Risk-Based Supervision

should neither be considered nor construed as advice or in any way a commitment on the part of the MFSA. Should a conflict arise between this document and the applicable laws, regulations or rules, the laws, regulations or rules shall prevail. The MFSA reserves the right to deviate from any of the processes set out in this document where it deems it to be necessary or appropriate.

CONTENTS

GLOSSARY ..... 5
EXECUTIVE SUMMARY ..... 6
1. INTRODUCTION ..... 7
2. PURPOSE ..... 7
3. RISK-BASED SUPERVISION ..... 8
4. THE MFSA APPROACH ..... 8
   4.1 Key Principles ..... 8
   4.2 Risk Assessment Framework ..... 10
   4.3 ML & FT Risks ..... 11
5. SUPERVISORY ENGAGEMENT ..... 13
6. RESOURCE ALLOCATION ..... 13
7. AML/CFT RISK-BASED APPROACH ..... 13
   7.1 Authorisations ..... 13
   7.2 Supervision ..... 15
      7.2.1 Ongoing supervision of higher risk firms ..... 15
      7.2.2 Sampled review of other firms ..... 15
      7.2.3 Thematic reviews of firms ..... 16
      7.2.4 Event-driven reviews of firms ..... 16
8. FUTURE ENHANCEMENTS ..... 16
   8.1 Risk Ranking Methodology ..... 16
   8.2 Supervisory Quality Assurance ..... 17
9. AGENT OF THE FIAU ..... 18
10. CONCLUDING REMARKS ..... 19

REVISIONS LOG

VERSION | DATE ISSUED  | DETAILS
1.0     | 04 June 2020 | Risk-Based Supervision Initial version

GLOSSARY

AML: Anti-Money Laundering
CASPAR: Compliance and Supervision Platform for Assessing Risk
CFT: Combatting the Financing of Terrorism
EBA: European Banking Authority
ECB: European Central Bank
FCC: Financial Crime Compliance
FIAU: Financial Intelligence Analysis Unit
Firm(s): Persons licensed and regulated by the MFSA including Credit Institutions, Financial Institutions, Insurance Companies and Insurance Intermediaries, Investment Services Companies and Collective Investment Schemes, Securities Markets, Recognised Investment Exchanges, Trust Management Companies, Company Services Providers, Pension Schemes, Virtual Financial Assets Agents and Virtual Financial Assets Service Providers.
FT: Financing of Terrorism
MFSA: Malta Financial Services Authority
ML: Money Laundering
NCA(s): National Competent Authority
PQ: Personal Questionnaire
PMLA: Prevention of Money Laundering Act, Cap. 373 of the Laws of Malta
Risk Appetite: MFSA Risk Appetite Statement (link)
SSM: Single Supervisory Mechanism
Supervisory Priorities: MFSA Supervisory Priorities for 2020 (link)

EXECUTIVE SUMMARY

The MFSA is responsible for continuously regulating, monitoring and supervising firms in the financial services industry in Malta. This is key to safeguarding the integrity, prosperity, innovation and trust in the Maltese financial services sector. To increase our supervisory effectiveness, we adopt a risk-based approach to supervision that considers potential macro and micro prudential, conduct and financial crime risks associated with the firms we oversee.

Risk-based supervision revolves around the idea that as a regulator we have a finite number of resources that must be deployed where they can make the greatest difference. Adopting a risk-based approach therefore allows us to allocate resources to the firms which are most significant and to the risks that pose the greatest threat to consumers and financial market stability.

Risk-based supervision is a dynamic and continuous process that involves planning, risk assessment, execution of the supervisory programme and regular monitoring and evaluation on a risk-based cycle. Our risk-based supervisory approach is based on three main principles, being supervisory judgement-based, forward-looking and focused on key risks. Across all of these principles we apply proportionality to ensure our interventions do not go beyond what is necessary in order to achieve our objectives.

The adoption of a risk-based approach to supervision provides us with a basis for assessing risks across and within sectors. It allows us to assess, within a forward-looking perspective, the most important prudential, conduct and ML/FT risks posed by firms to our supervisory objectives and the extent to which firms can manage and contain these. AML and CFT now sit at the core of our risk assessment framework.

