- within Corporate/Commercial Law topic(s)
- with Inhouse Counsel
- with readers working within the Securities & Investment industries
MFSA Quarterly Fintech Update
Financial Institutions Circulars for period October-December 2025
October 14, 2025: Circular to the Industry on Publication of Chapter 1 of the Financial Institutions Rulebook.
Introduction
On August 11, 2025, the Malta Financial Services Authority (MFSA) published a Consultation Document regarding the revised Chapter 1 of the Financial Institutions Rulebook (FIR/01). This Consultation aims to create a robust regulatory framework for payment institutions and e-money institutions and seeks feedback from stakeholders on the proposed rules.
The revised FIR/01 along with Annex I and Annex II outlines application procedures and requirements for entities seeking authorisation under the Financial Institutions Act. It details the activities covered, obligations of exempted entities, and processes for license extension, surrender, and prudential assessments for acquisitions and increased holdings. Additionally, it includes information collection annexes for authorisation and criteria for determining minimum professional indemnity insurance amounts.
The new FIR/01 aims to enhance the regulatory landscape for financial institutions operating in Malta, ensuring that entities that apply for authorisation meet stringent criteria to maintain industry standards. This will promote trust and stability in the financial services sector.
Applicability and Transitory period
The FIR/01 will take effect immediately upon publication, and future updates regarding the Financial Institutions framework will be made available on the MFSA's website. Queries can be directed to fintechpolicy@mfsa.mt.
October 17, 2025 New Email Addresses for FinTech Supervision
This circular notifies the financial services market of changes to the official email addresses for FinTech Supervision at the Malta Financial Services Authority (MFSA). Effective immediately, all communications should be directed to the designated email addresses listed below.
Link to the new emails: New Email Addresses for FinTech Supervision
November 20, 2025: Circular to the Industry on Publication of Chapter 3 of the Financial Institutions Rulebook
Introduction
The Authority has published the revised Chapter 3 of the Financial Institutions Rulebook FIR/03, with an updated Financial Institutions Return expected to be released in the coming weeks.
Outline of Changes
1. Rules for Account Information Service Providers (AISPs): AISPs are now included in the regulatory framework, providing legal clarity and supervisory guidelines. This ensures these institutions adhere to standardised practices, which protects consumers and fosters trust in the financial sector.
- Rules R3-1.1.1-2 now clearly define that AISPs providing only paragraph 2(h) services must comply with the chapter except for safeguarding requirements, remuneration policies, compliance reporting, critical outsourcing obligations, client funds provisions, and prudential capital calculations. This bifurcated approach recognises AISPs' distinct risk profile that being that they access account data but never custody funds. The amendments to R3-2.1.1-2 reinforce this framework, establishing that while AISPs remain subject to core governance, risk management, and cybersecurity requirements, they're exempt from rules designed for institutions handling monetary value.
- The notification requirements under R3-2.2.1(ii) now explicitly exclude AISPs from reporting non-qualifying shareholder changes, acknowledging their reduced systemic importance, while R3-2.2.2-3 exempt them from safeguarding arrangement notifications but maintain their obligation to provide 60-day advance notice of material outsourcing changes, ensuring regulatory oversight of their critical data processing arrangements.
- The board responsibility requirements under R3-2.7.14 were substantially revised to exempt AISPs from liquidity management targets, formal remuneration procedures, board performance assessments, and succession planning processes, recognising their simpler organisational structures and lower prudential risks compared to payment execution or e-money issuance institutions. Most significantly, R3-2.13.14 now mandates that AISPs submit professional indemnity insurance documentation and the EBA PII Tool annually within one month of their accounting reference date, creating ongoing supervisory oversight of their primary prudential safeguard.
- This insurance requirement under R3-3.4.4 must cover liability from unauthorised account access, fraudulent transactions, and operational failures, with coverage amounts calibrated to transaction volumes and accounts accessed.
2. Enhanced Supervisory Expectations: Revisions to various rules aim to improve supervisory effectiveness and tackle recurring issues observed during supervisory reviews. These changes are designed to enhance governance without imposing unnecessary burdens or hindering the competitiveness of the local payment framework.
