Skip to content

Setting up a Crypto Exchange in Malta


The popularity of Crypto-Exchanges is on the rise. With more entrepreneurs willing to set up these platforms, it makes sense to analyse the important role Malta [now ubiquitously known as ‘Blockchain Island’] is playing in this new realm of innovative cryptocurrency-based services.

Quite frankly, given the perceived ‘high risk’ when dealing with Exchanges, Malta has taken the ground-breaking step to guarantee ‘legal certainty’. This is being done by comprehensively promulgating a set of laws which primarily seek to offer investor protection based on Malta’s already-sound and robust financial services legislation.

Throughout this article, Dr. Werner & Partner will attempt to elucidate why ‘setting up shop’ in Malta is the best option for any prospective VFA Exchange Operator and how DWP VFA Agent Ltd. will be your best bet when attempting to ensure that the process is manged and completed as smoothly as possible.

Class 4 License.

VFA [Virtual Financial Asset] Operators seeking to acquire accreditation to manage and operate a Crypto-Exchange will need to acquire a license in terms of Article 8(1) of Subsidiary Legislation 590.01 of the Virtual Financial Assets Act. In fact, the MFSA ‘shall set out in the license, the nature of the activities which particular license holders may carry out’. In this connection, to operate an Exchange, customers will require a Class 4 License which also implies that ‘holders may hold or control clients’ assets or money in conjunction with the provision of a VFA Service’. This is an important point, especially when the MFSA considers the clients’ ‘segregation of assets’ to be of paramount importance.

The essence of operating from Malta.

The Legislator places a strong emphasis on ensuring that a prospective license holder has some form of ‘presence’ on the island. Whilst the issue of ‘substance’ will be dealt with later, the law states that a ‘person wishing to be licensed to provide a VFA service shall be a legal person established in Malta’. This clause automatically implies that the Service Holder shall be a Limited Liability Company. In fact, the objects of the company will be expected to reflect that the body corporate will be operating a VFA Exchange in terms of the Virtual Financial Assets Act, Cap. 590 of the Laws of Malta. As VFA Agents, our team of experts will also be able to guide you vis-à-vis the setting up and establishment of a Company, and this in terms of the Companies Act, Cap. 386 of the Laws of Malta.

The VFA Agent Requirement.

A person seeking to obtain a License to operate a VFA Exchange ‘shall appoint a VFA Agent registered with the MFSA in terms of Chapter 1 of the MFSA’s Fintech Rulebook. Notice how the legislator has placed an emphasis on the mandatory obligation to use an agent with the word ‘shall’. Therefore, the onus is on the License Holder to seek & engage an Agent accordingly[1]. In this connection, as stated in Rulebook 3, ‘the applicant shall ensure that all communications, meetings, notifications and submissions to the MFSA are made through its VFA Agent’.

In previous DWP articles, mention was made that a VFA Agent appointed in terms of Article 7 of the VFA Act [dealing with Initial VFA Offerings], has an on-going obligation/relationship with the Issuer. However, in terms of Article 14 [which is what operators of a VFA Exchange will notice], the VFA Agent’s relationship with the License Holder technically ends upon the granting and approval of a license. This is the fundamental difference between an ICO/IVFAO and a VFA Exchange. However, as stated in R3- ‘the Applicant may appoint its VFA Agent to undertake the Compliance function’ accordingly.

The Auditing obligation.

For the purposes of this write-up, the ‘Auditing’ function will be divided into 1) Internal/External Auditors and 2) Systems Auditors.

Article 50(1) of the VFA Act states that the ‘Licence Holder shall appoint an auditor who shall the duty to report immediately to the competent authority any fact or decision which e.g. is likely to lead to a serious qualification or refusal of the auditor’s report on the accounts of a license’.

Moreover, the Auditor has an obligation to ‘report annually to the competent authority on the licence holder’s systems and security access protocols in the manner and format required by the competent authority’. The MFSA’s consent is required prior to the appointment or replacement of an auditor.

