VFA Service Providers
Any person who wishes to provide a VFA Service in or from within Malta as defined under the Second Schedule of the Virtual Financial Assets Act (VFAA) in relation to a Virtual Financial Asset, is required to obtain a licence from MFSA through a VFA Agent. Chapter 3 of the VFA Rulebook applies to VFA Services Providers licensed in terms of the Virtual Financial Assets Act (VFAA). This Chapter is sub-divided into four titles
1. High-level Principles: VFA Service Providers must act ethically, honestly, fairly and professionally, cooperate fully with the Malta Financial Services Authority (MFSA) and provide the necessary information required;
2. Licensing Requirements for VFA Service Providers: This title provides for four licence classes, the requirement to appoint a VFA Agent, the possibility of the Authority requiring the appointment of a Systems Auditor, the criteria taken into consideration by the MFSA prior to granting a licence, including fitness and properness, as well as capital requirements;
3. Ongoing Obligations for VFA Service Providers: This title provides for inter alia which includes but is not limited to organisational requirements, prudential requirements, conduct of business obligations as well as record keeping and disclosure requirements; and
4. Enforcement and Sanctions: This title provides for administrative penalties and sanctions.
1. High Level Principles
VFA Service Providers shall act in an ethical manner and in the best interest of Malta taking into consideration investor protection, market integrity and financial soundness in carrying out their activity. They should also act honestly, fairly and professionally and shall comply with the relevant provisions of the Act, any regulations issued there under and other relevant legal and regulatory requirements. They should also cooperate with the MFSA in an open and honest manner and provide the Authority with any information it may require.
2. Authorisation Requirements of VFA Service Providers
A person who would like to provide a VFA service in or from within Malta shall be required to apply for a licence in accordance with the VFAA and the requirements set out in Chapter 3. A person seeking licensing under the VFAA to provide a VFA service, must appoint a VFA Agent who must be registered with the MFSA.
Classes of Licence
VFAA Class 1
Licence holders authorised to receive and transmit orders and, or provide investment advice in relation to one or more virtual financial assets and, or the placing of virtual financial assets. Class 1 Licence Holders are not authorised to hold or control clients’ assets or money.
VFAA Class 2
Licence holders authorised to provide any VFA service and to hold or control clients’ money, but not to operate a VFA exchange or deal for their own account. Class 2 Licence Holders may hold or control clients’ assets or money in conjunction with the provision of a VFA Service
VFAA Class 3
Licence holders authorised to provide any VFA service and to hold or control clients’ money, but not to operate a VFA exchange. Class 3 Licence Holders may hold or control clients’ assets or money in conjunction with the provision of a VFA Service
VFAA Class 4
Licence holders authorised to provide any VFA service. Class 4 Licence Holders may hold or control clients’ assets or money in conjunction with the provision of a VFA Service
Systems Auditor Requirement
The Authority may require an Applicant to appoint a Systems Auditor in relation to its Innovative Technology Arrangement.
The MFSA’s consent shall be sought prior to the appointment/ replacement of a Systems Auditor. The role of the Systems Auditor is that of reviewing and auditing the Applicant’s Innovative Technology Arrangement.
The Authority takes into consideration various aspects when deciding whether to grant a licence to an applicant which include inter alia: the protection of investors and the general public, the protection of the reputation of Malta taking into account Malta’s international commitments, the promotion of innovation, competition and choice and the reputation and suitability of the applicant and all other parties connected with the Applicant.
In assessing whether a person is a fit and proper person, the Authority requires the applicant to satisfy the following requirements:
Integrity – the applicant and persons referred to above must be of good repute, honest and trustworthy;
Competence – the applicant and persons referred to above must provide reasonable assurance to the satisfaction of the Authority both collectively and individually that they have an acceptable level of knowledge, professional expertise and experience;
Solvency – the applicant and persons referred to above should demonstrate to the Authority that it is financially sound, that proper financial controls and management of liquidity are ensured.
The initial capital requirements applicable to each respective class of VFA Services Licence Holders are:
|VFA Services Licence||Initial Capital Requirement (EUR)|
The application process consists of three phases (i) preparatory phase, (ii) pre-licensing phase and (iii) post-licensing/ precommencement of business phase.
a. Preparatory Phase
The Applicant must first notify the MFSA in writing, through its VFA Agent of its intention to apply for a VFA Services Licence. This must include a (i) comprehensive written description of the proposed structure, (ii) the VFA Service/s for which Licensing is being sought identifying the persons proposed to hold key positions thereto; and (iii) a legal opinion that the proposed activity does not fall within the scope of traditional financial services legislation.
