The Virtual Currency Regulation Review: Malta
Introduction to the legal and regulatory framework
Malta remains at the forefront of the major developments taking place within the blockchain and cryptocurrency scene, both within the European Union and globally. In 2016, the Maltese government set up a Blockchain Taskforce to help create and implement a national blockchain strategy aimed at materialising the opportunities of distributed ledger technology (DLT) and of setting the necessary safeguards. This strategy eventually resulted in three new laws relevant to the sector being published in 2018: the Virtual Financial Assets Act, Chapter 590 of the Laws of Malta (the VFA Act), the Innovative Technology Arrangements and Services Act, Cap 592 of the Laws of Malta (ITASA), and the Malta Digital Innovation Authority Act, Cap 591 of the Laws of Malta (the MDIA Act).
Considering the size of Malta's gaming sector, it is natural to link this thriving sector to the future of DLT; Malta was a trailblazer in the gaming sector and in its regulation of gaming law, creating a robust framework wherein licensees can operate in a well-regulated and flexible atmosphere.
Malta has not only enacted three full pieces of legislation, but various stakeholders and authorities continue to release guidelines to assist in the application and implementation of these laws. For instance, the Malta Gaming Authority issued a position on virtual currencies and their adoption within the Maltese gaming context and has created a sandbox for the use of certain cryptocurrencies by MGA licensees. The Malta Financial Services Authority (MFSA) also issued three Rulebooks covering the role of virtual financial asset (VFA) agents, issuers of initial coin offerings (ICOs) and providers of crypto services, which it updates on a regular basis to reflect developments in this field. Following the coming into force of the VFA Act and the finalisation of the aforementioned Rulebooks, the MFSA approved the first batch of VFA agents and launched the application forms for prospective crypto services (VFA service providers) and issuers to respectively initiate the licensing process and white paper registration. In addition, the Financial Intelligence Analysis Unit (FIAU) recently issued Part II of the Implementing Procedures on the Application of Anti-Money Laundering and Countering the Funding of Terrorism Obligations to the Virtual Financial Assets Sector.
Securities and investment laws
Investment services rendered in relation to securities and financial instruments, whether traditional or dependent upon DLT, are regulated by the Maltese Investment Services Act, Chapter 370 of the Laws of Malta and the Markets in Financial Instruments Directive (MiFID). On the other hand, the VFA Act aims to regulate DLT assets, which are to be distinguished from financial instruments, electronic money and virtual tokens.
The VFA Act defines virtual tokens as a form of digital medium recordation whose utility, value or application is restricted solely to the acquisition of goods or services, either solely within a DLT platform on or in relation to which it was issued or within a limited network of DLT platforms. If a virtual token is or can be converted into another DLT asset type, it is treated as the DLT asset type into which it is or may be converted, unless its technical set-up prohibits the virtual token's conversion.
Electronic money is regulated in accordance with the Financial Institutions Act (Chapter 376 Laws of Malta) and specifically Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions.
The term VFA is defined as any form of digital medium recordation that is used as a digital medium of exchange, unit of account or store of value, and that is not electronic money, a financial instrument or a virtual token. Thus, primarily, the VFA Act aims to regulate assets that do not fall within the parameters of traditional security legislation.
To offer legal clarity regarding this distinction, the MFSA created the Financial Instrument Test. The Test must be applied to each DLT asset (i.e., financial instruments, electronic money or virtual tokens dependant on DLT) to determine its nature and the respective applicable legal framework based on the token's features.
Once the type of DLT asset is determined, the following legal regime will be applicable:
- virtual tokens are not regulated by any specific body of law in Malta;
- financial instruments are defined as set out in the MiFID and thus regulated by financial services legislation;
- electronic money is regulated in Malta by the Financial Institutions Act; and
- VFAs are regulated by the VFA Act.
The Test is expected to be carried out compulsorily within the context of an ICO for VFAs, referred to as an initial VFA offering (IVFAO) by the issuer and his or her VFA agent. It must also be carried out by persons providing any service or performing any activity within the context of the VFA Act or traditional financial services legislation in relation to DLT assets whose classification has not been determined. Given that the type of DLT asset may change during its lifetime, the MFSA may at any time order the conduct of the Test again to obtain an update on the determination of a DLT asset. If the DLT asset is not issued in or from Malta, the Test must be conducted before any service involving the asset is provided in Malta.
