Skip to content

An in-depth appreciation of the proposed changes to the CSP Sector in Malta


The Maltese islands benefit from the fact that they inherently rest on a relatively stable part of the African plate – with major earthquakes and tremors being all-but a rare occurrence. However, within the financial services industry, Malta’s seismic activity is predominantly very much alive and active. Major vicissitudes have been occurring throughout the past couple of months as the country struggles to uphold its reputation – with the nation holding its breath as an impending Moneyval report can either ‘make or break’ an industry which has contributed to much of the jurisdictionnewfound wealth and confidence.  

 It is within this context, at the behest and clamour of its European counterparts, that the Government has embarked on an ambitious plan to regalvanise its financial services sector by instilling a (i) Culture of Compliance and (ii) Good Governance – two ubiquitous terms that undoubtedly form the basis of any sound jurisdiction that seeks to avoid the ignominy of being ‘grey listed’. Whether or not Malta avoids its greatest financial nadir remains to be seen…. 

 These two adages have formed the bedrock of the recent upheaval in the Company Service Providers sector – wherein the MFSA has painstakingly endeavoured to introduce salient changes to the CSP Act with great alacrity (the Legal Notice containing all amendments is expected to be published within the coming months).  

 Throughout this article, mention will be made of the major reforms and how added compliance & risk can bring about further comfort to all investors willing to set-up shop in Malta. 

Legal Basis. 

As per Article 2 of the CSP Act, a Company Service Provider refers to ‘persons who by way of business1 provide any of the following services to thirdparties a) formation of companies or other legal entities b) acting as, or arranging for another person to act as, a director or secretary of a company, a partner of a partnership, or a similar position in relation to other legal entities; and c) the provision of registered office, a business correspondence or administrative address and other related services for a company…’ 

To date, there are approximately 588 CSPs on the island – 343 of which are warrant holders benefitting from an exemption (primarily lawyers/accountants/auditors). 

Whilst a few persons are actually exempt from both authorisation and regulation, the end-goal of the MFSA is to create a holistic framework which will ensure all legal & natural persons are licensed and/or registered to carry out the provision of these services. 

Scope & Rationale. 

 Throughout seminars, the Regulator has stated that only a small number of jurisdictions within the EU have a proper CSP Regime. Consequently, these changes will ostensibly ensure Malta’s standing within the International community considerably improves.  

Whereas previously. the CSP Act referred to ‘Registration’, the MFSA is now re-classifying this as ‘Authorisation’ – seeking to also cater for those individuals who will require licensing anew. The current (but soon to be ‘obsolete’) scenario catered for a situation wherein warrant-holders were exempt from Registration – but through the imminent legal notice which is yet to receive the blessing of Parliament – this colloquially known ‘warrant exemption’ will now be removed indefinitely.  

MFSA Expectations. 

Good Governance is at the core of what the MFSA expects every CSP to indefatigably maintain throughout all sectors of the organisation. Management of Information is essential and a CSP is expected to know and understand the types of threats and vulnerabilities it is being exposed to. From a purely AML (Anti-Money Laundering) perspective, understanding the Nature and Purpose of why entities are requesting CSP services will be crucial. 

A competent Board of Directors will be needed to properly manage the CSP  adhering to all norms of Independence and mitigating against possible Conflicts of Interest. The MFSA will also expect the firm to keep records of the services being offered to clients in terms of the principle of accountability.  

Already touched upon, a Culture of Compliance will be high on the Authority’s checklist and a commensurate policy of Risk Management will be of equal gravitas. Strict awareness of sector-specific legislation (such as the FIAU’s Implementing Procedures and the PMLFTR) also cannot be discounted.  

A practical application of the Rules. 

 From a practical point of view, the MFSA has clarified that there will be an internal process inviting all applicants to submit an application for licensing/authorisation accordingly. This process will be communicated in further details shortly but will be applicable to all and sundry. 

A CSP Rulebook will also be formally communicated (the current document is still subject to review) which will be principlebased and primarily reliant on capital requirements – where each tier will be proportionate to the size & nature of the activities being purported by the applicant. (The revised capital requirements are also crystallized in the MFSA’s Supplementary Rules). 

