Building Audit-Ready CDD for Malta’s Estate Agents, Notaries, and Law Firms
TL;DR
- Real estate STRs in Malta rose 80% year-on-year in 2024.
- Estate agents, notaries, and property lawyers are all subject persons under the PMLFTR.
- Both buyer and seller count as customers for CDD under the AMLR.
- CDD records must be retained for at least five years.
- From 10 July 2027, the occasional-transaction CDD threshold drops to €10,000.
- One workflow covering ID, UBO, and source of funds keeps files audit-ready.
In June 2025, Malta’s Financial Intelligence Analysis Unit (FIAU) reported an 80% year-on-year rise in suspicious transaction reports (STRs) from the real estate sector, the largest jump of any sector it supervised last year. For a market where most agencies run with fewer than ten staff and no dedicated compliance officer, that kind of attention lands heavily.
Estate agents, notaries, and property lawyers handling Maltese conveyancing are all “subject persons” under the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR). Customer due diligence (CDD) is not optional, and the FIAU can inspect your paper trail.
The rest of this article walks through what an audit-ready CDD for Malta looks like in property transactions, where small firms most often slip, and the workflow you can run without a dedicated compliance team.
A subject person under Maltese law is a business or professional that must apply anti-money laundering obligations directly. For property transactions, that list includes real estate agents, notaries, and legal practitioners acting on conveyancing mandates. The PMLFTR gives each of them the same four core duties: identify the customer, assess the risk, monitor the transaction, and report suspicions to the FIAU.
Why has the real estate sector moved to the top of the FIAU’s list?
Real estate agents are filing more STRs in Malta because two things changed at once. The FIAU put the sector through targeted outreach, thematic reviews, and sectoral training for the first time in years, and agents are acting on what they were shown. The 2024 FIAU Annual Report captures both the volume increase and the quality improvement, landing alongside 187 supervisory interventions and more than 70 enforcement actions across all supervised sectors.
The headline numbers frame the scale. Malta’s FIAU received 9,430 STRs in 2024, a 3% rise year-on-year. Remote gaming still files the most reports, but the 80% jump in real estate filings is the sharpest sector-level increase on the FIAU’s list. Most of that jump reflects better awareness, better training, and more confident filing by agents who had previously under-reported, not a sudden rise in underlying typologies.
Malta spent twelve months on the Financial Action Task Force (FATF) grey list and came off it in June 2022 after a concentrated AML reform programme. Post-greylisting, the compliance culture has not softened. From 10 July 2027, the EU Anti-Money Laundering Regulation (AMLR) drops the occasional-transaction CDD threshold from €15,000 to €10,000, which means more Maltese property deals will trigger full CDD, not fewer. The direction of travel is one way.

What does an audit-ready property CDD file actually look like?
A CDD file that survives an FIAU inspection is not a folder of copied ID cards. It is a documented chain of decisions with evidence at each step. The FIAU Implementing Procedures Part II for the real estate sector is specific about what the chain must contain, and missing any link means the whole file fails. Six elements do the heavy lifting, and each one needs evidence that can be pulled months after the deal closes.
Identify and verify both parties
Both buyer and seller count as customers for CDD purposes under the AMLR. For residential deals with foreign buyers, that is the step where most files break down. Identity verification needs a government-issued ID checked for authenticity, a proof of address that matches the ID record, and a liveness check where the customer is not present in person. For remote onboarding, the file needs evidence of the check, not just the pass or fail result.
Cover beneficial owners when the buyer is a company
Foreign corporate buyers routing purchases through holding structures are a known laundering typology in Malta. The 2023 National Risk Assessment flagged corporate service providers as a sector of concern for exactly this reason. For any corporate buyer, the file needs an ultimate beneficial ownership (UBO) check that walks every layer of the structure down to the natural persons holding 25% or more. A register extract is a starting point, not an ending point.
Screen, capture the source of funds, and retain the trail
Sanctions, politically exposed persons (PEP), and adverse media screening need to run against every party at onboarding, not only at closing.
Source of funds evidence matters most when the buyer is paying outside a bank mortgage, which is a frequent pattern in Malta’s cash-heavy property market and in Special Designated Areas where high-net-worth foreign buyers are common.
Bank statements covering the full deposit period, sale documentation from the previous property, gift letters with the donor’s own identity checked, and inheritance paperwork with a grant of probate each carry a different weight in the file.
