
Regulatory issues

Regulatory approach

How would you describe the regulatory policy for fintech products and services in your jurisdiction?

The Malta Financial Services Authority (MFSA) has taken an active role in issuing consultations and discussion papers in connection with the fintech industry. Over the past few years Malta had already become an attractive jurisdiction for fintech start-ups, and this was increased by the promulgation of the EU First Payment Services Directive (2007/64/EC) and the EU Electronic Money Directive (2009/110/EC). As a result, Malta has experienced an influx of fintech start-ups, whose businesses are based on providing payment services. This momentum is expected to be sustained following the transposition of the EU Second Payment Services Directive (2015/2366/EU).

In November 2017 the MFSA issued a discussion paper on initial coin offerings, virtual currencies and related service providers, further reaffirming its welcoming approach and commitment to growing the fintech industry in Malta. As the MFSA becomes more aware of the risks and innovation in the fintech world, it is also expected to enhance its expertise in the sector, thus placing Malta on par with other global financial services hubs (eg, the United Kingdom, Germany, the United States, Singapore, Russia, the United Arab Emirates and Gibraltar), which have taken steps to regulate fintech initiatives to different extents.

Have any fintech-specific laws or regulations been enacted in your jurisdiction? Are any envisaged?

Malta has not as yet enacted any fintech-specific laws or regulations. Nevertheless, the Malta Financial Services Authority (MFSA) has been actively working with stakeholders in the fintech industry in order to introduce regulations, rules and policies which address the specific risks connected to fintech innovations. In this respect, the government has taken the approach that the regulation should strike a balance between the protection of investors and the encouragement of fintech innovation. This resonates with the attitude that authorities have taken to date, insofar as the financial services industry is concerned. The MFSA, for example, prides itself on adopting a firm but flexible approach to regulation, which is adaptable to different businesses and which develops alongside industry players.

Regulatory authorities

Which government authorities regulate the provision of fintech products and services?

The Malta Financial Services Authority and Malta’s economic development agency Malta Enterprise are responsible for regulating fintech products and services in Malta.

Financial regulatory framework

Which laws and regulations governing the provision of financial services apply to fintech businesses?

Malta's financial services legislation is organised under four main acts, together with the rules and regulations made thereunder:

  • the Banking Act (Cap 371 of the Laws of Malta);
  • the Investment Services Act (Cap 370 of the Laws of Malta);
  • the Insurance Business Act (Cap 403 of the Laws of Malta); and
  • the Financial Institutions Act (Cap 376 of the Laws of Malta).

Provided that they fall within the scope of the regulatory perimeter, fintech businesses which conduct alternative activities to the traditional regulated activities relating to credit institutions, financial institutions, investment services and insurance would most probably be regulated by one or more of the above acts.

Under what conditions are fintech businesses subject to licensing requirements? Are there any exemptions?

Banking Act

Fintech businesses are subject to licensing requirements under the Banking Act if, as their main activity, they:

  • accept deposits of money from the Maltese public, withdrawable or repayable:
    • on demand;
    • after a fixed period; or
    • after notice; and
  • borrow or raise money from the Maltese public, for the purpose of employing such money in whole or in part by lending to others or otherwise investing for, and at the risk of, the party accepting the money.

Further, fintech businesses must notify the Malta Financial Services Authority (MFSA) in order to extend their banking licences to cover additional services, such as:

  • payment services;
  • issuing and administering other means of payment (eg, travellers cheques and bankers’ drafts);
  • trading in various financial instruments, for customers or on their own account;
  • portfolio management and advice;
  • safe custody;
  • guarantees and commitments;
  • underwriting share issues and participation in such issues;
  • money broking services;
  • credit referencing services;
  • safekeeping and administration of securities; and
  • issuing of electronic money.

Investment Services Act 

The Investment Services Act governs the provision of investment services in or from within Malta, in relation to certain instruments. The services and products caught under the act reflect the provisions of Annex 1 of the EU Directive on Markets in Financial Instruments II (2014/65/EU) (MiFID II). Therefore, fintech businesses conducting an investment service in or from within Malta in relation to certain instruments are subject to licensing conditions under the Investment Services Act.

Financial Institutions Act 

The Financial Institutions Act governs the business of a financial institution in or from Malta. The business of a financial institution is defined as being:

a person that regularly or habitually acquires holdings or undertakes the carrying out of any activity listed in the First Schedule of the Financial Institutions Act for the account and at the risk of the person carrying out the activity.