- The amendment clarifies that FIR/01 specifically includes processes relating to three critical areas: modification of licence, change in participation or control, and surrender of authorisation/cessation of business.
- This cross-referencing is essential because it prevents duplication of detailed procedural requirements across rulebook chapters while ensuring licence holders understand that ongoing obligations in Chapter 3 operate alongside the lifecycle processes in Chapter 1.
- For further information kindly read our article on FIR/01.
3. Reporting Requirements: Amendments to reporting requirements mandate that institutions submit an organisational structure chart annually as part of their reports.
- The Licence Holder must ensure compliance with Directive 5 of the Central Bank of Malta. Thus they must submit annual reporting within 4 months of the accounting reference date and this must include audited financial statements, an audited Annual Financial Institutions Return, an auditor's management letter and an organizational chart.
- Additionally, the Licence Holder shall prepare and submit a soft copy of the automated Annual FI Return within one month of the accounting reference date, followed by Interim FI Returns at three, six, and nine months after the accounting reference date, with all returns prepared according to the MFSA's Guidelines to the FI Return.
Applicability and Transitory Period
The revised FIR/03 and the new version of the Financial Institutions Return will take effect upon publication. Institutions must use the latest version for their next submissions, following the guidelines provided by the Authority. Additional updates to the Financial Institutions framework will be posted on the MFSA's website. Queries can be directed to fintechpolicy@mfsa.mt.
Supervisory ICT Risk and Cybersecurity Circulars for period October-December 2025
November 03, 2025: Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector – Register of Information Reporting Timelines for the Year 2026 and Onwards
This Circular outlines the requirements for financial entities under the DORA Regulation (EU) 2022/2554 regarding the maintenance and submission of a register of Information (RoI) related to their arrangements with ICT Third-Party Service Providers (ICT TPPs). Key points include:
1. RoI Maintenance: Financial entities must keep an RoI, making it available to Competent Authorities and the European Supervisory Authorities (ESAs), which will identify Critical ICT TPPs for oversight.
2. Annual Reporting: From 2026 onwards, entities must submit their RoI annually to the Malta Financial Services Authority (the Authority) between January 1 and March 21, using December 31 of the previous year as the reference date.
3. Submission Procedure: The RoI must be submitted via the LH Portal. Individuals with complaints regarding access or submission issues should direct their email to roi@mfsa.mt requesting access and include the following details:
- Authorised Person's Name
- Name and Surname of the individual requesting access to the LH Portal RoI Project
- Individual's designation (CEO, Compliance Officer etc.)
- Individual's email address as shown in the individual's LH Portal Account
4. Compliance Responsibility: Entities are responsible for ensuring their RoI is compliant and submitted in the correct 'plain-csv' format. Non-compliance may lead to regulatory actions.
5. Resources for Guidance: The Circular provides resources for entities to aid in RoI preparation, including links to relevant webpages and technical packages, encouraging ongoing alignment with updates.
6. Contact Information: For issues regarding RoI submission, entities can reach out to the Supervisory ICT Risk and Cybersecurity function (roi@mfsa.mt) or ESAs' support teams (Technical Support – DORA-Technical-Support@eba.europa.eu; Business Support – ESA-DORA-Reporting@eba.europa.eu). Overall, adherence to these guidelines is crucial for ensuring compliance with digital operational resilience regulations and avoiding potential penalties.
Overall, adherence to these guidelines is crucial for ensuring compliance with digital operational resilience regulations and avoiding potential penalties.
Crypto-Assets Circulars for period October-December 2025
October 6, 2025: Circular on the Position of the Comision Nacional Del Mercado del Valores' ("CNMV") regarding the Advertisement of Crypto Assets by Crypto Asset Service Providers ("CASPs") in Spain
The Malta Financial Services Authority (MFSA) is informing Crypto-Asset Service Providers (CASPs), particularly those carrying out cross-border marketing and targeting clients in Spain, of the Spanish regulator CNMV's position on the marketing of crypto-assets and related client acquisition and promotional activities. The MFSA reminds CASPs that CNMV Circular 1/2022 has been repealed as of 28 December 2024 and replaced by Circular 1/2024. Crypto-assets in Spain are now regulated under the MiCA Regulation, the Spanish Securities Market Law (Law 6/2023), and CNMV Circular 2/2020 on advertising of investment products and services.
