Background
On May 21, 2024, the Malta Financial Services Authority ("MFSA" or "the Authority") issued a Consultation Document addressing the updated Chapter 3 of the Financial Institutions Rulebook ("FIR/03"). This initiative was part of the Authority's commitment to establishing a robust regulatory framework for payment and e-money institutions aimed at aligning Maltese financial regulations with evolving EU standards and best practices. The consultation invited input from stakeholders on the proposed rules, which aim to provide a comprehensive set of ongoing obligations for licensed institutions. Subsequently, on June 12, 2024, the MFSA released a follow-up consultation focused on the FI Return, a specialised regulatory reporting tool designed to enhance supervisory oversight. This consultation included draft guidance notes and a prototype of the FI Return.
On October 3, 2024, the Authority announced the publication of the finalised FIR/03, accompanied by: (i) the FI Return and related Guidance Notes, and (ii) a Feedback Statement summarising key stakeholder insights and the Authority's responses.
Key Objectives of FIR/03
The revised framework focuses on:
- Regulatory Clarity: Simplifying compliance requirements for EMIs and PIs by providing clearer guidance on governance, safeguarding and reporting obligations.
- Proportionality: Tailoring requirements based on the scale, complexity, and risk profile of financial institutions.
- Governance Strength: Enhancing internal structures, accountability, and safeguarding measures.
- Compliance Culture: Promoting a robust culture of transparency, risk management, and adherence to regulatory standards across the financial sector.
Implementation Timeline
- Stage 1: Effective 15 October 2024
Introduction of new reporting obligations, including the updated Financial Institution (FI) Return format.
- Stage 2: Effective 15 December 2024
Enforcement of revised governance and safeguarding requirements to ensure full compliance with FIR/03.
Key Updates
1. Governance and Compliance
Based on the MFSA Corporate Governance Code and European Banking Authority ("EBA") Guidelines on internal governance, FIR/03 strengthens the roles and responsibilities of boards and senior management:
- Board Composition Requirements:
  - Minimum three (3) board members, including at least one Independent Non-Executive Director ("INED").
  - At least two (2) individuals directing the business must be based in Malta.
- Board Responsibilities:
  - Strategic oversight of the institution's operations and objectives.
  - Effective risk management and mitigation strategies.
  - Management of conflicts of interest to ensure impartial decision-making.
  - Development and implementation of business continuity plans to maintain operational resilience.
- Compliance Function:
  - Appointment of an independent compliance officer.
  - Submission of an Annual Compliance Report detailing regulatory breaches, remediation actions, and progress on compliance initiatives.
- Internal Audit Function:
  - Optional outsourcing, provided oversight is maintained by at least one (1) director.
2. Safeguarding of Funds
- No Commingling: Client funds must be segregated from operational funds.
- Safeguarding Accounts: Held with EU-based credit institutions or equivalent custodians.
- Audit Requirements: Regular reconciliations and external audits of safeguarding mechanisms.
- Notification Rules: Prior MFSA notification required for changes in safeguarding arrangements.
3. Outsourcing
Aligned with the Digital Operational Resilience Act ("DORA"), FIR/03 emphasises operational resilience in outsourcing arrangements:
- Critical Functions Identification: Institutions must classify outsourced activities as critical or non-critical.
- Comprehensive Policies: Institutions must maintain detailed outsourcing policies that address oversight and risk management.
- Contractual Provisions: Agreements must include robust clauses on supervision, reporting, and compliance with DORA requirements.
4. Capital and Prudential Requirements
Minimum Capital Thresholds:
- Electronic Money Institutions: €350,000 or 2% of average daily outstanding e-money.
- Payment Institutions: €125,000 (for activities 2a-2e).
- Money Remittance Providers: €20,000.
- Payment Initiation Services: €50,000.
5. Reporting Requirements
FIR/03 introduces enhanced reporting obligations:
- FI Returns: Quarterly returns must be submitted within one (1) month of the reporting date.
- Annual Financial Reports ("AFR"): Institutions must submit audited financial statements within set deadlines.
- Key Data Points: Reporting now encompasses governance, safeguarding, client accounts, own funds, and conduct.
Consultation and Feedback
MFSA consulted 12 key stakeholders. Major changes incorporated include:
- Clarifications on board governance.
- Adjustments to outsourcing rules to align with DORA.
- Safeguarding provisions revised for practicality.
- Elimination of overlap between FIR/03 and the FI Act.
Feedback received included concerns about the direct application of EBA Guidelines, the retention of the Annual Compliance Report ("ACR"), and the outsourcing of internal audit. In response, the rules were updated to clarify that license holders should follow EBA Guidelines, the ACR was retained with a focus on the Compliance Monitoring Program ("CMP") and regulatory breaches, and outsourcing internal audit was permitted provided one director oversees it.
Feedback highlighted operational challenges in avoiding overnight commingling, safeguarding funds with EU branches of third-country credit institutions, and difficulties in guaranteeing specific safeguarding account titles. In response, the rules now require non-safeguarded funds to be moved out of safeguarding accounts as frequently as practicable, retained the framework for EU branches due to lack of harmonisation, and amended the safeguarding account title requirement to a best-endeavours basis.
Feedback sought clarification on the safeguarding notification requirement and raised difficulties in obtaining a safeguarding acknowledgment letter. In response, the rulebook now mandates notification prior to changes in safeguarding arrangements, and license holders may provide equivalent evidence confirming the safeguarding account is held in favour of clients.
Feedback included queries about the interaction between DORA and outsourcing requirements, as well as the applicability of DORA on ICT risk. In response, a new rulebook clarifies that outsourcing rules are without prejudice to DORA, and a reference to DORA was added in light of its applicability in January 2025. Additionally, the MFSA introduced a reference to E-Money Tokens in preparation for the Markets in Crypto-Assets Regulation ("MiCA Regulation").
Future Developments
The MFSA has outlined its upcoming plans, including:
- FIR/01 Consultation: Early 2025.
- FIR/02 Consultation: Mid-2025.
- FIR/04 Consultation: Late 2025.
These updates aim to further align Malta's framework with evolving EU regulations, including the Payment Services Directive 3 ("PSD3") and MiCA Regulation.
Action Points
To ensure compliance, we recommend the following:
- Assess Governance Structures: Ensure board composition and oversight mechanisms meet FIR/03 requirements.
- Review Safeguarding Processes: Confirm compliance with segregation, reconciliation, and audit rules.
- Update Outsourcing Agreements: Align contracts and policies with the updated guidelines.
- Prepare for Reporting Changes: Familiarise yourself with the new FI Return format and submission timelines.