The Malta Financial Services Authority (“MFSA“) is the competent authority in Malta charged with the licencing and supervision of credit institutions in terms of the Banking Act (Chapter 371 of the Laws of Malta) and financial institutions (including payment institutions and e-money issuers) in terms of the Financial Institutions Act (Chapter 376 of the Laws of Malta).  The Board of Governors of the MFSA also acts as the Resolution Authority for the purposes of the Bank Recovery and Resolution Directive (Directive 2014/59/EU, the “BRRD“) in terms of the Malta Financial Services Authority Act (Chapter 330 of the Laws of Malta).  The said Act also requires the Resolution Authority to appoint a Resolution Committee assigned all the powers of the Resolution Authority under the BRRD.

Supervision of anti-money laundering compliance by credit institutions vests in the Financial Intelligence Analysis Unit appointed in terms of the Prevention of Money Laundering Act (Chapter 373 of the Laws of Malta)

The business of banking transacted in or from Malta triggers the requirement of obtaining the issue of a licence in terms of the Banking Act, and it is an offence to carry out any business of banking without first being in possession of such a licence.  The business of banking for the purposes of the Banking Act is defined as (a) the acceptance of deposits of money from the public withdrawable or repayable on demand or after a fixed period or after notice, or (b) the borrowing or raising of money from the public, including the borrowing or raising of money by the issue of debentures, debenture stock or other instruments creating or acknowledging indebtedness), in either case for the purpose of employing such money in whole or in part by lending to others or otherwise investing for the account and at the risk of the person accepting such money.

The Banking Act provides that credit institution may, besides the business of banking, carry out a number of activities as listed to the schedule to the Banking Act, as may be determined by the MFSA.  The credit institution would not be issued with a different type of licence but would require MFSA authorisation in order to be able to carry out such additional activities.

The additional activities listed in the schedule to the Banking Act are (i) financial leasing; (ii) payment services as defined under the Financial Institutions Act; (iii) issuance and administration of other means of payment; (iv) guarantees and commitments; (v) trading on own account or for account of customers in (a) money market instruments, (b) foreign exchange, (c) financial futures and options, (d) exchange and interest rate instruments and (e) transferable securities; (vi) participation in securities issues and the provision of services related to such issues; (vii) advice to undertakings on capital structure, industrial strategy and relation questions and advice as well as services relating to mergers and the purchase of undertakings; (viii) money broking; (ix) portfolio management and advice; (x) safekeeping and administration of securities; (xi) credit reference services; (xii) safe custody services and (xiii) issuing of electronic money.

A number of the afore-mentioned activities, in the absence of the undertaking of the business of banking, constitute licensable activities for the purposes of the Financial Institutions Act. Where the activities undertaken by an entity do not involve the acceptance of deposits or the borrowing or raising of money from the public, such entity would (subject to applicable exemptions) be required to obtain a licence under the Financial Institutions Act in order to carry out the business of (i) lending; (ii) financial leasing; (iii) venture or risk capital; (iv) payment services; (v) issuance and administration of other means of payment; (vi) guarantees and commitments; (vii) trading on own account or for account of customers in (a) money market instruments, (b) foreign exchange, (c) financial futures and options, (d) exchange and interest rate instruments and (e) transferable securities; (viii) underwriting share issues and participation in such issues; (ix) money broking and (x) issuing of electronic money.

Account information services provided in or from Mala also require the person providing the same to be in possession of a registration granted by the MFSA under the Financial Institutions Act.

The business activities of a credit institution may include those additional activities which the MFSA may authorise.  Whilst a licenced credit institution will not require a separate licence under the Financial Institutions Act in order to carry out any of the “additional activities” which would, as separate services carried out independently of the business of banking, ordinarily require a licence under the Financial Institutions Act, the undertaking of such additional activities by a credit institution would require the authorisation of the MFSA under the Banking Act.

