MALTA: An Introduction to FinTech Legal

Background 

Malta’s emergence as a top fintech hub can be attributed to its success in attracting a high number of electronic money institutions (EMIs), payment institutions (PIs), and iGaming companies to the island. Being a member of the European Union (EU), Malta permits straightforward passporting of harmonised financial services and offers favourable tax rates, effectively charging 5% tax for trading companies and 0% for holding companies for non-resident shareholders.

Malta’s attractiveness is further underscored by its favourable tax regime which, because of its extensive double tax treaty network, allows investors to achieve considerable fiscal efficiency when using Malta as a base. Malta is home to an English-speaking populace and a talented pool of tech and finance professionals. The country also offers an uncomplicated process for bringing in overseas talent.

In the digital sphere, Malta has earned a remarkable reputation, as can be witnessed by its rankings in the 2023 Digital Economy and Society Index. Malta is the only country to have 100% coverage for Fixed Very High-Capacity Network and is one of two countries to have 100% 5G coverage. Malta also ranks first in Big Data, fourth in digital public services for businesses, and sixth in SMEs with at least a basic level of digital intensity.

What Does Malta’s Virtual Financial Assets (VFA) Framework Currently Look Like?

Malta’s robust digital ecosystem has made it well-positioned to capitalise on the expansion of distributed ledger technology (DLT) within its fintech industry. The country has taken proactive measures and was one of the first in Europe to enact dedicated legislation concerning cryptocurrencies and DLT, which emphasised the protection of consumers, the integrity of the market and the stability of the financial system. Consequently, Malta is now widely recognised as the “blockchain island”. The legal framework governing DLT and cryptocurrency services in Malta comprises three laws:

• the Malta Digital Innovation Authority Act (MDIAA);

• the Innovative Technology Arrangements and Services Act (ITASA); and

• the Virtual Financial Assets Act (VFAA). 

The MDIAA establishes the Malta Digital Innovation Authority (MDIA), which assumes oversight of the ITASA and holds the responsibility of promoting, regulating and certifying innovative technology arrangements and technology service providers. Certifications issued by the MDIA remain valid for two years.

On the other hand, the ITASA facilitates the registration of technology service providers and the certification of technology arrangements, including smart contracts, decentralised autonomous organisations (DAOs), and components of distributed or decentralised ledger technologies, with blockchain being a prominent example.

What Does the VFAA Regulate?  

The VFAA regulates what is commonly referred to as cryptocurrencies. However, Maltese law does not employ the specific term “cryptocurrencies”. Instead, it utilises the term VFA. The Malta Financial Services Authority (MFSA) is the sole regulator in Malta for financial services, VFA services, and initial coin offerings (ICOs). In the VFA framework, these ICOs are referred to as initial virtual financial asset offerings (IVFAOs) alongside the regulation of VFA services.

According to the VFAA, certain requirements must be met by persons intending to engage in specific activities. Firstly, if someone wishes to launch an IVFAO to issue a VFA from or within Malta, they are obligated to register a White Paper with the MFSA. Secondly, anyone intending to provide a VFA service in or from Malta must obtain a licence from the MFSA before commencing their operations.

The VFAA encompasses a wide range of VFA service providers and services associated with VFAs. These services include activities such as:

• reception and transmission of orders;

• execution of orders on behalf of other persons;

• dealing on own account;

• portfolio management;

• custodian or nominee services;

• investment advice;

• placing of virtual financial assets;

• the operation of a VFA exchange; and

• transfer of virtual financial assets.

Malta’s Financial Instrument Test (aka Token Classification Test)

The MFSA has introduced a financial instrument test with the objective of determining whether a DLT asset, based on its specific features, is encompassed under the existing EU legislation and the corresponding national legislation or under the Virtual Financial Assets Act, or whether it is otherwise exempt.

