Contributed By GTG Advocates
Malta’s first-of-its-kind legal framework (the DLT Framework) regulating virtual currencies (defined as 'virtual financial assets', or VFAs), distributed ledger technologies (DLTs) including blockchains, initial coin offerings (defined as 'initial VFA offerings', or IVFAOs), VFA-related service-providers, innovative technology arrangements (ITAs) such as smart contracts and innovative technology service-providers (ITSPs) was a substantial shaker and stimulus for the FinTech market in Malta over the last twelve months.
A considerable number of the world’s major DLT exchanges relocated to Malta, leading the jurisdiction to become colloquially dubbed 'The Blockchain Island'.
FinTech’s growth is in symbiosis with the DLT Framework, in particular the policy specifics of its implementation in practice and the procedures that are being implemented by the Malta Financial Services Authority (MFSA) in this regard, and the specific FinTech strategy rolled out by the MFSA this year. The Innovative Technology Arrangements and Services Act (Cap 592 of the Laws of Malta, ITASA) will further add certainty around the use of technology in financial services. This is also expected to be extended to cover artificial intelligence (AI) technologies in the short term and thereafter also to cover internet of things (IoT) in the short- to medium-term future, and, naturally, when this materialises, it is expected to have spill-over effects on the FinTech market.
Legal developments at a European level are expected to have effects in Malta similar to those in other EU Member States, given that Malta, as an EU Member State, is bound by EU legislation. Especially in the case of a hard Brexit, it is expected that Malta will be one of the main jurisdictions to be considered for relocation of FinTechs from the UK to continue benefiting from pass-portability of their services under the EU’s cross-border freedoms.
The current prominent business models in the DLT sphere in Malta are virtual currency-related service-providers, which in Malta are generally referred to as VFA services-providers or financial services-providers dealing in virtual currencies qualifying as financial instruments, initial coin offerings (ICOs) (or more typically IVFAOs), security token offerings (STOs) and crypto funds.
The introduction of the DLT Framework, specifically the VFAA, has brought in a new legislative framework applicable to a specific class of virtual currencies qualifying as VFAs. This new piece of legislation has addressed a lacuna under Maltese law, one that remains largely unaddressed at EU level. The classification of whether a cryptocurrency is deemed to be a VFA is dependent on the result of the Financial Instrument Test devised by the MFSA. The Financial Instrument Test can determine any DLT asset to qualify as a virtual token, a financial instrument, electronic money or a VFA. Following the result of the test, the DLT asset is then subject to the relevant rules depending on its legal classification.
The MFSA is the local regulator responsible for applications under the VFAA as well as under the traditional financial services regime where this relates to virtual currencies qualifying as financial instruments.
Where a person is providing VFA services in or from Malta as defined under the Maltese regime, that person needs to be licensed by the MFSA prior to conducting such activities and must also comply with the relevant rules and regulations.
Similarly, where a Maltese issuer under the same regime intends to offer a VFA to the public or admit it to trading on a DLT exchange, the issuer must register the White Paper with the MFSA and comply with the relevant rules and regulations.
On the other hand, where a service-provider is providing services in relation to virtual currencies that qualify as financial instruments, the service-provider must obtain a licence under the traditional investment services regime that transposed Directive 2014/65 on Markets in Financial Instruments (commonly known as MiFID II) into Maltese law.
Collective investment schemes (CIS) licensed in Malta can also be licensed to invest in virtual currencies through specific rules issued in this regard. The MFSA has in this respect issued specific rules on professional investor funds set up to invest in DLT assets recognised as VFAs.
If a local issuer wishes to offer a virtual currency qualifying as a financial instrument to the public, the process is very much akin to that of an IPO and a prospectus must thus be prepared and filed with the relevant authority in line with the prospectus directive. Where the issue of that financial instrument does not qualify as an offer to the public then this issue is deemed to be exempt from the requirement to issue a prospectus. Issuers that conduct crowdfunding under the relevant rules in Malta may also be exempt from preparing a prospectus and in this case they are instead required to prepare an information document.
Furthermore, it should be noted that the introduction of the VFAA and its rules and guidelines was intended to address a lacuna in the field of DLT and virtual currencies that previously left investors not adequately protected.
