MALTA: An Introduction to FinTech Legal

Malta's emergence as a top fintech hub can be attributed to its success in attracting a high number of Electronic Money Institutions (“EMIs”), Payment Institutions (“PIs”), and iGaming companies to the island. Being a member of the European Union, Malta permits straightforward passporting of harmonised financial services and offers favorable tax rates, effectively charging 5% tax for trading companies and 0% for holding companies for non-resident shareholders. Malta’s attraction is further underscored by its favourable tax regime which, because of its extensive double tax treaty network, allows investors to achieve considerable fiscal efficiency when using Malta as a base. Malta is home to an English-speaking populace and a talented pool of tech and finance professionals. The country also offers an uncomplicated process for bringing in overseas talent. In the digital sphere, Malta has earned a remarkable reputation by retaining its 2021 position and ranking as the sixth most advanced digital economy out of the 27 EU member states in the 2022 Digital Economy and Society Index (“DESI”).

What does Malta’s Virtual Financial Assets (“VFA”) Framework currently look like?

Malta's robust digital ecosystem has made it well-positioned to capitalise on the expansion of Distributed Ledger Technology (“DLT”) within its fintech industry. In fact, the country has taken proactive measures and was one of the first in Europe to enact dedicated legislation concerning cryptocurrencies and DLT, that emphasized the protection of consumers, the integrity of the market, and the stability of the financial system. Consequently, Malta is now widely recognised as the 'blockchain island'. The legal framework governing DLT and cryptocurrency services in Malta comprises three laws:

1. the Malta Digital Innovation Authority Act (“MDIAA”);

2. the Innovative Technology Arrangements and Services Act (“ITASA”); and

3. the Virtual Financial Assets Act (“VFAA”).

The MDIAA establishes the Malta Digital Innovation Authority (“MDIA”), which assumes oversight of the ITASA and holds the responsibility of promoting, regulating, and certifying innovative technology arrangements and technology service providers. Certifications issued by the MDIA remain valid for a duration of two years.

On the other hand, the ITASA facilitates the registration of technology service providers and the certification of technology arrangements, including smart contracts, Decentralised Autonomous Organisations (“DAOs”), and components of distributed or decentralised ledger technologies, with the Blockchain being a prominent example.

What does the VFAA Regulate?  

The VFAA regulates what is commonly referred to as cryptocurrencies. However, Maltese law does not employ the specific term "cryptocurrencies." Instead, it utilises the term VFA. The Malta Financial Services Authority (“MFSA”) is the sole regulator in Malta for financial services, VFA Services, and Initial Coin Offerings (“ICOs”). In the VFA framework, these ICOs are referred to as Initial Virtual Financial Asset Offerings (“IVFAOs”) alongside the regulation of VFA services.

According to the VFAA, certain requirements must be met by persons intending to engage in specific activities. Firstly, if someone wishes to launch an IVFAO to issue a VFA from or within Malta, they are obligated to register a Whitepaper with the MFSA. Secondly, anyone intending to provide a VFA service in or from Malta must obtain a license from the MFSA before commencing their operations. The VFAA encompasses a wide range of VFA service providers and services associated with VFAs. These services include activities such as reception and transmission of orders, execution of orders on behalf of other persons, dealing on own account, portfolio management, custodian or nominee services, investment advice, placing of virtual financial assets, the operation of a VFA exchange and transfer of virtual financial assets.

Malta’s Financial Instrument Test (a.k.a Token Classification test)

The MFSA has introduced a Financial Instrument Test with the objective to determine whether a DLT asset, based on its specific features, is encompassed under:

(i) the existing EU legislation and the corresponding national legislation,

(ii) the Virtual Financial Assets Act or

(iii) is otherwise exempt.

