The Malta Blockchain Regulatory Framework
41
The Malta Blockchain Regulatory Framework Joseph F Borg, WH Partners
Transcript of The Malta Blockchain Regulatory Framework
The Malta Blockchain Regulatory Framework
Joseph F Borg, WH Partners
Malta, the ‘blockchain island’On the 4th of July of 2018, the Maltese Parliament unanimously passed three bills that established the
foundations of the Maltese Blockchain Regulatory Framework:
- Virtual Financial Assets Act (VFA Act)
- Malta Digital Innovation Authority Act (MDIA Act)
- Innovative Technology Arrangements and Services Act (ITAS Act/ITASA)
Along with this regulatory framework, the Malta Gaming Authority (MGA) also published a set of guidelines
that create the parameters for the establishment of a sandbox in relation to the use of blockchain and
cryptocurrencies by Malta licensed gaming operators.
Blockchain
Platforms
Certification
Smart
Contracts
Certification
System
Auditors
Accreditation
What do the MDIA and the ITASA
regulate?
Malta Digital Innovation Authority (MDIA)
The MDIA is an independent authority which is regulated by the MDIA Act. The MDIA wasset up to support the development of Innovative Technology Arrangements (ITAs) andServices (ITSs) in Malta.
The MDIA aims also to encourage the development of regulatory processes in relation toITAs to support all National Competent Authorities (NCAs) regulating different sectors tobetter administer the laws entrusted to their administration for the public benefit.
Inter alia, the MDIA shall:
• regulate, monitor and supervise the provision of ITAs and ITSs in Malta;
• provide facilities for the recognition, certification, registration, or otherwise grant orissue of authorisation of ITAs;
• establish minimum quality, compliance and security standards for any ITAs and ITSs;
• provide information and issue guidelines.
Malta Digital Innovation Authority (MDIA)
The MDIA’s Main Objectives (i)
Promoting governmental policies that favour the deployment, within the public administration, of ITAs
Fostering, promoting andfacilitating the advancementand utilisation of ITAs andtheir design and uses
Promoting education onethical standards andlegitimate exploitation ofITAs
Safeguarding, maintainingand protecting the Malta’sreputation in the use of ITAs
Protecting users of ITAs,including consumers and thegeneral public and ensuringstandards are set
Harmonising practices andfacilitating the adoption of ITAs inMalta, to be in line withinternational norms, standards,rules and/or laws particularlythose of the EU
Malta Digital Innovation Authority (MDIA)
The MDIA’s Main Objectives (ii)
Promoting and enforcing ethicaland legitimate criteria in thedesign and use of ITAs andensuring quality of services andsecurity therein
Assisting the competent DPAs insafeguarding the data protectionrights of data subjects and assistingother CAs in the protection ofvulnerable persons and thepromotion of fair competition andconsumer choice
Promoting transparency andauditability in the use of ITAs,and any application, software, orderivative product from it orintrinsically part of or connectedto it
Supporting the prevention ofmoney laundering, terroristfinancing and the commission ofany other crime in or through theuse of ITAs
Promoting legal certainty in theapplication of laws, in a nationaland cross-border context, andthe development of appropriatelegal principles for the effectiveapplication of law to ITAs
Promoting ease of accessibility tothe facilities provided by publiclyavailable ITAs and the recognitionand implementation of the right ofexit, withdrawal or termination ofparticipation from any arrangementin the use of ITAs
Innovative Technology Arrangements and Services
Act (ITASA)
(i) Systems Auditor Guidelines;
(ii) Systems Auditor Report Guidelines;
(iii) Systems Auditor Control Objectives;
(iv) Enhanced Systems Audit/or Guidelines
(i) Innovative Technology Arrangements Guidelines;
(ii) ITA Blueprint Guidelines
(i) Technical Administrator Guidelines;
(ii) Resident Agent Guidelines
(i) Technology Stack Nomenclature Guidelines;
(ii) Forensic Node Guidelines;
(III) Guidelines on the definition of In or From Malta
Guidelines issued by the MDIA
ITA certification is voluntary in all cases except if
an IVFAO utilizes an ITA. The ITA must be carried
out in or from Malta.
Applicants wishing to have their ITA authorised,
are to provide the MDIA with any information,
documentation and assurances which may be
requested by the authority. Applicants and their
ITA must be deemed to be fit and proper by the
MDIA. Furthermore, applicants must comply with
the rules and regulations issued by the MDIA.
