Operating a Crypto Exchange in Malta


19 Dec 2018

Exchanges and other providers of cryptocurrency related services that have been providing their services in or from Malta were granted a 12-month transitory period in which they need to apply for a VFA service licence from the Malta Financial Services Authority (the “MFSA”). Those that have been operating in or from Malta before 1 November 2018 had to notify the MFSA by 12 November 2018 that they wish to avail themselves of these transitory provisions.

There are four types of licences:

Class 1: Applicable to those receiving and transmitting orders or that provide investment advice or that are placing Virtual Financial Assets (the “VFAs”)

Class 2: Applicable to those offering any other VFA service except those dealing on own account or offering an exchange

Class 3: Applicable to those offering any VFA service and that deal on own account but do not offer an exchange

Class 4: Applicable to those offering any VFA service including an exchange

Classes 2, 3 and 4 are allowed to hold or control clients’ assets or money in conjunction with the provision of a VFA Service. Assets held under the control of a VFA service provider, are deemed by law to constitute distinct patrimony and not subject to the of creditors of the operator. VFA service providers can only deal with FIAT and and VFAs. They cannot deal with financial instruments, electronic money or exchange between FIAT currencies.

For those of you that are new to the concept of dealing on own account, this is a term borrowed from the traditional financial services industry whereby the service provider buys and sells VFAs using its own money. The service would be similar to what Coinbase offers. On the other hand, an exchange service is similar to what Binance offers where it matches asks and bids.

The aim of the regulatory framework is:

i. the protection of investors and the general public;

ii. the promotion of innovation, competition and choice; and

iii. the reputation and suitability of the Applicant and all other parties connected with the Applicant.

An applicant for a licence, must demonstrate to the MFSA that it has sufficient integrity, competence and solvency to run the operation. This assessment shall be applicable to every (i) person that has a qualifying holding in the Applicant, (ii) beneficial owner, (iii) member of the Board of Administration of the Applicant, (iv) Senior Manager, (v) MLRO, (vi) Compliance Officer, (vii) Risk Manager (where applicable) and (viii) any other person who will effectively direct the VFA business of the Applicant.

VFA service providers must have in place a number of policies and procedures, amongst which the following:

i. Information and data security management policy

ii. Access management policy

iii. Key management policy

iv. Wallet management policy

v. Sensitive data management policy

vi. Threats management policy

vii. Business continuity plan

viii. Response and disaster recovery plan

ix. Security education and training

x. Risk management policy

xi. Compliance and reporting policy

xii. Outsourcing policy (if applicable)

xiii. Conflict of Interest Policy

xiv. Complaints Policy

xv. Order Execution Policy

xvi. AML Policy

Licensees are also required to make every effort possible to take out and maintain a professional indemnity insurance covering any loss or damage. There are also some rules and limitations about outsourcing. Licensees can also offer white label solutions to third parties.

The MFSA rules impose tough liquidity requirements on all licensees. They also have to ensure they have no conflict of interest. They must also have a compliance officer that will be responsible to compile a compliance certificate on a periodical basis.

Exchanges are required to also to abide by the listing criteria prescribed in the rules issued by the MFSA that include:

- Assessment of the quality of the VFA listed

- Custody requirements

- Monitoring for market manipulation and reporting

- Apply pre-trade and post-trade transparency measures

- Client record keeping

- Reporting of suspicious transactions

- Ensure System Resilience

- Apply streamlined and clear settlement procedures

- Have bye-laws in place

If you have any queries, we are happy to assist you. Kindly drop us an email at blockchain@whpartners.eu.

This article does not constitute legal advice and does not establish an attorney relationship. If you require legal advice, please contact me on joseph.borg@whpartners.eu or one of my colleagues who helped me with this article and with all blockchain related work at WH Partners at blockchain@whpartners.eu.