One of our key commitments is to increase our engagement with the industry and the public. This document is being published to increase our accountability and transparency, enabling industry and consumers to better understand our supervisory work and priorities. Through this publication we also aim to describe the principal features of risk-based supervision whilst communicating our risk-based supervisory approach, setting out the future work to be conducted for enhancing our risk-based approach and clarifying how AML and CFT have been integrated therein.

1. INTRODUCTION

The MFSA is responsible for the regulation, monitoring and supervision of firms in the financial services sector in Malta. This is key to safeguarding the integrity, prosperity, innovation and trust in the Maltese financial services sector. To increase effectiveness, we adopt a risk-based approach to financial supervision considering the potential macro and micro prudential, conduct and financial crime risks associated with the firms we oversee.

The MFSA focuses its supervisory and regulatory activities on those areas which pose the greatest risk to the financial market, with the aim of minimising the occurrence of breaches and ultimately protecting consumer interests and safeguarding integrity and confidence in the financial market. Supervision is guided by the proportionality principle, and the extent of supervision depends on the nature and scope of the business activities and the corresponding overall risk profile.

Our regulatory and supervisory processes are not aimed at achieving a zero-failure regime, but rather at ensuring that we minimise the impacts of failure and that any failures occurring in the market are handled in a systematic way, thereby ensuring minimal harm to the financial market and its consumers.

2. PURPOSE

The aim of this document is to describe the principal features and objectives of risk-based supervision whilst also communicating the risk-based supervisory approach adopted by the MFSA. It also sets out the future work to be conducted for enhancing this approach and strengthening our supervisory framework.

Through the publication of this document, we also aim to provide an overview of how AML and CFT have been integrated into our risk-based approach to supervision. In Malta, the FIAU is the government agency responsible for monitoring compliance with the relevant AML and CFT legislative provisions. Our primary remit in this respect is to ensure that regulated firms have in place broader, overarching systems and controls. AML and CFT arrangements are, however, a crucial component of these systems and controls, and one set cannot be considered without [...]t and prudential arrangements are often a symptom of AML and CFT shortfalls, too. We therefore have an obligation to consider ML and FT risks in authorised firms within our supervisory work, as well as cooperating with the FIAU as part of joint AML and CFT supervision.

One of our key commitments is to increase our engagement with industry and the public. By virtue of this publication we are increasing accountability and transparency, enabling industry and consumers to better understand our supervisory work and priorities.

3. RISK-BASED SUPERVISION

Risk-based supervision is a continuous process that involves planning, risk assessment, execution of a supervisory plan and regular monitoring and evaluation. The concept behind risk-based supervision is that we can increase our supervisory effectiveness and efficiency by focusing our efforts on those firms and on the risks that pose the greatest threat to consumers of financial services and financial stability, without ignoring less significant or lower risk firms.

As the single regulator of financial services in Malta, we need to allocate our limited number of resources to the areas of greatest risk. Allocating resources in a risk-driven manner is a more effective way to safeguard the stability of our financial markets, since the various firms we regulate pose different risks to our financial services sector.

Therefore, firms with the potential of having the greatest adverse impact on consumers of financial services and financial stability will receive a high level of supervision under structured engagement plans, leading to early intervention measures necessary to mitigate potential risks. Conversely, those firms having the lowest potential adverse impact will be supervised reactively or through thematic assessments, with targeted enforcement action being taken against firms across all impact categories whose poor behaviour puts the [...]

4. THE MFSA APPROACH

4.1 Key Principles

Our supervisory risk-based approach is based on three main principles:

Supervisory Judgement Based: We rely on an element of human decision-making when taking decisions.

Forward-Looking: Firms are assessed not just against current risks, but also against any possible future risks.

Focused on Key Risks: The focus is on those firms that are likely to impose the greatest risks towards the achievement of our supervisory objectives.

Moreover, our risk-based approach to supervision is:

- consistent in its application. Although firms receive different amounts of supervisory attention depending on their impact and the risks they pose, decisions about these matters are taken on a consistent and systematic basis;
- taking account of relevant information both from within and outside of the MFSA. Some examples include information about the wider economy which may have a bearing on risk, intelligence regarding the wider industry or sector, and supervisory information about the wider financial group which the firm may form part of;
- supported by a common framework throughout the organisation. This consists of the tools, documentation and decision-making processes that support risk-based supervision, along with the approach to assessing and acting upon identified risks;
- supplemented with oversight and quality control mechanisms enabling peers and managers to review assessments and decisions in order to ensure consistency of approach;
- [...] that risks are classified in accordance with supervisory priorities. This allows resources to be allocated appropriately and remedial action to be proportionate to the risk identified;
- used to address prudential, conduct and ML and FT risks;
- concerned with outcomes. The focus is more broadly on the promotion of good outcomes (such as ensuring that customers are treated fairly) and the avoidance of bad ones (such as losses to users of financial services resulting from firm failures). Risk is assessed in this broad context and remedial tools are more often used pre-emptively to promote desired outcomes;
- supported by enforcement action. The MFSA has over the past year significantly increased resources in this area, seeking to enhance and facilitate such action.

