FIAU Issues Guidance On AML/CFT Obligations In The Context Of Instant Payments

In December 2025, the Financial Intelligence Analysis Unit (FIAU), together with the Central Bank of Malta, issued a Question and Answers document providing interpretative guidance on the interaction between anti-money laundering and counter-financing of terrorism (AML/CFT) obligations and the requirements imposed by Regulation (EU) 2024/886 on instant credit transfers in euro. This publication offers valuable direction to payment service providers (PSPs) navigating the operational and legal challenges associated with real-time payments.

We have summarised the main positions set out in that guidance, examining how PSPs should balance the regulatory mandate to offer instant payments with their duty to detect, assess, and report suspicious activity.

1. Mandatory Provision of Instant Payment

2024/886 obliges PSPs that already provide standard credit transfers to also offer instant credit transfers to all payment service users (PSUs). The FIAU underscores that this obligation does not permit PSPs to exclude entire customer segments such as those rated as high ML/TF risk from accessing instant payments. Any refusal must be assessed individually and must relate to the specific transaction in question, not to an entire customer category.

This reinforces the principle that AML/CFT risk assessment must remain transaction-based and risk-sensitive, not blanket or discriminatory.

2. Customers previously subject to Suspicious Transaction Reports

A history of suspicious transaction reporting does not justify the automatic rejection of subsequent instant payment orders. The FIAU clarifies that previous STRs should not trigger a permanent or systematic denial of instant payment services. Instead, each new payment request must be examined on a case-by-case basis to determine whether a fresh suspicion arises and whether a temporary refusal is necessary to facilitate further assessment.

This position reflects established AML/CFT principles: once a suspicion arises, the subject person may reassess risk classification and apply enhanced due diligence, but routine service provision cannot be terminated absent a justified decision regarding the ongoing business relationship.

3. Pre-Transaction monitoring within the 10-second window.

One of the most operationally challenging aspects of instant payments is the 10-second execution requirement. The FIAU confirms that AML/CFT rules do not prescribe particular monitoring technologies; however, PSPs must undertake a level of pre-transaction monitoring sufficient to detect clear indications of suspicious activity prior to execution. Relying exclusively on post-transaction monitoring is not acceptable.

The guidance acknowledges, however, that due to the nature of instant payments, PSPs will necessarily depend more heavily on post-transaction monitoring systems. The appropriate balance between pre- and post-transaction controls must be determined on a risk-sensitive basis, consistent with the risk-based approach.

4. Terms & Conditions Cannot Be Used to Suspend Instant Payment Services

Some PSPs have queried whether it is permissible to include contractual clauses allowing the temporary suspension of instant payment services in high-risk situations. The FIAU's position is unequivocal: 2024/886 does not permit exceptions to the requirement to offer instant payments to all PSUs. Therefore, contractual terms that allow general suspension of the service would conflict with the Regulation's intent.

Nonetheless, PSPs may include clauses explaining that individual transactions may take longer than 10 seconds or may be rejected where necessary to comply with legal obligations, including AML/CFT requirements.

5. Handling alerts that do not necessarily indicate suspicion.

Operational realities mean that numerous instant payment alerts will arise solely because a transaction does not align with the customer's usual profile. Some PSPs have proposed relying primarily on post-transaction checks to avoid unnecessary rejections. The FIAU refers back to its earlier guidance: while post-transaction monitoring plays a larger role, PSPs must still conduct targeted pre-transaction monitoring to detect transactions that exhibit clear and immediate signs of suspicion.

6. The Payee v. Payer Scenarios when AML/CFT concerns arise.

A substantial portion of the FIAU's guidance focuses on the contrasting obligations of the payer's and payee's PSPs when suspicions emerge.

a. When the payer's PSP detects suspicion

• The PSP must refuse the payment order and inform the payer that execution is not possible (without disclosing suspicions to avoid tipping off).
• Where a suspicion of ML/TF exists, the PSP must file an STR.
• If the account has been debited, the balance must be restored.

b. When the payee's PSP detects suspicion

Two approaches are permitted:

• Reject the transaction and inform the payer's PSP (again without disclosing suspicion).
• Execute the transaction within 10 seconds, then immediately block the funds, preventing the payee from accessing them until AML checks are completed. An STR must be filed if suspicion is confirmed.

How BDO Can Help

BDO Malta is well positioned to support clients in navigating the evolving AML/CFT and instant payments framework with precision and confidence. Leveraging deep regulatory expertise and a thorough understanding of both EU-level requirements and local supervisory expectations, BDO Malta assists clients in assessing their compliance obligations, enhancing internal controls, and implementing risk-sensitive monitoring frameworks aligned with the latest FIAU guidance. The firm provides comprehensive advisory services from reviewing and strengthening existing policies and procedures to supporting the design of governance structures, transaction monitoring processes, and escalation protocols that withstand regulatory scrutiny.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.