Fintech 2023

Last Updated March 23, 2023


Law and Practice


GTG Advocates is considered a local thought leader in the fintech sector, especially in relation to blockchain and virtual currencies (and technology law generally). The firm is mostly known for advising regulators and public bodies in the fintech sphere, being counsel to the government of Malta, the Malta Financial Services Authority (MFSA) and the Malta Digital Innovation Authority (MDIA). The firm is particularly known for having been instrumental in drafting Malta’s fintech legislation, as well as the various rule books, guidelines and consultations. It is also known for its expertise in regulatory matters, especially cryptocurrency exchange licensing and initial coin offerings, technology, telecommunications, IP and data protection law generally. Dr Ian Gauci, the firm’s managing partner, was also a member of the National Blockchain Taskforce and a founding member of the Blockchain Malta Association.

Malta has an innovative legal framework regulating the following, which remains one of the prominent legal models for those seeking the ideal jurisdiction from which to launch their project:

  • virtual currencies (defined as “virtual financial assets” or VFAs);
  • distributed ledger technologies (DLTs), including blockchains;
  • initial coin offerings (ICOs, referred to under the framework as “initial VFA offerings” or IVFAOs);
  • VFA-related service providers;
  • innovative technology arrangements (ITAs), such as smart contracts; and
  • innovative technology service providers (ITSPs).

Amendments to the Virtual Financial Assets Act

While the Malta Financial Services Authority (MFSA) has not introduced any further changes to the Virtual Financial Assets Act (Cap 590 of the Laws of Malta) (VFAA), it is currently working to align the current Maltese VFA framework with the upcoming EU Regulation on Markets in Crypto Assets (MiCA). This Regulation is intended to harmonise the regulation of virtual currencies across the EU, to ensure a common approach to virtual currencies and related service providers across member states. As MiCA’s provisions appear to be in line with the general thinking behind the VFAA, the MFSA expects a smooth transition for authorised issuers and VFA service providers under the VFAA.

Fintech Regulatory Sandbox

The MFSA had also previously launched the Fintech Regulatory Sandbox, allowing fintech operators to test their innovations within a regulatory environment for a specified period of time and under certain prescribed conditions. The sandbox is open to fintech service providers and fintech suppliers, accepting start-ups, technology firms and established financial services providers that approve of technologically enabled innovation in their business models, applications or products.


As the EU reached a provisional agreement on MiCA as part of the Digital Finance package in October 2022, issuers and service providers are currently awaiting the confirmed final text of the Regulation to ensure a clear way forward once MiCA comes into force.

As the Maltese VFA framework was based on MiFID, and MiCA has been drafted in this same spirit, the MFSA has noted that there are very few discrepancies between the VFAA and MiCA. Indeed, in certain instances the current Maltese regime was deemed to be more rigid than that which is proposed under MiCA. Since the impact of the regulation’s implementation is expected to be minimal, there is expected to be a smooth transition not just for the MFSA but also for licence holders under the VFAA.

The current prominent business models in the DLT sphere in Malta are virtual currency-related service providers, which are generally referred to as VFA service providers or financial service providers and deal in virtual currencies qualifying as financial instruments, IVFAOs, security token offerings (STOs) and investment funds set up to invest in DLT assets recognised as VFAs.

The introduction of the DLT framework, specifically the VFAA, brought in a legislative framework applicable to a specific class of virtual currencies qualifying as VFAs. This legislation addressed a lacuna under Maltese law, and has now placed Malta in a prominent position with the prospect of the implementation of the upcoming MiCA Regulation. On the basis of the experience gained over past years, and bearing in mind the similarities between the VFAA and MiCA, the MFSA expects that the transition to the new regime will be smooth and efficient.

Compliance With the MFSA

Under the VFAA, deciding whether a cryptocurrency can be considered a VFA is dependent on the result of the Financial Instrument Test devised by the MFSA, which can determine whether any DLT asset qualifies as a virtual token, a financial instrument, electronic money or a VFA. Following the result of the test, the DLT asset is then subject to the relevant rules, depending on its legal classification.

The MFSA is the local regulator responsible for applications under the VFAA and under the traditional financial services regime where this relates to virtual currencies qualifying as financial instruments.

VFA service providers

A person providing VFA services in or from Malta as defined under the Maltese regime needs to be licensed by the MFSA prior to conducting such activities and must also comply with the relevant rules and regulations.

Offering or trading of VFAs

Similarly, where a Maltese issuer under the same regime intends to offer a VFA to the public or admit it to trading on a DLT exchange, the issuer must register the white paper with the MFSA and comply with the relevant rules and regulations.

Services relating to virtual currencies that qualify as financial instruments

On the other hand, where a service provider is providing services in relation to virtual currencies that qualify as financial instruments, the service provider must obtain a licence under the traditional investment services regime that transposed Directive 2014/65 on Markets in Financial Instruments (commonly known as MiFID II) into Maltese law.

Collective investment scheme (CIS) investment in virtual currencies

CIS licensed in Malta can also be licensed to invest in virtual currencies through specific rules issued in this regard. In this respect, the MFSA has issued specific rules on professional investor funds set up to invest in DLT assets recognised as VFAs.

Offering a virtual currency as a financial instrument to the public

If a local issuer wishes to offer a virtual currency qualifying as a financial instrument to the public, the process is very much akin to that of an IPO and the prospectus must thus be prepared and filed with the relevant authority in line with the prospectus regulation.