A Systems Auditor is required to provide the MDIA
with an opinion on whether the ITA meets
reasonable standards as set out by the said
authority. These shall include, amongst others, the
specific purposes, qualities, features, attributes,
behaviors or aspects of the ITA as specified in the
Blueprint.
An ITA must also have a Technical Administrator
(TA) in place at all times; whereby, said TA shall,
inter alia, demonstrate to the MDIA that the ITA
satisfies all pre-requisites for the certification which
may be granted to it. Furthermore, the TA shall
also ensure that the ITA is able to meet the MDIA’s
standards on a continuing basis and should any
critical matters surface, the TA is to show how
such matters shall be addressed n the event of
their occurrence.
Issuers of VFAs -
Initial VFA
Offerings and
Trading of VFAs
on the Exchanges
What does the VFA Act regulate?
VFA Service
Providers
VFA Agents
Issuers of VFAs
Issuers of VFAs
‘Issuer’ means a legal person duly formed under any law for the time
being in force in MALTA which issues or proposes to issue virtual
financial assets in or from within Malta.
Accordingly, it is necessary to incorporate a Maltese Company,
typically a private limited company (Ltd) or public limited company
(p.l.c). However, it is also possible to launch a token offering via a
Foundation, following amendments introduced to the Maltese Civil
Code.
The Issuer’s business shall be effectively directed or managed by at
least two individuals in satisfaction of the ‘dual control’ principle.
Such persons shall be capable of demonstrating to the satisfaction of
the Authority sufficient knowledge and understanding of the Issuer’s
business to enable them to discharge their duties.
The Whitepaper
The whitepaper shall convey factual information about a business in words and figures, and shall serve as a source of information about the Issuer and its proposed activities. The whitepaper shall:
1. be dated;
2. contain all the information stipulated in the First Schedule to the Act;
3. be signed by the Issuer’s Board of Administration; and
4. include a statement by the Issuer’s Board of Administration that the whitepaper complies with the requirements under the Act, the relevant regulations and these Rules.
The Issuer shall commence the offering of its VFAs to the public or shall proceed with the admission of its VFAs to trading on DLT exchanges within six months from the date of registration of the whitepaper with the MFSA.
An Issuer shall ensure
that an investor does
not invest more than
Euro 5,000 in its Initial
VFA Offering over a
12-month period.
Provided that its shall
not apply to an investor
who declares to the
Issuer that:
Board of
Administration
A. he is capable of
providing evidence that
he has already
participated in other
Initial VFA Offerings and
his initial investment
exceeded EUR 10,000 or
its equivalent;
B. he is aware of the risks
involved; and
C. the funds he is
contributing to the
specific Initial VFA
Offerings does not
exceed one per cent of
his net worth excluding
his main residential
home.
Responsible for
ensuring that the
Issuer complies with
its obligation under the
VAF framework.
Experienced
Investors
Cap on
maximum
investable
amount
Initial VFA Offerings & Trading on DLT
exchangesApplications for registration are made through the submission of the Whitepaper
Registration Form, publicly available online on the Virtual Financial Assets Framework
page on the MFSA website. The Whitepaper registration form is divided in 2 stages:
The Issuer is to submit the following document to
the MFSA:
• M&A;
• Board Resolution or, in case where the
entity’s Legal Form is not a company, a
document indicating agreement to apply for
registration of the whitepaper;
• Financial Instrument test in excel format;
• Whitepaper in PDF in colour;
• Annex 1 of the Whitepaper registration form in
excel format;
• Details of payment of application fees;
• Annex 2 of the Whitepaper registration form
signed in blue ink and in PDF format;
• System Audit Report;
• Audited Annual Accounts for each of the
last three financial years.
Stage 1 Stage 2
The following is to be submitted in the
stage two:
• Organizational chart reflecting clearly
both the Qualifying Unitholding
structure and the Underlying Group
structure;
• P.Q.s and supporting documents;
• Letter of Engagement with VFA
Agent;
• Letter of Engagement with Financial
Auditor.
Functionaries
An Issuer shall appoint, and have at all times appointed, the following functionaries,
who are required to have sufficient knowledge and experience in the field of information
technology, DLT assets and their underlying technologies, and have a good understanding
of the Issuer’s business:
Systems Auditor VFA Agent
Responsible for reviewing and auditing
the Issuer’s Innovative Technology
Arrangement/s (ITA/s) (including cyber
security arrangements) and shall also
be charged with preparing an annual
systems audit report on its ITA in
compliance with guidelines issued
by the Malta Digital Innovation
Authority (MDIA).
