On 5 December 2024, the MFSA issued a proposed Rulebook for Trustees and Other Fiduciaries, applicable to trustees, administrators of private interest foundations, and mandatories in terms of the Trusts and Trustees Act (TTA). The MFSA’s initiative to issue a Rulebook, which specifically caters for trustees and other fiduciaries seeks to enhance legal clarity, standardize obligations, and align with international standards like FATF guidelines. Once the Rulebook is officially published, it will replace the current Code of Conduct under the TTA.
The proposed Rulebook is supplemented by specific rules applicable to:
- Authorised Persons providing company services in terms of the Company Service Providers (Exemption) Regulations, 2021;
- Authorised Persons acting as qualified persons in terms of 43(9) of the Act, and
- Notaries authorised to act as qualified persons in terms of the applicable regulations;
- Authorised Persons established as bodies corporate; and
- Individuals acting as private trustees because they are related to the settlor, by consanguinity or affinityin the direct line up to any degree or in the collateralline up to the fourth degree inclusively or have known the settlor for at least ten years in terms of Article 43A of the TTA.
Risk Management
As anticipated, the MFSA’s proposed Rulebook aims to align the regulatory regime for entities licensed under the TTA with the regulatory regime for Company Service Providers (CSP) also in view of the fact that a number of those licensed under the TTA carry out CSP services under the Company Service Provider (Exemption) Regulations. In particular, Authorised Persons under the proposed Rulebook are expected to adopt a comprehensive approach to risk management on the same level playing filed as licensed CSPs. Consequently, this approach should not be limited to AML/CFT risks but should also take into consideration the nature, scale, and complexity of the business and the range of activities undertaken in the course of that business. Specifically, under the proposed Rulebook, Authorised Persons should:
- Risk Assessment
Undertake an assessment to understand and identify all risks associated with its business model and target markets.
- Risk Management Policies and Procedures
Establish, implement, and maintain adequate risk management policies and procedures.
- Regular Review
Regularly review risk management policies and procedures, including the business risk assessment to reflect internal or external changes.
- Effective Controls
Adopt effective controls, processes, and mechanisms to manage and mitigate risks relating to the Authorised Person’s activities, processes, and systems.
- Risk Register
Maintain a Risk Register that includes, as a minimum:
(a) A list of all onboarded clients with their respective risk classification/rating.
(b) The risks inherent to the business model of each client.
(c) All other risks the Authorised Person is exposed to.
Risk Management Function
Moreover, the Authorised Persons who are authorised to act as trustees and Authorised Persons who have notified the Authority of their provision of CSP services, under the Company Service Provider (Exemption) Regulations must establish and maintain an independent risk management function. In parallel with the CSP regulatory regime, the MFSA may, upon submission of a specific request for derogation allow the risk management function to operate without full independence.
Authorised Persons and stakeholders are invited to submit their feedback on the proposed Rulebook on tcspsupervision@mfsa.mt by no later than 31 January 2025.