Issuance of a financial instrument not qualifying as an offer to the public

Where the issuance of that financial instrument does not qualify as an offer to the public, then this issue is deemed to be exempt from the requirement to issue a prospectus. The MFSA is currently amending its existing security offering regulatory framework to cater more specifically for STOs.

Maltese law contains no disclosure requirements regarding compensation models that industry participants use to charge customers.

The VFAA has provided new and legacy players with specific requirements and limitations when conducting business in this sector. However, no distinction is made according to whether a player in this sphere is a new entrant or a legacy player. The Malta Gaming Authority (MGA) has also contributed in this area.

The MGA's Sandbox Regulatory Framework

The MGA launched a sandbox framework for the acceptance of cryptocurrencies and the use of DLTs by its licensees in 2019. The first phase of the framework established the possibility of authorised persons being allowed to accept VFAs as a means of payment. During the second phase, the MGA started accepting applications for the use of ITAs, including DLT platforms and smart contracts.

It is to be noted that gaming operators rendering a licensable VFA activity within the parameters of the VFA sandbox must acquire a licence from the MFSA before being able to render such services. In cases where the gaming operator does not acquire an MFSA licence and instead outsources the VFA-related services, the third-party service provider must be in possession of a VFA licence from the MFSA.

Participants must submit a legal opinion drafted by a VFA agent, and they must have control verifications in place for the purpose of verifying ownership of a player’s wallet and that, effectively, the wallet used does belong to the registered player.

In March 2021, the MGA published an update to the sandbox guidelines by primarily extending the framework to 31 December 2022. The updated guidelines also introduced changes to the criteria to be assessed by operators when accepting VFAs, as well as a clarification relating to additional safeguards that may be imposed by the MGA in order to grant approval to participate in the sandbox framework.

This sandbox was extended once more, to 28 February 2023.

While the MGA remains distinct from the MFSA and the Malta Digital Innovation Authority (MDIA), through the launch of the Sandbox regulatory framework it has delved, in a limited way, into the field of DLT assets by offering an environment for its licensees to accept and use DLT assets.

The Fintech Regulatory Sandbox

The MFSA launched its own Fintech Regulatory Sandbox in July 2020, allowing fintech operators to test their innovations within a regulatory environment for a specified period of time and under certain prescribed conditions. The sandbox is open to fintech service providers and fintech suppliers, accepting start-ups, technology firms and established financial services providers that approve of technologically enabled innovation in their business models, applications or products.

The regulatory sandbox is intended to target technologically enabled financial innovation that could result in new business models, applications, processes or products with an associated material effect on financial markets and the provision of financial services.

Since its launch, the sandbox has seen increased interest, with numerous proposals received with diverse innovative technologies for financial services, covering a range of investment service products, market infrastructures and regtech solutions.

The ITA Sandbox

In May 2021, the MDIA launched the Technology Assurance Sandbox (MDIA-TAS) to complement its ITA full certification framework. Its aim is to be a key utility for start-ups and smaller companies developing solutions based on innovative technologies, by providing a safe environment to develop their technological solutions. The MDIA-TAS aims to ensure that regulatory certainty can be given to ITAs developed by small entities and that a balance is reached between maintaining full certification and the adopted high-barrier entry approach, while addressing financial and technical barriers for smaller entities.

The sandbox framework is intended to guide applicants in the proper development of their solution within the lines of recognised international guidelines and standards, and other regulatory and legal obligations. Applicants are guided for a maximum period of two years, with the end result of being in a position to obtain full MDIA certification.

To participate in the MDIA-TAS, applicants must prove to the authority that their ITA has a reasonable element of substance relevant to Malta, either by proving that the development of the ITA will be carried out in Malta or that its operations will be carried out in or from Malta.


The MFSA is the primary regulator for entities engaging in VFA-related services, and its jurisdiction over industry participants is highly dependent on the nature of the services being offered. With respect to ICOs or IVFAOs, no issuer will offer a VFA to the public in or from within Malta, nor apply for a VFA’s admission to trading on a DLT exchange, unless the issuer draws up and registers a white paper in accordance with the VFAA. The MFSA’s jurisdiction in this regard therefore ends once the white paper is registered. However, the role of the VFA agent, who is ultimately answerable to the MFSA, remains in force until the issuer has met all the milestones listed in the white paper.

Furthermore, no entity will provide, or hold itself out as providing, a VFA service in or from within Malta without being in possession of a valid licence. The entity will then be subject to supervision and oversight from such authority until such licence is surrendered.

The Financial Intelligence Analysis Unit (FIAU)

VFA-related services are deemed to be “relevant activity” in terms of Malta’s anti-money laundering and combating the funding of terrorism (AML/CFT) legislative and regulatory framework. This factor therefore brings VFA service providers into the purview of the FIAU, which is the government agency tasked with the collection, collation, processing, analysis and dissemination of information with a view to combating money laundering and the funding of terrorism. The FIAU is also responsible for monitoring compliance with the relevant legislative provisions, so its remit is restricted to compliance with the AML/CFT legislative and regulatory framework.


The MDIA, on the other hand, has a mandate to regulate innovative technology arrangements such as smart contracts and ITSPs. The role of the MDIA can be distinguished from that of the MFSA, with the latter remaining the primary authority issuing licences and authorisations for service providers and public offerings of DLT assets. However, where a Maltese issuer wishes to offer a VFA to the public and is required to register the white paper with the MFSA, the innovative technology arrangement must be audited by a qualified systems auditor that is authorised and supervised by the MDIA.