The VFAA has provided new and legacy players with specific requirements and limitations when conducting business in this sector. However, no distinction is made in terms of whether a player in this sphere is a new entrant. The Malta Gaming Authority (MGA) has also contributed in this area.
The MGA has to date launched the first of two phases of its Sandbox Framework for the acceptance of virtual currencies and the use of DLTs by its licensees. Licensees may make use of DLT assets directly or via third-party service-providers. New operators may thus apply for approvals for the use of DLT assets as part of a new licence application while existing licensees can apply to the MGA for approval of the use of such DLT assets. Existing licensees participating in the sandbox environment will also be able to report their crypto player liabilities; any failed return transactions with respect to invalid deposits will also need to be reported. Approval to participate in the Sandbox Framework is conditional upon the applicant holding the relevant MGA licence. The first phase of the framework is planned to last for ten months from its launch and may be extended by the MGA if deemed fit.
Under this new framework, the legislator has also seen fit to create a new authority entitled the Malta Digital Innovation Authority (MDIA), whose remit is to regulate innovative technology arrangements such as smart contracts and ITSPs. The role of the MDIA is to be distinguished from that of the MFSA; the latter remains the primary authority issuing licences and authorisations for service-providers and public offerings of DLT assets. However, where a Maltese issuer wishes to offer a VFA to the public, and thus is required to register the White Paper with the MFSA, the innovative technology arrangement must be audited by a qualified systems auditor authorised and supervised by the MDIA. Similarly, in the near future we will also see licensed financial services operators making use of innovative technology arrangements in their operations; these licensed operators may benefit from the ITA certification mechanism offered by the MDIA.
On the other hand, the MGA remains distinct from the MFSA and the MDIA, but through the launch of its Sandbox Framework it has delved, to a limited extent, into the field of DLT assets by offering a limited environment for its licensees to accept and use DLT assets.
The rules issued by the MFSA for VFA service providers require service providers, when relying on a third party for the performance of any operational function, to take reasonable steps to avoid undue additional operational risk for the provision of continuous and satisfactory service to clients and the performance of VFA services on a continuous and satisfactory basis. The outsourcing of important operational functions may not materially impair the quality of the provider’s internal control and the ability of the supervisory body to monitor the licensee’s compliance with all its obligations. Indeed, the licence-holder remains fully responsible for discharging all its obligations and properly managing the risks associated with outsourcing. The outsourcing arrangements may not result in the delegation of the licensee’s senior management’s responsibility.
The licence-holder must thus carry out an ongoing assessment of the operational risks and the concentration risk associated with all its outsourcing arrangements and it must inform the MFSA of any material developments.
The outsourcing arrangement must be based on a formal, clear, written contract that establishes the respective rights and obligations of the licence-holder and the service provider.
However, licence-holders may not outsource management functions such as the setting of strategies and policies in respect of their risk profile and control, the oversight of the operation of their processes and the final responsibility towards customers. Outsourcing services and activities concerning licensable activities are also subject to satisfying certain specific criteria.
Licence-holders must inform the MFSA of any material outsourcing arrangements and keep the authority updated with any material developments affecting these activities. In turn the Authority may impose specific conditions on the licensee.
The VFAA, together with its regulations and rulebooks, confers on the minister responsible for the regulation of financial services and on the MFSA powers to protect investors’ interests while also overseeing the orderly transaction of business, primarily that of IVFAOs and VFA service-providers.
Issuers of VFAs are liable for damages sustained by a person as a direct consequence of such person having bought VFAs, either as part of an IVFAO by the issuer or on a DLT exchange, on the basis of any false information contained in a White Paper, on a website or in an advertisement. A statement included in a White Paper, on a website or in an advertisement is deemed to be untrue if it is misleading or otherwise inaccurate or inconsistent, either wilfully or in consequence of gross negligence, in the form and context in which it is included.
The MFSA may suspend or terminate the trading of a VFA if this is in the interest of the VFA exchange, investors or the general public. Conversely, to avoid causing significant damage to investors’ interests or the orderly functioning of a VFA exchange, the VFA exchange may suspend or remove from trading a VFA that no longer complies with the definition of a VFA or the by-laws of the VFA exchange.