We apply the above principles proportionately to ensure that our interventions do not go beyond what is necessary to achieve our objectives. The adoption of a risk-based approach to supervision provides us with a basis for assessing risks across and within sectors. Through our risk-based supervisory approach we seek to assess, within a forward-looking perspective, the most important prudential, conduct and ML/FT risks posed by firms to our supervisory objectives and the extent to which firms can manage and contain these.

4.2 Risk Assessment Framework

Our risk assessment framework is both qualitative and quantitative in nature, necessitating an element of human decision-making and supervisory judgement to be applied at some stage of the process. Such judgement will partly reflect our supervisory risk appetite.

The key factors taken into consideration when forming our judgements include the type of organisation, the [...] governance. However, the use of databases and dashboards identifying trends, risk exposures and shifts in exposures to key markets, sectors, products or activities is integrated into our qualitative decision-making process and is usually one of the departure points in arriving at sound risk-based judgements.

Diagram 1: MFSA Risk Assessment Framework

The objective of our risk assessment process is to identify those activities within firms posing the greatest risk. These differ across sectors. For example, for the banking sector, credit and market risk usually constitute the key risks. For life insurers, key risks will include the possibility that returns on assets fail to match those on their long-term obligations to policyholders, and the liquidity risk arising from uncertainty about the timing of redemptions. On the other hand, any firm, from whatever sector, with retail customers runs the risk of its products being mis-sold. This risk is particularly critical where products are complex and/or of long maturity, so that the consequences of mis-selling may not be apparent for several years. Similarly, firms in all sectors are susceptible to financial crime or to being used for money laundering.

Supervisory judgement is then exercised to assess the severity of each risk and to manually adjust the risk score for each of these risks, as necessary for establishing an updated entity risk ranking. This is conducted on an annual basis. To facilitate the process, supervisory functions make use of their own risk assessment systems which seek to capture a mix of prudential, conduct and ML and FT risk variables. Diagram 2 below depicts our risk assessment model.

Diagram 2: Risk Assessment Model

4.3 ML & FT Risks

Our risk assessment framework originally addressed prudential and conduct risks. This has been revamped with the aim of minimising the ML and FT risks posed to the safety of our society, the integrity of our financial system and the stability of our economy. AML and CFT now sit at the core of our risk assessment framework.

Our prudential and conduct risk assessment models now incorporate the ML and FT CASPAR [1] risk scores provided by the FIAU, for those subject persons who are regulated and supervised by the MFSA. These scores have been integrated within our risk assessment models on the basis of a weighting reflecting the vulnerability of the different sectors under our supervision to ML and FT. The MFSA conducted an additional sectoral risk assessment with the objective of determining sector-specific susceptibility to a set of vulnerabilities, including inter alia AML and CFT. Further detail on this risk assessment is provided under Section 8.1. This has been used as a basis for determining the weighting to be adopted for inclusion of the FIAU CASPAR risk score into our prudential and conduct risk assessment models.

[1] CASPAR is a risk-scoring system which gathers information from multiple sources. It incorporates an integrated, tailor-made risk engine which translates the information gathered from various sources into risk indicators. It provides inherent risk and control effectiveness scores which result in the overall residual risk of each subject person. Throughout the year, re-evaluation of the risk is done in response to new information received.

The MFSA contributes to the ML and FT CASPAR risk scores through the ongoing submission of data to the FIAU, both through the provision of prudential information as well as when acting as an agent of the FIAU. Diagram 3 below illustrates how our supervisory work in relation to AML and CFT integrates with the work of the FIAU. Further detail on the role of the MFSA as agent of the FIAU is provided under Section 9 of this document.

