EU Markets in Crypto-Assets Regulation

In 2024, the EU Markets in Crypto-Assets Regulation (MiCA) entered in force in two tranches. The first part relating to electronic money tokens (EMTs) and asset-referenced tokens (ARTs) entered into force on 30 June 2024, while the remainder of MiCA entered into force on 30 December 2024.

As a result of MiCA’s coming into force, the Virtual Financial Assets Act (VFAA) is no longer applicable, except in relation to those issuers and service providers that were authorised by the Malta Financial Services Authority (MFSA) before 30 December 2024, and will be fully repealed on 3 July 2026.

Digital Operational Resilience Act

Another very significant piece of legislation is the Digital Operational Resilience Act (DORA), which came into force in January 2023 and became applicable from 17 January 2025. DORA sets uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties that provide ICT-related services to them, such as cloud platforms or data analytics services.

Network and Information Security Directive

Ancillary to DORA is the Network and Information Security Directive (NIS2), which aims to establish a higher level of cybersecurity and resilience within EU organisations. This new Directive updates the original NIS Directive of 2016, which was the EU’s first legislation on cybersecurity. It enhances the cybersecurity resilience of critical sectors across the EU by expanding its scope, strengthening security requirements and improving incident response co-ordination. The deadline to transpose NIS2 into national law was 17 October 2024.

Cyber Resilience Act

The Cyber Resilience Act is an EU regulation aimed at enhancing the cybersecurity of products with digital elements, ensuring they are secure throughout their lifecycle. It places the responsibility on manufacturers to ensure that such products meet stringent cybersecurity standards before they can be marketed within the EU. It entered into force in January 2024 and will become fully applicable within 36 months thereof.

Critical Entities Resilience Directive

The Critical Entities Resilience Directive on the other hand is an EU-wide framework designed to enhance the resilience of critical infrastructure against physical and cyber threats. It replaces the European Critical Infrastructure Directive (2008) and expands the scope to cover more sectors and risks. It entered into force in January 2023, and member states will have to identify the critical entities for the sectors set out in the Directive by 17 July 2026.

EU AI Act

The AI Act aims to foster responsible artificial intelligence development and deployment in the EU by introducing a uniform framework across all EU countries, based on a forward-looking definition of AI and a risk-based approach. It provides developers and deployers with clear requirements and obligations regarding specific uses of AI while reducing administrative and financial burdens for businesses. It entered into force on 1 August 2024, and most of its provisions will apply after a two-year implementation period.

The current prominent business models in the DLT sphere in Malta are:

• crypto-asset service providers (CASPs) or financial service providers that deal in crypto-assets qualifying as financial instruments in terms of MiFID;
• crypto-asset issuers;
• security token offerings; and
• investment funds set up to invest in crypto-assets.

With the full implementation of MiCA, the presence of these players is expected to continue to increase.

Malta is also an attractive jurisdiction for financial institutions, most notably electronic money institutions (EMIs), having been one of the first EU jurisdictions to launch a specific regulatory regime for standalone EMIs.

As of 30 December 2024, the issuance of crypto-assets and the provision of crypto-asset services in the EU is regulated by MiCA, which also regulates the issuance of electronic money tokens (EMTs) and asset-referenced tokens (ARTs).

On the other hand, payment services providers (PSPs) and EMIs are regulated under the Maltese Financial Institutions Act, which transposed the provisions of the Payment Services Directive and the Electronic Money Directive into Maltese law.

Maltese law contains no disclosure requirements regarding compensation models that industry participants use to charge customers. However, service providers must ensure that their fee structure is transparent, fair and non-discriminatory, and that there are no incentives in place that could contribute to disorderly trading conditions or market abuse.

While MiCA does not prescribe specific compensation models, its regulatory provisions necessitate that CASPs design their compensation structures in a manner that ensures compliance with conduct, governance and prudential requirements.

The VFAA provided new and legacy players with specific requirements and limitations when conducting business in this sector, and this has now been furthered through the implementation of MiCA. However, no distinction is made according to whether a player in this sphere is a new entrant or a legacy player.

The MFSA’s Fintech Regulatory Sandbox allows fintech operators to test their own innovations within a regulatory environment for a specified period of time and under certain prescribed conditions. The sandbox is open to fintech service providers and fintech suppliers, accepting start-ups, technology firms and established financial service providers that approve of technologically enabled innovation in their business models, applications or products.

The regulatory sandbox is intended to target technologically enabled financial innovation that could result in new business models, applications, processes or products with an associated material effect on financial markets and the provision of financial services.

Since its launch, the sandbox has seen increased interest, with numerous proposals received with diverse innovative technologies for financial services, covering a range of investment service products, market infrastructures and regtech solutions.

The ITA Sandbox

The Malta Digital Innovation Authority (MDIA) also has its own Technology Assurance Sandbox (MDIA-TAS) to complement its innovative technology arrangement (ITA) full certification framework. Its aim is to be a key utility for start-ups and smaller companies developing solutions based on innovative technologies, by providing a safe environment to develop their technological solutions.

The MDIA-TAS aims to ensure that regulatory certainty can be given to ITAs developed by small entities and that a balance is reached between maintaining full certification and the adopted high-barrier entry approach, while addressing financial and technical barriers for smaller entities. The sandbox framework is intended to guide applicants in the proper development of their solution within the lines of recognised international guidelines and standards, and other regulatory and legal obligations. Applicants are guided for a maximum period of two years, with the end result of being in a position to obtain full MDIA certification.

