1 Legal framework

1.1 Which legislative and regulatory provisions govern the banking sector in your jurisdiction?

Malta has been a Member State of the European Union (the "EU") since 2004. As a consequence, the banking sector is regulated by domestic laws including transposed applicable Directives which have been implemented at an EU level, as well as applicable EU Regulations.

On a national level, the main banking legislation is the Banking Act (Chapter 371 of the laws of Malta) which defines the "business of banking" as the business of a person who:

"…accepts deposits of money from the public withdrawable or repayable on demand or after a fixed period or after notice or who borrows or raises money from the public(including the borrowing or raising of money by the issue of debentures or debenture stock or other instruments creating or acknowledging indebtedness), in either case for the purpose of employing such money in whole or in part by lending to others or otherwise investing for the account and at the risk of the person accepting such money."

The business of banking is further regulated through the implementation of subsidiary legislation emanating from the main act, which caters for more specific matters.

By virtue of the Banking Act, the Malta Financial Services Authority (the "MFSA" or the "Authority") is also empowered to issue, amend or revoke Banking Rules. Banking Rules serve as an essential tool by which the MFSA, being the competent authority in Malta, oversees the activities of market participants and carries out its functions.

1.2 Which bilateral and multilateral instruments on banking have effect in your jurisdiction? How is regulatory cooperation and consolidated supervision assured?

Aside from national laws, Maltese banks are subject to the provisions of Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (the "Capital Requirements Directive" or the "CRD") and to the provisions of the Regulation (EU) No 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for institutions and investment firms and amending Regulation (EU) No 648/2012 (the "Capital Requirements Regulation" or the "CRR"), as both may be amended from time to time. The CRD and CRR are commonly collectively referred to as the CRD package and they implement the Basel framework within the EU.

Whilst the CRR is directly applicable to Maltese banks, the CRD has been transposed into local legislation via several amendments carried out to the Banking Act, to the several Banking Rules issued by the MFSA, as well as other subsidiary legislation, allowing the Maltese legal framework to fully align with the CRD as well as guidelines issued by the European Banking Authority (the "EBA").

Other applicable laws which may have an effect on the Maltese banking sector include, for instance, Directive 2014/59/EU of the European Parliament and of the Council of 15 May 2014 establishing a framework for the recovery and resolution of credit institutions and investment firms and amending Council Directive 82/891/EEC, and Directives 2001/24/EC, 2002/47/EC, 2004/25/EC, 2005/56/EC, 2007/36/EC, 2011/35/EU, 2012/30/EU and 2013/36/EU, and Regulations (EU) No 1093/2010 and (EU) No 648/2012, of the European Parliament and of the Council (the "Bank Recovery Resolution Directive" or the "BRRD"). By means of the BRRD, the Single Supervisory Mechanism (the "SSM"), the Single Resolution Mechanism (the "SRM") and the Deposit Guarantee Scheme (the "DGS"), the several Member States and the respective credit institutions operating within them are subject to a uniform procedure whereby the interests of the depositor, credit institutions and the economy in general are constantly safeguarded. Collectively, the aforementioned pieces of legislation strive to prevent banks all over the EU from failing and impede such failures from systemically impacting the financial environment within which they operate. In scenarios where failure is impending, the mechanism lays down a plan of action for the authorities' timely intervention, intended to avoid or mitigate adverse repercussions.

All of the above create a sense of community amongst the Member States in a way that allows the respective jurisdictions (and the market participants within) to operate freely and independently, yet they strengthen the notion that each and every Member State co-exists within an extensive macro-economy under the supervision of one common authority (the European Central Bank (the "ECB")), whilst keeping the depositor at the very heart of the process. The harmonisation of banking regulation in the aforementioned manner creates concrete processes and procedures to be followed whenever regulatory co-operation is required within the EU. By means of the CRD, particularly Article 6, Competent Authorities allow for open communication between one another whilst placing the European Systemic Risk Board at the very centre of the process.

Furthermore, it should be noted that the MFSA is a party to several memoranda of understanding ("MoU"), some of which are bilateral, whilst others are multilateral. Bilateral MoUs are typically entered into with international regulators of financial services. The MFSA is also a signatory to specialised multilateral MoUs facilitated by organisations such as the International Organization of Securities Commissions ("IOSCO") and the European Securities and Markets Authority ("ESMA"). The MFSA has also concluded agreements with a number of domestic regulators with whom it cooperates in order to achieve its public policy goals.

The aim of concluding bilateral and multilateral MoUs is to facilitate the exchange of information and to create a formal framework for regulatory collaboration and co-operation between various regulatory authorities. The aim of such instruments is to provide for clearer channels for collaboration including increased mutual co-operation, the exchange of regulatory and technical information as well as investigative assistance between the regulators that executed the instrument.

1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers (including sanctions) do they have?

The central authority responsible for enforcement within the banking sector in Malta is the MFSA; the role it occupies is two-fold. It has the role of issuing, revoking or suspending licences, which role is exclusively entrusted to the MFSA as Malta's national competent authority, in co-operation with the ECB whenever the SSM requires joint co-operation. The second function which the MFSA serves is that of carrying out supervision over market participants operating within the Maltese jurisdiction and the way they conduct business.

The legal framework within which the MFSA exists furnishes the authority with an extensive set of tools allowing the MFSA to ensure that local legislation is consistent with European legislation and that the latter is implemented and subsequently enforced within the jurisdiction. The MFSA is empowered not only to issue its own Rules (mostly based on ECB regulations, guidelines and general instructions), which are just as binding as any other applicable law, but also to carry out both on-site and off-site inspections and to impose sanctions and administrative penalties; most importantly, it retains access to any files held by the licence holders, allowing it to maintain an accurate and detailed record of the market's position.

Despite the wide array of powers granted to the MFSA, the MFSA does not operate in isolation. With Malta participating in the European Banking Union, the SSM and the SRM are directly applicable to the Maltese jurisdiction and consequently, the MFSA works in tandem with the ECB as mandated by the aforementioned mechanisms.

As a result of the SSM, the MFSA constantly cooperates with the ECB. The MFSA and the ECB are also obliged to exchange any information they hold.

Whilst most powers are delegated to the MFSA to carry out functions on behalf of the ECB, the ECB is also empowered to act directly where the respective credit institution is one which, in terms of the SSM, is considered to be of significant relevance to the domestic economy, based on criteria emanating from the aforementioned legislation, or because it is considered to be one (out of the three) of the key players within the economy of a given Member State. Such institutions are commonly referred to as Systemically Important Banks (SIBs).

The ECB is vested with additional powers which allow it to take over the functions which are usually exercised by the MFSA on its behalf, with respect to institutions whose failure could have wide-reaching effects.

The ECB, for instance, retains exclusive jurisdiction over the authorisation (licensing) or the withdrawal of such authorisation relating to any credit institutions which are considered to be of significant systemic importance, despite the MFSA being the competent authority dealing with licensing domestically. Similarly, any notification of acquisitions or disposals of qualifying holdings in the aforementioned credit institutions is assessed by the ECB directly.

Additionally, the ECB may utilise its extended investigatory powers at any time, particularly in situations where financial assistance would have been requested (or received) by a given credit institution.

The Central Bank of Malta is an independent institution which, despite being the former central authority (and regulator), nowadays has the primary objective of maintaining price stability. The Central Bank is entrusted with undertaking macro-economic supervision.

Its duties include the carrying out of economic and financial research and statistics used in the decision-making process of the Governing Council of the ECB, advising the Government on economic and financial policies, implementing the ECB's monetary policy through market operations, acting as banker to the Government of Malta, as well as ensuring that there is a sufficient supply of banknotes and coins which meets the demands of the public.

Furthermore, the Central Bank of Malta actively participates in the European System of Central Banks, the Eurosystem and other European Union bodies. The Central Bank of Malta also operates a payment system (TARGET2-Malta) which forms part of the larger network known as the TARGET2, being the European System of Central Banks' ("ESCB") Real-Time Gross Settlement system for the euro. Furthermore, it oversees domestic and cross-border payment and securities settlement systems.

The Central Bank of Malta is also responsible for the coordination of the Single Euro Payments Area ("SEPA") project. It is also involved in the domestic introduction of the International Bank Account Number ("IBAN").

The Central Bank of Malta also provides facilities in relation to clearance systems.

