-
What are the sources of payments law in your jurisdiction?
Payment services and payment services providers are regulated under the Financial Institutions Act (chapter 376 of the laws of Malta) and its subsidiary legislation. The Maltese legislator has also directly transposed EU directives regulating payment services into the Financial Institutions Act, including implementing the changes introduced through directive 2015/2366/EU of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending directives 2002/65/EC, 2009/110/EC and 2013/36/EU and regulation (EU) No 1093/2010, and repealing directive 2007/64/EC, more commonly referred to as PSD2.
The Banking Act (chapter 371 of the laws of Malta) provides the legislative framework for credit institutions, referencing the Financial Institutions Act. The Civil Code (chapter 16 of the laws of Malta) also regulates the civil law private aspect of payments.
The licensing of payment services providers falls within the remit of the Malta Financial Services Authority (MFSA) which in turn issues rules for licensees. The Central Bank of Malta also oversees and regulates the operation of, and the participation in, both domestic and cross-border payment and securities settlement systems. Approval must first be authorised by the Bank before new payment and securities settlement systems can operate. Furthermore, the Bank may also issue directives in respect of payment and securities settlement systems, cross-border credit transfer services and electronic payment services.
-
Can payment services be provided by non-banks, and if so, on what conditions?
Yes. The Financial Institutions Act sets out the different types of payment services that can be provided by licensed institutions. These are:
- Services enabling cash to be placed on a payment account and withdrawn from a payment account as well as all the operations required for operating a payment account;
- Execution of payment transactions, including transfers of funds on a payment account with the user’s payment service provider or with another payment service provider: execution of direct debits (including one-off direct debits), of payment transactions through a payment card or a similar device, and of credit transfers (including standing orders);
- Execution of payment transactions where the funds are covered by a credit line for a payment service user for the executions listed above;
- Issuing of payment instruments and/or acquiring of payment transactions;
- Money remittance;
- Payment initiation services; and
- Account information services.
The term payment service provider on the other hand includes credit institutions, electronic money institutions, post office giro institutions, payment institutions and account information service providers.
Electronic money institutions and payment institutions that seek to offer payment services must be duly licensed by the MFSA before offering such services.
As a leader in the regulation of cryptocurrencies, the Maltese legislator also sought to regulate the provision of payment services where this involves virtual financial assets (VFAs) (as defined under the Maltese act). The Maltese Virtual Financial Assets Act (chapter 590 of the laws of Malta) provides that any person conducting a transaction on behalf of a third party that moves a VFA from one VFA address or account to another must be in possession of a VFA licence issued by the MFSA. These operators will now need to assess the impact of the EU’s Markets in Crypto-assets (MiCA) Regulation and whether a financial institution licence as well as a MiCA licence are required to continue offering such services.
-
What are the most popular payment methods and payment instruments in your jurisdiction?
Over the last decade, the collective shift to the digital sphere has led most individuals to seek faster and more efficient payment methods. This change in mentality brought about a rise in internet banking use, and more recently, mobile banking. The use of payment services providers has also increased, more commonly seen as offering efficiency in making online purchases. However, on a day-to-day basis, the use of cash still remains strong in Malta and the use of cheques is still common, particularly in certain sectors.
-
What is the status of open banking in your jurisdiction (i.e. access to banks’ transaction data and push-payment functionality by third party service providers)? Is it mandated by law, if so, to which entities, and what is state of implementation in practice?
As an EU member state, PSD2 was transposed into Maltese legislation in 2019. This did not trigger any obligation for a bank or financial institution already licensed by the MFSA as a home state regulator to provide payment services to seek any re-authorisation of these activities in terms of passporting rights exercised by the operator prior to the implementation of these amendments.
Nevertheless, despite banks taking the necessary steps to permit open banking by making their application programming interface (API) technologies available, the practical use of open banking in Malta remains limited. This is due to the small number of live and operative account information service providers (AISPs) or payment initiation service providers (PISPs) operating within Malta.
-
How does the regulation of data in your jurisdiction impact on the provision of financial services to consumers and businesses?