Specifically, the test will determine whether a DLT asset qualifies as:

• electronic money (EM) as defined under the Financial Institutions Act (Chapter 376 Laws of Malta) (FIA) which transposes the second Electronic Money Directive 2009/110/EC (EMD2);

• a financial instrument (FI) as defined under the Investment Services Act (Chapter 370 laws of Malta) (ISA) which transposes the Markets in Financial Instruments Directive 2014/65/EU (MiFID); or

• a virtual token (VT) (ie, a utility token) or a VFA (ie, a DLT asset that is not EM, a FI or a VT) as defined under the VFA Act.

The test is applicable to:

• issuers offering DLT assets to the public or wishing to admit such DLT assets on a DLT exchange in or from within Malta; and

• persons providing any service and/or performing any activity, within the context of either the VFA Act or traditional financial services legislation, in relation to DLT assets whose classification has not been determined.

The Arrival of MiCA  

The EU Markets in Crypto-Assets Regulation (MiCA) entered into force on 29 June 2023, precisely 20 days following its publication in the Official Journal of the EU. MiCA represents a standardised legal framework designed for crypto-asset markets within the EU. Its primary objective is to establish a unified set of regulations across the EU that govern the issuance and provision of services related to crypto-assets that are not currently covered by existing financial services legislation.

This includes three main categories:

• asset-referenced tokens (ARTs), commonly known as stablecoins;

• electronic money tokens (EMTs); and

• other types of tokens such as Bitcoin and Ether, along with various investment and utility tokens.

The introduction of the EU passporting rules will enable crypto-asset service providers (CASPs) to operate across borders, benefitting from a simplified regulatory framework. This will help overcome the complexities of the current EU regulatory landscape associated with navigating through the diverse national regimes of the 27 different EU member states.

Following its endorsement by the EU Parliament and EU Council, and publication in the EU Official Journal, MiCA superseded the existing legislations (including Malta’s VFA framework,) that were previously endorsed by EU member states in recent years. MiCA will be implemented in two phases:

�� the first phase, which focuses on regulations concerning the offering of ARTs and EMTs, will take effect 12 months after MiCA’s entry into force; and

• the second phase, which establishes a new authorisation framework for CASPs operating in the EU, will come into effect after the 18-month transitional period expires (expected to be around Q4 2024).

CASPs that already provide services in Europe under the current licensing regimes will benefit from grandfathering provisions, allowing them to continue operating under certain conditions. These grandfathering periods can be shortened or waived by EU member states at their discretion.

It is worth highlighting that Malta’s VFA framework was originally based on the MiFID. The fact that MiCA is also built upon this directive is significant because it implies that there are minimal discrepancies between the VFA framework and MiCA. In fact, in certain cases, Malta’s current VFA framework is even more stringent than MiCA. Therefore, the impact of the MFSA revisiting the VFA framework requirements to ensure better alignment will be minimal. To ensure a smooth transition for VFA service providers, the authority has already taken steps to align the VFA framework to the MiCA prior to its date of application, by issuing, on 18 September 2023, a draft updating Chapter 3 as applicable to VFA service providers for consultation. A summary of the proposed amendments, which have been reflected in the draft version of the rulebook attached to this communication, may be found below.

Additionally, under MiCA there are certain exemptions where already licensed entities can offer crypto-asset services without needing additional authorisation. To qualify for this exemption, the following licensed entities must notify the relevant regulatory authority at least 40 days before commencing such services for the first time.

• Credit institutions – permitted to offer all types of crypto-asset services.

• Investment firms – allowed to provide crypto-asset services that are equivalent to investment services as defined by MiCA. Essentially, the only crypto-asset service that does not have an equivalent MiFID activity/service is that providing transfer services for crypto-assets.

• EMIs – authorised to engage in the custody and administration of crypto-assets on behalf of third parties, as well as to provide transfer services for crypto-assets on behalf of third parties specifically related to the e-money tokens it issues.

• Management companies of undertakings for collective investment in transferable securities (UCITS) – eligible to offer crypto-asset portfolio management services.

