Towards enhanced legal certainty for VFA Service Providers – New Rulebook Published

On 25 February 2019, the MFSA published the third installment of the Virtual Financial Assets (‘VFA’) Rulebook concerning VFA Licence Holders.[1] The final version of this rulebook is the result of a consultation conducted by the Malta Financial Services Authority (‘MFSA’), being the designated ‘competent authority’ under the VFA Act[2] and follows two anteceding publications: one regulating VFA Agents and the other regulating ‘Initial VFA Offerings’ (commonly known as ICOs).

The provisions of the VFA Act empower the MFSA to issue rules as necessary to implement the VFA Act including the regulation of VFA Licence Holders and VFA Services, and the leading provision in this regard is Article 13 of the VFA Act that states that no person shall provide, or hold itself out as providing, a VFA Service in or from within Malta unless such person is in possession of a valid licence granted under the VFA Act.

The Rulebook contains detailed provisions on the licensing requirements of VFA ‘License Holders’[3], being those persons duly licensed to carry out the VFA Services found in the Second Schedule to the VFA Act.[4]

‘Chapter 3 of the Virtual Financial Assets Rulebook: Virtual Financial Assets Rules for VFA Service Providers’ (the ‘Rulebook’) fleshes out this provision by setting down VFA Service Providers’ licensing requirements, licensing process, their ongoing obligations and provisions concerning enforcement and sanctions in the event of misconduct. The Rulebook’s salient parts shall be explored next.

Classes of VFA services, Capital Requirements and Fees

The Rulebook and the VFA Regulations[5] establish minimum capital requirements, application fees and annual supervisory fees payable to the competent authority, as per the table below:

ClassActivitiesCapital Requirement (EUR)Application Fee (EUR)Annual Supervisory Fee (EUR)
Class 1Reception and transmission of orders and/or provision of investment advice in relation to VFAs.50,000 or 25,000+PII
Class 2Any VFA Service except operating a VFA Exchange or dealing on own account. 125,00010,0009,000*
Class 3Any VFA Service except operating a VFA Exchange.730,00014,00012,000*
Class 4Any VFA Service, including operating a VFA Exchange.730,00024,00050,000*

* The supervisory fee payable annually to the MFSA might increase depending on the revenue generated by the business.

The initial capital that VFA Licence Holders are required to have for authorization purposes must be retained at all times.

VFA Agent and Systems Auditor Requirements

A person seeking to obtain a licence under the ACT must engage a VFA Agent who has been duly registered with the MFSA. Currently, the MFSA is in the process of approving the first batch of VFA Agents, who upon registration shall be listed in a specific register that will be uploaded on the website of the MFSA. Where an applicant has an ‘innovative technology arrangement’[6] in place, the MFSA might also ask the applicant to appoint a Systems Auditor, the role of whom would be to certify that the particular arrangement complies with technical guidelines issued by the Malta Digital Innovation Authority (‘MDIA’).

VFA Service Providers operating under the transitory period

Entities who had started operating before the coming into force of the VFA regime on November 1st 2018 and who had submitted a transitory period notification in accordance with Article 63 of the VFA Act are not exempt from the application of the Rulebook, insofar as they comply on a best effort basis. According to a recent circular issued by the MFSA,[7] such entities must engage a VFA Agent, must provide evidence that it has passed a ‘fitness and properness assessment’ conducted by the VFA Agent, and must provide evidence that it has sufficient mechanisms and internal controls to comply with AML/CFT requirements.

Fitness and Properness Assessment

Applicants are obliged to undergo a ‘fitness and properness assessment’ conducted by the VFA Agent which, upon conclusion, would determine whether an entity is ‘fit and proper’ in terms of integrity, competence and solvency. The fitness and properness assessment should not be made in respect of the entity as whole only but should also be made in respect of certain natural individuals involved in the applying entity such as qualifying holders, beneficial owners, members of the board of directors, senior managers, and so on

The licensing processes

An application for a license under the VFA Act is to be made only by through the VFA Agent. The application process consists of three stages – a ‘preparatory stage’ during which the applicant submits a letter of intent containing an overview of the proposed business and activities to be carried out and a formal application; a ‘pre-licensing stage’ during which the MFSA initiates a review of the application, a successful completion of which would lead to an ‘in principal approval’; and a ‘post-licensing & pre-commencement of business’ stage during which the applicant is asked to satisfy a number of pending matters prior to commencing the business.

Passporting a VFA licence

Although under European Union law, a VFA Services Licence issued by the MFSA in terms of the VFA Act is not passportable to other European member states, other European member states may individually make provision for the exercise of such right. If such right exists by virtue of a law of a specific member state, a VFA Service Provider would need to notify the MFSA of its intention to provide a VFA service in another member state.

Ongoing Obligations – Governance

An entity should have at least two individuals directing or managing the Licence Holder’s affairs. This is known as the ‘dual control principle’ or ‘four-eyes principle’. The internal organizational structure must be clearly defined, with clear reporting lines and specific functions and responsibilities assigned to each person involved in the entity’s organizational structure.

Good internal governance also requires entities to put in place effective internal management systems and controls as you would find in any professional business. The Rulebook specifies what policies a Licence Holder is expected to have, including a ‘Cyber-Security Framework’ to manage the control of sensitive date securely and effectively; a risk management policy; a business continuity framework; a compliance policy and function. In any case, the complexity of the internal systems and controls should be proportional to the complexity of the business activities being carried out by the relevant Licence Holder.

Anti-Money Laundering / Countering Finance of Terrorism

A Licence Holder must appoint and retain at all times a Money Laundering Reporting Officer (MLRO).

[1] <> accessed 26 February 2019.

[2] Chapter 590 of the Laws of Malta.

[3] Under the VFA Act, a license holder is a person who holds a license under the Act. Vide Article 2 of the VFA Act.

[4] The VFA services listed in the Second Schedule are: (a) Reception and Transmission of Orders, (b) Execution of orders on behalf of other persons, (c) Dealing on own account, (d) Portfolio Management, (e) Custodian or Nominee Services, (f) Investment Advice, (g) Placing of virtual financial assets, and (h) The operation of a VFA Exchange.

[5] Subsidiary Legislation 590.01 ‘Virtual Financial Assets Regulations’.

[6] This term should be construed in accordance with Article 2(2) of the Innovative Technology Arrangements and Services Act, Chapter 592 of the Laws of Malta. Vide MFSA’s VFA Framework Glossary. An innovative technology arrangement can be any software or architecture utilizing distributed ledger technology, a smart contract or any other arrangement that may be approved.

[7] accessed 27 February 2019.