Fintech 2024 Comparisons

In 2018, Malta introduced an innovative legal framework regulating:

• virtual currencies (defined as “virtual financial assets” or VFAs);
• distributed ledger technologies (DLTs), including blockchains;
• initial coin offerings (ICOs, referred to under the framework as “initial VFA offerings” or IVFAOs);
• VFA service providers;
• innovative technology arrangements (ITAs), such as smart contracts; and
• innovative technology service providers (ITSPs).

The VFA framework was recognised as an innovative body of laws and the first of its kind worldwide. Through the years since its implementation, Malta has proven to be a primary jurisdiction for issuers and service providers seeking to conduct their issue or offer their services from an established and law-abiding jurisdiction.

MiCA

Building on the VFA framework, the EU Markets in Crypto-Assets Regulation (MiCA) was approved in April 2023. In the run-up to its implementation, the European Securities and Markets Authority (ESMA) is currently in the process of issuing draft guidelines, as parts of MiCA are expected to come into force in June 2024 while the remainder of the provisions will apply from December 2024.

As the Maltese VFA framework was based on MiFID, and MiCA was drafted in this same spirit, the MFSA noted that there are very few discrepancies between the Virtual Financial Assets Act (Cap 590 of the Laws of Malta) (VFAA) and MiCA, and the transition from one regime to the other is expected to be smooth. Indeed, in certain instances the current Maltese regime was deemed to be more rigid than under MiCA. The MFSA has thus commenced the process of transitioning from the VFA regime to MiCA by amending its relevant rulebook accordingly. Separately, a bill is currently being read in parliament to amend the provisions of the VFAA to effect the necessary legislative changes.

DORA

Another very significant piece of legislation is the Digital Operational Resilience Act (DORA), which came into force in January 2023 and will apply from January 2025. DORA sets uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties that provide ICT-related services to them, such as cloud platforms or data analytics services.

Ancillary to DORA is the Network and Information Security Directive (NIS2), which aims to establish a higher level of cybersecurity and resilience within EU organisations. The EU has also reached an agreement on the Cyber Resilience Act, which is intended to bolster cybersecurity rules to ensure more secure hardware and software products.

The current prominent business models in the DLT sphere in Malta are virtual currency-related service providers, which are generally referred to as VFA service providers or financial service providers that deal in virtual currencies qualifying as financial instruments, IVFAOs, security token offerings (STOs) and investment funds set up to invest in DLT assets recognised as VFAs. The prominence of these models is expected to increase with the coming into effect of MiCA and the applicable licensing regime for crypto-asset service providers (CASPs).

The introduction of the DLT framework in Malta, specifically the VFAA, brought in a legislative framework applicable to a specific class of virtual currencies qualifying as VFAs. This legislation addressed a lacuna under Maltese law, and placed Malta in a prominent position at the time as the sole jurisdiction with such a comprehensive legal framework in place, and now, with MiCA Regulation soon coming into effect, as a jurisdiction of choice for crypto-asset issuers and service providers. On the basis of the experience gained over past years, and bearing in mind the similarities between the VFAA and MiCA, the MFSA expects that the transition to the new regime will be smooth and efficient.

Scope and Classification of Cryptocurrencies

Under the VFAA, deciding whether a cryptocurrency can be considered a VFA is dependent on the result of the Financial Instrument Test devised by the MFSA, which can determine whether any DLT asset qualifies as a virtual token, a financial instrument, electronic money or a VFA. Following the result of the test, the DLT asset is then subject to the relevant rules, depending on its legal classification.

The MFSA is the local regulator responsible for applications under the VFAA and under the traditional financial services regime where this relates to virtual currencies qualifying as financial instruments.

Under MiCA on the other hand, the classification of crypto-assets will likewise depend on the result of MiCA’s version of the financial instrument test, which will determine whether the crypto-asset qualifies as an asset-referenced token, an e-money token or a crypto-asset other than asset-referenced tokens or e-money tokens. The MFSA will remain the local regulator responsible for local implementation and supervision in relation to this new Regulation.

Crypto service providers

Under the VFAA, a person providing VFA services in or from Malta as defined under the Maltese regime needs to be licensed by the MFSA prior to conducting such activities, and must also comply with the relevant rules and regulations.

Similarly, under MiCA, a CASP (as defined) providing crypto-asset services in the EU is required to first submit an application for authorisation to the competent authority of their home member state.

Offering or trading of cryptocurrencies

Similarly, where a Maltese issuer under the same regime intends to offer a VFA to the public or admit it to trading on a DLT exchange, the issuer must register the white paper with the MFSA and comply with the relevant rules and regulations.

Under MiCA, the requirements differ depending on the type of crypto-asset being offered to the public. In the case of an offer of crypto-assets other than asset-referenced tokens and e-money tokens, a white paper must be drawn up in line with MiCA’s requirements and those of its ancillary rules (currently in draft form); such white paper must be notified to the competent authority of the issuer’s home member state before the issue.

Services relating to virtual currencies that qualify as financial instruments

On the other hand, where a service provider is providing services in relation to virtual currencies that qualify as financial instruments, the service provider must obtain a licence under the traditional investment services regime that transposed Directive 2014/65 on Markets in Financial Instruments (commonly known as MiFID II) into Maltese law.

Collective investment scheme (CIS) investment in virtual currencies

CIS licensed in Malta can also be licensed to invest in virtual currencies through specific rules issued in this regard. In this respect, the MFSA has issued specific rules on professional investor funds (PIFs), and notified PIFs set up to invest in DLT assets recognised as VFAs.

