CMS Expert Guide to Crypto Regulation in Malta

In Malta, the Financial Intelligence Analysis Unit (FIAU) is the national central agency responsible for the collection, collation, processing, analysis and dissemination of information to combat money laundering and the funding of terrorism.

The FIAU operates under the powers given to it by the Malta’ Anti-Money-Laundering (“AML”) regime which principally consists of the Prevention of Money Laundering Act (Chapter 373 of the Laws of Malta) and its subsidiary legislation as well as FIAU implementing procedures.

Moreover, as an EU Member State Malta’s framework includes Regulation (EU) 2024/1624, dated 31 May 2024, which focuses on preventing financial system misuse for purposes of money laundering or terrorist financing, often called the “AMLR” which includes obligations for crypto services. Amongst other obligations, this sets out the requirement to “assess whether [the self-hosted] address is owned or controlled by the CASP customer where the transfer amount exceeds EUR 1000”.

In July 2024 the European Banking Authority issued a “travel rule” relating to AML prevention measures whilst transferring crypto which can be accessed here. It includes, inter alia, guidelines on how to assess transactions over EUR1000 by: a) individually identify a transfer; b) identify a transfer from or to self-hosted addresses; c) identify the originator and beneficiary; d) prove the ownership or controllership (when applicable); and e) put in place mitigating measures, where applicable.

Malta will also transpose into its laws Directive (EU) 2024/1640, issued on 31 May 2024, which is commonly known as AMLD6 and put into scope numerous crypto services.  As of October 2024, this has not yet been transposed into Maltese law.

The Malta Financial Services Authority (MFSA) is the single regulator of financial services in Malta. The MFSA regulates credit & financial institutions, insurance companies and insurance intermediaries, investment services companies and collective investment schemes, securities markets, recognised investment exchanges, trustees, company services providers and pension schemes. Since 2018, the MFSA is also responsible for regulating Virtual Financial Assets under Malta’s Virtual Financial Assets Act (Chapter 590 of the Laws of Malta).  As of 2024, the MFSA is the national competent authority in Malta which enforces the Markets in Crypto-Assets Regulation (MICA)(Regulation (EU) 2023/1114).

The Malta Business Registry (MBR) and the Commissioner for Revenue have jurisdiction over company incorporation and related corporate ongoing obligations, and tax-related matters, respectively. Any crypto licence requires the set-up of a legal person which is regulated in Malta under the Companies Act (Chapter 386 of the Laws of Malta). Tax matters are regulated by the Income Tax Act (Chapter 123 of the Laws of Malta).

In Chapter 3 of Part II of Virtual Financial Assets Sector  Section of the Implementing Procedures issued by the FIAU, directs sales of tokens by issuers mandates a proactive risk-based approach. Issuers must conduct a Business Risk Assessment (BRA) before launching any public offer to identify potential AML risks, with adjustments made if new risks emerge mid-offer.

Customer Due Diligence (CDD) is mandatory for all subscribers, regardless of transaction size, as each subscription is treated as an occasional transaction rather than a long-term business relationship. For higher-risk customers, Enhanced Due Diligence (EDD) is applied, focusing on verifying the source of funds and wealth. Furthermore, issuers are required to conduct a third-party AML review, which must be completed upon the offer’s conclusion, ensuring their AML controls are effective and aligned with FIAU requirement

As of June 2024, MICA’s rules on issuing and offering EMTs and ARTs are specifically regulated to enhance transparency, safeguard investors, and ensure market integrity within the EU. The process entails:

1. Whitepaper Requirement:. The whitepaper should cover essential information, such as the nature of the token, project objectives, financial risks, rights associated with the token, and the technical aspects of the crypto asset. The whitepaper must be submitted to the relevant national authority but is not pre-approved by the regulator.
    
2. Disclosure Obligations: The whitepaper must include disclosures on the token sale terms, including any limits on the issuance or potential restrictions on resale, to protect potential buyers and allow them to make informed investment decisions.Mandatory Notification: For public offerings, issuers must notify the relevant competent authority before launching a token sale.
    
3. Issuer Responsibilities: MiCA places ongoing obligations on issuers to act in good faith and communicate any changes in the token’s terms or associated rights, especially if material events occur post-issuance that could impact the value or function of the token.

For other tokens falling under Title II of MICA, as of December 2024, the process would largely be the same but there are numerous exemptions for utility tokens and other types of crypto assets.  

Exchange (buy/sell)

Custody (hold)

Borrowing/lending

As of October 2024, these activities are mostly regulated. The Virtual Financial Assets Act (Chapter 590 of the Laws of Malta) (VFA Act) provides a requirement to distinguish between different types of crypto assets. Assets that are intrinsically dependent on, or utilise, Distributed Ledger Technology (DLT asset) can be categorised into one of the below definitions. The regulation of such activity would depend on this definition determination, as outlined below.

1.  virtual token: Outside regulatory scope
   OR
2. a virtual financial asset: Regulated under the VFA Act
   OR
3. electronic money: Regulated under the Financial Institutions Act (Chapter 376 of the Laws of Malta)
   OR
4. a financial instrument: Regulated under the Investment Services Act (Chapter 370 of the Laws of Malta)

After December 2024, MICA would be the law which is applicable throughout the European Union.

