MFSA clarifies certain requirements under the VFA framework


25 Mar 2020

On the 25th of March 2020, Malta Financial Services Authority ('MFSA') updated the Virtual Financial Assets ('VFA') Rulebook FAQs. 

We have analysed these changes and we have identified the following:

Assessing a virtual financial asset

R3-, in Chapter 3 of the MFSA VFA Rulebook, states that when assessing a virtual financial asset, the Licence Holder shall take into account the following factors:

  • The technological experience, track record and reputation of the issuer and its development team, and
  • The determination in accordance with the Financial Instrument Test.

The considerations requisite when assessing a virtual financial asset, were extended to the following:

  • The issuer’s AML/CFT and cybersecurity systems and controls at the time of the initial virtual financial asset offering;
  • The availability of a reliable multi-signature hardware wallet solution for the asset;
  • The protocol and the underlying infrastructure, including inter alia whether it is: (i) a separate Blockchain with a new architecture system and network or it leverages an existing Blockchain for synergies and network effects, (ii) scalable, (iii) new and/or innovative or (iv) the VFA has an innovative use case or application;
  • The relevant consensus protocol;
  • The System Auditor’s report on the Issuer’s Innovative Technology Arrangement, including any reservations that may have been expressed therein;
  • Developments in markets in which the issuer operates;
  • The geographic distribution of the VFA and the relevant trading pairs, if any;
  • The completeness and reliability of information included in the project website and/or whitepaper, including inter alia whether an ethical or professional code of conduct exists;
  • Whether the VFA has any built-in anonymization functions;
  • Whether the VFA has used or was used with any smurfing technology, mixers or has been traded on any Dark Net marketplaces;
  • Whether the VFA has any built-in mechanism which caters for settlement failure, such as resolution mechanisms;
  • Other DLT exchanges on which the VFA is traded, if any;
  • Social media information, including inter alia official website, Telegram, Twitter account and Facebook page.

Bye-Laws requirements

The bye-laws should include detailed information about:

  • The administration of the Licence Holder (Governance, Compliance, Risk Management);
  • How the Licence Holder operates (Client onboarding procedure, VFA listing procedure, trading procedures, pre-trade and post-trade transparency, market monitoring, custody and safekeeping arrangements, record keeping and fees);
  • Reporting of suspicious transactions;
  • Settlement and resolution mechanisms in case of settlement failure;
  • Suspension and removal from trading;
  • Periodic systems tests;
  • Business continuity;
  • Disciplinary action which the Licence Holder can take against its clients.

Capital Requirement

As per R3-, in Chapter 3 of the MFSA VFA Rulebook, the Licence Holders shall at all times maintain own funds equal to their capital requirement, which shall amount to the higher of (i) its permanent minimum requirement or (ii) its fixed overheads requirement calculated.

In accordance with the updated FAQs, the MFSA can request the Licence Holder to hold additional capital, to that mentioned in R3-, where:

  • There is a change in the business of a Licence Holder that the Authority considers to be material;
  • In the course of the Authority’s supervisory review, it is concluded that the Licence Holder:
  1. Is exposed to risks or elements of risks that are not covered or not sufficiently covered by the capital requirement set out in R3-;
  2. does not meet the requirements set out in Sub-section 7 (Internal Capital Adequacy Assessment Process) and Sub-section 3 (Initial Capital Requirement), Section 1 (Organisational Requirements), Title 3 (Ongoing Obligations for VFA Service Providers) of the VFA Rulebook Chapter 3, and other administrative measures which are unlikely to sufficiently improve the arrangements, processes, mechanisms and strategies within an appropriate timeframe;
  3. prudential valuation of the trading book is insufficient to enable the licence holder to sell or hedge out its positions within a short period without incurring material losses under normal market conditions or
  4. repeatedly fails to establish or maintain an adequate level of additional capital to ensure that cyclical economic fluctuations do not lead to a breach of the requirements laid out in this Section or the capital requirement can absorb the potential losses and risks identified pursuant to the Authority’s supervisory review process.

Fitness and Properness

In line with R3-, in Chapter 3 of the MFSA VFA Rulebook, apart from the mandatory interview, the Compliance Officers and MLROs, may be requested to complete a course approved by the Authority prior to licensing.

MFSA clarifies that the courses approved are CAMS certification and any other courses which the Authority may approve from time to time.

Registering a Company

Companies wanting to perform activities under the VFA are to be registered with the Malta Business Registry (‘MBR’). Prior to submitting the documentation for incorporation, interested parties must conduct a legal assessment which indicates whether the activity is licensable. The legal assessment, together with the Letter of Intent which is to be submitted to the MFSA as part of the application process, should be submitted to the MBR.  

Systems Audit and IT Audit Requirements

IT Audit

As highlighted by MFSA, in the VFA Rulebook FAQs, the IT Audit should evaluate the operator’s IT infrastructure, policies and procedures. The IT Audit should adhere to nationally or internationally recognised audit standards. The IT Audit should be accompanied by a confirmation from the IT Auditor that the Licence Holder does not have an Innovative Technology Arrangement in place as part of its operations or operate a technological infrastructure which interacts with an Innovative Technology Arrangement in some way or form.

First Systems/IT Audit Report submission

The first Systems Audit Report is required to be submitted according to the following criteria:

  1. VFA Service Providers operating under the Transitory Provisions and having ITA or a system interacting with ITA, must submit the Systems Audit Report within 6 months from licensing;
  2. VFA Service Providers operating under the Transitory Provisions and do not have ITA or a system interacting with ITA, must submit an IT Audit Report within 6 months from licensing;
  3. VFA Service Providers submitting Letter of Intent after 1st February 2020, and having ITA or a system interacting with ITA, must submit the Systems Audit Report at application stage;
  4. VFA Service Providers submitting Letter of Intent after 1st February 2020 and do not have ITA or a system interacting with ITA, must submit an IT Audit Report at application stage.

Live Audit Log

The Live Audit Log should include the following:

  • The transaction records required by the FIAU’s Part II of the Implementing Procedures (the customer’s identification details, the name of any other party to the transaction, details as to the bank account/wallet address used for the transfer of VFAs and/or FIAT currencies, the name of the institution holding the custodial wallets, if applicable, the value date and the date of the value transfer and the type and value of the VFA involved)
  • Client records
  • Customer’s accounting records
  • Suitability assessments carried out on clients and
  • Information relating to failed or erroneous transactions carried out on the exchange or trading platform.

The information mentioned above should be made available on the Live Audit Log, at most, 10 minutes after the relevant transaction or event takes place.


The information above does not, and is not intended to, constitute legal advice and should not be relied on as such. For any specific matters, please reach out to your usual WH Partners contact or write to us on