Offering a virtual currency as a financial instrument to the public

If a local issuer wishes to offer a virtual currency qualifying as a financial instrument to the public, the process is very much akin to that of an IPO and the prospectus must thus be prepared and filed with the relevant authority in line with the prospectus regulation.

Issuance of a financial instrument not qualifying as an offer to the public

Where the issuance of that financial instrument does not qualify as an offer to the public, then this issue is deemed to be exempt from the requirement to issue a prospectus.

Maltese law contains no disclosure requirements regarding compensation models that industry participants use to charge customers. However, service providers must ensure that their fee structure is transparent, fair and non-discriminatory, and that there are no incentives in place that could contribute to disorderly trading conditions or market abuse.

The VFAA provided new and legacy players with specific requirements and limitations when conducting business in this sector, and this shall be furthered following the implementation of MiCA. However, no distinction is made according to whether a player in this sphere is a new entrant or a legacy player.

The Fintech Regulatory Sandbox

The MFSA launched its own Fintech Regulatory Sandbox in July 2020, allowing fintech operators to test their innovations within a regulatory environment for a specified period of time and under certain prescribed conditions. The sandbox is open to fintech service providers and fintech suppliers, accepting start-ups, technology firms and established financial services providers that approve of technologically enabled innovation in their business models, applications or products.

The regulatory sandbox is intended to target technologically enabled financial innovation that could result in new business models, applications, processes or products with an associated material effect on financial markets and the provision of financial services.

Since its launch, the sandbox has seen increased interest, with numerous proposals received with diverse innovative technologies for financial services, covering a range of investment service products, market infrastructures and regtech solutions.

The ITA Sandbox

In May 2021, the MDIA launched the Technology Assurance Sandbox (MDIA-TAS) to complement its ITA full certification framework. Its aim is to be a key utility for start-ups and smaller companies developing solutions based on innovative technologies, by providing a safe environment to develop their technological solutions. The MDIA-TAS aims to ensure that regulatory certainty can be given to ITAs developed by small entities and that a balance is reached between maintaining full certification and the adopted high-barrier entry approach, while addressing financial and technical barriers for smaller entities.

The sandbox framework is intended to guide applicants in the proper development of their solution within the lines of recognised international guidelines and standards, and other regulatory and legal obligations. Applicants are guided for a maximum period of two years, with the end result of being in a position to obtain full MDIA certification.

To participate in the MDIA-TAS, applicants must prove to the authority that their ITA has a reasonable element of substance relevant to Malta, either by proving that the development of the ITA will be carried out in Malta or that its operations will be carried out in or from Malta.

The MFSA

The MFSA is the primary regulator for entities engaging in VFA-related services, and its jurisdiction over industry participants is highly dependent on the nature of the services being offered. With respect to ICOs or IVFAOs, no issuer will offer a VFA to the public in or from within Malta, nor apply for a VFA’s admission to trading on a DLT exchange, unless the issuer draws up and registers a white paper in accordance with the VFAA.

Furthermore, no entity will provide, or hold itself out as providing, a VFA service in or from within Malta without being in possession of a valid licence. The entity will then be subject to supervision and oversight from such authority until such licence is surrendered.

The MFSA will remain the primary regulator once MiCA comes into force and supersedes the VFAA.

The Financial Intelligence Analysis Unit (FIAU)

VFA-related services are deemed to be “relevant activity” in terms of Malta’s anti-money laundering and combating the funding of terrorism (AML/CFT) legislative and regulatory framework. This factor therefore brings VFA service providers into the purview of the FIAU, which is the government agency tasked with the collection, collation, processing, analysis and dissemination of information with a view to combating money laundering and the funding of terrorism. The FIAU is also responsible for monitoring compliance with the relevant legislative provisions, so its remit is restricted to compliance with the AML/CFT legislative and regulatory framework.

The MDIA

The MDIA, on the other hand, has a mandate to regulate ITAs such as smart contracts and ITSPs. The role of the MDIA can be distinguished from that of the MFSA, with the latter remaining the primary authority issuing licences and authorisations for service providers and public offerings of DLT assets. The MDIA’s role on the other hand goes beyond the licensing regime, offering a voluntary regime for the registration and certification of ITAs.

The Malta Gaming Authority (MGA)

The MGA issued an updated policy on DLTs by authorised persons in January 2023, explaining the requirements and instances for application to the MGA. Regulating the inclusion of DLT assets, ITAs and smart contracts, this policy fully strengthens the role of DLT in the gaming sphere.

Gaming operators require prior approval from the MGA before accepting DLT assets. Furthermore, in regard to VFAs, MGA approval is required when:

• a deposit is initiated by the payer in VFAs and received by the operator in VFAs;
• a deposit is initiated by the player in VFAs and received by the operator in fiat; or
• a deposit is initiated by the player in fiat and received by the operator in VFAs.

The policy also established a system for VFA exchange rates, stating that the rate to be used is that as at midnight (Central European Time) on the last day of the reporting month, in order to reduce the issue of fluctuating rates faced by VFAs worldwide.

The MFSA Rules

The rules issued by the MFSA for VFA service providers require them to ensure that, when relying on a third party for the performance of any operational function, they take reasonable steps to avoid undue additional operational risk through the provision of a continuous and satisfactory service to clients and the performance of VFA services on a continuous and satisfactory basis.

Obligations of the Licence Holder

The outsourcing of important operational functions may not materially impair the quality of the provider’s internal control and the ability of the supervisory body to monitor the licensee’s compliance with all its obligations. Indeed, the licence holder remains fully responsible for discharging all its obligations and properly managing the risks associated with outsourcing. The outsourcing arrangements may not result in the delegation of the licensee’s senior management responsibility.