To participate in the MDIA-TAS, applicants must prove to the authority that their ITA has a reasonable element of substance relevant to Malta, by proving either that the development of the ITA will be carried out in Malta or that its operations will be carried out in or from Malta.

The MFSA

The MFSA is the primary regulator for entities issuing crypto-assets, EMTs and ARTs in terms of MiCA, and also for CASPs. It is also the regulator responsible for financial institutions.

The Financial Intelligence Analysis Unit (FIAU)

CASPs are deemed to be “subject persons” in terms of Malta’s anti-money laundering and combatting the funding of terrorism (AML/CFT) legislative and regulatory framework. This factor therefore brings CASPs into the purview of the FIAU, which is the government agency tasked with the collection, collation, processing, analysis and dissemination of information with a view to combatting money laundering and the funding of terrorism. The FIAU is also responsible for monitoring compliance with the relevant legislative provisions, so its remit is restricted to compliance with the AML/CFT legislative and regulatory framework.

The MDIA

The MDIA, on the other hand, has a mandate to regulate ITAs such as smart contracts and internet telephony service providers (ITSPs). The role of the MDIA can be distinguished from that of the MFSA, with the latter remaining the primary authority issuing licences and authorisations for service providers and public offerings of crypto-assets. The MDIA’s role, on the other hand, goes beyond the licensing regime, offering a voluntary regime for the registration and certification of ITAs.

The Malta Gaming Authority (MGA)

The MGA issued an updated policy on DLTs by authorised persons in January 2023, explaining the requirements and instances for application to the MGA. Regulating the inclusion of DLT assets, ITAs and smart contracts, this policy fully strengthens the role of DLT in the gaming sphere. Gaming operators require prior approval from the MGA before accepting DLT assets. Furthermore, in regard to crypto-assets, MGA approval is required when:

• a deposit is initiated by the payer in crypto-assets and received by the operator in crypto-assets;
• a deposit is initiated by the player in crypto-assets and received by the operator in fiat; or
• a deposit is initiated by the player in fiat and received by the operator in crypto-assets.

The policy also established a system for exchange rates, stating that the rate to be used is that as at midnight (Central European Time) on the last day of the reporting month, in order to reduce the issue of fluctuating rates faced by crypto-assets worldwide.

The MFSA does not formally issue “no-action” letters in the same manner as certain other jurisdictions.

MiCA includes specific requirements regarding outsourcing arrangements for crypto-asset service providers. These requirements are designed to ensure that:

• outsourcing does not compromise the quality of internal controls or the ability of supervisory authorities to monitor compliance;
• outsourcing does not result in the delegation of the responsibility of the CASPs;
• outsourcing does not alter the relationship between the CASPs and their clients, nor the obligations of the CASPs towards their clients;
• outsourcing does not alter the conditions for the authorisation of the CASPs;
• third parties involved in the outsourcing co-operate with the competent authority of the CASPs’ home member state, and the outsourcing does not prevent the exercise of the supervisory functions of competent authorities, including on-site access to acquire any relevant information needed to fulfil those functions;
• CASPs retain the expertise and resources necessary for evaluating the quality of the services provided, for supervising the outsourced services effectively and for managing the risks associated with the outsourcing on an ongoing basis;
• CASPs have direct access to the relevant information of the outsourced services; and
• CASPs ensure that third parties involved in the outsourcing meet the data protection standards of the EU.

CASPs must establish a comprehensive outsourcing policy that includes contingency plans and exit strategies, considering the scale, nature and range of services provided.

In addition, DORA (effective from 17 January 2025) introduced further requirements for financial entities, including CASPs, concerning ICT-related outsourcing. DORA emphasises the need for thorough risk assessments, due diligence and specific contractual provisions to ensure transparency and control over subcontractors.

CASPs and financial institutions are deemed to be subject persons for AML purposes in terms of the AML/CFT rules. To that end, they are required to conduct AML/CFT checks on all their customers.

In January 2023, the FIAU published an administrative measure against two entities, one of which was licensed as a Class 3 VFA Services Provider, and the other was authorised as a Class 4 VFA Services Provider. The administrative penalties amounted to EUR242,243 and EUR220,992 respectively, due to multiple breaches of the Prevention of Money Laundering and Financing of Terrorism Regulations, including:

• improper business risk assessment;
• improper customer risk assessment;
• improper collection of information regarding wallet addresses;
• shortcomings in enhanced due diligence; and
• failures in transaction scrutiny.

Both entities appealed the FIAU’s decision.

Powers of the MFSA

Under MiCA, the MFSA retains the authority to impose decisions on any issuer of crypto-assets and on any CASP falling within the scope of the Regulation. The MFSA is empowered to, inter alia:

• suspend or require a CASP to suspend its services or prohibit the provision of services;
• disclose or require a CASP to disclose material information having an effect on the provision of services in order to ensure the protection of the interests of clients or the smooth operation of the market;
• require the transfer of existing contracts to another CASP where a CASP’s authorisation is withdrawn;
• require offerors, issuers or persons seeking admission to trading to amend their white paper or their marketing communications;
• suspend an offer to the public or an admission to trading for a maximum of 30 consecutive working days;
• suspend a CASP operating a trading platform for up to 30 consecutive working days; or
• impose administrative penalties.