In terms of Article 39(d) of the act, the MFSA may also require ‘an audit of a person regulated under this Act’ accordingly. Also, in terms of Rulebook 3 [specifically R3-], the Licence Holder ‘shall establish and maintain an internal audit function which is separate and independent from the other functions and activities of the Licence Holder’. Essentially, the Internal Audit will seek to ensure that the Service Provider has a proper audit plan in place to ensure the Licence Holder’s effective management of internal control mechanisms, issue recommendations, verify compliance with recommendations and to report in relation to internal audit matters.

System-controls and having a robust cyber-security framework are imperative considerations for the MFSA. It goes without saying that the technologies deployed will certainly be subject to an external technical audit which [generally speaking] is best provided through the engagement of a Systems Auditor.

The laws also specify that ‘whenever’ an Innovative Technology Arrangement[2] is in place, the Authority ‘may’ require the Licence Holder to appoint a Systems Auditor. (The MFSA’s approval will be required prior to the appointment and/or replacement of a Systems Auditor). Moreover, the Licence Holder shall ensure that its ‘Systems Auditor prepares a systems audit report on its own ITAS and that a copy is also forwarded to the MFSA’.

Licensing Considerations.

The MFSA will consider certain key factors when determining whether or not a license will be granted. These considerations will include (i) the protection of investors and the general public (ii) the protection of Malta’s reputation (iii) the promotion of innovation & competition (iv) suitability of the application etc. These points also tie in with the next salient provision which entails that the Authority will also consider a license based on a Fitness and Properness examination and the ‘onus’ of providing sufficient to the MFSA that the proposed applicant is Fit and Proper will primarily rest with the Applicant and its VFA Agent.

The Fitness and Properness Test

In this connection, in terms of Rulebook 3, all prospective Licence Holders will be required to prove to the satisfaction of the MFSA, that they have passed a Fitness and Properness test (F&P). The test itself will be based on the following three key facets: (i) Integrity (ii) Solvency and (iii) Competence.

The F&P is also linked with the overall management of the company/service provider. So much so, that the test is applicable to every person that has a qualifying holding share, beneficial owner, member of the board of Administration, Senior Manager, MLRO, Compliance Officer, Risk Manager and any other person who will be directing the business of the Applicant.

Given these requirements, it is undeniably obvious that the MFSA will require several key persons who will form part of the Business and Management administration of the Company to be properly vetted. Moreover, as already seen during the setting up of the VFA Agent structure, the Authority will most certainly emphasize that at a minimum, an applicant will be able to demonstrate that the business will be managed by a group of individuals in strict adherence with the ‘Dual Control’ principle.

This robust framework is aimed at nothing else but ensuring that the management of the Service Provider is ‘tailor-made’ to ensure that investor protection is at the forefront of the day-to-day operations.

Policies and Procedures

Whilst an in-depth analysis of the required policies and procedures will be tackled in another article, applicants should be made aware of the fact that the Authority has placed a strong emphasis on the Licence Holder ensuring that robust ‘Policies and Procedures’ are in place. To this end, in terms of R3- the Licence Holder ‘shall establish implement and maintain’ inter alia documents such as a: Cybersecurity Policy, Accounting Policy, Business Continuity Procedure, Key Management Policy etc. The Licence Holder shall also ‘take into account the nature, scale and complexity of its business’ accordingly.

Initial Capital Requirements & Annual Fees.

VFA Exchange operators will need to note that the company will need to ‘maintain an amount equal to the initial capital required for the authorisation’ and vis-à-vis Exchanges, this amount should be not less than 730,000 EUR [fully paid-up][3].

Rulebook 3 specifies that ‘the Licence Holder shall promptly pay all amounts due to the MFSA’ including an Annual Supervisory Fee which shall be payable by the Service Provider on the day that the audited financial statements are submitted to the Authority. Upon authorisation, the company will be required to pay the minimum annual supervisory fee for the first year of operation ‘upon receipt of the License’.

