1 Legal and enforcement framework

1.1 In broad terms, which legislative and regulatory provisions govern virtual currencies in your jurisdiction?

Malta has a harmonised legislative and regulatory ecosystem governing blockchain and virtual currencies. The regulatory framework is comprised of three main statutes:

  • the Virtual Financial Assets Act (‘VFA Act');
  • the Innovative Technology Arrangements and Services Act (ITASA), which provides for the registration of technology service providers and the certification of technology arrangements; and
  • the Malta Digital Innovation Authority Act, which provides for the establishment of the Malta Digital Innovation Authority (MDIA), tasked with certifying and auditing distributed ledger technology (DLT) and blockchain systems.

The VFA Act regulates tokens, virtual currencies and virtual currency exchanges (‘VFA exchanges') set up in Malta. In general, the VFA Act differentiates between four types of tokens:

  • Virtual tokens: More commonly known as ‘utility tokens', these can only be used within the DLT platform they are issued on and cannot be traded on secondary markets (so they are sort of closed loop utility tokens). They are exempt from regulation.
  • Electronic money tokens: These is e-money as we know it in tokenised form and includes stablecoins backed by fiat. If the token offers a claim against the issuer and is fully redeemable at par and backed by fiat currency, it will qualify as such; one needs to look at the specifics of the rights and obligations offered within the token.
  • Financial instruments or security tokens: These are financial instruments governed by the Markets in Financial Instruments Directive and the European Securities and Markets Authority. They include equity, bonds and commodities.
  • Virtual financial assets (VFAs): If by default the token does not classify as any of the above, it will be classified as a VFA token. Tokens such as Ethereum, BTC and BNB fall into this category.

The VFA Act only allows VFAs to be admitted on VFA exchanges, which must fulfil all requirements relating to anti-money laundering/counter-terrorist financing, consumer and investor protection, data protection and privacy.

1.2 In broad terms, which legislative and regulatory provisions govern entities that provide services relating to virtual currencies? Must they be registered or licensed by a regulatory authority?

Entities that provide services relating to virtual currencies (‘VFA services') must be registered and licensed by the Malta Financial Services Authority (MFSA) under the VFA Act, the relevant rules and guidelines, and the ITASA, as applicable. In this regard, the VFA Act governs the provision of VFA services that require licensing.

VFA services include:

  • the initial issuing of VFAs, otherwise known as the initial coin offering (ICO). Initial VFA offerings to the public can be done in or from Malta only if the conditions of the VFA Act are met. In this regard, the VFA Act requires an issuer:
    • to be a legal person duly formed in Malta; and
    • to register the whitepaper with the MFSA before the initial offering.
  • The VFA Act includes specific provisions on the context of the whitepaper, such as:
    • the purpose of the initial offering;
    • due diligence requirements;
    • liability due to losses from the initial offering; and
    • the appointment of a VFA agent (a specialised company that deals with virtual currency service providers);
  • the placing of VFAs – otherwise known as private ICO – that includes the marketing of newly issued VFAs which are already in issue but not admitted to trading on an exchange to specified persons, with no offer to the public;
  • the set-up and operation of a VFA exchange (crypto-exchange) in or from Malta. Among other requirements, VFA exchanges must be duly registered legal persons in Malta, which requires several key appointments, including:
    • a board of administrators;
    • a VFA agent;
    • a money-laundering reporting officer;
    • an accountant; and
    • an auditor.
  • To operate a VFA exchange in Malta, an entity must apply for a Class 4 license and meet stringent ongoing regulatory and compliance requirements; and
  • other VFA services, including:
    • receipt and transmission of orders;
    • execution of orders on behalf of other persons;
    • dealing on own account;
    • portfolio management;
    • custodian (wallet management) or nominee services;
    • investment advice; and
    • transfer of VFAs.

1.3 Which bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?

The MFSA plays the central role with respect to the licensing of virtual currencies. Among other things, it has the power to:

  • issue rules and guidelines under the VFA Act;
  • investigate and appoint an inspector to investigate VFA agents and VFA service providers;
  • access information on DLTs, VFA services and VFA assets at any time, and enter related premises;
  • protect the public interest and take measures necessary to achieve its goals, including the appointment of a person to assume control of the business of a licence holder;
  • suspend or revoke the licence of a VFA assets from trading;
  • remove a VFA asset from the exchange; and
  • issue penalties to licence holders for non-compliance.