The licence holder must thus carry out an ongoing assessment of the operational risks and the concentration risk associated with all its outsourcing arrangements, and it must inform the MFSA of any material developments.

The outsourcing arrangement must be based on a formal, clear, written contract that establishes the respective rights and obligations of the licence holder and the service provider.

However, a licence holder may not outsource management functions such as the setting of strategies and policies in respect of its risk profile and control, the oversight of the operation of its processes and the final responsibility towards customers. Outsourcing services and activities concerning licensable activities are also subject to the satisfaction of certain specific criteria.

Licence holders must inform the MFSA of any material outsourcing arrangements and keep the authority updated on any material developments affecting these activities. In turn, the MFSA may impose specific conditions on the licensee.

MiCA Requirements

The requirements under MiCA echo what was already set out under the MFSA rules in this regard. Crypto-asset service providers are required to have a policy on their outsourcing, including on contingency plans and exit strategies, taking into account the scale, nature and range of crypto-asset services provided. These requirements are also intended to work hand in hand with the provisions of DORA.

Licensees under the VFAA are deemed to be subject persons for AML purposes in terms of the AML/CFT rules. To that end, licensees are required to conduct AML/CFT checks on all users on their platforms and all persons making use of their services. This is also applicable to those entities performing an ICO or IVFAO in terms of the VFAA.

With the coming into force of MiCA, CASPs will also be captured as subject persons and will thus be required to comply with AML/CFT requirements.

In January 2023, the FIAU published an administrative measure against two entities, one of which was licensed as a Class 3 VFA Services Provider, and the other was authorised as a Class 4 VFA Services Provider. The administrative penalties amounted to EUR242,243 and EUR220,992 respectively, due to multiple breaches of the Prevention of Money Laundering and Financing of Terrorism Regulations (PMLFTR), including:

• improper business risk assessment;
• improper customer risk assessment;
• improper collection of information regarding wallet addresses;
• shortcomings in enhanced due diligence; and
• failures in transaction scrutiny.

Both entities have appealed the FIAU’s decision.

Powers of the MFSA

However, the VFAA stipulates that the MFSA has the power to unilaterally impose decisions on any issuer of an IVFAO and on any VFA service provider. The authority is empowered to:

• request information from any person;
• order the review of the determination of a DLT asset and submit this determination to a test;
• appoint inspectors to investigate and report on the activities of an issuer or VFA service provider;
• order an issuer or service provider to cease operations or appoint a person to advise them, take charge of their assets, or even control their business;
• order the suspension or the discontinuation of the trading of a VFA; and
• impose administrative penalties.

Liability of VFA Issuers

Issuers of VFAs are liable for damages sustained by a person as a direct consequence of such person having bought VFAs – either as part of an IVFAO by the issuer or on a DLT exchange – on the basis of any false information contained in a white paper, on a website or in an advertisement. A statement included in a white paper, on a website or in an advertisement is deemed to be untrue if it is misleading or otherwise inaccurate or inconsistent, either wilfully or as a consequence of gross negligence, in the form and context in which it is included.

Penalty

Whenever a VFA licence holder breaches or contravenes the VFAA regulations or rules, including through a failure to co-operate in an investigation, the MFSA may impose an administrative penalty of up to EUR150,000 by notice in writing and without recourse to a court hearing.

Appeal

Any such actions made by the MFSA are subject to appeal in front of the Financial Services Tribunal.

Cybersecurity Rules

Specific cybersecurity rules were issued under the VFAA for issuers and VFA service providers. The rules stipulate that issuers are required to adopt a cybersecurity framework depending on the nature, scale and complexity of their business. The framework must be firmly in line with international and European cybersecurity standards, and must include the following:

• a business continuity plan;
• an access management policy;
• a list of information and data security roles and responsibilities; and
• a threats management plan.

From an EU perspective, DORA aims to strength cybersecurity regulations within the EU. The coming into force of this Regulation is expected to have a great effect on the financial services and fintech industry, as it will push licensed entities and their management – who retain ultimate responsibility – to understand fully how their ICT, operational resilience, cyber and third-party risk management practices impact the resilience of their critical functions and to develop operational resilience capabilities. DORA shall be fully enforceable from 17 January 2025.

General Data Protection Regulation

With respect to privacy law implications, Malta is subject to the General Data Protection Regulation and the general considerations thereunder.

Systems auditors that are registered with the MDIA are required to abide by the relevant rules and guidelines issued by the MDIA.

Under the VFA framework, when a DLT asset is classified as a virtual token (VT), its issuance and related services remain unregulated under Maltese law. VTs are limited in their nature and have no value outside the DLT platform on which they operate, and are not exchangeable on third-party platforms.

A VT may be offered through the same entity that offers VFAs or security tokens, given that the offering of VTs is unregulated. Furthermore, VTs are not deemed to be a big AML risk, and offerors of VTs are thus not considered to be “subject persons” under the AML/CFT rules.

MiCA also excludes certain types of crypto-assets from its scope. These include most types of NFTs (see 12.9 Non-fungible Tokens (NFTs)) and digital assets that are accepted only by the issuer or the offeror and that are technically impossible to transfer directly to other holders.

On the basis of Malta’s experience as a corporate and financial centre, the Maltese regulator sought to implement AML rules throughout the fintech sector even before the EU’s 5th AML Directive came into force.