1.4 What are the current priorities of regulators and how does the regulator engage with the banking sector?

In fulfilment of its supervisory and regulatory functions, the MFSA endeavours to maintain a healthy and stable economy which allows room for financial expansion whilst ensuring that the interests of market players are preserved throughout.

In reaching its goals, the MFSA is constantly on the lookout for market changes which translate to further financial opportunities, to which the MFSA proactively reacts, namely by means of the implementation of up-to-date rules and guidelines in that respect.

One of the main missions of the MFSA remains that of depositor and/or investor protection. Whilst the MFSA takes into consideration the needs of the industry and strives to propose a sustainable regulatory environment, this is balanced out by the fact that it keeps depositor and investor interests as its priority. This can be seen through, amongst other measures, the level of transparency required from credit institutions (amongst others) and the stringent processes implemented, ultimately rendering such credit institutions a more viable and safer option for the end-consumer.

Needless to say, the MFSA, together with the ECB, particularly following the aftermath of the 2008 financial crisis, persistently emphasises the importance of monitoring and following up on the three most systemically important credit institutions operating within the Maltese jurisdiction, with the ultimate aim of avoiding a systemic collapse within the economy.

It can be said that as regulator, the MFSA takes a rather versatile, yet assertive approach in the way it regulates the banking sector. A predominant feature which has allowed the MFSA to successfully implement changes throughout the years is the open communication channel which it maintains with shareholders, depositors and the credit institutions alike.

Its most far-reaching tool in communicating with the banking sector is through the issuing of rules, circulars and guidelines, which steer away from the lengthy, complicated language used in laws, to be replaced by more direct, straight to the point jargon, which practitioners can easily access and adopt. In addition to the aforementioned, the MFSA also holds frequent seminars and Q&A sessions whereby participants are encouraged to voice their opinions and concerns.

2 Form and structure

2.1 What types of banks are typically found in your jurisdiction?

Any entity, the activities of which fall within the definition of the business of banking (as described above), is deemed to be a bank.

The main types of banks typically found in Malta are Retail, Commercial and Corporate Banks.

As the industry evolved (particularly from the 1980s onwards) and became more sophisticated, Malta witnessed the establishment and introduction of other types of banks offering a variety of services, such as trade finance, marine finance services, factoring and forfaiting, payment services, project finance and wealth management. Other services include trust business, trade finance, treasury operations and syndicated loans as aforementioned.

As a consequence of this shift in the types of services offered, whilst the notion of banking remained intact (in line with the definition of business of banking), the services offered by banks broadened, giving rise to the need for Malta-based banks to obtain additional authorisations to carry out activities which technically fall outside of the scope of business of banking.

It must be noted that the notion of "Investment Banks" is not applicable in Malta, and any such entities would be referred to as "Investment Firms".

2.2 How are these banks typically structured?

To ensure that an adequate degree of safety is maintained in the structure of banks, the MFSA provides pre-determined criteria which set out a skeletal internal governance structure which credit institutions subject to the supervision of the MFSA are to abide by. Nevertheless, the MFSA Rules are comprehensive enough to cater for different types of banks, taking into consideration the credit institutions' size, scale, nature and complexity.

The aforementioned requirements include, for instance, the establishment of a Board of Directors composed of both executive and non-executive directors, the establishment of a Risk Committee, a Nomination Committee, a Remuneration Committee, and an AML/CFT Committee, amongst others. The MFSA Rules do, however, differentiate between entities of a more sophisticated and extensive nature, as opposed to less complex structures.

It is common practice that an entity licensed as a credit institution would be incorporated either as a Maltese public limited liability company or as a private limited liability company. The Maltese financial system also allows for EU credit institutions to passport their services to Malta, possibly through the establishment of an agency or branch within the Maltese territory.

Notwithstanding the chosen corporate structure, initial and ongoing regulatory requirements apply equally to banks, and therefore, there is no difference in practice between a bank structured as a private company as opposed to one that is structured as a public company. In the event that a bank wishes to offer securities to the public, or to list its securities on a trading venue, such as a regulated market, the public company structure would become mandatory.

2.3 Are there any restrictions on foreign ownership of banks?

The Maltese banking sector has gone through a complete overhaul which has allowed Malta to position itself as a financial services centre. Malta's accession to the European Union in 2004, followed by Malta joining the eurozone in 2008 have been great contributors to the banking sector shifting from a tightly controlled publicly owned sector to a diversified and efficiently regulated sector which promotes and encourages foreign ownership.

Whilst approximately half of the credit institutions operating within the Maltese territory are supported by domestic capital, the remaining banks are foreign owned.

The Banking Act provides that any person, or persons acting together, who intend to acquire or increase a qualifying shareholding in a credit institution (subject to certain pre-determined criteria being satisfied) are to notify the MFSA of their intent to become involved within a given credit institution. Following notification, the application submitted by the prospective shareholder would be subject to an assessment carried out (within 60 days from notification) by the MFSA, subject to a final approval to be provided by the ECB.

The implication is that the above procedure applies to all prospective qualifying shareholders and does not make any distinction between local and/or foreign shareholders. Regardless of this last statement, factors such as nationality, as well as the jurisdiction and industry within which a given prospective shareholder operates may be of particular relevance when assessing applications from an AML/CFT perspective. Other factors considered in the assessment process include the reputation of the proposed shareholder, the reputation and experience of those directing the business of the credit institution as well as the financial soundness (means) of the proposed shareholder. Nevertheless, AML/CFT screening takes place on a risk-based approach, independent of whether the proposed shareholders are Maltese or otherwise.

In line with the strategy applied to attract foreign investment towards Malta, one of the most appealing features of establishing (or moving) one's business to Malta, is the corporate tax model, whereby companies are taxed at a standard corporate rate of 35%. Malta adopted a full imputation system, meaning that dividends received by shareholders are not taxed in their hands. Furthermore, the Maltese tax framework and fiscal policy can prove extremely appealing to manage liquidity.

2.4 Can banks with a foreign headquarters operate in your jurisdiction on the basis of their foreign licence?

In terms of the CRD, credit institutions established in other Member States may extend their banking operations to Malta by establishing a branch (which would be subject to the authorisation process) or via provision of cross-border services, without the need of re-obtaining authorisation (licence) given that requirements would have already been satisfied at authorisation stage by the competent authority within the Member State from which such credit institution wishes to passport their services.

This would trigger a procedure whereby the competent authority of the home Member State of a given credit institution, would look into the credit institution's application to passport its services.

Similarly, credit institutions subject to Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61 ("MiFID II") would also be able to passport their services under the MiFID II.

Should passporting not be an option, or in the event that another option is preferred, a foreign group may establish a subsidiary in Malta which seeks authorisation from the MFSA to operate in Malta.

3 Authorisation

3.1 What licences are required to provide banking services in your jurisdiction? What activities do they cover?

As per the Banking Act, no business of banking shall be transacted by a company, in or from Malta, unless it is in possession of a licence granted by the MFSA under the said Act.

The activities covered by a banking licence in terms of the Banking Act are as follows:

  • Business of banking, being defined as the business of accepting "deposits of money from the public withdrawable or repayable on demand or after a fixed period or after notice or who borrows or raises money from the public (including the borrowing or raising of money by the issue of debentures or debenture stock or other instruments creating or acknowledging indebtedness), in either case for the purpose of employing such money in whole or in part by lending to others or otherwise investing for the account and at the risk of the person accepting such money".
  • The business activities of a credit institution (i.e., banks) may, besides the business of banking, include any or all of the additional activities listed in the First Schedule to the Banking Act. The list of additional activities as provided for in the First Schedule to the Banking Act is as follows:
    1. Financial leasing;
    2. Payment services as defined in the Financial Institutions Act (Chapter 376 of the laws of Malta);
    3. Issuing and administering other means of payment (travellers' cheques, bankers' drafts and similar instruments) insofar as this activity is not covered by activity 2 above;
    4. Guarantees and commitments;
    5. Trading for own account or for account of customers in: (a) money market instruments (cheques, bills, certificates of deposit, and similar instruments); (b) foreign exchange; (c) financial futures and options; (d) exchange and interest-rate instruments; (e) transferable securities;
    6. Participation in securities issues and the provision of services related to such issues;
    7. Advice to undertakings on capital structure, industrial strategy and related questions and advice as well as services relating to mergers and the purchase of undertakings;
    8. Money broking;
    9. Portfolio management and advice;
    10. Safekeeping and administration of securities;
    11. Credit reference services;
    12. Safe custody services;
    13. Issuing electronic money.

