The Malta Financial Services Authority (MFSA), jointly with the Malta Digital Innovation Authority (MDIA), has issued a consultation document regarding the proposed adoption of Innovative Technology Arrangement certification vis a vis applicants and license holders of a Virtual Financial Asset Services license (Virtual Financial Asset Service Providers/VFASPs). The underlying intention of this consultation document is to obtain feedback from industry participants on the Ideal way forward in this regard.
The concept of the certification of Innovative Technology Arrangements would provide an additional level of regulatory certainty whilst also enhancing investor protection. Furthermore, since the MDIA would be the regulator responsible for the certification of Innovative Technology Arrangements (ITA), it would also provide an additional layer of regulatory oversight. ITAs essentially consist of software architectures that make use of distributed ledger technology.
Where a particular Virtual Financial Asset Service Provider has an ITA in place as part of its operations, the MFSA will require such a VFASP to obtain an ITA certification from the MDIA. Where a VFASP does not have an ITA in place, it would need a ruling by the MDIA confirming that its technological infrastructure does not qualify as an ITA so as to be exempt from MDIA certification. However, even though a VFASP may be exempt from MDIA certification, it would still be required to undertake an IT Audit as per the VFA Rulebook.
Where a VFASP has a technological setup deemed to be fully or partially based on an ITA, it would need to comply with the MDIA’s certification requirements. Among these requirements, one may find the establishment of a ‘Forensic Node’ and the appointment of a ‘Technical Administrator’ duly registered with the MDIA. This role may be carried out by a current employee of the VFASP.
Upon the completion of the consultation period (30th March 2021), the newly proposed certification requirements will be added to the VFA Rulebook, save any changes that may be implemented following the public implementation. These new requirements will be rendered applicable to all applicants of VFA Services starting their application process after the publication of the newly transposed rules. A transitionary period shall be put in place for current License Holders and applicants who have already commenced their application process prior to the coming into force of these requirements.
License holders are to be given a 3 month period within which they are required to obtain an MDIA ruling verifying whether they have an ITA in place. Where a license holder does not have an ITA in place, he will be required to submit an IT Audit Report to the MFSA on the applicable date. The license holder shall continue doing so on an annual basis thereafter. On the other hand, where a license holder is found to have an ITA in place by virtue of an MDIA ruling, the license holder will be required to submit a ‘Systems Audit Report’ to the Authorities and obtain MDIA certification within 9 months of the aforementioned MDIA ruling.
Applicants of a VFA services license who commenced their application prior to the entering into force of these rules would not need to abide by them during the licensing phase. However, upon being validly licensed, they are deemed to be ‘License Holders’ and thus subject to the aforementioned requirements for license holders. The MDIA will be waiving the fees associated with the ITA certification process for year 1 and year 2.
In conclusion, the consultation paper proposes that the requirement of MDIA certification becomes an essential pre-requisite of any Virtual Financial Asset Service Provider. Thus, non-adherence to it would prevent an applicant from finalising its licensing process. Naturally, non-adherence would also result in a VFASP being asked to cease all operations in relation to Virtual Financial Assets following the repeated failure of a remediation plan.