Following the issue of a Consultation Document (the 'Consultation Document'), on the 15th October 2019, presenting the MFSA's proposals on the Systems Audit and Live Replication Server requirements laid down in Chapter 3 of the Virtual Financial Assets Rulebook and subsequent feedback from participants and interested parties, the MFSA, has, on the 10th December 2019, issued a Circular aimed at revisiting certain obligations and setting out amendments to such requirements in terms of Chapter 3 of the VFA rulebook.
The Circular addresses and revisits the following obligations:
- Systems Audit
The proposed requirements have been altered slightly so as to ensure a fair playing field and an appropriate time for applicants to comply with the requirements set out in the Consultation Document.
Where an applicant or Licence Holder has an Innovative Technology Arrangement ('ITA') in place, as part of its operations or operates a technological infrastructure which interacts with an ITA in some way or another, the Authority shall require the said applicant to appoint a Systems Auditor registered with the Malta Digital Innovation Authority ('MDIA') as of the 1st February 2020.
Where an applicant or Licence Holder, does not have an ITA in place as part of its operations or operate a technological infrastructure which interacts with an ITA in some way or form, the Authority requires the applicant or Licence Holder to carry out an IT Audit instead of a Systems Audit.
Entities operating under the transitory provisions of the Virtual Financial Assets Act (Chapter 590 of the Laws of Malta) or commencing VFA Services Licence Application process prior to 1st February 2020, shall be required to submit the first Systems Audit Report or the IT Audit Report, within six month from the granting of licence or commencement of business, as the case may be.
- Live Replication Server
The Authority requires that all applicants are to establish a live replication server in line with the MDIA's Forensic Node Guidelines and shall further fall within the scope of the relevant type of audit, either being Systems Audit or IT Audit.
Furthermore, applicants or Licence Holders, shall be required to appoint a person having the necessary seniority, knowledge and experience in order to ensure satisfactory operational behaviour and information regarding legal compliance.
On the 1st February 2020, the requirement to establish a Live Replication Server shall come into force for all operators apart from those currently operating under the transitory provisions and those commencing licensing process prior to the stated date.
- Fitness and Properness
Risk Managers and other persons effectively directing the VFA business of the Applicant are no longer required, by default, to undergo the Fitness and Properness Assessment. The Authority may still on a case-by-case basis, request that other persons (which it may deem necessary) undergo such an assessment.
Moreover, Compliance Officers and/or Money Laundering Reporting Officers, shall no longer be required to complete a course approved by the Authority prior to licensing. However, with regards to the competence assessment of such persons, the Authority notes that these are still expected to have undergone training relevant to their post.
- Exercising a European Right
Licence Holders wishing to provide or hold themselves out to provide VFA services in other jurisdictions, will no longer be required to obtain a legal opinion from a lawyer in such other jurisdiction. The Licence Holder shall also be required to maintain a list of countries in which they are providing or holding themselves out as providing, their services.
- Matters requiring Approval
Licence Holders are obliged to obtain the written consent, of the MFSA before inter alia engaging any persons, whether Administrators, Senior Managers or other employees, who are engaged in portfolio management activities or the provision of investment advice. This has been amended to a notification.
Licence Holders are now required to ensure that their cybersecurity architecture is in line with inter alia any cybersecurity guidelines issued by the Authority, as opposed to the current rules requiring Licence Holders to establish a cybersecurity framework, comprising of several policies and plans.
Board of Administration
The requirement to have a board of administration to "define, approve and oversee a policy on the virtual financial assets and VFA Services offered or provided in accordance with the risk tolerance of the licence holder and the characteristics and needs of the clients of the licence holder to whom they will be offered or provided has been removed.
- The Financial Instrument Test
Following feedback from the industry, the Authority understands that it is not always feasible for a Compliance Officer to endorse the Financial Instrument Test ('Fit'), and assume responsibility therefor, especially where one does not have the required legal background. In this regard, the said rule has been amended so that the FIT shall now be required to be signed by the person responsible for carrying out the said test, in line with a licence holder's business model, and counter signed by at least one Administrator.
- Insurance Requirement
The current prescriptive insurance requirements will be amended to read as follows:
"The Licence Holder shall ensure that the Professional Indemnity Insurance cover is in line with market standards and adequately covers risks associated with the business of the Licence Holder".
Further decisions to revisit certain obligations have also been addressed with regards to Supplementary Conditions, including inter alia Custody, Suspension and removal from trading, System resilience, bye-laws and disciplinary actions, Capital Requirements, Inducement Rules, Sale Processes and Selling Practices and Disclosure Requirements and Transitory Provisions.
The updates included in this Circular will come into force on the 1st of February 2019.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.