Upon receipt of the notification mentioned above, the MFSA shall schedule a preliminary meeting with the Applicant who shall by not later than 60 days from the date of the meeting submit an application form with any supporting documentation as specified therein. Applicants must also pay the application fee to the MFSA in accordance with the VFA Regulations when submitting the application form and this application fee shall be non-refundable.
b. Pre-Licensing Phase
Upon receiving the complete application pack, the MFSA shall initiate the review of the application and the supporting documentation. If the Applicant has any changes the Authority must be informed of such as soon as possible. Once the MFSA is satisfied with the information set out in the application documentation and the completion of the fitness and properness assessment is finalised, then the Authority shall issue an ‘in principle approval’ which shall be valid for a period of three months from the date of the issue thereof. The Applicant shall during the three months finalise any outstanding issues raised during the application process, finalise any prelicensing conditions as determined by the MFSA in the in-principle approval; and submit the original copies of the final application form together with all supporting documentation.
c. Post-Licensing and Pre-Commencement of Business phase
Licence Holders may be required to satisfy a number of postlicensing matters as required by the MFSA prior to commencement of business.
The MFSA may vary or revoke any condition of a License as well as impose new conditions and it shall have the power to cancel the Licence granted to a VFA Service Provider should it fail to satisfy the post-licensing matters within the set timeframes as stipulated by the Authority
The Licence Holder shall commence its VFA Services business within twelve months of the date of issue of the VFA Service Licence.
|Application/Notification Fee||Supervisory Fee|
|VFAA CLASS 1||Licence holders authorised to receive and transmit orders and, or provide investment advice in relation to one or more virtual financial assets and, or the placing of virtual financial assets.||6,000||For revenue up to 50,000 Further tranches of 50,000 up to a maximum of 1,000,000||5,500 700 per tranche or part thereof|
|VFAA CLASS 2||Licence holders authorised to provide any VFA service and to hold or control clients’ money, but not to operate a VFA exchange or deal for their own account.||10,000||For revenue up to 250,000 Further tranches of 250,000 up to a maximum of 5,000,000||9,000 800 per tranche or part thereof|
|VFAA CLASS 3||Licence holders authorised to provide any VFA service and to hold or control client’s money, but not to operate a VFA exchange||14,000||For revenue up to 250,000 Further tranches of 250,000 up to a maximum of 5,000,000||12,000 800 per tranche or part thereof|
|VFAA CLASS 4||Licence holders authorised to operate a VFA exchange and to hold or control client’s money, virtual financial assets and, or private cryptographic keys and provide custodian or nominee services solely in relation to the operation and activities of such VFA exchange.||24,000||For revenue up to 1,000,000 Further tranches of 1,000,000 up to a maximum of 100,000,000||50,000 5,000 per tranche or part thereof|
3. Ongoing Obligations for VFA Service Providers
The VFA Service Provider’s business shall be effectively directed or managed by at least two individuals in satisfaction of the dual control principle. These persons shall be of good repute, possess sufficient knowledge and experience, commit sufficient time to perform their functions and be sufficiently experienced so as to ensure the sound and prudent management of the Licence Holder.
The Licence Holder shall:
- Establish, implement and maintain decision-making procedures and an organisational structure which clearly and in a documented manner, specifies reporting lines and allocates functions and responsibilities;
- Ensure that its relevant persons are aware of the procedures which must be followed for the proper discharge of their responsibilities;
- Establish, implement and maintain adequate internal control mechanisms designed to secure compliance with decisions and procedures at all levels of the Licence Holder;
- Employ personnel with the skills, knowledge and expertise necessary for the discharge of responsibilities allocated to them;
- Establish, implement and maintain effective internal reporting and communication of information at all relevant levels of the Licence Holder;
- Maintain adequate and orderly records of its business and internal organisation; and
- Ensure that the performance of multiple functions by its relevant persons does not and is not likely to prevent those persons from discharging any particular function soundly, honestly and professionally.
The Licence Holder shall ensure that it has sound administrative and accounting procedures, internal control mechanisms; effective procedures for risk assessment and effective control and safeguard arrangements for information processing systems
The Licence Holder should also inter alia implement and maintain systems and procedures safeguarding security, have in place adequate business continuity processes, accounting policies and procedures, financial reports as well as adequate security arrangements in relation to cyber security. The latter must be an established Cyber-Security Framework which inter alia includes an access management policy, key management policy, business continuity plan and response and recovery plan.
The Licence Holder must inter alia establish, implement and maintain adequate risk management policies and procedures which identify risks relating to activities carried out, adopt effective arrangements, processes and mechanisms to manage the risks relating to the activities and monitor the adequacy and effectiveness of these processes and mechanisms, the level of compliance and any measures taken to address any deficiencies.
The Licence Holder shall establish, implement and maintain adequate policies and procedures designed to detect any risk of failure by the Licence Holder to comply with its obligations under the VFAA.
The Licence Holder shall establish and maintain a permanent and effective compliance function which operates independently and which can monitor and assess the adequacy and effectiveness of the measures and procedures put in place, draw up and implement a compliance monitoring plan and advise and assist the relevant persons responsible for carrying out VFA services to comply with the Licence Holder’s legal and regulatory obligations.