While certain companies operating in the fintech sphere were already deemed to be subject persons under local legislation, upon the coming into force of the VFAA the regulator also sought to extend the definition of “subject person” to capture VFAs and the operations of VFA service providers and issuers of VFAs. This was further supplemented by specific implementing procedures issued by the local AML authority, the FIAU, which set out specific additional AML rules to regulate such entities.

This was intended not only to provide a proper AML framework for issuing or offering services in relation to virtual currencies but also to ensure that Maltese AML laws remain abreast of ever-evolving technologies and the ways in which such technologies could be used for money laundering and the funding of terrorism.

This has also meant that operators seeking to operate in or from Malta are required to adhere to such rules, backed by the experience gained by the local regulator over past years.

With the coming into force of MiCA, CASPs will also be captured as subject persons and will thus be required to comply with AML/CFT requirements.

Furthermore, Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets (the Transfer of Funds Regulation) gives effect to the recommendations of the Financial Action Task Force (FATF) on virtual assets. These new rules are aimed to prevent, detect and investigate money laundering and terrorist financing where at least one of the CASPs involved in the transfer of crypto-assets is established in the EU. These service providers are required to accompany transfers of crypto-assets with information on the originator and the beneficiary. The information should be submitted in a secure manner and in advance of, or simultaneously or concurrently with, the transfer of crypto-assets. The Regulation will apply from 30 December 2024.

Unregulated entities are not typically captured by AML rules but are nevertheless encouraged to keep abreast of changes to such rules.

The MFSA has yet to issue tailor-made rules regulating robo-advisers. However, ESMA has issued guidelines on certain aspects of the MiFID II suitability requirements, which define the concept of robo-advice and provide further clarity on the information to be provided to clients when making use of robo-advice. It appears that the provision of robo-advice may be deemed a licensable activity, like the provision of traditional investment advice under the Investment Services Act, Cap 370 of the Laws of Malta (ISA).

Furthermore, in October 2021 the European Commission requested advice from ESMA on preparing a legislative proposal in relation to several focused areas, including robo-advisers. A final report was provided by ESMA in April 2022, with a specific section detailing the effects of robo-advisers. Acknowledging the risks posed by robo-advisers for investors (including limited access to information due to limited human interaction), ESMA analysed the advantages and disadvantages posed by such systems through a call for evidence. Robo-advisory services have not taken off in the EU due to barriers on investor reliance on human interaction and the cost of implementation. Furthermore, while investors may be more honest without the human element (as they do not feel judged), impulsivity and biased choices are heightened due to the faster access.

As a result of such report, ESMA found that the current regulatory framework is appropriate due to the limited growth and lack of significant evolution, with no need for specific provisions addressing robo-advisers.

Companies exploring the use of robo-advisory services may also benefit from the MFSA’s Fintech Regulatory Sandbox (see 2.5 Regulatory Sandbox).

No information is available in this jurisdiction on legacy players’ implementation of solutions introduced by robo-advisers.

No information is available in this jurisdiction on the best execution of customer trades.

Online lending remains uncommon in Malta, with more traditional forms of lending being used. The Maltese lending market continues to be dominated by retail banks, which adopt a risk-averse approach to transactions.

The regulation of lending occurs without distinction as to the recipient of the loan.

The act of regular or habitual lending is regulated and requires a licence from the MFSA under the Financial Institutions Act (Cap 376 of the Laws of Malta) (FIA). However, if the activity includes financing from consumer deposit-taking, a licence under the Banking Act (Cap 371 of the Laws of Malta) (BA) would be required.

It should also be noted that underwriting processes for online lenders are not dictated by law.

The EU Crowdfunding Regulation (Regulation (EU) 2020/1503) includes within its scope both investment-based crowdfunding and lending-based crowdfunding. Specifically in relation to lending-based crowdfunding, the Regulation applies to crowdfunding services that consist of the facilitation of the granting of loans, including services such as presenting crowdfunding offers to clients and pricing or assessing the credit risk of crowdfunding projects or project owners.

The definition of crowdfunding services is aimed to accommodate different business models enabling a loan agreement between one or more investors and one or more project owners to be concluded through a crowdfunding platform. Loans included within the scope of the Regulation are those with unconditional obligations to repay an agreed amount of money to the investor, whereby lending-based crowdfunding platforms merely facilitate the conclusion by investors and the project owner of loan agreements without the crowdfunding service provider at any moment acting as a creditor of the project owner.

Due to the limited adaptability of online lending in Malta, the syndication of such loans is very rare.

Payment processors are licensable in Malta under the FIA.

There is no prohibition on payment processors creating or implementing new payments rails, or payments infrastructure generally, but this is not common in practice.

The provisions of the Value Added Tax (Reporting Obligations for Payment Service Providers) Regulations [S.L. 406.22] came into effect on 1 January 2024. These new Regulations introduced certain new reporting requirements for Payment Service Providers (PSPs) (which term includes mainly credit institutions, e-money institutions, payment institutions and post-office giro institutions), mainly concerning cross-border payments originating from EU member states. PSPs with Malta as either their home member state or host member state will be required to register with the Malta Tax and Customs Administration (MTCA) as an in-scope PSP for the Central Electronic System of Payment information (CESOP). In-scope PSPs will be required to keep sufficiently detailed information on payees and payments, and to submit certain quarterly detailed information to the Malta Commissioner for Tax and Customs concerning certain cross-border payments provided in Malta.

Fund administrators do not require a licence under Maltese law but any person wishing to provide fund administration services to a CIS in or from within Malta needs to obtain a certificate of recognition from the MFSA. This applies regardless of whether the fund administrator is appointed by the fund itself or by the fund manager.

