A new way forward

The changes to the CSP Framework

2 minute read
November 07, 2025

The Company Service Providers (‘CSPs’) Act was updated with the main aim of sharpening the focus of the regulatory framework applicable to CSPs through the introduction of two new categories of CSPs: Restricted (Notified) and Limited (Registered), which will be regulated under the same Act.

Restricted CSPs (notification)

Any natural person who, broadly:

Acts as a director and/or a company secretary in a company and/or a partner in a partnership and/or holds a similar position in relation to other legal entities; and
Does not do so by way of business; and
Meets other prescribed requirements but mainly, does not hold an aggregate of more than five (5) involvements (including a maximum of two (2) groups of companies, where involvements of the same person within the same group of companies to be considered as one involvement).

The MFSA issued a guidance note outlining the process for completing and submitting the relevant notification form applicable to individuals acting as Restricted CSPs. Such notification should be made within fourteen (14) days from the date when the Restricted CSP first holds the position of a director or company secretary in a company, or a partner in a partnership, or a similar position in relation to other legal entities.

Limited CSPs (registration)

Any natural person who:

By way of business, acts as a director and/or a company secretary in a company and/or a partner in a partnership and/or holds a similar position in relation to other legal entities; and
Has or intends to have ten (10) or less involvements at any point in time.

Besides the amendments to the CSP Act, its subsidiary legislation and the MFSA Company Service Providers Rulebook, a new rulebook for Limited CSPs has also been introduced, which will solely be applicable to such Limited CSPs.

Under Threshold Class B CSP (authorisation)

The MFSA’s CSPs Rulebook was updated to reflect the change to the maximum number of involvements permissible by Under Threshold Class B CSPs from ten (10) to twenty (20). Individuals who prior to these changes were authorised as Under Threshold (‘UT’) Class B CSPs, now had the following options:

Convert their current authorisation to become a Limited CSP.

Convert their current authorisation to become a Restricted CSP.

Remain an Under Threshold Class B CSP.

Exemptions

There are however, some instances where exemptions from authorisation/registration/notification (as set above) do apply. There are three specific instances in which exemptions apply, as outlined within the ‘Company Service Providers (Exemption) Regulations’. Furthermore, the following three instances are not considered as ‘involvements’ for the purposes of the CSP Act and the Rulebook: an individual who acts as director or company secretary of a company, a partner in a partnership or in a similar position in relation to other legal entities:

i) in virtue of contract of employment

ii) due to a beneficial interest in such company, partnership or other legal entity, or

iii) due to a family relationship.

FIAU guidance note

On 26 October 2025, Malta’s Financial Intelligence Analysis Unit (‘FIAU’) issued a guidance note addressed to CSPs subject to Registration (Limited CSPs). The following is an overview of some of its key points:

The FIAU highlighted that Restricted CSPs are not deemed to be carrying out relevant activity and hence, are not subject to the related anti-money laundering (AML) obligations and accordingly, the guidance note is only applicable to Limited CSPs.

In terms of ‘Risk’ - given that the current anti-money laundering and countering the financing of terrorism (AML/CFT) framework is based on the ‘risk-based approach’, the FIAU stated that given the structure of Limited CSPs, they will no longer be required to have a documented Business Risk Assessment (BRA), a documented methodology to risk-assess individual engagements and a documented Customer Risk Assessment (CRA).

In terms of ‘Policies & Procedures’ – Limited CSPs are no longer required to have documented measures, policies, controls, and procedures as such, though they will still be expected to describe the AML/CFT mitigating measures they adopt, the rationale behind them.

In terms of CASPAR and the Risk Evaluation Questionnaire (‘REQ’) – Limited CSPs will not need to register on CASPAR and they must submit an annual return to the MFSA, which information will be shared with FIAU (to capture data and information relevant to both the FIAU and the MFSA for risk understanding and risk assessment purposes). Therefore, Limited CSPs will no longer be required to complete and submit the REQ.

Limited CSPs are still required to comply with the reporting obligations emanating from the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR) (as elaborated on in the Implementing Procedures (IPs)). Therefore, Limited CSPs are still required to register on goAML.

FIAU specified that the guidance note is not a derogation or an exemption from any of the actual AML/CFT measures that subject persons are required to carry out in terms of the PMLFTR, as further elaborated upon in the Implementing Procedures. The measures emanating from Regulation 7 of the PMLFTR onwards continue to be binding in their totality over Limited CSPs. The application of these measures and their outcomes must be documented, and adequate records kept on file.

Stay up to date

with our latest Thought leadership

Contact us

Mark Lautier

Partner, PwC Malta

Tel: +356 2564 6744

Chris Mifsud Bonnici

Partner, PwC Malta

Tel: +356 79757005

Louise Cini

Manager, Tax, PwC Malta

Tel: +356 7973 9031

Clive Cocks

Manager, Tax, PwC Malta

Tel: +356 7975 7068

© 2019 - 2026 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.