The EU’s MiCA provides rules for issuing three types of digital assets:

• Utility Token: This category of crypto-asset is designed solely to grant access to a product or service offered by the entity that issues it.
• Asset-referenced Token (ART): This variant of crypto-asset, distinct from electronic money tokens, strives to preserve a consistent value by linking to another value or entitlement, or a combination of these, including one or multiple recognised currencies, assets, or technologies.
• E-Money Token (EMT): A crypto-asset type that claims to sustain a stable value by mirroring the value of a single official central-bank-issued currency.

The ESMA Q&A dated June 20, 2024 (link here) having number  2067 addresses whether MiCA prohibits staking-related services or if staking is exempt from MiCA.

 The ESMA Q&A clarifies that MiCA does not prohibit staking itself, defined as the act of immobilizing crypto-assets to support PoS (Proof-of-Stake) or similar blockchain mechanisms. However, when staking is offered as a service by intermediaries—who stake clients’ assets on their behalf—these services fall under MiCA's custody regulations. In such cases, providers must have authorization under MiCA (Article 75) for custody and administration of crypto-assets, ensuring protections like asset segregation, liability for losses, and client consent for staking activities that could impact asset accessibility. This guidance aims to clarify existing MiCA requirements for entities providing staking-as-a-service.

Malta's NFT guidelines (link here) clarify that most NFTs are excluded from the Virtual Financial Assets (VFA) framework, as their unique, non-fungible nature generally prevents them from being classified as virtual financial assets. However, NFTs could fall under other regulatory categories if they do not meet strict uniqueness criteria.

 Key tests include substance-over-form assessments and the Financial Instrument Test to confirm classification. NFTs issued in large series, those with fractional ownership, or those assigned only unique identifiers may not qualify as non-fungible.

Under Malta’s current regime, any crypto service involving advice or recommendation or placing of virtual assets within or from Malta requires a licence. Thus, offshore business cannot provided services to local customers on active solicitation basis.

Reverse solicitation for crypto services is not defined in the current Maltese rulebook.

However, in MICA, reverse solicitation is interpreted restrictively and most scenarios fall outside of the reverse solicitation definition.

Under Article 61(1) of MiCA, the principle of reverse solicitation permits third-country crypto-asset service providers (CASPs) to offer services to EU clients without authorisation, provided the client initiates the service independently. However, this principle strictly limits marketing activities, as Article 61(1) specifies that if a CASP solicits or promotes its services within the EU, it no longer qualifies as “own exclusive initiative,” and authorisation becomes mandatory. Echoing MiFID II’s interpretation of reverse solicitation, this provision aligns with Recital 75 of MiCA, confirming that EU clients may access services independently, but that solicitation by CASPs requires MiCA authorisation. Moreover, Article 61(1)(paragraph 2) imposes an implicit marketing ban, extending to entities with close ties to the CASP, and paragraph 3 explicitly prohibits any disclaimer or clause asserting that services were initiated solely by the client’s own exclusive initiative. This prohibition, influenced by ESMA’s MiFID II guidance, addresses previous issues where firms used disclaimers or “I agree” clauses to claim compliance. Additionally, Article 61 raises questions regarding the timing of the marketing ban's effectiveness, particularly concerning whether past CASP marketing efforts could impact future reverse solicitation claims. MiCA’s non-retroactivity suggests past conduct should not impact reverse solicitation; however, national regimes may impose stricter views. Notably, MiCA’s marketing ban applies uniformly to all clients, whether retail or professional, as it does not distinguish between client types, unlike MiFID II, requiring all CASPs to ensure their approach to reverse solicitation aligns strictly with MiCA’s requirements across the EU.

Fees depend on the licence type and the services provided.

Authorisation Fees under Malta’s Virtual Financial Assets Regulations are as follows:

• Whitepaper registration: EUR 8,000
• VFAA Class 1: EUR 6,000
• VFAA Class 2: EUR 10,000
• VFAA Class 3: EUR 14,000
• VFAA Class 4: EUR 24,000

Authorisation Fees under the Investment Services Act are outlined under the Schedule of the Investment Services Act (Fees) Regulations.

Authorisation Fees under the Financial Institutions Act are outlined under the Financial Institutions Act (Fees) Regulations.

All licences carry an annual supervisory fee, which is dependent on the licence type. Legal and other professional fees will be necessary.

The extent of the requirements will depend on the licence type. In general, requirements relate to the licensing process, processes for appointed persons, local substance, capital and liquidity, organisational requirements including governance, risk management, compliance and safeguarding of client assets, conduct of business obligations, record keeping, reporting and disclosure obligations etc.

The MFSA mandates robust cybersecurity and risk management frameworks. CASPs must implement risk assessment, management, and internal controls to ensure the integrity of their operations. This includes safeguarding against technological and operational risks, protecting client assets, and maintaining detailed contingency plans including adherence to the EU’s Digital Operational Resilience Act (DORA), officially Regulation (EU) 2022/2554.