3.2 What requirements must be satisfied to obtain a licence?

Article 7 of the Banking Act provides a list of requirements that must be satisfied in order for a banking licence to be granted. These requirements include, inter alia, the following conditions:

  • an initial capital of not less than five million euro (€5,000,000);
  • at least two individuals effectively directing the company's business;
  • the Authority is notified of the identity of the shareholders/members having qualifying holdings (if applicable), or of the twenty largest shareholders/members;
  • the Authority is satisfied that the shareholders/members mentioned in the previous point, as well as the controllers and all individuals who will effectively direct the business are suitable persons;
  • the Authority is satisfied that if there are close links with the company and another person/s, such links do not prevent it from exercising effective supervision;
  • the Authority is satisfied that the arrangements, processes and mechanisms required to be in place by the bank enable sound and effective risk management.

The aforementioned is supplemented by banking rules issued by the MFSA which provide details on how the above would need to be satisfied. In practice, the specific requirements will depend on the size, scale, nature and complexity of the proposed bank's business and it is typically expected for a bank to have more available capital than the minimum indicated in the law. Furthermore, it would be expected for the bank's board of directors to be composed of a number of directors (made up of executive and non-executive directors) that would be adequate depending on its size, scale, nature and complexity.

3.3 What is the procedure for obtaining a licence? How long does this typically take?

MFSA's Banking Rule BR/01 lays down the procedure for obtaining a licence in terms of the Banking Act. For an applicant to be granted a banking licence, certain minimum criteria must be met (i.e., those provided for via Article 7 of the Banking Act). The MFSA must also be satisfied that the minimum criteria relating to prudent conduct, fit and proper persons, integrity and professional staff and safety of potential depositors are fulfilled with respect to the applicant.

BR/01 provides that with the establishment of the SSM Framework Regulation, the ECB has the power to grant an authorisation to a credit institution in collaboration with the MFSA (being the national competent authority ("NCA") in Malta). The SSM Framework Regulation has established common procedures, which ultimately are decided on by the ECB, regardless of the significance of the credit institution concerned. Applications for authorisations to take up the business of a credit institution are sent by the applicant to the MFSA for the granting of a new banking licence. MFSA is to then notify the ECB of its receipt of the said application, and this within fifteen (15) working days. The MFSA reviews the application, and should there be any omissions and/or inconsistencies, it would request the applicant to ensure the completeness of the said application. Once an application is completed, it is subject to a complementary assessment by the MFSA, the ECB and any other NCAs concerned (if applicable). If the MFSA is satisfied that the application complies with national conditions for authorisations, it proposes to the ECB a draft decision containing its assessment and recommendations. Once a final decision has been reached, this will be communicated to the applicant by the MFSA.

An application for authorisation for a banking licence must be filed in accordance with the MFSA's official application forms, whilst being accompanied by the following documentation: (i) a copy of the institution's Memorandum and Articles of Association; (ii) audited financial statements for the last three (3) years (if applicable); (iii) a business plan, including, inter alia, the structure, organisation, management systems, governance arrangements and internal control systems of the prospective bank, whereby it must be demonstrated that these arrangements, control mechanisms and procedures are proportionate, appropriate, sound and adequate to the business model proposed for the prospective bank. The business plan is to, inter alia, also delve into the prospective bank's internal governance and its compliance function, whilst also accounting for operational risk, the assessment of conduct risk, and money laundering risks. Along with the applicant's internal control framework, an outline of several policies and procedures, including, inter alia, the whistleblowing policy, conflicts of interests policy, and market abuse policy are also to be made available.

In terms of Article 10 of the Banking Act, an applicant who is aggrieved by a decision of the MFSA with respect to the granting of a licence has a right of appeal to an independent Financial Services Tribunal.

The MFSA must determine an application for a licence within six (6) months of receipt. If an application is submitted, but is not complete, or if the MFSA would require any additional information, then determination of the application must be made within six (6) months of the submission of the said information. In any event, the MFSA is bound to determine an application for a licence in terms of the Banking Act within twelve (12) months.

4 Regulatory capital and liquidity

4.1 How are banks typically funded in your jurisdiction?

The banking sector in Malta can essentially be split into three groups, i.e., core domestic banks, non-core domestic banks and internationally-oriented banks. Core domestic banks rely predominantly on resident deposits for their funding, whereby their investment portfolios would typically be widely diversified in well-rated securities. Non-core domestic banks have a Tier 1 capital adequacy ratio well in excess of that required and thus, more funding is generated from shareholders' equity when contrasted with their core domestic counterparts. As regards internationally-oriented banks, funding is generated mainly through the wholesale market or through their parent banks.

4.2 What minimum capital requirements apply to banks in your jurisdiction?

The Banking Act provides that a credit institution may not have an initial capital being less than five million euro (€5,000,000). Nevertheless, prudential ratios apply, and therefore, it is likely that minimum capital requirements for a specific proposed banking operation exceed the €5,000,000 established by law.

Moreover, with respect to capital requirements, banks are to ensure that the rules provided by the CRR and any other applicable EU legislation that becomes applicable from time to time, are also abided by. In line with the said regulation, banks are required to abide by own funds requirements laid down therein, and therefore the required capital may exceed the minimum given the size of the institution's business.

4.3 What legal reserve requirements apply to banks in your jurisdiction?

The Central Bank of Malta has adopted the ECB's minimum reserve system and requires banks to maintain reserve deposits in accounts held by it. The legal framework for this minimum reserve system is provided for via Article 19 of the Statute of the ESCB and of the ECB, and via Regulation (EU) 2021/378 of the European Central Bank of 22 January 2021 on the application of minimum reserve requirements (recast) (ECB/2021/1).

The reserve requirement for each bank is determined as a proportion of certain liability items on its balance sheet. Balance sheet data referring to the end of a given calendar month is used to determine the reserve base for the maintenance period starting in the calendar month two (2) months later.

5 Supervision of banking groups

5.1 What requirements apply with regard to the supervision of banking groups in your jurisdiction?

With respect to the supervision of banking groups in Malta, the MFSA is tasked with supervising credit institutions on a consolidated basis. When it comes to the supervision of credit institutions on a consolidated basis, on a local level, one has to look at, inter alia, the Supervisory Consolidation Regulations (Subsidiary Legislation 371.15 of the laws of Malta), the Banking Act (Supervisory Review) Regulations (Subsidiary Legislation 371.16 of the laws of Malta), and the Supervisory Consolidated (Credit Institutions) Regulations (Subsidiary Legislation 371.22 of the laws of Malta); whereas, at a European level, credit institutions are to abide by the provisions of the CRR. The EU Capital Requirements Directive is transposed into local legislation.

The EU, in recent years, has introduced the CRDV Package, consisting of the CRRII and the CRDV, and which continues to build on the existing CRDIV and CRR legislative package. The CRDV Package establishes the prudential framework for credit institutions authorised or licensed in the EU.

The MFSA has been working on the transposition of the CRDV into national legislation, which is now in the final stages. The transposition of the CRDV Package introduces a new approval requirement for holding companies which fall within the definitions of a Financial Holding Company ("FHC") and a Mixed Financial Holding Company ("MFHC"). This specific approval procedure, along with direct supervisory powers granted to the MFSA in relation to certain (Mixed) Financial Holding Companies, will ensure that FHCs/MFHCs are held directly responsible for ensuring compliance with consolidated prudential requirements. An MFHC or FHC will be able to apply for an exemption if certain criteria are met.

FHCs/MFHCs which have a credit institution as a subsidiary and fulfil the conditions stipulated in the CRDV are required to seek the approval or the exemption from approval of the consolidating supervisor, or the MFSA, as applicable. FHCs/MFHCs are to also ensure compliance with the conditions for approval or exemption on an ongoing basis, whilst adhering to any supervisory measures that the consolidating supervisor/the MFSA may impose.