If a DLT asset, such as a securitised token, is considered to be a financial instrument by the Financial Instrument Test, then it is to be regulated by financial services legislation. In this case, rather than conducting an IVFAO or ICO, the issuer would need to assess whether the security token offering qualifies as an offer to the public or not. If it is deemed to constitute an offer to the public, then a prospectus must be drafted and registered with the authority in line with the Prospectus Regulation. The MFSA has also issued feedback on a recent consultation process on the offering of tokens that classify as financial instruments. In the coming months, the MFSA will be collaborating with the Malta Business Registry to explore whether any provisions of the Companies Act require any amendments to clarify whether the registers of members and debenture holders can be kept in dematerialised form using DLT.
Banking and money transmission
When addressing the holding of cryptocurrencies between issuer and investor during the undertaking of a VFA service, the VFA Act makes reference to wallets.
The VFA Act addresses custodian and nominee services and defines them as a VFA service licensable under the Act. Under the VFA Act, acting as a custodian or nominee holder of VFAs or private cryptographic keys, or both, or if in conducting such activities the nominee is holding such assets or keys on behalf of another person, these are considered to be VFA services.
According to the VFA Act, an issuer must provide a detailed description of the issuer's wallet or wallets used in the white paper along with a description of the 'security safeguards against cyber threats to the underlying protocol, to any off-chain activities and to any wallets used by the issuer'. The Act thus addresses security measures that are paramount to the existence and reliability of a wallet. The Act does not impose any requirements in terms of the actual technology to be used when hosting such wallets, thus ensuring the intended neutrality of the law.
If a DLT asset is classified as electronic money, it continues to be regulated by the Financial Institutions Act, and ancillary rules and regulations.
The provision of banking services in relation to cryptocurrencies, and more specifically VFAs, continues to be regulated by financial services legislation through the Banking Act, and ancillary rules and regulations.
Money laundering is criminalised primarily by means of the Prevention of Money Laundering Act and the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR). The PMLFTR contain detailed provisions on the measures and procedures to be maintained and applied by subject persons.
As with all new technologies, there are often hurdles that stand between advancement and stasis. Anti-money laundering could be considered to be one such hurdle in the sphere of cryptocurrency regulation. Concerns about money laundering and the funding of terrorism are often the rationale behind the banning of virtual currencies entirely. One of the primary risks noted by the authorities, along with regulators around the globe, is the anonymous and pseudo-anonymous nature of cryptocurrencies.
The Prevention of Money Laundering Act and the PMLFTR are supplemented by the Implementing Procedures issued by the FIAU. The Implementing Procedures are binding on subject persons, and failure to comply is subject to an administrative penalty.
The term 'subject persons' is defined in the PMLFTR as 'any legal or natural person carrying out either relevant financial business or relevant activity'. The term 'relevant financial business' now includes reference to 'VFA services carried out by a person or institution licensed or required to be licensed under the provisions of the Virtual Financial Assets Act' as well as 'the issue of virtual financial assets for offer to the public in or from Malta in terms of the Virtual Financial Assets Act'. The VFA Act has, therefore, extended the term subject person to include issuers of VFAs conducting an IVFAO as well as those offering VFA services. The VFA Regulations also set out that the term includes persons who are acting under an exemption from the requirement of a VFA licence. This therefore means that the provisions of the PMLFTR as well as the FIAU Implementing Procedures regulate the procedures and measures to be adopted by such persons under the VFA Act with regards to anti-money laundering and countering the funding of terrorism.
Subject persons, therefore, as defined in both the PMLFTR and the VFA Act, must take appropriate steps to identify the risks of money laundering and the funding of terrorism that could arise out of their business activities. This risk assessment must be properly documented, as the FIAU may demand this documentation.
Subject persons under the VFA Act are required to appoint and have a money laundering reporting officer (MLRO) in place at all times. The role is an onerous one and can only be held by individuals who fully understand the extent of the responsibilities attached to it. The MLRO must be a senior employee or a member of the board of administration.
In 2016, the European Commission proposed a fifth revision of the Anti-Money Laundering Directive. The proposal included measures that aimed to enhance the powers of the European Union in the fight against money laundering, as well as to introduce safeguards in the area of virtual currencies.
One of the changes that affected the cryptocurrency sphere was the extension of the scope of the Directive to cover both wallet providers and exchange service providers. Perhaps the most important change that came about through this revision was the inclusion of a definition of virtual currencies. This definition ensures that providers of exchange services and custodian wallet providers would also have to comply with the Directive.
The definition states that virtual currencies are 'a digital representation of value that is not issued or guaranteed by a central bank or a public authority, is not necessarily attached to a legally established currency, and does not possess a legal status of currency or money, but is accepted by natural or legal persons, as a means of exchange, and which can be transferred, stored and traded electronically'. This definition ensures that the concepts of electronic money and funds are entirely separate to that of virtual currencies.