The evidence does not have to be perfect. It does have to be consistent with the price, the buyer profile, and the timing. The full audit trail, timestamped and retained for at least five years under PMLFTR, is what the FIAU asks for during a thematic review.

Where do small firms most often get tripped up?
The failure modes in Maltese property CDD are not exotic. They cluster around four patterns that the FIAU repeatedly cites in enforcement notices, and each one is avoidable with a standard workflow. Administrative fines dropped to around €750,000 in 2024 from €3.2 million the year before (FIAU 2024 Annual Report), even as supervisory interventions and enforcement actions rose. Enforcement has broadened, not narrowed.
Four failure patterns account for most of those notices. Here is what the FIAU sees:
| Common Pitfall | What Typically Happens | Why the FIAU Flags It |
| --- | --- | --- |
| Foreign ID treated as a photocopy | A notary’s assistant eyeballs an EU passport, UK licence, or non-Latin-script ID instead of running an authenticity check. | Non-Maltese documents require structured verification. Visual inspection alone is insufficient. |
| The deal outruns the CDD | A busy agency allows the buyer to sign the promise of sale before customer due diligence (CDD) is completed. | The FIAU audits timestamps. A CDD check dated after the promise of sale, or after funds have moved, is a finding in itself. |
| A one-off sanctions check | Screening is performed once during onboarding and is never repeated throughout a transaction that may take months to close. | Under the Implementing Procedures Part II (revised 2024), monitoring must be ongoing. A sanctions list can change before conveyance. |
| Seller “known to the firm” | Agents and notaries bypass CDD requirements for a seller they already know. | Under the EU AMLR, both buyer and seller are customers. The notary executing the deed has the same AML obligations as the agent initiating the transaction. |
How does Shufti help Malta’s property professionals build audit-ready CDD?
A small agency or two-partner notary practice does not need to build a compliance function from scratch. What it needs is one workflow that captures the full chain, from buyer ID to source-of-funds retention, in a way the FIAU can pull on demand.
Shufti’s customer due diligence for Malta runs on a single API and covers the moving parts that a small firm does not have the capacity to stitch together. Document verification works on more than 10,000 document types across 220+ countries, which handles the foreign-buyer problem at source.
AML screening runs against 3,500+ global watchlists and 2.6 million PEP profiles, with the data refreshed on a 15-minute cycle so a sanctions list change during conveyancing is caught, not missed. Every check sits inside an audit trail that maps to the PMLFTR record-keeping duty, and the same file is ready for FIAU review months after the deed is closed.
FIAU inspectors check for evidence, not intent, and a CDD file either shows the full chain or it does not. Shufti runs identity, UBO, and AML screening for Maltese property professionals inside one workflow, with a retention trail that matches the Implementing Procedures Part II checklist. Start a workspace on the Shufti Self-Service Portal to run your first check without a procurement cycle, or request a demo and start verifying in minutes.
Frequently Asked Questions
Are estate agents in Malta subject persons under AML law?
Yes. Real estate agents, notaries, and legal professionals acting on conveyancing are all subject persons under the PMLFTR. That means full AML obligations, including risk assessment, customer due diligence, ongoing monitoring, STR filing, and five-year record retention, all supervised by the FIAU.
Does a notary have to verify the buyer and the seller?
Yes. Under the EU AMLR, both buyer and seller count as customers for CDD purposes in a real estate transaction. Notaries who previously treated the seller as known must now run CDD on both parties, including identity, beneficial ownership, and source of funds where relevant.
When is an STR required on a Maltese property deal?
An STR is required as soon as the subject person has knowledge or suspicion of money laundering or terrorism financing, regardless of whether the deal closes. Common triggers include an inconsistent source of funds, unusual cash involvement, reluctance to provide documents, or screening hits that cannot be cleared.
What changes under the EU AMLR for Maltese property transactions?
The EU Anti-Money Laundering Regulation applies from 10 July 2027. Its main shifts for property work include the occasional-transaction CDD threshold dropping from €15,000 to €10,000, both buyer and seller defined as customers, and national carve-outs for "simplified" due diligence tightening. Maltese procedures will align upward, not downward.
How long must Maltese property CDD records be retained?
At least five years from the end of the customer relationship or the date of the occasional transaction, under the PMLFTR. The FIAU can request the file during a thematic review, targeted inspection, or after an STR, so retained records must be retrievable on demand.
