Author: Joseph F.Borg - WH Partners

The Malta Financial Services Authority (the “MFSA”) has published a Discussion Paper on Decentralised Finance (DeFi), subtitled “Strengthening Malta’s Position as a Jurisdiction for Next Generation Financial Services.” Dated 12 June 2026 and bearing reference number 03-2026, the paper is open for public consultation until 10 July 2026. This marks a significant moment not only for Malta’s financial services sector, but also for the wider European conversation on how to regulate one of the most disruptive corners of finance. At WH Partners, we welcome the initiative and ncourage every stakeholder in the DeFi ecosystem to make use of the consultation window while it remains open.

Malta's Regulatory Pedigree

In 2018, the enactment of the Virtual Financial Assets Act, the Malta Digital Innovation Authority Act, and the Innovative Technology Arrangements and Services Act gave legal certainty to activities that had previously operated in a regulatory vacuum. The VFA Act attracted serious international attention and helped earn Malta its “Blockchain Island” reputation. This early engagement also built considerable supervisory experience, supporting a smooth transition to the EU’s Markets in Crypto-Assets Regulation (MiCA), which has been in force since 30 December 2024. In spirit, the DeFi Discussion Paper reads as the intellectual successor to the VFA Act: just as Malta was among the first movers in 2018, it is among the first movers in 2026 in tackling a genuinely hard question: how do you regulate finance when there is no intermediary to regulate?

The DeFi Challenge

DeFi seeks to provide financial services using distributed ledger technology without traditional intermediaries, typically through smart contracts, thereby replicating the functions of the traditional financial system within a decentralised protocol structure. MiCA excludes from its scope crypto-asset services provided in a fully decentralised manner, without the involvement of any intermediary. While this is the right call for genuinely decentralised protocols, it also creates a regulatory gap that could become either an opportunity or a vulnerability depending on how it is managed. The MFSA’s paper is a direct, considered response to that gap, covering six substantive areas: the MiCA perimeter, financial crime risk, software-based organisational models, Segregated Cell Companies, Guardian Agents, and Account Abstraction.

Where the Paper Earns the Closest Reading

The Decentralisation Threshold

The paper rightly treats “fully decentralised” as one of the most complex questions in DeFi regulation, but its proposed indicator list (admin keys, governance concentration, custody, and so on) risks being applied too mechanically. A protocol with open-source code and governance distributed among thousands of token holders should not be treated the same as one controlled by a founding team holding admin keys. We urge a graduated, spectrum-based scoring framework rather than a binary classification, alongside proportionate guidance on the technical due diligence CASPs should be expected to carry out on the decentralised components they integrate.

Software-based Organisations

This is the most exciting part of the paper. Generalising the DAO concept into a broader legal category, a “Software-based Organisation” or SBO, would be a meaningful competitive differentiator, capable of attracting the next generation of DeFi projects and AI-enabled financial entities to Malta, much as the VFA Act attracted centralised crypto businesses in 2018 and 2019. We would encourage the MFSA to move quickly, to make it clear that the framework is built for the digital economy broadly rather than financial services alone, and to require every SBO to designate an identifiable, accountable function at incorporation so that supervisors have somewhere to direct a question, even where operational control is genuinely distributed.

SCCs and the Decentralisation Trade-off

Segregated Cell Companies offer a credible legal containment mechanism for the contagion risk inherent in modular, composable DeFi systems. The paper is commendably candid; however, adopting an SCC could itself be read as evidence of centralisation, potentially undermining a project’s claim to fall outside MiCA altogether. For many protocols, decentralisation is a business model, not a compliance choice; if using an SCC automatically jeopardises that status, projects will rationally remain unincorporated, which helps no one. We recommend the MFSA legislate a dedicated, DeFi-tailored SCC framework, addressing inter-cell technical dependencies such as bridges and oracles, and publish guidance confirming that electing to use one does not, by itself, defeat a decentralisation claim.

Guardian Agents and Account Abstraction

Both sections represent genuinely frontier thinking. Guardian Agents, protocol-level mechanisms that monitor and constrain other autonomous systems, point to a new regulatory philosophy in which risk containment is performed from within the architecture itself; we would recommend a multi-stakeholder working group to develop model design principles, while watching for guardian powers being used by incumbents to foreclose competition. Account Abstraction’s compliance-by-design potential, building identity verification or sanctions screening into the wallet layer as a precondition for execution, may be the paper’s single most consequential idea, and any resulting guidance should stay outcomes-based rather than prescriptive given how quickly the technology is moving.

Financial Crime

The AML/CFT risks of paper documents, including the striking finding that stablecoins accounted for roughly 84% of illicit virtual asset transaction volume in 2025, are real and well evidenced. The response must nonetheless be proportionate: a compliance architecture calibrated for systemically significant institutions would be fatal to start-up-stage protocols.

Our Recommendations

1. Adopt a spectrum-based decentralisation framework, co-ordinated with ESMA, paired with proportionate CASP due diligence guidance.

2. Enact the SBO framework swiftly, with simplified start-up registration and a defined accountability mechanism.

3. Legislate a DeFi-specific SCC framework and confirm by guidance that adopting one does not, of itself, amount to centralisation.

4. Establish a Guardian Agent working group to develop model design principles that can be adopted at the European level.

5. Develop principles-based Account Abstraction guidance for paymasters, bundlers and AI agents under MiCA and the AML framework.

6. Calibrate AML/CFT expectations proportionately to the scale and risk profile of the entity in question.

Conclusion

The MFSA’s DeFi Discussion Paper is a statement of intent. Eight years after the VFA Act, Malta is once again stepping forward to confront difficult questions, in consultation with industry, with an evident commitment to frameworks that support both innovation and integrity. The consultation closes on 10 July 2026, and the outcome remains genuinely open. At WH Partners, we are preparing a detailed response across all six thematic areas and would welcome views from protocol developers, DAO contributors, institutional participants, technology service providers and start-up founders across the DeFi ecosystem.

Reach us at [email protected] if you would like us to take your feedback into account in our response.