The MFSA formally launched its Fintech Regulatory Sandbox in July 2020 following the conclusion of an industry-wide consultation process.  The aim of the Fintech Regulatory Sandbox is that of fostering sustainable innovation and is aimed at start-ups, technology firms and established financial services providers which endorse technologically-enabled financial innovation in their business models, applications or products.  The sandbox is intended to operate as a testing environment for innovative and technologically-enabled solutions demonstrating a need for testing within a controlled environment, and must have identifiable benefits to consumers.   A non-exhaustive list of areas identified by the MFSA for such purposes includes APIs, AI, Smart Contracts and New Encryption Methodologies, amongst others.  It is noted that where an applicant clearly falls within the financial services legislative framework currently in force in Malta, such applicant would require a full authorization in terms of the applicable law.  There is no concept of “licence light” for the activities constituting the business of banking.

The issuance and custody of crypto assets which can be classified as virtual financial assets would be an activity which is licenceable in terms of the Virtual Financial Assets Act (Chapter 590 of the Laws of Malta) which came into force in Malta on the 1 November 2018.  For the purposes of the Act, a virtual financial asset is any form of digital medium recordation that is used as a digital medium of exchange, unit or account or store of value and that is not electronic money for the purposes of the Financial Institutions Act, a financial instrument for the purposes of the Investment Services Act (Chapter 370 of the Laws of Malta), or a virtual token being a form of digital medium recordation whose utility, value or application is restricted solely to the acquisition of goods or services, either solely within the DLT platform (excluding DLT exchanges) on or in relation to which it was issued or within a limited network of DLT platforms.

The issuance of a crypto currency which qualifies as a virtual finance asset in or from within Malta, and the admission to trading of such virtual financial assets on a DLT exchange would require the drawing up and registration with the MFSA as the competent authority for the purposes of the Virtual Financial Assets Act of a white paper satisfying the requirements of the Act.

The provision of custody or nominee services relative to virtual financial assets is also an activity which requires a licence in terms of the Virtual Financial Assets Act.  Licenceable custody and nominee services include (a) acting as custodian or nominee holder of a virtual financial asset and/or private cryptographic key; and (b) the holding of a virtual financial asset and/or private cryptographic key as nominee where the person acting as nominee is so acting on behalf of another person who is providing another service licenceable under the Virtual Financial Assets Act, or on behalf of a client of such person.

It is noted that a credit institution, or indeed any other holder of a licence or authorisation issued by the MFSA under any other law, cannot also hold a licence to provide services under the Virtual Financial Assets Act (including custody or nominee services of virtual financial assets).  Any such services would need to be provided via a separate legal entity properly licenced.

Very importantly, reference should also be made to the newly introduced EU Markets in Crypto-Assets Regulation (MiCAR) in June 2023, which will become applicable in full by end 2024.

Crypto assets do not fall under the definition of “deposits” (being a sum of money) for the purposes of the Banking Act and would therefore fall outside of scope of the Depositor Compensation Scheme Regulations implemented under the Banking Act.  The provision of custody services relative to crypto assets which qualify as virtual financial assets for the purposes of the Virtual Financial Assets Act, would be a licenceable activity in terms of the said Act, which activity cannot be carried out by an entity which holds a credit institution licence in terms of the Banking Act.

In the Maltese market, local credit institutions have been increasingly, if not totally, risk averse from holdings or exposures to cryptos and as a result the local regulatory framework has so far followed the applicable position and developments at European Union level, most notably in terms of the CRR and CRDV package generally as now due to be amended under the legislative acts approved in December 2023 by the preparatory bodies of the EU Council and Parliament (CRR III/CRD VI).

The recent FTX debacle has however brought in more urgent focus how industry and regulators alike have been struggling to address the evident lacunae in the existing prudential rules and risks relating to the holding of crypto assets and exposures thereto.

In December 2022 the Basel Committee on Banking Supervision published a standard on the direct exposures of credit institutions to crypto assets and the prudential treatment of crypto assets exposure. Later in January 2023 the Economics and Monetary Affairs Committee of the European Parliament approved a new draft piece of legislation to implement Basel III rules on capital and liquidity requirements for credit institutions with the proposed introduction of a new rule requiring, as an interim measure before the European Commission presents more detailed proposals by June 2023, that a credit institution holds one Euro in balance sheet for every one Euro of crypto assets held.

A new requirement will need to be transposed across the European Union by January 2025 categorising crypto-assets in two groups: firstly, tokenised traditional assets and stablecoins to meet certain conditions, and secondly, crypto-assets. In the case of the first category the assets will need to meet certain conditions and result in requiring own funds to the same level as the relative reserve or reference asset, subject to discretionary regulatory add-ons in certain circumstances. In case of the second category a risk-weighting of 1250% will be imposed thus requiring capital resources cover for the entire exposure.