The Licence Holder shall submit to the MFSA annually together with the annual audited financial statements, a Compliance Certificate drawn up by its Compliance Officer, stating that the Licence Holder complies with the provisions of the Act, the Regulations and Rules. Such Certificate should confirm that all the local AML/ CFT requirements have been satisfied and the Licence Holder’s Innovative Technology Arrangement if any, complies with any qualitative standard set and guidelines issued by the MDIA. Should there be any breaches these need to be notified in the Compliance Certificate.
A MLRO shall be appointed and be in place at all times and the Licence Holder shall ensure that the MLRO is a senior employee of the Licence Holder, its Compliance Officer or a member of the Board of Administration.
An internal audit function which is separate and independent from the other functions and activities of the Licence holder would need to be established. Provided that where appropriate and proportionate, in view of the nature, scale and complexity of its business and the nature and range of VFA services undertaken in the course of its business, the MFSA may, at its discretion, exempt the Licence Holder from this requirement.
An insurance policy that covers loss of money or loss or damage to any other asset or property belonging to the Licence Holder or which is in the care, custody or control of the Licence Holder or for which the Licence Holder is responsible has to be in force together with a professional indemnity insurance where required.
Supplementary Conditions Applicable to VFA Exchanges
The Licence Holder prior to admitting a VFA to trading on its platform, shall asses the quality of the VFA and inter alia consider the technological experience, track record and reputation of the issuer and its development team, issuer’s AML/CFT and cyber security systems and controls, determination in accordance with the Financial Instrument Test and developments in markets in which the issuer operates.
Effective systems, procedures and arrangements shall be in place to ensure its trading systems are resilient, have sufficient capacity to deal with peak order and message volumes, are able to ensure orderly trading under conditions of severe market stress which are fully tested to ensure such conditions are met and are subject to effective business continuity arrangements to ensure continuity of its services if there is any failure of its trading systems.
The Licence Holder must be able to temporarily halt or constrain trading if there is a significant price movement in a VFA on its platform or a related platform during a short period and in exceptional cases be able to cancel, vary or correct any transaction. Fee structures shall be transparent, fair and non-discriminatory and do not create incentives to place, modify or cancel orders or to execute transactions in a way which contributes to disorderly trading conditions or market abuse
Own Funds Requirements
A Licence Holder shall have own funds consisting of the sum of its Tier 1 capital and Tier 2 capital where:
- At least 56% of the sum shall consist of Common Equity Tier 1 capital;
- Up to 44% of the sum may consist of additional Tier 1 capital;
- Up to 25% of the sum may consist of Tier 2 capital.
The Licence Holder shall at all times maintain, as a minimum, own funds equal to their capital requirement, which shall amount to the higher of either its permanent minimum requirement or its fixed overheads requirement calculated in accordance with the Rules. The Licence Holder could also necessitate additional capital on the basis of the internal capital adequacy assessment process.
Additional capital requirements may also be required by the Authority when there is a change in the business of a Licence Holder that the Authority considers to be material; during the Authority’s supervisory review process when it concludes that a Licence Holder is either exposed to risks or elements of risks that are not covered or not sufficiently covered by the capital requirement; the Licence Holder does not meet the requirements of the internal capital adequacy assessment process; risk management and other administrative measures are unlikely to sufficiently improve the arrangements, processes, mechanisms and strategies within an appropriate timeframe; the prudential valuation of the trading book is insufficient to enable the licence holder to sell or hedge out its positions within a short period without incurring material losses under normal market conditions; the Licence Holder repeatedly fails to establish or maintain an adequate level of additional capital to ensure that (i) cyclical economic fluctuations do not lead to a breach of the requirements or (ii) the capital requirement can absorb the potential losses and risks indentified pursuant to the Authority’s supervisory review process.
Conflict of Interest Policy Rules
Amongst other policy rules a Licence Holder shall have in place Remuneration Policy Rules, Inducement Rules and Personal Transaction Rules and Conflict of Interest Policy Rules.
Record Keeping and Accounting Records
It is important to retain all records of all services and transactions undertaken which shall be sufficient to enable MFSA to monitor compliance with the requirements under these Rules and in particular ascertain that the Licence Holder has complied with all obligations with respect to clients or potential clients. Records shall include the recording of telephone conversations and/or electronic communications involving transactions when dealing on own account and the reception, transmission and execution of client orders. The Licence Holder shall also keep at the disposal of the MFSA for at least five years, the relevant data relating to all transactions in VFA which it has carried out. Proper accounting records should also be kept to show and explain transaction processes by the Licence Holder on behalf of its customers.
The Licence holder’s I.T infrastructure shall ensure the integrity and security of any data stored, availability, traceability and accessibility of data and privacy and confidentiality. It shall also ensure that the I.T infrastructure is located in Malta and/ or any EEA member state and/or any other third country jurisdiction provided there is live replication on a server in Malta.