Diagram 3: MFSA input to FIAU CASPAR Risk Score

In the case of the banking sector, the implementation of the SSM (in November 2014) created a new system of banking supervision comprising the ECB and the NCAs of participating EU [...] supervises significant banks, while less significant banks continue to be supervised by NCAs, such as the MFSA.

Following money laundering issues which recently arose in Europe, the ECB has been working closely with the EBA on including AML and CFT considerations in the prudential risk assessment of banks. The MFSA follows closely the work being carried out in this respect, also through our active participation in an ECB working group discussing such matters. In this regard, we have decided to extend the ECB risk assessment (where possible) to less significant institutions that are under our direct supervision. Consequently, our Business Model Analysis Procedures for less significant institutions now incorporate the ECB AML and CFT risk assessment.

Further [...] brought the three pillars of our supervisory strategy - prudential, conduct and financial crime compliance (FCC) supervision - within the remit of the Supervision Directorate. This was considered crucial towards our holistic approach to supervision. Our prudential and conduct supervision teams have intensified their collaboration with the FCC Function, and joint supervisory work has become standard practice. Any findings in relation to AML and CFT are shared, and such information informs our overall entity risk score.

5. SUPERVISORY ENGAGEMENT

The extent and frequency of our supervisory work, both onsite and offsite, is guided by our risk-based supervisory framework. We will engage with firms at a level that corresponds to their risk grading category: the higher the risk, the higher the level of engagement. This engagement consists of a variety of reviews, assessments and meetings. This is our means of obtaining sound intelligence about a firm in order to accurately assess the risks that it poses.

Different sets of engagement tasks are adopted for: [i] high risk firms; [ii] medium risk firms; and [iii] low risk firms. These would vary in the depth of assessment required to obtain an [...] the risk category of the respective firm. While there is commonality of engagement tasks where this makes sense (e.g. submission of data through statutory returns), the intensity and frequency of these tasks are proportionate to the amount of resources available based on the risk classification.

Further detail on the structure of the risk-based approach adopted by the MFSA is provided under Section 7. Although that Section is focused on explaining our risk-based approach in terms of AML/CFT, the same approach is applied for prudential and conduct supervision. In addition, enforcement action will be taken by the MFSA against any firm that fails to meet appropriate prudential and consumer protection standards.

6. RESOURCE ALLOCATION

The number of staff resources allocated to the supervision of a firm depends on the level of risk posed by that firm. A high-risk firm requires more staff to be focused thereon than a firm with a lower risk profile. That being stated, resource allocation is dependent on our supervisory priorities, budgetary constraints and/or new demands.

7. AML/CFT RISK-BASED APPROACH

[...] deterring ML and FT is reflected in our authorisation and supervision arrangements. These arrangements work together with the broader national institutional framework to minimise the risk that ML and FT pose to the safety of our society, the integrity of our financial system, and the stability of our economy. A risk-based approach is also adopted for ML and FT risks associated with the firms we authorise and oversee.

7.1 Authorisations

The assessment of [...] of the MFSA with respect to AML and CFT sits at the heart of our evaluation processes and our conditions for authorisation. The MFSA seeks to ensure that only fit and proper firms and individuals enter our financial system. We are responsible for carrying out probity screenings in relation to all qualifying beneficial owners as well as key functionaries within a licensed firm. A risk-based approach is adopted, both at on-boarding and on an ongoing basis, to verify that applicants and approved persons are of good repute.

In light of the above, we have implemented a risk rating calculator to establish an overall risk rating for an applicant at onboarding. This combines checks performed to ensure that an individual is fit for the role as well as results from checks performed to ensure that an individual is proper for a role. Checks performed to ensure that an individual is fit for a role predominantly relate to educational background, work experience, reputation and time commitment. On the other hand, checks performed to ensure that an individual is proper for a role include due diligence checks done through a combination of third-party risk intelligence tools, general web searches, FIAU reports and internal databases held by our supervision functions. These checks are now being conducted by a newly set up specialised Due Diligence function housed within our Enforcement Directorate.

As part of our improved authorisation arrangements, our Authorisation teams have also intensified their collaboration with the FCC function prior to onboarding an applicant entity. Indeed, it has become standard practice for our Authorisation teams to consult our FCC team, at authorisation stage, on the business and operating models of an applicant entity. Subsequently, there is also cooperation with the FIAU. Therefore, at authorisation stage, applications are inter alia being assessed in terms of the wider ML and FT implications of the models being proposed.