In terms of the Banking Act, a company wishing to carry out the business of banking in or from Malta is required to submit a formal written application to the MFSA and is not authorised to commence or carry out any such business prior to the licence being issued.

All applications for a licence must be submitted in the form prescribed by the MFSA and must be accompanied by such information, including a programme of operations setting out the types of business envisaged and the structural organisation of the credit institution, and shall conform with such requirements as may be prescribed from time to time.

Article 7 of the Banking Act provides that no company will be granted a licence under the same unless:

• The entity has an initial capital amounting to no less than five million Euro (€5,000,000) or an equivalent amount in another currency;
• At least two (2) individuals effectively direct the business of the entity;
• The MFSA is notified of the identities of the shareholders or members direct or indirectly holding a qualifying holding (of ten per cent or more of the capital or voting rights, enabling the shareholder or member to exercise a significant influence) in the entity. Where there are no such qualifying holdings, the MFSA needs to be advised of the twenty largest shareholders or members;
• The MFSA is satisfied that the shareholders or members, controllers and/or persons responsible for the direction of the business of the credit institution are suitable persons to ensure the sound and prudent management of the institution; and
• Where there are close links between the applicant and another person(s), such links do not, through any law, regulation, administrative provision or in any other manner, prevent the MFSA from exercising effective supervision of the credit institution once licenced.

The MFSA is required to determine an application for a licence within six (6) months from receipt of the application or, where the application has not been submitted in complete form, or additional information is required, within six (6) months of the submission of such additional information. An application must be determined within twelve months of its receipt.  Such time-period does not include any time elapsed prior to the submission of the formal application documents, including during the pre-application phase when the promoters of the applicant are in discussions with the MFSA.

The MFSA is required to notify the European Banking Authority of every licence issued to a credit institution in terms of the Banking Act.

It is noted that with effect from the 4 November 2014, the date of implementation of the Single Supervisory Mechanism, the European Central Bank (ECB) has exclusive competence to authorise all credit institutions established in the Member States, including Malta.  Such competence is exercised in close cooperation with the national competent authorities such that when an application for the issuance of a credit institution licence is submitted to the MFSA, this is reviewed jointly by the MFSA and the ECB.

The provision of cross-border services by a credit institution licenced in terms of the laws of another European regulatory authority is permissible without the requirement of obtaining a specific licence issued in terms of the Banking Act, subject to compliance with the passporting provisions of the European Passport Rights for Credit Institutions Regulations (Legal Notice 129 of 2015).  It is noted that such right does not extend to non-Maltese credit institutions which are not authorised in another European Member State.

In order to benefit from its European passport rights and provide services in Malta on a cross-border basis, the credit institution must limit its activities to those which it is authorised to undertake in its home member state, and must, prior to commencing to provide cross-border services in Malta, give the home Member State regulatory authority a services passport notification to provide services in Malta.  The European home Member State regulatory authority will, in turn, be required to directly notify the MFSA of such passport notification.

Upon receipt of such notification, the MFSA shall notify the European credit institution seeking to provide cross-border services on the basis of its European passport rights, of any applicable conditions.

Only a company in possession of a licence granted under the Banking Act by the MFSA can undertake the business of banking in or from Malta. For the purpose of the Banking Act, a company is a limited liability company constituted in Malta in accordance with the Commercial Partnerships Ordinance (Chapter 168 of the Laws of Malta) or the Companies Act (Chapter 386 of the Laws of Malta), or any law which may from time to time be in force, or a company registered, licensed or holding an equivalent authorisation in another country outside Malta under the laws of any country provided that such company, if not constituted in Malta, would qualify to be so registered or licensed under the laws of Malta.

In terms of the laws currently in force in Malta, a company may be set up as a private limited liability company or a public limited liability company, including as a Societas Europea (SE) in terms of Council Regulation (EC) No 2157/2001.

Credit institutions are required to have in place robust governance arrangements, including a clear organisational structure, well defined lines of responsibility, effective risk management processes, control mechanisms and remuneration policies.