Since the General Data Protection Regulation (2016/679 – the GDPR) came into force in May 2018, the protection of personal data that is processed by financial services providers, and also generally, gained more prominence in Malta. The GDPR itself did not produce any new obstacles concerning the processing of personal data by financial services providers, at least within the context of the contractual relationship for a financial services product / service between the financial service provider and the respective consumer. Rather, the GDPR introduced more complex and demanding data protection accountability and compliance obligations together with more enhanced transparency disclosure requirements.
Specifically with regards to banks, it should be noted that data protection guidelines were issued locally by the Malta Banker’s Association in consultation with the Information and Data Protection Commissioner.
-
What are regulators in your jurisdiction doing to encourage innovation in the financial sector? Are there any initiatives such as sandboxes, or special regulatory conditions for fintechs?
The MFSA released a Fintech Regulatory Sandbox in 2020, making it possible for fintech operators to test their innovations in a regulated environment for a set time frame, under specific prescribed conditions. It is available for (regulated and unregulated) fintech service providers and technology providers, including start-ups, technology firms and established financial services providers using technology-enabled innovations.
The sandbox has four main objectives: innovation, sustainability, legal certainty, and knowledge. Technological solutions that can utilise the sandbox include: APIs, AI, machine learning and biometrics. In 2023 the MFSA issued the revised FinTech Regulatory Sandbox, taking into consideration the lessons learned since the sandbox’s inception. The revised framework introduced a simplified MFSA Sandbox lifecycle, aimed to be clearer and more efficient.
Similarly, the Malta Gaming Authority (MGA) launched a sandbox framework for the acceptance of cryptocurrencies and DLT through its licenses back in 2019. This established the possibility of MGA licensees to accept payment in VFAs, while also starting applications for the use of Innovative Technology Arrangements (ITAs). These include DLT platforms and smart contracts. Following the release of the “Guidance on the use of Innovative Technology Arrangements and the acceptance of Virtual Financial Assets and Virtual Tokens through the implementation of a Sandbox Environment” in 2021, the MGA published its Policy on the use of Distributed Ledger Technology by Authorised Persons in January 2023.The policy is intended to provide a comprehensive and updated outline of the MGA’s position with respect to DLT applications and, where possible, streamline the requirements previously applicable by way of the sandbox Framework in light of the regulatory experience gained over its period of operation, while maintaining continual congruence with the MGA’s regulatory objectives.
Furthermore, in July 2020, the Malta Digital Innovation Authority (MDIA) released a consultation document inviting stakeholders to comment on the ITA Sandbox, finishing the MDIA’s ITA full certification framework, with the intention to set up an ITA sandbox to complement Malta’s certification framework. This resulted in the creation of the Technology Assurance Sandbox (MDIA-TAS) Version Two, effective 1st of June 2022, catering for start-ups and smaller players seeking to correctly develop their innovative digital product or service (IDPS) through analysis by MDIA-recognized technical experts and monitoring by the Authority.
-
Do you foresee any imminent risks to the growth of the fintech market in your jurisdiction?
The enactment of the VFA Act and the Innovative Technology Arrangements and Services Act in 2018, as well as the setting up of the MDIA saw an increased interest as to what Malta could offer, not only in the virtual currencies sphere, but also as a fintech hub. In its Fine-Tuning Strategy for 2022/2023, the MFSA solidified its intentions to focus on innovative and technological activities (specifically Malta’s payment and electronic money service industry) and be forward-thinking in its supervisory techniques while allowing innovation. This was once again confirmed by the MFSA in February 2023 in its Strategic Statement.
As the MiCA Regulation has now come into force and is being implemented across the EU Member States, Malta’s experience and strength in this sector is expected to attract more players in this sector who seek to be regulated in order to continue offering their services within the EU. Bearing in mind the similarities between the Maltese VFA framework and the provisions of the MiCA Regulation, it is expected that the Maltese regime will evolve in a seamless manner into the new regulation.
-
What tax incentives exist in your jurisdiction to encourage fintech investment?
Malta Enterprise, Malta’s economic development agency has issued various incentives offering access to finance schemes, investment aid as well as schemes specifically targeted to start-ups.
The Micro Invest programme, which is one of the tax incentive plans offered, grants eligible undertakings the possibility to claim a tax credit of 45% of eligible expenditure and wage costs. Eligible undertakings include start-ups, female-owned undertakings, family businesses and single undertakings. Additional incentives are offered to undertakings operating from Gozo.
