1 Legal and enforcement framework
1.1 In broad terms, which legislative and regulatory provisions govern virtual currencies in your jurisdiction?
Malta has a harmonised legislative and regulatory ecosystem governing blockchain and virtual currencies. Currently, the main legislative act governing cryptocurrencies in Malta is the Virtual Financial Assets (VFA) Act (Chapter 590 of the Laws of Malta). The relevant competent authority in Malta – the Malta Financial Services Authority (MFSA) – has also issued rulebooks governing crypto-asset service providers (CASPs) and issuers.
In general, the VFA Act distinguishes between four types of virtual assets:
- Virtual tokens: More commonly known as 'utility tokens', these can only be used within the distributed ledger technology (DLT) platform on which they are issued and cannot be traded on secondary markets (so they are a sort of closed-loop utility token). They are exempt from regulation.
- Electronic money tokens: This is e-money as we know it, in tokenised form, and includes stablecoins backed by fiat currency. If the token gives the holder a claim against the issuer, is fully redeemable at par and is backed by fiat currency, it will qualify as such; one must examine the specific rights and obligations attached to the token.
- Financial instruments or security tokens: These are financial instruments governed by the Markets in Financial Instruments Directive (MiFID) and supervised by the national competent authorities and the European Securities and Markets Authority. They include tokenised equity, bonds and commodity derivatives.
- VFAs: If a token is not classified as any of the above, it falls by default into the residual VFA category. Tokens such as Bitcoin, Ether and Binance Coin (BNB) fall into this category.
As Malta is part of the European Union, it is subject to the new Markets in Crypto-Assets Regulation (MICAR), which was adopted by the European Parliament and the Council in 2023.
As a regulation, MICAR is directly applicable and does not need to be transposed into national law; its provisions on stablecoins (Titles III and IV) apply from 30 June 2024 and the remainder from 30 December 2024, and member states must adapt their national frameworks before those dates.
Luckily, when it comes to CASPs, the Maltese VFA Framework and rulebook are already largely aligned (roughly 90%) with MICAR, so minimal impact is expected both for the supervisory teams at the MFSA and for locally regulated CASPs.
In terms of the minor alignment that remains to be done between the VFA rules for CASPs and MICAR, the MFSA has taken a proactive approach and has already released a public consultation on the updated rules. The MFSA is pushing to have its rules for CASPs fully aligned with MICAR by the end of 2023. This also means that any CASP already regulated in Malta is expected to be grandfathered into MICAR under its transitional arrangements.
1.2 In broad terms, which legislative and regulatory provisions govern entities that provide services relating to virtual currencies? Must they be registered or licensed by a regulatory authority?
Entities that provide services relating to digital assets or virtual currencies ('VFA services') must be registered or authorised (as applicable) by the MFSA under the VFA Act (and soon under MICAR).
Under MICAR, tokens (and therefore their issuers) fall into one of the following three categories:
- Utility tokens: This is a type of crypto-asset that is only intended to provide access to goods or services supplied by its issuer. Initial coin offering issuers will need to notify their white paper to a national competent authority and incorporate an entity within the European Union; however, they will not need to obtain authorisation from an EU competent authority.
- Asset-referenced tokens (ARTs) (stablecoins): This is a type of crypto-asset that is not an electronic money token and that aims to maintain a stable value by referencing another value, right or a combination thereof, including one or more official currencies. ART stablecoins will require authorisation if:
- they are offered in or from Europe; or
- they target Europeans.
- E-money tokens (EMTs) (stablecoins): This is a type of crypto-asset that purports to maintain a stable value by referencing the value of one official currency. These stablecoin players:
- will be subject to the traditional EU e-money rules and regulations; and
- will need to obtain authorisation if the EMTs are offered in or from Europe or target Europeans.
Tokenised traditional financial instruments and ancillary services in relation to such security tokens will be governed by the Second Markets in Financial Instruments Directive (MIFID II) and will not be subject to MICAR. A new EU regulation called the DLT Pilot Regime governs market infrastructure players of tokenised financial instruments.
CASPs under MICAR are entities that provide the following services:
- the operation of a trading platform for crypto-assets, which means "the management of one or more multilateral systems, which bring together or facilitate the bringing together of multiple third-party purchasing and selling interests in crypto-assets, in the system and in accordance with its rules, in a way that results in a contract, either by exchanging crypto-assets for funds or by the exchange of crypto-assets for other crypto-assets";
- the provision of custody and administration of crypto-assets on behalf of clients, which means "the safekeeping or controlling of crypto-assets on behalf of clients, or of the means of access to such crypto-assets, where applicable in the form of private cryptographic keys";
- the exchange of crypto-assets for funds or other crypto-assets, which means "the conclusion of purchase or sale contracts concerning crypto-assets with clients for funds or other crypto-assets by using proprietary capital". This is similar to 'dealing on own account' under MIFID II, which involves trading against the firm's proprietary capital;
- the execution of orders for crypto-assets on behalf of clients, which means "the conclusion of agreements, on behalf of clients, to purchase or sell one or more crypto-assets or the subscription on behalf of clients for one or more crypto-assets and includes the conclusion of contracts to sell crypto-assets at the moment of their offer to the public or admission to trading";
- the receipt and transmission of orders for crypto-assets on behalf of clients, which means "the reception from a person of an order to purchase or sell one or more crypto-assets or to subscribe for one or more crypto-assets and the transmission of that order to a third party for execution". In this case, CASPs do not become a party to the contractual arrangement or interpose themselves in the transaction;
- the provision of advice on crypto-assets, which means "offering, giving or agreeing to give personalised recommendations to a client, either at the client's request or on the initiative of the crypto-asset service provider providing the advice, in respect of one or more transactions relating to crypto-assets, or the use of crypto-asset services". This service involves CASPs giving personal recommendations to clients;
- the placing of crypto-assets, which means "the marketing, on behalf of or for the account of the offeror or a party related to the offeror, of crypto-assets to purchasers". This service involves providing marketing for or on behalf of a token issuer;
- portfolio management of crypto-assets, which means "managing portfolios in accordance with mandates given by clients on a discretionary client-by-client basis where such portfolios include one or more crypto-assets"; and
- the provision of transfer services for crypto-assets on behalf of clients, which means "providing services of transfer, on behalf of a natural or legal person, of crypto-assets from one distributed ledger address or account to another". This essentially means the transfer of crypto-assets from one wallet address to another in connection with the settlement of transactions in crypto-assets.
Credit institutions under the Capital Requirements Regulation, central securities depositories, MIFID investment firms, market operators, e-money institutions, undertakings for collective investment in transferable securities management companies and alternative investment fund managers may provide, in relation to crypto-assets, the services equivalent to those they are already authorised to provide for financial instruments. They are brought within the scope of MICAR simply by notifying the relevant competent authority at least 40 working days before providing those services for the first time.
1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?
The MFSA plays a central role with respect to the authorisation and supervision of CASPs and crypto-asset issuers. Among other things, it has the power to:
- issue rules and guidelines;
- investigate and appoint an inspector to investigate service providers;
- access information on DLT, VFA services and VFA assets at any time, and enter related premises;
- protect the public interest and take such measures as are necessary to achieve its goals, including the appointment of a person to assume control of the business of a licence holder;
- suspend or revoke the licence of a licence holder;
- suspend a VFA asset from trading or remove it from an exchange; and
- issue penalties to licence holders for non-compliance.
Additionally, the Financial Intelligence Analysis Unit (FIAU), the Information and Data Protection Commissioner and the courts have the power to enforce the applicable rules and regulations.
1.4 What is the regulators' general approach to virtual currencies?
Malta was one of the first countries in the world to enact a VFA Framework, in November 2018. The VFA Framework is closely aligned with the CASP rules found in MICAR. The MFSA has a solid technical VFA team in place within the Crypto-Asset Supervision Department. The MFSA has been applying the VFA rules for the last five years and these are practically identical to MICAR when it comes to service providers, so the transition both for the MFSA and for regulated CASPs should be relatively seamless.
The MFSA has an open-door policy and is very business friendly when it comes to welcoming interested CASPs to Malta. For this reason, Malta is one of the top two jurisdictions (along with France) that big crypto-players choose when jurisdiction shopping.
1.5 Has there been any notable enforcement action relating to virtual currencies?
Yes. The MFSA and the FIAU have been at the forefront of enforcing EU and local regulations applicable to virtual currencies. In 2021, crypto-friendly payment institution Paytah was fined €435,576 for various anti-money laundering breaches. The MFSA has twice issued a warning about crypto giant Binance, as it is not licensed to provide services in or from Malta. A plethora of other warnings and fines have been issued by the MFSA since the adoption of the regulatory regime for virtual currencies.
2.1 How are 'virtual currencies' defined in your jurisdiction? Have there been any judicial decisions which have helped to define virtual currencies or their interplay with the existing body of laws (eg, contracts law, property law)?
'Virtual currencies' in Malta are defined as 'virtual financial assets' (VFAs) – that is, any form of digital medium recordation that is used as a digital medium of exchange, unit of account or store of value, but which is not electronic money, a financial instrument or a virtual token (eg, Bitcoin, Ether). Judicial decisions on virtual currencies in Malta primarily concern fraud and licensing non-compliance. To date, there have been no judicial findings on the contractual or property-law characterisation of smart contracts or cryptocurrencies.
2.2 How are 'initial coin offerings' and 'security token offerings' defined in your jurisdiction?
'Initial coin offerings' in Malta are defined as 'initial virtual financial asset offerings' and include:
- offering a VFA to the public in or from within Malta; and
- applying for a VFA's admission to trading on a distributed ledger technology (DLT) exchange.
Once Malta has fully aligned its VFA Framework to the Market in Crypto-Assets Regulation (MICAR), the MICAR rules on the issuance of 'other crypto-assets' (including 'utility tokens') will apply. In this regard, "a 'utility token' is a crypto-asset that is intended to provide access to a good or service supplied by the issuer". Unlike stablecoins (e-money tokens (EMTs) and asset-referenced tokens (ARTs)), utility tokens do not require any licence or authorisation before launch, issuance or admission to trading. Utility tokens do, however, require notification to an EU national competent authority, which consists of presenting a white paper drafted in line with the requirements found in MICAR; the token must be issued, or admitted to trading, by an entity incorporated in the European Union.
Under the new regime introduced by MiCAR, tokens fall into two groups:
- The first group, which is subject to MiCAR, includes:
- currency tokens; and
- utility tokens.
- The second group includes security tokens and token derivatives, which are subject to a bespoke framework composed of:
- the DLT Pilot Regime; and
- the Second Markets in Financial Instruments Directive.
2.3 Are stablecoins treated as virtual currencies in your jurisdiction or do they fall under an existing category (eg, electronic money)?
Since Malta is part of the European Union, MICAR applies directly in Malta: its provisions on stablecoins (Titles III and IV) apply from 30 June 2024 and the remainder from 30 December 2024, and member states must adapt their national frameworks accordingly.
Under MICAR, stablecoins consist of two main groups:
- EMTs: A type of crypto-asset that purports to maintain a stable value by referencing the value of one official currency.
- ARTs: A type of crypto-asset that is not an EMT and that aims to maintain a stable value by referencing another value or right or a combination thereof, including one or more official currencies.
EMTs: Firms that wish to issue and offer EMTs must be authorised as either a credit institution or an e-money institution under the E-money Directive. The issuance and redeemability of EMTs are subject to requirements under MiCAR rather than the E-money Directive. Issuers of EMTs must:
- deposit at least 30% of their funds in separate accounts with credit institutions; and
- invest the remaining funds in secure, low-risk assets that qualify as highly liquid financial instruments.
Issuers of EMTs must also provide information in the form of a white paper in line with MICAR. Unfavourable provisions in relation to EMTs include the following:
- issuers of EMTs (and CASPs) are prohibited from granting interest on EMTs; and
- if an EMT grows to a certain size, it will be deemed 'significant' and its issuer will be supervised directly by the European Banking Authority (EBA). Issuers of significant EMTs must comply with additional risk, liquidity and capital requirements.
ARTs: Issuers of ARTs must obtain authorisation before issuing tokens or admitting tokens for trading. Issuers must:
- submit a white paper in line with certain requirements;
- maintain own funds requirements;
- have a reserve of assets that meets certain composition requirements; and
- comply with custody requirements.
If ARTs exceed a certain size, they will be classified as 'significant' and will be subject to additional capital, risk and liquidity requirements and be supervised directly by the EBA.
3 Virtual currencies market
3.1 Which virtual currencies have become most embedded in your jurisdiction? Does this vary depending on the specific use?
Some companies and merchants in Malta – including law firms, real estate companies and restaurants – have started to accept cryptocurrencies as a means of payment. The most popular cryptocurrencies are stablecoins such as USDC and Tether; however, popular cryptocurrencies such as Bitcoin and Ethereum are also commonly accepted. Since stablecoins offer a stable store of value, these are the most popular choice of currency among service providers and merchants.
3.2 What different products and services are offered?
Bitcoin and Ethereum are accepted as a means of payment for the purchase of goods and services by some merchants in Malta (eg, restaurants, hotels, co-working spaces, legal services, cars, insurance, e-commerce).
A few big players deal in cryptocurrencies or have blockchain-based products which are licensed or registered in Malta. These include VAIOT, Exante, Everest and crypto-giant Crypto.com.
We believe that Malta is one of the few jurisdictions in the world where it is possible to successfully obtain a licence for any cryptocurrency service. That said, any potentially interested player must have a decent budget to be able to cover all relevant fees and charges (eg, the Malta Financial Services Authority (MFSA) fees, systems audit fees, legal fees and capital requirements). Becoming regulated is not cheap, but it is a good investment, as it makes your project or platform more reliable. Besides the obvious benefits of regulation, having a licence is the best marketing tool for potential clients.
3.3 How are virtual currency service providers generally structured? How are they generally financed?
Crypto-asset service providers (CASPs) are generally structured as limited liability companies, but it is also possible to opt for a foundation in some cases (eg, utility token issuers). Virtual currency service providers are usually financed through a mix of:
- private equity;
- angel investors;
- venture capital; and
- initial coin offerings.
3.4 Are virtual currency trading platforms subject to a specific regulatory regime in your jurisdiction? Must they be registered or licensed by a regulatory authority? Does this vary depending on whether the platform accepts legal currency or whether the platform is custodial? Are virtual currency trading platforms subject to any form of 'market abuse' regulation?
Under the Market in Crypto-Assets Regulation (MICAR), the market players operating in the crypto-asset space include:
- portfolio managers;
- investment advisers;
- market makers; and
- exchanges/trading platforms.
Certain market players – such as custodians and trading venues – must abide by additional requirements specific to their licensed activities.
For a CASP to obtain authorisation in Malta from the Malta Financial Services Authority, it will need to submit an application. The licensing process involves:
- having a Maltese registered entity;
- submitting an application form;
- submitting a business plan and financial projections (three years);
- submitting certain policies (eg, anti-money laundering, IT and security); and
- passing fit and proper tests for all shareholders, directors and key personnel.
The requirements for cryptocurrency exchanges/trading venues under MICAR include:
- listing procedures;
- non-discretionary rules;
- custody arrangements and policies; and
- market abuse policies.
Operating a crypto exchange/trading venue under MICAR will require the applicant to hold, and provide proof of, minimum capital of €150,000 (the MICAR class 3 requirement).
4 Crossover with banking
4.1 How are virtual currencies positioned within the broader banking landscape in your jurisdiction?
Traditional banks both in Europe and in Malta have been very slow to adapt to new technologies, including virtual currencies such as Bitcoin. This often presents obstacles for blockchain businesses. However, Malta is nonetheless popular with crypto-friendly payment service providers, and a few Maltese banks are slowly opening up and considering opening accounts for regulated crypto-players. The MFSA has no objection to regulated crypto-asset service providers holding a bank account with any bank in the European Union.
4.2 What impact could mainstream adoption of virtual currencies have on the ability to control inflation in your jurisdiction?
Due to the rise and threat of stablecoins, central banks all over the world – including the European Central Bank – are working towards the creation of central bank digital currencies (CBDCs). CBDCs are central bank-issued money as we know it today, still subject to all relevant monetary policies relating to inflation and interest rates, but in token form, running on distributed ledger technology. Stablecoins, on the other hand, are fiat- or asset-backed tokens which satisfy the three functions of money (ie, medium of exchange, unit of account and stable store of value), but which are not subject to the same monetary policies.
This is why the EU Markets in Crypto-Assets Regulation (MiCAR) prohibits interest-bearing stablecoins. An interest-bearing stablecoin (a fiat-backed token issued by a private issuer that lets holders earn passive income) would obviously be more attractive than a CBDC (state-issued and regulated money that pays no interest), even if the stablecoin issuer adhered to every relevant regulatory requirement.
For this reason, MICAR limits stablecoins from growing to a size which could threaten the public interest. If stablecoins exceed certain thresholds (eg, more than 10 million holders, a market capitalisation above €5 billion, or more than 2.5 million transactions per day with an aggregate value above €500 million), they will be classified as 'significant' and will have to:
- abide by additional capital, risk and liquidity requirements; and
- be supervised directly by the European Banking Authority (EBA).
If the EBA deems that they are becoming a threat to monetary policy, it has the power to force an 'orderly winding down'. This could drive stablecoin issuers to set up shop outside of the eurozone, with their European set-up catering solely to EU citizens and their set-up outside Europe serving as a truly global stablecoin.
4.3 What other implications could the mainstream adoption of virtual currencies have for the banking system in your jurisdiction (eg, with respect to payment services)?
The adoption of cryptocurrencies and stablecoins as a means of payment can create competition for banks. Money remittance is one area where cryptocurrencies – especially stablecoins – are proving to be a compelling use case, since all that workers need to send money home is a mobile phone, an internet connection and a wallet. Transfers settle within minutes and, on many networks, at very low fees.
Certain traditional players such as MoneyGram are adopting cryptocurrencies in order to remain relevant and competitive. In fact, MoneyGram has launched its own wallet to give clients the option to send money through cryptocurrencies. Some banks are also offering certain products and services in cryptocurrencies due to their realisation that cryptocurrency adoption is on the increase. Some prominent banks in Germany, Switzerland and the United States are now offering cryptocurrency custody services.
We are also seeing an increase in the number of merchants in the e-commerce space allowing consumers to pay in cryptocurrencies through the use of crypto-processors.
4.4 Regarding decentralised finance, do the banking regulations in your jurisdiction apply to loans of virtual currencies or interest-bearing deposits of virtual currencies? Does this vary depending on whether stablecoins are loaned or deposited?
So far, the European Union has taken the position that it will only regulate centralised players. MICAR does not regulate decentralised finance (DeFi), so this remains a grey area. That said, if a regulated centralised player has a component of its platform or operations that uses DeFi, it will still fall under the scope of MICAR.
The European Commission has stated that once MICAR has been applied and implemented across Europe, it will focus on drafting a 'MICAR 2.0' aimed at regulating DeFi players.
5.1 Is blockchain technology in itself regulated in your jurisdiction and what specific legal issues are associated with its use?
Blockchain technology in and of itself is not regulated; nor is its use. The only activities related to blockchain technology which are regulated are licensed activities under the Markets in Crypto-Assets Regulation. Also of significance is the Innovative Technology Arrangements and Services Act, enacted in 2018, which established a certification framework for innovative technology arrangements and services (ITAS). ITAS include:
- software and architecture that are used in designing various blockchain or distributed ledger technology (DLT) systems;
- smart contracts; and
- other related systems that may:
- pose risk to life; or
- lead to significant asset loss or damage or significant damage to the environment.
In general, ITAS are certified on a voluntary basis, although the competent authority (the Malta Digital Innovation Authority (MDIA)) may require certain ITAS to go through the certification process to ensure the quality of the system.
Further, the Maltese framework encompasses a technological sandbox which provides a safe environment in which to develop ITAS based on blockchain and/or AI deployed in critical environments, to ensure that such solutions are in line with recognised standards.
5.2 What other implications could the mainstream adoption of virtual currencies have from a technological perspective?
Some implications that would be positive for the ecosystem include:
- the need for the development of underlying technical infrastructure that would allow interoperability between current virtual currencies and traditional banking systems;
- the need to address scalability; and
- enhanced cybersecurity and awareness.
Notably, in terms of sustainability, with the EU Green Deal in mind, any underlying virtual currency technologies will be expected to incorporate cutting-edge clean energy innovation (eg, mining powered by renewable energy, or consensus mechanisms that do not rely on energy-intensive proof-of-work).
The decentralised finance (DeFi) community is working on advanced technological solutions such as cross-chain bridges and cross-chain interoperability (on the central-bank side, the BIS-led mBridge project pursues a similar goal for central bank digital currencies). Another issue which must be addressed is the usability of DeFi for ordinary users. Many aspects of DeFi are too complex for users who lack a certain amount of technical knowledge: for example, many users are not aware that a given token exists on several networks/chains and lose funds by sending it to an address on the wrong chain. This is why the community is now building cross-chain/multi-party solutions, and newer blockchains such as Algorand and Avalanche are addressing these issues. Another interesting development, which could help with blockchain's underlying data protection problems, is the zero-knowledge proof, which lets a party prove that a statement is true (for example, that it knows a secret, or that a transaction is valid) without revealing the underlying data. Examples include Mina and Aleo.
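To make the zero-knowledge idea concrete, the following is an added toy example written for this page; it is not code from Mina, Aleo or any other project mentioned above, and it is not a production proof system. It implements the Schnorr proof of knowledge of a discrete logarithm, made non-interactive with the Fiat-Shamir transform: the prover shows it knows a secret x with y = g^x mod p without disclosing x. The group parameters are derived at start-up from a fixed starting point, the context string and all function names are assumptions made for the example, and real deployments would use standardised groups or elliptic curves from an audited library.

```python
"""Toy non-interactive zero-knowledge proof of knowledge of a discrete logarithm:
the Schnorr identification protocol made non-interactive with the Fiat-Shamir
transform. A prover convinces a verifier that it knows x with y = g^x mod p
without revealing x.

Added illustration for this page; not code from Mina, Aleo or any other project,
and not a production proof system. The group parameters are derived below from a
fixed starting point (an assumption made only for offline reproducibility).
"""
import hashlib
import secrets

MR_BASES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases: probabilistic, adequate for a demo."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_from(start: int) -> tuple:
    """Search upward from start for q such that q and p = 2q + 1 are both prime."""
    q = start | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


# Constructed parameters: a 256-bit safe prime found from a fixed start (assumption).
P, Q = safe_prime_from((1 << 255) + 1)
G = 4  # 4 = 2^2 is a quadratic residue mod P, so it generates the subgroup of prime order Q


def challenge(y: int, t: int, context: bytes) -> int:
    """Fiat-Shamir: the challenge is a hash of the public statement and the commitment."""
    data = b"|".join(str(v).encode() for v in (P, Q, G, y, t)) + b"|" + context
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def prove(x: int, context: bytes) -> tuple:
    """Prove knowledge of x for y = G^x mod P; returns (t, s) and never reveals x."""
    y = pow(G, x, P)
    k = secrets.randbelow(Q - 1) + 1  # fresh random nonce; reusing k would leak x
    t = pow(G, k, P)                   # commitment
    c = challenge(y, t, context)
    s = (k + c * x) % Q                # response
    return t, s


def verify(y: int, proof: tuple, context: bytes) -> bool:
    """Accept iff G^s == t * y^c (mod P), after range and subgroup checks."""
    t, s = proof
    if not (1 < y < P and 1 < t < P and 0 <= s < Q):
        return False
    if pow(y, Q, P) != 1 or pow(t, Q, P) != 1:  # reject values outside the order-Q subgroup
        return False
    c = challenge(y, t, context)
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def demo() -> dict:
    """Run one honest proof and three forgery attempts; returns the verdicts."""
    secret = secrets.randbelow(Q - 1) + 1
    public = pow(G, secret, P)
    ctx = b"constructed-context:holder-attestation"  # binds the proof to one purpose
    proof = prove(secret, ctx)
    t, s = proof
    return {
        "honest": verify(public, proof, ctx),
        "wrong_context": verify(public, proof, b"constructed-context:other"),
        "wrong_public_value": verify(pow(G, secret + 1, P), proof, ctx),
        "tampered_response": verify(public, (t, (s + 1) % Q), ctx),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The verifier sees only (t, s) and the public value y; the secret x and the nonce k stay with the prover. The context string is hashed into the challenge so that a proof produced for one purpose cannot be replayed for another, and the subgroup checks stop a malicious prover from submitting values outside the intended group.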
The mainstream adoption of virtual currencies will fuel the technological aspects of blockchain, allowing developers to innovate and thus making the technology even more accessible. This can also encourage the application of blockchain technology to existing systems, which can lead to much greater efficiencies and effectiveness.
6 Data security and cybersecurity
6.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for virtual currencies?
The applicable data protection regime in Malta is the EU General Data Protection Regulation (GDPR). The GDPR sets out specific requirements on the protection of personal data. In this respect, virtual currency service providers must comply with the requirements of the GDPR, which may include:
- the carrying out of a data protection impact assessment (DPIA); and
- the incorporation of technical and organisational measures – otherwise known as data protection by design and by default – both in the structure of the organisation and in the technical solution itself, to secure personal data against breaches.
Virtual currency service providers should also be aware of ongoing issues related to the use of blockchain and the GDPR (eg, the right to be forgotten), and thus ensure that their technical solutions do not deny the rights of users enshrined in the GDPR. The Malta Financial Services Authority (MFSA) has also issued specific cybersecurity guidance for virtual currency providers which includes certain provisions on data protection.
6.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for virtual currencies?
The applicable cybersecurity regime is based on the European cybersecurity legislation and includes the Network and Information Security Directive 2 (NIS2), as well as EU Regulation 2019/881, which is directly applicable to Malta and is known as the Cybersecurity Act. The Cybersecurity Act establishes common cybersecurity certification at the EU level, while NIS2 aims to ensure a high common level of security of networks and information systems across the European Union.
Other applicable EU instruments include:
- the GDPR, which protects personal data;
- the Payment Services Directive (2015/2366) (PSD2); and
- EU Regulation 1093/2010 on the European Banking Authority.
Digital Operational Resilience Act: The Digital Operational Resilience Act (EU Regulation 2022/2554) (DORA) was adopted by the European Parliament in November 2022. DORA requires in-scope entities, including crypto-asset service providers (CASPs), to address information and communications technology (ICT) related incidents comprehensively, including:
- recovery; and
- restoration of capabilities.
DORA emphasises ICT risk, establishing rules for:
- incident reporting;
- resilience testing; and
- third-party risk monitoring.
DORA recognises that ICT incidents and operational resilience gaps can jeopardise the financial system, regardless of capital allocation. DORA applies from 17 January 2025, meaning that entities which are subject to it are expected to be in full compliance with its requirements by that date.
DORA is based on five key pillars, which set out obligations for subject entities, outlined below.
ICT risk management: DORA's ICT risk management framework requires firm leadership to take full responsibility for:
- ICT risk management;
- resilience strategy; and
- third-party provider policies.
Competent authorities can impose penalties for regulatory breaches.
These rules are aligned with European Banking Authority and European Insurance and Occupational Pensions Authority guidelines but now have legal weight, increasing supervisory scrutiny. Firms must also:
- define ICT disruption tolerances;
- identify critical functions;
- understand dependencies; and
- conduct business impact analyses for severe disruptions, driving more sophisticated scenario testing and system redundancy for critical functions.
ICT-related incident reporting: DORA's incident reporting framework simplifies EU obligations in the financial sector, but introduces new requirements for classifying and reporting ICT-related incidents. Many firms currently lack the capability to collect and analyse incident data at the level DORA requires and will need to build it.
While DORA adds 'significant cyber threats' to the list of reportable events, reporting them to the competent authority remains voluntary; firms must, however, inform clients or counterparties that are potentially affected. Firms must also record all significant cyber threats, which calls for improved incident management.
The specific deadlines for ICT-related incident reporting are set by the European supervisory authorities (ESAs) in technical standards rather than in DORA itself, which has caused uncertainty for firms.
ESAs are set to assess the feasibility of centralising incident reporting through a single EU hub. Streamlining reporting aims to reduce the compliance burden and enhance cross-border threat understanding.
Digital operational resilience testing: DORA mandates regular digital operational resilience tests for all relevant firms, excluding microenterprises. They must assess their 'critical ICT systems and applications' comprehensively at least annually, addressing any identified vulnerabilities. Additionally, firms with specific significance and maturity levels must perform 'advanced' threat-led penetration testing every three years, guided by the European Central Bank's TIBER-EU framework.
DORA also requires financial sector firms to include all third-party providers (TPPs) supporting critical functions in their advanced testing. If a TPP cannot participate, it can conduct its own TLPT. This collaborative approach is an evolving practice that demands industry-wide cooperation.
ICT third-party risk management: DORA's third-party risk management (TPRM) requirements are in alignment with the existing guidelines of the ESAs. However, DORA expands the scope to encompass non-cloud service provider (CSP) ICT outsourcing, going beyond the ESAs' focus on CSPs.
Under DORA, these TPRM requirements introduce specific contractual terms that financial firms must incorporate into their ICT outsourcing agreements by the end of Q4 2024. The fact that these terms become legally binding under DORA increases the pressure on financial sector firms to successfully negotiate these terms with their service providers. Notably, some of these terms – such as providing 'unrestricted access to premises' in contracts supporting critical functions – may present practical challenges.
DORA also encourages the development of a 'holistic multi-vendor strategy' within the ICT risk management framework. While this aspect is optional, supervisors still have tools at their disposal to encourage its adoption. Additionally, firms are now obliged to conduct concentration risk assessments for all outsourcing contracts supporting the delivery of critical functions. This task is not only challenging in itself but may also compel firms to consider multi-vendor strategies or establish resilient frameworks to demonstrate why an alternative approach is not required.
Oversight framework: The revised DORA largely retains the enhanced oversight authority of the ESAs as proposed in the original text. This means that TPPs designated as 'critical' (CTPPs) will be subject to extensive regulatory powers, allowing ESAs to:
- request security practice changes; and
- impose penalties when necessary.
As a result, CTPPs are compelled to demonstrate their capacity to enhance the resilience of their operations, particularly when critical or important functions of financial sector firms are involved.
The final version of DORA introduces several new safeguards regarding the ESAs' ability to instruct financial sector firms to suspend or terminate their contracts with CTPPs. This inclusion offers assurance that these powers will be invoked:
- only in exceptional circumstances; and
- with careful consideration of their sector-wide implications.
Furthermore, the revised DORA significantly augments the role of the Joint Oversight Forum (JOF), a collaborative body comprising:
- relevant authorities;
- supervisors; and
- independent experts.
The JOF will play an expanded role in shaping consistent best practices for overseeing CTPPs, potentially establishing a more defined standard for their expected level of resilience over time.
DORA and NIS 2: The European Commission Guidelines, published in the Official Journal of the European Union on 18 September 2023, address key concerns for entities determining their compliance obligations under NIS 2 and DORA, along with other sector-specific EU legal acts.
Article 4(1) of NIS 2 states that when sector-specific EU legal acts (eg, DORA, applicable in the financial sector) require essential or important entities to implement cybersecurity risk-management measures or report significant incidents equivalent in effect to NIS 2, the provisions of NIS 2 will not apply to such entities; instead, the sector-specific rules will take precedence. However, where sector-specific EU legal acts do not cover all entities in a specific sector, the relevant provisions of NIS 2 will apply to the entities that are not covered.
Additionally, Article 4(2)(a) of NIS 2 deems cybersecurity risk management measures mandated for essential or important entities under sector-specific EU legal acts equivalent in effect to the obligations in NIS 2 when they are at least as effective as those outlined in Articles 21(1) and (2) of NIS 2.
Until DORA takes effect, virtual currencies are still subject to a number of obligations with regard to cybersecurity. The European Banking Authority (EBA) has published several cybersecurity guidelines that must be observed, including guidelines on:
- internet payment security;
- the assessment of ICT risk; and
- security measures for operational and security risks under the Second Payment Services Directive.
At the national level, the MFSA has issued guidance on cybersecurity specifically in relation to virtual currencies. The Supervisory ICT Risk and Cybersecurity function of the MFSA is responsible for supervising licence holders in the areas of ICT risk and cybersecurity, in order to ensure digital operational resilience. Generally, applicants for licences are required by the MFSA to implement IT infrastructure which ensures that the master data is retained in Malta.
The virtual financial asset (VFA) rulebooks also require licensed entities to:
- establish and maintain an operational framework that includes cybersecurity considerations at all levels (eg, technical and organisational); and
- appoint a chief information security officer (CISO) tasked exclusively with promoting a corporate culture that encompasses an active approach to cybersecurity, cybersecurity education and training.
Each licensed entity is advised to establish a cybersecurity framework considering its specific set-up and the nature of its business. It should provide for the following, among other things:
- information and data security roles and responsibilities, including the designation of the CISO;
- a privileged access management policy;
- a sensitive data management policy;
- a threat management policy;
- security education and training;
- an ongoing monitoring policy;
- risk assessments, the frequency and extent of which should be determined by the entity;
- maintenance of audit trails to detect and respond to cybersecurity events;
- an incident response and recovery plan;
- a business continuity plan; and
- a security policy for third-party service providers.
Further, licensed entities should:
- carry out a self-assessment of the deployed cybersecurity architecture; and
- ensure that internal and external audits are carried out at regular intervals to ensure compliance.
The guidance also requires them to ensure that payment transactions are conducted in a secure manner by continuously monitoring and enforcing the use of controls specified in the relevant technical standards and guidelines (eg, the Payment Card Industry Data Security Standard, the Cryptocurrency Security Standard and the EBA guidelines on internet payment security).
Issuers of VFAs are advised to:
- conduct advanced ex ante analysis of possible threat agents and risk factors affecting their cybersecurity, specifically focusing on the identification of possible risks associated with the initial VFA offerings;
- perform checks vis-à-vis the cybersecurity requirements included in the white paper; and
- implement threat and attack mitigation tools (eg, kill-switch, safe mode, encryption).
Finally, regarding VFA service providers, the guidance sets out the specific cybersecurity requirements for each respective licence class:
- Class 1 licence holders should implement suitable cybersecurity architecture to safeguard the respective data held and defend against data breaches;
- Class 2 and Class 3 licence holders should establish adequate mitigation controls to safeguard clients' funds and consider several security risks regarding wallet creation (eg, geographical distribution of keys or multiple keys for signing); and
- Class 4 licence holders should, among other things, ensure that:
  - the back-up key is access controlled and encrypted;
  - keys are accessed securely (eg, with two-factor authentication set as a minimum, key management procedures and mitigation actions and a key compromise protocol); and
  - communication channels are authenticated.
However, once the Markets in Crypto-Assets Regulation and DORA are in full effect, the obligations of CASPs will be those set out in DORA, so firms are advised to perform gap analyses to ensure their compliance beforehand.
7 Financial crime
7.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for virtual currencies?
The inherent characteristics of virtual currencies (eg, anonymity of transactions) pose certain difficulties for virtual currency businesses in ensuring compliance with their obligations.
When it comes to anti-money laundering and combating the financing of terrorism, the EU Fifth Anti-Money Laundering Directive applies in Malta, together with local regulations such as:
- the Prevention of Money Laundering Act;
- the Prevention of Money Laundering and Funding of Terrorism Regulations (SL 373.01); and
- the regulatory framework for virtual financial assets (VFAs).
In addition, the Financial Action Task Force has made the so-called 'travel rule' applicable to nearly all virtual currency-related activities, including:
- payment providers; and
- arguably, decentralised applications and decentralised finance.
The travel rule requires that:
- customer due diligence be carried out for certain virtual currency transactions, including occasional transactions which are equivalent to or over $1,000 in value; and
- originator and beneficiary information on the parties to the transactions be retained.
The Travel Rule Regulation was passed together with the Market in Crypto-Assets Regulation in April 2023 and will become applicable to all crypto-asset service providers regulated in the European Union by December 2024.
Finally, further to the findings of police investigation units, the Financial Intelligence Analysis Unit under the Malta Financial Services Authority and the courts have the power to enforce the applicable rules and regulations.
8 Consumer protection
8.1 What consumer protection provisions apply to virtual currencies in your jurisdiction?
In general, the Malta Financial Services Authority is responsible for the regulation of the virtual currency sphere. In this respect, the regulatory framework for virtual financial assets (VFAs) addresses certain consumer protection issues.
However, consumer protection is addressed on a case-by-case basis when it comes to virtual currencies. In the case of initial VFA offerings, the VFA framework provides that the white paper must include a refund mechanism in case of failure. VFA exchanges must have a dedicated team that handles customer relations, including complaints and incident reporting.
Further, under the VFA Framework, virtual currency offerings, exchanges and service providers must comply with specific rules on the advertising of virtual currencies, which include a requirement to provide clear, consistent and accurate information and services in order to protect consumer interests.
8.2 What other implications could the mainstream adoption of virtual currencies have from a consumer perspective?
Among other things, the mainstream adoption of virtual currencies would:
- afford consumers greater access to financial services; and
- facilitate faster and higher-frequency transactions.
At the same time, if not regulated properly, mainstream adoption could also lead to increased fraud in the virtual currency industry.
9.1 Do virtual currencies present any specific challenges or concerns from a competition perspective?
Given the current state of the industry, which is still in its infancy, it is difficult to assess competition challenges. The market is highly competitive and is constantly evolving (eg, consider the competition between the biggest virtual currency exchanges). As the industry matures, we may expect to see companies that deal with virtual currencies trying to consolidate their market share, which could have potential competition law implications that will need to be addressed.
Competition issues will also largely depend on:
- whether the service provider or issuer is subject to regulatory approval; and
- the choice of jurisdiction from which to operate.
If a company is operating in a grey market where activities are not licensed, compliance and competition regulations will not apply. However, circumventing regulation could also work against a provider, as it may not be viewed as safe or reputable, and fiat on-ramps will be close to impossible to obtain. Competition issues will depend on:
- the types of activities conducted; and
- the types of clients/users in that market.
10.1 How are transactions in virtual currencies treated from a tax perspective in your jurisdiction?
Tax guidelines issued by the Malta Commissioner for Revenue deal with the income tax, value-added tax (VAT) and stamp duty treatment of transactions in virtual currencies. For tax purposes, tokens are divided into:
- financial tokens;
- utility tokens; and
- hybrid tokens.
In general, the treatment of virtual currencies depends on the classification under the tax guidelines. In this respect:
- the proceeds from token generation events such as initial coin offerings are not taxed;
- financial tokens, such as security tokens, issued in crypto or in fiat are treated as income;
- the tax treatment of the transfer of tokens depends on whether the transfer is a trading transaction or can be considered as a capital asset;
- trading profits are taxable under the standard tax regime (5% corporate tax for non-Maltese shareholders after the applicable exemptions), while capital gains are taxable only insofar as the token meets the definition of a 'security' set out in the Income Tax Act (eg, Bitcoin and Ethereum do not qualify as securities);
- security token offerings that are aimed at raising capital do not give rise to any VAT implications, as raising capital is not considered as the supply of goods or services; and
- virtual financial asset exchanges fall under the standard Maltese tax regime applicable to companies. For VAT purposes, the provision of a trading or exchange service against payment for a user transaction fee constitutes the supply of services for consideration, falling under the Maltese VAT regime, unless an exemption applies. Tax exemptions for trading/exchange platforms depend on the nature of the service being supplied. Relevant factors include whether the service being provided is purely technological.
11 Trends and predictions
11.1 How would you describe the current landscape and prevailing trends in your jurisdiction as regards virtual currencies? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?
In Malta and Europe, the landscape of virtual currencies and digital assets regulation will be completely transformed over the next three years.
To date, there has been a lot of fragmentation across Europe when it comes to cryptocurrency regulation, with most crypto-asset service providers (CASPs) regulated only under anti-money laundering legislation in most EU member states (except Malta and France, which have had comprehensive licensing regimes in place for a while now). The Market in Crypto-Assets Regulation must be transposed by all EU member states by June 2023. Regarding transitional periods:
- stablecoin issuers will need to obtain authorisation by June 2024; and
- CASPs will need to obtain authorisation by December 2024.
Once a CASP or issuer is authorised in one member state, it will be able to passport its service across all other EU member states. This will result in harmonisation of crypto-asset rules across all of Europe.
When it comes to the tokenisation of securities and securities market infrastructure players, EU Regulation 2022/858 – the Distributed Ledger Technology (DLT) Pilot Regime – came into force on 23 March 2023, allowing market infrastructure players to apply for authorisation to trade tokenised financial instruments on DLT platforms in accordance with the DLT Pilot Regime. In addition, the European Securities and Markets Authority recently issued its latest guidelines on applications for authorisation to manage market infrastructure based on DLT. This means that securities market infrastructure players will be able to legally leverage DLT to offer their products and services, which may result in a complete transformation of financial markets infrastructure as we know it.
12 Tips and traps
12.1 What are your top tips for virtual currency providers seeking to enter your jurisdiction and what potential sticking points would you highlight?
The Malta Financial Services Authority (MFSA) has an open-door policy and is very business friendly when it comes to crypto players interested in setting up shop in Malta.
The benefits include the following:
- Regulatory alignment: Malta is already nearly fully aligned with the Market in Crypto-Assets Regulation, so crypto-asset service providers will be grandfathered into the regulation;
- Tax optimisation: Malta offers an attractive effective tax rate of 5% on corporate profit tax if companies are owned by non-residents or by residents without domicile in Malta (after the relevant tax refunds); and
- EU membership and language: Malta forms part of the European Union and has English as one of its official languages.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.