This fee is payable proportionate to the period remaining between the date of licensing grant and the submission of the annual accounts. For persons operating a Class 4 License, the Application/Notification fee is that of EUR 24,000 and the Annual Supervisory fee will depend on revenue accordingly. For revenue up to EUR 1 million, the fee will be 50,000 EUR and for ‘further tranches of EUR 1 million up to a maximum of EUR 100 million, the fees will be 5,000 EUR per tranche or part thereof’.

The Business Plan

The MFSA has made its intentions clear regarding having in place proper management structures and this via the exigency of ensuring that the Service Provider has a properly structured Business Plan. It would be recommended that the Board of Administration would be heavily involved in the plan’s set up but not without also involving the VFA Agent’s expertise.

Here at DWP VFA Agent Ltd, our team of experts can recommend an approved structure which will form an essential barometer when disseminating information to the relevant authority. Moreover, the Agent can help the applicant ‘tailor-make’ the Business Plan by also suggesting and vetting proposed persons who will be involved in the day-to-day management of the Company [and this of course on a case-by-case basis].

The essence of ‘substance’.

Based on prior experience with existing and regulated entities, ‘substance’ will certainly be a key element when determining whether or not the MFSA will grant a license to any applicant to act as a VFA Service Provider. There will certainly be the requirement for ‘residence’ of the key person/official involved in the Company [in an analogous model used by Gaming Companies] which conclusively also suggests that an office will be required to formally ‘set up shop’ in Malta.

In this connection, the overall and anticipated approach of the MFSA will certainly equate to ‘physical presence’ on Blockchain Island– as this would be the best option for the Authority to monitor and regulate all applicants accordingly. Apart from the aforementioned facts, is the general regulatory requirements imposed by local banks and Tax Authorities that substance goes hand in hand with a physical presence – which, more often than not, implies having some senior management present in Malta, a Company Secretary who is also resident on the island and genuine fiscal substance.


DWP VFA Agent Ltd. is already in possession of the In-Principle Approval and has already commenced advising various applicants accordingly [although fully-fledged services will be offered once the Certificate of Registration is granted by Fintech].

The importance of the VFA Agent can never be discounted especially in light of the seemingly cumbersome regulations that are already in place. Whilst some might be dissuaded by the fact that the requirements could be tedious and taxing, the ‘legal certainty’ that Malta has enshrined in its VFA Laws ensures that ‘investor protection’ and ‘good governance’ are at the forefront of any business endeavour.

In this connection, a reputable VFA Agent and a sound business plan should certainly be the key ingredients in a promising application that will eventually be presented to the MFSA.


The above-mentioned article is simply based on independent research carried out by Dr. Werner and Partner and cannot constitute any form of legal advice. If you would like to meet with up with any of our representatives to seek further information, please contact us for an appointment.

[1] Although, strictly speaking, more than one Agent may be appointed provided that prior notification is granted to the MFSA explaining the different responsibilities that will be undertaken by the respective Agents.

[2] In terms of the First Schedule of the ITAS Act, this arrangement is defined as either being ‘software and architectures which are used in designing and delivering Distributed Ledger Technology and smart contracts & related applications.

[3] As established in Subsidiary Legislation 590.01, the capital requirements are commensurate to the type of license obtained. In this connection, a VFA Class 1 Licence [primarily dealing with Investment Advice and reception and transmission of orders is EUR 50,000 or 25,000 EUR + Insurance. A Class 2 Licence [primarily dealing with the holding and controlling of clients’ funds] is 125,000 EUR and a Class 3 Licence [for operators willing to deal on own account] is priced at 730,000 EUR.

Share on facebook
Share on twitter
Share on linkedin
Share on skype
Share on whatsapp
Share on telegram
Share on email

Ask your question now! Send a message to the author.

Author of the post

Dr. Michael Calleja

More Expert Articles