What are the MFSA’s latest Fintech and Cybersecurity updates?

Staying updated with regulatory changes is crucial for industry stakeholders. Joeline Barbara provides an insightful overview of the latest updates from the Malta Financial Services Authority (MFSA). Covering the period from March to June, the MFSA’s updates include significant amendments to the Virtual Financial Assets (VFA) Act in preparation for the Markets in Crypto-Assets (MiCA) Regulation and the integration of the Digital Operational Resilience Act (DORA). These updates introduce new classifications for financial institutions and VFA entities, redefine the roles of VFA agents, and launch applications for asset-referenced tokens. Additionally, the MFSA emphasizes the importance of ICT risk management and robust cybersecurity practices within the financial sector.

Digital Finance: FinTech and Innovation Circulars

March 1, 2024: Establishing and Classifying the Organisation Size of Financial Institutions

In light of new European Union legislation, specifically Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector, the MFSA will begin collecting data on the organisational size classification of applicants and existing Authorized Persons. Financial institutions must classify their organization size as one of the following:

  • Microenterprise
  • Small Enterprise
  • Medium-sized Enterprise
  • Non-SME

Guidance for classification will follow Commission Recommendation 2003/361/EC and additional material from the European Commission, including the User Guide to the SME Definition and the SME Self-Assessment Questionnaire.

Process

Financial institutions are required to update their Corporate Profile on the Licence Holder Portal by selecting the appropriate SME classification and uploading a matching Self-Declaration form. The MFSA will not validate or approve this information but reserves the right to verify it at any time.

Impact

Prospective applicants must classify their organisation size as part of the authorization process. The MFSA will update relevant authorisation materials to include the self-declaration form.

Deadline

Financial institutions must update their Corporate Profile by 31 March 2024.

Digital Finance: FinTech and Innovation Circulars

April 1, 2024: Establishing and Classifying the Organisation Size of Entities Within the Virtual Financial Assets Framework

In response to new European Union legislation, such as Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector, the MFSA will start collecting data on the organizational size classification of applicants and existing Authorized Persons within the VFA Framework. Entities must classify their organization size as one of the following:

  • Microenterprise
  • Small Enterprise
  • Medium-sized Enterprise
  • Non-SME

Classification will follow Commission Recommendation 2003/361/EC and additional guidance from the European Commission, including the User Guide to the SME Definition and the SME Self-Assessment Questionnaire.

Process

Entities within the VFA Framework must update their Corporate Profile on the Licence Holder Portal by selecting the appropriate SME classification and uploading a matching self-declaration form. The MFSA will not validate or approve this information but reserves the right to verify it at any time.

Impact

Prospective applicants must classify their organization size as part of the authorization process. The MFSA will update relevant authorization materials to include the self-declaration form.

Deadline

Entities within the VFA Framework must update their Corporate Profile by 30 April 2024.

Digital Finance: FinTech and Innovation Circulars

April 18, 2024: Circular in Relation to Amendments to the Virtual Financial Assets Act in Preparation for the Markets in Crypto-Assets Regulation

The Markets in Crypto-Assets (MiCA) Regulation, which came into force in June 2023, will become applicable to issuers of asset-referenced tokens (ARTs) and electronic money tokens (EMTs) on June 30, 2024, and to crypto-asset service providers on December 30, 2024. To align with MiCA, the MFSA published amendments to the VFA Act through Act No. XIV of 2024 on April 17, 2024.

Key Amendments

  1. Removal of VFA Agent Role:

The VFA Agent’s responsibilities in the application process and ongoing requirements for Issuers will now be directly assigned to Virtual Financial Asset Service Providers (VFASPs) and Issuers of Virtual Financial Assets (VFAs).

Transitional provisions include:

  • VFA Agents who submitted an application or requested whitepaper registration before the amendment’s effective date can continue offering services for that application until a decision is made or within three months, whichever is earlier. VFA Agents must submit a VFA Deregistration Form within three months.
  • Applicants who submitted applications under Article 14 of the VFA Act before the amendment’s effective date must notify the competent authority within one month whether they wish to proceed with their application, or it will be presumed withdrawn.

  2. MiCA Transitory Provisions:

  • Carve-out of EMTs and ARTs: EMTs and ARTs will no longer fall under the definition of a VFA or DLT Asset as they will be regulated under MiCA from June 30, 2024.
  • New Applications: Those wishing to submit applications for VFA services must do so by August 1, 2024. These applicants will be considered under the existing Article 14 of the VFA Act.