Malta also offers attractive tax residency rules for certain levels of employees in particular sectors whereby they can benefit from a flat rate of 15% on income tax on particular income streams provided that certain requirements are met.
-
Which areas of fintech are attracting investment in your jurisdiction, and at what level (Series A, Series B etc)?
The most prominent areas that have seen an increased interest are the payments sector as well as a continued interest in start-ups and companies (Series A and B) looking to venture into the cryptocurrency sphere. This includes established gaming companies (Series C) that seek to introduce an element of virtual tokens or cryptocurrency acceptance into their operations. On the tech front there is also a significant interest from market players as well as regulators with regards to the peer-to-peer economy and decentralised finance (DeFi).
-
If a fintech entrepreneur was looking for a jurisdiction in which to begin operations, why would it choose yours?
While Malta has made a name for itself in the cryptocurrency sphere, one cannot forget that for many years prior to the enactment of the VFA framework, Malta had already established itself as a prominent financial services jurisdiction.
Operators wishing to establish themselves in Malta can thus benefit from a knowledgeable regulator that has always prided itself with being open to meet and discuss different projects and their licensable elements. Innovative projects may also benefit from the opportunity of working within the ambit of a sandbox (please refer to question 6 above for more information). As the MiCA Regulation is currently being implemented across the EU Member States, Malta’s established record in the cryptocurrency sphere has already garnered interest by operators who wish to ensure they continue operating in the EU. The MFSA’s experience offers more peace of mind to service providers and issuers who seek to ensure they are fully compliant with applicable legislation.
Start-ups, especially those in the fintech sector, find Malta a particularly attractive jurisdiction due to the concentration of industry players, talent, and suppliers on the island. Malta offers the right conditions for tech companies to develop, launch and scale their products within affordability.
The local labour pool caters for the needs of ICT employers across the range of technical and creative skills, while specialist knowledge can easily be sourced from overseas due to an incentive program for foreign workers. Salaries are lower than in other Western European IT centers, thus enabling small and medium-sized companies to afford the development of new products.
-
Access to talent is often cited as a key issue for fintechs – are there any immigration rules in your jurisdiction which would help or hinder that access, whether in force now or imminently? For instance, are quotas systems/immigration caps in place in your jurisdiction and how are they determined?
As an EU Member State Malta respects the principle of freedom of movement. EU citizens thus do not require a work permit to work and reside in Malta. EU citizens are however required to apply for a Maltese residence permit after having resided in Malta for 3 months. On the other hand, non-EU nationals are required to obtain a single-work permit to work and reside in Malta; this permit is valid for one year and is renewable for further 1-year periods. Certain occupations in particular sectors are also exempt from the requirement of employers having to open vacancies locally and within the EU before submitting an application for a prospective non-EU employee. This list changes depending on the exigencies of the Maltese labour market but currently includes computer network professionals, IT consultants, engineers, systems analysts and tech developers.
-
If there are gaps in access to talent, are regulators looking to fill these and, if so, how? How much impact does the fintech industry have on influencing immigration policy in your jurisdiction?
In a bid to attract more foreign talent, Malta implemented the EU directive 2014/66/EU on the Conditions of Entry and Residence of Third-Country Nationals in the Framework of an Intra-Corporate Transfer. This allowed the secondment of non-European managers/specialists/trainee employees within the EU as an intra-corporate transfer. As Malta’s aim is to establish itself as a FinTech hub, the Maltese government has launched various work/residence schemes to improve accessibility as well as advantages to foreign talent wishing to relocate to Malta.
One such scheme is the Key Employee Initiative (KEI) which is available to highly specialised non-EU nationals wanting to work in Malta. Its goal is to speed up the permit application process, placing a 5-working day approval process from the submission of the application. This initiative is only available to applicants who have an annual gross salary of at least €30,000. This is also available to innovators involved in start-up projects endorsed by Malta Enterprise. Once approved, applicants receive a residence permit valid for a year which may be renewed for a maximum period of three years (subject to conditions).