5.2 How are systemically important banks supervised in your jurisdiction?

Malta forms part of the EU's SSM. Joint Supervisory Teams (JSTs), comprising the ECB and national supervisors (i.e., the MFSA in the case of Malta), take on an ongoing supervisory role to ensure the safety and soundness of the European banking system, whilst increasing financial integration and stability and ensuring consistent supervision. Each Systemically Important Institution ("SII") has its own designated JST, whereby, in line with the provisions of Council Regulation (EU) No 1024/2013 of 15 October 2016 conferring specific tasks on the European Central Bank concerning policies relating to the prudential supervision of credit institutions, prudential supervision requirements are carried out by the said JSTs.

The MFSA is also responsible for supervising Less Significant Institutions (LSIs), by carrying out general on-site responsibilities, as well as requiring supervisory reporting. This supervision is done in close cooperation with the ECB.

5.3 What is the role of the central bank?

The Central Bank of Malta, being a member of the ESCB and the Eurosystem, has the primary role to maintain price stability in Malta, whilst contributing to that of the euro area. In furtherance of this principal role, the Central Bank of Malta has several other functions, including, inter alia, (i) managing Malta's official reserves, which consist of a portfolio of foreign and domestic financial assets; (ii) acting as the banker to the Government and to local credit institutions, whilst providing liquidity through open market operations and collateralised intra-day lending, whenever this is required; (iii) formulating and implementing macro-prudential policy, with the main objective being that of reducing the build-up of risks in the financial sector, aiming to mitigate systemic risk; (iv) assuming responsibility for the issuance and control of currency notes and coins in Malta, whilst also ensuring the quality and authenticity of the banknotes and coins in circulation, as well as issuing euro coins on behalf of the Government of Malta; (v) maintaining international relations with international economic and financial institutions of which Malta is a member, including, inter alia, the International Monetary Fund ("IMF") and the World Bank Group ("WBG"); (vi) conducting economic analysis and research, and preparing projections of the main macroeconomic variables for the Maltese economy by means of its econometric model and other tools; (vii) collecting and compiling a wide variety of monetary, financial and other macroeconomic statistics in accordance with European and other international standards; (viii) operating a payment system, which forms part of TARGET2; and (ix) overseeing and regulating the operation of, and the participation in, both domestic and cross-border payment and securities settlement systems.

6 Activities

6.1 What specific regulations apply to the following banking activities in your jurisdiction: (a) Mortgage lending? (b) Consumer credit? (c) Investment services? and (d) Payment services and e-money?

(a) Mortgage lending?

Credit institutions licensed under the Banking Act may provide lending services, including the financing of immovable property. Furthermore, mortgage lending in Malta (as a member of the EU) is regulated by Directive 2014/17/EU of the European Parliament and of the Council of 4 February 2014 on credit agreements for consumers relating to residential immovable property and amending Directives 2008/48/EC and 2013/36/EU and Regulation (EU) No 1093/2010 (the "Mortgage Credit Directive") and has been transposed domestically by means of the Residential Immovable Property Regulations (Legal Notice 415 of 2011).

Malta has also adopted a domestic framework enabling an entity which is not a bank to carry out lending activities through its own funds, provided that a licence under the Financial Institutions Act is obtained.

(b) Consumer credit?

Activities relating to the granting of consumer credit are captured in the definition of the "business of banking" provided by the Banking Act, which, as established, regulates the business of banking domestically. As a credit institution, a bank typically operates by adopting the traditional financial intermediation model; it accepts deposits from its clients and utilises part thereof to lend funds to other clients.

The Banking Act provides that the business of banking allows for the use of money deposited with a given bank to be utilised "…in whole or in part by lending to others" – a characteristic which lies at the very core of the business of banking.

Credit may also be extended by an institution licensed under the Financial Institutions Act (which also transposes Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (the "Payment Services Directive" or "PSD II")) provided that such credit is granted through own funds.

(c) Investment services?

The main applicable EU legislation is MiFID II, the provisions of which have been transposed into Maltese law by means of the Investment Services Act (Chapter 370 of the laws of Malta) and the several rules issued by the MFSA. A credit institution is allowed to provide the following investment services without requiring an additional licence:

  • trading for own account or for account of customers in:
    1. money market instruments (cheques, bills, certificates of deposit, and similar instruments);
    2. foreign exchange;
    3. financial futures and options;
    4. exchange and interest-rate instruments;
    5. transferable securities.
  • participation in securities issues and the provision of services related to such issues;
  • advice to undertakings on capital structure, industrial strategy and related questions and advice as well as services relating to mergers and the purchase of undertakings;
  • money broking;
  • portfolio management and advice; and
  • safekeeping and administration of securities.

Nevertheless, it is not uncommon for banks wanting to provide a full suite of investment services in addition to their traditional banking operations to also obtain a licence under the Investment Services Act. Given that the authorisation requirements for banks require a high standard of governance and operational resilience, it would not typically be difficult for a banking group to satisfy the requirements for an investment services licence.

(d) Payment services and e-money?

Payment services are regulated by means of the Payment Services Directive whereas e-money is regulated by means of Directive 2009/110/EC (the "EMD"). The two have been transposed into domestic legislation through the Financial Institutions Act. A bank may ask for authorisation to provide payment and e-money issuance services within the remit of the same licence it obtains to provide banking services.

7 Reporting, organisational requirements, governance and risk management

7.1 What key reporting and disclosure requirements apply to banks in your jurisdiction?

Article 19 of the Banking Act deals with information to be submitted to the MFSA and to the Central Bank of Malta. Banks are required to submit to the MFSA periodic statements showing the assets, liabilities and profit and loss position on an individual and, where appropriate, on a consolidated basis, including an analysis thereof. Moreover, they are to submit any information that the MFSA may require for prudential supervision, conduct supervision and/or statistical purposes.

Banks are to submit to the MFSA all the information necessary for the assessment of their compliance with the Banking Act, and any regulation made thereunder, as well as the Banking Rules, the Conduct of Business Rules, and any binding legal instruments issued under the CRD and the CRR.

Banks are also required to submit to the Central Bank of Malta any such information which the latter requires in the discharge of its duties, and which it may enquire into and seek clarification about.

Moreover, Banking Rule BR/23 has been introduced, following the EBA Guidelines on reporting and disclosure of exposures subject to measures applied in response to the COVID-19 crisis (EBA/GL/2020/07). BR/23 lists reporting requirements in relation to payment moratoria, other COVID-19 related forbearance measures and public guarantees.

7.2 What key organisational and governance requirements apply to banks in your jurisdiction?

Article 17B of the Banking Act, dealing with, inter alia, governance, provides that "[e]very credit institution shall put in place robust governance arrangements which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, adequate internal control mechanisms including sound administrative and accounting procedures, and remuneration policies and practices that are consistent with and promote sound and effective risk management". Any such arrangement, process or mechanism is to be comprehensive and proportionate to the nature, scale, and complexity of the risks inherent in the bank's business model and activities.

Banks are to ensure that internal control mechanisms and administrative and accounting procedures, at all times, permit the checking of compliance with the rules adopted in accordance with the Banking Act, Banking Rules, Conduct of Business Rules and with any binding legal instruments issued under the CRD and the CRR.

Moreover, Banking Rule BR/24, having transposed provisions of the CRD and implemented the EBA Guidelines on internal governance (EBA/GL/2017/11), as amended by the EBA Guidelines on internal governance under Directive 2013/36/EU (EBA/GL/2021/05), further provides credit institutions with rules concerning, inter alia, internal governance requirements.

7.3 What key risk management requirements apply to banks in your jurisdiction?

Article 17B of the Banking Act provides that credit institutions shall, inter alia, put in place robust governance arrangements that are consistent with and promote sound and effective risk management.

The board of directors ("Board") of a credit institution shall approve and periodically review the strategies and policies for taking up, managing, monitoring and mitigating the risks that the credit institution is or might be exposed to. The Board shall be actively involved in and ensure that adequate resources are allocated to the management of all material risks addressed in the Banking Act, the Banking Rules, the CRD and the CRR.

Credit institutions shall have a risk management function, being independent from the operational functions. This risk management function shall ensure that all material risks are identified, measured and properly reported. The risk management function shall also be actively involved in elaborating the credit institution's risk strategy and in all material risk management decisions.

Furthermore, credit institutions that are significant in nature are to establish a risk committee, which shall advise the Board of its understanding of the credit institution's risk strategy and risk appetite.