Penalties

Following the implementation of MiCA, any person found to be in breach thereof would be guilty of an offence. Where such person is a natural person, they shall be liable, on conviction, to imprisonment for a term not exceeding six years or to a fine not exceeding EUR5 million, or both. Where the office is committed by a legal person, they shall be liable, on conviction, to a fine not exceeding EUR15 million.

The Maltese MiCA implementation regulations also include specific provisions that empower the MFSA to issue administrative penalties ranging from EUR7,000 to EUR5 million in the case of a natural person and from EUR5 million to EUR15 million in the case of a legal person, or 15% of the total annual turnover of such legal person.

Appeals

Any such actions made by the MFSA are subject to appeal in front of the Financial Services Tribunal.

DORA

DORA became fully enforceable on 17 January 2025, with the aim of strengthening the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption. DORA was intended to push financial entities and their management – who retain ultimate responsibility – to understand fully how their ICT, operational resilience, cyber and third-party risk management practices impact the resilience of their critical functions and to develop operational resilience capabilities.       

General Data Protection Regulation (GDPR)

With respect to privacy law implications, Malta is subject to the GDPR and the general considerations thereunder.

CASPs and financial institutions authorised in Malta are required to audit their financial statements annually. Financial auditors typically need to be pre-vetted by the MFSA before being in a position to service such authorised entities, and carry out their own verifications, not solely from their perspective as a subject person for AML/CFT purposes but also in their role as auditor.

It is important to note that financial institutions also fall within the regulatory remit of the Maltese Central Bank, which among other functions oversees and regulates the operation of, and the participation in, both domestic and cross-border payment and securities settlement systems. In this context, the Bank has also entered into agreements with the MFSA concerning the exchange of information and payment and securities settlement systems.

Where an authorised person is seeking to offer additional services through the same entity, even if non-regulated, this entity will need to be pre-vetted and approved by the competent authority. Even though there might not be an express legal or regulatory limitation in this regard, the competent authority may consider that the provision of such additional services could lead to a conflict of interest, or could add additional risks or instability that could hamper consumer protection and the authorised person’s financial or risk position and thus it may not allow the provision of such additional services on this basis.

In relation to MiCA specifically, one type of crypto-asset that falls outside of MiCA’s scope is non-fungible tokens (NFTs). It is important to note, however, that MiCA clearly specifies what characteristics a crypto-asset must have in order for it to be classified as an NFT, so it is essential to determine the correct legal classification of the crypto-asset.

AML and sanctions regulations significantly impact both regulated and unregulated fintech companies in Malta. Since 2022, the EU has imposed significant sanctions in relation to the Russian invasion in Ukraine and thus service providers are required to remain updated as to the specific limitations and requirements in relation to the services they can offer to Russian companies and persons.

Furthermore, robust AML frameworks to combat financial crimes are implemented under Maltese law. These regulations require fintech companies to implement stringent customer due diligence, monitor transactions for suspicious activity, and report any such activities to the FIAU. This all aligns with international standards set by organisations like the Financial Action Task Force (FATF).

Non-compliance with AML regulations can lead to severe penalties, including administrative fines, criminal charges, revocation of licences, and reputational damage. The MFSA has the authority to impose sanctions on entities that fail to adhere to AML requirements.

Overall, AML and sanctions rules in Malta impose significant compliance obligations on both regulated and unregulated fintech companies. Adherence to these regulations is crucial to avoid legal penalties and to maintain the integrity and reputation of the financial sector.

Malta’s AML and sanctions rules closely follow the standards set by the FATF. As a member of the EU, Malta aligns its AML framework with both FATF recommendations and EU directives, particularly the EU’s Anti-Money Laundering Directives (AMLD).

The principle of reverse solicitation is implemented in Malta in line with its interpretation under the MiFID II Directive. With the implementation of MiCA, it is also important to note that this principle is also recognised in relation to the provision of services by CASPs. However, through issued guidelines, the European Securities and Markets Authority (ESMA) has hardened its stance on the applicability of this concept. MiCA makes it clear that reverse solicitation cannot be overridden by contractual terms or disclaimers, and also introduces a time limit on the validity of a reverse solicitation request.

The MFSA has yet to issue tailor-made rules regulating robo-advisers. However, ESMA has issued guidelines on certain aspects of the MiFID II suitability requirements, which define the concept of robo-advice and provide further clarity on the information to be provided to clients when making use of robo-advice. It appears that the provision of robo-advice may be deemed a licensable activity, like the provision of traditional investment advice under the Investment Services Act, Cap 370 of the Laws of Malta (ISA).

Furthermore, in October 2021 the European Commission requested advice from ESMA on preparing a legislative proposal in relation to several focused areas, including robo-advisers. A final report was provided by ESMA in April 2022, with a specific section detailing the effects of robo-advisers. Acknowledging the risks posed by robo-advisers for investors (including limited access to information due to limited human interaction), ESMA analysed the advantages and disadvantages posed by such systems through a call for evidence.