Certified fund administrators are required to carry out any business relating to a CIS through a written agreement setting out the basis on which such services are to be provided. This agreement with the scheme or its manager should include the following:

• whether the administrator is appointed by the scheme or its manager;
• the nature of the services to be provided by the administrator;
• information on the charges to be paid by the customer;
• the fact that the administrator is recognised by the MFSA; and
• arrangements to bring the agreement to an end.

Furthermore, the administrator is required to determine the net asset value of the scheme in accordance with the constitutional documents or prospectus of the scheme. The requirements imposed on recognised fund administrators are intended to provide clarity and assurance on the administrator’s operations.

Traditional Financial Services

Under the traditional financial services regime in Malta, the major trading platforms for assets are regulated markets (the sole regulated market in Malta is the Malta Stock Exchange, or MSE), multilateral trading facilities (MTFs) and organised trading facilities (OTFs). In Malta, the Prospects Market is an example of an MTF providing a market for SMEs to raise capital by issuing equity or bonds. These types of exchanges are primarily regulated under the Financial Markets Act and relevant EU regulations. Issuers on such platforms are required to abide by the relevant rules – eg, issuers on the MSE are required to abide by the Listing Rules, whereas those listing on the Prospects Market are required to abide by the Prospects MTF Rules.

Virtual Currencies

However, the introduction of virtual currencies has led to the rise of new trading platforms, such as VFA exchanges and security token exchanges, and this has also brought to light the rise of P2P exchanges.

In the virtual currency sphere, trading platforms depend on the legal classification of a DLT asset/crypto-asset. Under the VFAA, a DLT asset that qualifies as a VFA can be admitted to trading on a VFA exchange. On the other hand, if the DLT asset qualifies as a financial instrument, such as a security token, then it may not be traded on a VFA exchange and instead must be traded on a trading platform, such as an MTF.

Prior to admitting a VFA to listing, a VFA exchange is required to carry out appropriate research to assess the quality of the VFA, taking into consideration a number of factors, including:

• the technological experience, track record and reputation of the issuer and its development team;
• the issuer’s AML/CFT and cybersecurity systems and controls;
• the relevant consensus protocol;
• the completeness and reliability of information included on the project website and/or in the white paper, including whether an ethical or professional code of conduct exists;
• whether the VFA has any inbuilt anonymisation functions;
• whether the VFA has used or was used with any smurfing technology or mixers, or has been traded, or is traded on any dark-net marketplace(s);
• whether the VFA is or has been traded on any sidechains; and
• whether the VFA has an inbuilt mechanism that caters for settlement failure, such as a resolution mechanism.

On the other hand, under MiCA, CASPs operating a trading platform for crypto-assets are required to lay down, maintain and implement clear and transparent operating rules for the trading platform. Before admitting a crypto-asset to trading, such CASPs must ensure that the crypto-asset complies with the operating rules of the trading platform and assess the suitability of the crypto-asset concerned. Similar to under the VFAA, admission to trading of crypto-assets that have an inbuilt anonymisation function is prevented unless the holders of those crypto-assets and their transaction history can be identified by the CASP. Such CASPs may also not deal on own account on their own platform, and must have effective systems, procedures and arrangements in place to ensure that their trading system operates in line with MiCA’s requirements.

As set out in 2.2 Regulatory Regime, the VFAA produced the Financial Instrument Test, which helps to assess whether a DLT asset qualifies as a VT, a financial instrument, electronic money or a VFA.

Where a DLT asset qualifies as a VT, its offering is not regulated under Maltese law, but the issuing of VFAs and the offering of services in relation to VFAs are regulated under the VFAA.

On the other hand, the issuing and offering of services in relation to financial instruments and electronic money are primarily regulated under MiFID II and the Electronic Money Directive, both as transposed under Maltese law.

On the other hand, the classification of crypto-assets under MiCA will likewise depend on the result of MiCA’s version of the financial instrument test, which will determine whether the crypto-asset qualifies as an asset-referenced token, an e-money token or a crypto-asset other than asset-referenced tokens or e-money tokens.

The passing of the VFAA and the establishment of supplementary regulations, rules and guidelines promoted Malta as one of the first countries to have regulated cryptocurrency exchanges and other cryptocurrency-related services.

The VFAA regulates VFA exchanges – ie, exchanges that list and trade DLT assets that are classified as VFAs in terms of the Financial Instrument Test. See 7.1 Permissible Trading Platforms for additional information on the regulation of VFA exchanges and expected regulatory changes with the coming into force of MiCA.

Issuers of VFAs listing on VFA exchanges are required to abide by the listing rules adopted by each respective VFA exchange. Under MiCA, CASPs operating a trading platform for crypto-assets should also have detailed operating rules, be subject to pre-trade and post-trade transparency requirements, and set transparent and non-discriminatory rules governing access to their platforms, based on objective criteria.

Issuers of traditional financial instruments (eg, equity securities or debt securities) listing on the MSE are required to abide by the Listing Rules, whereas those listing on the Prospects Market are required to abide by the Prospects MTF Rules.

When VFA licence holders and CASPs under MiCA handle client orders, they are required to implement procedures and arrangements that seek to provide an expeditious execution of such orders. There are also obligations imposed on licence holders/CASPs not to misuse information relating to pending client orders, and to take all reasonable steps to prevent the misuse of such information.