As previously mentioned (see 2.5 Regulatory Sandbox), the MGA also offers a platform for its existing licensed entities to use DLT assets in their operations.

An updated policy on DLTs by authorised persons was issued in January 2023, explaining the requirements and instances for application to the MGA. Regulating the inclusion of DLT assets, ITAs and smart contracts, this policy fully strengthens the role of DLT in the gaming sphere.

Gaming operators will require prior approval from the MGA before accepting DLT assets. Furthermore, in regard to VFAs, MGA approval will be required when:

  • a deposit is initiated by the payer in VFAs and received by the operator in VFAs;
  • a deposit is initiated by the player in VFAs and received by the operator in fiat; or
  • a deposit is initiated by the player in fiat and received by the operator in VFAs.

The policy also established a system for VFA exchange rates, stating that the rate to be used is that as at midnight (Central European Time) on the last day of the reporting month, in order to reduce the issue of fluctuating rates faced by VFAs worldwide.

The MFSA Rules

The rules issued by the MFSA for VFA service providers require them to ensure that, when relying on a third party for the performance of any operational function, they must take reasonable steps to avoid undue additional operational risk through the provision of a continuous and satisfactory service to clients and the performance of VFA services on a continuous and satisfactory basis.

Obligations of the Licence Holder

The outsourcing of important operational functions may not materially impair the quality of the provider’s internal control and the ability of the supervisory body to monitor the licensee’s compliance with all its obligations. Indeed, the licence holder remains fully responsible for discharging all its obligations and properly managing the risks associated with outsourcing. The outsourcing arrangements may not result in the delegation of the licensee’s senior management responsibility.

The licence holder must thus carry out an ongoing assessment of the operational risks and the concentration risk associated with all its outsourcing arrangements, and it must inform the MFSA of any material developments.

The outsourcing arrangement must be based on a formal, clear, written contract that establishes the respective rights and obligations of the licence holder and the service provider.

However, a licence holder may not outsource management functions such as the setting of strategies and policies in respect of its risk profile and control, the oversight of the operation of its processes and the final responsibility towards customers. Outsourcing services and activities concerning licensable activities are also subject to the satisfaction of certain specific criteria.

Licence holders must inform the MFSA of any material outsourcing arrangements and keep the authority updated with any material developments affecting these activities. In turn, the MFSA may impose specific conditions on the licensee.

Powers of the Minister and the MFSA

The VFAA, its regulations and rule books empower the minister responsible for the regulation of financial services and the MFSA to protect investors’ interests, while also overseeing the orderly transaction of business, primarily that of IVFAOs and VFA service providers.

Licensees under the VFAA are deemed to be subject persons for AML purposes in terms of the AML/CFT rules. To that end, licensees are required to conduct AML/CFT checks on all users on their platforms and all persons making use of their services. This has also been extended to those entities performing an ICO or IVFAO in terms of the VFAA.

On 31 January 2023, the FIAU published an administrative measure against two entities, one of which is licensed as a Class 3 VFA Services Provider, and the other is authorised as a Class 4 VFA Services Provider. The administrative penalties amounted to EUR242,243 and EUR220,992 respectively, due to multiple breaches of the Prevention of Money Laundering and Financing of Terrorism Regulations, including:

  • improper business risk assessment;
  • improper customer risk assessment;
  • improper collection of information regarding wallet addresses;
  • shortcomings in enhanced due diligence; and
  • failures in transaction scrutiny.

Powers of the MFSA

However, the VFAA stipulates that the MFSA has the power to unilaterally impose decisions on any issuer of an IVFAO and on any VFA agent or VFA service provider. The authority is empowered to:

  • request information from any person;
  • order the review of the determination of a DLT asset and submit this determination to a test;
  • appoint inspectors to investigate and report on the activities of an issuer, VFA agent or VFA service provider;
  • order an issuer or service provider to cease operations or appoint a person to advise them, take charge of their assets, or even control their business;
  • order the suspension or the discontinuation of the trading of a VFA; and
  • impose administrative penalties.

Liability of VFA Issuers

Issuers of VFAs are liable for damages sustained by a person as a direct consequence of such person having bought VFAs, either as part of an IVFAO by the issuer or on a DLT exchange, on the basis of any false information contained in a white paper, on a website or in an advertisement. A statement included in a white paper, on a website or in an advertisement is deemed to be untrue if it is misleading or otherwise inaccurate or inconsistent, either wilfully or as a consequence of gross negligence, in the form and context in which it is included.


Whenever a VFA licence holder breaches or contravenes the VFAA regulations or rules, including through a failure to co-operate in an investigation, the MFSA may impose an administrative penalty of up to EUR150,000 by notice in writing and without recourse to a court hearing.


Any such actions made by the MFSA are subject to appeal in front of the Financial Services Tribunal.

Cybersecurity Rules

Specific cybersecurity rules have been issued under the VFAA for issuers and VFA service providers. The rules stipulate that issuers are required to adopt a cybersecurity framework depending on the nature, scale and complexity of their business. The framework must be firmly in line with international and European cybersecurity standards, and must include the following:

  • a business continuity plan;
  • an access management policy;
  • a list of information and data security roles and responsibilities; and
  • a threats management plan.

From an EU perspective, the Digital Operational Resilience Act (DORA) was published at the end of 2022, strengthening cybersecurity regulations within the EU. The coming into force of this regulation is expected to have a great effect on the financial services and fintech industry, as it will push licensed entities and their management – who retain ultimate responsibility – to understand fully how their ICT, operational resilience, cyber and third-party risk management practices impact the resilience of their critical functions and to develop operational resilience capabilities. DORA shall be fully enforceable at the end of a 24-month implementation period.

