FinTech: MFSA Circular addressed to VFA Service Providers

The Authority has taken the decision to revisit certain obligations, thus adopting a more principles-based approach, whilst ensuring effective investor protection, financial market integrity, and financial stability.

The MFSA has issued a Circular addressed to VFA Service Providers with respect to amendments to Chapter 3 of the VFA Rulebook. The updates to Chapter 3 shall become applicable as from 1 February 2020.

1. Systems Audit: the definition of ‘systems auditor’ has been amended. The aim is to ensure a fair playing field and an appropriate time for applicants to comply with the relevant requirements. 

  • Where a Licence Holder (LH)/Applicant has an Innovative Technology Arrangement (ITA), the MFSA shall require said LH/Applicant to appoint a Systems Auditor who is duly authorised by the Malta Digital Innovation Authority (MDIA). The Systems Auditor shall be engaged to review and audit the LH/Applicant’s systems in accordance with the MDIA and MFSA guidelines, at the application stage and on an annual basis thereafter.
  • Where a Licence Holder/Applicant does not have an Innovative Technology Arrangement, or does not operate a technological infrastructure which interacts with the ITA in some way or form, the MFSA notes that said LH/Applicant shall not be subject to the same obligations and controls as entities which have ITAs, as this would be considered disproportionate. For these entities, therefore, the MFSA requires LH/Applicants to carry out an IT Audit in lieu of a Systems Audit. It is to be noted that the IT Audit shall be prepared and submitted to the MFSA at application stage, and annually thereafter. It is imperative that said report include confirmation that the exemption applies.
  • Any entities which currently operate under the transitory provision of the VFAA, or which commenced VFA services prior to 01.02.2020, shall be required to prepare and submit the first Systems (or IT) Audit Report within 6 months from granting of licence or commencement of business (whichever is the earlier). All other applicant entities shall file at the application stage.
  • The requirement under R3-3.2.1.2 for a Systems Auditor to be in place at all times has been deemed unnecessary. The Systems Auditor is only required when said Systems Audit is to take place.

2. Live Replication Server: in order to avoid confusion and to establish a distinction from the live replication server established by Rule R3-3.5.2.1.6, the MFSA has replaced the term ‘Live Replication Server’ with ‘Live Audit Log’.

  • This log is an obligation imposed on both LH/Applicant ITA users and non-users, irrespective of the location of the IT infrastructure.
  • The Live Audit Log shall be required in terms of the MDIA Forensic Node Guidelines, and shall further fall within the ambit of the Systems (or IT) Audit.
  • For entities already operating under the transitory provision of the VFAA, or which commenced VFA services prior to 01.02.2020, such Live Audit Log shall be imposed as a post-licensing condition.

3. Fitness and Proper Test: the definition has been amended by the MFSA so as to remove the default requirement for Risk Managers and other persons effectively directing the VFA business of the applicant to undergo the F&P test. However, the MFSA still retains the discretion to request that such individuals undergo the F&P test. Additionally, a proposed CO shall not be required to complete a relevant course prior to being approved by the MFSA, since said courses are not held on a regular basis. In light of this, the mandatory interview established under Rule R3-2.2.3.3.4 shall become applicable. Again, the MFSA retains the discretion to require additional training at the application stage or on-going approval.

4. Exercising a European Right: the LH/Applicant shall be required to maintain a list of all jurisdictions in which the entity is providing, or holding itself out as providing, services. The MFSA delegates to the LH/Applicant the obligation to ensure that the provision/marketing of such services is permissible in such jurisdiction, and therefore the legal opinion shall no longer be required.

5. Matters requiring Approval: Going forward, MFSA shall only be required to receive prior notification of the LH engaging (i) Administrators, (ii) Senior Managers, or (iii) other employees, who would be engaged for portfolio management activities or the provision of investment advice. Yet, MFSA retains the discretion to object to the proposed engagement.

6. Cybersecurity: LHs shall now be required to ensure that their cybersecurity architecture is in line with inter alia any cybersecurity guidelines issued by the MFSA. This amendment has removed Rule R3-3.1.2.1.9.

7. Board of Administration: the rule established in terms of R3-3.1.2.2.2 has been removed by the MFSA to ensure a more principles-based approach.

8. Compliance Certificate: Going forward, the MFSA shall review the Compliance Certificate (CC) in view of the Compliance Monitoring Plan (CMP) duly carried out by the entity’s CO. However, the CC shall include:

  • The outcome of the CO’s CMP, including a list of breaches identified;
  • A confirmation that all the local AML/CFT requirements have been satisfied, which should be obtained from the LH’s MLRO; and
  • A list of Clients against which disciplinary action has been taken by the LH along with a brief description of the breach, and the actions taken by the LH.

R3-3.2.3.14, which established additional CC requirements for Class 4 LHs, has been removed.

9. The Financial Instrument Test: the FIT shall be required to be approved by the person responsible for carrying out the said test, and counter-signed by at least one Administrator. The obligation for the CO to approve the FIT has been removed.

10. Insurance Requirements: to guarantee a more principles-based approach, the MFSA requires the LH to ensure that the Professional Indemnity Insurance cover is in line with market standards and adequately covers the risks associated with the business of the LH.

11. Listing Criteria: the MFSA has focused its criteria on the technological experience, track record, and reputation of the issuer and its development team. The MFSA is considering whether to issue further guidelines in this respect.

12. Capital Requirements: this requisite has been removed.

13. Inducement Rules: R3-3.4.2.5 shall apply across the board and not solely to LHs who provide investment advice or portfolio management.