The increase in cryptocurrency exchanges has highlighted the advantages of P2P trading platforms. While this has not impacted the regulation of traditional trading platforms, regulators have sought to cater for such platforms, locally through the enactment of the VFAA, and now on an EU-wide basis through MiCA.

Under both the VFAA and MiCA, VFA licence holders/CASPs are required to take all necessary steps to obtain the best possible result for their clients, taking into account the best execution factors of price, costs, speed, likelihood of execution and settlement, size, nature, conditions of custody of the crypto-assets or any other consideration relevant to the execution of the order.

The MFSA’s rulebook supplementing the VFAA distinguished between the provision of services to experienced and non-experienced investors. Following recent changes to such rulebook, the requirement for this client categorisation has been removed to be in line with MiCA, which also does not set out any such categorisation.

Indeed, MiCA requires CASPs to establish and implement effective execution arrangements, particularly by having an order execution policy in place. This policy must, amongst others, provide for the prompt, fair and expeditious execution of client orders and prevent the misuse by the CASP’s employees of any information relating to client orders. The policy must provide clear information to clients on how client orders are to be executed, and CASPs are required to obtain prior consent from each client regarding the policy.

There is no information available in this jurisdiction.

Marketplaces, exchanges and trading platforms are required to abide by the principles of the Market Abuse Regulation, which aims to prevent and detect market abuse, market manipulation and insider dealing.

These principles have also been enshrined in Malta’s VFA framework, and VFA service providers are required to have systems and procedures in place to identify and curb market abuse. These same principles have been enshrined in MiCA as well.

Furthermore, issuers on the MSE are required to abide by the Listing Rules, whereas those listing on the Prospects Market are required to abide by the Prospects MTF Rules. Both of these sets of rules include specific provisions on inside information and fair disclosure of information to the market.

Algorithmic trading and high-frequency trading are regulated in Malta under MiFID II. Any person licensed under the ISA whose head office is in Malta and who is entitled to carry out an activity in an EU or EEA state other than Malta, in exercise of a European right, must have the following in place:

• effective systems and risk controls suitable to the business it operates, to ensure that its trading systems are resilient and have sufficient capacity, are subject to appropriate trading thresholds and limits, and prevent the sending of erroneous orders or the malfunctioning of systems in a way that may create or contribute to a disorderly market;
• effective systems and risk controls to ensure the trading systems cannot be used for any purpose that is contrary to the Market Abuse Regulation (EU) 596/2014 (MAR) or the rules of the trading venue to which it is connected; and
• effective business continuity arrangements to deal with any failure of its trading systems, to which end it must ensure that its systems are fully tested and properly monitored, and meet the requirements laid down in the relevant regulations.

Firms engaging in algorithmic trading in Malta or another EU or EEA state must notify their competent authority and the European regulatory authority of the trading venue at which the firm engages in algorithmic trading as a member or participant, where this is not established in Malta.

Firms that engage in algorithmic trading and high-frequency trading must also keep sufficient records and make these available to the MFSA.

It is also important to note that a person dealing on their own account who does not provide any other investment services is exempt from the need for an investment services licence. This exemption applies unless such person is a market maker or deals on their own account outside a regulated market or a multilateral trading facility on an organised, frequent and systematic basis by providing a system accessible to third parties in order to engage in dealings with them.

The rules refer to firms that engage in algorithmic trading and high-frequency algorithmic trading on a trading venue, which includes regulated markets, MTFs and OTFs.

Investment Firms That Engage in Algorithmic Trading to Pursue a Market-Making Strategy

A Maltese investment firm that engages in algorithmic trading to pursue a market-making strategy must take into account the liquidity, scale and nature of the specific market, and the characteristics of the instruments traded.

The firm is considered to be pursuing a market-making strategy when, as a member of or participant in one or more trading venues, its strategy (when dealing on its own account) involves posting firm, simultaneous two-way quotes of comparable size and at competitive prices relating to one or more financial instruments on a single trading venue or across different trading venues, with the result of providing liquidity on a regular and frequent basis to the overall market.

Investment Firms That Act as a General Clearing Member

A Maltese investment firm that acts as a general clearing member for other persons must have effective systems and controls in place to ensure clearing services are only applied to persons who are suitable and meet clear criteria, and that appropriate requirements are imposed on those persons to reduce risks to the investment firm itself and to the market.

The firm must also ensure that there is a binding written agreement between the firm and the person regarding the essential rights and obligations arising from the provision of that service.

There is no information available in this jurisdiction.

There is no information available in this jurisdiction.

Although the term DeFi is not defined under Maltese law, the MFSA refers to DeFi as a technology that utilises DLT, encompassing the elements of composability, competition and automation, to offer autonomous and decentralised financial services. The main body of law that includes references to DLT in Malta is the VFAA. This is also augmented by the certification mechanism offered under the Innovative Technology Arrangements and Services Act, Cap 592 of the Laws of Malta (ITASA). However, neither of these laws can be deemed to regulate DeFi itself.

Service providers intending to use DeFi can avail of the use of the MFSA’s regulatory sandbox, which allows them to test their innovation for a specific period of time in the financial services markets under certain prescribed conditions.

MiFID II was transposed into Maltese legislation via the ISA. Any firm falling within the scope of MiFID II is bound by requirements that are harmonised at EU level, such as not inducing clients to trade by methods involving the bundling of research and the obligation of providing unbundled costs separately identifying and charging for execution, research and other advisory services. There is also an obligation for investment firms to make explicit payments for research, and to be able to show that research contributes to better investment decisions and is therefore not an inducement.