AML Directives and Rules

As stated in 2.8 Gatekeeper Liability, VFA-related activity must also comply with EU AML directives and with the local AML rules. It is important to note that, owing to the limited nature of VFAs, issuers of VFAs making a private offer (ie, an offer of VFAs that is not deemed to be an offer to the public) are not deemed to be subject persons as they are not regarded as posing a large money laundering or funding of terrorism risk.

General Data Protection Regulation

With respect to privacy law implications, Malta is subject to the General Data Protection Regulation and the general considerations thereunder. Data protection considerations need to be taken into account by a systems auditor when auditing an ITA.

Advertising Restrictions

Furthermore, the VFAA imposes certain advertising restrictions when it comes to issuing a VFA or admitting it to trading on an exchange, which are primarily intended to protect retail investors, regardless of the type of media used. Advertisements must be clearly identifiable as such, and the information contained therein may not be inaccurate or misleading. For issuers of VFAs, the information must be consistent with the contents of the white paper. Issuers may in fact be held liable for civil damages sustained by a person as a direct consequence of that person having bought a VFA on the basis of untrue information advertised (the term “untrue” is deemed to refer to information that is misleading or otherwise inaccurate or inconsistent).

VFA Agent

The VFAA has introduced the role of an intermediary, referred to as the VFA agent, who will act as a liaison between the MFSA and an applicant for a VFA services licence or a VFA issuer. The VFA agent must be:

  • a person who is authorised to carry on the profession of advocate, accountant or auditor;
  • a firm of such professionals or a corporate services provider; or
  • a legal organisation that is wholly owned and controlled by such persons.

The VFA agent must confirm that the issuer or the VFA services licence applicant (including its officers and ultimate beneficial owners) is competent in that field, as well as fit and proper. For IVFAOs in particular, the VFA agent is also responsible for ensuring that the DLT asset qualifies as a VFA and that the white paper is compliant with the requirements of the act.

While a certain level of competence and experience in the field is required by the MFSA, particularly given the relative novelty of operating in the DLT sphere, no distinction is made in terms of whether a player is either a new entrant or a legacy player.

Systems auditors that are registered with the MDIA are required to abide by the relevant rules and guidelines issued by the MDIA.

When a DLT asset is classified as a virtual token (VT), its issuance and related services remain unregulated under Maltese law. VTs are limited in their nature and have no value outside the DLT platform on which they operate, and are not exchangeable on third-party platforms.

A VT may be offered through the same entity that offers VFAs or security tokens, given that the offering of VTs is unregulated. Furthermore, VTs are not deemed to be a big AML risk, and offerors of VTs are thus not considered to be “subject persons” under the AML/CFT rules.

On the basis of Malta's experience as a corporate and financial centre, the Maltese regulator sought to implement AML rules throughout the fintech sector even before the EU’s 5th AML Directive came into force.

While certain companies operating in the fintech sphere were already deemed to be subject persons under local legislation, upon the coming into force of the VFAA the regulator also sought to extend the definition of “subject person” to capture VFAs and the operations of VFA service providers, VFA agents and issuers of VFAs. This was further supplemented by specific implementing procedures issued by the local AML authority, the FIAU, which set out specific additional AML rules to regulate such entities.

This was intended not only to provide a proper AML framework for issuing or offering services in relation to virtual currencies but also to ensure that Maltese AML laws remain abreast of ever-evolving technologies and the ways in which such technologies could be used for money laundering and the funding of terrorism.

This has also meant that operators seeking to operate in or from Malta are required to adhere to such rules, backed by the experience gained by the local regulator over past years. Although fintech start-ups need to consider the costs they have to bear in order to be compliant with Maltese and EU AML laws, the rules are ultimately intended to safeguard the subject persons themselves from being used as a vehicle for money laundering and the financing of terrorism.

Unregulated entities are not typically captured by such AML rules but are nevertheless encouraged to keep abreast of changes to such rules.

The MFSA has yet to issue tailor-made rules regulating robo-advisers. However, the European Securities and Markets Authority (ESMA) has issued guidelines on certain aspects of the MiFID II suitability requirements, which define the concept of robo-advice and provide further clarity on the information to be provided to clients when making use of robo-advice. It appears that the provision of robo-advice may be deemed a licensable activity, like the provision of traditional investment advice under the Investment Services Act, Cap 370 of the Laws of Malta (ISA).

Furthermore, in October 2021, the European Commission requested advice from ESMA on preparing a legislative proposal in relation to several focused areas, including robo-advisers. A final report was provided by ESMA on 29 April 2022, with a specific section detailing the effects of robo-advisers. Acknowledging the risks posed by robo-advisers for investors (including limited access to information due to limited human interaction), ESMA analysed the advantages and disadvantages posed by such systems through a call for evidence. Robo-advisory services have not taken off in the EU due to barriers on investor reliance on human interaction and the cost of implementation. Furthermore, while investors may be more honest without the human element (as they do not feel judged), impulsivity and biased choices are heightened due to the faster access.

As a result of such report, ESMA found that the current regulatory framework is appropriate due to the limited growth and lack of significant evolution, with no need for specific provisions addressing robo-advisers.

Companies exploring the use of robo-advisory services may also benefit from the MFSA’s Fintech Regulatory Sandbox (see 2.5 Regulatory Sandbox).

