
Central Bank of Malta Issues Notice on Instant Payment Fraud Risk: Two-Month Deadline

On 23 June 2026, the Central Bank of Malta (the "CBM") published a Notice on the Supervisory Expectations on Fraud Risk Mitigation in the Instant Payments Environment (the "Notice"), addressed to payment service providers ("PSPs") providing instant payment services in Malta.

The Notice follows the entry into force of Regulation (EU) 2024/886 on instant credit transfers in euro (the "Instant Payments Regulation"), which introduces measures aimed at strengthening security and consumer protection within the context of instant payments. The CBM frames eleven supervisory expectations regarding the implementation of the relevant requirements, as outlined below.

1. Adjustment of Spending Limits: While PSPs are expected to establish default spending limits, Payment Service Users ("PSUs") should be able to modify their instant credit transfer limits at their full discretion. For adjustments requested through remote channels (e.g. mobile banking), the CBM tolerates the implementation of a temporary delay of up to six hours before the adjustment takes effect. Such a delay can only be applied where objectively justified by identifiable risk factors.

2. New Device Registration: The CBM considers the registration of a new device to be a high-risk event. Accordingly, PSPs are encouraged to: (i) apply a temporary delay of up to six hours for payment initiation following new device registration; and (ii) send an out-of-band notification informing the PSU that a new device has been registered.

3. Customer Interaction and Staff Preparedness: PSPs must ensure that staff who interact with PSUs are trained to recognise and respond to potential fraud scenarios. PSPs should be able to identify common warning signs and take reasonable steps to alert PSUs to potentially fraudulent transactions.

4. Transaction Monitoring: Transaction monitoring must operate in real time, covering both pre- and post-transaction stages. Payment transactions must also be made visible to PSUs through digital channels.

5. High-Risk Indicators and Enhanced Monitoring: PSPs must identify and monitor specific events or behaviours which may indicate an increased risk of fraud. Non-exhaustive examples include: registration of a new device followed by immediate payment activity; abnormal use of an access device; payment to a new payee shortly after registration; access from an unusual location; a recent adjustment of spending limits followed by high-value transactions; and the detection of remote access or screen-sharing tools during a session. Indicators must be assessed collectively.

6. Automated Controls and PSU Interaction: PSPs should not rely on routine or systematic manual contact with PSUs (e.g. telephone calls) as primary control mechanisms. Instead, PSPs should implement automated controls (such as real-time fraud monitoring) to detect and mitigate risks.

7. Remote Access, Screen-Sharing and Similar High-Risk Tools: The CBM has acknowledged fraud typologies where victims are induced to install remote access applications or screen-sharing software. PSPs are expected to assess risks posed by such tools and, where technically feasible, implement controls to detect indicators of such activity. 

8. Verification of Payee: PSPs must ensure that the Verification of Payee ("VoP") service is available on a 24/7/365 basis. VoP unavailability may, depending on the circumstances, indicate non-compliance with the Instant Payments Regulation. This unavailability shall not justify the systematic delay or blocking of payment transactions.

9. Fraud Information Sharing: PSPs are encouraged to share relevant information to assist in the detection and prevention of fraudulent activity. Noting ongoing developments at EU level, PSPs should ensure they have the operational capabilities to participate in emerging frameworks in this regard.

10. PSU Awareness and Fraud Prevention Communication: PSPs are expected to implement ongoing communication measures to increase PSU awareness of fraud risks. This includes communications on how to identify and avoid common fraud typologies. In addition, PSPs are expected to undertake targeted awareness campaigns using appropriate channels designed to reach different user segments, focusing on high-risk scenarios and emerging fraud trends.

11. Liability Considerations in Authorised Fraud Scenarios: The Notice provides that in authorised push payment fraud cases, liability must be assessed on a case-by-case basis under the applicable law. In this respect, a PSP that can demonstrate effective application of the Notice will be better placed when liability is assessed.

Next Steps

PSPs are expected to review their current practices in light of the Notice and to conduct a gap analysis, submitting to the CBM a clear implementation plan with defined timelines within two months of the date of publication of the Notice. Thereafter, PSPs must provide bi-monthly progress updates until full alignment is achieved, and in any event no later than 1 July 2027.

For more information on the Notice and its implications for your business, feel free to contact Tristan Said (tristan.said@camilleripreziosi.com).


 

Tristan Said