The first schedule of the act refers to a number of activities, including:

  • lending;
  • financial leasing;
  • payment services under the EU Second Payment Services Directive (2015/2366/EU);
  • issuing of electronic money;
  • trading in various financial instruments, for customers or on one’s own account;
  • underwriting share issues and participation in such issues;
  • money broking services;
  • guarantees and commitments; and
  • issuing and administering other means of payment (eg, travellers cheques and bankers’ drafts).

Fintech businesses that regularly or habitually provide the above services in or from Malta are subject to a Financial Institutions Act licence.

Exemptions 

The Banking Act, the Investment Services Act and the Financial Institutions Act provide no specific licensing exemptions for parties carrying out the above services. Nevertheless, fintech businesses should carry out the following activities in order to mitigate the chances of triggering licensing requirements under the acts:

  • Regarding the Investment Services Act, and pursuant to the EU Regulation on Markets in Financial Instruments (600/2014) (MiFIR), a fintech business may provide investment services or perform investment activities with or without any ancillary services to eligible counterparties and to professional clients within the meaning of Section I of Annex II of MiFID II (ie, ‘de facto professional clients’) established in Malta without the establishment of a branch, provided that the requirements of Article 46 of MiFIR are met. Further, where a retail client or a professional client within the meaning of Section II of Annex II of MiFID II (ie, an ‘elective professional client’) that is established or situated in Malta initiates on its own initiative the provision of an investment service or activity by a fintech business, the fintech business shall not be required to establish a branch or otherwise obtain a licence in Malta.
  • Regarding the Banking Act, a licence is triggered where the business of banking is provided in or from Malta. A licence is also triggered if the business of banking is advertised or solicited. Hence, the acceptance of deposits should not be carried out in or from Malta as a regular feature of business and no advertising or solicitation should be carried out. The decision regarding whether the business of banking is being carried out in or from Malta is determined by the MFSA.
  • Regarding the Financial Institutions Act, a company must not carry out any of the activities covered by the act in or from within Malta habitually or regularly, as this would trigger a licence requirement.

Are any fintech products or services prohibited in your jurisdiction?

No specific types of fintech business are presently prohibited in Malta. However, the MFSA issued a warning in July 2017 whereby it advised the public to exercise caution and be vigilant when dealing with virtual currencies and to ensure that they have understood the risks involved. Further, the MFSA has consistently cautioned investors and potential investors to exercise caution and be vigilant when seeking to invest in contracts for difference, binary options, forex and other highly speculative products. The provision of fintech services would also be prohibited if this would constitute a licensable activity in terms of the Banking Act, Financial Institutions Act or Investment Services Act, and the service provider does not obtain authorisation to provide such services from the MFSA.

Data protection and cybersecurity

What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?

In terms of data processing and transfer, fintech activities are subject to the same rules and regulations that govern non-fintech businesses. Since Malta is a member of the European Union, Maltese data protection law is in line with EU legislation. The applicable rules and regulations are the Data Protection Act (Cap 440 of the Laws of Malta) and its subsidiary legislation, including the Electronic Communications Networks and Services (General) Regulations (SL 399.28).

What cybersecurity regulations or standards apply to fintech businesses?

Malta does not have a general cybersecurity framework in place as yet. However, Chapter V of the Criminal Code of Malta (Cap 9 of the Laws of Malta) refers to computer misuse.

The Processing of Personal Data (Electronic Communications Sector) Regulations (Subsidiary Legislation 440.01) state that data retained under the provisions of this act must be:

  • of the same quality and subject to the same security and protection as the data on the network;
  • subject to appropriate technical and organisational measures to protect it against:
    • accidental or unlawful destruction;
    • accidental loss or alteration; or
    • unlawful storage, processing, access or disclosure; and
  • subject to appropriate technical and organisational measures to ensure that it can be accessed by specially authorised personnel only.

Malta has also been a signatory to the Council of Europe Cybercrime Convention since 2001.

Financial crime

What anti-fraud, anti-money laundering or other financial crime regulations govern the provision of fintech products and services?

Malta's main legislative instruments regarding fraud, money laundering and other financial crimes are:

  • the Prevention of Money Laundering Act (Cap 373 of the Laws of Malta); and
  • the Prevention of Money Laundering and Funding of Terrorism Regulations (Subsidiary Legislation 373.01).