The MFSA may impose unilateral decisions on any issuer of an IVFAO and on any VFA agent or VFA service-provider. It is thus empowered to request information from any person, order the review of the determination of a DLT asset and submit this determination to a test; appoint inspectors to investigate and report on the activities of an issuer, VFA agent or VFA service-provider; order an issuer or service provider to cease operations or appoint a person to advise him or her, take charge of his or her assets, or even control his or her business; order the suspension or the discontinuation of the trading of a VFA; and impose administrative penalties.
Where a VFA licence-holder or the secretary, a member of the board of administration or any other person responsible for a licence holder contravenes or fails to comply with any of the licence conditions, or he or she is deemed to be in breach of the VFAA, regulations or rules, including through a failure to co-operate in an investigation, the MFSA may impose an administrative penalty of up to EUR150,000 by notice in writing and without recourse to a court hearing.
In the public interest, most decisions made by the MFSA are subject to appeal in front of the Financial Services Tribunal.
The VFAA has also introduced specific cybersecurity rules for issuers and VFA service providers. Issuers of VFAs must have a cybersecurity framework in place depending on the nature, scale and complexity of their business. This is to include a business continuity plan, an access management policy, information and data security roles and responsibilities, and a threats management plan. The framework must be in line with internationally recognised cybersecurity standards and the General Data Protection Regulation (GDPR).
In turn, prior to a VFA exchange admitting a VFA to trading, it must assess the quality of the VFA and this includes considering the issuer’s anti-money laundering/countering the funding of terrorism (AML/CFT) and cybersecurity systems and controls in place.
The local regulator has also sought to address concerns of DLT assets being used for money laundering and funding of terrorism. Issuers of VFAs and VFA services-providers are thus now deemed to be subject persons for AML purposes and are required to comply with the EU AML directives and with the local AML rules. It is important to note that owing to their limited nature, issuers of VFAs were not deemed to be subject persons as they were not deemed to pose a large money laundering or funding of terrorism risk. Privacy law implications in Malta are equivalent to those in other EU jurisdictions given that Malta is subject to the GDPR. Local guidance on privacy implications in the context of DLTs is not yet present, albeit data protection considerations need to be taken into account by a systems auditor when auditing an ITA.
Furthermore, the VFAA imposes certain advertisement restrictions in the case of issuing a VFA or admitting it to trading on an exchange, which is primarily intended to protect retail investors, regardless of the type of media used. Advertisements must thus be clearly identifiable as such and the information contained therein may not be inaccurate or misleading. In the case of issuers of VFAs, the information must be consistent with the contents of the White Paper. Issuers may in fact be held liable for civil damages sustained by a person as a direct consequence of that person having bought a VFA on the basis of untrue information advertised (the term 'untrue' is deemed to refer to information that is misleading, or otherwise inaccurate or inconsistent).
The VFAA has introduced the role of an intermediary entitled the VFA agent who is to act as a liaison between an applicant for a VFA services licence or a VFA issuer and the MFSA. The VFA agent must be a person who is authorised to carry on the profession of advocate, accountant or auditor; or a firm of such professionals or a corporate services provider; or a legal organisation that is wholly owned and controlled by such persons.
The VFA agent must confirm that the issuer or the VFA services licence applicant (including its officers and ultimate beneficial owners, or UBOs) is competent in that field, and fit and proper. Particularly in the case of IVFAOs, the VFA agent is also responsible for ensuring that the DLT asset qualifies as a VFA and that the White Paper is compliant with the requirements of the act.
Where a DLT asset is classified as a financial instrument, electronic money or as a VFA, all these areas are regulated in Malta, whether an issuer wishes to offer the DLT assets to the public or whether a service-provider wishes to conduct activities related thereto.
Where a DLT asset is classified as a virtual token, any issue of such tokens and any services related thereto are unregulated under Maltese law. This is primarily because virtual tokens are limited in their nature, having no value outside the DLT platform on which they operate and not being exchangeable on third-party platforms. In view of these limitations, virtual tokens were not deemed to pose a big risk and indeed do not render the issuer or service-provider to be a subject person under AML rules.