Specifically, the test will determine whether a DLT Asset qualifies as:

(i) Electronic Money (“EM”) as defined under the Financial Institutions Act (Chapter 376 Laws of Malta) (“FIA”) which transposes the second Electronic Money Directive 2009/110/EC (“EMD”);

(ii) a Financial Instrument (“FI”) as defined under the Investment Services Act (Chapter 370 laws of Malta) (“ISA") which transposes Markets in Financial Instruments Directive 2014/65/EU (“MiFID”); or

(iii) a Virtual Token (“VT”) (ie a utility token) or a VFA (ie a DLT asset that isn’t EM, a FI or a VT) as defined under the VFA Act.

The Test is applicable to:

(i) issuers offering DLT assets to the public or wishing to admit such DLT assets on a DLT exchange in or from within Malta; and

(ii) persons providing any service and/or performing any activity, within the context of either the VFA Act or traditional financial services legislation, in relation to DLT assets whose classification has not been determined.

The Arrival of MICA  

The European Union (“EU”) Parliament and the EU Council endorsed the EU Markets in Crypto-assets Regulation (“MiCA”) on the 20th of April 2023 and 16th of May 2023 respectively. The MiCA represents a standardised legal framework designed for crypto-asset markets within the EU. Its primary objective is to establish a unified set of regulations across the EU that govern the issuance and provision of services related to crypto assets that are not currently covered by existing financial services legislation.

This includes three main categories:

(i) Asset Referenced Tokens (“ARTs”), commonly known as stablecoins;

(ii) Electronic Money Tokens (“EMTs”); and

(iii) other types of tokens such as Bitcoin and Ether, along with various investment and utility tokens.

The introduction of the EU passporting rules will enable Crypto Asset Service Providers (“CASPs”) to operate across borders, benefitting from a simplified regulatory framework. This will help overcome the complexities associated with navigating through the diverse national regimes of the 27 different EU member states, that currently exist within the EU regulatory landscape.

Following MiCA’s endorsement by the EU Parliament and EU Council and publication in the EU Official Journal, MiCA superseded the existing legislations (including Malta's VFA framework,) that were previously endorsed by EU Member States in recent years. MiCA will be implemented in two phases: The first phase, which focuses on regulations concerning the offering of ARTs and EMTs, will take effect 12 months after MiCAs entry into force. The second phase, which establishes a new authorisation framework for Crypto Asset Service Providers (“CASPs”) operating in the EU, will come into effect after the 18-month transitional period expires (expected to be around Q4 2024). CASPs that already provide services in Europe under the current licensing regimes will benefit from grandfathering provisions, allowing them to continue operating under certain conditions. These grandfathering periods can be shortened or waived by EU Member States at their discretion.

It is worth highlighting that Malta's VFA framework was originally based on the MiFID. The fact that MiCA is also built upon this directive is significant because it implies that there are minimal discrepancies between the VFA framework and MiCA. In fact, in certain cases, Malta's current VFA framework is even more stringent than MiCA. Therefore, the impact of the MFSA revisiting the VFA framework requirements to ensure better alignment will be minimal.

Additionally, under MiCA there are certain exemptions where already licensed entities can offer crypto-assets services without needing additional authorization. To qualify for this exemption, the following licensed entities must notify the relevant regulatory authority at least 40 days before commencing such services for the first time:

(i) Credit institutions - permitted to offer all types of crypto-assets services;

(ii) Investment firms - allowed to provide crypto-assets services that are equivalent to investment services as defined by MiCA. Essentially, the only crypto-asset service that does not have an equivalent MiFID activity/service is providing transfer services for crypto-assets;

(iii) Electronic money institutions - authorized to engage in the custody and administration of crypto-assets on behalf of third parties, as well as provide transfer services for crypto-assets on behalf of third parties specifically related to the e-money tokens it issues;

(iv) Management companies of Undertakings for the Collective Investment in Transferable Securities (“UCITS”) - eligible to offer crypto-assets portfolio management services; and

(v) Alternative fund managers - granted permission for the portfolio management of crypto-assets, offering advice on crypto-assets, and receiving and transmitting orders for crypto-assets on behalf of third parties.

What else does Malta’s Fintech space have to offer?