• Alternative fund managers – granted permission for the portfolio management of crypto-assets, offering advice on crypto-assets, and receiving and transmitting orders for crypto-assets on behalf of third parties.

What Else Does Malta’s Fintech Space Have to Offer?

Malta is witnessing notable investments in fintech sectors that revolve around payment and EM services. To align with EU Directives such as the second Payment Services Directive 2015/2366/EU (PSD2) and EMD2, the country has introduced Directive No 1 under the Central Bank Act and the FIA. Directive No 1, along with subsidiary legislation and regulations established under the FIA, effectively transposes the provisions of PSD2 and EMD2 into Maltese law.

Within the FIA, PIs and EMIs are categorised as financial institutions (FIs). Unlike banks, FIs are not permitted to engage in the “business of banking”, which involves:

• accepting deposits;

• borrowing or raising money from the public for lending purposes; or

• investing on behalf of the entity accepting the funds. 

However, FIs can carry out various activities, such as:

• lending;

• financial leasing;

• providing guarantees and commitments;

• foreign exchange services; and

• money brokering.

It is important to note that these activities are not harmonised across the EU and therefore do not benefit from EU passporting rules.

PIs are authorised to offer a range of payment services throughout the EU. In addition to providing payment services throughout the EU, EMIs also have the authority to issue electronic money. Electronic money is defined under the FIA as a digital representation of value that is issued on receipt of funds to make payment transactions, such as electronically stored monetary value, prepaid cards and electronic wallets.

E-Money Tokens (EMTs) and MiCA  

The following applies pursuant to MiCA.

• EMIs and credit institutions can generate electronic money through EMTs. Under MiCA, while issuers are subject to regulation, EMIs and credit institutions are exempt from obtaining a new licence to issue new EMTs as long as they comply with the specified formalities.

• An issuer of EMTs must be authorised as a credit institution or EMI, and must notify the competent authority and publish a White Paper. 

Malta’s existing laws governing EMIs have not been modified to reflect the changes introduced by MiCA. Therefore, there is no need for amendments in the FIA concerning EMIs as the EMD2 remains unchanged, and MiCA has direct applicability.

The Anticipation of PSD3, PSR and FIDAR  

On 28 June 2023, the European Commission (the “Commission”) proposed a legislative overhaul merging PSD2 and EMD2 into a unified framework, introducing the Third Payment Services Directive (PSD3) and the EU Payment Services Regulation (PSR). Simultaneously, the Commission introduced the Regulation on a Framework for Financial Data Access (FIDAR), focusing on financial data access beyond payment accounts.

FIDAR aims to establish clear obligations, featuring specialised data access interfaces and eliminating the need for dual access interfaces in banks. This represents a substantial step towards comprehensive “open finance”. The proposed changes target:

• user protection;

• open banking competitiveness;

• harmonisation across EU member states; and

• improved access for non-bank payment service providers.

The new payment services package will introduce technical and regulatory standards, subject to evaluation by the European Parliament and the Council, with amendments expected by 2025. Preparatory measures are advised for PSPs anticipating changes, including licence reapplications and updates to documentation and procedures to align with evolving regulatory expectations.

Peer-to-Peer (P2P) Lending  

At present, there is no designated regulation in Maltese legislation that directly addresses the issue of peer-to-peer (P2P) online lending. Consequently, P2P lending platforms are not subject to any exclusive regulatory duties. However, these platforms need to consider whether their unique operations might fall within the licensing requirements set out in the overarching financial services framework (particularly the FIA), and notably when engaging in licensable money-broking activities (ie, introducing counterparties that wish to deal on mutually agreed terms concerning wholesale and retail financial products).

Furthermore, persons who frequently utilise P2P platforms as lenders may find their activities classified as regulated if they engage in lending on a regular or consistent basis. Moreover, if the activity involves procuring finance via consumer deposit-taking, it becomes necessary to secure a licence as stipulated under the Banking Act.