No information is available in this jurisdiction on legacy players' implementation of solutions introduced by robo-advisers.

No information is available in this jurisdiction on best execution of customer trades.

Online lending remains uncommon in Malta, with more traditional forms of lending being used. The Maltese lending market continues to be dominated by retail banks, which adopt a risk-averse approach to transactions.

The regulation of lending occurs without distinction as to the recipient of the loan.

The act of regular or habitual lending is regulated and requires a licence from the MFSA under the Financial Institutions Act (Cap 376 of the Laws of Malta) (FIA). However, if the activity includes financing from consumer deposit-taking, a licence under the Banking Act (Cap 371 of the Laws of Malta) (BA) would be required.

It should also be noted that underwriting processes for online lenders are not dictated by law.

Peer-to-peer (P2P) online lending is not specifically regulated under Maltese law and, to date, there are no tailor-made regulatory requirements for P2P lending platforms. However, P2P lending platforms should still consider whether their specific activities trigger licensing requirements under the generic financial services framework, particularly the FIA, and in this respect, among others, it should be noted that a money-broking activity would be deemed to be a licensable activity.

P2P platform users who act as lenders within the platform may be deemed to be carrying out a regulated activity if they engage in lending on a regular or habitual basis.

Due to the limited adaptability of online lending in Malta, the syndication of such loans is very rare.

Payment processors are licensable in Malta under the FIA. Following recent changes to the VFAA, the transfer of VFAs is also captured as a VFA service. This covers the service of conducting a transaction on behalf of a third party that moves a VFA from one VFA address or account to another.

There is no prohibition on payment processors creating or implementing new payments rails, or payments infrastructure generally, but this is not common in practice.

There is no information available in this jurisdiction.

Fund administrators do not require a licence under Maltese law but any person wishing to provide fund administration services to a CIS in or from within Malta needs to obtain a certificate of recognition from the MFSA. This applies regardless of whether the fund administrator is appointed by the fund itself or by the fund manager.

Certified fund administrators are required to carry out any business relating to a CIS through a written agreement setting out the basis on which such services are to be provided. This agreement with the scheme or its manager should include the following:

  • whether the administrator is appointed by the scheme or its manager;
  • the nature of the services to be provided by the administrator;
  • information on the charges to be paid by the customer;
  • the fact that the administrator is recognised by the MFSA; and
  • arrangements to bring the agreement to an end.

Furthermore, the administrator is required to determine the net asset value of the scheme in accordance with the constitutional documents or prospectus of the scheme. The requirements imposed on recognised fund administrators are intended to provide clarity and assurance on the administrator’s operations.

Traditional Financial Services

Under the traditional financial services regime in Malta, the major trading platforms for assets are regulated markets (the sole regulated market in Malta is the Malta Stock Exchange, or MSE), multilateral trading facilities (MTFs) and organised trading facilities (OTFs). In Malta, the Prospects Market is an example of an MTF providing a market for SMEs to raise capital by issuing equity or bonds. These types of exchanges are primarily regulated under the Financial Markets Act and relevant EU regulations. Issuers on such platforms are required to abide by the relevant rules – eg, issuers on the MSE are required to abide by the Listing Rules, whereas those listing on the Prospects Market are required to abide by the Prospects MTF Rules.

Virtual Currencies

However, the introduction of virtual currencies has led to the rise of new trading platforms, such as VFA exchanges and security token exchanges, and this has also brought to light the rise of P2P exchanges.

In the virtual currency sphere, trading platforms depend on the legal classification of a DLT asset. If a DLT asset is deemed to be a virtual token, it cannot be exchanged on a third-party trading platform as its non-tradability is one of the essential features of this type of DLT asset. Where a DLT asset qualifies as a VFA, the VFA regime has created the concept of a VFA exchange, where DLT assets qualifying as VFAs can be admitted for trading.

On the other hand, if the DLT asset qualifies as a financial instrument, such as a security token, then it may not be traded on a VFA exchange and instead must be traded on a trading platform, such as an MTF.

Prior to admitting a VFA to listing, a VFA exchange is required to carry out appropriate research to assess the quality of the VFA, taking the following factors into consideration:

  • the technological experience, track record and reputation of the issuer and its development team;
  • the issuer’s AML/CFT and cybersecurity systems and controls;
  • the availability of a reliable multi-signature hardware wallet solution for the asset;
  • the determination of the VFA in accordance with the Financial Instrument Test and the endorsement thereof;
  • the protocol and the underlying infrastructure, including whether it:
    1. is a separate blockchain with a new architecture system and network, or if it leverages an existing blockchain for synergies and network effects;
    2. is scalable, new and/or innovative; or
    3. has an innovative use or application;
  • the relevant consensus protocol;
  • the systems auditor’s report on the issuer’s ITA, including any reservations that may have been expressed;
  • developments in markets in which the issuer operates;
  • the geographic distribution of the VFA and the relevant trading pairs, if any;
  • the completeness and reliability of information included on the project website and/or in the white paper, including whether an ethical or professional code of conduct exists;
  • whether the VFA has any inbuilt anonymisation functions;
  • whether the VFA has used or was used with any smurfing technology or mixers, or has been traded, or is traded on any dark-net marketplace(s);
  • whether the VFA is or has been traded on any sidechains;
  • whether the VFA has an inbuilt mechanism that caters for settlement failure, such as a resolution mechanism;
  • whether the VFA is traded on any other DLT exchanges; and
  • whether the VFA has social media information, including an official website, Telegram and/or Twitter account and Facebook page.