7.4 What are the requirements for internal and external audit in your jurisdiction?

Banking Rule BR/24 provides that credit institutions shall have an audit committee which shall, inter alia, inform the Board of the outcome of the statutory audit (i.e., the external audit) and monitor the effectiveness of, inter alia, its internal audit function and process. It shall also provide oversight to the financial reporting process of the credit institution. Giving due regard to maintaining its independence, it is tasked with approving and monitoring the internal auditor's work programme, receiving internal audit reports, reviewing the effectiveness of the external audit process, and acting as the principal point of contact between the internal auditors, the statutory auditor and the Board.

In line with Article 16 of Regulation (EU) No 537/2014 of the European Parliament and Council of 16 April 2014 on specific requirements regarding statutory audit of public-interest entities and repealing Commission Decision 2005/909/EC, credit institutions are to appoint statutory auditors or audit firms to undertake the external audit function. Moreover, credit institutions are to have an internal audit function that is to operate independently so as to provide effective and objective assurance. Both the external audit and internal audit functions are to be guaranteed free access to the credit institution's Board.

8 Senior management

8.1 What requirements apply with regard to the management structure of banks in your jurisdiction?

Banks licensed in terms of the Banking Act are required to have in place a Board, being empowered to define, oversee and be accountable for the implementation of governance arrangements so as to ensure the bank's effective and prudent management, whilst also managing the bank's segregation of duties and the prevention of conflicts of interest.

The Board shall ensure that the bank's internal control functions are independent of the business lines they control. Reporting lines and the allocation of responsibilities, most particularly with respect to the bank's key functionaries, are required to be clear, well defined, coherent, enforceable and duly documented.

The Board shall be comprised of executive directors and non-executive directors. Executive directors sitting on the board shall engage actively in the bank's business and shall take decisions on a sound and well-informed basis. On the other hand, non-executive directors shall, inter alia, be responsible for monitoring and constructively challenging the bank's strategy. The chairperson of the Board shall ensure that there is an effective flow of information within the Board and between the Board and the bank's committees. Several committees are required to be set up; however, different rules apply depending on whether a bank is deemed to be an SII or an LSI. Whereas SIIs shall establish risk, nomination and remuneration committees to advise and prepare non-executive directors in taking decisions at Board level, LSIs shall decide to establish such committees whilst taking into consideration their internal organisation, as well as the nature, scale and complexity of their activities.

8.2 How are directors and senior executives appointed and removed? What selection criteria apply in this regard?

In terms of the Companies Act (Chapter 386 of the laws of Malta) public companies shall have at least two (2) directors, whereas private companies shall have at least one (1) director. Although there is no rule specifying that banks must be set up as either public or private companies, Article 7 of the Banking Act provides that there must at least be two (2) persons who effectively direct the company's business. This is to be considered in conjunction with the Banking Rules and best practice. Thus, a bank is expected to be managed by a board of directors which would typically include more than two (2) persons. The Board should be composed of both executive and non-executive directors, who are to have varied expertise that is relevant for the management of a bank, whilst including persons that are also independent of the bank.

Interdicted or incapacitated persons, undischarged bankrupts, persons convicted of any of the crimes affecting public trust, theft or fraud or knowingly receiving property by theft or fraud, minors who have not been emancipated, persons under a disqualification order, and persons who have not obtained the necessary authorisation by the MFSA to act as a director of a company as part of company service provider services (as per the Company Service Providers Act (Chapter 529 of the laws of Malta)), may not act as directors of a company in Malta. The Banking Act further provides that no person who, inter alia, has been adjudged bankrupt or has made a composition with his creditors or has been an officer of a bank which has had its licence withdrawn, and who has not been exempted in writing by the MFSA; or who has been involved in money laundering shall act or continue to act as a director of a bank.

Prior to being appointed, directors must personally sign the company's memorandum of association (or submit a signed letter to the Registrar of Companies), whereby consent to act as such is indicated. The appointment of directors other than the first directors is typically regulated by the company's articles of association; nevertheless, this notification procedure to the Registrar outlining a director's consent must still take place.

A company may remove a director before the expiration of his term, by a resolution taken at a general meeting and passed by at least fifty percent (50%) of the eligible votes.

With respect to directors of banks, more stringent rules are applicable. A prospective director of a bank must undergo an assessment process enabling the institution and the MFSA to conclude that the person is fit and proper for the role. The number of directorships which may be held by a director at the same time shall take into account individual circumstances and the nature, scale and complexity of the activities of the bank. Without prejudice to any other applicable rules, a director of a bank deemed significant in terms of its size, internal organisation and nature, scope and complexity of its activities, shall not hold more than one of the following combinations of directorships at the same time: (i) one (1) directorship having an executive role with two (2) directorships having a non-executive role; or (ii) four (4) directorships having a non-executive role.

As aforementioned, given that banks are regulated entities, directors of banks must prove that they are fit and proper persons to the authority, prior to being appointed as such. The appointment of directors of banks in Malta must be pre-cleared by the MFSA, whereby if the authority feels that a person is not suitable to be a director, or does not fulfil the requirements expected of a director, it may give an order restraining said person from becoming a director (or an order requesting said person to cease from acting as a director).

As regards any senior executives to be appointed within a bank's organisational structure, these would typically be decided by the bank's board of directors, albeit always subject to the MFSA's approval thereof. Senior management is also to undergo the aforementioned fit and proper process, which would be initiated with the MFSA through the submission of a personal questionnaire (PQ).

8.3 What are the legal duties of bank directors and senior executives?

In terms of the Companies Act, directors of companies in Malta are bound to act honestly and in good faith, whilst carrying out their duties in the best interests of the company. It is to be noted that the Companies Act makes no distinction between executive and non-executive directors, and thus, any and all applicable duties assigned to directors shall be imposed on all directors; albeit the Banking Act does make reference to executive and non-executive directors. Moreover, senior executives who, although not appointed as directors themselves, are persons in accordance with whose directives, directions or instructions the directors of a company are, or have been, accustomed to act shall also be treated in the same way as a director.

Whilst promoting the company's well-being, directors shall be responsible for overseeing the company's general governance, proper administration and management, whilst also undertaking the general supervision of the company's affairs.

Directors must exercise a degree of care, diligence and skill which would be exercised by a reasonably diligent person having the knowledge, skill and experience that may reasonably be expected of a person carrying out the functions of a director.

Furthermore, directors are not to make secret or personal profits from their position without the consent of the company, nor are they to make any personal gain from confidential information obtained as a result of their position within said company. In addition to this, directors are not to use any property, information or opportunity of the company for their own (or anyone else's) benefit, nor are they to obtain any benefit in connection with the exercise of their powers, unless consent is granted by the company, or unless this is allowed via the company's memorandum or articles of association. They must ensure that personal interests do not conflict with the interests of the company. Directors must not misuse their powers but are to use them for the purposes for which they were conferred.

Other duties imposed on directors relate to statutory registers and minute books; the filing of returns and documents; board and general meetings; record-keeping and financial statements; liquidation of the company; and other miscellaneous duties. The Companies Act also provides that certain specific duties may be entrusted to one or more directors.

Maltese case law has established that directors, and in certain cases even other senior management officials, are to be considered as fiduciaries of the company, resulting in directors also being subject to fiduciary obligations in line with the provisions of the Companies Act. Directors have also been traditionally regarded as being mandatories of the company, leading to them also being subject to duties imposed on mandatories via the Civil Code (Chapter 16 of the laws of Malta).

The Banking Act provides that it shall be the duty of directors to notify the MFSA in writing upon becoming aware that the bank intends to sell or dispose of its business or any significant part thereof; merge with any other company; undergo any reconstruction or division; or increase or reduce its nominal or issued share capital or effect any material change in the voting rights. Directors of banks shall take all reasonable steps to secure compliance by the bank with its licence and with the provisions of the Banking Act and any regulations made and, or Banking Rules and, or Conduct of Business Rules issued thereunder, and to ensure that no incorrect information is provided to the MFSA either wilfully or as the result of gross negligence. The board of directors, therefore, is collectively responsible for all the operations of the bank.

8.4 How is executive compensation in the banking sector regulated in your jurisdiction?

Banking Rule BR/21, having transposed certain provisions of the CRDV and having implemented the revised EBA/GL/2021/04 Guidelines on Sound Remuneration, provides rules relating to remuneration policies and practices and provides for remuneration policies to be implemented. Banks deemed to be significant in nature shall also establish a remuneration committee that shall be responsible for the preparation of decisions regarding remuneration. With respect to remuneration committees, the chair and members thereof shall be directors who would not have an executive role in the concerned bank.