Additionally, the Financial Intelligence Analysis Unit (FIAU), the Information and Data Protection Commissioner and the courts have the powers to enforce applicable rules and regulations.

1.4 What is the regulators' general approach to virtual currencies?

The MFSA takes an active role in enacting virtual currency laws, issuing fines and ensuring the overall stability of the industry, which maintains high entry standards. In general, the laws on virtual currencies establish a legal cooperation mechanism between authorities.

The MDIA, which is responsible for certifying and auditing DLTs and blockchain systems, cooperates with the MFSA in terms of registration of whitepapers and licensing of crypto asset service providers that use DLT and blockchain technology. This approach ensures the highest standards of consumer protection and security.

1.5 Has there been any notable enforcement action relating to virtual currencies?

Yes. The MFSA and the FIAU have been at the forefront of enforcing EU and local regulations applicable to virtual currencies. In 2021, crypto bank Paytah was fined €435,576 for various money-laundering breaches. The MFSA has twice issued a warning to crypto giant Binance, as it is not licensed to provide services in or from Malta. A plethora of other warnings and fines have been issued by the MFSA since the adoption of the regulatory regime for virtual currencies.

2 Definitions

2.1 How are ‘virtual currencies' defined in your jurisdiction? Have there been any judicial decisions which have helped to define virtual currencies or their interplay with the existing body of laws (eg, contracts law, property law)?

Virtual currencies in Malta are defined as ‘virtual financial assets' (VFAs). ‘VFAs' are further defined as any digital medium that is used as a digital medium of exchange unit or an account or store of value, but which is not electronic money, a financial instrument or a virtual token (eg, Bitcoin, Ether). Judicial decisions on virtual currencies in Malta primarily focus on fraud and licensing non-compliance. To date, there have been no judicial findings in relation to smart contract law or cryptocurrencies.

2.2 How are ‘initial coin offerings' and ‘security token offerings' defined in your jurisdiction?

‘Initial coin offerings' in Malta are defined as ‘initial VFA offerings' and include:

  • offering a VFA to the public in or from within Malta; and
  • applying for a virtual financial asset's admission to trading on a distributed ledger technology exchange.

‘Security token offerings' (STOs) in Malta are defined as traditional securities as set out in the second schedule of the Investment Services Act. STOs include instruments such as transferable securities, commodities, shares, money market instruments, units in collective investment schemes and bonds, whereby the rights and obligations of token holders are embedded in token form and transactions are recorded on the blockchain.

2.3 Are stablecoins treated as virtual currencies in your jurisdiction or do they fall under an existing category (eg, electronic money)?

Currently, Maltese legislation treats tokens backed by fiat (stablecoins), which exhibit similar characteristics to e-money, in the same way as e-money. E-money is subject (and the relevant token set-up will thus be subject) to e-money regulations such as the EU Second Electronic Money Directive and the Second Payment Services Directive. It may thus be necessary to apply for a financial institution licence. Notably, Stasis (which has ties to Malta) is a regulated e-money token which launched the first euro-backed stablecoin, EURS.

When evaluating whether a token qualifies as e-money, it is imperative to conduct a technical analysis of its management and custody function. Does the stablecoin offer a claim against the issuer? Is the token redeemable at par? If the answer to either of those questions is ‘no', the token may fall between the cracks of the regulatory regime. The reserve asset management function is another important aspect that the regulator will consider: what collateral or reserves does the token have or offer?

In this regard, the new EU Markets in Crypto-Assets Regulation (MiCA) makes the same points as the Maltese VFA framework in relation to stablecoins. Notably, MiCA aims to prohibit stablecoins from bearing interest, for the obvious reason that they present a direct threat to central bank-issued currency, as stablecoins would be more attractive if this prohibition were lifted. This is indirectly monopolising state-issued currency and indirectly restricting privately issued currency.

3 Virtual currencies market

3.1 Which virtual currencies have become most embedded in your jurisdiction? Does this vary depending on the specific use?

