The Malta Financial Services Authority (MFSA) is committed to maintaining a robust regulatory environment for the virtual financial assets (VFA) sector. In line with this commitment, the MFSA has initiated a public consultation process to gather feedback on proposed changes to Chapter 3 of the Virtual Financial Assets Rulebook (the Rulebook).

The trigger causing these proposed changes is the Markets in Crypto-Assets Regulation (MiCAR), which came into effect in June 2023. MiCAR will apply to crypto-asset service providers as of December 30, 2024. To ensure a seamless transition for VFA Service Providers, the MFSA is proactively aligning the VFA Framework, (which namely comprises of the Virtual Financial Assets Act (Cap. 590, Laws of Malta), the Virtual Financial Asset Reulations (SL 590.01) and its respective Rules) with MiCAR before its date of application. As part of this effort, the MFSA has released a draft updated Chapter 3 of the above-mentioned Rulebook for consultation.

Below is a summary of the key proposed amendments that have been incorporated into the draft version of the Rulebook:

1. Changes to Title I of Chapter 3:

1.1 Systems & IT Audit Requirements: The requirement for Systems Audit has been removed. Instead, the draft outlines requirements related to the letter of engagement and defines the role and responsibilities of auditors within the IT Audit requirement section.

1.2 Initial Capital Requirement: The Initial Capital Requirement for Class 3 and Class 4 licence holders has been reduced to align with MiCAR. The Initial Capital Requirement for Class 3 will now be €125,000 and €150,000 for class 4 licence holders.

1.3 Other Matters Requiring Notification: The licence holder is no longer required to obtain professional indemnity insurance, as reference to the aforementioned has been removed.

2. Changes to Title III of Chapter 3:

2.1 Insurance Requirement: The licence holder is required to have an insurance policy in place, which would be disclosed to the public via the licence holder's website. Such policy shall contain at least the following characteristics:

  1. it has an initial term of not less than one year;
  2. the notice period for its cancellation is at least 90 days;
  3. it is taken out from an undertaking authorised to provide insurance in accordance with EU law;
  4. it is provided by a third-party entity.

Moreover, the insurance policy should also ensure coverage against the risk of inter alia: loss of documents and misrepresentations or misleading statements made.

The above insurance requirement has been relocated within the prudential requirements section to mirror MiCAR.

2.2 Outsourcing Requirement: The outsourcing requirements have been amended to directly reflect MiCAR requirements. The proposed section lays down several conditions that must be met in order to take all the reasonable steps to avoid additional operational risk. The conditions inter alia oblige the licence holder to ensure that outsourcing does not result in the delegation of the responsibility of the licence holder and that the licence holder has direct access to the relevant information of the outsourced services.

2.3 Orderly Wind-Down Plan: A new requirement for drawing up an orderly wind-down plan for licence holders offering specific virtual financial assets services, as listed below, has been introduced. Essentially, the aforementioned plan should ensure an orderly wind-down of their operations, including the continuity and recovery of critical activities. The plan's purpose is to demonstrate the license holders' capability to execute an orderly wind-down without causing undue economic harm to their clients.

Entities that are authorised to provide the following services must have an orderly wind-down plan in place:

  1. Custody Services
  2. Operation of a VFA Exchange
  3. Dealing on own account
  4. Execution of Orders
  5. Placing of VFAs

2.4 Supplementary Conditions: The draft incorporates service-specific requirements from Articles 75 to 81 (obligations in respect of crypto-asset services) of MiCAR, such as obligations on the provision of advice on crypto-assets and the provision of portfolio management of crypto-assets, replacing the rules currently applicable to VFA Exchanges. Additionally, rules regarding order execution and client suitability have been updated.

2.5 Prudential Requirements: This section now reflects the reduced initial requirement and allows for the prudential requirement to be fulfilled through an insurance policy, aligning with MiCAR.

2.6 Conduct of Business: Certain disclosures required by MiCAR have been added, such as the obligation that an authorised licence holder is prohibited from deliberately or negligently mislead a client in relation to the real or perceived advantage of any virtual financial assets. On the other hand, requirements concerning client categorisation have been removed.

2.7 Reporting Requirements: The Risk Management and Internal Capital Adequacy Assessment Report (RMICAAP) requirement has been removed.

The new Rulebook is intended to become effective upon publication. However, there will be an additional 3-month transitionary period for specific requirements related to the orderly wind-down plan, service-specific requirements (supplementary conditions), and whitepaper disclosure requirements. This extension aims to allow VFA Service Providers ample time to achieve compliance.

Stakeholders are encouraged to review the draft Rulebook and provide feedback on the proposed changes, alignment areas, and the suggested transitionary measures to the MFSA by Friday, September 15, 2023.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.