 Considerably weighting will be given to the Risk Management function – a new component that will be introduced to all CSPs (though familiar to all practitioners who are already involved with a licensed entity). The Regulator has noted that CSPs, as Gatekeepers, are vulnerable to Money Laundering schemes (as appreciated during the latest National Risk Assessment) so a proper (and ideally independent) Risk Management structure will need to be catered for.  

Since ‘Raising the bar’ for CSPs is high on the agenda, the Authority will seek to increase the Compliance and Risk-Management processes for even the smallest of service providers – which is why the Under Threshold Classes are being introduced. These new tiers will probably also cater for new entrants in the market wherein the CSP business might not form the core of their revenue/operations. These two tiers are not deemed to be High Risk by the Regulator.  

There is also the obligation of Professional Indemnity Insurance (PII) depending on the class being pursued and generally applicability of the rules will be dependent on the Nature, Scale and Complexity of the business being undertaken in addition to the service provided. In this connection, much will depend on the preliminary (and mandatory) interview between the applicant and the Authority. 


For every rule, there is an exemptionInasmuch as the proposed regulations may seem somewhat Byzantine & tedious, the Authority has afforded some exclusions for specific categories of persons from Authorisation under the Act. 

Exemptions will only apply persons who either offer CSP services as ancillary to other services which they are already licensed/authorised to carry out, or where the nature of the services is limited as detailed in the Regulations.  

A number of persons are being proposed as being exempt for Authorisation (in terms of Article 3 of the CSP Act) which inter alia include (i) license holders in terms of the Trusts and Trustees Act (ii) a person registered to act as a VFA Agent – provided that the activity shall not include acting as a Director/Secretary (merely restricted to company formation) and (iii) a person who only offers the services of acting as director or secretary of a company, where such legal person is licensed, registered or otherwise authorised by the MFSA. 

Classes of Applicants.  

Perhaps the most pertinent amendment is the introduction of Classes of CSPs which will form the basis of the Authorisation Process. Each class will be linked to specific types of risks, operations, and complexity of business – the process of which will be reflected in the Share Capital Requirements. To mitigate against any inexactitude, the Authority has sought to define each Class accordingly. 

In this connection,  

  • Class A CSPs need to have an initial capital requirement of EUR 10,000(Under threshold Class A CSPs need a share capital of EUR 2,500). 
  • Class B CSPs will need a EUR 15,000 + Mandatory PII. (Under threshold Class B CSPs – need an initial share capital of EUR 5,000). 
  • Class C CSPs will need to prove at least EUR 25,000 + Mandatory PII. 

To summarise, the Class A regime will capture persons who by way of business are offering company formation services or the provision of registered office facilities.  Class B scenarios will seek to regulate persons who ‘by way of business’ are acting as Directors for third-parties or arranging to act as Director/Secretaries. Finally, Class C will cater for applicants who by way of business, provide, all the services of a company service provider. 

On the other hand, Under threshold Class A CSPs refers to individuals in possession of a warrant (e.g., Advocates, Accountants), whose revenue from CSP forms or will form 35% of the combined total revenue of all services offered OR EUR 100,00 whichever is the higher. (As long as this does not include the provision of registered/business/administrative address facilities). 

Under threshold Class B CSPs refers to individuals who hold an aggregate of not more than five (5) involvements (Company Director or Secretary). What is important to note is that sole practitioners are (following consultation & feedback statement) not necessarily required to form a body corporate. Therefore, individuals may apply for a CSP License in their personal & individual capacity. To this end, the MFSA has introduced a ‘capital’ rather than ‘share capital/equity’ requirement, wherein sufficient funds should be either (i) available in a Bank Account or (ii) proven through the issuance of a Bank Guarantee letter. 

Risk Management & Compliance. 

The MFSA has clarified that is not solely interpreting risk within the context of the traditional AML/CFT Framework. Rather, it is extending its scrutiny across a wider scope which will most probably involve Enterprise Risk Management – which at times can be more complex & ambiguous. It is within this context, that the efficacy of novel Risk Management framework should be discussed.  

During on-site inspections, the MFSA expects to see assessments which encapsulate other prevalent risks including for example cybersecurity, reputational risk, provisions dealing with lost contact scenarios, information technology, record keeping, complaints managements and legal risk (to name but a few!). As subject persons, it might make sense for the CSP to also incorporate ancillary risks within the wider Business Risk Assessment (BRA) which is submitted to the FIAU on an annual basis. 