Ethereum and Bitcoin are the most embedded virtual currencies in Malta and are accepted by some merchants on the island. There is also interest in in security coins and non-fungible tokens in general; while other virtual currencies are used only within the crypto community.

3.2 What different products and services are offered?

Bitcoin and Ethereum are accepted as a means of payment for the purchase of goods and services by some merchants in Malta (eg, restaurants, hotels, co-working spaces, legal services, cars, insurance, e-commerce).

A few big players deal in cryptocurrencies or have blockchain-based products which are licensed or registered in Malta. These include VAIOT, Exante, Everest and crypto-giant Crypto.com.

We believe that Malta is one of the few jurisdictions in the world where it is possible to successfully obtain a licence for any cryptocurrency service. That said, any potentially interested player must have a decent budget to be able to cover all relevant fees and charges (eg, the Malta Financial Services Authority (MFSA) fees, systems audit fees, legal fees and capital requirements). Becoming regulated is not cheap, but it is a good investment, as it makes your project or platform more reliable. Besides the obvious benefits of regulation, having a licence is the best marketing tool for potential clients.

3.3 How are virtual currency service providers generally structured? How are they generally financed?

Virtual currency service providers are generally structured as limited liability companies, but it is also possible to opt for a foundation. Virtual currency service providers are usually financed through a mix of private equity, angel investors, venture capital and initial coin offerings.

3.4 Are virtual currency trading platforms subject to a specific regulatory regime in your jurisdiction? Must they be registered or licensed by a regulatory authority? Does this vary depending on whether the platform accepts legal currency or whether the platform is custodial? Are virtual currency trading platforms subject to any form of ‘market abuse' regulation?

Virtual currency trading platforms under the Maltese regulatory framework are known as virtual financial asset (VFA) exchanges. VFA exchanges are subject to a specific regulatory regime and must be registered and licensed under the VFA Act. VFA exchanges must apply for a Class 4 licence and fulfil several requirements, including:

  • being a legal person incorporated in Malta;
  • appointing an approved VFA agent and applying for the licence through the VFA agent;
  • conducting the financial instrument test;
  • appointing a money-laundering reporting officer; and
  • complying with all relevant regulations under the VFA Act and the accompanying laws and rules.

The Maltese legal framework requires the segregation of all licensed activities; thus, no other licensed activity may be carried out by the same entity. This is especially relevant when offering services under both the VFA Act and the financial services laws. This segregation aims to:

  • facilitate stronger investor protection;
  • protect investors from market abuse; and
  • combat money laundering and terrorist financing.

Finally, the Maltese legal framework requires that exchanges:

  • have in place systems that can effectively detect possible market abuse; and
  • report any potential market abuses to the MFSA, including market manipulation, unlawful disclosure of information or insider dealing.

4 Crossover with banking

4.1 How are virtual currencies positioned within the broader banking landscape in your jurisdiction?

Traditional banks both in Europe and in Malta have been very slow to adapt to new technologies, including virtual currencies such as Bitcoin. Often, this presents obstacles for blockchain businesses. However, the island is nonetheless popular with fintech banks that have set up shop, such as Revolut. Maltese Agribank is another popular institution that deals with virtual currencies. Payment platform crypto.com is the first firm to have been granted an electronic money institution licence, allowing it to issue payment cards and offer customers direct bank transfers. Finally, Founders Bank – a project between Binance and Polychain – is applying for an EU banking licence. Swiss banks are also happy to service Maltese regulated entities. The adoption of virtual currencies by banks in Malta is thus promising.

4.2 What impact could mainstream adoption of virtual currencies have on the ability to control inflation in your jurisdiction?

Due to the rise and threat of stablecoins, central banks all over the world – including the European Central Bank (ECB) – are working towards the creation of central bank digital coins (CBDCs). CBDCs are central bank-issued money as we know it today, still subject to all relevant monetary policies relating to inflation and interest rates, but in token form, running on distributed ledger technology. Stablecoins, on the other hand, are fiat or asset-backed tokens which satisfy the three characteristics needed to be used as money (ie, medium of exchange, unit of account, stable store of value), but which are not subject to the same monetary policies, and which could thus drive up inflation.

