Following the issue of a consultation document which presented the Malta Financial Services Authority’s (“MFSA”) proposals on the Systems Audit and Live Replication Server requirements laid down in Chapter 3 of the Virtual Financial Assets Rulebook and subsequent feedback from the industry, the MFSA has today issued a Circular setting out amendments to such requirements in terms of Chapter 3 of the VFA rulebook.
The MFSA has also addressed feedback on other obligations emanating from the Rulebook and has taken the decision to revisit certain obligations.
1. Systems Audit
The proposed requirements for a systems audit have been altered slightly so as to ensure a fairer playing field and appropriate time for applicants to comply with the requirements set out therein. Where an applicant or licence holder either has innovative technology arrangements in place as part of its operations or operates a technological infrastructure which interacts with innovative technology arrangements in some way or form, the MFSA shall require the applicant or licence holder to appoint a Systems Auditor registered with the Malta Digital Innovation Authority (“MDIA”).
The Systems Auditor shall be responsible for reviewing and auditing the applicant’s or licence holder’s systems in line with the MDIA’s Systems Auditor Report Guidelines and Systems Auditor Control Objectives, as well as the MFSA’s Guidance Notes on Cyber Security, both at application stage and on annual basis thereafter.
Where an applicant or licence holder does not have innovative technology arrangements in place as part of its operations, the MFSA requires such applicant or licence holder to carry out an IT Audit instead of a Systems Audit. The applicant or licence holder shall ensure that its IT Auditor prepares an IT Audit Report which shall be submitted to the MFSA, both at application stage and on an annual basis thereafter. The said IT Audit Report shall also include a confirmation from the IT Auditor that the applicant or licence holder, as applicable, does not have any innovative technology arrangements in place as part of its operations and does not operate a technological infrastructure which interacts with innovative technology arrangements in some way or form.
Furthermore, entities operating under the transitory provisions of the Virtual Financial Assets (“VFA”) Act and commencing the VFA Act Services Licence application process prior to 1 February 2020 shall be required to submit the first Systems Audit Report within six (6) months from the granting of the licence or the commencement of business, as the case may be.
2. Live Replication Server
It has been determined that all applicants shall be required to establish a live replication server in line with the MDIA’s Forensic Node Guidelines, and will further fall within the scope of the respective type of audit (either Systems Audit or IT Audit).
Applicants or licence holders, as applicable, will also be required to appoint a person with the necessary seniority, skills, knowledge and experience to ensure that any request for information regarding legal compliance and the operational behaviour of the system can be acted upon satisfactorily. The person chosen to undertake such role may engage in other roles within the entity. Furthermore, the appointment of such person shall be notified to the MFSA.
The requirement to establish a Live Replication Server shall come into effect on 1 February 2020 for all operators apart from those currently operating under the transitory provisions and those commencing the licensing process prior to the stated date.
3. Fitness and Properness
Under the new Rulebook, Risk Managers and other persons effectively directing the VFA business of an applicant are no longer required to undergo the Fitness and Properness Assessment. This notwithstanding, the Authority may, on a case-by-case basis, still request that other persons which it may deem necessary undergo such assessment.
Furthermore, individuals proposed as Compliance Officers and/or Money Laundering Reporting Officers shall no longer be required to complete a course approved by the Authority prior to licensing. However, within the context of the competence assessment of such persons, the Authority notes that they are still expected to have undergone training relevant to the proposed post.
4. Exercise of European Rights
Licence holders wishing to provide, or hold themselves out as providing, VFA services in other jurisdictions will no longer be required to obtain a legal opinion from a lawyer in such other jurisdiction. The licence holder shall, however, be required to maintain a list of the countries in which it is providing, or holding itself out as providing, its services.
5. Matters requiring approval
Pursuant to the current Rulebook, licence holders are obliged to obtain the written consent of the MFSA before, inter alia, engaging any persons, whether Administrators, Senior Managers or other employees, who are engaged in portfolio management activities or the provision of investment advice. This has now been amended to a notification requirement.
6. Cybersecurity Framework
The current rules required that licence holders establish a cybersecurity framework comprising a number of policies and plans. Following internal review, it was noted that the rule was too prescriptive, and it has therefore been amended. The rule has been reworded such that licence holders are now required to ensure that their cybersecurity architecture is in line with, inter alia, any cybersecurity guidelines issued by the Authority.
7. Material in Compliance Certificates
The requirements relating to the contents of the Compliance Certificate have been revised. Compliance Certificates shall now include, inter alia:
8. Board of Administration
The requirement to have a board of administration to “define, approve and oversee a policy on the virtual financial assets and VFA Services offered or provided in accordance with the risk tolerance of the licence holder and the characteristics and needs of the clients of the licence holder to whom they will be offered or provided” has been removed.
9. The Financial Instrument Test
Following feedback from the industry, the MFSA understands that it is not always feasible for a Compliance Officer to endorse the Financial Instrument Test (“FIT”), and therefore to assume such responsibility, especially where the Compliance Officer does not have the required legal background. In this regard, the rule has been amended so that the FIT shall now be signed by the person responsible for carrying out the said test, in line with the licence holder’s business model, and counter-signed by at least one Administrator.
10. Insurance Requirements
The current prescriptive insurance requirements will be amended to read that “The licence holder shall ensure that the Professional Indemnity Insurance cover is in line with market standards and adequately covers the risks associated with the business of the licence holder.”
The updates included in the Circular will come into force on 1 February 2020.
Article written by Dr Luke Mizzi.
This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.