ARTICLE
19 December 2025

Strengthening Risk Management: MFSA's Expectations For CSPs

Mamo TCV Advocates


On the 25th of November 2025, the Malta Financial Services Authority ("MFSA") issued a 'Dear CEO letter' to communicate the results of a thematic review of the risk management function of Class C Company Service Providers ("CSPs"). This letter forms part of the MFSA's wider supervisory drive to enhance governance, culture and resilience across the sector. Although the review focused on a selected sample, the expectations outlined are relevant to all CSPs authorised in Malta.

Under the Company Service Provider Rulebook ("the Rulebook"), CSPs must maintain a risk management framework that allows them to identify, analyse and evaluate risk, distinguishing between preventive controls designed to reduce the likelihood of risks occurring and recovery controls intended to mitigate their impact. To this end, each CSP must appoint a Risk Officer who dedicates sufficient time and expertise to the function. The MFSA expects CSPs to assess and document that commitment of time and to ensure adequate hours are allocated, especially during periods requiring intensive testing. Internal policies should clearly describe the Risk Officer's role, tools and methodologies, frequency of assessments and reporting lines. These details provide evidence that the function is effective and accountable.

Moreover, CSPs are required to establish, implement and maintain risk management policies and procedures that set their risk appetite and describe how risks are identified, assessed, monitored and managed. The MFSA's guidance suggests such policies should cover the role of the Risk Officer and the Board of Directors, risk culture, risk assessments, controls and their testing, contents of the risk register, assignment of risk owners, reporting lines, internal escalations and training. Policies must be reviewed at least annually or when trigger events occur, and staff at all levels should receive training. CSPs must monitor compliance with policies and address deficiencies.

The Rulebook also obliges CSPs to carry out a Business Risk Assessment covering all services they are authorised to provide. This assessment should identify and evaluate the risks associated with the business model and target markets, not just money-laundering and terrorist-financing risks, and should consider the context in which services are delivered. CSPs must document their methodology, conduct qualitative and quantitative analysis of likelihood and impact, and regularly update the assessment. Controls should be tailored to each risk, since applying the same measure across different services is not acceptable.

The risk register must provide a snapshot of client risk and include a list of clients with their risk ratings, along with the risks inherent to each client's business model. It should also capture non-ML/FT risks such as outsourcing, compliance, recruitment, capital adequacy, operational and information-technology risks, cybersecurity, reputational risks and strategic risks. The MFSA expects CSPs to assess these risks qualitatively and quantitatively, determine the residual risk remaining after controls, assign risk owners with relevant expertise and review the assessment at least annually or upon trigger events. Risk owners must bring potential threats to the Board's attention. CSPs are required to test the effectiveness of controls, document the methods and outcomes, and address any deficiencies.

The MFSA notes that many CSPs rely heavily on outsourced IT providers and lack internal expertise in cybersecurity. The MFSA expects CSPs to develop the knowledge needed to identify, assess and mitigate cybersecurity risks, and to provide training to staff. CSPs must maintain policies and procedures on cybersecurity, taking into account guidance on technology arrangements and security risk management. Appropriate controls may include strong firewalls, two-factor authentication, segregation of servers, access rights granted on a need-to-know basis and third-party audits. CSPs should test their systems at least annually and document the results. Formal escalation procedures for cyber incidents must be documented.

Furthermore, controls must be tested regularly to confirm they remain effective. CSPs are expected to describe testing methods, outcomes and recommendations in risk reports. The frequency and content of reports to the Board should reflect the business model and risk appetite, with higher-risk CSPs providing more frequent and detailed updates. Reports should cover current and emerging risks, new controls, changes to risk appetite and the results of control testing. The Board of Directors remains ultimately responsible for ensuring compliance and must obtain regular updates, follow up on recommendations and document its discussions.

The MFSA expects all CSPs to conduct a gap analysis of their risk management function against the expectations set out in the letter. The analysis should be documented, but it need only be made available to the MFSA upon request.

Doing so will help CSPs address deficiencies in risk identification, controls, testing, documentation and board reporting, whilst strengthening their resilience in line with regulatory expectations.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