Robo-advisory services have not taken off in the EU due to barriers on investor reliance on human interaction and the cost of implementation. Furthermore, while investors may be more honest without the human element (as they do not feel judged), impulsivity and biased choices are heightened due to the faster access.

In its report, ESMA found that the current regulatory framework is appropriate due to the limited growth and lack of significant evolution, with no need for specific provisions addressing robo-advisers. Companies exploring the use of robo-advisory services may also benefit from the MFSA’s Fintech Regulatory Sandbox.

It is also important to bear in mind that the implementation of the EU’s AI Act is likely to have an impact on service providers utilising robo-advisers, and an assessment of the Regulation’s impact on their operations is thus essential.

No information is available in this jurisdiction on legacy players’ implementation of solutions introduced by robo-advisers.

No information is available in this jurisdiction on the best execution of customer trades.

Online lending remains uncommon in Malta, with more traditional forms of lending being used. The Maltese lending market continues to be dominated by retail banks, which adopt a risk-averse approach to transactions. The regulation of lending occurs without distinction as to the recipient of the loan.

The act of regular or habitual lending is regulated and requires a licence from the MFSA under the Financial Institutions Act, Cap 376 of the Laws of Malta (FIA). However, if the activity includes financing from consumer deposit taking, a licence under the Banking Act, Cap 371 of the Laws of Malta (BA) would be required. It should also be noted that underwriting processes for online lenders are not dictated by law.

The EU Crowdfunding Regulation (Regulation (EU) 2020/1503) includes within its scope both investment-based crowdfunding and lending-based crowdfunding. In relation to lending-based crowdfunding specifically, the Regulation applies to crowdfunding services that consist of the facilitation of the granting of loans, including services such as presenting crowdfunding offers to clients and pricing or assessing the credit risk of crowdfunding projects or project owners. The definition of crowdfunding services is aimed to accommodate different business models enabling a loan agreement between one or more investors and one or more project owners to be concluded through a crowdfunding platform.

Loans included within the scope of the Regulation are those with unconditional obligations to repay an agreed amount of money to the investor, whereby lending-based crowdfunding platforms merely facilitate the conclusion by investors and the project owner of loan agreements without the crowdfunding service provider at any moment acting as a creditor of the project owner.

Due to the limited adaptability of online lending in Malta, the syndication of such loans is very rare.

Payment processors are licensable in Malta under the FIA. There is no prohibition on payment processors creating or implementing new payment rails, or payment infrastructure generally, but this is not common in practice.

Cross-border payments and remittances are regulated to ensure compliance with AML and CFT standards, focusing on transparency, preventing money laundering, and combatting terrorism financing. In this regard, it is important to consider Regulation (EU) 2023/1113 on information accompanying transfers of funds and certain crypto-assets (the Transfer of Funds Regulation), which gives effect to the recommendations of the FATF on virtual assets. These rules are aimed to prevent, detect and investigate money laundering and terrorist financing where at least one of the CASPs involved in the transfer of crypto-assets is established in the EU. These service providers are required to accompany transfers of crypto-assets with information on the originator and the beneficiary. The information should be submitted in a secure manner and in advance of, or simultaneously or concurrently with, the transfer of crypto-assets.

The provisions of the Value Added Tax (Reporting Obligations for Payment Service Providers) Regulations [S.L. 406.22] came into effect on 1 January 2024 and introduced certain new reporting requirements for PSPs (which include mainly credit institutions, e-money institutions, payment institutions and post-office giro institutions), mainly concerning cross-border payments originating from EU member states. PSPs with Malta as either their home member state or host member state were required to register with the Malta Tax and Customs Administration (MTCA) as an in-scope PSP for the Central Electronic System of Payment information (CESOP). In-scope PSPs were required to keep sufficiently detailed information on payees and payments, and to submit certain quarterly detailed information to the Malta Commissioner for Tax and Customs concerning certain cross-border payments provided in Malta.

In the crypto-asset sphere, it is also important to consider DAC8 (Directive on Administrative Cooperation 8), which is an EU directive aimed at improving tax transparency and combatting tax evasion related to crypto-assets and digital currencies. It introduces new reporting obligations for CASPs, requiring them to share information with tax authorities about transactions and holdings of EU taxpayers. DAC8 aligns with the OECD's Crypto-Asset Reporting Framework and expands existing rules on automatic exchange of information to include digital assets. It also enhances co-operation between EU tax authorities to detect tax fraud and non-compliance more effectively.

Traditional Financial Services

Under the traditional financial services regime in Malta, the major trading platforms for assets are regulated markets (the sole regulated market in Malta is the Malta Stock Exchange, or MSE), multilateral trading facilities (MTFs) and organised trading facilities (OTFs). In Malta, the Prospects Market is an example of an MTF providing a market for SMEs to raise capital by issuing equity or bonds. These types of exchanges are primarily regulated under the Financial Markets Act and relevant EU regulations. Issuers on such platforms are required to abide by the relevant rules – eg, issuers on the MSE are required to abide by the Listing Rules, whereas those listing on the Prospects Market are required to abide by the Prospects MTF Rules.

Crypto-Assets

However, the increasing prominence of crypto-assets has led to the rise of new trading platforms, such as crypto exchanges and security token exchanges, and this has also brought to light the rise of P2P exchanges.