The remuneration of the members of the management body in its management function shall be consistent with their powers, tasks, expertise, and responsibilities.

9 Change of control and transfers of banking business

9.1 How are the assets and liabilities of banks typically transferred in your jurisdiction?

Typically, banks' assets and liabilities are transferred via a merger or an acquisition. Article 13C of the Banking Act provides that the MFSA's consent shall be required before any credit institution may lawfully: (i) sell or dispose of its business (or any significant part thereof); (ii) undergo a merger with any other company; (iii) undergo any reconstruction or division; or (iv) increase/reduce its nominal/issued share capital or effect any material change in the voting rights (provided that the CRR's conditions for reducing own funds shall not be prejudiced). In any such case, the directors and qualifying shareholders of the credit institution shall be obliged to notify the MFSA of the intended action to be taken. The MFSA shall, within three (3) months of receipt of such notification or receipt of such information as the MFSA may lawfully require, issue a notice: (i) granting unconditional consent to the taking of the action; or (ii) granting consent to the taking of the action subject to such conditions as the MFSA may deem appropriate; or (iii) refusing consent to the taking of the action.

9.2 What requirements must be met in the event of a change of control?

Article 13 of the Banking Act provides that when it comes to a person having taken the decision to either: (i) directly/indirectly acquire or dispose of a qualifying shareholding (i.e., a direct or indirect holding which represents ten percent (10%) or more of the capital and, or voting rights, or which makes it possible to exercise a significant influence over the undertaking's management) in a credit institution; or (ii) directly or indirectly increase an existing shareholding which is not a qualifying shareholding in a credit institution so as to cause it to become one, or directly or indirectly reduce an existing qualifying shareholding so as to cause it to cease to be one; or (iii) directly or indirectly increase or reduce a qualifying shareholding in a credit institution, as a result of which the proportion of the voting rights or of the capital held would reach, exceed or fall below twenty percent (20%), thirty percent (30%), or fifty percent (50%) or so that the credit institution would become or cease to be its subsidiary, said person is to notify the MFSA of any such decision, indicating the size of the intended shareholding and providing any relevant information that may be required.

Banking Rule BR/13 provides that in relation to a proposed acquirer of a credit institution with respect to a qualifying shareholding in terms of Article 13(1) of the Banking Act, said proposed acquirer must also obtain the approval of the MFSA following notification thereof. In such cases, the MFSA would be required to make an assessment in terms of Article 13A of the Banking Act, prior to approving the proposed acquisition.

Further to the above, a person who intends to: (i) directly or indirectly acquire at least five percent (5%) but less than ten percent (10%) of the share capital and, or voting rights in a credit institution; or (ii) directly or indirectly increase an existing shareholding so that the proportion of the voting rights/capital held would amount to at least five percent (5%) but less than ten percent (10%), shall also inform the MFSA accordingly.

It is possible that although a proposed acquisition falls below the ten percent (10%) threshold, such acquisition would still make it possible for significant influence to be exercised over the credit institution's management, in which case, the approval of the MFSA would also be required.

The assessment process laid down in Article 13A of the Banking Act provides that following completion of the assessment made, the MFSA shall issue a notice which shall either grant unconditional approval to the proposed acquisition, or grant approval of the proposed acquisition subject to conditions which the MFSA shall deem appropriate, or refuse the proposed acquisition if there are reasonable grounds for doing so, or if the information provided is incomplete. A change in control process would require the institution to present an updated business plan indicating how it intends to carry on its business following the change in control. The said process also includes a final approval or rejection from the ECB.

10 Consumer protection

10.1 What requirements must banks comply with to protect consumers in your jurisdiction?

As part of their core values, credit institutions in Malta are to act honestly, professionally and in accordance with the best interest of the client. The MFSA's Conduct Supervisory Department supervises, inter alia, the way in which credit institutions design their products and services, and the way they manage client relationships. Thus, the MFSA is responsible for setting up a regulatory framework that secures appropriate consumer protection in relation to the banking sector; addresses potential or emerging risks for consumers; and strengthens the responsibilities of credit institutions so that they treat consumers in a fair manner.

Amongst the applicable rules that provide for further consumer protection, we find Banking Rule BR/20 which applies to all credit institutions in terms of the Recovery and Resolution Regulations (Subsidiary Legislation 330.09 of the laws of Malta), having implemented the relevant provisions of the BRRD. Credit institutions are required to draw up and maintain a recovery plan providing for measures to be taken so as to restore their financial position following a significant deterioration thereof. As per the Recovery and Resolution Regulations, there exist tools, including, inter alia, the bail-in tool, that may be utilised in the event that a credit institution has failed or is likely to fail. These tools indirectly provide for further consumer protection.

Credit institutions are also required to be members of the Depositor Compensation Scheme. The first €100,000 worth of deposits per bank's customer are safeguarded through the said scheme.

10.2 How are deposits protected in your jurisdiction?

The provisions of Directive 2014/49/EU of the European Parliament and of the Council of 16 April 2014 on deposit guarantee schemes have been implemented into Maltese legislation by means of the Depositor Compensation Scheme Regulations (Subsidiary Legislation 371.09 of the laws of Malta). The Depositor Compensation Scheme is a rescue fund for depositors of failed banks licensed by the MFSA. The Depositor Compensation Scheme is managed by a single Management Committee which is comprised of members from the MFSA, the Central Bank of Malta, investment firms, banks and customers alike.

Article 10 of the Depositor Compensation Scheme Regulations provides that the maximum compensation sum payable for the aggregate deposits of each depositor is one hundred thousand euro (€100,000), save that in addition to the maximum compensation sum payable by the Depositor Compensation Scheme, the maximum compensation sum payable for a temporary high balance is five hundred thousand euro (€500,000).

11 Data security and cybersecurity

11.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for banks?

With Malta being one of the 27 Member States, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the "GDPR") is applicable in Malta as of May 25th, 2018.

Its provisions apply to all entities alike and its main objective is that of protecting information and data concerning individuals (data subjects) from being misused for purposes other than that for which they were originally meant.

In addition to the provisions listing the duties of data controllers and processors and the rights of data subjects, the GDPR harmonises data privacy laws across Europe.

Domestically, the provisions of the GDPR are further enshrined in Maltese legislation by virtue of the Data Protection Act (Chapter 586 of the laws of Malta).

Maltese-based credit institutions are consequently required to have in place a set of policies and notices to comply with the provisions of the GDPR. These include, amongst others, a Personal Data Protection Policy, a Privacy Notice, an Employee Privacy Notice, a Data Retention Policy and a Data Breach Register. Certain entities may furthermore be required to appoint a Data Protection Officer ("DPO").

In line with the GDPR, Malta's supervisory body is the Information and Data Protection Commissioner (the "IDPC"), which apart from having a supervisory role, takes on an advisory role in relation to practitioners and all other entities subject to its supervision. The IDPC also deals with any notifications of personal data breaches, the filing of data protection complaints as well as the registration of DPOs (where required).

11.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for banks?

Given the rise of FinTech, information and communications technology ("ICT") is a crucial component of the business for any type of institution, on which most entities, including credit institutions, heavily depend. As a consequence, in the last decade or so, ICT risk and cybersecurity have become a priority on the EU's agenda.

In an effort to ensure that ICT products, processes and services retain an adequate standard, Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) has been enacted (the "Cybersecurity Act"). Aside from strengthening the mandate given to the European Union Agency for Cybersecurity ("ENISA"), the Cybersecurity Act establishes an EU-wide cybersecurity certification framework, which requires any entity seeking certification to satisfy a set of technical requirements, consequently upholding the qualities which ENISA deems to be necessary for the establishment of a framework capable of preventing, deterring and responding to cybersecurity attacks. The Cybersecurity Act also positions ENISA as a supervisory authority to which cybersecurity incidents may be escalated, in collaboration with the Computer Security Incidents Response Teams ("CSIRTs") Network, as established by Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (the "NIS Directive"), with the latter focusing on network security and information systems.

Guidelines issued by the EBA, the European Insurance and Occupational Pensions Authority ("EIOPA") and ESMA as well as the GDPR (particularly articles 32 and 33) have also had a material bearing on the way the MFSA treats ICT and Security Risk Management.

