MFSA publishes amendments to the VFA FAQs

The Malta Financial Services Authority (the “MFSA”) has recently amended their Virtual Financial Assets (the “VFA”) Frequently Asked Questions (“FAQs”) adding FAQs in section 5 and a whole new section 10. The amendments supplement the requirements in Chapter 3 of the VFA Rulebook, which have also been recently amended.

Additions to Section 5

Section 5 deals specifically with FAQs concerning those persons provide any service falling within the Second Schedule of the VFA Act in relation to a VFA (“VFA Service Providers”) and is mainly composed of FAQs on the licensing procedure. The addition of FAQs 5.26 – 5.29 provide VFA Service Providers, with additional information on the expectations the MFSA has on the operation of VFA Service Providers.

Quality of a VFA

In FAQ 5.26, the MFSA provides a non-exhaustive list of factors which a VFA Service Provider may take into consideration in assessing the quality of a VFA. Amongst others, the MFSA suggests that VFA Service Providers check the issuer’s anti-money laundering and cybersecurity systems and controls at the time of the initial VFA offering. Furthermore, VFA Service providers should analyse the protocol and the underlying infrastructure on which the VFA is based. Elements such as scalability or innovativeness contribute to increasing the quality of a VFA.


FAQ 5.27 provides for the information to be included in the bye-laws of a VFA Service Provider. The non-exhaustive list includes, amongst others, bye-laws delineating the administration of the VFA Service Provider which would include the governance, compliance and risk management information. The bye-laws should ideally also include the mode of operation of the VFA Service Provider which would include client onboarding procedures, procedures for the listing of VFAs, trading procedures, market monitoring, safekeeping arrangements and pre- and post-trade transparency.

Capital Requirements

In FAQ 5.28, the MFSA specifies in what situations it may demand a VFA Service Provider to hold additional capital to that already held. The first instance where the MFSA will demand the holding of additional capital arises where there is a change in the business of the VFA Service Provider which the MFSA considers to be material.

Secondly, the MFSA during its supervisory review process, concludes that the VFA Service Provider is:

exposed to risks or elements of risks that are not sufficiently covered by the capital in place;or

not meeting its ongoing obligations for risk management and internal capital adequacy assessment processes and additional administrative measures are unlikely to improve the arrangements; or

not able to sell or hedge out its positions within a short period without incurring material losses due to the prudential valuation of the trading book being insufficient; or

repeatedly failing to establish or maintain an adequate level of additional capital to ensure protection from cyclical economic fluctuations or potential losses and risks identified by the MFSA’s supervisory review process.


Finally, in FAQ 5.29 the MFSA provides additional information regarding the courses Compliance Officers and Money Laundering Reporting Officers may be requested to complete. At the moment, the CAMS certification course may be requested to be undertaken, however the MFSA reserves its right to add any other courses which it may deem fit from time to time.

Section 10

With the addition of Section 10 to the FAQs, the MFSA sheds some light on the Systems Audit and IT Audit requirements operators are to satisfy.

IT Audit

FAQ 10.2 provides that an IT Audit should asses the operator’s information technology infrastructure, policies and operations. Nationally or internationally recognised audit standards should be followed in this regard. Of importance is the confirmation from the IT Auditor to be included in the IT Audit declaring that the operator’s technological infrastructure does not materially interact with an Innovative Technology Arrangement.

Systems Audit Report

Additionally, FAQ 10.3 illustrates the timelines as to when the first Systems Audit Report is to be submitted by applicants for a Virtual Financial Asset Service licence. Applicants are separated into two categories, those operating under the Transitory Provision and those submitting their Letter of Intent after the 1st of February 2020. VFA Service providers in the first category are to submit their Systems Audit Report 6 months from licensing. The second category of VFA Service Providers are to submit their Systems Audit Report as part of their application pack.

Live Audit Log

Finally, in FAQ 10.4, the MFSA specifies the information to be stored on the Live Audit Log. As a minimum, the following information and data should be included:

i. The transaction records required by the FIAU’s Part II of the Implementing Procedures;

ii. Client records;

iii. Customer’s accounting records;

iv. Suitability assessment carried out on clients;

v. Information relating to failed or erroneous transactions carried out on the exchange or trading platform.

This information is to be made available on the Live Audit Log, at most, 10 minutes after the relevant transaction or event.

Feel free to contact us on any queries regarding the Virtual Financial Assets Act.