Malta also offers attractive tax residency schemes to employees in specific sectors such as the ICT industry and financial services. Subject to satisfying the requirements, employees would be eligible to benefit a flat tax rate of 15% with no further tax chargeable on income in excess of €5,000,000.
-
What protections can a fintech use in your jurisdiction to protect its intellectual property?
A Fintech can rely in Malta on essentially the same intellectual property protections which are generally available under generally recognised intellectual property rights for any industry.
Trademarks are mostly relevant for protection of apps, brand names, website domains, company names, and logos. Registered trademark rights are granted in Malta against successful trademark registration, although the concept of an unregistered trademark right also exists.
Copyright protection is also possible under the Maltese Copyright Act (chapter 415 of the Laws of Malta) and tends to be the main source of intellectual property protection relied upon by fintechs. Copyrights protect creative expressions, including source code of software and the way graphics, images, texts or designs are displayed. Database rights are also recognised in Malta as a sub-category under the Copyright Act.
Design rights are sometimes also used in Malta, as an addition to copyrights, especially for protection of user interfaces.
Generally, patents are unlikely to be the focus for fintechs since under the Maltese Patents and Designs Act (chapter 417 of the Laws of Malta), software programs as such are expressly excluded from patent protection.
Otherwise, the protection of know-how and trade secrets has recently been subject to specific legislative recognition, namely through the Trade Secrets Act (chapter 589 of the Laws of Malta), which was promulgated mid-2019 and to date has not been tested by Malta’s courts.
-
How are cryptocurrencies treated under the regulatory framework in your jurisdiction?
The enactment of the VFA Act in 2018 sought to regulate cryptocurrencies that are deemed to be VFAs under the Maltese legal framework. The Act distinguished between four different types of DLT assets, namely, virtual tokens, financial instruments, electronic money, and VFAs.
The term VFA refers to any form of digital medium recordation that is used as a digital medium of exchange, unit of account or store of value, and that is not electronic money, a financial instrument or a virtual token.
To offer legal clarity regarding this distinction, the MFSA created the Financial Instrument Test. The test must be applied to each DLT asset to determine its nature and the respective applicable legal framework based on the token’s features.
Once the type of DLT asset is determined, the following legal regime would be applicable:
- virtual tokens are not regulated by any specific body of law in Malta;
- financial instruments are defined as set out in the MiFID and thus regulated by financial services legislation;
- electronic money is regulated in Malta by the Financial Institutions Act; and
- VFAs are regulated by the VFA Act.
The VFA Act also regulates the provision of VFA services including the custody of VFAs, operating a VFA exchange, providing advice in relation to investment in VFAs, and dealing on own account. VFA service providers are deemed to be subject persons under AML rules and regulations, and are thus required to conduct AML/CFT checks on users of their platforms.
As the MiCA Regulation comes fully into force, the VFA Act will be repealed and the provision of cryptocurrency-related services will be fully regulated by MiCA. Under the EU Regulation, “Crypto-Asset Service Providers” (CASPs) are defined as an approved “legal person or other undertaking whose occupation or business is the provision of one or more crypto-asset services to clients on a professional basis.” In turn, the Regulation defines “crypto-assets” as “a digital representation of a value or of a right that is able to be transferred and stored electronically using distributed ledger technology or similar technology”. The list of crypto-asset services is practically identical to the list of VFA services. Prospective CASPs are required to obtain prior authorisation in their home member state before being able to provide such services. A long-standing principle of the EU’s freedom of establishment and freedom to provide services, the MiCA Regulation also establishes the ‘passporting’ mechanism, allowing CASPs to obtain authorisation from a single Member State while still having the possibility to provide services throughout the entire EU. This important advantage will undoubtedly solidify the EU’s position as a leading market for the provision of crypto-asset services. Additional rules are expected to be issued to supplement the provisions of the Regulation, leading up to MiCA’s full implementation.
The MFSA has already started updating its internal rules to align its procedures with the implementation of MiCA, with certain provisions becoming applicable from 1st January 2024 while the remaining provisions becoming applicable from 1st July 2024.
-
How are initial coin offerings treated in your jurisdiction? Do you foresee any change in this over the next 12-24 months?
