Malta: The Centralised Bank Account Register ("CBAR") Regulations: A Register Of Information On IBAN Identifiable Accounts, Safe Deposit Boxes And Safe Custody Services Intended To Assist The FIAU In The Carrying Out Of Its Functions

Following the local transposition of the 5^th AML Directive¹ earlier on this year, the Centralised Bank Account Register Regulations came into force on the 20 October 2020 through Legal Notice 401 of 2020 (the "CBAR Regulations"). The 5^th AML Directive obliged Member States to establish centralised automated mechanisms allowing for the retrieval of information on anyone holding accounts identifiable by IBAN or making use of safe custody services².

The local mechanism is the CBAR which will be administered by the Financial Intelligence Analysis Unit ("FIAU"). As set out in a Notice issued by the FIAU (the "FIAU Notice")³, credit and financial institutions have an obligation to submit the required data under the CBAR Regulations as from 26 October 2020. The latter date has in fact been designated as the go-live date for the CBAR System. The first submission is to be uploaded into the CBAR System by not later than 1 November 2020.

Scope of CBAR Regulations

The CBAR Regulations apply in cases where a credit or financial institution provides an account identified by IBAN or where a credit institution provides safe custody services (including safety deposit boxes). All credit institutions and financial institutions that offer these products and services are therefore required to register and to upload relevant data through the CBAR System.

Electronic records to be held

Credit or financial institutions are obliged to maintain an electronic record of

• the customer and where applicable, the customer's agent thereof authorised and the beneficial owner of the customer;⁴
• the IBAN associated with any such account or the alphanumeric code used to identify safe deposit boxes or any items entrusted to a credit institution when providing any safe custody services;
• the length of time for which any account or safe custody services are provided; and
• any other data or information on bank or payment accounts or safe custody services as the FIAU may set out from time to time in relative procedures.

The electronic data must at all times be adequate, accurate and up to date and therefore the data needs to be updated immediately upon the credit or financial institution becoming aware of any changes.

CBAR System

The data maintained by credit and financial institutions shall be uploaded onto the CBAR System. This register shall contain an electronic record of the data and information that credit and financial institutions are required to hold as described above.

The FIAU Notice provides that credit and financial institutions are required to submit the relevant data once every seven (7) calendar days in XML format. It is important to note that this reporting obligation applies equally even if there are no changes to report within any 7 calendar days. In such cases, a file will still need to be uploaded to the CBAR System even if it is the same as the previous file uploaded seven days prior.

Any data or information contained in the CBAR shall be held for five years following the closure of the account or termination of the safe custody service. However, this period may be extended to a maximum retention period of ten years, where such extension is considered necessary for the purposes of the prevention, detection, analysis, investigation or prosecution of money laundering, associated predicate offences, funding of terrorism or any other serious criminal offence.

The CBAR XML Schema and Validation Rules (the "CBAR Rules")⁵ published on 21 October 2020 provide details as to the data field requirements for submissions which can be broadly categorised⁶ as follows:

1. CBAR Data: these data fields relate to the reporting entity including its name and entity code as well as information relating to the reporting date and timestamp;
2. Statistics: these data fields provide information as to the number of natural and non-natural persons reported in the file submitted to the CBAR System as well as the number of accounts reported by the reporting entity;
3. Natural Persons: these data fields contain information relating to natural persons including inter alia their unique account holder ID, name, surname, date of birth and also includes the submission of an identification document such as a passport or national ID;
4. Non-Natural Persons: these data fields include information relating to non-natural persons including their name and unique ID; and
5. Account: these data fields relate to account information including the account type (IBAN, safe custody or safe deposit box), number, opening and closing (where applicable) date and relationship data (such as agent, beneficial owner etc.).

The submission of data must be carried out through the CBAR Portal. The CBAR Rules establish that two main submission mechanisms will be provided to allow credit and financial institutions to make submissions, namely web submission and submission through an API. It is envisaged that submission through API will be made available in November 2020, however details are still to be published.

