
Article 32 Sanctions Risk Assessment

John Caruana
February 6, 2026

Sanctions Risk Assessment: What Article 32 of the National Interest Act Requires in Practice 

Sanctions compliance has developed into a defined governance obligation for organisations operating in Malta. What was previously treated as an operational or screening matter is now recognised under Maltese law as a risk assessment requirement in its own right. 

Article 32 of the National Interest Enabling Powers Act requires certain organisations to identify and assess their exposure to sanctions and restrictive measures. This obligation applies independently of anti-money laundering controls and forms part of Malta’s sanctions compliance framework. 

This article explains, in practical terms, what Article 32 requires organisations to do, who the obligation applies to, and how a sanctions risk assessment should be understood in practice. It is intended for compliance-aware readers who need clarity on requirements rather than theory.

This article provides general information on Article 32 requirements and does not constitute legal advice. 

Article 32 establishes a sanctions compliance obligation within Malta’s sanctions regime. It requires organisations to assess the risk of breaches of applicable sanctions measures that may arise from their activities or business relationships. 

The focus of Article 32 is not limited to identifying sanctioned persons. Instead, it requires a broader assessment of how sanctions risk could arise, including risks linked to sanctions evasion, circumvention, or proliferation financing.

The Act does not prescribe how organisations must implement a sanctions risk assessment. Responsibility rests with each organisation to demonstrate that its assessment is reasoned, proportionate, and aligned with its actual risk profile. 

Article 32 applies to subject persons and other legal persons listed in Schedule I of the Act that operate in or from Malta. 

This includes, among others: 

  • Financial institutions and financial services providers 
  • Regulated and supervised entities 
  • Crypto asset service providers and businesses providing virtual-asset-related services
  • Organisations with cross-border activities linked to Malta
  • All other Subject Persons 

Where an organisation forms part of a wider group, reliance on a group-level sanctions compliance programme does not remove the obligation to assess sanctions risk locally. Maltese entities remain responsible for assessing their own exposure and maintaining appropriate documentation.

A sanctions risk assessment is a comprehensive risk assessment focused on identifying and assessing sanctions risk at an organisational level. 

In practice, this means considering whether the nature of the business, its clients, counterparties, ownership and control structures, and delivery channels could expose the organisation to sanctions restrictions or potential sanctions breaches. 

Article 32 explicitly refers to proportionality. The assessment should reflect the size, complexity, and activities of the organisation. A financial institution with international exposure will face different sanctions risks from a smaller services business operating domestically. 

Documentation is a key requirement. Organisations must be able to demonstrate that sanctions risk has been assessed in accordance with Article 32 and that the assessment reflects their actual operations. 

Article 32 requires organisations to consider how sanctions risk may arise across different areas of their activities. 

  • Risks linked to customers, counterparties, and beneficial ownership structures, including situations where a natural or legal person may be owned or controlled, directly or indirectly, by a sanctioned party.
  • Connections to jurisdictions subject to sanctions measures, including links arising from clients, transactions, or service delivery.
  • Whether specific products or financial services could be misused to facilitate breaches of sanctions or restrictive measures.
  • How services are delivered and transactions executed, including non-face-to-face arrangements that may increase sanctions risk.

For crypto asset service providers, Article 32 requires consideration of sanctions risks associated with transfers involving self-hosted addresses. This reflects the heightened risk of sanctions evasion in certain virtual asset scenarios, without prescribing specific technical controls.

Sanctions risk assessments are separate from BRA risk assessments and are based on different legal obligations. 

BRA risk assessments focus on money laundering and terrorism financing risks. Sanctions risk assessments focus on sanctions, sanctions designations, and the risk of sanctions breaches or circumvention. 

While some information may overlap, BRA documentation alone does not satisfy Article 32. Organisations must demonstrate that sanctions risk has been assessed explicitly and independently within Malta’s sanctions framework. 

A common misunderstanding is the belief that sanctions screening systems are sufficient to meet Article 32 requirements. Screening is an important control, but it does not replace the need for a documented sanctions risk assessment. 

Another area of confusion is over-reliance on group-level sanctions policies without assessing whether they adequately address local exposure in Malta.

Some organisations also assume that sanctions obligations fall entirely within BRA frameworks. Article 32 makes clear that sanctions risk must be assessed as a standalone compliance obligation. 

Organisations may consider seeking support where sanctions exposure is complex, where ownership and control structures are difficult to assess, or where operations span multiple jurisdictions. 

Changes in business activities, expansion into new markets, or updates to applicable sanctions regimes may also justify reviewing how sanctions risk is assessed and documented. 

In these situations, a structured and proportionate approach can help organisations ensure that their sanctions compliance obligations are met in a defensible manner. 

Article 32 reflects a broader emphasis on effective sanctions compliance and governance. For organisations operating in Malta, understanding how sanctions risk arises and how it should be assessed is now an essential part of compliance oversight.

A clear and documented sanctions risk assessment allows organisations to demonstrate adherence to sanctions obligations and to maintain confidence that their exposure has been appropriately considered. 

For further information on sanctions risk assessments in Malta, readers may refer to A2CO’s Sanctions Risk Assessment Malta service page.

John Caruana, Compliance Director
