Summary to the MFSA Circular regarding Amendments to Chapter 3 of the Rulebook

Chap­ter 3 of the VFA Rule­book applies to VFA Ser­vice Providers who are seek­ing to obtain their license with­in the VFA sphere as per the laws and reg­u­la­tions of Mal­ta.

The MFSA issued a cir­cu­lar addressed to VFA Ser­vice Providers in sup­port of inno­va­tion of the sec­tor adapt­ing a more prin­ci­ples-based approach. The new amend­ments shall be effec­tive as at 1st Feb­ru­ary of 2020.

1. Systems Auditor 

The Author­i­ty shall require the engage­ment of a Sys­tems Audi­tor when there is an Inno­v­a­tive Tech­nol­o­gy Arrange­ment (ITA) in place or where the oper­a­tions inter­act with an ITA in some way or anoth­er. Con­sent must be obtained from the MFSA before engage­ment or replace­ment of the audi­tor of the sys­tem.

The Sys­tems Audi­tor shall be reg­is­tered with the MDIA.

Respon­si­bil­i­ty of Sys­tems Audi­tor: To review and audit the ITA.

IT Auditor Requirement 

If there is no ITA in place, the MFSA has intro­duced an IT Audi­tor Require­ment.

The IT Audi­tor shall be respon­si­ble to review and audit the sys­tems of the appli­cant. Upon appli­ca­tion, the appli­cant shall sub­mit an IT Audit Report to the Author­i­ty. Such Report shall con­firm that there is no ITA in place and shall be sub­mit­ted at the appli­ca­tion stage and then on an annu­al basis.

Forensic Note Guidelines 

The Appli­cant shall have a Live Audit Log and there shall be an appoint­ed per­son respon­si­ble for legal com­pli­ance and oper­a­tional behav­iour of the sys­tem (sim­i­lar to the role of a Tech­ni­cal Admin­is­tra­tor) in line with the Foren­sic Node Guide­lines ( This shall be noti­fied to the MFSA giv­en that the Author­i­ty may object to the pro­posed appoint­ment or replace­ment.

Deletion of Proviso 

The fol­low­ing pro­vi­so of R3‑ has been delet­ed: “Pro­vid­ed that where the Licence Holder’s IT Infra­struc­ture is not locat­ed in Mal­ta, or is locat­ed in a cloud envi­ron­ment, the Licence Hold­er shall ensure that data is repli­cat­ed real time by virtue of a live repli­ca­tion serv­er locat­ed in Mal­ta.”

Additional Information 

Ser­vice providers oper­at­ing in tran­si­to­ry who wish to con­tin­ue with the pro­vi­sion of their ser­vices fol­low­ing the expi­ra­tion of the tran­si­to­ry peri­ods or appli­cants com­menc­ing their appli­ca­tion before 1st Feb­ru­ary 2020 shall sub­mit the first Sys­tems Audit Report or IT Audit Report with­in 6 months from the grant­i­ng of the license or com­mence­ment of busi­ness.

2. Live Replication Server 

The Live Repli­ca­tion Serv­er shall be under­stood as the machine con­nect­ed to the rest of the sys­tem of the ser­vice provider and thus to avoid con­fu­sion this is now being referred to as ‘Live Audit Log’.

The Live Audit Require­ment shall apply to all ser­vice providers irre­spec­tive of whether there is an ITA in place or not.

3. Fitness and Properness 

The Fit­ness and Proper­ness shall apply to every:

  • A per­son hav­ing a qual­i­fy­ing hold­ing;
  • Ben­e­fi­cial own­er;
  • Mem­ber of the BOA;
  • Senior Man­ag­er;
  • MLRO;
  • Com­pli­ance Offi­cer;
  • Any oth­er per­son which the Author­i­ty may deem nec­es­sary.

This still applies a case-by-case basis.

Also, since there are lim­it­ed approved cours­es for Com­pli­ance Offi­cers and/or MLRO, they are no longer required to com­plete an approved course before the license. These indi­vid­u­als shall still be sub­ject to a manda­to­ry inter­view.

To ful­fil the com­pe­ten­cy require­ments, both Com­pli­ance Offi­cer and MLRO are to attend the train­ing which is rel­e­vant to their role.

The Author­i­ty shall amend its FAQs to indi­cate accept­ed cours­es.

4. Exercising a European Right 

The Rule­book shall now refer to the pro­vi­sion of ser­vices in oth­er juris­dic­tions. The ser­vice provider shall be required to list the coun­tries in which they are pro­vid­ing their VFA Ser­vices. The require­ment to obtain a legal opin­ion from oth­er juris­dic­tions is no longer required, how­ev­er, the ser­vice provider shall still be respon­si­ble to com­ply with the rules and reg­u­la­tions of such juris­dic­tions.

5. Approval 

The engage­ment of admin­is­tra­tors, senior man­agers and/or oth­er employ­ees engaged in port­fo­lio man­age­ment or invest­ment advice shall now be noti­fied to the MFSA and the writ­ten con­sent is no longer required.

6. Cyber Security 

Cyber­se­cu­ri­ty archi­tec­ture shall be in line with the guide­lines of the cyber­se­cu­ri­ty (issued by the Author­i­ty). For this rea­son, the fol­low­ing has been removed: “Pur­suant to R3‑, the Licence Hold­er shall ensure that its Cyber­se­cu­ri­ty Frame­work com­plies with inter­na­tion­al­ly recog­nised cyber secu­ri­ty stan­dards, any guide­lines issued by the Author­i­ty and shall also be in line with the pro­vi­sions of the GDPR.”