In line with the aforementioned, the MFSA's strategy (as implemented through soft law, generally guidelines) requires firms and entities under its supervision to have adequate measures in place, namely the implementation of a cybersecurity programme, aimed at mitigating the risk of cyber-attacks, disruption of service, data breaches and loss of data, amongst others. Particular importance is given to situations whereby part or the whole of the ICT function is outsourced.

The system implemented by the MFSA requires licence holders (including credit institutions) to periodically carry out a self-assessment questionnaire (tailor made according to the industry within which the reporting entity operates) in which they describe their ICT governance system, any outsourcing arrangements they may have in place and the measures taken to mitigate any possible breaches and/or loss of data.

ICT risks and cybersecurity will be thrust even more into the spotlight once the proposed EU Digital Operational Resilience Act (DORA), forming part of the proposed Digital Finance Package, is enshrined into EU law.

12 Financial crime and banking secrecy

12.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for banks?

In Malta, anti-money laundering and the combatting of financial terrorism are primarily governed by the Prevention of Money Laundering Act (Chapter 373 of the laws of Malta), the Criminal Code (Chapter 9 of the laws of Malta), as well as ancillary subsidiary legislation, including, inter alia, the Prevention of Money Laundering and Funding of Terrorism Regulations (Subsidiary Legislation 373.01 of the laws of Malta) ("PMLFTR").

Moreover, the Maltese financial intelligence unit, namely the Financial Intelligence Analysis Unit ("FIAU"), has issued Implementing Procedures in terms of Regulation 17 of the PMLFTR, which are binding on all persons carrying out relevant financial business or relevant activity, as further defined in the PMLFTR. Seeing that the business of banking as carried out in terms of the Banking Act falls under the definition of relevant financial business, credit institutions are also required to follow the rules stipulated in the said Implementing Procedures, which are divided into two parts. Whilst Part I is applicable to all sectors, certain sectors are also to refer to a Part II, which applies specifically to that sector. The FIAU had published Implementing Procedures Part II applicable to the Banking Sector, which have since been repealed. Nevertheless, an updated Part II applicable to Banks and Financial Institutions is in the process of being drafted and, once published by the FIAU, would also become applicable to banks in Malta.

As regards EU anti-money laundering legislation, Malta has, as at the time of writing, fully transposed the Fifth Money Laundering Directive ("5AMLD") into national legislation.

12.2 Does banking secrecy apply in your jurisdiction?

Article 2(3) of the Professional Secrecy Act (Chapter 377 of the laws of Malta) defines the term 'professional secret' as being "information which falls under any of the following categories: (a) information which is to be considered secret under a specific provision of the law; (b) information which is described as secret by the person communicating the information to a person falling within the scope of article 257 of the Criminal Code; (c) information which has reasonably to be considered as secret in view of – (i) the circumstances in which the information has been communicated and received, and (ii) the nature of the information, and (iii) the calling, profession or office of the person receiving the information, and of the person giving the information, where applicable."

Article 3(1) of the Professional Secrecy Act stipulates that "employees and officers of … credit institutions" are amongst the persons who fall within the scope of Article 257 of the Criminal Code.

Moreover, Article 3(2) of the Professional Secrecy Act goes on to provide that, notwithstanding that it shall be a defence to a charge of disclosing secret information contrary to Article 257 of the Criminal Code to show that, at the time the information was revealed, the information had entered the public domain and had done so legitimately, persons having ceased to exercise their calling, profession, or office shall still remain subject to the provisions of Article 257 of the Criminal Code.

Article 257 of the Criminal Code, which deals with the disclosure of professional secrets, provides that "[i]f any person, who by reason of his calling, profession or office, becomes the depositary of any secret confided in him, shall, except when compelled by law to give information to a public authority, disclose such secret, he shall on conviction be liable to a fine (multa) not exceeding forty-six thousand and five hundred and eighty-seven euro and forty-seven cents (46,587.47) or to imprisonment for a term not exceeding two years or to both such fine and imprisonment …". This article also includes provisos which grant a defence to certain individuals in certain circumstances, including, inter alia, if a disclosure was made to a competent public authority in or outside Malta investigating acts or omissions constituting an offence of money laundering.

Article 6A of the Professional Secrecy Act provides that "[n]o offence shall be committed against section 257 of the Criminal Code or this Act by – (a) a person disclosing in good faith secret information in the course of and for the purpose of obtaining advice or directions from the body regulating his profession; (b) a person disclosing in good faith secret information to a public authority or before a court or tribunal to the extent that is proportionate and reasonably required for the specific purpose of: (i) defending himself against any claim with regard to professional work in connection with which the secret information has been obtained by him; or (ii) initiating and maintain judicial proceeding seeking the recovery of fees or other sums due to him or the enforcement of other lawful claims or interests; (c) saving … [certain] provisions, a person, who in good faith discloses secret information to a competent public authority in Malta in the reasonable belief that such disclosure is reasonably necessary for the purpose of preventing, revealing, detecting or prosecuting the commission of acts that amount or are likely to amount to a criminal offence, or to prevent a miscarriage of justice."

Furthermore, Article 32(2) of the Banking Act, which deals with confidentiality, provides that "no person, including past and present officers or agents of a bank … shall disclose any information relating to the affairs of a bank or of a customer of a bank … which he has acquired in the performance of his duties or the exercise of his functions under this Act or any regulations made or Banking Rules or Conduct of Business Rules issued thereunder except – (a) when authorised to do so under any of the provisions of [the Banking Act] or any regulations made or Banking Rules or Conduct of Business Rules issued thereunder; or (b) for the purpose of the performance of his duties or the exercise of his functions; (c) when lawfully required to do so by any court or tribunal or under a provisions; (d) for the purpose of enabling the Central Bank or the competent authority, as the case may be, to satisfy their respective obligations arising under Malta's international commitments; or (e) when the customer expressly consents, in writing, to the disclosure of information relating to his affairs, to the extent authorised by the customer".

13 Competition

13.1 What specific challenges or concerns does the banking sector present from a competition perspective? Are there any pro-competition measures that are targeted specifically at banks?

The main restrictions which apply to the banking sector emanate from Articles 101 and 102 of the Treaty on the Functioning of the European Union ("TFEU").

Article 101 prohibits undertakings, decisions by associations of undertakings and concerted practices which may lead to the prevention, restriction or distortion of competition within the internal market. Such prohibitions include the fixing of purchase and/or selling prices, the limitation or control of production, markets, technical development or investment and the application of dissimilar conditions to equivalent transactions with other trading parties, thereby placing them at a competitive disadvantage.

The same article, whilst applying the aforementioned restrictions (provided they have a negative impact on the single market) does, however, allow them in the event that their intention is to improve the production or distribution of goods or to promote technical or economic progress.

Article 102, on the other hand, applies similar restrictions, focusing on undertakings of a dominant position which due to the dimensions of their activity are more likely to influence the internal market.

The above is further enshrined in European Union law by means of Council Regulation (EC) No 1/2003 of 16 December 2002 on the implementation of the rules on competition laid down in Articles 81 and 82 of the Treaty, (now Articles 101 and 102 respectively) of the TFEU. The aforementioned is enabled in Malta by virtue of the provisions of the Competition Act (Chapter 379 of the laws of Malta).

Concentrations are regulated by the Control of Concentrations Regulations (Subsidiary Legislation 379.08 of the laws of Malta) and a merger or acquisition of one or more banks that would lead to a 'concentration' (as the term is defined therein) would need to be approached in accordance with the rules contained therein, provided that in certain cases the competent authority (the Director General (Competition) appointed in terms of the Malta Competition and Consumer Affairs Authority Act (Chapter 510 of the laws of Malta)) may prohibit the merger or acquisition.

14 Recovery, resolution and liquidation

14.1 What options are available where banks are failing in your jurisdiction?

In this regard, the most evident measures taken at EU-level ensue as a result of the preventive approach which has been adopted by EU institutions. As a consequence of reporting standards being strengthened, the respective institutions, particularly the ECB and the domestic competent authorities, are nowadays in a better position to follow the progress (or otherwise) of credit institutions within their remit. This ethos allows the ECB and/or the respective domestic authority to step in at an earlier stage, consequently increasing the odds of a given credit institution recovering from any financial turmoil it may be facing at a given point in time.