This is why the EU Markets in Crypto-Assets Regulation (MiCA) – which is expected to come into force in 2024 – aims to prohibit interest-bearing stablecoins. Stablecoins (fiat-backed tokens issued by a private issuer which allow users to generate passive income) will obviously be more attractive than CBDCs (state-owned and regulated money on which interest is charged). This will be the case even if stablecoin issuers adhere to all relevant regulatory requirements. This could drive such stablecoin issuers outside of the Eurozone.

Malta's financial industry is subject to EU regulations. It is evident that the ECB does not consider virtual coins such as stablecoins as instruments that could fulfil public interest objectives such as inflation control.

In this respect, the Maltese Central Bank will need to follow the ECB's lead with regard to the adoption or implementation of CBDCs vis-à-vis the euro. This would be reflected and impacted by normal monetary policies.

Virtual financial assets such as BTC and ETH (which do not offer a stable store of value) are not regulated in the same way that stablecoins will be regulated, because they do not offer a stable store of value and thus lack the third component to qualify as ‘money' or a ‘currency'. In terms of how this might affect inflation, it is only in countries such as El Salvador – where President Nayib Bukele decided to make Bitcoin legal tender – that inflation may be affected.

4.3 What other implications could the mainstream adoption of virtual currencies have for the banking system in your jurisdiction (eg, with respect to payment services)?

If the proposals for the regulation of crypto-assets and relevant transfers at the EU level are adopted (see question 4.2), this may create the necessary incentives for traditional banking to adopt virtual currencies alongside fiat currencies for standard banking transactions, or to work with crypto-asset service providers.

Once there is greater legal certainty and less fragmentation in the markets, banks may relax and become less risk averse towards cryptocurrencies. The market is also maturing, so we are seeing more crypto insurance providers, automated anti-money laundering tools for crypto and more tools which enhance traceability (eg, chain analysis).

Some large banks (eg, JP Morgan) have already created their own coins/tokens, embracing the technology, leveraging its benefits and gaining first-mover advantage. However, most do not yet understand the technology and therefore fear it. Some banks are also required to comply with the agendas of corresponding banks and the ECB, and thus have little say in terms of risk appetite. Meanwhile, the biggest card issuers in the world – Visa and Mastercard – appear to be more open to cryptocurrencies, issuing cards for Crypto.com, Binance and Wirex, and partnering up with payment giant PayPal. Therefore, although limited, the fiat gateway through these fintech companies is now open, which is a major step forward.

4.4 Regarding decentralised finance, do the banking regulations in your jurisdiction apply to loans of virtual currencies or interest-bearing deposits of virtual currencies? Does this vary depending on whether stablecoins are loaned or deposited?

The regulation of deposit taking, lending and borrowing activities in relation to virtual financial assets (VFAs) will depend on the type of virtual financial asset. It is not yet certain whether the Maltese VFA regulations regulate borrowing and lending. However, if a platform deals in lending and borrowing of fiat-backed stablecoins and thus requires a financial services licence, its activities will be akin to those of a bank.

When MiCA comes into force, lending and borrowing platforms such as Aave and Compound will most likely qualify as traditional banking institutions in Malta, since they deal in lending and borrowing. These activities may also involve the receipt and transmission of orders, and the transfer and custody of VFAs, which are currently regulated activities under the VFA Act. Depending on the activity and business model of the platform offering borrowing and lending, and the type of virtual asset (specifically, where fiat-backed tokens qualify as e-money), the entity may require a banking licence.

As outlined in question 4.2, once adopted, the proposed MiCA will prohibit stablecoins from bearing interest.

Decentralised finance (DeFi) is currently the Wild West, as there is either no regulation or significant legal uncertainty in most countries around the world. Many of the biggest DeFi platforms are based in the United States, where the regulations are severely fragmented due to federal law. Furthermore, many states have not yet taken a stance on how DeFi activities should be regulated. It is thus very easy for a service provider to set up shop without needing to obtain any regulatory approval, since many jurisdictions are ‘grey markets'. It is for this reason that 75% of crypto-related hacks are from DeFi platforms.

5 Technology

5.1 Is blockchain technology in itself regulated in your jurisdiction and what specific legal issues are associated with its use?

