Getting ready for an ICO in Malta

Hav­ing cho­sen Mal­ta as the place to set up an ICO giv­en all the reg­u­la­to­ry, lan­guage and the work­force tal­ent ben­e­fits asso­ci­at­ed with this juris­dic­tion, ICO busi­ness­es need to be aware that there are a num­ber of con­sid­er­a­tions which must be tak­en into account before the actu­al offer­ing of their cryp­to-asset to the pub­lic.

These most­ly relate to the reg­u­la­to­ry aspect of ICOs, where Mal­ta has cho­sen to be at the fore front of this sphere, lead­ing the way for oth­er coun­tries where ICOs are unreg­u­lat­ed to fol­low suit.

Functionaries of an ICO

First and fore­most, and as required by Mal­tese Law, issuers of ICOs must appoint a VFA Agent in order to guide the ICO with respect to its respon­si­bil­i­ties and oblig­a­tions to ensure com­pli­ance with the law and to act as the mid­dle-man between the ICO itself and the com­pe­tent author­i­ty, which in this case is the Mal­ta Finan­cial Ser­vice Author­i­ty (MFSA).

The ICO needs the VFA Agent to facil­i­tate the reg­is­tra­tion of the white paper, to advise the ICO on all mat­ters relat­ing to process of list­ing the cryp­to-asset to trad­ing, and to assist with the on-going reg­u­la­to­ry oblig­a­tions that ICOs are required to meet dur­ing their oper­a­tion.

If the ICO has an Inno­v­a­tive Tech­nol­o­gy Arrange­ment (ITA) in place (includ­ing any smart con­tracts), then the ICO needs to appoint a Sys­tems Audi­tor that will review and audit the ITA as well as the ICO’s cyber secu­ri­ty arrange­ments.

Before the ICO kicks off, the Sys­tems Audi­tor needs to pre­pare a report which cov­ers the review of all aspects of the ITA and must cer­ti­fy that noth­ing in the ITA shall con­tain any rights to uni­lat­er­al­ly mutate, amend or destroy with­out leav­ing a trace of the ITA or smart con­tract involved.

Once the ICO is in oper­a­tion, the Sys­tems Audi­tor would then need to draft, on an annu­al basis, a sys­tems audit report on the com­pli­ance of the ITA with any qual­i­ta­tive stan­dards set and guide­lines issued by the Mal­ta Dig­i­tal Inno­va­tion Author­i­ty (MDIA), applic­a­ble of course to the type of ITA in ques­tion.

The ICO would need to appoint a Cus­to­di­an who ide­al­ly should be an inde­pen­dent third par­ty in order to safe­keep the ICOs assets as well as investors’ funds. If the funds in ques­tion are cryp­to-cur­ren­cies, then such a cus­to­di­an must be licenced under the VFA Act and Reg­u­la­tions to con­duct such as ser­vice.

Alter­na­tive­ly, should the funds in ques­tion be fiat, then a cen­tral bank, a licenced bank­ing insti­tu­tion in the EU or a third coun­try, a mon­ey mar­ket fund, a licenced e‑money insti­tu­tion or a licenced pay­ment insti­tu­tion can act as a cus­to­di­an.

The role of the cus­to­di­an could also be per­formed through the use of an ITA (smart con­tract) which has to be cer­ti­fied by a Sys­tems Audi­tor.

An Audi­tor will also need to be appoint­ed by the ICO and shall, for each annu­al account­ing peri­od, pre­pare a man­age­ment let­ter in accor­dance with Inter­na­tion­al Stan­dards on Audit­ing.

Final­ly, the ICO shall appoint and have at all times in place a Mon­ey Laun­der­ing Report­ing Offi­cer (MLRO). This role can­not be tak­en like­ly, and the indi­vid­ual tak­ing on such a role needs to be of good repute, com­pe­tent and finan­cial­ly sound, and must also com­plete a course as approved by the MFSA, and sub­se­quent­ly sit for a manda­to­ry inter­view with the MFSA in order to be deemed as fit for this role.

Board of Administration

The ICO will need to have a Board of Admin­is­tra­tion (BOA) which will need to be made up of two or more indi­vid­u­als respect­ing the dual con­trol prin­ci­ple. Such per­sons will need to prove to the MFSA that they have the required knowl­edge and under­stand­ing of the ICO’s busi­ness to enable them to direct the busi­ness of the ICO. The BOA will also be oblig­ed to ensure that the ICO com­plies with the Rules, Reg­u­la­tions and Guide­lines applic­a­ble to them and will be required to con­duct a fit­ness and proper­ness test that will need to prove their com­pe­tence, sol­ven­cy and integri­ty to the MFSA.