Digital Finance: FinTech and Innovation Circulars

June 26, 2024: Publication of Applications for Issuers of Asset-Referenced Token

MiCA Regulation, effective since June 2023, will apply to issuers of ARTs from June 30, 2024. The Malta Financial Services Authority (MFSA) has introduced a new application form for individuals and entities wishing to offer ARTs to the public or admit them to trading in Malta, seeking authorization under Article 18 of the MiCA Regulation.

Prospective applicants should consult the MFSA’s Authorisations Process Service Charter, which details the application process stages and the Authority’s expectations.

Supervisory ICT Risk and Cybersecurity Circulars

March 26, 2024: Update on the Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements

In December 2020, the MFSA issued a principle-based, cross-sectoral Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements. This Guidance Document is based on guidelines from European Supervisory Authorities (ESAs).

Since then, significant legislative changes have occurred, notably the adoption of Regulation (EU) 2022/2554 (the DORA Regulation), as detailed in the Authority’s January 2023 circular. The DORA Regulation, effective from January 17, 2025, sets cross-sectoral standards for digital operational resilience but excludes certain sectors and financial entities per Article 2.

Applicability of the Guidance Document:

  • As of January 17, 2025, the Guidance Document will no longer apply to Authorized Persons covered by the DORA Regulation.
  • It will continue to apply to Authorized Persons not covered by the DORA Regulation, as listed in Annex 1 of the Circular.

Annex 1 – Updated Applicability and Scope of the Guidance Document as of 17 January 2025

  • Trustees and other Fiduciaries.
  • Company Service Providers.
  • Professional Investor Funds (‘PIFs’), including self-managed PIFs.
  • Investment Service Providers that are Custodians and Depositories.
  • Recognized Fund Administrators.
  • Managers of alternative investment funds as referred to in Article 3(2) of Directive 2011/61/EU (‘De Minimis alternative investment fund managers’).
  • Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises.
  • Institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total.
  • Insurance and reinsurance undertakings as referred to in Article 4 of Directive 2009/138/EC.
  • Personal Retirement Schemes and Administrators of Personal Retirement Schemes.
  • Financial Institutions that solely provide activities of the first schedule of the Financial Institutions Act (Cap. 376 of the Laws of Malta).
  • Authorised Credit Servicers in terms of the Credit Services and Credit Purchasers Act.

Supervisory ICT Risk and Cybersecurity Circulars

April 16, 2024: Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector: ‘Dry-Run’ 2024 ad hoc Exercise on the Data Collection of Registers of Information

This circular builds upon the MFSA’s January 2023 circular titled Regulation (EU) 2022/2554 and Amending Directive (EU) 2022/2556 on Digital Operational Resilience for the Financial Sector published on the EU Official Journal. The DORA Regulation requires financial entities to maintain a Register of Information (RoI) detailing all arrangements with ICT Third-Party Service Providers (ICT TPPs). Entities must provide this RoI, or parts of it, to the competent authority upon request.

The RoI helps financial entities monitor ICT TPP risks and assists European Supervisory Authorities (ESAs) in designating Critical ICT TPPs for EU-level oversight. The RoI will be standardised by an Implementing Technical Standard template. The latest draft version of this standard template can be found in the Final Report on Draft Implementing Technical Standards on the standard templates for the purposes of the register of information in relation to all contractual arrangements on the use of ICT services provided by ICT third-party service providers under Article 28(9) of Regulation (EU) 2022/2554.

To support industry preparations, the ESAs and MFSA will conduct a voluntary ‘dry run’ data collection exercise in mid-2024. This Preparatory Exercise aims to help financial entities establish, maintain, and report RoIs, test reporting processes, address data quality issues, and improve internal procedures.

Supervisory ICT Risk and Cybersecurity Circulars

April 26, 2024: ESAs Joint Committee Public Consultation on the Harmonisation of Conditions Enabling the Conduct of the Oversight Activities under Article 41(1) Point (c) of Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector

This circular updates the January 2023 circular Regulation (EU) 2022/2554 and Amending Directive (EU) 2022/2556 on Digital Operational Resilience for the Financial Sector published on the EU Official Journal.

  • Technical Standards Development:

The first set of Technical Standards, due January 2024, was open for public consultation from June to September 2023.

The second set, due July 2024, was open for public consultation from December 2023 to March 2024.

  • Current Consultation:

The European Supervisory Authorities (ESAs) are now consulting on a draft Regulatory Technical Standard (RTS) to harmonise oversight activities under Article 41(2)(c) of the Regulation. This RTS focuses on the composition of joint examination teams for the Oversight Framework established under Chapter V Section II.