These legislative instruments transpose the requirements of the EU Fourth Anti-money Laundering Directive (2015/849/EU). Fintech businesses carrying out either a ‘relevant financial business’ or ‘relevant activity’ shall be considered as subject persons under the Prevention of Money Laundering Act and the Prevention of Money Laundering and Funding of Terrorism Regulations. In addition, subject persons must also comply with the Implementing Procedures, and other guidance as issued and updated by the financial crime regulator in Malta, the Financial Intelligence and Analysis Unit.

What precautions should fintech businesses take to ensure compliance with these provisions?

Fintech businesses that are considered to be subject persons under the Prevention of Money Laundering Act and the Prevention of Money Laundering and Funding of Terrorism Regulations must comply with the following obligations, among others:

  • to take appropriate steps, proportionate to the nature and size of the business, to identify and assess the risks of money laundering and funding of terrorism that arise out of its activities or business, taking into account:
    • risk factors relating to customers, countries or geographical areas, products, services, transactions and delivery channels, among others; and
    • any national or supranational risk assessments relating to risks of money laundering and the funding of terrorism;
  • to implement measures, policies, controls and procedures proportionate to the nature and size of the business, such as:
    • customer due diligence measures, record-keeping procedures and reporting procedures; and
    • risk-management measures, including customer acceptance, internal control, compliance management, communications and employee-screening policies and procedures;
  • to appoint, where appropriate with regard to the nature and size of the business, an officer at management level whose duties shall include the monitoring of the day-to-day implementation of the measures, policies, controls and procedures adopted under the Prevention of Money Laundering Act and the Prevention of Money Laundering and Funding of Terrorism Regulations;
  • to implement, where appropriate with regard to the size and nature of the business, an independent audit function to test the internal measures, policies, controls and procedures;
  • from time to time, to provide employees with training in the recognition and handling of operations and transactions which may be related to proceeds of criminal activity, money laundering or the funding of terrorism; and
  • to monitor and, where appropriate, enhance the measures, policies, controls and procedures adopted so that they better achieve their intended purpose.

Consumer protection

What consumer protection laws and regulations apply to the provision of fintech products and services?

In terms of consumer protection, fintech activities are subject to the same rules and regulations that govern non-fintech businesses. Since Malta is a member of the European Union, Maltese consumer protection law is in line with EU legislation. The applicable rules and regulations are the Consumer Affairs Act (Cap 378 of the Laws of Malta) and its subsidiary legislation, including the Consumer Credit Regulations (SL 378.12).

Competition

Does the provision of fintech products or services in your jurisdiction raise any particular competition regulatory concerns?

The mere fact that a product or service is a fintech product or service does not raise any particular competition regulatory concerns, provided that it complies with general EU and domestic competition law.

Cross-border regulation

Are there any particular regulatory issues concerning the cross-border provision of fintech products and services (eg, operating jurisdiction rules and currency controls)?

Where a fintech company is a licensable entity within the European Union or the European Economic Area and it is seeking to provide its services by carrying out its activities in Malta in exercise of an EU passport right, it is exempt from acquiring a banking or investment licence in Malta. However, the activities that may be carried out in Malta by a fintech company in exercise of an EU passport right are limited to those it may undertake in its home member state.

Further, a fintech company may exercise an EU passport right to provide services by carrying out its activities in Malta, provided that:

  • it has given the EU regulatory authority of the home member state a services passport notification to provide services in Malta; and
  • the Malta Financial Services Authority (MFSA) has received such notification from the EU regulatory authority of the home member state.

If the fintech company is established in a third country (ie, outside the European Union) and seeks to offer services in or from within Malta, it must be authorised by the MFSA and must establish a branch in Malta, provided that it does not qualify for any of the exemptions to the relevant laws.

Exchange control limitations have been abolished in Malta and Maltese persons may enter into foreign currency transactions without limitation. The only requirement is that statistical data relating to certain foreign currency transactions is submitted by Maltese credit institutions in the appropriate forms to the Central Bank of Malta, in terms of the External Transactions Act (Cap 233 of the Laws of Malta). Failure to so notify will not impinge on the ability of the non-Maltese counterparty to claim payment and will have no impact on the validity of the underlying transaction. However, in the event that a party needs to prove or claim in a Maltese liquidation, the solvent party’s claim must be expressed in euros and the rate of exchange will generally be the rate applicable when the underlying obligation was due.