The internal governance arrangements are not pre-determined in number or scale and will vary depending on what is deemed appropriate to the nature, scale and complexity of the business of the relevant credit institution. The main responsibility for internal governance lies with the Board of Directors, which is subject to specific suitability requirements in terms of Article 91 of the Directive 2013/36/EU of the European Parliament and of Council on the access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms (the “CRD“), including a requirement that the directors both on an individual and collective basis, be of good repute and possess sufficient knowledge, skills and experience to perform their duties.   Limitations are also imposed on the number of other directorships each director can hold.

The Board of Directors must act with honesty, integrity and independence of mind and effectively assess and challenge the decisions of the senior management where necessary as well as effectively oversee and monitor management decision-making.

The MFSA implemented Banking Rules providing for remuneration policies and practices that are required to be adopted by licenced credit institutions. Banking Rule 21/2022 governs sound remuneration policies for all the credit institutions’ staff and for staff whose professional activities have a material impact on a credit institution’s risk profile in compliance with the requirements of the CRD in this regard.

The remuneration policy of a credit institution is required to be consistent with and promote sound and effective risk management and not encourage risk-taking that exceeds the level of tolerated risk of the credit institution.

Such remuneration policy must be in line with the business strategy, objectives, values and long-term interests of the credit institution, and incorporate measures to avoid conflicts of interest.

Responsibility for the adoption, periodic review and implementation of such remuneration policy vests in the Board of Directors, with the policy being subject to central and independent review annually.

Staff engaged in control functions are required to be remunerated in accordance with the achievement of the objectives linked to their functions, independent of the performance of the business areas they control.

Remuneration policies adopted by credit institutions must take into account national criteria on wage setting, and make a clear distinction between criteria for setting (a) basic fixed remuneration, which should primarily reflect relevant professional experience and organisational responsibility as set out in an employee’s job description; and (b) variable remuneration which should reflect a sustainable and risk adjusted performance as well as performance in excess of that required to fulfil the employee’s job description.

Additional restrictions as to the manner of calculation of the variable remuneration element apply.  By way of example, no variable remuneration should be paid to directors unless this is justified, and the variable component of an employee’s remuneration cannot exceed 100% of the fixed component of the total remuneration of the said employees unless otherwise authorised by the shareholders who may resolve to increase the variable component of an employee’s remuneration up to a maximum of 200% of the fixed component of remuneration for an individual employee (amongst others).

Banking Rule 21/2022 further details the component factors of variable remuneration as well providing for the implementation of deferral arrangements.

Regulation 575/2013 of the European Parliament and Council on prudential requirements for credit institutions and investment firms (the “CRR“), together with the CRD (the “CRD Package“) setting out the legal framework for the prudential supervision of credit institutions, has been implemented as necessary and applies to credit institutions in Malta.  The CRD Package is complemented by binding regulatory technical standards issued by the EU Commission which apply in Malta without the need for additional implementation.

No significant deviations have been implemented and the credit institutions are advised to refer to the relevant provisions of the CRR, regulatory technical standards and other Guidelines and EU legislation applicable from time to time in this regard.

The so-called “banking package” in the EU is due to fully implement Basel III with the CRR III / CRD VI iteration endorsed by the preparatory bodies of the EU Council and Parliament in December 2023 to enter into force, in case of the CRD following local transposition, by January 2025.

Credit institutions are required to report to the MFSA prudential information under the Common Reporting (COREP) framework and the Financial Reporting (FINREP) framework established under CRR and the applicable Implementing Technical Standards.

As part of such reporting, credit institutions are required to report on applicable leverage ratios. Maltese credit institutions are required to abide by the CRR (soon to be amended by CRR III) relative to the leverage ratio, the net stable funding ratio, requirements for own funds and eligible liabilities, counterparty credit risk, market risk, exposures to central counterparties, exposures to collective investment undertakings, large exposures, reporting and disclosure requirement as applicable.

The MFSA considers continuous liquidity monitoring vital to the prudential operation of credit institutions and requires credit institutions to establish an active treasury management operation whose functions include the monitoring of the maturity structure of credit institutions’ receivables and payables as well as their assets and liabilities taking into account the type, scope and risks of the institution’s activities.

