The Malta Financial Services Authority (MFSA) has published a Virtual Financial Assets (VFA) Rulebook specifically pertaining to the regulation of Issuers of VFAs under the Virtual Financial Assets Act (VFAA).

The Rulebook is intended to supplement the provisions of the VFAA, providing further guidance to issuers who issue or propose to issue any VFAs in or from Malta.

The salient features include the requirements for issuers, regulations relating to initial VFA Offerings (more commonly known as ICOs) and trading on DLT Exchanges, and the enforcement and sanctions that can be meted out by the Authority.

The basic principles put forward in the regulations are those binding the issuers to act in an ethical manner and in Malta’s best interest whilst always ensuring that investor protection remains of paramount importance in the carrying out of their activity. Furthermore, the Regulations bind issuers to act honestly, fairly, and professionally and to cooperate in an open and honest manner.

Requirements for Issuers and Functionaries

As a basic rule, an Issuer must be a legal person duly formed under Maltese law. In offering a VFA to trade or purchase, the issuance must be made within six months from the date of registration of the Whitepaper with the Authorities. Before issuing a DLT asset, the Issuer must undertake a financial instrument test which must be signed by the Administrators and endorsed by the VFA Agent. The MFSA shall rely on the determinations made by the Issuer and the VFA Agent insofar as the nature of the DLT asset.

The Issuer must also have a Board of Administration that is responsible for ensuring complies with these obligations. The Board shall adhere to certain rules, such as the obligation to always act honestly and in good faith and in the best interests of the Issuer and its investors, to exercise reasonable care, skill and diligence, and to continuously monitor the execution of the functions delegated to the Issuer’s functionaries, amongst others.

Issuers may also be held liable for damages incurred if resulting from willful misconduct or negligence.

An Issuer needs to appoint a Systems Auditor, a VFA Agent, an Auditor and a Money Laundering Reporting Officer (MLRO). They may also opt to appoint a Custodian for the safekeeping of assets and investors’ funds. These appointed functionaries must have sufficient knowledge and experience in the field of information technology and DLT, as well as being able to maintain sufficient knowledge and understanding of the Issuer’s business in order to ensure that their functions are discharged in a diligent manner.

Role Function & Appointment
Systems Auditor


The Systems Auditor shall be responsible for the review and audit of the Issuer’s Innovative Technology Arrangement/s. The Systems Auditor shall sign a letter of engagement with the Issuer in order to clearly define the extent of their responsibilities and the terms of their appointment as Systems Auditor.

Before appointing or replacing a Systems Auditor, the Issuer shall seek consent from the MFSA.

VFA Agent The VFA Agent shall be the point of contact between the Issuer and the MFSA. The Issuer shall ensure that all communications, meetings, notifications or submissions to the MFSA are made through such Agent. The Issuer must, at all times, collaborate openly and honestly with its VFA agent.

Before appointing or replacing a VFA Agent, the Issuer shall seek consent from the MFSA.

Custodian The Issuer shall appoint a custodian which is a legal person in possession of a licence to provide the services of a custodian under the VFAA. The Custodian must be independent from the Issuer and must have appropriate systems and controls to ensure that investors’ funds are reimbursed if the Initial VFA Offering is cancelled.

Before appointing or replacing a Custodian, the Issuer shall seek consent from the MFSA.

Auditor The Auditor shall have adequate business organisation, systems, experience and expertise to act as an auditor to an Issuer. The Auditor shall sign a letter of engagement with the Issuer in order to clearly define the extent of their responsibilities and the terms of their appointment.

The Issuer shall require its auditor to prepare a management letter in accordance with International Standards on Auditing at the end of each annual accounting period.

Before appointing an Auditor, the Issuer shall seek consent from the MFSA.

MLRO The Issuer shall appoint an MLRO who shall be a senior employee of the Issuer.


The Issuer must establish a Cyber Security Framework which shall include:

  • Information and data security roles and responsibilities
  • Access management policy
  • Sensitive data management policy
  • Threats management policy
  • Business continuity plan
  • Response and recovery plan; and
  • Security education and training

Record Keeping

The Issuer must ensure that records are kept at the disposal of the MFSA for at least 5 years in order for the Authority to monitor compliance with the requirements under these Rules. The Authority may request that such records are kept for a period of 7 years.

IT Infrastructure

The Issuer’s IT Infrastructure shall ensure:

  • Integrity and security of any data stored therein
  • Availability, traceability and accessibility of data; and
  • Privacy and confidentiality

Application to the MFSA

The infrastructure is to be located in Malta, any EU/EEA member state or any third country jurisdiction that satisfies the Authority’s requirements. Should the infrastructure be located outside of Malta or in a cloud environment, the Issuer must ensure that data is replicated through a live replication server located in Malta.

The Rules also reiterate the requirements necessary to offer a VFA from Malta or to apply for their admission to trading on a DLT Exchange. This can only take place after the drawing up of a Whitepaper which is in compliance with the VFAA and registered with the MFSA. Furthermore, at least 10 working days prior to the circulation of the whitepaper, the Issuer must submit certain documents to the MFSA. These include: the whitepaper signed by its Administrator and endorsed by the VFA Agent, a confirmation of compliance from the Systems Auditor, a copy of the Issuer’s audited annual accounts and the consolidated accounts of the Group which the Issuer is a member of (if that is the case) for the previous three years (if the Issuer has been established for a shorter period of time then the audited accounts are due on such shorter period), a certified copy of its constitutional documents; and the applicable registration fee.


The Whitepaper is to serve as a source of information on the Issuer and the proposed activities. It must also be dated, signed by the Issuer’s administrators, endorsed by the VFA agent and include a statement from the Issuer’s administrators that it complies with all regulatory requirements.

Enforcement and Sanctions

The Authority has the right to impose administrative penalties where an Issuer breaches or infringes a Rule, without recourse to a court of law, up to a maximum of €150,000. In its determination of the penalty or sanction to be imposed, the MFSA shall primarily be guided by the principle of proportionality, but shall also take into consideration other factors such as the gravity of the infringement, the degree of responsibility of the issuer, and the level of cooperation of the Issuer with the Authority, amongst others. Such Issuers have a right of appeal before the Financial Services Tribunal.

For more information on ICOsVirtual Financial AssetsBlockchainSmart Contracts and related areas please contact Dr Ian Gauci on and Dr Emma Portelli Bonnici on

Disclaimer This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.
Skip to content