Skip to main content

Company Service Providers: Building a Compliance Culture

By April 28, 2021August 3rd, 2023No Comments

On 9 March 2021, the MFSA issued a Guidance Note outlining what a strong and effective governance framework should contain, which includes creating a compliance culture from the top, embedding this culture across the organisation.

Policies and Procedures

The Guidance Note specifies that CSPs are expected to have in place, in line with the nature and size of the organisation, (i) tailor made policies and procedures (ii) clear reporting lines, and (iii) documented compliance and AML/CFT functions which are reported to the board on a regular basis.  Furthermore, senior management should have a thorough understanding of the organisation’s control structures as well as purposes and requirements of the applicable CSP rules.

Three Lines of Defence

Staff should also be trained in relation to the CSP rules and procedures, to be able to apply them in practise through business continuity protocols and regular testing.  CSPs should employ the “three lines of defence model” which includes:

  • Officers who directly face the clients and carry out CSP activities;
  • Monitoring and oversight by the organisation’s Compliance and the AML/CFT functions; and
  • Assessments performed on the organisation’s internal controls and the monitoring/oversight functions in place through the internal audit function or compliance department.

The organisation’s policies and procedures need to accurately identify who is responsible for what, board minutes needs to be retained as well as any complaints and/or breaches in law.  The organisation should ensure that client agreements are in place and signed by those responsible and recorded in line with the firm’s records keeping procedures.  CSPs should also have a clear fee structure which is communicated to their clients, and records and management information needs to be retained and made available and ACCESSIBLE allowing for the timely reporting to supervisory authorities.  Accessibility to information also aides reporting and dealing with onsite visits.

Speak to us for any assistance with:

  • Developing your AML/CFT framework, including drafting of policies and procedures, provision of business risk assessment and customer risk assessment models, compliance monitoring programmes;
  • CDD testing in line with current regulatory requirements; and
  • Onboarding support and remedial work.

We would love to help:

Contact us at – or

For the MFSA guidance note –