters or factors which are deemed normal, and monitor for any outliers. Detection rules must be tested and fine-tuned periodically from both a technical aspect and an effectiveness standpoint.
- Alert management systems are also important to ensure proper escalations in a timely manner. CISs should have an adequate process for the notification, prioritisation, handling and recording of the alerts generated by the monitoring system and the subsequent actions undertaken relating thereto.
- From a transaction monitoring perspective, CISs should consider transactions taking place over a given period to be able to assert whether the customer’s transaction activity is in line with its business and risk profile.
- In case of subscriptions made by nominee investors, the CIS should obtain sufficient information to establish and understand whether the volume and value of transactions are plausible, especially in cases where outlier transactions are observed.
Moving Forward
CISs are encouraged to consider the findings emanating from this thematic review and ensure that the adopted policies, procedures, systems and controls, specifically those pertaining to SDD measures, are in line with the recommended areas for improvements. CISs are reminded that SDD is not an exemption from performing CDD, but it involves adjusting the scope and timing of due diligence for customers assessed as posing a low ML/FT risk.
Should you require any clarifications on the above or on the design and implementation of systems, processes, policies and procedures, feel free to contact Mario Zerafa or Jonathan Camilleri.