Malta is witnessing notable investments in fintech sectors that revolve around payment and EM services. To align with EU directives such as the second Payment Services Directive 2015/2366/EU (“PSD 2”) and the EMD, the country has introduced Directive No.1 under the Central Bank Act and the FIA. Directive No.1, along with subsidiary legislation and regulations established under the FIA, effectively transposes the provisions of PSD 2 and EMD into Maltese law.

Within the FIA, PIs, and EMIs are categorised as Financial Institutions (“FIs”). Unlike banks, FIs are not permitted to engage in the "business of banking," which involves accepting deposits, borrowing or raising money from the public for lending purposes, or investing on behalf of the entity accepting the funds. However, FIs can carry out various activities, such as lending, financial leasing, providing guarantees and commitments, foreign exchange services, and money brokering. It's important to note that these activities are not harmonised across the EU and therefore do not benefit from EU passporting rules.

PIs are authorized to offer a range of payment services throughout the EU. In addition to providing payment services throughout the EU, EMIs have the additional authority to issue electronic money. Electronic money is defined under the FIA as a digital representation of value that is issued on receipt of funds for the purpose of making payment transactions, such as electronically stored monetary value, prepaid cards and electronic wallets.

E-Money Tokens (“EMTs”) and MICA  

Pursuant to the MiCA:

(i) EMIs and credit institutions can generate electronic money through EMTs. Under MiCA, while issuers are subject to regulation, EMIs and credit institutions are exempt from obtaining a new license to issue new EMTs as long as they comply with the specified formalities; and

(ii) an issuer of EMTs must be authorised as a credit institution or EMI, and it must notify the competent authority and publish a white paper.

Malta's existing laws governing EMIs have not been modified to reflect the changes introduced by MiCA. Therefore, there is no need for amendments in the FIA concerning EMIs because the EMD remains unchanged, and MiCA has direct applicability.

Peer-to-peer (P2P) Lending  

At present, there isn't a designated regulation within Maltese legislation that directly addresses the issue of peer-to-peer ("P2P") online lending. Consequently, P2P lending platforms are not subject to any exclusive regulatory duties. However, it's essential for these platforms to consider whether their unique operations might fall within the licensing requirements set out in the overarching financial services framework, particularly the FIA. Notably, engaging in licensable money-broking activities (ie, introducing counterparties that wish to deal at mutually agreed terms with respect to wholesale and retail financial products). Furthermore, persons who frequently utilise P2P platforms as lenders may find their activities classified as regulated if they engage in lending on a regular or consistent basis. Moreover, if the activity involves procuring finance via consumer deposit-taking, it becomes necessary to secure a license as stipulated under the Banking Act.

Malta’s Insurance Space 

In Malta, insurance is underwritten either by the insurance company or through intermediaries such as brokers, tied insurance intermediaries, or insurance agents. These processes are governed by relevant Maltese insurance legislation and MFSA rules, which are aligned with EU law. The Insurance Business Act (Chapter 403, Laws of Malta) (“IBA) oversees insurance operations, encompassing the implementation and execution of long-term and general insurance contracts as defined in the legislation. On the other hand, the Insurance Distribution Act (Chapter 487, Laws of Malta) (“IDA”) is applicable to individuals and entities involved in insurance distribution activities within Malta, including insurance agents, brokers, and tied insurance intermediaries.

Malta's insurance sector has also introduced innovative structures like Protected and Incorporated Cell Companies. These structures allow companies to underwrite risks through individual cells within a central company, offering a cost-effective solution and a mechanism for separating and safeguarding assets, as an alternative to establishing standalone insurance companies. The cell model is also applicable to insurance managers and brokers. Malta's well-established and distinctive legislation surrounding cell companies has attracted insurers and technology companies seeking to develop and implement solutions using blockchain, smart contracts, artificial intelligence, and machine learning. Currently, numerous insurance and reinsurance companies, intermediaries, and cells are registered in Malta, with the majority being international players and only a few companies actively operating in the local market.