CNMV Criteria applicable to Crypto-Asset Services
Under this framework, the CNMV considers that marketing and client acquisition activities may amount to participation in the provision of crypto-asset services and therefore may only be carried out by authorised CASPs. While non-authorised collaborators or affiliates may be engaged for advertising purposes, they may not be used to market or provide crypto-asset or investment services. CASPs remain responsible for the selection of collaborators and the content of advertising messages. Remuneration structures based on the number of clients or transaction volumes are viewed as indicators of unauthorised service provision, and even fixed remuneration may raise concerns where collaborators interact with potential clients, provide recommendations, or help establish client relationships. By contrast, activities limited to the dissemination of public information without any client interaction may be considered pure advertising and not subject to authorisation.
In light of these expectations, the MFSA requires CASPs to review and, where necessary, update their marketing and client acquisition policies for Spain to ensure alignment with CNMV criteria. Any queries may be directed to csuinvestments@mfsa.mt.
October 17, 2025: New Email Addresses for FinTech Supervision
The Malta Financial Services Authority (MFSA) is informing the financial services market that the official email addresses for FinTech Supervision have changed. With immediate effect, all communications must be sent to the appropriate designated email address, depending on the nature of the matter. The MFSA is updating its official publications to reflect these changes. Communications sent to any other email addresses may not receive a timely response. For the correct and updated email addresses, follow this link.
December 15, 2025: Circular to the Industry on the Publication of the MiCA XBRL Taxonomy
The Malta Financial Services Authority (MFSA) is informing market participants about the upcoming application of Commission Implementing Regulation (EU) 2024/2984, which sets out the technical standards for the forms, formats, and templates of crypto-asset white papers under the MiCA Regulation (EU) 2023/1114. The Regulation will apply from 23 December 2025.
To support implementation, ESMA has published the MiCA XBRL taxonomy on its website, which specifies the structured data requirements for preparing white papers in Inline XBRL (iXBRL) format. All entities issuing white papers for asset-referenced tokens, e-money tokens, or other crypto-assets must ensure compliance with these requirements, including the use of XHTML with embedded iXBRL tags, the ESMA taxonomy, and the standardised templates prescribed by the Regulation.
The MFSA also reminds entities that, in line with the Markets in Crypto-Assets Rulebook, all white papers submitted to the Authority must meet MiCA regulatory and technical standards, including those on machine-readability, templates, and sustainability disclosures. Market participants are encouraged to familiarise themselves with these obligations well in advance to ensure timely and compliant submissions.
Any queries in relation to the above, or any other related or ancillary matter, may be sent via email to SUFintechMICA@mfsa.mt.
December 15, 2025: Circular to the Industry on the Submission of Independent Practitioner's Assurance Report
In March 2025, the Malta Financial Services Authority (MFSA) published the Markets in Crypto-Assets Rulebook applicable to Crypto-Asset Service Providers (CASPs) licensed under the Markets in Crypto-Assets Act. This was followed, on 4 April 2025, by a circular announcing the publication of the Crypto-Asset Service Provider Return (CASP Return).
Under Rule R3-2.6 of the MiCA Rulebook, authorised CASPs are required to submit their audited financial statements, together with the related documentation, in the form and manner prescribed by the Rulebook. As part of this obligation, CASPs must also submit an Independent Practitioner's Assurance Report, signed by an external independent auditor in line with the International Standards on Assurance Engagements. This report must provide limited assurance on the consistency between the information disclosed in the CASP Return and the audited financial statements for the relevant financial year.
To support a smooth transition for entities previously licensed as Virtual Financial Assets Service Providers, the MFSA clarifies that these entities are likewise required to submit an Independent Practitioner's Assurance Report in accordance with R3-3.5.4.2 of Chapter 3 of the VFA Rulebook. Links to the Proposed MIA Limited Assurance Reports are below:
Any questions on these requirements may be addressed to SUFintechMICA@mfsa.mt.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