Supervisory ICT Risk and Cybersecurity Circulars

April 30, 2024: Information Sharing Arrangements under Regulation (EU) 2022/2554 on Digital Operational Resilience for the Financial Sector

This circular updates the January 2023 circular Regulation (EU) 2022/2554 and Amending Directive (EU) 2022/2556 on Digital Operational Resilience for the Financial Sector published on the EU Official Journal.

Chapter VI Information-Sharing Arrangements (Article 45) of the DORA Regulation

Obligations and Implementation:

  • Notification Requirement: Authorised Persons within scope of the DORA Regulation must notify competent authorities of their voluntary participation in Information-Sharing Arrangements. This becomes mandatory on 17 January 2025.
  • Purpose: These arrangements facilitate the exchange of cyber threat information and intelligence, including indicators of compromise, tactics, techniques, and procedures, cybersecurity alerts, and configuration tools.

Notification Process:

  • Voluntary Notification: Effective 25 April 2024, Authorised Persons may voluntarily notify the MFSA of their participation or cessation in an Information-Sharing Arrangement upon membership validation.
  • Mandatory Notification: From 17 January 2025, notifying participation becomes mandatory for Authorised Persons within scope, while remaining voluntary for others.

Resources Provided:

  1. Information-Sharing Arrangements Notification Process: Detailed process for notifying participation or cessation.
  2. Information-Sharing Arrangements Notification Form: Form for Authorised Persons to notify the MFSA about their Information-Sharing Arrangement status.

These resources are available on the MFSA website under “Our Work > Supervisory ICT Risk and Cybersecurity.”

Supervisory ICT Risk and Cybersecurity Circulars

June 18, 2024: The Supervisory ICT Risk and Cybersecurity (‘SIRC’) Function’s Contact Points

This circular summarises the contact points of the Supervisory ICT Risk & Cybersecurity (‘SIRC’) Function within the MFSA and the purpose/s of each contact point:

Electronic Mail

  1. mirt@mfsa.mt – to be used for correspondence related to: reporting of Major ICT Related Incidents; notification of Significant Cyber Threats; and participation in Information-sharing Arrangements; as defined by Regulation (EU) 2022/2554 on digital operational resilience (the DORA Regulation), as well as any underlying information systems used for these processes.
  2. roi@mfsa.mt – to be used for correspondence related to the Register of Information (RoI) as defined by the DORA Regulation, as well as any underlying information systems used for this process.
  3. tlpt@mfsa.mt – to be used for correspondence related to Threat-Led Penetration Testing (TLPT) as defined by the DORA Regulation.
  4. sirc@mfsa.com – this is the generic electronic mailbox of the SIRC function and is to be used for any other correspondence not related to 1, 2 or 3 above. This contact point should be used, for instance, for correspondence related to ongoing supervision and legislation and policy management.

Telephone Number

The SIRC Function can be reached via telephone, by dialing (+356) 2548 5260.

Concluding Remarks

As we navigate the intricate landscape of financial technology and cybersecurity, staying informed on the latest regulatory updates is more important than ever. The MFSA’s circulars provide essential guidance and clarity on several critical areas. These updates are vital for ensuring compliance and operational resilience in a constantly changing environment.

Key Contact

Dr. Matteo Alessandro

Senior Associate

More about MK Fintech Partners Ltd.

Michael Kyprianou Fintech Partners Ltd. is a Maltese company providing services in the FinTech sector. It comprises a team of dedicated experts who provide services such as Legal Advisory, Crypto Licensing, Token Issuers’ Licensing, Investment Services Licensing, and registrations of activities related to Fintech, Crypto, Blockchain & Data Protection, Investment Funds Services & Banking, Company Incorporations, and M&As.

MK Fintech Partners forms part of the Michael Kyprianou Group, a top tier international legal and advisory firm. It has established an enviable reputation as a broad-based legal practice over the years, mainly by keeping at heart its principle to always exceed its clients’ expectations. MK has grown to become one of the largest law firms in Cyprus with offices in Nicosia, Limassol and Paphos. The MK Group’s international presence also includes fully-fledged offices in Greece (Athens and Thessaloniki), Malta (Birkirkara), Ukraine (Kiev), the United Arab Emirates (Dubai), United Kingdom (London), Israel (Tel Aviv), and Germany (Frankfurt).

The content of this article is valid at the date of its first publication. It intends to provide a general guide to the subject matter and does not constitute legal advice. We recommend that you seek professional advice on a specific matter before acting on any information you read. For further information, contact us at MK Fintech Partners via email at contactmkfintech@kyprianou.com or by telephone +356 2016 1010.
