Fintech 2025

MALTA Law and Practice Contributed by: Ian Gauci and Cherise Abela Grech, GTG Legal

the risks associated with the outsourcing on an ongoing basis;
• CASPs have direct access to the relevant information of the outsourced services; and
• CASPs ensure that third parties involved in the outsourcing meet the data protection standards of the EU.

CASPs must establish a comprehensive outsourcing policy that includes contingency plans and exit strategies, considering the scale, nature and range of services provided.

In addition, DORA (effective from 17 January 2025) introduced further requirements for financial entities, including CASPs, concerning ICT-related outsourcing. DORA emphasises the need for thorough risk assessments, due diligence and specific contractual provisions to ensure transparency and control over subcontractors.

2.9 Gatekeeper Liability

CASPs and financial institutions are deemed to be subject persons for AML purposes in terms of the AML/CFT rules. To that end, they are required to conduct AML/CFT checks on all their customers.

2.10 Significant Enforcement Actions

In January 2023, the FIAU published an administrative measure against two entities, one of which was licensed as a Class 3 VFA Services Provider, and the other was authorised as a Class 4 VFA Services Provider. The administrative penalties amounted to EUR242,243 and EUR220,992 respectively, due to multiple breaches of the Prevention of Money Laundering and Financing of Terrorism Regulations, including:
• improper business risk assessment;
• improper customer risk assessment;
• improper collection of information regarding wallet addresses;
• shortcomings in enhanced due diligence; and
• failures in transaction scrutiny.

Both entities appealed the FIAU’s decision.

Powers of the MFSA

Under MiCA, the MFSA retains the authority to impose decisions on any issuer of crypto-assets and on any CASP falling within the scope of the Regulation. The MFSA is empowered to, inter alia:
• suspend or require a CASP to suspend its services or prohibit the provision of services;
• disclose or require a CASP to disclose material information having an effect on the provision of services in order to ensure the protection of the interests of clients or the smooth operation of the market;
• require the transfer of existing contracts to another CASP where a CASP’s authorisation is withdrawn;
• require offerors, issuers or persons seeking admission to trading to amend their white paper or their marketing communications;
• suspend an offer to the public or an admission to trading for a maximum of 30 consecutive working days;
• suspend a CASP operating a trading platform for up to 30 consecutive working days; or
• impose administrative penalties.

Penalties

Following the implementation of MiCA, any person found to be in breach thereof would be guilty of an offence. Where such person is a natural person, they shall be liable, on conviction, to imprisonment for a term not exceeding six years or to a fine not exceeding EUR5 million, or both. Where the offence is committed by a legal person,