Furthermore, the exchange may not admit a VFA to trading if it has an inbuilt anonymisation function, unless the holder of the VFA can be identified.

The VFAA produced the Financial Instrument Test, which helps to assess whether a DLT asset qualifies as a VT, a financial instrument, electronic money or a VFA.

Where a DLT asset qualifies as a VT, its offering is not regulated under Maltese law, but the issuing of VFAs and the offering of services in relation to VFAs are regulated under the VFAA.

On the other hand, the issuing and offering of services in relation to financial instruments and electronic money are primarily regulated under MiFID II and the Electronic Money Directive, both as transposed under Maltese law.

The passing of the VFAA and the establishment of supplementary regulations, rules and guidelines have promoted Malta as one of the first countries to have regulated cryptocurrency exchanges and other cryptocurrency-related services.

The VFAA regulates VFA exchanges – ie, exchanges that list and trade DLT assets that are classified as VFAs in terms of the Financial Instrument Test. See 7.1 Permissible Trading Platforms for additional information on the regulation of VFA exchanges.

Issuers of VFAs listing on VFA exchanges are required to abide by the listing rules adopted by each respective VFA exchange.

Issuers of traditional financial instruments (eg, equity securities or debt securities) listing on the MSE are required to abide by the Listing Rules, whereas those listing on the Prospects Market are required to abide by the Prospects MTF Rules.

When VFA licence holders handle client orders, they are required to implement procedures and arrangements that seek to provide an expeditious execution of such orders. There are also obligations imposed on licence holders not to misuse information relating to pending client orders, and to take all reasonable steps to prevent the misuse of such information. Furthermore, licence holders may not carry out client orders for their own account in aggregation with another client order, unless certain conditions are met.

The increase in cryptocurrency exchanges has highlighted the advantages of P2P trading platforms. While this has not impacted the regulation of traditional trading platforms, the regulator has sought to cater for such platforms through the enactment of the VFAA.

When executing orders, VFA licence holders are required to take all necessary steps to obtain the best possible result for their clients, taking into account the best execution factors of price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order. Licence holders must also check the fairness of the proposed price by collecting market data used in the estimation of the price of such VFA and by comparing it with similar VFAs.

Experienced Investors

If there are specific instructions from clients, the licence holder is required to follow such instructions when executing the order. A licence holder is deemed to have satisfied its obligations in terms of the rules to the extent that it executes an order, or a specific aspect of an order, following specific instructions from a client relating to the order or a specific aspect of the order.

Non-experienced Investors

With respect to non-experienced VFA investors, a clear and prominent warning must be provided by licence holders, stating that any instructions from such clients may prevent the steps specified in the execution policy to obtain the best possible result for the execution of those orders in respect of the elements covered by those instructions. When considering the execution of orders for non-experienced investors, licence holders must also consider other factors in order to determine the best possible result, such as the total consideration and the costs relating to execution.

There is no information available in this jurisdiction.

Marketplaces, exchanges and trading platforms are required to abide by the principles of the Market Abuse Regulation, which aims to prevent and detect market abuse, market manipulation and insider dealing.

These principles have also been enshrined in Malta’s VFA framework, and VFA service providers are required to have systems and procedures in place to identify and curb market abuse.

Furthermore, issuers on the MSE are required to abide by the Listing Rules, whereas those listing on the Prospects Market are required to abide by the Prospects MTF Rules. Both of these sets of rules include specific provisions on inside information and fair disclosure of information to the market.

Algorithmic trading and high-frequency trading are regulated in Malta under MiFID II. Any person licensed under the ISA whose head office is in Malta and who is entitled to carry out an activity in an EU or EEA state other than Malta, in exercise of a European right, must have the following procedures in place:

  • effective systems and risk controls suitable to the business it operates, to ensure that its trading systems are resilient and have sufficient capacity, are subject to appropriate trading thresholds and limits, and prevent the sending of erroneous orders or the malfunctioning of systems in a way that may create or contribute to a disorderly market;
  • effective systems and risk controls to ensure the trading systems cannot be used for any purpose that is contrary to Market Abuse Regulation (EU) 596/2014 (MAR) or the rules of the trading venue to which it is connected; and
  • effective business continuity arrangements to deal with any failure of its trading systems, to which end it must ensure that its systems are fully tested and properly monitored, and meet the requirements laid down in the relevant regulations.

Firms engaging in algorithmic trading in Malta or another EU or EEA state must notify their competent authority and the European regulatory authority of the trading venue at which the firm engages in algorithmic trading as a member or participant, where this is not established in Malta.

Firms that engage in algorithmic trading and high-frequency trading must also keep sufficient records and make these available to the MFSA.

It is also important to note that a person dealing on their own account who does not provide any other investment services is exempt from the need for an investment services licence. This exemption applies unless such person is a market maker or deals on their own account outside a regulated market or a multilateral trading facility on an organised, frequent and systematic basis by providing a system accessible to third parties in order to engage in dealings with them.

The rules refer to firms that engage in algorithmic trading and high-frequency algorithmic trading on a trading venue, which includes regulated markets, MTFs and OTFs.

Investment Firms That Engage in Algorithmic Trading to Pursue a Market-Making Strategy

A Maltese investment firm that engages in algorithmic trading to pursue a market-making strategy must take into account the liquidity, scale and nature of the specific market, and the characteristics of the instruments traded.

