Fintech 2025

MALTA Law and Practice Contributed by: Ian Gauci and Cherise Abela Grech, GTG Legal

2.12 Review of Industry Participants by Parties Other than Regulators

CASPs and financial institutions authorised in Malta are required to audit their financial statements annually. Financial auditors typically need to be pre-vetted by the MFSA before being in a position to service such authorised entities, and carry out their own verifications, not solely from their perspective as a subject person for AML/CFT purposes but also in their role as auditor.

It is important to note that financial institutions also fall within the regulatory remit of the Maltese Central Bank, which among other functions oversees and regulates the operation of, and the participation in, both domestic and cross-border payment and securities settlement systems. In this context, the Bank has also entered into agreements with the MFSA concerning the exchange of information and payment and securities settlement systems.

2.13 Conjunction of Unregulated and Regulated Products and Services

Where an authorised person is seeking to offer additional services through the same entity, even if non-regulated, this entity will need to be pre-vetted and approved by the competent authority. Even though there might not be an express legal or regulatory limitation in this regard, the competent authority may consider that the provision of such additional services could lead to a conflict of interest, or could add additional risks or instability that could hamper consumer protection and the authorised person’s financial or risk position and thus it may not allow the provision of such additional services on this basis.

In relation to MiCA specifically, one type of crypto-asset that falls outside of MiCA’s scope is non-fungible tokens (NFTs). It is important to note, however, that MiCA clearly specifies what

they shall be liable, on conviction, to a fine not exceeding EUR15 million.

The Maltese MiCA implementation regulations also include specific provisions that empower the MFSA to issue administrative penalties ranging from EUR7,000 to EUR5 million in the case of a natural person and from EUR5 million to EUR15 million in the case of a legal person, or 15% of the total annual turnover of such legal person.

Appeals

Any such actions made by the MFSA are subject to appeal in front of the Financial Services Tribunal.

2.11 Implications of Additional, Non-Financial Services Regulations

DORA

DORA became fully enforceable on 17 January 2025, with the aim of strengthening the IT security of financial entities such as banks, insurance companies and investment firms and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption. DORA was intended to push financial entities and their management – who retain ultimate responsibility – to understand fully how their ICT, operational resilience, cyber and third-party risk management practices impact the resilience of their critical functions and to develop operational resilience capabilities.

General Data Protection Regulation (GDPR)

With respect to privacy law implications, Malta is subject to the GDPR and the general considerations thereunder.