CASPs seeking to operate a trading platform for crypto-assets are required to hold a Class 3 CASP licence. They are also required to lay down, implement and maintain clear and transparent operating rules for the trading platform. Before admitting a crypto-asset to trading, such CASPs must ensure that the crypto-asset complies with the operating rules of the trading platform and assess the suitability of the crypto-asset concerned. Similar to the previous requirements under the VFAA, admission to trading of crypto-assets that have an inbuilt anonymisation function is prevented unless the holders of those crypto-assets and their transaction history can be identified by the CASP. Such CASPs may also not deal on own account on their own platform, and must have effective systems, procedures and arrangements in place to ensure that their trading system operates in line with MiCA’s requirements.

The VFAA previously utilised the Financial Instrument Test to determine the legal classification of any particular virtual asset, which in turn would determine the applicable regulatory regime.

In the same vein, ESMA also issued specific guidelines to facilitate consistency in the regulatory classification of crypto-assets under MiCA. The guidelines provide a standardised test to determine whether a particular crypto-asset qualifies as an ART, an EMT or a crypto-asset other than ARTs or EMTs.

Where a crypto-asset is deemed to be a financial instrument in terms of MiFID, MiCA does not apply – rather, the issue and provision of services in relation to such financial instrument is regulated by traditional financial services legislation.

The passing of the VFAA and the establishment of supplementary regulations, rules and guidelines promoted Malta as one of the first countries to have regulated cryptocurrency exchanges and other cryptocurrency-related services.

With MiCA now being fully applicable, operators of cryptocurrency exchanges seeking to offer services in the EU are required to apply for a licence. The specific licensing category depends on the operations of the service provider and thus, in the context of an exchange platform, whether the exchange qualifies as a trading platform or not. The operation of a trading platform refers to multilateral systems that bring together or facilitate the bringing together of multiple third-party purchasing and selling interests in crypto-assets, in the system and in accordance with its rules, in a way that results in a contract, either by exchanging crypto-assets for funds or by the exchange of crypto-assets for other crypto-assets. The operation of this type of platform triggers the requirement for a Class 3 CASP licence.

Where on the other hand a CASP is not operating this type of platform, even if prima facie, it may look like a cryptocurrency exchange, it is crucial for that applicant, together with their legal adviser, to determine the specific services to be offered before proceeding with submitting an application for authorisation under MiCA. See 6.1 Permissible Trading Platforms for additional information on the regulation of crypto exchanges and new regulatory changes with the coming into force of MiCA.

Issuers of VFAs listing on VFA exchanges are required to abide by the listing rules adopted by each respective VFA exchange. Under MiCA, CASPs operating a trading platform for crypto-assets should also have detailed operating rules, be subject to pre-trade and post-trade transparency requirements, and set transparent and non-discriminatory rules governing access to their platforms, based on objective criteria.

Issuers of traditional financial instruments (eg, equity securities or debt securities) listing on the MSE are required to abide by the Listing Rules, whereas those listing on the Prospects Market are required to abide by the Prospects MTF Rules.

When VFA licence holders and CASPs under MiCA handle client orders, they are required to implement procedures and arrangements that seek to provide the expeditious execution of such orders. There are also obligations imposed on licence holders/CASPs not to misuse information relating to pending client orders, and to take all reasonable steps to prevent the misuse of such information.

The increase in cryptocurrency exchanges has highlighted the advantages of P2P trading platforms. While this has not impacted the regulation of traditional trading platforms, regulators have sought to cater for such platforms, (previously) locally through the enactment of the VFAA, and now on an EU-wide basis through MiCA.

There is no information available in this jurisdiction.

Marketplaces, exchanges and trading platforms are required to abide by the principles of the Market Abuse Regulation, which aims to prevent and detect market abuse, market manipulation and insider dealing.

These principles were enshrined in Malta’s VFA framework, and VFA service providers were required to have systems and procedures in place to identify and curb market abuse. These same principles have been enshrined in MiCA as well.

Furthermore, issuers on the MSE are required to abide by the Listing Rules, whereas those listing on the Prospects Market are required to abide by the Prospects MTF Rules. Both of these sets of rules include specific provisions on inside information and fair disclosure of information to the market.

Algorithmic trading and high-frequency trading are regulated in Malta under MiFID II. Any entity licensed under the ISA whose head office is in Malta and who is entitled to carry out an activity in an EU or EEA state other than Malta, in exercise of a European right, must have the following in place:

• effective systems and risk controls suitable to the business it operates, to ensure that its trading systems are resilient and have sufficient capacity, are subject to appropriate trading thresholds and limits, and prevent the sending of erroneous orders or the malfunctioning of systems in a way that may create or contribute to a disorderly market;
• effective systems and risk controls to ensure the trading systems cannot be used for any purpose that is contrary to the Market Abuse Regulation (EU) 596/2014 (MAR) or the rules of the trading venue to which it is connected; and
• effective business continuity arrangements to deal with any failure of its trading systems, to which end it must ensure that its systems are fully tested and properly monitored, and meet the requirements laid down in the relevant regulations.

Any service providers utilising such technologies are required to assess whether they need to align and/or are impacted by the upcoming implementation of the EU’s AI Act.

Firms engaging in algorithmic trading in Malta or another EU or EEA state must notify their competent authority and the European regulatory authority of the trading venue at which the firm engages in algorithmic trading as a member or participant, where this is not established in Malta.