The Commission Delegated Regulation (EU) 2015/61 adopted by the European Commission for the purposes of supplementing the CRR with regard to liquidity coverage requirements for credit institutions applies in Malta such that credit institutions are required to maintain an LCR of at least 100% in line with the said delegated regulation such that credit institution should hold sufficient liquid assets to meet their net liquidity outflows during a 30-day stress period.

Maltese credit institutions are required to abide by the CRR as applicable, including therefore with the NSFR provisions imposed by the same.

Credit institutions in Malta are set up as limited liability companies and are generally subject to at least the same requirements relative to the drawing up and publication of audited financial statements as apply to other limited liability companies in terms of the Companies Act.

This is subject to the additional requirements imposed by the CRR and applicable to banks in Malta, as well as the provisions of the Banking Act which require (amongst others) that credit institutions make available to the public, in paper or in electronic form, a copy of their audited financial statements by no later than four months from the closing of their financial year.

In addition, Maltese credit institutions are subject to the disclosure requirements laid down in the CRR and the Guidelines issued by the EBA and are required to assess the need to publish some or all disclosures more frequently than annually depending on, amongst others, the scale of their operations, range of activities, presence in different countries, involvement in different financial sectors, and participation in international financial markets and payment, settlement and clearing systems.

Furthermore, credit institutions whose shares or debt securities are admitted to listing in terms of Maltese law, are also required to publish half-yearly financial reports in terms of the Listing Rules published by the MFSA in its capacity as the Listing Authority.

Supervision of credit institutions on a consolidated basis is currently required in Malta in terms of the Supervisory Consolidation (Credit Institutions) Regulations (Legal Notice 494 of 2021, as amended by Legal Notice 148 of 2023). In terms thereof, the criteria on the basis of which the MFSA exercises supervision on a consolidated basis implement the relevant requirements of Directive (EU) 2019/878 of the European Parliament and of the Council of 20 May 2019 amending Directive 2013/36/EU (“CRD V”).

Malta transposed the CRD Package principally through the Banking Act and MFSA Banking Rule 13 on the Prudential Assessment of Acquisitions and Increase of Qualifying Shareholdings in Credit Institutions (“Rule 13”). Any person who acquires directly or indirectly at least 5% of the voting rights or capital in a credit institution or increases his holding above the 5% threshold, but does not exceed 10%, is required to inform the MFSA in writing indicating the size of the shareholding and generally providing relevant information to the Authority. Any person or persons acting in concert may not acquire or increase participation to a “qualifying shareholding” (i.e. 10% or more of the capital or of the voting rights or which makes it possible to exercise a significant influence over the management of the credit institution) directly or indirectly unless with the prior approval of the MFSA. Regulatory approval is also required in the case such qualifying shareholding reaches or exceeds 20%, 30% or 50% of the voting rights or capital in the credit institution. Based on the proportionality principle, and the   authority has been guided by the Joint Guidelines on the prudential assessment of acquisitions and increases of qualifying holdings in the financial sector JC/GL/2016/01 issued by the Joint Committee of the European Supervisory Authorities on 20 December 2016, the list of information required to be submitted to the MFSA varies depending on whether the qualifying shareholding being acquired is less than 20%, more than 20% but less than 50%, or if the proposed acquisition constitutes a change in control.

Under Rule 13 the assessment process by the MFSA to determine whether to allow a person or persons to acquire a qualifying shareholding in a credit institution is designed to ensure the sound and prudent management of the credit institution in which the acquisition is proposed and is divided in five assessment criteria: (a) the reputation of the proposed acquirer; (b) the reputation and experience of any person who will direct the business of the credit institution; (c) the financial soundness of the proposed acquirer; (d) ability to comply with prudential requirements; and (e) money laundering or terrorist financing risks.

No such restrictions apply as long as the five assessment criteria applicable to eligible owners of banks are satisfied.

Yes. Central Bank of Malta Directive No. 11 and MFSA Banking Rule 15 transpose the higher capital buffer requirements of the CRD Package imposed on global and other systemically important institutions (G_SIIs and O-SIIs) which are considered to pose a greater risk to financial stability. Currently there are four Maltese credit institutions which are identified as O-SIIs and therefore required to have in place an additional capital buffer.