Malta’s Insurance Space  

In Malta, insurance is underwritten either by the insurance company or through intermediaries such as brokers, tied insurance intermediaries or insurance agents. These processes are governed by relevant Maltese insurance legislation and MFSA rules, which are aligned with EU law. The Insurance Business Act (Chapter 403, Laws of Malta) (IBA) oversees insurance operations, encompassing the implementation and execution of long-term and general insurance contracts as defined in the legislation. Conversely, the Insurance Distribution Act (Chapter 487, Laws of Malta) (IDA) applies to individuals and entities involved in insurance distribution activities within Malta, including insurance agents, brokers and tied insurance intermediaries.

Malta’s Investment Services Space  

The objective of the ISA is, in part, to transpose and implement the provisions of:

• the Alternative Investment Fund Managers Directive 2011/61/EU;

• the Bank Recovery and Resolution Directive 2014/59/EU;

• the Capital Requirements Directive 2013/36/EU;

• the MiFID;

• the Markets in Financial Instruments Regulation 600/2014/EU; and

• the UCITS Directive 2009/65/EC.

Any EU Regulations or Directives on financial services, and consequently the ISA and any regulations adopted thereunder, shall be interpreted and applied accordingly.

Malta has gained a strong reputation as a sought-after destination for investment service providers, funds and asset managers in Europe. Being a member of the EU, Malta is home to a significant number of MiFID firms, fund managers and administrators, making it a popular choice among fund service providers. In this regard, the MFSA has issued rules concerning professional investor funds established to invest in DLT assets recognised as VFAs.

Crowdfunding  

Investment-based crowdfunding is regulated by a separate licensing and regulatory framework that specifically addresses crowdfunding platform service providers in accordance with the EU’s Crowdfunding Service Providers for Business Regulation (EU) 2020/1503 (ECSPR). The ECSPR applies directly in Malta and mandates that entities offering crowdfunding services must obtain authorisation from the MFSA.

On 14 July 2023, the Crowdfunding Service Providers Act (Act No XXV of 2023) was officially enacted to align with the provisions of the ECSPR. Intended to be interpreted alongside the ECSPR, and with any implementing and regulatory technical standards derived from it, the MFSA issued the Crowdfunding Rules on 25 January 2022. These rules are designed to offer additional specifics regarding the stipulations outlined in the Regulation.

Privacy Laws and Cybersecurity 

There are no regulations or guidelines on the use of personal data that are specific to fintech companies. However, Malta is bound by the General Data Protection Regulation (EU) 2016/679, which has been implemented into Maltese law by virtue of the Data Protection Act (Chapter 586, Laws of Malta).

The Digital Operational Resilience Act (DORA) aims to establish a regulatory framework requiring financial institutions to ensure their resilience, responsiveness and recovery capabilities in the face of various ICT-related disruptions and threats. The primary goal is to proactively prevent and reduce the impact of cyber threats. It was published in late 2022 and is set to be fully enforced following a 24-month implementation period. Consequently, DORA will be adopted as law in each EU member state.

The MFSA’s most recent Circular, released on September 5th, holds significance for the leadership of financial entities. This is particularly notable concerning the benchmarking exercise, an activity that the authority expects financial entities to have completed by this point in their preparations towards achieving compliance with DORA.

AML/CFT Laws 

The EU’s Fifth AML Directive 2015/849/EU encompasses digital currencies. The Fifth AML Directive has been transposed into Malta’s regulatory framework governing anti-money laundering and combating funding of terrorism (AML/CFT). The framework is established by the Prevention of Money Laundering Act (Chapter 373, Laws of Malta) and the Prevention of Money Laundering and Funding of Terrorism Regulations (Chapter 373.01, Laws of Malta).