The concept of an initial coin offering under the VFA Act is termed as an Initial Virtual Financial Asset Offering (IVFAO). Any person wishing to offer a VFA to the public in or from Malta, or wishing to apply for the VFA’s admission to trading on a DLT exchange, must draw up a white paper in line with the VFA Act and register it with the MFSA at least 10 working days before the date of its circulation in any way whatsoever.
The white paper issued for an IVFAO must include information that, according to the particular nature of the issuer and of the VFAs offered to the public, is necessary to enable investors to make an informed assessment of the prospects of the issuer, the proposed project and the features of the VFA.
The MiCA Regulation will repeal and replace the VFA framework, thus overhauling (in principle) the IVFAO process. Under MiCA, there are three types of crypto-assets: asset-referenced tokens, e-money tokens and other types of crypto-assets. MiCA will have its own version of the Financial Instrument Test which will aid in the determination of the classification of each type of crypto-asset. Specifically with regards to issuers of other crypto-assets, just like under the VFA framework, issuers will be required to publish a white paper in line with the MiCA Regulation. Any marketing communication must be fair and not misleading, while clients will have a 14-day period within which to ask for a refund. Issuers are required to be legal persons and clients’ funds will also be protected. Additional rules are expected to be issued to supplement the provisions of the Regulation, leading up to MiCA’s full implementation.
-
Are you aware of any live blockchain projects (beyond proof of concept) in your jurisdiction and if so in what areas?
The Malta Business Registry (MBR) which is the Maltese companies house has over the past few years been developing a system based on the Hyperledger Fabric to allow submission of companies’ documents via DLT. This new system is intended to improve transparency and management in the workflow, while increasing efficiency and reducing paperwork through a document management system. Its aim is to also facilitate the use of AI within the MBR.
The Maltese Government has also launched a project whereby academic credentials, such as diplomas and school leaving certificates will be issued to Maltese students via an international, instantly-verifiable digital format. Educational institutions are to receive official accreditation certificates on the blockchain for instant verification status. This minimises bureaucracy and provides instant access and better protection.
The government has also launched additional projects using blockchain technology including the provision of digital labelling through the use of DLT which provides further information to customers on the provision of Gozitan products including their manufacturing cycle, as well as strengthening the Maltese Planning Authority through the use of DLT, by improving the security of documents and allowing added transparency.
-
To what extent are you aware of artificial intelligence already being used in the financial sector in your jurisdiction, and do you think regulation will impede or encourage its further use?
Currently AI technologies are being given a push for development by the Maltese government in the hopes of increasing foreign investment and improving both the public and private sector, including the financial sector. The Maltese AI Strategy is in place to establish Malta as a leading global hub for financial and digital industries. The Maltese government thus appointed a task force to establish a plan and timeline with the goal of AI integration, legalisation and research. AI is currently being used in the Maltese financial sector through AI-driven based solutions for intelligent financial planning, investment and money management services for consumers. They are also helping financial institutions create smarter credit and risk analysis applications and streamline operational performance. The Maltese Government also plans to establish a Digital Innovation Hub, with a focus on AI alluring both public and private stakeholders to access sector-specific, technological and financial expertise.
The EU’s AI Act is also expected to establish a framework for the development, modification and use of AI products with the potential to foster the development and uptake of safe and trustworthy AI across the EU’s single market by both private and public actors. As the first legislative proposal of its kind in the world, it can set a global standard for AI regulation in other jurisdictions, thus promoting the European approach to tech regulation in the world stage.
-
Insurtech is generally thought to be developing but some way behind other areas of fintech such as payments. Is there much insurtech business in your jurisdiction and if so what form does it generally take?
Insurtech is one area that has seen an element of increased interest and growth over the past few years. A 2017 start-up proposed a new way for personal insurance to be delivered by offering a personal insurance account with unbiased guidance and personalised insurance through a digital mobile-friendly interface.
In 2018 one of the largest insurance players on the island launched a platform to promote the innovations of insurance-related solutions. Its focus was to help entrepreneurs get their innovative business ideas off the ground or to help already mature start-ups in consolidating their business. It included a collaborative model with universities and business schools for joint development of innovative projects while also acting as an investment vehicle for private equity companies that invest in innovation within the insurance world.