The MFSA has not issued specific rules on the regulation of robo-advisers. However, reference must be made to the European Securities and Markets Authority’s (ESMA) Guidelines on certain aspects of the MiFID II suitability requirements, which define the concept of robo-advice and provide further clarity on the information to be provided to clients when making use of robo-advice.
Nevertheless, if the provision of robo-advice is deemed a licensable activity as the provision of traditional investment advice then a licence is required under the Investment Services Act, Cap 370 of the Laws of Malta (ISA).
It has been estimated that by 2020, between USD2.2 trillion and USD3.7 trillion in assets will be managed with the support of robo-advisory services. This figure is expected to rise to USD16 trillion by 2025, surpassing the amount of assets managed by the world’s biggest asset manager to date.
Wealth managers will thus need to assess the integration of robo-advisers in their business models. However, bearing in mind Malta’s investment culture, a high level of financial literacy needs to be reached among Maltese investors to introduce robo-advisers in the local market successfully.
Owing to the nature of the service being provided, robo-advisers may be seen as a means to be used for long-term investment rather than day trading.
Trading may be halted in certain instances of extreme uncertainty in the markets but this should only be done if the possibility was previously communicated to clients in order for them to make an informed decision prior to making use of this service.
Online lending is not common in Malta and traditional lending remains the absolute norm. Indeed, the Maltese lending market is dominated by retail banks that adopt a traditional risk-averse approach and allocate most of their lending capacity to real estate transactions.
Lending is a regulated activity that, if done regularly or habitually and not intra-group, requires a licence from the MFSA under the Financial Institutions Act (Cap 376 of the Laws of Malta) (FIA) or, if the activity includes financing from consumer deposit-taking, a licence under the Banking Act (Cap 371 of the Laws of Malta) (BA). Lending is, however, regulated without distinction as to the type of recipient of the loan.
Peer-to-peer (P2P) online lending is not specifically regulated under Maltese law and to date, there are no tailor-made regulatory requirements for P2P lending platforms. However, P2P lending platforms should still consider whether their specific activities trigger licensing requirements under the generic financial services framework, particularly the FIA, and in this respect amongst others it should be noted that a money-broking activity would be deemed to be a licensable activity.
P2P platform users who act as lenders within the platform may be deemed to be carrying out a regulated activity if they engage in lending on a regular or habitual basis.
Furthermore, it should be noted that underwriting processes for online lenders are not dictated by law.
Given that online lending is uncommon, syndication of such loans is also very rare.
Payment processors are licensable in Malta under the FIA. However, payment processors of VFAs are, as at today, not licensable under the VFAA.
There is no prohibition for payment processors against creating or implementing new payments rails, or payments infrastructure generally; nevertheless, in practice this is not common.
Fund administrators do not require a licence under Maltese law but any person wishing to provide such services to CIS in or from Malta needs to obtain a recognition certificate from the MFSA. This applies regardless of whether the fund administrator is appointed by the fund itself or by the fund manager.
A recognised fund administrator is required to conduct its business relating to a scheme by means of a written agreement, which clearly sets out the basis on which the services are to be provided. This agreement with the scheme or its manager should include the following:
The administrator is required to determine the net asset value of the scheme in accordance with the constitutional documents or prospectus of the scheme.
These requirements imposed on recognised fund administrators are intended to provide clarity and assurance on the administrator’s operations.
Fund administrators are required to notify the MFSA in writing of any evidence of fraud or dishonesty by a member of the recognised fund administrator’s staff immediately upon becoming aware of the matter. The fund administrator must also establish, implement and maintain effective internal reporting and communication of information at all relevant levels of the recognised fund administrator. Responsibility for compliance obligations also rests with the board of administrators and the fund administrator must have a compliance officer in place at all times as well as a money laundering reporting officer.
Under the traditional financial services regime in Malta, the major trading platforms for assets are regulated markets (in Malta this is the Malta Stock Exchange), multilateral trading facilities (MTFs) and organised trading facilities (OTFs). In Malta, the Prospects Market is an example of an MTF providing a market for SMEs to raise capital by issuing bonds or equity.