Provisions applicable to Risk Management are catered for in the Rulebook and the Authority has also introduced a derogation (wherein the Authority may allow the CSP to establish and maintain a risk management function which does not operate independently), provided this does not give rise to conflicts of interest and the CSP demonstrates to the MFSA that an independent risk manager/function is not appropriate and proportionate as per the size & nature of operations.

Nevertheless, the Authority is requesting that whenever a CSP is granted this derogation, that notification is submitted to the Authority stating the identity of the person in question. It is worth mentioning the MFSA will be expecting a Risk Register containing (i) a list of all clients onboarded with the relevant risk score per client & (ii) identification of the risks inherent in the business model of each client.  

Unsurprisingly, mention must also be made of the Compliance Department. The proposed Compliance Officer is to ensure that the Licensed entity follows both the applicable laws (including ‘primarily’ the CSP Act & MFSA Rulebook) and the Company’s internal compliance procedures. Expecting the highest degree of probity, the Authority has reiterated that the Compliance officer will be viewed as the extended arm of the Regulator and must record his work being done, undertake a Compliance Risk Assessment, adhere to any byelaws as applicable, present reports to the Board and more significantly report any deficiencies to the MFSA.  

Transitory Provisions. 

What will certainly be of interest is the way in which the Authority will be slowly implementing and adopting this bespoke legislation. As already seen within the Virtual Financial Assets function, the adoption of this new regime will be tantamount to Transitory provisions being adhered to. Seeking to avoid any equivocation, the MFSA has introduced this period for CSPs to be authorised provided that all applicants also strive to comply with these rules on a ‘best efforts’ basis. 

In simple terms, once the CSP Act Amendments (through the relevant Legal Notice) are formally passed & adopted into law, there will be a two-month grace period wherein all CSPs (not already authorised by the MFSA) will need to apply for Authorisation. Once this is submitted, the Regulator will permit the applicant to operate for a period not exceeding six months ‘in transitory’. This will be the first phase of the application. It is envisaged that during this period, the MFSA will authorise all ‘Under Threshold’ applicants accordingly (these persons will be authorised within a period not exceeding eight months) whilst the rest will receive a ‘provisional authorisation’. 

The second phase will afford the Authority one year wherein applications will be scrutinised, and a determination made as to whether a CSP may proceed or not with its services to the public. (‘Over threshold Class A and/or B applicants will be authorised within eight months subject to further amendments/clarifications). Therefore, it is imperative that once the Legal Notice is in force, that all prospective service providers apply within the first two months. 

Way forward? 

Some legislative reforms are still in the pipeline, including a determination as to when the removal of the exemption for warrant holders will come into force. Following this process, the MFSA has not discounted the proposed CSP Rulebook being further amended wherein prospective providers may still contact the Authority to receive any guidance needed.  

For smaller firms, once Due Diligence is submitted to the Authority – the key officials will need to submit a Personal Questionnaire (PQ) and await approval. As hinted, for larger firms, following the provisional authorisation the Regulator will be scrutinising the business in greater detail and will rely on any necessary exchange of information/clarifications with the service provider. Applicants are, in fact, already encouraged to ensure that data is collated and easily extracted in case the MFSA requests further guidance/clarifications. 

The whole process is envisaged to take roughly eighteen months and the MFSA will also be introducing an FAQ section on its website for further clarifications. 


Whilst more regulation is often interpreted as an unnecessary burden, this CSP Regime is certainly bound to instil much needed clarity and compliance which will ensure a propitious future for the island.  

In turn, it is envisaged that any clients willing to relocate to Malta will be comforted by the fact that the CSP of their choosing is not only fully licensed but equally scrutinised by the Regulator which will bring about legal certainty, mitigate against any misleading information, and ultimately increase the quality of services being provided. It certainly seems like a win-win situation for all parties concerned as the country seeks to reach its apogee of financial excellence.   


The above-mentioned article is simply based on independent research carried out by DWP Dr. Werner and Partner and cannot constitute any form of legal advice. If you would like to meet with up with any of our representatives to seek further information, please contact us for an appointment. 

Share on facebook
Share on twitter
Share on linkedin
Share on skype
Share on whatsapp
Share on telegram
Share on email

Ask your question now! Send a message to the author.

Author of the post

Dr. Michael Calleja

More Expert Articles