On 28 May 2025, the Malta Financial Services Authority (MFSA) issued a circular announcing amendments to Chapters 2 and 3 of the Financial Institutions Rulebook (FIR/02 and FIR/03).
These updates align national rules with the latest EU legislative developments, namely Regulation (EU) 2024/886 on instant credit transfers and the European Banking Authority's (EBA) revised Guidelines on ICT and security risk management, in the context of the Digital Operational Resilience Act (DORA).
New Conditions for Access to Designated Payment Systems
To support the implementation of Regulation (EU) 2024/886, the MFSA has amended FIR/03 to set out a formal procedure for Payment Institutions and Electronic Money Institutions (EMIs) applying to participate in designated payment systems under Directive 98/26/EC.
Institutions are now required to compile a self-assessment and submit a declaration, signed by their Board of Directors, confirming whether they meet the following conditions:
- Measures in place for safeguarding users' funds
- Robust governance and internal controls, including administrative, risk management, and accounting procedures, as well as ICT arrangements aligned with Articles 6 (ICT risk management framework) and 7 (ICT systems, protocols and tools) of DORA (Regulation (EU) 2022/2554)
- A detailed winding-up plan in the event of institutional failure
This communication must be submitted to the relevant payment system, with a copy forwarded to the MFSA within 30 business days from the date of the circular. The MFSA clarified that receipt of this documentation does not constitute formal approval of compliance.
FIR/02 and FIR/03 Adjusted for Revised EBA ICT Guidelines
The MFSA has also amended both FIR/02 and FIR/03 to reflect the EBA's updated Guidelines on ICT and security risk management (EBA/GL/2025/02), which have been narrowed in scope following the full application of DORA:
- References to the previous guidelines have been removed from FIR/02, while retaining references to the MFSA's own guidance on ICT, security risk, and outsourcing arrangements.
- A new rule has been introduced requiring payment institutions and EMIs to comply with the EBA's Guidelines on ICT and Security Management.
Preparing for Compliance
These amendments mark another step in the MFSA's continued transposition of EU-level obligations into national frameworks. Payment institutions and EMIs are encouraged to assess their governance, ICT systems, and safeguarding practices in light of the new rules, and ensure timely submission of the required documentation where applicable.
How BDO Malta Can Help
BDO Malta supports payment institutions and electronic money institutions in meeting their regulatory obligations under FIR/02 and FIR/03. Our multidisciplinary teams can assist with drafting and reviewing self-assessments, evaluating ICT and governance frameworks in line with DORA, and preparing winding-up plans. We also provide guidance on board declarations and liaising with the relevant authorities to ensure timely and accurate submissions.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