With the rise of virtual currencies, Malta has seen the emergence of different trading platforms, primarily VFA exchanges and security-token exchanges, which has also brought to light the rise of peer-to-peer exchanges. Although it can be said that decentralised exchanges are not fully operational to date, they present a new reality that will require a shift in regulatory mentality in comparison to that found in the traditional financial markets.
In the virtual currency sphere, trading platforms depend on the legal classification of a DLT asset. If a DLT asset is deemed to be a virtual token, it cannot be exchanged on a third-party trading platform as its non-tradability is one of the essential features of this type of DLT asset.
If a DLT asset qualifies as a VFA, the VFA regime has created the concept of a VFA exchange, which refers to an exchange where DLT assets qualifying as VFAs can be admitted for trading.
On the other hand, if the DLT asset qualifies as a financial instrument, such as a security token, then this may not be traded on a VFA exchange and instead requires a trading platform, such as an MTF, to be traded.
Prior to admitting a VFA to listing, a VFA exchange is required to carry out appropriate research to assess its quality. The following factors are thus to be taken into consideration.
Furthermore, the exchange may not admit a VFA to trading if it has an inbuilt anonymisation function unless the holder of the VFA can be identified.
The disintermediation element offered by the blockchain brings about a new reality to the handling of client orders, executing and settling trades. In the traditional markets various parties form part of the settlement chain, including a broker, a clearing member and a settlement agent. Through the use of the blockchain, exchanges tend to settle trades without relying on third parties, making the process far more efficient and at the same time transparent.
The nature of the blockchain also allows the possibility of doing away with the role of the broker, who in traditional markets might make a financial gain for directing orders to different parties for trade execution.
Algorithmic trading and high-frequency trading are regulated in Malta in line with MiFID II. A Maltese investment firm that engages in algorithmic trading must have the following procedures in place:
The term 'Maltese investment firm' refers to a person licensed under the ISA, whose head office is in Malta and who is entitled to carry out an activity in an EU or EEA state other than Malta in exercise of a European right, which thus includes investment funds that are licensed under the same Act.
Firms engaging in algorithmic trading in Malta or another EU or EEA state must notify their competent authority and the European regulatory authority of the trading venue at which the firm engages in algorithmic trading as a member or participant of a trading venue where this is not established in Malta.
Firms that engage in algorithmic trading and high-frequency trading must also keep sufficient records and make these available to the MFSA.
It is also important to note that where a person is dealing on own account and does not provide any other investment services then that person is exempt from the need for an investment services licence. This exemption applies unless such person is a market maker or deals on own account outside a regulated market or a multilateral trading facility on an organised, frequent and systematic basis by providing a system accessible to third parties in order to engage in dealings with them.
The rules refer to firms that engage in algorithmic trading and high-frequency algorithmic trading on a trading venue, which includes regulated markets, MTFs and OTFs.
A Maltese investment firm that engages in algorithmic trading to pursue a market-making strategy must take into account the liquidity, scale and nature of the specific market, and the characteristics of the instruments traded. The firm is considered to be pursuing a market-making strategy when, as a member or participant of one or more trading venues, its strategy, when dealing on own account, involves posting firm, simultaneous two-way quotes of comparable size and at competitive prices relating to one or more financial instruments on a single trading venue or across different trading venues, with the result of providing liquidity on a regular and frequent basis to the overall market.
A Maltese investment firm that acts as a general clearing member for other persons must have in place effective systems and controls to ensure clearing services are only applied to persons who are suitable and meet clear criteria, and that appropriate requirements are imposed on those persons to reduce risks to the investment firm itself and to the market. The firm must also ensure that there is a binding written agreement between the firm and the person regarding the essential rights and obligations arising from the provision of that service.
MiFID II introduced new standards on firms that charge payment for order flow (PFOF) because such arrangements are deemed to introduce a conflict of interest that is likely to cause harm to clients and markets. MiFID II thus reinforced restrictions on third-party payments when executing orders on behalf of retail and professional clients, and strengthened the conflicts of interest requirements. Firms are thus required to place explicit emphasis on avoiding or preventing conflicts of interest from arising in the first place.
