The Arbiter for Financial Services (the “Arbiter”) has issued a follow-up guidance document on relationship-based financial fraud, commonly known as ‘pig butchering’ (“Technical Note”). The document supplements its earlier technical note through outlining capitalising on more recent casework, appeal decisions, and European Regulatory initiatives to better shape and identify expectations.
This article is Part 1 of a 2-part series on the Technical Note published by the Arbiter. This first part shall delve into the case-law influencing the Technical Note and the second part of this series shall cover the Arbiter’s implanted conclusions on the basis of the below case-law.
The Technical Note is aimed at banks and credit institutions licensed under the Banking Act and financial and payment institutions licensed under the Financial Institutions Act.
Since the issuance of February 2025’s technical note, the Court of Appeal (the “COA”) has decided on an appeal from the Arbiter’s decision that involved ‘pig butchering’ and in such context and through other developments, the Arbiter issued this Technical Note.
The CoA in this above-referenced judgement in the names Bonnici v. BOV p.l.c[1] confirmed the decision of the Arbiter. In its judgement, the CoA took consideration of Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 (“PSD2”) whilst also referencing the Regulatory Technical Standards on strong customer authentication and secure communication under PSD2 (the “RTS”).
The defendant company brought forward the defence that all card and online payments were duly authenticated under PSD2 using 3D Secure and secure customer authentication whilst pointing out that the PSD2 only imposes liability when the customer did not give its consent for a transaction and not for instances such as ‘pig butchering’ where the customer is scammed into giving his consent. The CoA however, disagreed with this line of argument and agreed with the reasoning adopted by the Arbiter in saying that:
“Il-Qorti taqbel pjenament mal-osservazzjoni li għamel l-Arbitru, li l-bank kellu obbligu jagħmel moniteraġġ sħiħ tal-pagamenti li kienu qegħdin jiġu effettwati, sabiex kif ikun hemm l-iċken indizji ta’ frodi, jaġixxi fuqhom u kemm jista’ jkun jipprevjenihom[2]”
Further to the regulatory analysis surrounding PSD2, the Court accepted the reasoning of the Arbiter, in that the customer was a long-standing retail customer with a savings account, modest income, and no prior history of crypto investments. Therefore, there is no doubt that this matter was a genuine fraud victim. The CoA also acknowledged the Arbiter’s correct understanding of the facts and surrounding factors to determine that this case had characteristics which would be considered as ‘pig butchering’.
This CoA judgement is therefore recognising the following main points:
More recently the CoA faced another appeal[3] involving ‘pig butchering’ whereby the service provider was a virtual crypto-asset service provider (“VASP”) who hosted the wallets for the fraudster’s external wallet. The CoA considered the VFA framework in its considerations and particularly the provisions mandating the licensee’s duty to act honestly, fairly, and professionally which result in the licensee having fiduciary duties towards its customers.
The CoA took very seriously the fiduciary duties and duty of care owed by a VASP. Reference was made to Chapter 3 of the Malta Financial Services Authority’s Virtual Financial Assets Rulebook in that VASPs shall consider the best interests of their clients and the integrity of Malta’s financial system.
Acknowledgement was given to regulations mandating appropriate safeguards to clients’ funds from a systematic and fraudulent point of view, and the appropriate due diligence by the VASP on the fraudster’s service provider. In line with the facts of this case, the obligation under Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 (the “Travel Rule Regulation”) to identify the beneficial owner of an unhosted wallet recipient in relation to transactions effected by them came into force on the 31st of January 2024.Therefore, the defendant company at that point in time need not have conducted due diligence.
In this context, the complainant was given multiple warnings by other financial entities other than the service provider. This was crucial background to the judgement of the CoA because whilst noting “the Service Provider failed to adequately intervene. This is when clearly there were various red flags cumulatively piling up throughout the course of operation of the wallet/account”, it acknowledged that:
“It is difficult to determine the impact that could have resulted from the Service Provider’s issuing due warning about suspicions of fraud. Even if the possibility of the Complainant’s heeding an appropriate warning issued to him by the Service Provider is, in the circumstances, considered low, it does not exempt the Service Provider from their obligations.”
Pursuant to the above, the CoA stated that “Il-Qorti m’għandha l-ebda dubju, li s-soċjetà appellata ma tista’ qatt tkun responsabbli għal tali aġir min-naħa tal-appellant[4]” and agreed with the Arbiter that the complainant was a victim of ‘pig butchering’ and that the defendant company in line with its obligations could have done more; however the CoA ultimately still decided that liability to the damages incurred by the complainant was due to his negligence.
This judgment underscores that, notwithstanding the regulatory obligations imposed on service providers, particularly in the context of ‘pig butchering’ schemes, a finding of negligence, and consequently liability towards the complainant, is not automatic.
Considering the effects of these judgements on the Technical Note, the new guidance and appeal judgments sharpen the compliance baseline for fraud scenarios like ‘pig-butchering’. Regulated entities must evidence real-time monitoring, documented escalation, and proportionate customer warnings based on transaction risk and profile. Liability outcomes will turn on how convincingly those controls were applied in the specific facts, balanced against the customer’s own conduct.
For any further information or assistance, please contact us at info@gtg.com.mt
Author: Dr Neil Gauci
[1] Court of Appeal (Inferior Jurisdiction), Judge Lawrence Mintoff, Arthur Bonnici v. Bank of Valletta p.l.c, inferior appeal number 7/2025LM, 19th November 2025.
[2] English translation: The Court concurs with the Arbitrator’s observation that the bank was under an obligation to carry out comprehensive monitoring of the transactions being effected, so that, upon the emergence of even the slightest indications of fraud, it would act upon them and, insofar as possible, prevent them.
[3] Court of Appeal (Inferior Jurisdiction), Judge Lawrence Mintoff, Alan Coggs v. Foris Dax MT Limited, inferior appeal number 35/2025LM, 28th of January 2026.
[4] English translation: The Court has no doubt that the respondent company cannot, in any circumstances, be held responsible for such conduct on the part of the appellant.