The following services are also regulated activities:

• offering an approved publication arrangement (the service of publishing trade reports on behalf of investment firms);
• offering an approved reporting mechanism (the service of reporting details of transactions to competent authorities); and
• offering a consolidated tape provider (the service of collecting trade reports for financial instruments from various markets and consolidating the same into a continuous electronic live data stream providing price and volume data per financial instrument).

In terms of MiFID II, investment research and financial analysis or other forms of recommendations are considered “ancillary services”. It is worth noting that no authorisation may be granted solely for the provision of ancillary services. Naturally, if the financial research platform also provides transactions in investment products or financial instruments, then this would be deemed to amount to a regulated activity.

In this aspect, it is worth referring to the MAR and the Market Abuse Directive (EU) 2014/57, which have been transposed in Malta. When speculation and market rumours begin to spread, an issuer is obliged to assess whether a public disclosure of inside information is necessary.

Further obligations in this regard also emanate from the Shareholder Rights Directive and the Transparency Directive, which stipulate further standards of disclosure.

Generally speaking, other than in the context of MiFID II, in Malta there are no ad hoc provisions specific to the regulation of software or technology used for the purposes of financial research, and it must be highlighted that Maltese laws are technology-neutral, except for some elements of the DLT framework.

The curation of user postings may expose a platform to liability if certain conditions are met, leading the platform to be deemed a publisher of such content by extension. There is a duty to report suspicious or unlawful behaviour, such as market manipulation and pump-and-dump schemes, in respect of any person who arranges or executes transactions.

In Malta, underwriting processes are carried out directly with the insurance company itself or through a broker, a tied insurance intermediary or an insurance agent. Such processes are subject to the relevant Maltese insurance legislation and MFSA rules, in line with EU legislation.

Long-term insurance, such as life insurance, is regulated in a different manner to other insurance classes, primarily due to insolvency issues and the higher degree of knowledge required by those engaging in this type of insurance business. However, there is no distinction between the treatment of the different insurance classes by industry participants.

The regulation of regtech providers depends on the nature of their activities. It must be noted that Maltese laws in this respect apply in a technology-neutral manner (bar some exceptions in relation to DLTs). It is therefore the activity of the regtech provider that triggers regulatory implications and not the specific technologies used.

Furthermore, if a regtech provider utilises an ITA as defined by the ITASA, then the regtech provider may submit the ITA for recognition by the MDIA.

There is no information available in this jurisdiction.

While local banks have been cautious in their approach to implementing the use of DLT in their current systems, the Malta Business Registry (MBR), which is responsible for the registration of commercial partnerships and companies in Malta, is expected to roll out its online system operating on the blockchain. The development of the new system is intended to overhaul the registry’s data scheme to allow for a more accurate and efficient representation of all companies and parties involved.

Malta’s DLT framework came into effect in 2018 and addresses VFAs, DLTs, IVFAOs, ITAs and ITSPs. In summary, the DLT regulatory framework consists of the following pieces of legislation (each substantiated by various rules, guidelines and subsidiary legislation):

• the VFAA, which establishes regulations in relation to IVFAOs, VFAs and related service providers;
• the Malta Digital Innovation Authority Act, Cap 591 of the Laws of Malta, which sets up the MDIA (the Maltese authority primarily responsible for promoting digital innovation); and
• the ITASA, which provides for certification by the MDIA of ITAs and authorisations for innovative technology service providers.

The VFAA is in the process of being amended to be brought in line with the provisions of MiCA.

Under the VFAA, if the asset in question qualifies as a VFA, any person that conducts any of the following activities in or from within Malta in relation to VFAs requires a licence from the MFSA:

• the receipt and transmission of orders;
• the execution of orders on behalf of other persons;
• dealing on own account;
• portfolio management;
• custodian or nominee services (of VFAs including cryptographic keys);
• the provision of investment advice;
• the placing of VFAs;
• the operation of a VFA exchange; and
• the transfer of VFAs.

MiCA on the other hand regulates the provision of crypto-asset services – ie, any of the following services and activities relating to any crypto-asset:

• the provision of custody and administration of crypto-assets on behalf of clients;
• the operation of a trading platform for crypto-assets;
• the exchange of crypto-assets for funds;
• the exchange of crypto-assets for other crypto-assets;
• the execution of orders for crypto-assets on behalf of clients;
• the placing of crypto-assets;
• the receipt and transmission of orders for crypto-assets on behalf of clients;
• the provision of advice on crypto-assets;
• the provision of portfolio management on crypto-assets; and
• the provision of transfer services for crypto-assets on behalf of clients.

As stated in 2.2 Regulatory Regime, if a DLT asset is deemed to be a VFA under the terms of the Financial Instrument Test, then the issue of the VFA as an offer to the public is regulated in terms of the VFAA. The issuer of the IVFAO is required to draw up and register the white paper with the MFSA prior to the launch of the IVFAO.

On the other hand, if the Financial Instrument Test determines the DLT asset to be a financial instrument, then this is regulated under the traditional financial services legislation. The issue of a DLT financial instrument as an offer to the public is regulated in terms of the Prospectus Regulation, and the prospectus must be approved by the MFSA prior to issue.

MiCA will also adopt a similar test to determine the classification of a crypto-asset as either an asset-referenced token, an e-money token or a crypto-asset other than an asset-referenced token or e-money token. Similar to the VFAA, financial instruments fall outside the scope of MiCA, and thus the issue of a crypto-asset classified as a financial instrument will continue to be regulated under the Prospectus Regulation.

Specifically with regards to an issue to the public of crypto-assets being neither asset-referenced tokens nor e-money tokens, the issuer must be a legal person and draw up the white paper in line with the requirements set out in the Regulation and ancillary guidelines (currently in draft form).