Yes. The Innovative Technology Arrangements and Services Act (ITASA), enacted in 2018, established a certification framework for innovative technology arrangements and services (ITAS). ITAS include:

  • software and architecture that are used in designing various blockchain or distributed ledger technology (DLT) systems;
  • smart contracts; and
  • other related systems that may pose risk to life or lead to a significant asset loss or damage, or significant damage to the environment.

In general, ITAS are certified on a voluntary basis; although the competent authority may require certain ITAS to go through the certification process to ensure the quality of the system. Generally, ITAS that are certified will be permitted to operate in or from Malta upon the registration of a systems audit report, conducted in Malta by an appointed and registered systems auditor.

Usually, the decentralised and transparent nature of blockchain solutions creates legal problems ranging from data protection and confidentiality to contractual issues in case of blockchain-based smart contracts and the development of artificial intelligence (AI) and its impact on blockchains and DLT. However, the Maltese legal ecosystem has already addressed some of these issues. For instance, the ITASA requires an in-built technological feature enabling a technical administrator to intervene in case of material breach. The ITAS itself must also specify that any claims will be subject to the jurisdiction of the Maltese courts.

Lastly, the Maltese framework encompasses a technological sandbox which provides a safe environment in which to develop ITAS based on blockchain and/or AI deployed in critical environments, to ensure that such solutions are in line with recognised standards.

5.2 What other implications could the mainstream adoption of virtual currencies have from a technological perspective?

Some potential positive implications include:

  • the need for the development of underlying technical infrastructure that would allow interoperability between current virtual currencies and traditional banking systems;
  • the need to address scalability; and
  • cybersecurity issues.

Notably, in terms of sustainability, with the EU Green Deal in mind, any underlying virtual currency technologies will be expected to incorporate cutting-edge clean energy technological innovation (eg, mining using solar).

The decentralised finance (DeFi) community is working on some very advanced technological solutions such as the concept of bridging (mBridge platform and project) and cross-chain interoperability. Another issue which must be addressed is customer and human interactivity and the usability of DeFi. Many aspects of DeFi are too complex for users who lack a certain amount of technical knowledge and understanding. For example, many users are not aware that certain cryptocurrencies run on certain networks/chains and end up losing money when transferring to different chains. This is why the community is now building cross-chain/multi-party solutions. Some new blockchain solutions, such as Algorand and Avalanche, are addressing these issues.

Furthermore, cybersecurity is inexorably on the rise. This could be directly correlated to the lack of regulation combined with a lack of user understanding (eg, especially when it comes to non-custodial wallets). Clearer regulation will strengthen confidence in the market through greater protection and the proliferation of regulated players such as custodians and insurance companies.

6 Data security and cybersecurity

6.1 What is the applicable data protection regime in your jurisdiction and what specific implications does this have for virtual currencies?

The applicable data protection regime in Malta is the EU General Data Protection Regulation (GDPR). The GDPR sets out specific requirements on the protection of personal data. In this respect, virtual currency service providers must comply with the requirements of the GDPR, which may include:

  • the carrying out of a data protection impact assessment (DPIA); and
  • the incorporation of technical and organisational methods – otherwise known as data protection by design and by default – both in the structure of the organisation and in the technical solution itself, to secure personal data from breaches.

Virtual currency service providers should also be aware of ongoing issues related to the use of blockchain and the GDPR (eg, the right to be forgotten), and thus ensure that their technical solutions do not deny the rights of users enshrined in the GDPR. The Malta Financial Services Authority (MFSA) has also issued specific cybersecurity guidance for virtual currency providers which includes certain provisions on data protection.

6.2 What is the applicable cybersecurity regime in your jurisdiction and what specific implications does this have for virtual currencies?

The applicable cybersecurity regime is based on the European cybersecurity legislation and includes the transposed Network and Information Security Directive (LN 216/2018) (NIS), as well as EU Regulation 2019/881, which is directly applicable to Malta and is known as the Cybersecurity Act. The Cybersecurity Act establishes common cybersecurity certification at the EU level, while the NIS aims to ensure a high common level of security of networks and information systems across the European Union. Other transposed EU regulations include:

  • the GDPR, which ensures the protection of personal data;
  • the Payment Services Directive (EU) 2016/679;
  • the Payment Services Directive 2015/2366 (EU) (PSD2); and
  • Regulation 1093/2010 (EU) regarding the European Banking Authority.

