The MFSA has launched the FinTech Regulatory Sandbox, allowing FinTech Operators to test their innovations within a regulatory environment for a specified period of time and under certain prescribed conditions. The Sandbox applies to all FinTech Service Providers and FinTech Suppliers, including start-ups, technology firms and established financial service providers that approve of technologically-enabled innovation in their business models, applications or products.

The term “FinTech Service Provider” refers to a person who is duly licensed or otherwise authorised to provide, or who intends to provide, a service or services requiring a licence or other authorisation in terms of applicable financial services legislation currently in force in Malta and who utilises FinTech in its operations. A person may not refer to itself as being a FinTech Service Provider unless duly licensed or authorised by the Authority.

On the other hand, the term “FinTech Supplier” refers to a person who provides or intends to provide a FinTech Solution which does not require any authorisation whatsoever in terms of any financial services law currently in force in Malta.

The Regulatory Sandbox is intended to target technologically-enabled financial innovation that could result in new business models, applications, processes or products with an associated material effect on financial markets and the provision of financial services.

Moreover, its objectives, which consist of supporting financial innovation, ensuring regulatory certainty and promoting knowledge sharing, are split into four categories:

  1. Innovation;
  2. Sustainability, in the sense that the MFSA will monitor Participants in order to see whether their innovations legitimately offer value to the consumer and the financial sector;
  3. Certainty, it being legal certainty within the financial services market; and
  4. Knowledge, it being an opportunity for the MFSA to enhance its capacity in regard to the regulatory implications and gaps of FinTech Solutions.

The Sandbox is open on an ongoing basis, meaning that interested Applicants can submit their Proposal to the Authority at any time they deem appropriate. The MFSA may, at its discretion, open a special purpose cohort to focus on a sector-specific Solution, after giving due notice to the public.

Sandbox participants will be designated a Participant Development Lead to act as a dedicated contact point between the Applicant and the MFSA and to provide the Applicant with the necessary regulatory guidance throughout the Sandbox lifecycle. The MFSA will also be using other regulatory tools such as toolkits, waivers and no enforcement action letters which will be applied on a case-by-case basis at the discretion of the Authority, and as applicable by legislation.

In order to apply to the Sandbox, a person must demonstrate that the Solution being provided allows for:

  1. Innovation;
  2. Need, for it to be tested in a controlled environment;
  3. Benefit (whether direct or indirect) to consumers of financial services and the financial services sector; and
  4. Readiness, meaning that the Solution is ready for testing in the Sandbox and that the Applicant has adequate resources to operate throughout the duration of the Sandbox.

Such sections need to be proven by the Applicant in the Proposal Stage, which is the first of the six stages of the Sandbox Lifecycle. During the first stage the Applicant has to give a detailed description of the Solution, as well as the testing objective/s and performance measures. The proposal is subject to a non-refundable administrative fee of EUR 500 payable to the MFSA. The process then moves on to the Selection Stage, where the Applicant will be duly notified whether he can proceed to the next stage, it being the Application Stage.

Here, we have to differentiate between FinTech Service Providers and FinTech Suppliers. The Sandbox indicates that if the Service Provider is already licensed or authorised by the MFSA under any financial services law in Malta and the proposed Solution falls within the ambit of such licence or authorisation, then the Applicant is required to apply for a variation of the licence or authorisation. If the Applicant is not so licensed or authorised, then he is required to seek authorisation in accordance with the current financial services legislation as applicable in Malta. On the other hand, if during the Sandbox lifecycle, the FinTech Supplier is carrying out any activity that requires a licence or authorisation, such person is required to seek a licence or the necessary authorisation first and has to immediately suspend such activity. Selected Applicants are also required to be fit and proper on an ongoing basis. The Fitness and Properness Assessment conducted by the Authority determines the Applicant’s Competence, Reputation, Conflicts of Interests and Independence of Mind and Time Commitment. The Selected Applicant also has to ensure that he determines the testing period (six months or twelve months), the testing objectives and performance measures, the exit strategy (either by means of Discontinuation or Continuation outside the Sandbox) and disclosures, including inter alia the regulatory status of the Applicant.

This prompts the next stage, which is the Testing Stage, where the Participant has to ensure continuity and regularity in the delivery of its Solution, while also implementing measures to protect the interest of the client. In the situation of an early termination, the Participant will immediately move to the next stage, being the Evaluation Stage, where the Participant is required to submit a report to the MFSA. Such report shall outline the performance of its Solution, while also indicating its exit strategy or, in the case where the Participant does not indicate an early termination, a request to extend the testing period to six or twelve months can be made.

Once all of this is considered, then the final stage shall take place, it being the Exit Stage, where after the Authority notifies the Participant, the Participant shall either commence its exit strategy as agreed with the MFSA in the Application Stage, or if it is possible, continue its operations within the Sandbox.

The MFSA has issued a non-exhaustive list of technological solutions which the Applicant may utilise within the Proposal:

  1. Application Programming Interfaces (APIs)
  2. Artificial Intelligence (AI)
  3. Big data
  4. Biometrics
  5. Cloud Computing
  6. Data Analytics
  7. Deep Learning
  8. Distributed Ledger Technology (DLT)
  9. Internet of Things
  10. Machine Learning
  11. Natural Language Processing
  12. New Encryption Methodologies
  13. Quantum Computing
  14. Smart Contracts
  15. Robotic Process Automation

In order to promote transparency and knowledge sharing, the Authority will be issuing a list of the participants together with a yearly report providing an aggregate overview.

Article written by Dr Cherise Abela Grech and Legal Trainee Mr Steve Vella.

For further information on how to apply for the MFSA’s Fintech Regulatory Sandbox you may contact Dr Ian Gauci on

This article is not intended to impart legal advice and readers are asked to seek verification of statements made, from an advocate or law firm, before acting on them.
