Published after the enactment of Act No. XXXV of 2025 on 14 November 2025
Malta’s recently reformed National Interest (Enabling Powers) Act (the “Act”) adopted on 14th November 2025, marks a significant overhaul of the country’s sanctions and compliance framework. The reform aligns domestic law with evolving EU and United Nations restrictive-measures regimes and imposes new compliance duties on businesses operating in or from Malta.
Among the most significant changes is the newly-introduced obligation to carry out a risk assessment as outlined in Article 32, sub-articles (5), (6) and (7). These sub-articles introduce a mandatory requirement for obliged entities to draw up a business-wide risk assessment, with a focus on restrictive measures (and not solely targeted financial sanctions) violations, proliferation financing and circumvention risks. They also explicitly require that crypto-asset service providers (“CASPs”) consider the risks associated with transfers involving self-hosted addresses when carrying out these assessments.
Under Article 32(5) of the revised Act, all persons, entities, or bodies listed in Schedule I — essentially those conducting relevant activity or relevant financial business under Malta’s AML/CFT framework – must take appropriate steps, proportionate to their business size and nature, to identify and assess the risks of violations of restrictive measures, proliferation financing, and circumvention of those measures (collectively referred to in this article as “sanctions risks”), that arise from their operations.
The Act specifies that this risk assessment must take into account standard risk factors such as those regarding customers, geographical exposure, products and services, transaction types, and delivery channels. Although it is not specified whether this business risk assessment needs to be a stand-alone assessment or whether it can be incorporated into the AML/CFT business risk assessment of the obliged entity, whichever way the obliged entity decides to formalise it, the sanctions risk element must be clearly articulated and a separate overall risk outcome for sanctions has to be determined. Implementing Procedures to be published in the coming months should provide more clarity on the matter.
The core concepts:
- Restrictive Measures
In the context of the Act, “restrictive measures” refers to sanctions and related prohibitions imposed by the European Union, the United Nations Security Council (UNSC), or Maltese domestic authorities on individuals, entities, goods, services, or jurisdictions. These typically include:
- Targeted financial sanctions such as asset freezes
- Economic sanctions such as arms embargoes
- Travel Bans
- Other economic measures such as restrictions on imports and export
Such measures aim to exert economic or political pressure in response to threats to international peace or national security, and Malta’s updated Act refines the wording used and aligns it further with that used by international bodies. Through this legislative instrument, domestic law making the sanctions immediately binding on persons and entities operating within Malta.
- Proliferation Financing
Proliferation financing refers to the provision or collection of funds intended to support the development, acquisition, or spread of weapons of mass destruction and their delivery systems, including nuclear, chemical, or biological weapons. This concept is a specialized form of financial risk that overlaps with broader anti-money laundering / countering the financing of terrorism concerns.
Malta’s inclusion of proliferation financing in Article 32 reinforces the jurisdiction’s commitment to prevent its financial system from being used, willingly or unwittingly, to support activities that enable the spread of weapons of mass destruction.
- Circumvention of Restrictive Measures
Circumvention of restrictive measures refers to attempts to evade or bypass sanctions by exploiting legal, operational, or technical gaps. This can include:
- Mislabelling of goods or services,
- Use of third-country intermediaries,
- Complex corporate structures to obscure ownership, or
- Routing transactions through jurisdictions with weak enforcement.
Businesses must not only guard against direct breaches, but also mitigate the risk that their products or services could be used to circumvent sanctions.
Crypto-Asset Service Providers and Self-Hosted Addresses
The proviso to Article 32(5) places a specific focus on crypto-asset transfers involving self-hosted addresses, recognising the following unique risks they pose:
- Self-hosted addresses are wallets controlled directly by users without the intervention of an intermediary, such as a regulated Crypto Asset Service Providers.
- Transactions involving such addresses can obscure identities and the flow of funds, making them attractive channels for sanctions evasion, money laundering, and proliferation financing.
This requirement mirrors similar obligations under the Transfer of Funds Regulation (RECAST)[1], the Prevention of Money Laundering and Funding of Terrorism Regulations[2] and the FIAU’s Implementing Procedures (Part II for CASPs Sector)[3], which require CASPs to identify and assess these risks and apply mitigating measures, such as enhanced due diligence and monitoring.
What do Obliged Entities Need to Do?
Article 32(5) – (6) of the 2025 National Interest (Enabling Powers) Act represents a significant shift toward risk-based compliance in the Maltese regulatory landscape. By explicitly requiring businesses to assess the full spectrum of sanctions risks — including proliferation financing and sanctions circumvention — and by directing crypto-asset providers to consider the unique challenges posed by self-hosted address transfers, Malta is signalling its further commitment to robust sanctions implementation in line with international standards.
For organisations operating in Malta, preparing comprehensive, documented, and ongoing risk assessments is no longer optional — it is an essential part of operating within a jurisdiction aligned with global sanctions conventions, standards and best practices.
How ARQ Can help
Understanding and applying the new requirements under Article 32(5) and (6) of the recently introduced Act can be challenging, particularly where sanctions, proliferation financing and crypto-assets risks are involved. ARQ can assist with incorporating the new obligations within your compliance framework, assisting with the carrying out of the sanctions business risk assessment and providing guidance on practical and proportionate measures that need to be introduced.
For more information contact us on compliance@arqgroup.com
[1] REGULATION (EU) 2023/1113 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849 (recast)
[2] PREVENTION OF MONEY LAUNDERING AND FUNDING OF TERRORISM REGULATIONS (S.L. 373.01)
Martina Mifsud
Head – Risk & Compliance (Advisory)
Martina Mifsud is the Head of Risk & Compliance (Advisory) within the ARQ Group. Prior to joining ARQ, she worked with the Financial Intelligence Analysis Unit, where her main role was to carry out both on-site and off-site AML/CFT reviews and inspections of financial services entities and DNFBPs.
