TMT 2025

MALTA Law and Practice Contributed by: Andrew J Zammit, James Bartolo and Nicholas Scerri, GVZH Advocates

ity (MDIA) oversees blockchain technology providers, ensuring security, ethical AI integration and certification of technology arrangements. The FIAU enforces AML and counter-financing of terrorism regulations, requiring crypto businesses to implement due diligence, transaction monitoring and fraud detection mechanisms.

2. Cloud and Edge Computing

2.1 Highly Regulated Industries and Data Protection

Cloud computing is not yet expressly or specifically regulated in Malta; however, rules governing a standard level of network security and many industries, especially the banking and gaming sectors, address cloud computing. These sectors are discussed below.

Financial Services

The financial services sector is a wide sector, with different sub-sectors such as banking, insurance and investment services, all of which are subject to broadly similar rules in relation to the outsourcing of a material service or activity. Such rules are issued by the MFSA, the competent authority to regulate all matters relating to banking and finance in Malta.

Generally, the use of a cloud service would be considered as material, and notification is required to be given to the MFSA prior to engaging in the use of that service. A risk assessment of the arrangement, as well as the necessary due diligence, would normally also be required to ensure that the service provider is suitable.

The MFSA has also released the “Guidance on Technology Arrangements, ICT and Security Risk Management and Outsourcing Arrangements”, which would more generally apply to the financial services sector as a whole. These guidelines take cloud computing into account and provide a practical framework for licence holders and requirements for different cloud computing service models – such as software as a service (SaaS) or platform as a service (PaaS) – requiring communication and information systems to protect the data they handle in transit and at rest; this data must only be accessible to authorised parties as and when needed. It is also worth noting that the MFSA places significant importance on ensuring that data stored in cloud environments is adequately secured against cyber threats, and that third-party providers undergo continuous monitoring and periodic audits to verify compliance with these standards.

They further provide that confidentiality, integrity, availability, authentication and non-repudiation should form the five pillars in the design of any technology arrangement implemented by a licensed institution. Additionally, institutions are expected to maintain a robust incident response plan that includes notification to the MFSA within specified timeframes if a breach or data loss occurs in the cloud environment. Cloud computing systems must also take into consideration the ISACA’s Guiding Principles for Cloud Computing Adoption and Use.

Gaming Law

The use by a Malta-licensed gaming provider of managed information technology services is regulated in accordance with the Gaming Authorisations Regulations (Chapter 583.05, Laws of Malta) as well as the “Policy on Outsourcing by Authorised Persons”, issued by the Malta Gaming Authority (MGA), the authority which regulates the gaming sector in Malta. These legal instruments state that cloud computing services would be considered a material gaming supply,

CHAMBERS.COM