In terms of Article 5 of the BRRD, credit institutions are to have in place a recovery plan which lays down a course of action to be taken in the eventuality of its financial situation significantly deteriorating. The BRRD also requires that recovery plans are updated periodically and that they mirror the credit institution's actual situation at all times. Credit institutions are explicitly prevented from relying on extraordinary public financial support as part of their recovery plan.

In the eventuality that the execution of a recovery plan may not suffice for a given credit institution to recover from its financial situation and such bank is still likely to fail, one may consider opting for resolution.

Resolution is triggered when the MFSA (being the resolution authority appointed locally) deems that a given credit institution is failing or likely to fail, the credit institution has exhausted other measures, and where such a resolution is necessary in the public interest.

In this regard the MFSA, by means of the BRRD, is given a set of tools which it is empowered to utilise for the purposes of resolution. In terms of the BRRD, the tools available to the MFSA are:

  1. the sale of business tool: involving the transfer of shares or assets, rights or liabilities to a purchaser without shareholder consent;
  2. the bridge institution tool: involving the transfer of shares or assets, rights or liabilities to a bridge institution (public authority controlled by resolution authority) temporarily without shareholder consent;
  3. the asset separation tool: involving the transfer of assets, rights or liabilities to a specially created asset management entity (owned by public authority and controlled by resolution authority) – the aim of which is to maximise the value and/or limit losses;
  4. bail-in: which essentially allows the resolution authority to write-down debt or that such debt be converted into equity.

A distinctive feature of the BRRD is that it shifts the burdens borne by taxpayers throughout the 2008 financial crisis onto creditors of the bank. Regardless, the provisions of the BRRD provide multiple layers which ultimately enhance the level of protection afforded to depositors.

14.2 What insolvency and liquidation regime applies to banks in your jurisdiction?

Whilst the option of resolution may be equivalent to insolvency and liquidation, given that creditors of failing banks may be required to endure similar consequences (and treatment) as if such bank had entered into normal insolvency proceedings, Malta has its own insolvency and liquidation regime.

The Companies Act envisages the possibility of having an entity wound up either voluntarily or following an application to the Court. In addition, the process of a voluntary winding up may be set in motion by means of a members' winding up or by means of a creditors' winding up. The main difference is that the former would only apply in the case where the bank is solvent; the latter applies in a case of insolvency. Nevertheless, given the regulatory environment surrounding banks, when a bank is insolvent the aforementioned rules emanating from the BRRD would apply.

In a members' voluntary winding up, the directors of a given entity would draft a formal declaration (declaration of solvency) whereby the entity declares that it is capable of paying off its debts and other liabilities within the following twelve (12) months. This course of action is of particular use where, although the entity is still deemed to be solvent, the entity is for one reason or another no longer required. The appointment of a liquidator is required for this process to take place, and if not appointed, the governing board of such entity shall submit an application to the Court for the appointment of a liquidator.

In general, a creditors' voluntary winding up applies in situations where a given entity does not satisfy the solvency criterion and as such, is not capable of paying off its debts and liabilities. Consequently, in such cases it would be the creditors of the entity who would demand that the entity be wound up. Given the rules of the BRRD, the process to liquidate an insolvent bank would be heavily overseen by the MFSA.

The Companies Act also envisages the possibility of a compulsory liquidation ordered by the Court which would require an application by the shareholders and/or directors and/or creditors of a given entity. In such case, a receiver appointed on behalf of the court would assess the entity's assets and liabilities and most importantly, the cause of insolvency. Whilst acting on behalf of the Court, the assessor would act as liquidator and attempt to find a way which minimises creditor detriment. Once again, when the said process is applied to companies that are banks, the MFSA would have a very central and important role.

15 Trends and predictions

15.1 How would you describe the current banking landscape and prevailing trends in your jurisdiction? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The banking industry, whilst evolving and becoming more sophisticated, is being exposed to ever-changing types of risks, to which the legal framework is constantly trying to adapt. This has led to a series of actions, all aimed at increasing safety and security within the banking sector.

The last decade has seen the traditional physical banks shift towards a stronger, online presence allowing users to bank directly through an online platform. Other business models have opted to maintain their physical presence (mainly to cater for retail clients) whilst developing an online presence which would increase the entity's outreach with respect to other segments of society, for instance, through the development of mobile applications allowing one to access his/her account at any given time or place. This was also aided by the fact that the use of cash is dropping at a constant rate whilst the use of plastic money and mobile payment applications is on the rise. The rise of FinTech has therefore brought about a new risk; the risk posed by the potential failure of IT systems. The proposed EU Digital Operational Resilience Act (DORA), forming part of the proposed Digital Finance Package, is expected to bring about requirements imposed on banks and other entities to ensure the safeguarding of their operations carried out by means of technology.

15.2 Does your jurisdiction regulate cryptocurrencies? Are there any legislative developments with respect to cryptocurrencies or fintech in general?

In 2018, Malta introduced the Virtual Financial Assets Act (Chapter 590 of the laws of Malta) ("Act") which regulates distributed ledger technology ("DLT") assets (i.e., cryptocurrencies) being determined to be virtual financial assets ("VFAs") in terms of said Act. VFAs are DLT assets which are not financial instruments, electronic money, or virtual tokens, as further defined in the Act. In the event that a DLT asset is determined to be a financial instrument or electronic money, traditional securities or electronic money laws shall apply. The Act provides that issuers intending to offer a VFA to the public in or from within Malta, or intending to apply for a VFA's admission to trading on a DLT exchange, shall be required to draw up a whitepaper with respect to said VFA and obtain said whitepaper's registration with the MFSA. Moreover, service providers intending to provide any of the VFA services listed in the Second Schedule to the Act, including, inter alia, operating a VFA exchange, shall be required to obtain the necessary VFA service provider's licence, which is also to be issued by the MFSA.

Apart from the Act, one finds the Virtual Financial Assets Regulations (Subsidiary Legislation 590.01 of the laws of Malta) and the MFSA's VFA Rulebooks, which continue to regulate the VFA space in Malta.

As regards FinTech, the MFSA has introduced a FinTech Regulatory Sandbox framework which enables applicants to test their solutions for a specified period of time within a regulatory environment, whilst providing an overview of their performance measures to the MFSA. Start-ups, technology firms and established financial services providers which endorse technologically-enabled financial innovation in their business models, applications or products are welcome to form part of this sandbox, whereby successful applicants, who have demonstrated that their innovations truly offer value to consumers and to the wider financial services sector, are provided with a space to determine the appropriate requirements needed to operate within the financial services sphere. Through collaboration with the sandbox's participants, the MFSA will also have the opportunity to enhance its capacity in assessing the regulatory implications and gaps of such solutions and identify the appropriate responses, as necessary.

16 Tips and traps

16.1 What are your top tips for banking entities operating in your jurisdiction and what potential issues would you highlight?

Malta boasts a large financial services industry when considering the country's economy and GDP. It has established a robust framework enabling institutions to operate within a flexible environment such that they may carry on a sustainable business whilst safeguarding consumer protection measures. Given that Malta is an EU Member State, Malta's rules applicable to the banking sector provide clear regulation enabling financial stability and the prevention of systemic effects. Although this comes at a cost for institutions, it should be perceived as a value-added which will enable the establishment of sustainable business models enhancing customer trust within a pan-European market.

Furthermore, Malta has achieved an excellent economic track record with sustained growth, economic and political stability, and a modern and competitive tax regime providing an excellent operational base. The industry is supported by a robust ICT infrastructure that is backed by a strong IT workforce, hosting the regional training centres for the likes of Cisco, Microsoft and Oracle.

Regulators exercise constant scrutiny to ensure that all operations are run in strict adherence to anti-money laundering and counter funding of terrorism rules, aside from the afore-referenced supervision of banks. Compliance with the applicable rules is mandated and enforced on an ongoing basis.

Whilst the high standards imposed may appear challenging, the Maltese financial services industry boasts expert and experienced resources (internal and external) that would aid any potential credit institution in establishing itself in Malta. External resources offering high-end expert consultancy services have also flourished over the past years; the said expertise may be complemented by hiring local talent directly within the institution.


Co-authored by Nathan Catania, Senior Executive – Regulatory, corporate and financial services and Luca Lepre, Executive – Regulatory, corporate and financial services.