Malta’s Booming Investment Services Space  

The objective of the ISA is, in part, to transpose and implement the provisions of the Alternative Investment Fund Managers Directive 2011/61/EU, the Bank Recovery and Resolution Directive 2014/59/EU, the Capital Requirements Directive 2013/36/EU, the MIFID, Markets in financial instruments Regulation 600/2014/EU and the UCITS Directive 2009/65/EC, and any EU Regulations or Directives on financial services and consequently the ISA and any regulations adopted thereunder shall be interpreted and applied accordingly.

Malta has gained a strong reputation as a sought-after destination for investment service providers, funds, and asset managers in Europe. Being a member of the European Union, Malta is home to a significant number of MiFID firms, fund managers, and administrators, making it a popular choice among fund service providers. The island currently hosts around, 145 MiFID firms, 114 Alternative Investment Funds (“AIFs”), 106 Notified AIFs, 218 Professional Investor Funds, and 114 UCITS, with a combined Net Asset Valuation of 21.2 billion.

Malta offers several legal structures for establishing funds which can be either self-managed or third-party managed with its operations being outsourced to local or foreign administrators. Additionally, collective investment schemes licensed in Malta can obtain authorisation to invest in virtual currencies through specific regulations governing this area. In this regard, the MFSA has issued rules concerning professional investor funds established to invest in DLT assets recognized as VFAs.

Crowdfunding  

Investment-based crowdfunding is regulated by a separate licensing and regulatory framework that specifically addresses crowdfunding platform service providers in accordance with the European Crowdfunding Service Providers for Business Regulation (EU) 2020/1503 (“ECSPR”). The ECSPR applies directly in Malta and mandates that entities offering crowdfunding services must obtain authorization from the MFSA.

On May 17, 2023, the Crowdfunding Service Providers Bill began its journey through Parliament, reaching the First Reading stage. This bill seeks to enact regulations outlined in the ECSPR. Its objective is to establish a regulatory framework for these service providers, referred to as CSPs, encompassing their organization, authorization, and supervision.

Privacy Laws and Cybersecurity  

There are no regulations or guidelines on the use of personal data that are specific to FinTech companies. However, Malta is bound by the General Data Protection Regulation (EU) 2016/679 which has been implemented into Maltese law by virtue of the Data Protection Act (Chapter 586, Laws of Malta).

In terms of cybersecurity, different standards are applicable to various sectors within the financial industry. Within the realm of digital assets regulated by the VFA Act, issuers and license holders are required to establish risk management policies within their cybersecurity framework.

The Digital Operational Resilience Act (“DORA”) is an EU regulation implemented to bolster cybersecurity regulations within the European Union. It was published in late 2022 and is set to be fully enforced following a 24-month implementation period. Consequently, the DORA will be adopted as law in each EU member state.

AML/CFT Laws 

The EU’s 5th AML Directive 2015/849/EU encompasses digital currencies. The 5th AML Directive has been transposed into Malta’s regulatory framework governing anti-money laundering and combatting funding of terrorism (“AML/CFT”). The framework is established by the Prevention of Money Laundering Act (Chapter 373, Laws of Malta) and the Prevention of Money Laundering and Funding of Terrorism Regulations (Chapter 373.01, Laws of Malta).

The Financial Intelligence Analysis Unit (“FIAU”), which serves as Malta's AML/CFT regulator, has issued guidance notes/implementing procedures that encompass VFA issuers, VFA service providers, and the activities related to safe custody services, even if offered by entities not licensed or authorised under the Banking Act or the Investment Services Act. These implementing procedures mandate that VFA issuers and service providers establish policies and procedures to address identified risks.

Security Token Offering or Public Offering 

When a local issuer intends to offer a virtual currency that qualifies as a financial instrument to the public, the procedure is like conducting an initial public offering. In this case, a prospectus must be prepared and submitted to the MFSA in accordance with the Prospectus Regulation 2017/1129/EU. On the other hand, if the issuance of the financial instrument does not meet the criteria for being considered an offer to the public, it is exempt from the obligation to provide a prospectus. The MFSA is presently in the process of amending its existing regulatory framework for security offerings to specifically accommodate Security Token Offerings.