The firm is considered to be pursuing a market-making strategy when, as a member of or participant inf one or more trading venues, its strategy (when dealing on its own account) involves posting firm, simultaneous two-way quotes of comparable size and at competitive prices relating to one or more financial instruments on a single trading venue or across different trading venues, with the result of providing liquidity on a regular and frequent basis to the overall market.

Investment Firms That Act as a General Clearing Member

A Maltese investment firm that acts as a general clearing member for other persons must have effective systems and controls in place to ensure clearing services are only applied to persons who are suitable and meet clear criteria, and that appropriate requirements are imposed on those persons to reduce risks to the investment firm itself and to the market.

The firm must also ensure that there is a binding written agreement between the firm and the person regarding the essential rights and obligations arising from the provision of that service.

There is no information available in this jurisdiction.

There is no information available in this jurisdiction.

MiFID II was transposed into Maltese legislation via the ISA. Any firm falling within the scope of MiFID II is bound by requirements that are harmonised at EU level, such as not inducing clients to trade by methods involving the bundling of research and the obligation of providing unbundled costs separately identifying and charging for execution, research and other advisory services. There is also an obligation for investment firms to make explicit payments for research, and to be able to show that research contributes to better investment decisions and is therefore not an inducement.

The following services are also regulated activities:

  • offering an approved publication arrangement (the service of publishing trade reports on behalf of investment firms);
  • offering an approved reporting mechanism (the service of reporting details of transactions to competent authorities); and
  • offering a consolidated tape provider (the service of collecting trade reports for financial instruments from various markets and consolidating the same into a continuous electronic live data stream providing price and volume data per financial instrument).

In terms of MiFID II, investment research and financial analysis or other forms of recommendations are considered “ancillary services”. It is worth noting that no authorisation may be granted solely for the provision of ancillary services. Naturally, if the financial research platform also provides transactions in investment products or financial instruments, then this would be deemed to amount to a regulated activity.

In this aspect, it is worth referring to the MAR and the Market Abuse Directive (EU) 2014/57, which have been transposed in Malta. When speculation and market rumours begin to spread, an issuer is obliged to assess whether a public disclosure of inside information is necessary.

Further obligations in this regard also emanate from the Shareholder Rights Directive and the Transparency Directive, which also stipulate further standards of disclosure.

Generally speaking, other than in the context of MiFID II, in Malta there are no ad hoc provisions specific to the regulation of software or technology used for the purposes of financial research, and it must be highlighted that Maltese laws are technology-neutral, except for some elements of the DLT framework.

The curation of user postings may expose a platform to liability if certain conditions are met, leading the platform to be deemed a publisher of such content by extension. There is a duty to report suspicious or unlawful behaviour, such as market manipulation and pump-and-dump schemes, in respect of any person who arranges or executes transactions.

In Malta, underwriting processes are carried out directly with the insurance company itself or through a broker, a tied insurance intermediary or an insurance agent. Such processes are subject to the relevant Maltese insurance legislation and MFSA rules, in line with EU legislation.

Long-term insurance, such as life insurance, is regulated in a different manner to other insurance classes, primarily due to insolvency issues and the higher degree of knowledge required by those engaging in this type of insurance business. However, there is no distinction between the treatment of the different insurance classes by industry participants.

The regulation of regtech providers is dependent on the nature of their activities. It must be noted that Maltese laws in this respect apply in a technology-neutral manner (bar some exceptions in relation to DLTs). It is therefore the activity of the regtech provider that triggers regulatory implications and not the specific technologies used.

Furthermore, if a regtech provider utilises an ITA as defined by the Innovative Technology Arrangements and Services Act, Cap 592 of the Laws of Malta (ITASA), then the regtech provider may submit the ITA for recognition by the MDIA.

There is no information available in this jurisdiction.

While local banks have been cautious in their approach to implementing the use of DLT in their current systems, the Malta Business Registry (MBR), which is responsible for the registration of commercial partnerships and companies in Malta, is expected to roll out its online system operating on the blockchain.

The development of the new system is intended to overhaul the registry’s data scheme to allow for a more accurate and efficient representation of all companies and parties involved.

Malta’s DLT framework came into effect in 2018 and addresses VFAs, DLTs, IVFAOs, ITAs and ITSPs.

In summary, the DLT regulatory framework consists of the following pieces of legislation (each substantiated by various rules, guidelines and subsidiary legislation):

  • the VFAA, which establishes regulations in relation to IVFAOs, VFAs and related service providers;
  • the Malta Digital Innovation Authority Act, Cap 591 of the Laws of Malta, which set up the MDIA, which is the Maltese authority primarily responsible for promoting digital innovation; and
  • the ITASA, which provides for certification by the MDIA of ITAs and authorisations for innovative technology service providers.

As stated in 2.2 Regulatory Regime, the classification of an asset as a VFA is dependent on the result of the Financial Instrument Test devised by the MFSA, which can determine whether a DLT asset qualifies as a VT, a financial instrument, electronic money or a VFA. Following the result of the test, the DLT asset is then subject to the relevant rules depending on its legal classification.

If the asset in question qualifies as a VFA, any person that conducts any of the following activities in or from within Malta in relation to VFAs requires a licence from the MFSA:

  • the receipt and transmission of orders;
  • the execution of orders on behalf of other persons;
  • dealing on own account;
  • portfolio management;
  • custodian or nominee services (of VFAs including cryptographic keys);
  • investment advice;
  • the placing of VFAs;
  • the operation of a VFA exchange; and
  • the transfer of VFAs.