7. Board of Administration (BOA)  

The BOA shall no longer be required to over­see poli­cies on the VFAs and VFA Ser­vices con­cern­ing the risk tol­er­ance and characteristics/needs of clients to whom they will be offered or pro­vid­ed.

8. Compliance Certificate 

The Com­pli­ance Cer­tifi­cate shall be based on the Com­pli­ance Mon­i­tor­ing Plan which is to be car­ried out by the Com­pli­ance Offi­cer.

The cer­tifi­cate shall now include the out­come of the com­pli­ance mon­i­tor­ing plan which shall also list iden­ti­fied breach­es. The cer­tifi­cate shall con­firm that all local AML/CFT require­ments are sat­is­fied as per the con­fir­ma­tion of the MLRO, and it shall also list the dis­ci­pli­nary actions tak­en against clients; describ­ing the breach­es and actions tak­en.

9. Financial Instrument Test (FIT)  

The FIT shall no longer be the respon­si­bil­i­ty of the Com­pli­ance Offi­cer but of the per­son respon­si­ble for car­ry­ing out the FIT in line with the busi­ness mod­el and endorsed by at least one admin­is­tra­tor.

10. Insurance Requirement 

The Ser­vice Provider shall ensure that it has a Pro­fes­sion­al Indem­ni­ty Cov­er which is in line with mar­ket stan­dards and cov­ers busi­ness asso­ci­at­ed risks.

11. Supplementary Conditions 

  • Pres­ence of Sys­tems Audi­tor: The Sys­tems Audi­tor is not required at all times but shall be appoint­ed to car­ry out the Sys­tems Audit con­cern­ing the ITA.
  • List­ing Cri­te­ria: The List­ing Cri­te­ria was decreased to two (2) cri­te­ria:
  1. (i) The Tech­no­log­i­cal expe­ri­ence, track record and rep­u­ta­tion of the issuer and the devel­op­ment team there­of;
  2. (iv) The deter­mi­na­tion under the FIT and its endorse­ment.
  • Cus­tody: Cus­tody Require­ments shall now apply to all Ser­vice Providers.
  • Suspension/Removal of VFAs from Trad­ing: Noti­fi­ca­tion regard­ing the suspension/removal of a VFA from trad­ing shall only be required when such suspension/removal has reg­u­la­to­ry impli­ca­tions.
  • Sys­tems Resilience: There is no longer a require­ment to report the para­me­ters for halt­ing trad­ing and any mate­r­i­al changes there­of. Also, there is no longer the require­ment of iden­ti­fi­ca­tion of orders by algo­rith­mic trad­ing.
  • Bye-Laws: There shall be guide­lines about the bye-laws.
  • Inabil­i­ty to dis­charge func­tions: Where a Licence Hold­er is unable to dis­charge its func­tions it shall noti­fy the Author­i­ty with­out undue delay instead of on the day of occur­rence (giv­en that it may not always be fea­si­ble to do so.)

Dis­ci­pli­nary Action: The list of dis­ci­pli­nary actions shall now be includ­ed in the Com­pli­ance Cer­tifi­cate and not noti­fied every time an action is tak­en.

12. Capital Requirements

Addi­tion­al cap­i­tal require­ments were deemed too pre­scrip­tive and thus have been removed.

13. Inducement Rules 

Induce­ment Rules shall apply across the board giv­en that there may be fur­ther impli­ca­tions when car­ry­ing out activ­i­ties. (These were only applic­a­ble to invest­ment advice and port­fo­lio man­age­ment).

14. Sales Processes and Selling Practices 

The require­ments of the Licence Hold­er deal­ing with a per­son who is act­ing under a pow­er of attor­ney have been removed and the FIAU’s Imple­ment­ing Pro­ce­dures shall apply instead.

The rule cov­er­ing the recep­tion of client mon­ey has been revised as fol­lows: ‘The Licence Hold­er shall acknowl­edge receipt to the Client of all mon­ey received in con­nec­tion with a vir­tu­al finan­cial asset or VFA Ser­vice and that any charge or fee imposed shall be dis­closed sep­a­rate­ly.

With regards to the Assess­ment of Appro­pri­ate­ness, the Licence Hold­er, when pro­vid­ing a VFA Ser­vice which is not invest­ment advice or port­fo­lio man­age­ment shall warn the clients of asso­ci­at­ed risks through a Risk Dis­clo­sure Doc­u­ment which shall deal with the risks involved when invest­ing in VFAs.

15. Disclosure Requirements and Transitory 

The Dis­clo­sure require­ments laid down in the Rule­book shall be dis­closed to the Author­i­ty instead of the gen­er­al pub­lic.

Arti­cle 62 of the VFA Act which cov­ers the tran­si­to­ry pro­vi­sion has been removed since the tran­si­to­ry peri­od has end­ed.

16. Glossary 

The Glos­sary shall be updat­ed by the Author­i­ty to reflect new def­i­n­i­tions.



About Dr. Rebecca Mifsud

Dr Rebec­ca Mif­sud, born 6th May 1994, attend­ed the Uni­ver­si­ty of Mal­ta and is an LLB Hon­ours grad­u­ate. She also grad­u­at­ed in the Mas­ters in Advo­ca­cy and will be sit­ting for her Mal­ta War­rant Exam in 2019. She suc­cess­ful­ly defend­ed her dis­ser­ta­tion enti­tled: ‘Imput­ing respon­si­bil­i­ty for foot­ball injuries inflict­ed by minors in the Mal­tese sce­nario,’ in 2017.

View All Posts

Leave a Reply

Your email address will not be published.