Firms that engage in algorithmic trading and high-frequency trading must also keep sufficient records and make these available to the MFSA.

It is also important to note that a person dealing on their own account who does not provide any other investment services is exempt from the need for an investment services licence. This exemption applies unless such person is a market maker or deals on their own account outside a regulated market or a multilateral trading facility on an organised, frequent and systematic basis by providing a system accessible to third parties to engage in dealings with them.

The rules refer to firms that engage in algorithmic trading and high frequency algorithmic trading on a trading venue, which includes regulated markets, MTFs and OTFs.

There is no information available in this jurisdiction.

There is no information available in this jurisdiction.

In Malta, underwriting processes are carried out directly with the insurance company itself or through a broker, a tied insurance intermediary or an insurance agent. Such processes are subject to the relevant Maltese insurance legislation and MFSA rules, in line with EU legislation.

Long-term insurance, such as life insurance, is regulated in a different manner to other insurance classes, primarily due to insolvency issues and the higher degree of knowledge required by those engaging in this type of insurance business. However, there is no distinction between the treatment of the different insurance classes by industry participants.

The regulation of regtech providers depends on the nature of their activities. It must be noted that Maltese laws in this respect apply in a technology-neutral manner (bar some exceptions in relation to DLTs). It is therefore the activity of the regtech provider that triggers regulatory implications and not the specific technologies used.

Furthermore, if a regtech provider utilises an ITA as defined by the Innovative Technology Arrangements and Services Act (ITASA), then the regtech provider may submit the ITA for recognition by the MDIA.

Financial entities impose strict performance, accuracy and compliance requirements on technology providers. While regulation dictates the baseline, many terms are shaped by risk management best practices and industry standards to safeguard financial stability and client trust.

The specific provisions set out in contractual arrangements are conditioned by the requirements emanating from MiFID II, the GDPR, MiCA, DORA and the upcoming AI Act, among others. Common inclusions in these contracts include:

• audit rights for financial entities to verify compliance;
• performance and service level agreements (SLAs) with uptime and availability guarantees, latency and execution speed commitments and remedies for service failures;
• indemnity clauses;
• cybersecurity obligations; and
• business continuity and disaster recovery requirements to ensure resilience.

While local banks have been cautious in their approach to implementing the use of DLT in their current systems, the Malta Business Registry (MBR), which is responsible for the registration of commercial partnerships and companies in Malta, is expected to roll out a Central Data Repository. This is intended to be a secure, digital platform that will store key documents and identity credentials in an easily accessible single e-wallet, which will enable individuals and businesses to share important documents quickly and securely with government entities, eliminating repetitive bureaucratic processes and speeding up compliance tasks.

MiCA does not regulate blockchain technology directly but instead governs crypto-assets, issuers and CASPs operating within the EU. However, it indirectly impacts blockchain by setting rules on how crypto-assets are issued, traded and used within DLT environments.

It is also important to bear in mind that Malta’s DLT framework, which came into effect in 2018, includes the following pieces of legislation (each substantiated by various rules, guidelines and subsidiary legislation), which remain applicable despite MiCA’s coming into force:

• the Malta Digital Innovation Authority Act, Cap 591 of the Laws of Malta, which sets up the MDIA (the Maltese authority primarily responsible for promoting digital innovation); and
• the ITASA, which provides for certification by the MDIA of ITAs and authorisations for innovative technology service providers.

Under the VFAA, if the asset in question qualified as a VFA, any person that conducted any of the following activities in or from within Malta in relation to VFAs required a licence from the MFSA:

• the receipt and transmission of orders;
• the execution of orders on behalf of other persons;
• dealing on own account;
• portfolio management;
• custodian or nominee services (of VFAs including cryptographic keys);
• the provision of investment advice;
• the placing of VFAs;
• the operation of a VFA exchange; and
• the transfer of VFAs.

MiCA regulates the provision of crypto-asset services – ie, any of the following services and activities relating to any crypto-asset:

• the provision of custody and administration of crypto-assets on behalf of clients;
• the operation of a trading platform for crypto-assets;
• the exchange of crypto-assets for funds;
• the exchange of crypto-assets for other crypto-assets;
• the execution of orders for crypto-assets on behalf of clients;
• the placing of crypto-assets;
• the receipt and transmission of orders for crypto-assets on behalf of clients;
• the provision of advice on crypto-assets;
• the provision of portfolio management on crypto-assets; and
• the provision of transfer services for crypto-assets on behalf of clients.

Similar to the VFA regime, persons seeking to provide such services are required to apply for authorisation from the competent authority of their home member state before offering any such services.

Please see 6.2 Regulation of Different Asset Classes regarding the legal classification of crypto-assets under MiCA.

The VFAA regulated the issuers of offers to the public of VFAs.

MiCA regulates the issue of offers to the public in relation to ARTs, EMTs and crypto-assets that are not regulated as ARTs and EMTs.

Offerors of ARTs must either be authorised as a credit institution or be a legal person or other undertaking that is established in the EU and has been authorised in terms of MiCA. Offerors of EMTs, on the other hand, must be either a credit institution or an electronic money institution. In both cases, offerors are required to draw up a crypto-asset white paper and notify this to the competent authority of their home member state. MiCA and the applicable guidelines and regulatory standards clearly outline the specific information that needs to be included in the white paper.

