The Malta Financial Services Authority (‘MFSA’), following consultation with the Malta Digital Innovation Authority (‘MDIA’), has issued a consultation document setting out proposed amendments to the Systems Audit and live replication server requirements provided for in the Virtual Financial Asset Act Chapter 3 Rulebook (‘Rulebook’).
The proposed changes, applicable to Virtual Financial Asset (‘VFA’) Licence Applicants (‘Applicants’), are to come into effect on the 1st of February 2020 (‘the Effective Date’).
It is being proposed that as from the Effective Date, all Applicants having in place an innovative technology arrangement (‘ITA’) must engage an MDIA registered Systems Auditor in terms of article 9 of the Innovative Technology Arrangements and Services Act (Chapter 592 of the Laws of Malta) (‘ITAS Act’).
The main role of the Systems Auditor is to issue an audit report in line with the MDIA’s Systems Auditor Report Guidelines, Systems Auditor Control Objectives and the MFSA’s Guidance Notes on Cybersecurity (collectively the ‘Guidelines’), both at VFA Services Licence application stage and on an annual basis thereafter. The audit report, together with the Systems Auditor’s opinion, is to be submitted both to the MFSA and to the MDIA.
Applicants without an Innovative Technology Arrangement
In cases where the Applicant does not have an ITA in place, it is proposed that a Systems Auditor registered with the MDIA in accordance with the ITAS Act is appointed for the purpose of carrying out an audit of the Applicant’s IT infrastructure. An audit report will have to be submitted both to the MFSA and to the MDIA, together with the Systems Auditor’s opinion. Such an audit is to be carried out in adherence to the aforementioned Guidelines.
Live Replication Server
The Rulebook, under rule R3-220.127.116.11.6, currently states that, ‘where the Licence Holder’s IT infrastructure is not based in Malta, or is located in a cloud environment, the Licence Holder shall ensure that data is replicated real time by virtue of a live replication server located in Malta’. It is being proposed that from the Effective Date onwards, the said live replication server requirement will be applicable to all Applicants, irrespective of where their IT infrastructure is based.
The live replication server must be set up in adherence to the MDIA’s Forensic Node Guidelines and will be within scope of the audits carried out by Systems Auditors. In addition, it is proposed that a person of seniority and with the necessary skills, knowledge and experience within the Applicant’s entity, must also be appointed in order to ensure that any request for information regarding legal compliance and the operational behaviour of the live replication server can be acted upon satisfactorily.
Entities under Transitory Provision
Further to the Circular to Virtual Financial Asset Service Providers, issued on the 6th of September 2019, entities operating under a transitory provision in terms of Article 62 of the VFA Act and wishing to continue offering their services after the end of the transitory provision, along with those commencing the VFA Services Licence application process prior to the Effective Date, must, in the case of the:
- requirement to appoint a Systems Auditor, appoint a registered Systems Auditor and submit an audit report within six (6) months from the granting of the licence or the commencement of business, as the case may be. It is proposed that this will only apply where no audit report has been submitted at application stage; and
- live replication server requirement, have such a server in place upon submission of the VFA Licence Application Form. The live replication server will have to be audited by a registered Systems Auditor, and any findings are to be presented in an audit report to be submitted both to the MFSA and to the MDIA within six (6) months from the granting of the licence or the commencement of business, as the case may be.
The MFSA may introduce further requirements for the purpose of certifying ITAs depending on the nature, scale and complexity of the business, the risk profile and/or the criticality of the ITA in the operations of the VFA Service Provider.