The Malta Financial Services Authority (‘MFSA’) has released a circular regarding the issuance of an updated version of the Frequently Asked Questions (‘FAQs’) to Chapter 3 of the Virtual Financial Assets (‘VFAs’) Rulebook (‘the Rulebook’) on the 25thMarch 2020. This article will outline the salient changes brought about by this update, which added FAQs 5.26-5.29 and Section 10, and amended FAQ 9.1.
Quality Assessment of a VFA
R3-18.104.22.168.2 of Chapter 3 of the VFA Rulebook states that when assessing the quality of a VFA, the license holder must consider the technological experience and reputation of the issuer and its development team as well as the result of the Financial Instrument Test.
Through the addition of FAQ-5.26, the license holder must also take into account a number of other factors, including, inter alia;
- The issuer’s AML/CFT and cybersecurity systems and controls at the time of the initial virtual financial asset offering;
- Whether a multi-signature hardware wallet solution is available;
- The protocol of the underlying infrastructure;
- The consensus protocol;
- The Systems Auditor’s report on the Issuer’s Innovative Technology Arrangement (‘ITA’);
- Market developments;
- Geographic distribution of the VFA and any trading pairs;
- Accuracy of information included in the project website and/or whitepaper;
- Built-in anonymization functions;
- Potential illicit use of the VFA such as trading on Dark Net marketplaces;
- Built-in mechanisms for settlement failure;
- Other DLT exchanges on which the VFA is traded; and
- Social media information.
Information in the Bye-Laws
Through the addition of FAQ-5.27, the Bye-Laws should include sections of information on the following;
- License Holder’s administration;
- License Holder’s procedures with regards to client onboarding, listing of VFAs, and trading, and information on operations including pre-and post trade transparency, market monitoring, custody and safekeeping arrangements, record keeping and fees;
- Reporting of suspicious transactions;
- Settlement and resolution mechanisms in case of settlement failure;
- Suspension and removal from trading;
- Periodic tests carried out on License Holder’s systems;
- Business continuity; and
- Disciplinary action taken against clients.
Additional Capital Requirement
R3-22.214.171.124 of the Rulebook states that License Holders must maintain own funds equal to their capital requirement which amount to the higher of either the permanent minimum requirement or the fixed overheads requirement.
FAQ-5.28 substantiates this rule by clarifying that the Authority may require the License Holder to hold additional capital to that mentioned in this rule in two instances. The first instance is where a material change in the business of the License Holder occurs, and the second is where the Authority concludes through its supervision that the License Holder:
- Is exposed to risks which are not covered by the capital requirement set out in the rule;
- Is not meeting the requirements pertaining to the Internal Capital Adequacy Assessment Process and Risk Management, and other administrative measures are unlikely to improve the situation;
- Is unable to sell or hedge out its positions within a short period of time without incurring material losses under normal market conditions due to insufficient prudential valuation of the trading book; or
- Repeatedly fails to establish or maintain adequate additional capital to ensure that economic fluctuations and potential losses and risks may be withstood without resulting in non-compliance to capital requirements.
R3-126.96.36.199.4 states the Authority can request the proposed Compliance Officer and/or the Money Laundering Reporting Officer (‘MLRO’) to complete certain courses in order to be deemed fit to carry out such functions. Through the introduction of FAQ-5.29, the MFSA has clarified that such courses would need to be completed prior to licensing. Furthermore, the approved courses are the CAMS certification and any other course which the Authority may approve from time to time.
Company Registration Procedure
Prior to these amendments, FAQ-9.1 stated that the registration of a company to perform activity under the VFA would need to be registered with the Registry of Companies and conduct a legal assessment stating whether the activity is licensable. This legal assessment would then be submitted to the registry of companies prior to submitting the documentation for incorporation. By virtue of the amendments to FAQ-9.1, companies must now be registered with the Malta Business Registry (‘MBR’) and a Letter of Intent which must also be submitted to the MFSA as part of the application process, must be submitted together with the legal assessment to the MBR.
Systems Audit and IT Audit Requirements
Through the addition of Section 10 to the FAQ document, further information has been provided on the Systems Audit and IT Audit Requirements. FAQ-10.2 provides that an IT Audit involves an assessment of the operator’s information technology infrastructure, policies, and operations, in line with nationally or internationally recognized audit standards. This should be accompanied by the IT Auditor’s confirmation that the infrastructure does not materially interact with an Innovative Technology Arrangement (‘ITA’).
FAQ-10.3 provided information on the applicable timelines for the submission of the first Systems Audit Report by Applicants for a VFA Service Providers license. VFA Service Providers operating under the transitory provisions who have an ITA or systems interacting with an ITA in place must submit the Systems Audit Report drawn up by a registered Systems Auditor within 6 months from licensing, while those who do not must submit an IT Audit Report drawn up by an IT Auditor as elaborated upon in FAQ-10.2 within 6 months from licensing. On the other hand, VFA Service Providers submitting the Letter of Intent after 1stFebruary 2020 must submit a Systems Audit Report or a Systems IT Audit Report, depending on whether an ITA or system interacting with an ITA is utilized or not respectively, as part of the application pack.
Finally, FAQ-10.4 provides more detail on the minimum information to be stored and made available on the Live Audit Log latest ten minutes after the transaction or event occurs as required under R3-188.8.131.52. This information includes, inter alia:
- Transaction records required by Part II of the Implementing Procedures of the Financial Intelligence Analysis Unit (‘FIAU’) such as customer’s identification details, bank account or wallet addresses, and type and value of the VFA involved;
- Client records;
- Customers’ accounting records;
- Suitability assessments carried out on clients; and
- Information on failed transactions.