The Malta Financial Services Authority (“MFSA”) and the Financial Intelligence Analysis Unit (“FIAU”) have joined forces and recently issued a consultation document providing guidance for Credit Institutions, Payment Institutions and Electronic Money Institutions opening accounts for FinTechs thus encouraging the formulation of more thorough risk assessments measures, controls, policies and complement their due diligence procedures.

Industry participants have been invited, via the Consultation Document, to submit their feedback in relation to the Guidance Document by 30 April 2019.

The term FinTechs or Fintech Operators incorporates all those persons operating in the financial services sector and utilising smart contracts, AI, DLT and cloud technologies for the development of a financial product to provide a financial service.

The five titles of the consultation paper

The consultation paper is split in 5 different titles, title 1 is a general description of the paper’s scope and application, title 2 provides guidance for Credit Institutions, Payment Institutions and Electronic Money Institutions opening accounts for Fintechs, title 3 sets out the supplementary guidance for Credit Institutions, Payment Institutions and Electronic Money Institutions opening accounts for issuers of DLT assets and title 4 provides guidance for opening accounts for Fintechs, specifically those which are authorised or seeking to be authorised by the MFSA, as VFA service providers. Title 5 provides insight for Credit Institutions, Payment Institutions and Electronic Money Institutions opening accounts for Fintechs accepting DLT assets as a means of payment.

Guidance for credit, payment and electronic money institutions

Credit, payment and electronic money institutions are being encouraged to start considering the risk factors referred to in the FIAU Implementing Procedures by looking at the regulatory status, activities and technology applied by Fintech operators. Institutions should obtain information on the business activity and projected volume of business that will be transacted using the products and services, an organisational chart listing the key individual within the FinTech set up, details as to whether the operator will have substance in Malta and where it will be undertaking its activities. Institutions should also consider whether the technology being used was subject to a systems audit, the background of individuals responsible for the development of such technology. With these details in hand, institutions will allow them to perform a better risk assessment and thus detect any abnormal activities which would merit further attention.

FinTechs acting as a DLT Exchange

The consultation paper also looks at the case where the FinTech in question is a DLT Exchange – institutions should ensure that they are also provided with details on the DLT Exchange’s operational set-up, a copy of the bye-laws and whether the DLT Exchange is linked to other exchanges.

In the case of institutions opening accounts for issuers offering their DLT assets to the public or through private placements, they should consider not only the regulatory status of the issuer but also the status of the market on which the assets may be traded, the nature of the DLT assets, target investors but also reliability of the issue and of the project financed through the issue and the technology used.

VFA Service Providers

The consultation paper also provides guidance for institutions opening accounts for FinTechs specifically those which are authorised by the MFSA as VFA Service Providers. In assessing the risk presented by the customer’s activities, institutions should also consider the VFAs that the service provider is willing to deal/transact in – some VFAs have features which increase the risk associated and the dependence on other VFA service providers in the course of providing the services for which it is licensed where reliance is made on third parties that will also impact the service provider’s overall risk. Credit, payment and Electronic money institutions should obtain details of any material outsourcing agreements entered into by the FinTech operator, financial projections, details of services provided by the FinTech operator, a list of VFA assets the FinTech operator provides, where the FinTech operator holds clients’ monies or assets, details of the arrangements it has in this regard, declarations from the FinTech operator that they are aware of its regulatory obligations also as a subject person under the Prevention of Money Laundering and Funding of Terrorism Regulations.

FinTechs accepting DLT assets as a means of payment

The document also provides guidance for institutions opening accounts for FinTechs accepting DLT assets as a means of payment. The paper provides that VFA business should be segregated from traditional financial services activity and accounts opened by institutions for FinTechs accepting DLT assets as a means of payment shall not directly receive or any at any time hold any VFAs. Institutions should seek information from the FinTech operator on any DLT exchange being used by the operator, any custodian or wallet provider being used, whether the DLT exchange or custodian are licensed and subject to AML/CFT obligations, obtain a list of DLT assets which are accepted by the FinTech operator and the frequency of conversion into fiat currencies of DLT assets accepted as a means of payment.