Skip to content

Summary to the MFSA Circular regarding Amendments to Chapter 3 of the Rulebook

Chapter 3 of the VFA Rulebook applies to VFA Service Providers who are seeking to obtain their license within the VFA sphere as per the laws and regulations of Malta.

The MFSA issued a circular addressed to VFA Service Providers in support of innovation of the sector adapting a more principles-based approach. The new amendments shall be effective as at 1st February of 2020.

1. Systems Auditor 

The Authority shall require the engagement of a Systems Auditor when there is an Innovative Technology Arrangement (ITA) in place or where the operations interact with an ITA in some way or another. Consent must be obtained from the MFSA before engagement or replacement of the auditor of the system.

The Systems Auditor shall be registered with the MDIA.

Responsibility of Systems Auditor: To review and audit the ITA.

IT Auditor Requirement 

If there is no ITA in place, the MFSA has introduced an IT Auditor Requirement.

The IT Auditor shall be responsible to review and audit the systems of the applicant. Upon application, the applicant shall submit an IT Audit Report to the Authority. Such Report shall confirm that there is no ITA in place and shall be submitted at the application stage and then on an annual basis.

Forensic Note Guidelines 

The Applicant shall have a Live Audit Log and there shall be an appointed person responsible for legal compliance and operational behaviour of the system (similar to the role of a Technical Administrator) in line with the Forensic Node Guidelines ( This shall be notified to the MFSA given that the Authority may object to the proposed appointment or replacement.

Deletion of Proviso 

The following proviso of R3- has been deleted: “Provided that where the Licence Holder’s IT Infrastructure is not located in Malta, or is located in a cloud environment, the Licence Holder shall ensure that data is replicated real time by virtue of a live replication server located in Malta.”

Additional Information 

Service providers operating in transitory who wish to continue with the provision of their services following the expiration of the transitory periods or applicants commencing their application before 1st February 2020 shall submit the first Systems Audit Report or IT Audit Report within 6 months from the granting of the license or commencement of business.

2. Live Replication Server 

The Live Replication Server shall be understood as the machine connected to the rest of the system of the service provider and thus to avoid confusion this is now being referred to as ‘Live Audit Log’.

The Live Audit Requirement shall apply to all service providers irrespective of whether there is an ITA in place or not.

3. Fitness and Properness 

The Fitness and Properness shall apply to every:

  • A person having a qualifying holding;
  • Beneficial owner;
  • Member of the BOA;
  • Senior Manager;
  • MLRO;
  • Compliance Officer;
  • Any other person which the Authority may deem necessary.

This still applies a case-by-case basis.

Also, since there are limited approved courses for Compliance Officers and/or MLRO, they are no longer required to complete an approved course before the license. These individuals shall still be subject to a mandatory interview.

To fulfil the competency requirements, both Compliance Officer and MLRO are to attend the training which is relevant to their role.

The Authority shall amend its FAQs to indicate accepted courses.

4. Exercising a European Right 

The Rulebook shall now refer to the provision of services in other jurisdictions. The service provider shall be required to list the countries in which they are providing their VFA Services. The requirement to obtain a legal opinion from other jurisdictions is no longer required, however, the service provider shall still be responsible to comply with the rules and regulations of such jurisdictions.

5. Approval 

The engagement of administrators, senior managers and/or other employees engaged in portfolio management or investment advice shall now be notified to the MFSA and the written consent is no longer required.

6. Cyber Security 

Cybersecurity architecture shall be in line with the guidelines of the cybersecurity (issued by the Authority). For this reason, the following has been removed: “Pursuant to R3-, the Licence Holder shall ensure that its Cybersecurity Framework complies with internationally recognised cyber security standards, any guidelines issued by the Authority and shall also be in line with the provisions of the GDPR.”

7. Board of Administration (BOA)  

The BOA shall no longer be required to oversee policies on the VFAs and VFA Services concerning the risk tolerance and characteristics/needs of clients to whom they will be offered or provided.

8. Compliance Certificate 

The Compliance Certificate shall be based on the Compliance Monitoring Plan which is to be carried out by the Compliance Officer.