The VFAA defines a DLT exchange as any trading and/or exchange platform or facility on which any form of DLT asset may be transacted. A DLT asset is any VT, VFA, electronic money or financial instrument that is intrinsically dependent on or utilises DLT.

The term “VFA exchange” refers to a DLT exchange for VFAs, within which multiple third-party buying and selling interests for VFAs can interact in a manner that results in a contract, by exchanging one VFA for another or a VFA for fiat currency that is legal tender, or vice versa. Therefore, exchanges on which only financial instruments are traded are not licensable in terms of the VFAA but fall within the remit of the ISA.

The operation of a VFA exchange is one of the VFA services for which a person would need a licence from the MFSA, as outlined in the VFAA.

Under MiCA, the operation of a trading platform for crypto-assets is deemed to be a crypto-asset service. This refers to the management of one or more multilateral systems that bring together or facilitate the bringing together of multiple third-party purchasing and selling interests in crypto-assets, in the system and in accordance with its rules, in a way that results in a contract, either by exchanging crypto-assets for funds or by the exchange of crypto-assets for other crypto-assets.

CIS wishing to invest in VFAs do not require an additional licence for this purpose, although CIS are expected to comply with some VFA-specific supplementary conditions on an ongoing basis.

At the time of writing, only PIFs and notified PIFs are permitted to invest in VFAs. Nevertheless, it should be noted that the MFSA has been considering whether to permit alternative investment funds (AIFs) and notified alternative investment funds (NAIFs) to invest in VFAs by extending the supplementary conditions that apply to PIFs to cover AIFs and NAIFs.

See 2.2 Regulatory Regime.

Discussions have arisen over the past few years on the concept of decentralised finance (DeFi), calling for public awareness of the possible major changes that can be brought about by decentralised blockchain platforms, such as decentralised applications (dApps). The subject warrants further exploration into the risks and liabilities such platforms may carry, such as avoiding centralised control, which could be abused to the detriment of consumers.

However, much more research is required in order to implement a legal framework for such an innovation. The upcoming MiCA Regulation has failed to implement rules applicable to DeFi; however, in October 2022 the European Commission published a report that discusses the need to adapt existing policy frameworks to account for the changes brought about by DeFi by evaluating the positive role that appropriate public policies can have on the development of the DeFi ecosystem and its contribution to the economy.

More recently, in October 2023, ESMA issued its own analysis on the development and risks surrounding decentralised financed in the EU. It highlights that, although investors’ exposure to DeFi remains small overall, there are serious risks to investor protection, due to the highly speculative nature of many DeFi arrangements, important operational and security vulnerabilities, and the lack of a clearly identified responsible party.

Maltese law does not define or specifically refer to NFTs or the use of NFT platforms. However, the VFAA does refer to DLT assets, which may be determined to be either a VT, a financial instrument, electronic money or a VFA. This classification is determined after conducting the Financial Instrument Test (see 12.3 Classification of Blockchain Assets).

MiCA's definition of “crypto-assets” as “a digital representation of a value or of a right that is able to be transferred and stored electronically, using distributed ledger technology or similar technology”, excludes NFTs from being considered as crypto-assets. However, this does not completely remove NFTs from falling within the scope of MiCA, with the following types of crypto-assets falling within its scope:

• fractional NFTs;
• NFTs issued in a large series/collection;
• crypto-assets that possess a sole NFT element as a unique identifier; and
• crypto-assets that, although unique and non-fungible, have de facto features linked to de facto uses making them fungible and/or not unique.

In a bid to ease the transition to MiCA, the MFSA issued a set of guidelines on NFTs. The guidelines identify numerous criteria that can assist stakeholders in determining whether their NFT and activities carried out in relation thereto might fall within the scope of the VFA framework or another financial services regulatory framework.

As an EU member state, Malta fully transposed the Payment Services Directive (EU) 2015/2366 (PSD2) into its legislation in August 2019. Said implementation did not trigger any obligation for a bank or financial institution already licensed by the MFSA as a home state regulator to provide payment services to seek any re-authorisation of these activities in terms of the passporting rights exercised by the operator prior to the implementation of these amendments. Nevertheless, despite banks taking the necessary steps to permit open banking by making their application programming interface (API) technologies available, the practical use of open banking in Malta remains limited.

The proposed PSD3 and Payment Services Regulation are expected to improve the functioning of open banking, by removing the remaining obstacles to providing open banking services and improving customers' control over their payment data, enabling new innovative services to enter the market.

The number of live and operative account information service providers (AISPs) or payment initiation service providers (PISPs) operating within Malta is small. Therefore, the effects of PSD2 are yet to be felt in Malta, from the perspective of banks coping with data privacy or data security concerns, or with practical concerns on a more generic basis.

While the MFSA’s role is to educate consumers about scams involving financial products and services, it is unable to investigate perpetrators as this role lies with the police. Nevertheless, the MFSA plays a substantial role in preventing harm to consumers from unauthorised activities. Indeed, as soon as the MFSA is aware of an unlicensed entity, it warns the general public to make sure they refrain from entering into any transactions or dealings with such entity.

In all instances, Maltese regulators are primarily concerned with consumer protection and thus most policies and initiatives are imposed with this overarching principle in mind.

One of the primary types of fraud on which regulators focus is cybersecurity and data breaches. This includes protecting customer data and ensuring secure transactions. Other main causes for concern include payment fraud, identity theft, phishing attacks and investment scams.