Issuers of other crypto-assets must be legal persons and must draw up a crypto-asset white paper in terms of MiCA. The white paper must be notified to the competent authority of their home member state at least 20 working days before publication.

An important principle under MiCA is that retail holders who purchase crypto-assets either directly from an offeror or from a CASP placing crypto-assets on behalf of that offeror have a right of withdrawal of 14 calendar days without incurring any fees or costs and without being required to give reasons. The period of withdrawal begins from the date of the agreement of the purchase of the crypto-assets.

Upon exercise of withdrawal, all payments received from a retail holder including, if applicable, any charges are to be reimbursed without undue delay and in any event no later than 14 days from the date on which the offeror or the CASP is informed of the retail holder’s decision to withdraw.

However, the right of withdrawal does not apply where the crypto-assets have been admitted to trading prior to their purchase by the retail holder.

MiCA exempts various offers to the public from its requirements, including:

• an offer to fewer than 150 natural or legal persons per member state where such persons are acting on their own account;
• an offer to the public for which, over a period of 12 months starting with the beginning of the offer, the total consideration does not exceed EUR1 million or the equivalent amount in another official currency or in crypto-assets;
• an offer of a crypto-asset addressed solely to qualified investors where the crypto-asset can only be held by such qualified investors;
• instances where the crypto-asset is offered for free;
• when the crypto-asset is automatically created as a reward for the maintenance of the distributed ledger or the validation of transactions;
• when the offer concerns a utility token providing access to a good or service that exists or is in operation; and
• when the holder of the crypto-asset has the right to use it only in exchange for goods and services in a limited network of merchants with contractual arrangements with the offeror.

Please see 10.12 Non-Fungible Tokens (NFTs) regarding NFTs.

The VFAA defines a DLT exchange as any trading and/or exchange platform or facility on which any form of DLT asset may be transacted. A DLT asset is any virtual token, VFA, electronic money or financial instrument that is intrinsically dependent on or utilises DLT.

The term “VFA exchange” refers to a DLT exchange for VFAs, within which multiple third-party buying and selling interests for VFAs can interact in a manner that results in a contract, by exchanging one VFA for another or a VFA for fiat currency that is legal tender, or vice versa. Therefore, exchanges on which only financial instruments are traded are not licensable in terms of the VFAA but fall within the remit of the ISA.

Under MiCA, the operation of a trading platform for crypto-assets is deemed to be a crypto-asset service. This refers to the management of one or more multilateral systems that bring together or facilitate the bringing together of multiple third-party purchasing and selling interests in crypto-assets, in the system and in accordance with its rules, in a way that results in a contract, either by exchanging crypto-assets for funds or by the exchange of crypto-assets for other crypto-assets.

Put simply, the term “staking” refers to the process of immobilising crypto-assets to support the operations of proof-of-stake and similar blockchain consensus mechanisms in exchange for the granting of validator privileges that can generate block rewards.

MiCA does not contain specific provisions on staking. Thus, staking is not prohibited, but at the same time it is not subject to specific requirements or licensing.

Where staking services are provided to clients for a consideration by intermediaries that undertake to stake the clients’ crypto-assets on their behalf, the crypto assets – or the private keys giving access to them – are held by the staking service provider in custody. Thus, the provision of staking services is ancillary to custody services, which are fully regulated under MiCA, and triggers the requirements of a licence.

It follows from these obligations that, where staking services are provided in combination with the provision of custody, CASPs should ensure that the assets held on behalf of clients can be returned to the clients in accordance with the custody agreement. CASPs should also remain liable to their clients for any loss of crypto-assets attributable to them.

Where staking services are provided in combination with any other crypto-asset services, CASPs should obtain the clients’ explicit consent to stake their crypto-assets, as it may have an impact on their clients' ability to access them.

Crypto-asset lending refers to a provider (lender) transferring a certain value of crypto-assets or funds to a user (borrower) in exchange for the user placing a certain value of crypto-assets or funds as collateral and a commitment that the borrower will return to the lender a value equivalent to the transferred value of crypto-assets or funds and potential additional interests on a future date (or in the event of some other trigger event).

Crypto lending is not specifically regulated under MiCA, and on the basis of a recent joint report by ESMA and the EBA, it has also been noted that this activity is not regulated in all EU member states.

Derivatives are financial contracts whose value is derived from an underlying asset such as a reference rate or index. They encompass rights and obligations, while the definition of crypto-asset within the meaning of MiCA only makes reference to the digital representation of a value or a right.

The ESMA Guidelines on the conditions and criteria for the qualification of crypto-assets as financial instruments clearly state that derivative contracts relating to a crypto-asset, a basket of crypto-assets or an index on crypto-assets as an underlying should be qualified as financial instruments within the meaning of MiFID II as it captures derivative contracts, which refer to an underlying such as assets, rights, obligations or indices. As the term “asset” is not defined within MiFID II, such notion should be interpreted in broad terms, thus also capturing crypto-assets.

Recital 22 of MiCA explicitly states that “Where crypto-asset services are provided in a fully decentralised manner without any intermediary, they should not fall within the scope of this Regulation”. However, what truly constitutes “fully decentralised” has not been clarified.