MiFID II applies in Malta and at a local level is transposed via the ISA. Firms falling within the scope of MiFID II are thus bound by requirements that are harmonised at an EU level, including, but not limited to, not inducing clients to trade by bundling research within their execution services and the obligation of providing unbundled costs separately identifying and charging for execution, research and other advisory services. Investment firms need to make explicit payments for research and be able to show that the research contributes to better investment decisions and is therefore not an inducement.
Services such as an approved publication arrangement (the service of publishing trade reports on behalf of investment firms), an approved reporting mechanism (the service of reporting details of transactions to competent authorities) and a consolidated tape provider (the service of collecting trade reports for financial instruments from various markets and consolidating the same into a continuous electronic live data stream providing price and volume data per financial instrument) are also regulated activities.
In terms of MiFID II, investment research and financial analysis or other forms of recommendations are considered 'ancillary services' and no authorisation can be granted solely for the provision of ancillary services. Naturally, if the financial research platform also provides transactions in investment products or financial instruments then such would be deemed to amount to a regulated activity.
The MAR and the Market Abuse Directive (EU) 2014/57 (MAD) apply in Malta. Accordingly, where there are market rumours or speculation, an issuer is bound to assess whether a public disclosure of inside information is necessary. It should also be noted that EU directives such as the Shareholder Rights Directive and the Transparency Directive (including the respective revisions) apply in Malta and thus the disclosures required thereunder also need to be made.
Curation of user postings may expose a platform to liability if certain conditions are met, leading the platform to be deemed a publisher of such content by extension. A duty to report suspicious or unlawful behaviour such as market manipulation and pump and dump schemes is in place in respect of any person who arranges or executes transactions.
If the financial research platform utilises an ITA then such platform might be capable of voluntarily certifying the ITA under the ITASA.
Data processing and particularly automated decision-making, profiling and data mining need to be carefully assessed, especially given that the GDPR applies in Malta.
Generally speaking, however, and other than in the context of MiFID II, in Malta there are no ad hoc provisions specific to the regulation of software or technology used for the purposes of financial research and it must be highlighted that except for some elements of the DLT Framework, Maltese laws are technology neutral.
Underwriting processes in Malta are carried out directly with the insurance company itself or through a broker, a tied insurance intermediary or an insurance agent. All these processes are subject to the relevant insurance legislation and MFSA rules, in line with EU legislation.
Long-term insurance, such as life insurance, is regulated in a different manner to other insurance classes. This is primarily due to insolvency issues and a higher degree of knowledge required from those engaging in this type of insurance business. However, there is no distinction in the treatment of the different insurance classes by industry participants.
There is no local regulation on annuities to date but this is expected to be introduced in Malta soon.
Whether RegTech providers are regulated depends on their activities. In this respect, it should be noted that Maltese laws apply in a technology-neutral manner (bar some exceptions in relation to DLTs) and thus it is the activity of the RegTech provider that triggers regulatory implications, not the specific technologies utilised. Furthermore, if a RegTech provider utilises an ITA as defined by the ITASA then the RegTech provider may submit the ITA for recognition by the MDIA.
RegTech providers do not by default act as 'gatekeepers' such that when they see unlawful or suspicious behaviour they have a duty to report the activity. Such a duty is triggered depending on whether the activity of the RegTech provider renders the provider a 'subject-person' in terms of anti-money laundering legislation or the RegTech provider professionally arranges or executes transactions. Thus, when RegTech providers simply provide their software as a product, no such duty can be triggered. Software-as-a-service (SaaS) RegTech providers may, however, be subject to such duties depending on the specific services provided.
Typically, financial services would seek to impose service level agreements (SLAs) on technology-providers that require availability of support, such as through a call centre, points of contact, and quality and accuracy levels depending on the type of service rendered. Escalation levels, onsite auditing and obligations to provide information upon request are not uncommon.
As noted under 1.1 FinTech Market, Malta has promulgated the DLT Framework, which came into effect on 1 November 2018 and which provided for a first-of-its-kind legal framework addressing VFAs, DLTs, IVFAOs, ITAs and ITSPs. From a high-level perspective, the DLT Framework consists of the following pieces of legislation (each substantiated by various rules, guidelines and subsidiary legislation):
The following activities are deemed to qualify as VFA services under the VFAA:
Conducting any of the above activities in or from within Malta in relation to VFAs requires a licence from the MFSA.