Responsible for acting as an intermediary with the MFSA – all
communications, meetings, notifications and/or submissions to the MFSA are made through its VFA Agent, carrying out the fitness & properness assessment in respect of the Issuer,
ensuring that the whitepaper complies with the requirements of the VFA Act
and endorsing the Financial Instrument Test. If more the one VFA Agent is
appointed, the Issuer must establish how responsibility is to be allocated
and inform the MFSA in writing of the respective allocations made;
Functionaries
Custodian Auditor
An independent third
party responsible for
the safekeeping of the
Issuer’s assets and
investor’s funds.
The Issuer shall appoint and have at all times in
place an Auditor approved by the MFSA. The Auditor
shall have adequate business organisation,
systems, experience and expertise to act as Auditor to an Issuer. The Issuer
shall obtain from its Auditor a signed letter of
engagement defining clearly the extent of the Auditor's responsibilities
and the terms of his appointment.
Responsible for ensuring
compliance with all
applicable Anti-Money
Laundering and
Prevention of Funding of
Terrorism laws and
regulations.
Money Laundering
Reporting Officer
Systems Auditor Report
The Issuer shall ensure that its Systems
Auditor, prior to the commencement of the
offering of the Virtual Financial Assets, has
prepared a report which covers all aspects of
its Innovative Technology Arrangement/s.
The Issuer shall also ensure that the Systems
Auditor, prior to the commencement of the
offering of the Virtual Financial Assets, checks
and certifies that nothing in the Innovative
Technology Arrangement/s used, including
any smart contract to be deployed, shall
contain any rights to unilaterally mutate,
amend and, or destroy without leaving
trace the Innovative Technology
Arrangement/s involved, in whole or in
part, including any smart contract thereof.
Cyber-Security
An Issuer shall establish a ‘Cyber-Security
Framework’ which shall inter alia include:
1. Information and data security roles and
responsibilities;
2. Access management policy;
3. Sensitive data management policy;
4. Threats management policy;
5. Business continuity plan;
6. Response and recovery plan; and
7. Security education and training.
The Cyber-Security Framework shall comply with
internationally recognized cyber security standards
and shall be in line with the provisions of the
GDPR. The MFSA has issued guidance Notes on
Cybersecurity in order to assist Issuers and VFA
Service Providers to comply with this requirement.
AML/CFT
Report
The Issuer shall, on an annual
basis, engage an independent
auditor to draw up a report which
shall include:
1. a confirmation that the
AML/CFT/KYC systems the
Issuer purports to have in place
are indeed in place, and
2. a review of the operations of
the Issuer from an AML/CFT
perspective.
Whitepaper must contain detailed description of the past and future milestones including any deliverable in any private placement and its effect of the public offering to the investors. The issuer must provide regular updates by means of public announcements.
In the event that the milestones are not met and these delays would potentially affect the risk parameters of the project, the Issuer shall also pursuant to his obligation at Law, update the Whitepaper accordingly and inform the investors of their right to opt out.
Disclosure to
the public
Compliance Certificate To be drawn up by the Issuer on an annual basis. It is to be reviewed by the VFA
Agent, signed by all members of the Issuer’s Board of Administration and
subsequently submitted to the MFSA by the VFA Agent.
It shall include:
a confirmation that
all the local
AML/CFT
requirements have
been satisfied and
that the Issuer has
adequate systems
in place to identify
suspicious
transactions and to
draw up
suspicious
transaction
reports, which
confirmation
should be obtained
from its MLRO;
a confirmation that its
Innovative Technology
Arrangement complies with
any qualitative standards set
and guidelines issued by the
Malta Digital Innovation
Authority applicable to the
particular type of arrangement
(irrespective of whether the
said arrangement holds a
certification or a ruling of
eligibility under the Innovative
Technology Arrangements
and Services Act), which
confirmation should be
obtained from a Systems
Auditor;
a statement as
to whether the
Issuer is a fit
and proper
person, which
statement shall
be confirmed by
the VFA Agent
to the Issuer;
and
a statement as
to whether there
have been any
breaches of the
Act, the
Regulations or
these Rules,
which statement
should be made
by its Board of
Administrators.
Record Keeping
An Issuer shall arrange for documents to be
kept for 5 years to enable MFSA to monitor
compliance with the requirements under the
VFA framework.