Diagram 4: Risk Assessment Onboarding of Applicants - Individual Involvements

Diagram 5: Risk Assessment Onboarding of Applicants - Business & Operational Models

7.2 Supervision

[...] prudential arrangements often pave the way to financial crime risk, making firms more vulnerable targets for criminals seeking to disguise proceeds of crime or to support the financing of terrorism. The MFSA therefore has an obligation to consider ML and FT risks in authorised firms as part of our supervisory work.

Our risk-based approach to AML and CFT supervision, established with the FIAU, in principle reflects the risk-based approach adopted by the MFSA for prudential and conduct supervision across sectors. This is structured as follows:

7.2.1 Ongoing supervision of higher risk firms

Consistent with our risk-based approach to prudential and conduct supervision, where a firm is identified as being associated with a higher level of ML and FT risk, it is included within the regime of ongoing supervision. As previously noted, the AML and CFT risk assessment of firms is carried out jointly with the FIAU and feeds into the risk assessment models operated by both institutions. This regime includes major firms with large customer bases, firms which are [...] models or customer bases, and firms where systems or control weaknesses relating to AML or CFT are identified.

Ongoing supervision includes regular touchpoints with the firm (including regular supervisory interactions) as well as the regular provision by the firm of management and other relevant information. Where firms undertake remedial or corrective action plans to remedy identified AML and CFT deficiencies, ongoing supervision envisages the conduct of onsite inspections.

7.2.2 Sampled review of other firms

In addition to ongoing supervision of high-risk firms, reviews of other firms are also carried out, to enable all parts of the financial services industry to be covered through the risk-based supervisory cycle. Firms are selected subject to a tailored review of the highest risk areas of their business model, whereas other firms are selected on a randomised basis. Review of AML and CFT arrangements is a key part of our reviews, and our members of staff are trained to identify indicators of AML and CFT weaknesses within broader corporate arrangements.

7.2.3 Thematic reviews of firms

From time to time, thematic reviews are conducted across firms operating within a particular sector of the financial services industry, or in relation to a particular aspect of AML and CFT. Thematic reviews typically include onsite inspections of multiple firms and requests for data. Consistent with our principle of open communication, and in the interests of promoting a culture of best practice within the financial services industry, we, in conjunction with the FIAU, may make use of the results of thematic reviews to provide guidance to firms.

7.2.4 Event-driven reviews of firms

Event-driven supervision consists of as-needed reviews of firms where specific control weaknesses have been identified or breaches have occurred. Event-driven reviews may be mandated where the aforementioned reviews have identified the need for further information [...]

- other regulatory or law enforcement bodies within the National Institutional Framework;
- overseas regulators;
- whistle-blowers;
- self-reporting by firms; and
- publicly available information.

These reviews may result in a regulatory or law enforcement action against the firm concerned within the National Institutional Framework, and potentially a recommendation that enforcement action be taken against the firm or any individuals involved in the event.

The above approach allows us to respond in an agile way to emerging ML and FT risks, and to anticipate and counteract new methods, products and markets being employed by money launderers and funders of terrorism.

8. FUTURE ENHANCEMENTS

8.1 Risk Ranking Methodology

As part of our continuous efforts to strengthen our supervisory approach and enhance the risk assessment process, the MFSA has, late last year, conducted a sectoral risk assessment whereby [...] supervisory priorities. These vulnerabilities include susceptibility of the sector to:

- money laundering and terrorism financing;
- duty of care;
- cyber risk;
- effectiveness of governance and risk management practices;
- adverse reputational impact from exposure outside Malta; and
- criticality of services offered.

The output from the sectoral risk assessment will act as a critical input to our wider risk-based supervision approach.

The MFSA is also currently working to develop one holistic entity-level risk ranking methodology that stratifies firms into a five-point scale to determine the level of risk associated with each firm. This model will allow the MFSA to score firms both upon their authorisation as well as on an ongoing basis in line with our supervisory work. This will allow further consistency across supervisory functions in the way of thinking about risk. The entity risk score will be determined on pre-defined key risk indicators that align with the vulnerabilities used for establishing the sectoral risk score, and on risk weightings that reflect the perceived importance of the risk indicators. The model to be developed will encompass data that is currently not being taken into consideration by the MFSA in its risk-based approach, such as information on cyber security. These developments will provide the MFSA with a more consistent approach for analysing the risk scores by comparing entities to peers, looking at specific sectors of