It is important to note that in the case where virtual currency meets the criteria of being a financial instrument and is to be traded, it should be traded on a Regulated Market (“RM”), Multilateral Trading Facility (“MTF”), or an Organised Trading Facility (“OTF”) (together a RM, MTF and OTF are referred to as “Capital Markets”) in accordance with the traditional financial services framework as opposed to being traded on a VFA Exchange.

However, the current laws regulating Capital Markets in Malta and the EU are not tailored to accommodate emerging technologies like DLT market infrastructures. There are regulatory gaps because the legal, technological, and operational intricacies associated with using DLT and crypto-assets as financial instruments are not adequately addressed. To address these challenges, the EU has devised the Pilot Regime for Market Infrastructures based on DLT Regulation 2022/858/EU (the “DLT Pilot Regulation”) to foster the growth of DLT and crypto assets that qualify as financial instruments.

The DLT Pilot Regulation 

On a European level, the DLT Pilot Regulation created a regime in which market infrastructures can obtain exemptions from the legal obligations applied under MiFID II/MiFIR and CSDR, obligations deemed too restrictive to allow authorised financial market infrastructures using DLT to provide trading services or securities settlement, or a combination of these services, on financial instruments.

The DLT Pilot Regulation introduces three new types of DLT market infrastructures:

1. A DLT MTF operated by an investment firm or a market operator, which only admits to trading DLT financial instruments.

2. A DLT securities settlement system (“DLT SS”) operated by a central securities depository (“CSD”) that settles transactions in DLT financial instruments.

3. A DLT trading and settlement system (“DLT TSS”) refers to a DLT MTF or DLT SS that combines services by a DLT MTF or DLT SS operated by an investment firm, market operator, or CSD.

It should be noted that the pilot regime applies directly to Malta.

The MFSAs Fintech Strategy – FinTech Hub & Beyond

The MFSA is driving the long-term fintech strategy by targeting both start-ups and industry scale-ups with the aim of establishing Malta as an international FinTech hub while promoting the infusion of technology solutions in the financial world.

This strategy is based on the following six pillars:

(i) Regulations;

(ii) Ecosystem;

(iii) Architecture;

(iv) International Links;

(v) Knowledge; and

(vi) Security.

Sandboxes  

In Malta, the MFSA, the MDIA, and the MGA have established individual 'sandbox' strategies as part of their approach to fostering and managing technological innovation. Each of these sandboxes has a specific purpose, aiming to cater to different sectors and types of organisations, and they're unique in their strategies and the way they handle innovation.

The MFSA has devised a FinTech strategy that is centred on a FinTech Regulatory Sandbox. This structured environment is a space for FinTech operators to pilot their ground-breaking solutions within the financial sector, under conditions and for a predetermined timeframe. This initiative's primary objective is to stimulate lasting innovation, without compromising consumer protection. It has been designed to accommodate a host of technological solutions, including APIs, AI, machine learning, and biometrics. Since its inception, the sandbox has drawn considerable interest, receiving an array of proposals featuring diverse innovative technologies in the financial services sector, covering everything from investment service products and market infrastructures to regulatory technology solutions.

In 2019, the MGA initiated a sandbox framework to allow its licensees to examine the acceptance of cryptocurrencies and explore DLTs. The framework has seen multiple extensions, with the most recent one concluding on February 28, 2023. It initially permitted authorised entities to accept VFAs as a payment method. Later, the MGA began accepting applications for the use of ITAs, which include DLT platforms and smart contracts. It is imperative to note that gaming operators willing to engage in licensable VFA activities within the VFA sandbox framework must secure a license from the MFSA before providing such services. Alternatively, if the gaming operator decides to outsource VFA-related services, the third-party service provider is required to hold a VFA license from the MFSA.

Lastly, the MDIA has established a Technology Assurance Sandbox, known as the MDIA-TAS. This setup is specially tailored to accommodate start-ups, smaller entities, and other organisations aiming to advance their Innovative Digital Product or Service ("IDPS") responsibly.