The Issuer shall ensure that Its I.T infrastructure is
located in Malta, and/or any EEA member state
and/or any other third country jurisdiction wherein
the Authority is satisfied that the date is stored in a
way that ensures integrity and security of the data,
availability, traceability and accessibility of data;
and privacy and confidentiality.
Provided that where the Issuer’s I.T. infrastructure
is not located in Malta, or is located in a cloud
environment, the Issuer shall ensure that data is
replicated real time by virtue of live replication
server located in Malta.
I.T. Infrastructure
Transaction by Restricted Persons
and with Related Parties IVFAO issuer must require all Restricted Persons to comply with an internal code of
dealing in compliance with the Rulebook when it comes to dealing (trading) directly or
indirectly with any of the virtual financial assets of the issuer.
Restricted Persons have been defined as the following:
The Board of Administration of the IVFAO issuer;
The Board of Administration of the Subsidiary of the IVFAO issuer;
The Board of Administration of the Parent Undertaking;
Any of the IVFAO issuer’s officers or employees, or an officer or employee of its subsidiary or parent undertaking
who, because of his office or employment in the issuer or subsidiary or parent undertaking, is likely to be in
possession of unpublished price-sensitive information in relation to the
IVFAO issuer.
Transaction by Restricted Persons
and with Related Parties Restricted Persons will be prevented from dealing directly or indirectly in the virtual financial assets of the IVFAO issuer at the following times:
• At any time when he is in possession of unpublished price-sensitive information in relation to those Virtual Financial Assets;
• Prior to the announcement of matters of an exceptional nature involving unpublished price-sensitive information in relation to the market price of the Virtual Financial Assets of the Issuer;
• Without giving advance written notice to one or more other Board of Administration designated for this purpose. In his own case, such designated Administrator shall not deal without giving advance notice to the board of administration of such Issuer or any other designated Administrator as appropriate; or
• During such other period as may be established by the MFSA from time to time;
• During the period of thirty (30) days immediately preceding any publication of the Issuer’s annual results. Provided that the Issuer may allow a Restricted Person to trade on its own account or for the account of a third party during a closed period, on a case-by case basis, due to the existence of exceptional circumstances, such as severe financial difficulty, which require the immediate sale of Virtual Financial Assets and the Issuer shall immediately notify the Authority accordingly.
Transaction by Restricted Persons
and with Related Parties
These restrictions apply also to any ‘Connected Person’ who acts on behalf of a Restricted Person and it is the duty of the Restricted Persons to seek to prohibit any such dealing by any Connected Person at a time when he himself is not free to deal.
Connected Person is a person who is connected to an Administrator of the Issuer, such person shall be considered to be connected to an Administrator if that person is:
A member of the Administrator’s family, including without limitation, the Administrator’s spouse or a partner,
the Administrator’s child or step-child, the Administrator’s parents and any
other dependents of the Administrator; or
A legal person in which the Administrator, any of the persons
related to the Administrator holds or hold units in a nominal value equal to at least 20% of the capital of that legal
person; or (ii) is or are entitled to control 20% of the voting rights at any general meeting of that legal person;
or
Acting in capacity as a trustee of any trust, the beneficiaries of which
include: (i) the Administrator, the Administrator’s dependents, including without limitation, the Administrator’s spouse, children or step-children; or (ii) a legal person with which one is
associated as set out above; or
Acting in a capacity as a business partners of that Administrator or of any
person who, is connected with the Administrator.
Cancellation of an IVFAO
If canceled for any reason the
Issuer shall ensure that any
funds collected from the investors
are duly returned thereto. The
process shall be monitored by
the VFA Agent.
VFA Service Providers
Introduction (1)Chapter 3 of the Virtual
Financial Assets Rulebook
Authorisation Requirements of VFA Service
Providersi. The Licensing Process of a VFA Service Provider
Ongoing Obligations for VFA Service Providers i. Organisational Requirements
ii. Supplementary Conditions
iii. Prudential Requirements
iv. Conduct of Business Obligations
Class 1
Licence holders authorised to receive and transmit orders
and/ or provide investment advice in
relation to one or more virtual financial assets and / or the placing of virtual
financial assets but are not authorized to hold or control client’s
money.
The Four Classes
Class 2
Licence holders authorised to provide any VFA service but not to operate a VFA exchange or deal for their own account. They may also hold
or control clients’ money in conjunction with the provision of a
VFA Service.