Access to and use of the CBAR

The data held in the register shall be directly accessible, in line with procedures set out by FIAU by the following authorities:

1. the FIAU;
2. national authorities conducting criminal investigations into or prosecutions of money laundering, associated predicate offences, funding of terrorism or any other serious criminal offence, including when supporting investigations concerning any of the said offences;
3. the Asset Recovery Bureau;
4. the Commissioner for Revenue;
5. the Sanctions Monitoring Board; and
6. the Security Service.

Access shall be on a case-by-case basis and to the extent that this may be necessary for the prevention, detection, investigation or prosecution of money laundering, associated predicate offences funding of terrorism or any other serious criminal offence, and for the avoidance of any doubt this shall include supporting investigations concerning any such offence, including the identification, tracing and freezing of the assets related to such investigation. The said authorities may also access and make use of the data and information contained in the CBAR to reply to justified requests for information received from foreign or supranational bodies having similar functions upon ascertaining that the requesting body applies confidentiality and data protection requirements equivalent to those applicable to them.

Enforcement and Penalties

The FIAU is responsible for monitoring compliance with the obligations set out under the CBAR Regulations and amongst others, it is empowered to carry out data quality checks on the data and information provided by credit and financial institutions and to give such directions as may be necessary to address any issues.

Contraventions of the provisions of the Regulations or any FIAU guidance are liable to an administrative penalty of not less than 250 EUR and not more than 46,500 EUR in respect of every breach in accordance with Article 13 of the PMLA. This notwithstanding, the FIAU may:

• with respect to minor contraventions and where circumstances so warrant, impose an administrative penalty below the minimum established in the CBAR Regulations but not less than 250 EUR or issue a reprimand in writing instead of an administrative penalty;
• with respect to serious, repeated or systematic contraventions, impose administrative sanctions that in total are not to exceed 1,000,000 EUR;
• instead of or in conjunction with the imposition of any administrative penalty, require the credit or financial institution to take any action or measure to remedy such contravention or to ensure compliance with the provisions of these regulations or any procedures issued by the FIAU.

Administrative measures under the CBAR Regulations are imposed by the FIAU without recourse to a court hearing in accordance with the policies and procedures established by the FIAU Board of Governors, either as a one-time fixed penalty or as a daily cumulative penalty, or both: provided that an administrative penalty imposed on a daily cumulative basis shall not be less than two hundred and fifty euro (250 EUR) and the accumulated penalty shall not exceed the maximum amounts set out above. An appeal from the administrative penalty on both points of law and fact may be filed in the Court of Appeal (Inferior Jurisdiction).

Preparedness by Credit and Financial Institutions

It is essential that credit and financial institutions which fall within the scope of the CBAR Regulations are adequately prepared to comply with their obligations and to ensure continued and timely compliance with their ongoing reporting obligations. The credit or financial institution concerned should be cognisant at all times of any directors or technical specifications communicated by the FIAU from time to time either directly to the institution concerned or through the FIAU website. It furthermore important to emphasize that any procedures and guidance issued by the FIAU in terms of Regulation 5 of the CBAR Regulations are binding on the institutions and any contravention of such procedures and guidance is subject to enforcement measures.

Footnotes 

1 Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 and amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU

2 "Safe custody services" is defined to mean the holding of tangible assets on behalf of customers. The FIAU Notice which provides details as to data requirements, specifies that a distinction needs to be made between safety deposit boxes and safe custody services (see Section on CBAR System below).

3 In terms of the CBAR Regulations, any procedures or guidance issued by the FIAU are binding on credit and financial institutions and enforceable under the CBAR Regulations. To this end, the FIAU Notice is therefore binding and failure to comply may result in enforcement action.

4 Under the CBAR Regulations, the terms "customer" and "beneficial owner" have the same meaning as that assigned to them under the PMLFTR.

5 Version 1.5, downloadable as part of a ZIP file from the FIAU website: https://fiaumalta.org/wp-content/uploads/2020/10/XML-Schema-Validation-Rules-CBAR.zip

6 Please note that these are indicative and reference should be made to the CBAR Rules which contain the full list of information to be included and specify the data format and other requirements for each data field.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.