Sanctions Risk Assessment Obligations Under Article 32
Sanctions risk assessment is now a defined regulatory obligation for subject persons operating in Malta. Under Article 32 of the National Interest Enabling Powers Act, organisations must identify, assess, and document their exposure to financial sanctions and restrictive measures.
This obligation sits within Malta’s national sanctions framework and applies independently of anti-money laundering controls. It requires businesses to understand how sanctions risks arise from their activities and how those risks are governed.
A2CO provides structured sanctions risk assessment services in Malta, supporting organisations that need clarity, defensible documentation, and proportionate governance aligned with Article 32 requirements.
Article 32 Sanctions Risk Assessment Requirements in Practice
What the Law Requires Under Article 32
Article 32 requires subject persons operating in Malta to take appropriate and proportionate steps to identify and assess the risks of breaches of applicable sanctions.
This includes risks linked to:
- Financial sanctions and targeted financial sanctions
- Sanctions evasion and circumvention
- Proliferation financing and related restrictive measures
The assessment must reflect the nature, size, and complexity of the organisation and must be formally documented. Documentation may be requested by the Sanctions Monitoring Board or other competent authorities.
Who Is Required to Carry Out a Sanctions Risk Assessment
The obligation applies to subject persons and other entities listed in Schedule I of the Act that operate in or from Malta.
This includes:
- Regulated and supervised entities
- Financial institutions and service providers
- Crypto asset service providers and businesses with virtual asset exposure
- Legal persons with cross-border operations connected to Malta
Where group-level sanctions frameworks exist, Maltese entities remain responsible for assessing their own sanctions risk exposure and maintaining local documentation.
What a Sanctions Risk Assessment Covers
A sanctions risk assessment examines how an organisation could be exposed to sanctions-related risks through its ordinary activities.
Key areas typically assessed include:
- Client and counterparty risk: Exposure arising from customer profiles, ownership structures, and control arrangements linked to sanctioned persons or entities.
- Geographic exposure: Jurisdictions connected to clients, suppliers, transactions, or operations that may be subject to EU or international sanctions.
- Products and services: How specific products or financial services could be misused to breach or circumvent restrictive measures.
- Transactions and delivery channels: How services are delivered and transactions executed, including non-face-to-face channels.
- Crypto-related exposure: For crypto asset service providers, Article 32 requires specific consideration of risks associated with transfers involving self-hosted addresses, given the heightened risk of sanctions evasion.
The assessment focuses on identifying and mitigating sanctions risk, not on implementing technical controls.
How A2CO Supports Sanctions Risk Assessments
A2CO provides sanctions risk assessment support designed for organisations that need practical compliance solutions without unnecessary complexity. We provide compliance and governance support only and do not provide legal advice; responsibility for implementation remains with the client.
Our service includes:
- A structured sanctions risk assessment methodology aligned with Article 32
- Identification of inherent and residual sanctions risk based on the business model
- Clear documentation suitable for internal governance and regulatory review
- Alignment with existing compliance and risk management frameworks
How Sanctions Risk Assessments Differ From Business Risk Assessments
How This Differs From Business Risk Assessments (BRA)
Sanctions risk assessments are distinct from BRA risk assessments.
They differ in:
- Legal basis
- Risk focus
- Regulatory expectations
BRA risk assessments address risks of money laundering and terrorism financing.
Sanctions risk assessments focus specifically on financial sanctions, restrictive measures, and sanctions evasion.
Relying on BRA documentation alone does not meet Article 32 requirements. Organisations must demonstrate that sanctions risks have been assessed separately within Malta’s sanctions framework.
Ongoing Review and Governance Support
Sanctions risk assessments must be reviewed regularly to remain effective.
Reviews may be triggered by:
- Changes in products, services, or delivery channels
- Expansion into new jurisdictions
- Updates to applicable sanctions regimes
- Material changes to client or counterparty profiles
A2CO can support ongoing governance by assisting with periodic review and documentation updates where required.
Why Choose A2CO
A2CO supports regulated and compliance-sensitive organisations operating in Malta across financial services, crypto, and other regulated sectors. Our approach prioritises clarity, accuracy, and regulatory alignment.
Clients choose A2CO for:
- Malta-specific sanctions compliance experience
- Practical understanding of Article 32 obligations
- Proportionate and defensible assessment methodologies
- Integrated compliance and governance capability
Frequently Asked Questions
Yes. Article 32 of the National Interest Enabling Powers Act requires subject persons operating in Malta to carry out and document a sanctions risk assessment.
Yes. Crypto asset service providers must assess sanctions risks, including risks linked to self-hosted address transfers.
The Act requires regular review. The appropriate frequency depends on the organisation’s risk profile and changes in exposure.
Failure to maintain a sanctions risk assessment may expose an organisation to regulatory findings or enforcement action.
No. They are separate obligations with different legal bases and risk focuses.
Speak to Our Compliance Team
Speak to our compliance team to discuss your sanctions risk assessment obligations in Malta and how A2CO can support your organisation.