More recently another prominent insurance agency launched a health insurance management platform to allow companies to manage group health policies online. This pushes the focus onto digitalisation, reducing carbon footprint and increasing customers’ ease of access.
-
Are there any areas of fintech that are particularly strong in your jurisdiction?
Being one of the front-runners in enacting comprehensive legislation regulating the issue of cryptocurrencies and the provision of crypto-related services, Malta quickly became recognised as one of the main crypto-friendly jurisdictions globally. This builds on Malta’s already established presence as a strong player in the financial services industry with a knowledgeable and experienced financial regulator. Malta’s strength in this sector is expected to solidify as the MiCA Regulation enters fully into application.
-
What is the status of collaboration vs disruption in your jurisdiction as between fintechs and incumbent financial institutions?
As the Maltese government has chosen to prioritise the fintech sector, financial institutions are encouraged to explore the benefits offered by newer technologies. While long-standing credit and financial institutions may have been wary of exploring more innovative technological solutions, established players in the local financial services industry have shown an increased interest in embracing such changes to their business models.
-
To what extent are the banks and other incumbent financial institutions in your jurisdiction carrying out their own fintech development / innovation programmes?
The larger banks have over the past few years developed their own fintech products such as through the introduction of mobile banking and digitising the customer onboarding process. This has also included making upgrades to internal systems to provide simpler access to information and services.
-
Are there any strong examples of disruption through fintech in your jurisdiction?
The biggest impact that can be witnessed is primarily from e-money and payment institutions that have disrupted the more traditional relationship that customers were typically accustomed to with credit institutions. This has inevitably led banks to re-evaluate their services and to embrace newer technologies.
Malta: Fintech
This country-specific Q&A provides an overview of Fintech laws and regulations applicable in Malta.
-
What are the sources of payments law in your jurisdiction?
-
Can payment services be provided by non-banks, and if so, on what conditions?
-
What are the most popular payment methods and payment instruments in your jurisdiction?
-
What is the status of open banking in your jurisdiction (i.e. access to banks’ transaction data and push-payment functionality by third party service providers)? Is it mandated by law, if so, to which entities, and what is state of implementation in practice?
-
How does the regulation of data in your jurisdiction impact on the provision of financial services to consumers and businesses?
-
What are regulators in your jurisdiction doing to encourage innovation in the financial sector? Are there any initiatives such as sandboxes, or special regulatory conditions for fintechs?
-
Do you foresee any imminent risks to the growth of the fintech market in your jurisdiction?
-
What tax incentives exist in your jurisdiction to encourage fintech investment?
-
Which areas of fintech are attracting investment in your jurisdiction, and at what level (Series A, Series B etc)?
-
If a fintech entrepreneur was looking for a jurisdiction in which to begin operations, why would it choose yours?
-
Access to talent is often cited as a key issue for fintechs – are there any immigration rules in your jurisdiction which would help or hinder that access, whether in force now or imminently? For instance, are quotas systems/immigration caps in place in your jurisdiction and how are they determined?
-
If there are gaps in access to talent, are regulators looking to fill these and, if so, how? How much impact does the fintech industry have on influencing immigration policy in your jurisdiction?
-
What protections can a fintech use in your jurisdiction to protect its intellectual property?
-
How are cryptocurrencies treated under the regulatory framework in your jurisdiction?
-
How are initial coin offerings treated in your jurisdiction? Do you foresee any change in this over the next 12-24 months?
-
Are you aware of any live blockchain projects (beyond proof of concept) in your jurisdiction and if so in what areas?
-
To what extent are you aware of artificial intelligence already being used in the financial sector in your jurisdiction, and do you think regulation will impede or encourage its further use?
-
Insurtech is generally thought to be developing but some way behind other areas of fintech such as payments. Is there much insurtech business in your jurisdiction and if so what form does it generally take?
-
Are there any areas of fintech that are particularly strong in your jurisdiction?
-
What is the status of collaboration vs disruption in your jurisdiction as between fintechs and incumbent financial institutions?
-
To what extent are the banks and other incumbent financial institutions in your jurisdiction carrying out their own fintech development / innovation programmes?
-
Are there any strong examples of disruption through fintech in your jurisdiction?