The following four classes of VFA licences are available.
An application for a VFA licence can only be made through a VFA agent, namely an agent who is duly registered with the MFSA.
CIS wishing to invest in VFAs do not require an additional licence for this purpose, although in such cases there are some VFA-specific supplementary conditions that CIS are expected to comply with on an ongoing basis. As at the date of writing, only professional investor funds (PIFs) are permitted to invest in VFAs. Nevertheless, it should be noted that the MFSA has been considering whether to permit alternative investment funds (AIFs) and notified alternative investment funds (NAIFs) to invest in VFAs by extending the supplementary conditions that apply to PIFs to cover AIFs and NAIFs.
Issuers of IVFAOs (typically known as ICOs) are also regulated under the VFAA, in terms of which no issuer may offer a VFA to the public in or from within Malta, nor apply for a VFA's admission to trading on a DLT exchange, unless a White Paper drawn up in accordance with the VFAA has been registered with the MFSA. Similar to a VFA licence holder, the issuer is, amongst other things, required to appoint, and have at all times in place, a VFA agent.
In simplistic terms, the VFA agent’s role and function is generally to advise and guide his or her client, perform a fit and proper assessment prior to onboarding the client, act as a point of liaison between the MFSA and his or her client, and co-operate with the MFSA as may be required.
The MFSA has also established a Financial Instrument Test (FIT) that sets out the methodology on the basis of which the classification of a DLT asset and relative laws that apply is determined. In terms of the FIT, a DLT asset can be determined to be:
It should be noted that a substance over form approach is mandated by the MFSA in respect of the carrying out of a FIT.
The FIT determines DLT assets as financial instruments or electronic money depending on the features that constitute the same under existing EU legislation. Crucially, the FIT takes into consideration the following when determining whether a DLT asset is to be deemed a VT:
Various players, from new entrants to legacy players including the government of Malta itself, have taken active steps of implementing blockchain systems within their service offering or operations.
Regarding the ITASA, it should be noted that the certification of ITAs is a voluntary endeavour that (amongst others) requires a positive assurance from a systems auditor. That said, where an ITA is used in the context of an IVFAO, the auditing by a systems auditor becomes mandatory.
ITAs that can be certified by the MDIA under the ITASA, as at today, consist of the following.
Both a systems auditor reviewing an ITA for the purposes of the ITASA and a provider of technical administration services with respect to an ITA are considered ITSPs and, as such, require an authorisation from the MDIA to be able to render services in terms of the ITASA.
Malta does not have specific laws or case law precedents in relation to data privacy in the context of DLTs. Nor have guidelines or position papers been issued to date by the Information and Data Protection Commissioner, the authority tasked with oversight over data protection, privacy and freedom of information in Malta. That said, it should be noted that the GDPR applies in Malta (together with all other EU data privacy regulations) and, thus, any position that develops at an EU level in relation to privacy will in turn be applied in Malta.
Additionally, the system audit control objectives of security, processing integrity, availability, confidentiality and protection of personal data need to be followed for the purposes of a systems audit in terms of the ITASA.
Malta being an EU Member State, Payment Services Directive (EU) 2015/2366 (PSD 2) became effective in Malta on 13 January 2018. Consultations have been issued by the MFSA in relation to proposed amendments to the FIA and to the BA that are necessary for transposition of the PSD 2. The Central Bank of Malta Directive No 1 has also been issued in terms of the Central Bank of Malta Act (Cap 204 of the Laws of Malta). However, as at the date of writing, the PSD 2 remains partially transposed in Malta.
Nevertheless, open banking is in practical terms supported in Malta given that the major Maltese banks have taken the necessary steps to permit open banking by making available their API technologies.
Few, if any, account information service-providers (AISPs) or payment initiation service providers (PISPs) are live and operative in Malta as at today. Accordingly, PSD 2’s effects remain largely unfelt in Malta, be it from the perspective of banks coping with data privacy or data security concerns, or PSD 2 practical concerns on a more generic basis.