As virtual currencies are essentially financial instruments, the European Banking Authority (EBA) has published several cybersecurity guidelines that must be observed, including:

  • guidelines on internet payment security;
  • guidelines on the assessment of information and communication technology (ICT) risk; and
  • guidelines on security measures for operational and security risks under the Second Payment Services Directive.

At the national level, the MFSA has issued guidance on cybersecurity specifically in relation to virtual currencies. The Supervisory ICT Risk and Cybersecurity function of the MFSA is responsible for supervising licence holders in the areas of ICT risk and cybersecurity, in order to ensure digital operational resilience. Generally, applicants for licences are required by the MFSA to implement IT infrastructure which ensures that the master data is retained in Malta. The virtual financial asset (VFA) rulebooks also require licensed entities:

  • to establish and maintain an operational framework that includes cybersecurity considerations at all levels (eg, technical and organisational); and
  • appoint a chief information security officer (CISO) tasked exclusively with promoting a corporate culture that encompasses an active approach to cybersecurity, cybersecurity education and training.

Each licensed entity is advised to establish a cybersecurity framework considering its specific set-up and the nature of its business. It should provide for the following, among other things:

  • information and data security roles and responsibilities, including the designation of the CISO;
  • a privileged access management policy;
  • a sensitive data management policy;
  • a threat management policy;
  • security education and training;
  • an ongoing monitoring policy;
  • risk assessments, the frequency and extent of which should be determined by the entity;
  • maintenance of audit trails to detect and respond to cybersecurity events;
  • an incident response and recovery plan;
  • a business continuity plan; and
  • a security policy for third-party service providers.

Further, licensed entities should carry out a self-assessment of the deployed cybersecurity architecture and ensure that internal and external audits are carried out at regular intervals to ensure compliance. The guidance also requires them to ensure that payment transactions are conducted in a secure manner by continuously monitoring and enforcing the use of controls specified in the relevant technical standards and guidelines (eg, the Payment Card Industry Data Security Standard, the Cryptocurrency Security Standard and the EBA guidelines on internet payment security).

Issuers of VFAs are advised to:

  • conduct advanced ex ante analysis of possible threat agents and risk factors affecting their cybersecurity, specifically focusing on the identification of possible risks associated with the initial VFA offerings;
  • perform checks vis-à-vis the cybersecurity requirements included in the whitepaper; and
  • implement threat and attack mitigation tools (eg, kill-switch, safe mode, encryption).

Finally, regarding VFA service providers, the guidance sets out the specific cybersecurity requirements for each respective licence class:

  • Class 1 licence holders should implement suitable cybersecurity architecture to safeguard the respective data held and defend against data breaches;
  • Class 2 and Class 3 licence holders should establish adequate mitigation controls to safeguard clients' funds and consider several security risks regarding wallet creation (eg, geographical distribution of keys or multiple keys for signing); and
  • Class 4 licence holders should, among other things, ensure that:
    • the back-up key is access controlled and encrypted;
    • keys are accessed securely (eg, with two-factor authentication set as a minimum, key management procedures and mitigation actions, and a key compromise protocol); and
    • ensure authenticated communication channels.

7 Financial crime

7.1 What provisions govern money laundering and other forms of financial crime in your jurisdiction and what specific implications do these have for virtual currencies?

The inherent characteristics of virtual currencies (eg, anonymity of transactions) pose difficulties for virtual currency businesses in ensuring compliance with their obligations. When it comes to anti-money laundering and combating financing terrorism (AML/CFT), the EU Fifth Anti-money Laundering Directive applies in Malta, together with local regulations such as:

  • the Prevention of Money Laundering Act;
  • the Prevention of Money Laundering and Funding of Terrorism Regulations (SL 373.01) (PMLFTR); and
  • the regulatory framework for virtual financial assets (VFAs).

These laws set out a plethora of rules to ensure a high level of compliance in the industry. In this regard, all virtual currency issuers and service providers fall under the definition of a ‘subject person' under the PMLFTR and are thus required to ensure compliance with the applicable rules.

