The Malta Financial Services Authority’s (“MFSA”) recent Dear CEO Letter on preparedness for the third edition of the Payment Services Directive (“PSD3”) is a supervisory communication about forthcoming regulatory change. Read more practically, it is a reminder that PSD3 should not be approached as a simple policy-mapping exercise; it calls for readiness for reorganisation. For Maltese Payment Institutions (“PI”) and Electronic Money Institutions (“EMI”), the transition to PSD3 will require more than familiarity with the new legislative text. It will require financial institutions to consider whether their governance arrangements, safeguarding measures, ICT resilience, business continuity planning, and wind-up arrangements are sufficiently developed to support a smooth reauthorisation process.
This is because the proposed payment services package is expected to alter the regulatory footing of existing licence holders. The proposed framework separates matters currently dealt with under the second edition of the Payment Services Directive (“PSD2”) into two instruments:
PSD3 also brings PIs and EMIs into a single authorisation framework. For firms already operating in Malta, the key point is not simply that the rulebook is changing, but that existing authorisations must be reassessed against the actual business being conducted. This is coupled with the classification exercise that EMIs should already have undertaken in the wake of the CJEU ruling in ABC Projektai UAB v Lietuvos bankas.
Importantly, these requirements also extend to Crypto-Asset Service Providers (“CASPs”) that have already obtained, or are in the process of seeking, a PI licence for the purpose of offering the custody and/or transfer of E-Money Tokens (EMTs). Even if such CASPs do not seek to provide additional (non-DLT related) payment services, they remain fully subject to the changes being introduced through PSD3 and the PSR.
The MFSA expects the reauthorisation process to be more of a substantive exercise with set expectations to be met. Boards are expected to understand the implications of PSD3, financial institutions are expected to undertake and document a gap analysis, implementation plans are to be approved at board level, and institutions are encouraged to monitor the development of the forthcoming Regulatory Technical Standard on authorisation and registration and, where appropriate, seek external expertise to support their preparations. In practical terms, this requires PIs and EMIs to move beyond asking whether their policies refer to the right legal provisions, because the more useful question is whether the institution can demonstrate that it is genuinely prepared to operate under the new framework.
This places PSD3 preparedness firmly within the remit of the board and senior management to show that regulatory change is being absorbed at decision-making level. It should not be viewed as a matter reserved solely for the compliance function, nor as an exercise to be addressed only once the final legislative text is published. A properly engaged board will need to understand how PSD3 affects the institution’s business model, its internal allocation of responsibility, its risk appetite and the resources required to achieve compliance. In this sense, the board’s role is not merely to be informed of PSD3 developments, but to be able to show that it has considered them in a structured and commercially meaningful way.
An area where the practical implications of PSD3 are particularly evident is safeguarding. The MFSA highlights requirements relating not only to the safeguarding of clients’ funds, but also to transparency on how those funds are safeguarded, the applicable insolvency law, the jurisdiction in which claims would need to be raised, and the management of concentration risk where funds are held with credit institutions. These are not merely operational details; they affect the rights and expectations of payment services users and shape the way institutions communicate and manage their relationship with customers. A financial institution’s safeguarding arrangements, customer disclosures, contractual terms, banking relationships, and reconciliation processes should therefore tell a consistent story.
The same approach applies to ICT resilience and business continuity. Although DORA is already applicable and many institutions should therefore have undertaken significant work in this area, PSD3 brings those arrangements back into focus for payment institutions and electronic money institutions. The MFSA’s letter expressly links PSD3 preparedness with arrangements for the use of ICT services, incident reporting mechanisms, ICT business continuity plans and ICT response and recovery plans. The point is therefore not that PIs and EMIs should treat ICT resilience as a new compliance project, but that they should be able to show how their existing DORA framework supports their continued authorisation under PSD3.
PSD3 preparedness also requires institutions to look at a less comfortable but important question: what happens if the business can no longer continue operating in an orderly manner? The MFSA’s letter refers to the new requirement for a winding-up plan under PSD3, including arrangements for the return of safeguarded funds in the event of a disorderly wind-up. This is significant because a credible wind-up plan is not simply an insolvency document prepared for a remote scenario. It should reflect how the institution would protect users, reconcile funds, communicate with stakeholders, preserve records, and manage dependencies on third-party providers if difficulties arise. In that sense, planning for adverse scenarios becomes part of demonstrating that the business is being operated responsibly.
The institutions best placed for PSD3 will not be those that wait for the final text and then react quickly. They will be those that use the transition period to test whether their legal, governance, operational and contractual arrangements are already capable of supporting the business they conduct. The MFSA’s Dear CEO Letter should therefore be read less as an administrative reminder and more as an invitation for financial institutions to look at their own readiness.
Author: Dr Neil Gauci