The approval of the Markets in Crypto-Assets Regulation (MiCAR) has been hailed as a milestone for the regulation of crypto-assets, not simply because it aims to propel the European Union block as a prime regulator in this sector but notably as, on a global level, it constitutes the most advanced piece of legislation on crypto-assets to date.

MiCAR will provide a harmonised approach to this regulatory regime across the EU. Crypto-asset service providers (CASPs) will thus benefit from the important principle of passporting which significantly reduces regulatory and administrative burdens and costs to operate throughout the EU.

Entities seeking to be authorised as CASPs are required to have a registered office in a Member State where they carry out at least part of their crypto-asset services, with at least one director being resident in the EU.

However, while the application process will be the same across the EU Member States, are all EU regulatory authorities equal when it comes to the implementation of MiCAR?

Navigating the Uncharted Crypto Regulatory Sphere

In 2018, Malta introduced an innovative legal framework regulating:

  • virtual currencies (defined as “virtual financial assets” or VFAs);
  • distributed ledger technologies (DLTs), including blockchains;
  • initial coin offerings (ICOs, referred to under the framework as “initial VFA offerings” or IVFAOs);
  • VFA service providers;
  • innovative technology arrangements (ITAs), such as smart contracts; and
  • innovative technology service providers (ITSPs).

The VFA framework was recognised as an innovative body of laws and the first of its kind worldwide. Through the years since its implementation, Malta has proven to be a primary jurisdiction for issuers and service providers seeking to conduct their token issue or offer their crypto services from an established and law-abiding jurisdiction.

The Malta Financial Services Authority (MFSA) introduced a comprehensive body of rules to enhance the VFA Act and its Regulations, offering clear guidelines to issuers, service providers as well as collective investment schemes seeking to invest in VFAs, while also ensuring important principles of market integrity and consumer protection are observed.

The regime also sought to go beyond the provisions of the 5th AML Directive; this was intended not only to provide a proper AML framework for those issuing or offering services in relation to crypto-assets, but also to ensure that Maltese AML laws remain abreast of ever-evolving technologies and the ways in which such technologies could be used for money laundering and the funding of terrorism.

As the EU set out to draft its own crypto-assets framework, it was thus humbling for the Maltese regulator to note that the majority of the VFA framework is now emulated in the body of MiCAR.

Thus, while some EU regulatory authorities have only just started familiarising themselves with the concepts and implications of the MiCAR regime, the MFSA’s level of experience in guiding and authorising crypto issuers and service providers, as well as the similarities between the VFA Act and MiCAR, place the MFSA in a prime position to guide and authorise prospective CASPs and crypto-asset issuers.

Indeed, the similarities between the VFA Act and MiCAR also place Maltese authorised VFA Service Providers in an advantaged position as their transition from a VFA Service Provider to a CASP will be a seamless one.

Since the majority of EU Member States offered a mere registration process or a light regulatory regime (compared to the MFSA’s licensing regime), entities previously registered in such jurisdictions which intend to continue offering crypto-asset services in the EU following the coming into force of MiCAR, face a time-crunch as they seek to ensure they will be duly authorised to continue providing such services within MiCAR’s set timelines. Such entities may also face delays as they seek guidance and authorisation from regulators that to date have had little or no experience in the crypto-assets sector.

Entities which haven’t yet started making the necessary considerations and plans to align with MiCAR’s full implementation by 30th December 2024 are thus advised to consider their choice of EU home Member State wisely.

The Use of Sandboxes as a Helping Hand for Operators

Malta has always had a “first-country” approach to innovative technologies, and it has invested in continued development within numerous technological sectors.  Different regulators have also introduced different types of regulatory sandboxes to attract further interest from the fintech sector.

The MFSA launched its own Fintech Regulatory Sandbox in 2020, allowing fintech operators to test their innovations within a regulatory environment for a specified period of time and under certain prescribed conditions. The sandbox is open to fintech service providers and fintech suppliers, accepting start-ups, technology firms and established financial services providers that approve of technologically enabled innovation in their business models, applications or products.

The regulatory sandbox targets technologically-enabled financial innovation that could result in new business models, applications, processes or products with an associated material effect on financial markets and the provision of financial services.

Since its launch, the sandbox has seen increased interest, with numerous proposals received with diverse innovative technologies for financial services, covering a range of investment service products, market infrastructures and regtech solutions.

In 2021, the Malta Digital Innovation Authority (MDIA) also launched the Technology Assurance Sandbox (MDIA-TAS) to complement its full certification framework for Innovative Technology Arrangements (ITAs). It is a key utility for start-ups and smaller companies developing solutions based on innovative technologies, by providing a safe environment to develop their technological solutions. The MDIA-TAS ensures that regulatory certainty can be given to ITAs developed by small entities and that a balance is reached between maintaining full certification and the adopted high-barrier entry approach, while addressing financial and technical barriers for smaller entities.

Another authority that implemented an equally important sandbox is the Malta Gaming Authority (MGA). The MGA launched a sandbox framework for the acceptance of cryptocurrencies and DLT through its licenses back in 2019. In January 2023, this was replaced with an updated policy on DLTs, regulating the inclusion of DLT assets, ITAs and smart contracts to fully strengthen the role of DLT in the gaming sphere. Gaming operators thus require prior approval from the MGA before accepting DLT assets.

DORA’s Important Role

The EU’s Digital Operational Resilience Act (DORA) has the potential of changing the financial services industry, compelling licensed entities and their management to fully comprehend how their IT systems function.

DORA sets uniform requirements for the security of network and information systems of companies and organisations operating in the financial sector as well as critical third parties which provide ICT-related services to them, such as cloud platforms or data analytics services. Within DORA’s aim to increase digital operational resilience, new requirements oblige certain financial entities to conduct advanced testing based on threat-led penetration testing (TLPT), thus requiring all EU member states to follow the TIBER-EU framework. Specifically, DORA requires authorities to identify financial entities subject to the obligation to perform TLPT.

DORA will force financial institutions and their management to consider ICT-related risks as a dynamic part of their existence where they should do their utmost to mitigate and reduce this risk throughout their existence as reasonable and prudent operators. This ‘outcome-based’ regulation not only imposes specific obligations and processes, but also focuses on principles and the results which the legislator aims to achieve, with the ultimate focus being the safety of the financial services industry, its members and users, and the prevention and mitigation of cyber threats.

Having foreseen the importance DORA would have on the financial services industry, the MFSA has long implemented guidelines, built on DORA’s principles, which were aimed not only to guide and reinforce Maltese financial services licensees, but also to prepare them for DORA’s eventual implementation. Indeed, while DORA will apply as from January 2025, it can be said that Maltese licensees and critical third parties are already at advanced stages in their implementation of its principles.

This is further enhanced by the role played by the MDIA, which, being ahead of its time, is able to quickly react given the broad spectrum of regulatory tools it has developed and which are at its disposal.

Malta as a Jurisdiction of Choice

Malta has cemented itself as a leader among EU Member States, not only in the crypto-assets field, but as a jurisdiction which continues to prioritise the Fintech sector as a whole.

As the final implementation date for MiCAR draws nearer, it is thus imperative that CASPs seek proper guidance from experienced regulators and advisors to ensure they remain abreast of ongoing changes, as well as wary of the licensing requirements and applicable timelines.

This article was first published in the FinanceMalta Insight Newsletter Highlights – Issue 1 2024.

Disclaimer This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.
Skip to content