Following the issue of a consultation document which presented the Malta Financial Services Authority’s (“MFSA”) proposals on the Systems Audit and Live Replication Server requirements laid down in Chapter 3 of the Virtual Financial Assets Rulebook and subsequent feedback from the industry, the MFSA has today issued a Circular setting out amendments to such requirements in terms of Chapter 3 of the VFA rulebook.

The MFSA has also addressed feedback on other obligations emanating from the Rulebook and has taken the decision to revisit certain obligations.

1. Systems Audit

The proposed requirements for a systems audit have been altered slightly so as to ensure a fairer playing field and appropriate time for applicants to comply with the requirements set out therein. Where an applicant or licence holder either has innovative technology arrangements in place as part of its operations or operates a technological infrastructure which interacts with innovative technology arrangements in some way or form, the MFSA shall require the applicant or licence holder to appoint a Systems Auditor registered with the Malta Digital Innovation Authority (“MDIA”).

The Systems Auditor shall be responsible for reviewing and auditing the applicant’s or licence holder’s systems in line with the MDIA’s Systems Auditor Report Guidelines and Systems Auditor Control Objectives, as well as the MFSA’s Guidance Notes on Cyber Security, both at application stage and on an annual basis thereafter.

Where an applicant or licence holder does not have innovative technology arrangements in place as part of its operations, the MFSA requires such applicant or licence holder to carry out an IT Audit instead of a Systems Audit. The applicant or licence holder shall ensure that its IT Auditor prepares an IT Audit Report which shall be submitted to the MFSA, both at application stage and on an annual basis thereafter. The said IT Audit Report shall also include a confirmation from the IT Auditor that the applicant or licence holder, as applicable, does not have any innovative technology arrangements in place as part of its operations or operate a technological infrastructure which interacts with innovative technology arrangements in some way or form.

Furthermore, entities operating under the transitory provisions of the Virtual Financial Assets (“VFA”) Act commencing the VFA Act Services Licence application process prior to 1 February 2020 shall be required to submit the first System Audit Report within six (6) months from the granting of licence or commencement of business as the case may be. 

2. Live Replication Server

It has been determined that all applicants shall be required to establish a live replication server in line with the MDIA’s Forensic Node Guidelines, and will further fall within the scope of the respective type of audit (either Systems Audit or IT Audit).

Applicants or licence holders, as applicable, will also be required to appoint a person with the necessary seniority, skills, knowledge and experience to ensure that any request for information regarding legal compliance and the operational behaviour of the system can be acted upon satisfactorily. The person chosen to undertake such role may engage in other roles within the entity. Furthermore, the appointment of such person shall be required to be notified to the MFSA.

The requirement to establish a Live Replication Server shall come into effect on 1 February 2020 for all operators apart from those currently operating under the transitory provisions and those commencing licensing process prior to the stated date.

3. Fitness and Properness

Under the new rulebook, Risk Managers and other persons effectively directing the VFA business of the Applicant are no longer required to undergo the Fitness and Properness Assessment. This notwithstanding, the Authority may, on a case-by-case basis, still request that other persons which it may deem necessary undergo such assessment.

Furthermore, individuals proposed as Compliance Officers and/or Money Laundering Reporting Officers shall no longer be required to complete a course approved by the Authority prior to licensing. However, and within the context of the competence assessment of such persons, the Authority notes that these are still expected to have undergone training relevant to the proposed post.

4. Exercise of European Rights 

Licence holders wishing to provide, or hold themselves out to provide VFA services in other jurisdictions will no longer be required to obtain a legal opinion from a lawyer in such other jurisdiction. Furthermore, the licence holder shall also be required to maintain a list of countries in which they are providing, or holding themselves out as providing, their services.

5. Matters requiring approval

Pursuant to the current Rulebook, licence holders are obliged to obtain the written consent of the MFSA before inter alia engaging any persons, whether Administrators, Senior Managers or other employees, who are engaged in portfolio management activities or the provision of investment advice. This has now been amended to a notification.

