Malta has updated its sanctions legislation through Act No. XXXV of 2025, replacing the previous National Interest (Enabling Powers) Act. This reform aligns domestic law with recent European Union (“EU”) directives and regulations, while introducing significant compliance obligations for businesses operating in Malta. The changes reflect a growing emphasis on harmonisation with EU standards and on strengthening enforcement mechanisms to address sanctions violations effectively. Organisations subject to this legislation must understand the new requirements and update their compliance frameworks accordingly. In this article organisations will find some of the most important areas covered in the revised Act that were either added or modified.
Applicability
The previous Act applied broadly to persons in Malta, Maltese citizens wherever they were located, and to vessels, aircraft, or other means of transport registered in Malta. Its scope was primarily territorial and nationality-based, ensuring that sanctions obligations extended to Maltese individuals and entities regardless of their physical location. The Act retains this foundation but introduces a significant expansion. It now explicitly covers legal persons, entities, and bodies registered in Malta, as well as their branches and majority-owned subsidiaries established in third countries. Where local legislation in those jurisdictions does not permit the implementation of Malta’s restrictive measures, these entities are required to adopt additional measures to mitigate the risk of violations and circumvention.
Sanctions Risk Assessment
One of the most notable innovation is the introduction of mandatory sanctions risk assessments for obliged entities listed under Schedule I, which includes credit and financial institutions, designated non-financial businesses and professions, gaming and crypto-asset service providers. These obliged entities must identify and assess risks related to sanctions violations, proliferation financing, and circumvention. The assessment must consider factors such as client profiles, geographic exposure, products, services, transactions, and delivery channels. Crypto-asset service providers are required to pay particular attention to transfers involving self-hosted wallets, given the heightened risk of anonymity and sanctions evasion. The Act requires obliged entities to document these assessments, keep them updated, and make them available to the Sanctions Monitoring Board (“SMB”) or relevant supervisory authorities upon request.
Sanctions Screening
Under the former Act, obliged entities conducting relevant activity or relevant financial business, were already required to screen their client databases against official sanctions lists on a regular basis and immediately after any update to those lists. The revised Act retains these core requirements but introduces two important provisions. It has been clarified that screening must be carried out prior to onboarding a client, making sanctions checks an integral part of the initial due diligence process. Additionally, companies have the obligation to perform sanctions screening when it becomes aware of changes in the circumstances surrounding a client or its operations that could affect sanctions exposure.
Record-Keeping
The revised framework introduces explicit record-keeping obligations. Entities must retain documentation demonstrating compliance with sanctions obligations for a minimum of five years from the end of the business relationship or from the date of verification, depending on the nature of the records. The SMB may extend this retention period where necessary for enforcement purposes.
Alignment with Instant Payments obligations
The Act imposes specific obligations on payment service providers offering instant credit transfers. These providers must verify whether any of their clients are subject to EU restrictive measures immediately after such measures enter into force and at least once every calendar day. While screening during the execution of an instant credit transfer is not required, payment service providers must have processes to check whether their clients are subject to restrictive measures on a daily basis and immediately after any changes to the official EU sanctions lists.
Administrative Penalties
The enforcement regime under the revised Act introduces a structured system of administrative penalties that provides clearer thresholds and proportional consequences compared to the previous framework. For breaches classified as administrative failures, penalties are calculated as a percentage of the value of the transaction or activity in breach, with natural persons liable for up to fifteen percent and legal persons for up to thirty-five percent. In cases involving payment service providers providing instant credit transfers, penalties may reach ten percent of annual net turnover. The SMB is empowered to impose penalties without recourse to court proceedings and may publish penalties exceeding specified thresholds.
Whistleblower Protection
The Act introduces explicit protections for individuals who report suspected sanctions violations or circumvention, whether internally or directly to the SMB. It prohibits detrimental action against whistleblowers and mandates confidentiality of their identity. These provisions aim to encourage reporting and strengthen detection of breaches. Entities should incorporate whistleblower protection into their compliance programs, ensuring that reporting channels are secure, accessible, and supported by clear policies.
Conclusion
Organisations operating in Malta or with Maltese connections must act promptly to align their policies, systems, and controls with these requirements. This includes conducting comprehensive sanctions risk assessments, implementing robust screening and record-keeping processes, enhancing governance frameworks, and fostering a culture of compliance supported by whistleblower protections. Failure to adapt could result in severe financial and reputational consequences, given the scale of administrative penalties and the increased scrutiny from the SMB. The reform underscores Malta’s commitment to international standards and signals a clear expectation that businesses adopt proactive measures to prevent sanctions violations and ensure the integrity of the financial system.
KPMG Malta is on top of the regulatory developments in the AML/CFT and sanction domains. With our regulatory expertise and rich experience in the market, we can offer you a wide array of services in the sanctions environment.
If you would like to learn more about the developments in the AML/CFT and sanction domains and their potential impact on your organisation, we would be pleased to assist you.