The Financial Intelligence Analysis Unit (FIAU), which serves as Malta’s AML/CFT regulator, has issued guidance notes/implementing procedures that encompass VFA issuers, VFA service providers and the activities related to safe custody services, even if offered by entities not licensed or authorised under the Banking Act or the Investment Services Act. These implementing procedures mandate that VFA issuers and service providers establish policies and procedures to address identified risks.

Security Token Offering or Public Offering  

When a local issuer intends to offer a virtual currency that qualifies as a financial instrument to the public, the procedure is similar to conducting an initial public offering. In this case, a prospectus must be prepared and submitted to the MFSA in accordance with the Prospectus Regulation 2017/1129/EU. On the other hand, if the issuance of the financial instrument does not meet the criteria for being considered an offer to the public, it is exempt from the obligation to provide a prospectus. The MFSA is presently in the process of amending its existing regulatory framework for security offerings to specifically accommodate security token offerings.

It is important to note that in the case where virtual currency meets the criteria of being a financial instrument and is to be traded, it should be traded on a regulated market (RM), multilateral trading facility (MTF) or an organised trading facility (OTF) (together referred to as “Capital Markets”) in accordance with the traditional financial services framework, as opposed to being traded on a VFA exchange.

However, the current laws regulating Capital Markets in Malta and the EU are not tailored to accommodate emerging technologies such as DLT market infrastructures. There are regulatory gaps as the legal, technological and operational intricacies associated with using DLT and crypto-assets as financial instruments are not adequately addressed. To address these challenges, the EU has devised the Pilot Regime for Market Infrastructures based on DLT Regulation 2022/858/EU (the “DLT Pilot Regulation”) to foster the growth of DLT and crypto-assets that qualify as financial instruments.

The DLT Pilot Regulation 

On a European level, the DLT Pilot Regulation created a regime in which market infrastructures can obtain exemptions from the legal obligations applied under MiFID II/MiFIR and CSDR, obligations deemed too restrictive to allow authorised financial market infrastructures using DLT to provide trading services or securities settlement, or a combination of these services, on financial instruments.

The DLT Pilot Regulation introduces three new types of DLT market infrastructures:

• a DLT MTF operated by an investment firm or a market operator, which only admits to trading DLT financial instruments;

• a DLT securities settlement system (DLT SS) operated by a central securities depository (CSD) that settles transactions in DLT financial instruments; and

• a DLT trading and settlement system (DLT TSS), which refers to a DLT MTF or DLT SS that combines services by a DLT MTF or DLT SS operated by an investment firm, market operator or CSD.

It should be noted that the pilot regime applies directly to Malta.

The MFSA’s Fintech Strategy – Fintech Hub and Beyond

The MFSA is driving long-term fintech strategy by targeting both start-ups and industry scale-ups to establish Malta as an international fintech hub, while promoting the infusion of technology solutions into the financial world.

This strategy is based on the following six pillars:

• regulations;

• ecosystem;

• architecture;

• international links;

• knowledge; and

• security.

Sandboxes  

In Malta, the MFSA, MDIA and MGA have established individual “sandbox” strategies as part of their approach to fostering and managing technological innovation.

In 2019, the MGA initiated a sandbox framework to initially permit MGA-licensed operators to accept VFAs as a payment method. Later, the MGA began accepting applications for the use of ITAs, which include DLT platforms and smart contracts. On 30 January 2023, the MGA issued a fresh policy regarding the utilisation of DLT and the endorsement of cryptocurrency by its licensed operators, replacing the existing sandbox framework.

The MFSA has devised a fintech strategy that is centred on a fintech regulatory sandbox. This structured environment is a space for fintech operators to pilot their ground-breaking solutions within the financial sector, under conditions and for a predetermined timeframe. It has been designed to accommodate a host of technological solutions, including APIs, AI, machine learning and biometrics.

Lastly, the MDIA has established a technology assurance sandbox, known as the MDIA-TAS. This setup is specially tailored to accommodate start-ups, smaller entities and other organisations aiming to advance their innovative digital product or service (IDPS) responsibly.