Chapter 3 of the VFA Rulebook applies to VFA Service Providers who are seeking to obtain their license within the VFA sphere as per the laws and regulations of Malta.
The MFSA issued a circular addressed to VFA Service Providers in support of innovation of the sector adapting a more principles-based approach. The new amendments shall be effective as at 1st February of 2020.
1. Systems Auditor
The Authority shall require the engagement of a Systems Auditor when there is an Innovative Technology Arrangement (ITA) in place or where the operations interact with an ITA in some way or another. Consent must be obtained from the MFSA before engagement or replacement of the auditor of the system.
The Systems Auditor shall be registered with the MDIA.
Responsibility of Systems Auditor: To review and audit the ITA.
IT Auditor Requirement
If there is no ITA in place, the MFSA has introduced an IT Auditor Requirement.
The IT Auditor shall be responsible to review and audit the systems of the applicant. Upon application, the applicant shall submit an IT Audit Report to the Authority. Such Report shall confirm that there is no ITA in place and shall be submitted at the application stage and then on an annual basis.
Forensic Note Guidelines
The Applicant shall have a Live Audit Log and there shall be an appointed person responsible for legal compliance and operational behaviour of the system (similar to the role of a Technical Administrator) in line with the Forensic Node Guidelines (https://mdia.gov.mt/wp-content/uploads/2019/09/Forensic-Node-Guidelines.pdf). This shall be notified to the MFSA given that the Authority may object to the proposed appointment or replacement.
Deletion of Proviso
The following proviso of R3-18.104.22.168.6 has been deleted: “Provided that where the Licence Holder’s IT Infrastructure is not located in Malta, or is located in a cloud environment, the Licence Holder shall ensure that data is replicated real time by virtue of a live replication server located in Malta.”
Service providers operating in transitory who wish to continue with the provision of their services following the expiration of the transitory periods or applicants commencing their application before 1st February 2020 shall submit the first Systems Audit Report or IT Audit Report within 6 months from the granting of the license or commencement of business.
2. Live Replication Server
The Live Replication Server shall be understood as the machine connected to the rest of the system of the service provider and thus to avoid confusion this is now being referred to as ‘Live Audit Log’.
The Live Audit Requirement shall apply to all service providers irrespective of whether there is an ITA in place or not.
3. Fitness and Properness
The Fitness and Properness shall apply to every:
- A person having a qualifying holding;
- Beneficial owner;
- Member of the BOA;
- Senior Manager;
- Compliance Officer;
- Any other person which the Authority may deem necessary.
This still applies a case-by-case basis.
Also, since there are limited approved courses for Compliance Officers and/or MLRO, they are no longer required to complete an approved course before the license. These individuals shall still be subject to a mandatory interview.
To fulfil the competency requirements, both Compliance Officer and MLRO are to attend the training which is relevant to their role.
The Authority shall amend its FAQs to indicate accepted courses.
4. Exercising a European Right
The Rulebook shall now refer to the provision of services in other jurisdictions. The service provider shall be required to list the countries in which they are providing their VFA Services. The requirement to obtain a legal opinion from other jurisdictions is no longer required, however, the service provider shall still be responsible to comply with the rules and regulations of such jurisdictions.
The engagement of administrators, senior managers and/or other employees engaged in portfolio management or investment advice shall now be notified to the MFSA and the written consent is no longer required.
6. Cyber Security
Cybersecurity architecture shall be in line with the guidelines of the cybersecurity (issued by the Authority). For this reason, the following has been removed: “Pursuant to R3-22.214.171.124.8, the Licence Holder shall ensure that its Cybersecurity Framework complies with internationally recognised cyber security standards, any guidelines issued by the Authority and shall also be in line with the provisions of the GDPR.”
7. Board of Administration (BOA)
The BOA shall no longer be required to oversee policies on the VFAs and VFA Services concerning the risk tolerance and characteristics/needs of clients to whom they will be offered or provided.
8. Compliance Certificate
The Compliance Certificate shall be based on the Compliance Monitoring Plan which is to be carried out by the Compliance Officer.
The certificate shall now include the outcome of the compliance monitoring plan which shall also list identified breaches. The certificate shall confirm that all local AML/CFT requirements are satisfied as per the confirmation of the MLRO, and it shall also list the disciplinary actions taken against clients; describing the breaches and actions taken.
9. Financial Instrument Test (FIT)
The FIT shall no longer be the responsibility of the Compliance Officer but of the person responsible for carrying out the FIT in line with the business model and endorsed by at least one administrator.
10. Insurance Requirement
The Service Provider shall ensure that it has a Professional Indemnity Cover which is in line with market standards and covers business associated risks.
11. Supplementary Conditions
- Presence of Systems Auditor: The Systems Auditor is not required at all times but shall be appointed to carry out the Systems Audit concerning the ITA.
- Listing Criteria: The Listing Criteria was decreased to two (2) criteria:
- (i) The Technological experience, track record and reputation of the issuer and the development team thereof;
- (iv) The determination under the FIT and its endorsement.
- Custody: Custody Requirements shall now apply to all Service Providers.
- Suspension/Removal of VFAs from Trading: Notification regarding the suspension/removal of a VFA from trading shall only be required when such suspension/removal has regulatory implications.
- Systems Resilience: There is no longer a requirement to report the parameters for halting trading and any material changes thereof. Also, there is no longer the requirement of identification of orders by algorithmic trading.
- Bye-Laws: There shall be guidelines about the bye-laws.
- Inability to discharge functions: Where a Licence Holder is unable to discharge its functions it shall notify the Authority without undue delay instead of on the day of occurrence (given that it may not always be feasible to do so.)
Disciplinary Action: The list of disciplinary actions shall now be included in the Compliance Certificate and not notified every time an action is taken.
12. Capital Requirements
Additional capital requirements were deemed too prescriptive and thus have been removed.
13. Inducement Rules
Inducement Rules shall apply across the board given that there may be further implications when carrying out activities. (These were only applicable to investment advice and portfolio management).
14. Sales Processes and Selling Practices
The requirements of the Licence Holder dealing with a person who is acting under a power of attorney have been removed and the FIAU’s Implementing Procedures shall apply instead.
The rule covering the reception of client money has been revised as follows: ‘The Licence Holder shall acknowledge receipt to the Client of all money received in connection with a virtual financial asset or VFA Service and that any charge or fee imposed shall be disclosed separately.’
With regards to the Assessment of Appropriateness, the Licence Holder, when providing a VFA Service which is not investment advice or portfolio management shall warn the clients of associated risks through a Risk Disclosure Document which shall deal with the risks involved when investing in VFAs.
15. Disclosure Requirements and Transitory
The Disclosure requirements laid down in the Rulebook shall be disclosed to the Authority instead of the general public.
Article 62 of the VFA Act which covers the transitory provision has been removed since the transitory period has ended.
The Glossary shall be updated by the Authority to reflect new definitions.