As is the case with non-reg­u­lat­ed ICOs, ICOs that are reg­u­lat­ed in Mal­ta need to draw up a whitepa­per, with this whitepa­per to be sent to the MFSA ten work­ing days before its cir­cu­la­tion to the pub­lic and must be signed off by the mem­bers of the BOA that are rep­re­sent­ing the ICO as well as the VFA Agent. Such a whitepa­per needs to:

  • Be dat­ed;
  • Con­tain all the infor­ma­tion as spec­i­fied in the First Sched­ule of the Vir­tu­al Finan­cial Assets Act (VFA Act) and;
  • Include a state­ment by the Board of the ICO in ques­tion con­firm­ing that the whitepa­per com­plies with the require­ments of Arti­cle 3 and Arti­cle 4 of the VFA Act.

If the ICO deploys a smart con­tract, the ele­ments of the whitepa­per shall be cod­ed with­in the respec­tive smart con­tract, with this being applic­a­ble to fea­tures such as trans­fer lim­i­ta­tions, soft cap and hard cap, refund mech­a­nisms, dis­pute res­o­lu­tions, burn­ing pro­to­cols, etc.

Compliance Certificate & AML/CFT Report

The ICO must, on an annu­al basis and reviewed by its VFA Agent, draw up a Com­pli­ance Cer­tifi­cate which will need to be sub­mit­ted to the MFSA. There­fore, in order to com­ply with such a require­ment, ICOs need to be sure that they:

  • Sat­is­fy all local AML/CFT require­ments and that they have ade­quate sys­tems in place to iden­ti­fy sus­pi­cious trans­ac­tions and draw up sus­pi­cious trans­ac­tion reports;
  • Obtain con­fir­ma­tion from their Sys­tems Audi­tor that their ITA com­plies with the qual­i­ta­tive stan­dards and guide­lines issued by the MDIA;
  • Ensure that they pass a fit­ness and proper­ness assess­ment as con­firmed by their VFA Agent;
  • Obtain a state­ment from the ICOs Board of Admin­is­tra­tion whether the ICO has been or is in breach of any claus­es of the VFA Act, Reg­u­la­tions or Rules.

The ICO must also engage an inde­pen­dent audi­tor to draw up an AML/CFT Report on an annu­al basis. In order to ful­fill such a require­ment, the ICO needs to ensure that:

  • The AML/CFT/KYC sys­tems the ICO pur­ports to have in place are actu­al­ly in place;
  • The Inde­pen­dent Audi­tor has reviewed the oper­a­tions of the ICO from an AML/CFT per­spec­tive.

Policies and Procedures

In order to be com­pli­ant with the respec­tive Reg­u­la­tions and Rules that gov­ern ICOs in Mal­ta, ICOs need to draw up a num­ber of poli­cies and pro­ce­dures that will enable them to for­mal­ize many of the aspects that need to be con­sid­ered when oper­at­ing with­in a reg­u­la­to­ry envi­ron­ment that caters for investors’ needs. With­out get­ting into the detail of what should be con­tained with­in such poli­cies and pro­ce­dures (but please con­tact us should you wish to), ICOs need to draw up poli­cies in rela­tion to a num­ber of fac­tors, includ­ing but not lim­it­ed to Record Keep­ing, Pub­lic Dis­clo­sures, Code of Deal­ing, Asset Con­trol, Cyber Secu­ri­ty, and IT Infra­struc­ture.

Do not hes­i­tate to get in touch with us today for a con­sul­ta­tion if you are inter­est­ed in set­ting up an ICO in Mal­ta and wish to dis­cuss the way for­ward towards achiev­ing this goal.

Dis­claimer: The above-men­tioned arti­cle is sim­ply based on inde­pen­dent research car­ried out by Dr. Wern­er and Part­ner and can­not con­sti­tute any form of legal advice. If you would like to meet with up with any of our rep­re­sen­ta­tives to seek fur­ther infor­ma­tion, please con­tact us for an appoint­ment.

About Malcom Wallbank

Mr. Mal­colm Wall­bank, born on 12.04.1991, read for a Bach­e­lor of Com­merce (Hon­ours) degree at the Uni­ver­si­ty of Mal­ta, spe­cial­is­ing in Bank­ing and Finance and Man­age­ment, and grad­u­at­ed with Sec­ond Class Upper Degree in 2013. In the fol­low­ing year, he grad­u­at­ed with Dis­tinc­tion in M.Sc. Finance from the Uni­ver­si­ty of Strath­clyde, Scot­land.

View All Posts

Leave a Reply

Your email address will not be published.