Class 3
Licence holders authorised to provide any VFA service but not to operate a VFA exchange. They may also hold or control
clients’ money in conjunction with the provision of a VFA
Service.
Class 4
Licence holders
authorised to provide
any VFA service and
hold or control clients’
money in conjunction
with the provision of a
VFA Service.
1 2 3 4
The VFA Agent
Appointing a VFA
Agent registered
with the MFSA
Fitness and
Properness
Assessment
Handles all MFSA
communications,
meetings,
notifications and
submissions
The Licensing Process
Preparatory Phase
Pre-Licensing Phase
Post-Licensing Requirements and
Pre-Commencement of Business
The Licensing Process (2)
1. 2. 3.
Preparatory Phase
• Notification of Intent
to the MFSA
• Schedule of a
preliminary meeting
• Submission of
Application Form
Preparatory Phase
• Review of the application
and submitted documents.
• Completion of Fitness and
Properness Assessment
• Issuance of an ‘in principle
Approval’.
• Applicant shall: i. Finalise any outstanding
issues
ii. Finalise any pre-licensing
conditions
iii. Submission of original
copies & final application
form.
• Satisfy a number of
post-licensing matters
prior to the
commencement of
business.
• Commencement of
VFA Services business
within twelve (12)
months from date of
issue of licence.
Post-Licensing & Pre-Commencement
of Business
Organisational Requirements
• Governance Arrangements
• Establishment of a Board of Administration
• Responsibility of Senior Management
• Risk Consideration
• Risk Management
• Compliance & Compliance Certificate
• Financial Instrument Test
• MLRO
• Safeguarding of Clients’ Assets
• Internal Audit
• Insurance Requirements
• Business Continuity Process
• Outsourcing Requirements
• Procedure for Reporting a breach
Supplementary Conditions
• System Auditor
• Supplementary Conditions applicable to
VFA exchanges:
i. Listing Criteria
ii. Custody
iii. Suspension and removal from trading
iv. Order Matching
v. Pre-trade and Post-trade Transparency
vi. Client Record Keeping
vii. Reporting of Suspicious Transactions
viii. System Resilience
ix. Settlement
x. Bye-Laws
xi. Inability to Discharge Function
xii. Disciplinary Action
xiii. Synchronization of Business Clocks
xiv. Compliance Certificate
Prudential Requirements
Own Capital Requirements:
i. Initial Capital Requirements
ii. Capital Requirements – the Company shall at all times maintain,
at a minimum, own funds equal to their capital requirement,
which shall amount to the higher of the following:
i. Its permanent minimum requirement (initial capital)
ii. Its fixed overheads – at least one quarter of the fixed overheads of the
proceeding year.
iii. Internal Capital Adequacy Assessment Process
iv. Liquidity Requirements – minimum an amount of liquid assets
equivalent to at east one third of the fixed overhead
requirements.
Conduct of Business Obligations
• Conflict of Interest:
I. Remuneration Policy Rules
II. Inducement Rules – Investment advice and portfolio mangement
III. Personal Transaction Rules
• Sale Processes & Selling Practices:
I. Client Categorisation
II. Experienced Investors
III. Non-experienced Investors
• Advice and Non-Advice (Investment Advice)
• Assessment of Clients’ Suitability and Appropriateness
• Contractual Arrangements with Clients
• Complaints Handling by Licence Holders
• Execution of Clients’ Orders
Record Keeping, Reporting and
Disclosure Requirements
• Record Keeping:
I. Customers’ Accounting records
II. Accounting Records
• Appointing an Auditor
• Reporting Requirements:
I. Audited Annual Reporting Requirements
II. Annual Financial Return
III. Interim Financial Returns
IV. Risk Management and the Internal
Capital Adequacy Assessment Report
• Disclosure Requirements:
I. Governance
II. Own Funds
III. Capital Requirements
Blockchain and gambling
Advantages
Added
Transparency
and provable
Fairness
Increased
Security and
Immutability
Faster, Easier
and Cheaper
Remittances
Greater Efficiency
and Automation
through Smart
Contracts
MGA Sandbox
Acceptance of payments Cryptocurrencies• VFAs and Virtual Tokens
• Limit of Eur 1000 per user per month
• Outsourcing
• Wallet Verification and AML
• Rate of Exchange
Use of DLT, Smart Contracts and Other ITAs• Hosting
• Smart Contracts
• Certification
AML