In this regard, the VFA Act requires, among other things, the appointment of a VFA agent by those dealing with virtual currencies – a specialised agent who serves as a first line of defence in assessing AML/CFT requirements. Further, the VFA Act sets out the minimum transparency requirements for initial VFA offerings and licence holders. With regard to the use of blockchain and distributed ledger technology in virtual currencies, Innovative Technology Arrangements and Services Act certification requires the establishment of a forensic node in the system to facilitate AML/CFT compliance, providing a data trail of the system's activities.

Under the PMLFTR, subject persons are required, among other things, to:

  • establish systems to prevent, detect and disclose financial crimes (eg, money laundering);
  • implement robust know your customer onboarding procedures to verify customers' identities and the source of funds; and
  • collect relevant customer due diligence information depending on the risk level of the customer (low to high).

Also, those dealing with virtual currencies must:

  • have a system in place which allows for the continuous monitoring of transactions;
  • file a suspicious transaction report in case of suspicious activities; and
  • keep records accordingly.

The Financial Action Task Force has made the so-called ‘travel tule' applicable to nearly all virtual currency-related activities, including issuers, exchanges, payment providers and, arguably, decentralised applications and decentralised finance. The travel rule requires that:

  • customer due diligence be carried out for certain virtual currency transactions, including occasional transactions which are equivalent to or over $1,000 in value; and
  • originator and beneficiary information on the parties to the transactions be retained.

Finally, further to the findings of police investigation units, the Financial Intelligence Analysis Unit under the Malta Financial Services Authority and the courts have the power to enforce the applicable rules and regulations.

8 Consumer protection

8.1 What consumer protection provisions apply to virtual currencies in your jurisdiction?

In general, the Malta Financial Services Authority is responsible for the regulation of the virtual currency sphere. In this respect, the regulatory framework for virtual financial assets (VFAs) addresses certain consumer protection issues.

However, consumer protection is addressed on a case-by-case basis when it comes to virtual currencies. In case of initial VFA offerings, the VFA framework provides that the whitepaper must include a refund mechanism in case of failure. VFA exchanges must have a dedicated team that handles customer relations, including complaints and incident reporting.

Further, under the VFA framework, virtual currency offerings, exchanges and service providers must comply with specific rules on the advertising of virtual currencies, which includes a requirement to provide clear, consistent and accurate information and services in order to protect consumer interests.

8.2 What other implications could the mainstream adoption of virtual currencies have from a consumer perspective?

There are many. Among other things, the mainstream adoption of virtual currencies would:

  • afford consumers greater access to financial services; and
  • facilitate faster and higher-frequency transactions.

At the same time, if not regulated properly, mainstream adoption could also lead to increased fraud in the virtual currency industry.

9 Competition

9.1 Do virtual currencies present any specific challenges or concerns from a competition perspective?

Given the current state of the industry, which is still in its infancy, it is difficult to assess competition challenges. The market is highly competitive and is constantly evolving (eg, consider the competition between the biggest virtual currency exchanges). As the industry matures, we may expect to see companies that deal with virtual currencies trying to consolidate their market share, which could have potential competition law implications that will need to be addressed.

Competition issues will also largely depend on:

  • whether the service provider or issuer is subject to regulatory approval; and
  • their choice of jurisdiction from which to operate.

If a company is operating in a grey market where activities are not licensed, compliance and competition regulations will not apply. However, circumventing regulation could also work against a provider, as it may not be viewed as safe or reputable and fiat on ramp will be close to impossible. Competition issues will depend on the type of activity conducted and the types of clients/users in that market.

10 Taxation

10.1 How are transactions in virtual currencies treated from a tax perspective in your jurisdiction?

Tax guidelines issued by the Malta commissioner for revenue deal with the income tax, value added tax (VAT) and stamp duty treatment of transactions in virtual currencies. For tax purposes, tokens are divided into:

  • financial tokens;
  • utility tokens; and
  • hybrid tokens.