If a DLT asset is deemed to be a VFA under the terms of the Financial Instrument Test, then the issue of the VFA as an offer to the public is regulated in terms of the VFAA. The issuer of the IVFAO is required to draw up and register the white paper with the MFSA prior to the launch of the IVFAO.

On the other hand, if the Financial Instrument Test determines the DLT asset to be a financial instrument, then this is regulated under the traditional financial services legislation. The issue of a DLT financial instrument as an offer to the public is regulated in terms of the Prospectus Regulation, and the prospectus must be approved by the MFSA prior to issue.

The VFAA defines a DLT exchange as any trading and/or exchange platform or facility on which any form of DLT asset may be transacted. A DLT asset is any VT, VFA, electronic money or financial instrument that is intrinsically dependent on or utilises DLT.

The term “VFA exchange” refers to a DLT exchange for VFAs, within which multiple third-party buying and selling interests for VFAs can interact in a manner that results in a contract, by exchanging one VFA for another or a VFA for fiat currency that is legal tender, or vice versa. Therefore, exchanges on which only financial instruments are traded are not licensable in terms of the VFAA but fall within the remit of the ISA.

The operation of a VFA exchange is one of the VFA services for which a person would need a licence from the MFSA, as outlined in the VFAA.

CIS wishing to invest in VFAs do not require an additional licence for this purpose, although CIS are expected to comply with some VFA-specific supplementary conditions on an ongoing basis.

At the time of writing, only professional investor funds (PIFs) are permitted to invest in VFAs. Nevertheless, it should be noted that the MFSA has been considering whether to permit alternative investment funds (AIFs) and notified alternative investment funds (NAIFs) to invest in VFAs by extending the supplementary conditions that apply to PIFs to cover AIFs and NAIFs.

See 2.2 Regulatory Regime.

Discussions have recently arisen on the concept of decentralised finance (DeFi), calling for public awareness of the possible major changes that can be brought about by decentralised blockchain platforms, such as decentralised applications (dApps). The subject warrants further insight into the risks and liabilities such platforms may carry, such as avoiding centralised control, which could be abused to the detriment of consumers.

However, much more research is required in order to implement a legal framework for such an innovation. The upcoming MiCA Regulation has failed to implement rules applicable to DeFi; however, in October 2022 the European Commission published a report that discusses the need to adapt existing policy frameworks to account for the changes brought about by DeFi by evaluating the positive role that appropriate public policies can have on the development of the DeFi ecosystem and its contribution to the economy.

It is worth mentioning that the Founders Bank Project is currently in the process of applying for a banking licence. If approved, this will be the first licensed decentralised bank in Malta owned by virtual currency investors.

Maltese law does not define or specifically refer to NFTs or the use of NFT platforms. However, the VFAA does refer to DLT assets, which may be determined to be either a VT, a financial instrument, electronic money or a VFA. This classification is determined after conducting the Financial Instrument Test (see 12.3 Classification of Blockchain Assets).

MiCA's definition of “crypto-assets” as “a digital representation of a value or a right which may be transferred and stored electronically, using distributed ledger technology or similar technology”, excludes NFTs from being considered as crypto-assets. However, this does not completely remove NFTs from falling within the scope of MiCA, with the following types of crypto-assets falling within its scope:

  • fractional NFTs;
  • NFTs issued in a large series/collection;
  • crypto-assets that possess a sole NFT element as a unique identifier; and
  • crypto-assets that, although unique and non-fungible, have de facto features linked to de facto uses making them fungible and/or not unique.

In the spirit of what is being proposed under MiCA, the MFSA has issued a public consultation aimed at determining stakeholders’ opinions on the proper regulation of NFTs – with the same core element of examining the non-fungible nature and uniqueness of the DLT asset.

As an EU member state, Malta fully transposed the Payment Services Directive (EU) 2015/2366 (PSD2) into its legislation in August 2019.

The implementation of PSD2 into Maltese law did not trigger any obligation for a bank or financial institution already licensed by the MFSA as a home state regulator to provide payment services to seek any re-authorisation of these activities in terms of the passporting rights exercised by the operator prior to the implementation of these amendments.

Nevertheless, despite banks taking the necessary steps to permit open banking by making their application programming interface (API) technologies available, the practical use of open banking in Malta remains limited.

The number of live and operative account information service providers (AISPs) or payment initiation service providers (PISPs) operating within Malta is small.

Therefore, the effects of PSD2 are yet to be felt in Malta, from the perspective of banks coping with data privacy or data security concerns, or practical concerns on a more generic basis.

GTG Advocates

66 Old Bakery Street
Valletta VLT 1454

+356 2124 2713
Author Business Card

Law and Practice


GTG Advocates is considered a local thought leader in the fintech sector, especially in relation to blockchain and virtual currencies (and technology law generally). The firm is mostly known for advising regulators and public bodies in the fintech sphere, being counsel to the government of Malta, the Malta Financial Services Authority (MFSA) and the Malta Digital Innovation Authority (MDIA). The firm is particularly known for having been instrumental in drafting Malta’s fintech legislation, as well as the various rule books, guidelines and consultations. It is also known for its expertise in regulatory matters, especially cryptocurrency exchange licensing and initial coin offerings, technology, telecommunications, IP and data protection law generally. Dr Ian Gauci, the firm’s managing partner, was also a member of the National Blockchain Taskforce and a founding member of the Blockchain Malta Association.

Compare law and practice by selecting locations and topic(s)


Select Topic(s)

loading ...

Please select at least one chapter and one topic to use the compare functionality.