Having chosen Malta as the place to set up an ICO given all the regulatory, language and the workforce talent benefits associated with this jurisdiction, ICO businesses need to be aware that there are a number of considerations which must be taken into account before the actual offering of their crypto-asset to the public.
These mostly relate to the regulatory aspect of ICOs, where Malta has chosen to be at the fore front of this sphere, leading the way for other countries where ICOs are unregulated to follow suit.
Functionaries of an ICO
First and foremost, and as required by Maltese Law, issuers of ICOs must appoint a VFA Agent in order to guide the ICO with respect to its responsibilities and obligations to ensure compliance with the law and to act as the middle-man between the ICO itself and the competent authority, which in this case is the Malta Financial Service Authority (MFSA).
The ICO needs the VFA Agent to facilitate the registration of the white paper, to advise the ICO on all matters relating to process of listing the crypto-asset to trading, and to assist with the on-going regulatory obligations that ICOs are required to meet during their operation.
If the ICO has an Innovative Technology Arrangement (ITA) in place (including any smart contracts), then the ICO needs to appoint a Systems Auditor that will review and audit the ITA as well as the ICO’s cyber security arrangements.
Before the ICO kicks off, the Systems Auditor needs to prepare a report which covers the review of all aspects of the ITA and must certify that nothing in the ITA shall contain any rights to unilaterally mutate, amend or destroy without leaving a trace of the ITA or smart contract involved.
Once the ICO is in operation, the Systems Auditor would then need to draft, on an annual basis, a systems audit report on the compliance of the ITA with any qualitative standards set and guidelines issued by the Malta Digital Innovation Authority (MDIA), applicable of course to the type of ITA in question.
The ICO would need to appoint a Custodian who ideally should be an independent third party in order to safekeep the ICOs assets as well as investors’ funds. If the funds in question are crypto-currencies, then such a custodian must be licenced under the VFA Act and Regulations to conduct such as service.
Alternatively, should the funds in question be fiat, then a central bank, a licenced banking institution in the EU or a third country, a money market fund, a licenced e‑money institution or a licenced payment institution can act as a custodian.
The role of the custodian could also be performed through the use of an ITA (smart contract) which has to be certified by a Systems Auditor.
An Auditor will also need to be appointed by the ICO and shall, for each annual accounting period, prepare a management letter in accordance with International Standards on Auditing.
Finally, the ICO shall appoint and have at all times in place a Money Laundering Reporting Officer (MLRO). This role cannot be taken likely, and the individual taking on such a role needs to be of good repute, competent and financially sound, and must also complete a course as approved by the MFSA, and subsequently sit for a mandatory interview with the MFSA in order to be deemed as fit for this role.
Board of Administration
The ICO will need to have a Board of Administration (BOA) which will need to be made up of two or more individuals respecting the dual control principle. Such persons will need to prove to the MFSA that they have the required knowledge and understanding of the ICO’s business to enable them to direct the business of the ICO. The BOA will also be obliged to ensure that the ICO complies with the Rules, Regulations and Guidelines applicable to them and will be required to conduct a fitness and properness test that will need to prove their competence, solvency and integrity to the MFSA.
As is the case with non-regulated ICOs, ICOs that are regulated in Malta need to draw up a whitepaper, with this whitepaper to be sent to the MFSA ten working days before its circulation to the public and must be signed off by the members of the BOA that are representing the ICO as well as the VFA Agent. Such a whitepaper needs to:
- Be dated;
- Contain all the information as specified in the First Schedule of the Virtual Financial Assets Act (VFA Act) and;
- Include a statement by the Board of the ICO in question confirming that the whitepaper complies with the requirements of Article 3 and Article 4 of the VFA Act.
If the ICO deploys a smart contract, the elements of the whitepaper shall be coded within the respective smart contract, with this being applicable to features such as transfer limitations, soft cap and hard cap, refund mechanisms, dispute resolutions, burning protocols, etc.
Compliance Certificate & AML/CFT Report
The ICO must, on an annual basis and reviewed by its VFA Agent, draw up a Compliance Certificate which will need to be submitted to the MFSA. Therefore, in order to comply with such a requirement, ICOs need to be sure that they:
- Satisfy all local AML/CFT requirements and that they have adequate systems in place to identify suspicious transactions and draw up suspicious transaction reports;
- Obtain confirmation from their Systems Auditor that their ITA complies with the qualitative standards and guidelines issued by the MDIA;
- Ensure that they pass a fitness and properness assessment as confirmed by their VFA Agent;
- Obtain a statement from the ICOs Board of Administration whether the ICO has been or is in breach of any clauses of the VFA Act, Regulations or Rules.
The ICO must also engage an independent auditor to draw up an AML/CFT Report on an annual basis. In order to fulfill such a requirement, the ICO needs to ensure that:
- The AML/CFT/KYC systems the ICO purports to have in place are actually in place;
- The Independent Auditor has reviewed the operations of the ICO from an AML/CFT perspective.
Policies and Procedures
In order to be compliant with the respective Regulations and Rules that govern ICOs in Malta, ICOs need to draw up a number of policies and procedures that will enable them to formalize many of the aspects that need to be considered when operating within a regulatory environment that caters for investors’ needs. Without getting into the detail of what should be contained within such policies and procedures (but please contact us should you wish to), ICOs need to draw up policies in relation to a number of factors, including but not limited to Record Keeping, Public Disclosures, Code of Dealing, Asset Control, Cyber Security, and IT Infrastructure.
Do not hesitate to get in touch with us today for a consultation if you are interested in setting up an ICO in Malta and wish to discuss the way forward towards achieving this goal.
Disclaimer: The above-mentioned article is simply based on independent research carried out by Dr. Werner and Partner and cannot constitute any form of legal advice. If you would like to meet with up with any of our representatives to seek further information, please contact us for an appointment.