6. Cybersecurity Framework

The current rules required that licence holders establish a cybersecurity framework, comprising a number of policies and plans. Following internal review, it was noted that the rule was too prescriptive, and it has therefore been amended. The rule has been reworded such that licence holders are now required to ensure that their cybersecurity architecture is in line with inter alia any cybersecurity guidelines issued by the Authority.

7. Material in Compliance Certificates 

The requirements relating to the contents of the Compliance Certificate have been revised. Compliance Certificates shall now include inter alia:

  • the outcome of the Compliance Officer’s Compliance Monitoring Plan, including a list of breaches identified thereof;
  • a confirmation that all the local AML/CFT requirements have been satisfied, which should be obtained from the licence holder’s MLRO; and
  • a list of Clients against which disciplinary action has been taken by the licence holder along with a brief description of the breach, and the actions taken by the licence holder.

8. Board of Administration

The requirement to have a board of administration to “define, approve and oversee a policy on the virtual financial assets and VFA Services offered or provided in accordance with the risk tolerance of the licence holder and the characteristics and needs of the clients of the licence holder to whom they will be offered or provided” has been removed.

9. The Financial Instrument Test 

Following feedback from the industry, the MFSA understands that it is not always feasible for a Compliance Officer to endorse the Financial Instrument Test (‘FIT’), and therefore assume such responsibility, especially where one does not have the required legal background. In this regard, the rule has been amended so that the FIT shall now be required to be signed by the person responsible for carrying out the said test, in line with a licence holder’s business model, and counter-signed by at least one Administrator.

10. Insurance Requirements

The current prescriptive insurance requirements will be amended to read that “The licence holder shall ensure that the Professional Indemnity Insurance cover is in line with market standards and adequately covers the risks associated with the business of the licence holder.”

11. Supplementary Conditions 

  • The MFSA has clarified that a Systems Auditor is not required to be present at all times but is appointed solely for the purpose of carrying out the Systems Audit in relation to a licence holder’s innovative technology arrangements.
  • The rules relating to the requirements for the licence holder to create bye laws have been simplified to state that a licence holder shall issue clear and transparent bye-laws in order to ensure that any virtual financial asset being traded on its platform is being traded in a fair, orderly and efficient manner.
  • The rules relating to Custody requirements are now applicable to all licence holders. 
  • The insurance requirement relating to hot storage has now been removed.
  • The requirement for licence holders to retain their clients’ public keys has been removed since it is understood that this modus operandi may not be applicable to every licence holder providing such service.
  • The notification requirement relating to the suspension or removal of a VFA from trading has been amended so that notification shall only be required when the suspension or removal of a VFA from trading carries regulatory implications.
  • With respect to the notification requirement where a licence holder is unable to discharge its function, it has been noted that the requirement to submit such notification ‘on the day of such occurrence’ may not always be feasible, and the rule has therefore been amended to read ‘without undue delay’ instead.
  • Going forward, a list of clients against which disciplinary action has been taken by the licence holder is to be included in the Compliance Certificate. This removes the somewhat cumbersome requirement to notify the MFSA whenever disciplinary action is taken against any of its clients.
  • The conditions under which the MFSA may request the licence holder to hold additional capital are deemed too prescriptive, and as such have been removed by the MFSA.
  • Under the new rulebook, the licence holder shall acknowledge receipt to the Client of all money received in connection with a virtual financial asset or VFA Service and that any charge or fee imposed shall be disclosed separately.
  • The MFSA has amended the definition of ‘Experienced Investor’ found in the Glossary to cater for both Initial VFA Offerings as well as licence holders. 
  • The rules prohibiting licence holders that provide investment advice or portfolio management from accepting and retaining fees, commissions or any monetary or non-monetary benefits paid or provided by any third party or a person acting on behalf of a third party in relation to the provision of VFA Services to Clients have been extended to all licence holders.

The updates included in the Circular will come into force on 1 February 2020.

Article written by Dr Luke Mizzi.

For more information on Virtual Financial Assets please contact Dr Ian Gauci, Dr Terence Cassar or Dr Luke Mizzi.

This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.