In general, the treatment of virtual currencies depends on the classification under the tax guidelines. In this respect:

  • the proceeds from token generation events such as initial coin offerings are not taxed;
  • financial tokens, such as security tokens, issued in crypto or in fiat are treated as income;
  • the tax treatment of the transfer of tokens depends on whether the transfer is a trading transaction or can be considered as a capital asset;
  • trading profits are taxable under the standard tax regime, while capital gains are taxable only insofar as the token meets the definition of a ‘security' set out in the Income Tax Act (eg, Bitcoin and Ethereum do not qualify as securities);
  • security token offerings that are aimed at raising capital do not give rise to any VAT implications, as raising capital is not considered as the supply of goods or services; and
  • virtual financial asset exchanges fall under the standard Maltese tax regime applicable to companies. For VAT purposes, the provision of a trading or exchange service against payment for a user transaction fee constitutes the supply of services for consideration, falling under the Maltese VAT regime, unless an exemption applies. Tax exemptions for trading/exchange platforms depend on the nature of the service being supplied. Relevant factors include whether the service being provided is purely technological.

11 Trends and predictions

11.1 How would you describe the current landscape and prevailing trends in your jurisdiction as regards virtual currencies? Are any new developments anticipated in the next 12 months, including any proposed legislative reforms?

The current landscape as regards virtual currencies is expanding from the simple issue and exchange of virtual currencies to the application of blockchain and distributed ledger technology in all types of industries, including traditional banking, gaming and healthcare. We also expect to see the development of artificial intelligence technologies alongside blockchain and a mixture of both, due to the technological and regulatory sandboxes available in Malta.

Non-fungible tokens (NFTs) are evidently on the rise; however, to date it would appear that they will be exempt from the EU Markets in Crypto-Assets Regulation (MiCA), as MICA exempts ‘non-fungible tokens' from the regulation. That said, this will depend on how the NFT is structured and what it represents. If the NFT offers a ratio of 1:1 and does not represent some financial instrument, then as things currently stand it would be exempt from MiCA. However, if the NFT is divided into fractional ownership providing returns or represents a financial instrument, it would be classified as a security. MiCA was drafted before NFTs took off and is subject to change. It is impossible for regulators to keep up!

NFTs and cryptocurrencies now play a large part in gaming and the metaverse. These new worlds, concepts and creations are converging in a new space which many have coined ‘Web 3'.

The regulation of virtual currencies has thus far relied extensively on traditional financial markets regulations, which have proved insufficient to address issues stemming from technologies such as blockchain. The Maltese regulatory regime has sought to address some of the issues; but it is clear that there is a need for more sensible regulation (eg, issues relating to the travel rule (see question 7.1)) that does not stifle innovation.

Finally, at the regulatory level, we expect the proposed MiCA to be adopted in 2024, which will have a direct effect on the Maltese regulatory framework. That, said, for entities established in Malta, the transition to the new regulatory regime would be easier, as the Maltese framework already covers a substantial number of the new requirements proposed in MiCA.

12 Tips and traps

12.1 What are your top tips for virtual currency providers seeking to enter your jurisdiction and what potential sticking points would you highlight?

  • Do not underestimate the importance of regulatory compliance – it can facilitate the more mainstream adoption of virtual currencies.
  • Following from the above point, becoming regulated is not cheap. Fees include legal and systems audit costs, and the regulator's fee. One should think of regulation as a smart investment for long-term operation in the crypto space. The true pioneers have opted for the regulatory route. If you want a good reputation and need certain partners (eg, banks and insurers), regulation is essential.
  • Ensure that you have technological solutions in place that mitigate risk relating to privacy and data protection, and that ensure cybersecurity. As the regulatory process involves a systems audit, ensuring compliance with cybersecurity requirements is key.
  • In Malta, it is possible to communicate directly with the relevant authorities and obtain confirmations, tax rulings and letters from them on specific business cases before commencing operations. It will thus be clear whether your business activities fall within or outside any licensing regime.
  • Another benefit of choosing Malta as a jurisdiction is that it offers the lowest corporate tax rate in Europe.
  • Malta's regulatory framework for virtual financial assets is very similar to the new EU Markets in Crypto-Assets Regulation (MiCA). Therefore, when MiCA comes into force, any firm which is regulated in Malta will be way ahead competitors regulated in jurisdictions whose laws are not closely modelled on MiCA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.