The certificate shall now include the outcome of the compliance monitoring plan which shall also list identified breaches. The certificate shall confirm that all local AML/CFT requirements are satisfied as per the confirmation of the MLRO, and it shall also list the disciplinary actions taken against clients; describing the breaches and actions taken.

9. Financial Instrument Test (FIT)  

The FIT shall no longer be the responsibility of the Compliance Officer but of the person responsible for carrying out the FIT in line with the business model and endorsed by at least one administrator.

10. Insurance Requirement 

The Service Provider shall ensure that it has a Professional Indemnity Cover which is in line with market standards and covers business associated risks.

11. Supplementary Conditions 

  • Presence of Systems Auditor: The Systems Auditor is not required at all times but shall be appointed to carry out the Systems Audit concerning the ITA.
  • Listing Criteria: The Listing Criteria was decreased to two (2) criteria:
  1. (i) The Technological experience, track record and reputation of the issuer and the development team thereof;
  2. (iv) The determination under the FIT and its endorsement.
  • Custody: Custody Requirements shall now apply to all Service Providers.
  • Suspension/Removal of VFAs from Trading: Notification regarding the suspension/removal of a VFA from trading shall only be required when such suspension/removal has regulatory implications.
  • Systems Resilience: There is no longer a requirement to report the parameters for halting trading and any material changes thereof. Also, there is no longer the requirement of identification of orders by algorithmic trading.
  • Bye-Laws: There shall be guidelines about the bye-laws.
  • Inability to discharge functions: Where a Licence Holder is unable to discharge its functions it shall notify the Authority without undue delay instead of on the day of occurrence (given that it may not always be feasible to do so.)

Disciplinary Action: The list of disciplinary actions shall now be included in the Compliance Certificate and not notified every time an action is taken.

12. Capital Requirements

Additional capital requirements were deemed too prescriptive and thus have been removed.

13. Inducement Rules 

Inducement Rules shall apply across the board given that there may be further implications when carrying out activities. (These were only applicable to investment advice and portfolio management).

14. Sales Processes and Selling Practices 

The requirements of the Licence Holder dealing with a person who is acting under a power of attorney have been removed and the FIAU’s Implementing Procedures shall apply instead.

The rule covering the reception of client money has been revised as follows: ‘The Licence Holder shall acknowledge receipt to the Client of all money received in connection with a virtual financial asset or VFA Service and that any charge or fee imposed shall be disclosed separately.

With regards to the Assessment of Appropriateness, the Licence Holder, when providing a VFA Service which is not investment advice or portfolio management shall warn the clients of associated risks through a Risk Disclosure Document which shall deal with the risks involved when investing in VFAs.

15. Disclosure Requirements and Transitory 

The Disclosure requirements laid down in the Rulebook shall be disclosed to the Authority instead of the general public.

Article 62 of the VFA Act which covers the transitory provision has been removed since the transitory period has ended.

16. Glossary 

The Glossary shall be updated by the Authority to reflect new definitions.



Share on facebook
Share on twitter
Share on linkedin
Share on skype
Share on whatsapp
Share on telegram
Share on email

More posts of the author

Ordinary Legislative Procedure

How decisions are made at an EU Level

The standard decision-making procedure is known as ‘Ordinary Legislative Procedure’, meaning that the directly elected European Parliament has to approve EU legislation together with the Council of Europe. The EU

Read More »
Malta as the Blockchain Island – Again?

Malta as the Blockchain Island – Again?

It is finally happening!   On 24th September of last year, the EU Commission published a proposal for the regulation of crypto assets: the “Markets in Crypto-Assets Regulation” (also known as: MiCA).

Read More »

Ask your question now! Send a message to the author.

Author of the post

Dr. Rebecca Mifsud

More Expert Articles

Ordinary Legislative Procedure

How decisions are made at an EU Level

The standard decision-making procedure is known as ‘Ordinary Legislative Procedure’, meaning that the directly elected European Parliament has to approve EU legislation together with the Council of Europe. The EU

Read Expert Articles