On 28 May 2025, the Malta Financial Services Authority (MFSA)
issued a circular announcing amendments to Chapters 2 and 3 of the
Financial Institutions Rulebook (FIR/02 and FIR/03).
These updates align national rules with the latest EU legislative
developments, namely Regulation (EU) 2024/886 on instant credit
transfers and the European Banking Authority's (EBA) revised
Guidelines on ICT and security risk management, in the context of
the Digital Operational Resilience Act (DORA).
New Conditions for Access to Designated Payment Systems
To support the implementation of Regulation (EU) 2024/886, the MFSA
has amended FIR/03 to set out a formal procedure for Payment
Institutions and Electronic Money Institutions (EMIs) applying to
participate in designated payment systems under Directive
98/26/EC.
Institutions are now required to compile a self-assessment and
submit a declaration, signed by their Board of Directors,
confirming whether they meet the following conditions:
- Measures in place for safeguarding users' funds
- Robust governance and internal controls, including administrative, risk management, and accounting procedures, as well as ICT arrangements aligned with Articles 6 (ICT risk management framework) and 7 (ICT systems, protocols and tools) of DORA (Regulation (EU) 2022/2554)
- A detailed winding-up plan in the event of institutional failure
This communication must be submitted to the relevant payment
system, with a copy forwarded to the MFSA within 30 business days
from the date of the circular. The MFSA clarified that receipt of
this documentation does not constitute formal approval of
compliance.
FIR/02 and FIR/03 Adjusted for Revised EBA ICT Guidelines
The MFSA has also amended both FIR/02 and FIR/03 to reflect the
EBA's updated Guidelines on ICT and security risk management
(EBA/GL/2025/02), which have been narrowed in scope following the
full application of DORA:
- References to the previous guidelines have been removed from FIR/02, while references to the MFSA's own guidance on ICT, security risk, and outsourcing arrangements are retained.
- A new rule has been introduced requiring payment institutions and EMIs to comply with the EBA's Guidelines on ICT and Security Management.
Preparing for Compliance
These amendments mark another step in the MFSA's continued
transposition of EU-level obligations into national frameworks.
Payment institutions and EMIs are encouraged to assess their
governance, ICT systems, and safeguarding practices in light of the
new rules, and ensure timely submission of the required
documentation where applicable.
How BDO Malta Can Help
BDO Malta supports payment institutions and electronic money
institutions in meeting their regulatory obligations under FIR/02
and FIR/03. Our multidisciplinary teams can assist with drafting
and reviewing self-assessments, evaluating ICT and governance
frameworks in line with DORA, and preparing winding-up plans. We
also provide guidance on board declarations and liaising with the
relevant authorities to ensure timely and accurate submissions.