Whilst acknowledging Recital 22, ESMA also noted that the precise scope of this exemption remains unclear and suggested that each system should be assessed on a case-by-case basis, considering its specific features. ESMA further emphasised that decentralisation is not an absolute concept but exists on a spectrum, ranging from centralisation to varying degrees of decentralisation. There is no definitive threshold that signifies “full decentralisation”, as the degree of decentralisation can always vary and evolve.

With regards to security tokens, it is important to note that, under MiCA and its applicable guidelines and technical standards, it has been determined that a crypto-asset that is classified as a financial instrument is regulated under traditional financial services legislation, and thus under MiFID II.

However, in contrast to the exclusion under MiCA, under MiFID there is no exemption for fully decentralised crypto-asset services. The primary criterion for determining MiFID's applicability is whether a crypto-asset is classified as a financial instrument. Thus, if a fully decentralised protocol offers custody services or facilitates the trading of crypto-assets that qualify as transferable securities, it engages in regulated activities under MiFID. This can therefore create a complex regulatory scenario where, depending on the legal classification of the crypto-asset, different rules will apply in the case of fully decentralised protocols.

Collective investment schemes wishing to invest in crypto-assets do not require an additional licence for this purpose, although funds are expected to comply with some crypto-asset-specific supplementary conditions on an ongoing basis. At the time of writing, only professional investor funds (PIFs) and notified PIFs are permitted to invest in crypto-assets. Nevertheless, it should be noted that the MFSA has been considering whether to permit alternative investment funds (AIFs) and notified alternative investment funds (NAIFs) to invest in crypto-assets by extending the supplementary conditions that apply to PIFs to cover AIFs and NAIFs.

See 2.2 Regulatory Regimes.

Much like the VFA Framework, MiCA does not provide a specific definition of an NFT. It defines the concept of a “crypto-asset” as “a digital representation of a value or a right which may be transferred and stored electronically, using distributed ledger technology or similar technology”. According to this definition, it would be reasonable to say that NFTs are captured within MiCA.

However, MiCA goes on to exclude the following types of crypto-assets from its scope:

• crypto-assets that are unique and not fungible with other crypto-assets, including digital art and collectibles, whose value is attributable to each crypto-asset’s unique characteristics and the utility it gives to the token holder;
• crypto-assets that represent assets or rights that are unique and not fungible; and
• crypto-assets representing services or physical assets that are unique and not fungible, such as product guarantees or real estate – this exclusion is on the basis that these crypto-assets are not readily interchangeable and the relative value of one crypto-asset in relation to another, each being unique, cannot be ascertained by means of comparison to an existing market or equivalent asset.

Despite this exemption being clearly set out, it is important to note that MiCA does not exclude NFTs from its scope altogether, and indeed the following types of crypto-assets fall within the scope of MiCA:

• fractional NFTs – ie, the fractional parts of an NFT are not considered to be unique and non-fungible in and of themselves;
• NFTs issued in a large series or collection – the terms “large series” and “collection” are not defined;
• crypto-assets whose sole non-fungible element is a unique identifier; and
• crypto-assets that appear unique and not fungible but whose de facto features linked to de facto uses would make them either fungible or not unique – this assessment needs to be undertaken on the basis of substance over form.

Undertaking a legal classification assessment of every crypto-asset is thus essential to determine whether or not it falls within MiCA’s scope.

As an EU member state, Malta fully transposed the Payment Services Directive (EU) 2015/2366 (PSD2) into its legislation in August 2019. Said implementation did not trigger any obligation for a bank or financial institution already licensed by the MFSA as a home state regulator to provide payment services to seek any re-authorisation of these activities in terms of the passporting rights exercised by the operator prior to the implementation of these amendments. Nevertheless, despite banks taking the necessary steps to permit open banking by making their application programming interface (API) technologies available, the practical use of open banking in Malta remains limited.

The proposed PSD3 and Payment Services Regulation are expected to improve the functioning of open banking by removing the remaining obstacles to providing open banking services and improving customers' control over their payment data, enabling new innovative services to enter the market.

The number of live and operative account information service providers (AISPs) or payment initiation service providers (PISPs) operating within Malta is small. Therefore, the effects of PSD2 are yet to be felt in Malta, from the perspective of banks coping with data privacy or data security concerns, or with practical concerns on a more generic basis.

While the MFSA’s role is to educate consumers about scams involving financial products and services, it is unable to investigate perpetrators as this function lies with the police. Nevertheless, the MFSA plays a substantial role in preventing harm to consumers from unauthorised activities. Indeed, as soon as the MFSA is aware of an unlicensed entity, it warns the general public to make sure they refrain from entering into any transactions or dealings with such entity.

In all instances, Maltese regulators are primarily concerned with consumer protection, with most policies and initiatives being imposed with this overarching principle in mind.

One of the primary types of fraud on which regulators focus is cybersecurity and data breaches. This includes protecting customer data and ensuring secure transactions. Other main causes for concern include payment fraud, identity theft, phishing attacks and investment scams.

In Malta, a fintech service provider may be held responsible for customer losses under certain conditions, depending on the nature of the service, the terms of the agreement and the applicable regulations. Key situations where a provider might be liable include:

• breach of contract or terms of service;
• negligence; and
• failure to comply with regulatory requirements.