Depending on the nature and severity of the breach the MFSA can impose administrative penalties (a) up to twice the amount of the benefit derived from the breach where that benefit can be determined; (b) in the case of a natural person, up to EUR 5 million; and (c) in the case of a legal person, up to 10% of total annual turnover in the preceding business year according to a calculation set out in the Banking Act. The MFSA also has wide-ranging powers to restrict or withdraw (in conjunction with the ECB in terms of the SSM) a licence in certain cases, order the removal of officers or the divestment of a shareholding, appoint a competent person to take control of the credit institution, order the winding up of the business, amongst others. Criminal prosecution in the case of certain breaches is also possible with the sanction of the Attorney General. Any person found guilty of a criminal offence under the Banking Act risks up to three years imprisonment and/or a maximum fine of EUR 2 million.

The Recovery and Resolution Regulations (Legal Notice 301 of 2015, as amended) implement the relevant provisions of the BRRD into Maltese Law and empower the Resolution Committee to intervene, via a number of statutory tools such as bail-in and asset and liability transfer powers, in the event a credit institution that has failed or is likely to fail. The resolution regime also imposes certain obligations on the credit institutions themselves such as the maintaining by relevant credit institutions in terms of the said Recovery and Resolution Regulations, of updated recovery and resolution plans.

Cash deposits are protected under the Depositor Compensation Scheme, which grants protection of up to EUR 100,000 per eligible depositor, as well as a function of the BRRD, by giving eligible depositors, subject to certain exceptions, a preferential ranking at law before ordinary, unsecured creditors such as unsecured bondholders. Deposits may also be protected up to EUR 500,000 in case of a temporary high balance. Client assets are protected through prudential obligations such as segregation of assets by credit institutions when acting in a custodial function.

Yes. The Resolution Committee is empowered under the Recovery and Resolution Regulations, to apply the bail-in tool to, subject to a number of conditions and criteria: (a) recapitalize a credit institution (and other entities); (b) convert to equity or reduce the principal amount of claims or debt instruments that are transferred to a bridge institution or under the sale of business tool or asset separation tool. The excluded liabilities include: (a) covered deposits; (b) certain secured liabilities; (c) certain UCITS assets which are other otherwise protected under insolvency laws; (d) liabilities arising under a fiduciary relationship; (e) liabilities owned to institutions, excluding entities that are part of the same group,  with an original maturity of less than seven days; (f) liabilities  with  a  remaining  maturity  of  less  than seven days, owed to systems or operators of systems designated according to Directive 98/26/EC or their participants and arising from the participation in such a system, or to central counterparties authorized in another Member State pursuant to Regulation EU) No 648/2012 and third-country central counterparties recognised by ESMA; (g) certain liabilities connected with the salary of employees, amounts due to critical suppliers, service providers, tax authorities and under a deposit compensation scheme; (h) liabilities  to  financial holding companies or parent financial holding companies, mixed financial holding companies or  parent mixed financial holding companies, or subsidiaries of credit institutions, investment firms or such holding entities  that  are  part  of  the  same  resolution group  but not resolution  entities, regardless  of  their  maturities,  except where  these liabilities  rank  below  ordinary  unsecured  liabilities under article 29A of the Banking Act. The Resolution Committee also has some limited powers to exceptionally exclude other liabilities from the application of write-down or conversion powers as laid down in the Recovery and Resolution Regulations.

The harmonised minimum level of the Total Loss-Absorbing Capacity (TLAC) Term Sheet for global systemically important institutions (G-SIIs) applies in Malta in virtue of Regulation (EU) 2019/876 of the European Parliament and of the Council amending Regulation (EU) No 575/2013.  Whilst credit institutions are required to report TLAC-related data (amongst others), no Maltese credit institution is currently identified as being a globally systemic important institution.

In its Strategic Statement of February 2023 the MFSA set out its strategic objectives for the financial services sector divided into five pillars: (i) delivering agile and proactive regulation; (ii) sustaining a resilient, internationally networked financial sector; (iii) promoting good governance and compliance; (iv) embracing innovation; and (v) engaging with the public.  It is to be expected that throughout 2024 efforts will be channeled into transposing CRD IV into the Maltese legal framework

Stricter anti-money laundering compliance and pursuing the highest governance standards are priorities which Malta shares with innumerable other established jurisdictions. The continuing de-risking of international banks has also put stress on the local credit institutions to maintain US clearing relationships which are vital to the wider domestic economy highly dependent on the service industries.