Instant Credit Institutions - ICT Guidelines
The Malta Financial Services Authority (MFSA) and the Central Bank of Malta (CBM) are conducting an implementation exercise to transpose Regulation (EU) 2024/886 amending Regulations (EU) No 260/2012 and (EU) 2021/1230 and Directives 98/26/EC and (EU) 2015/2366 as regards instant credit transfers in euro (the "Amending Regulations") into national law.
Amendments to Chapter 3 of the Financial Institutions Rulebook (FIR/03) were recently published, introducing procedures to ensure compliance with the newly established requirements.
The Amending Regulations modify the Payment Services Directive and establish the following conditions for payment institutions and electronic money institutions to request participation in, and participate in, the designated payment systems set out in the Directive on settlement finality in payment and securities settlement systems:
- A description of the measures taken to safeguard payment service users' funds;
- A description of the governance arrangements and internal control mechanisms in place for the provision of payment or e-money services by the relevant entity; and
- A winding-up plan in the event of failure.
Additionally, the Amending Regulations assign responsibility to Member States to define the procedure by which compliance with the above conditions shall be assessed. In accordance with FIR/03, the relevant financial institution must carry out a self-assessment to determine whether the conditions are being met. This assessment must also be signed by the Board of Directors, confirming the entity's compliance or otherwise.
Payment institutions and e-money institutions participating in designated payment systems have been requested to comply with this procedure and to provide an update on the progress made to the MFSA by 9 July 2025.
This circular also introduces amendments to the MFSA's rulebooks FIR/02 and FIR/03 to implement the updated Guidelines on ICT and Security Risk Management (the "Guidelines") issued by the European Banking Authority (EBA). Following the narrowing of scope of the Digital Operational Resilience Act (DORA) by the EBA through these updated Guidelines, the MFSA is amending Chapter 2 of the Financial Institutions Rulebook (FIR/02) and FIR/03 as follows:
- Remove the reference to the outdated guidelines from FIR/02, while retaining the reference to the Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements, as applicable; and
- Introduce a rule requiring payment institutions and electronic money institutions to comply with the updated EBA Guidelines.