The preamble to the Fifth Anti-Money Laundering Directive, which was adopted in April 2018, also provides further clarity, stating that virtual currencies may be used as a means of exchange, for investment purposes, as store-of-value products or in online casinos. It is important to note that the Fifth Anti-Money Laundering Directive also limits itself to regulating fiat-to-crypto exchanges and not crypto-to-crypto exchanges.
Following a consultation process, the FIAU issued new Implementing Procedures, which take into consideration the provisions of the Fifth Anti-Money Laundering Directive and which apply to all subject persons, including VFA Agents, VFA Service Providers and persons offering VFAs to the public. This has been further supplemented by specific Implementing Procedures on the Application of Anti-Money Laundering and Countering the Funding of Terrorism Obligations to the Virtual Financial Assets Sector. The Implementing Procedures set out the requirement for subject persons to carry out a business risk assessment to identify the risks their business is exposed to. Subject persons must also carry out a customer risk assessment to determine risks present in individual business relationships and occasional transactions. The Implementing Procedures also discuss the risk-based approach, the importance of distinguishing business relationships from occasional transactions for AML purposes, conducting ongoing monitoring, and source of wealth and source of funds, and outline a number of red flags that may be typically encountered in this sector.
Regulation of exchanges
The VFA Act regulates virtual exchanges established in Malta to protect investors from fraud and market abuse to combat money laundering and the financing of terrorism activities, and to ensure that exchanges operate using reliable technology.
The VFA Act only allows VFAs to be admitted on VFA exchanges. Indeed, DLT assets that are qualified as financial instruments through the Financial Instrument Test must be exchanged on traditional financial markets. Virtual tokens as defined in the VFA Act cannot be exchanged on a DLT exchange; in fact, if a virtual token is traded on a DLT exchange it would change the nature of a virtual token, causing it to be regulated either by the VFA Act or traditional financial services laws.
Operating a VFA exchange is expressly considered as one of the VFA services listed in the Act. As a VFA service provider, the operator of a VFA exchange must therefore comply with all the requirements governing the offer of a VFA service. It must:
- be a legal person established in Malta;
- establish different entities if it wishes to conduct activities incompatible with its VFA licence;
- select a VFA agent approved by the MFSA to act as liaison between the exchange and the MFSA during the licensing process, and to ensure that the provisions of the Act are properly complied with;
- apply, through its VFA agent, and obtain a licence granted by the MFSA, and comply with the rules and regulations applicable to licence holders;
- conduct the Financial Instrument Test on all the DLT assets listed on the exchange both when admitting that asset for trading onto the exchange and when the asset changes in nature;
- circulate advertisements that are accurate and consistent;
- appoint a MLRO who must be a senior employee of the licensee, its compliance officer or a member of the board of administration;
- appoint a compliance officer responsible for the compliance function of the exchange and for any reporting required by the MFSA Rules; and
- comply with all the relevant regulations made in application of the Act, such as the MFSA Rules.
The operator of a VFA exchange may offer other VFA services provided it holds a licence to do so. However, a VFA licence holder may not offer VFA services that are not covered by the licence held by the VFA licensee and may not conduct other business activities requiring a licence under Maltese law unless it establishes separate entities for these activities. This segregation of activities, particularly when offering both services under the VFA Act and services under the financial services framework, is intended to better protect investors' assets.
The MFSA may require access to all information related to any asset traded on a VFA exchange. As the competent authority, it may decide or demand that a VFA exchange discontinue or suspend the trading of an asset, and even any derivative related to it, if the asset no longer complies with the definition of a VFA, if it believes or suspects that a provision of the Act has been infringed, or if the orderly transaction of business is being prevented.
The Act also regulates the advertisement of the admission of a VFA to trading on a VFA exchange. Advertisements must be clearly identifiable as such, and may not include inaccurate or misleading information. The information must also be consistent with the required contents of the white paper. Furthermore, no person other than a VFA licence holder may issue an advertisement relating to a VFA service in or from Malta unless its contents have been vetted and approved by the licence holder's board of administration.
A VFA exchange must ensure that it is equipped with effective systems of detecting possible market abuse. Any suspicion of market abuse must be reported immediately to the MFSA. This refers to instances of insider dealing, unlawful disclosure of inside information and market manipulation when dealing with VFAs.
Regulation of miners
The VFA Act is drafted with technology neutrality in mind, and its application is therefore not based on the way a coin is created (whether by proof of work, proof of stake or other consensus mechanisms).
Nevertheless, miners remain generally unregulated within the context of Maltese law. Reference is, however, made to miners within the 'Guidelines for the VAT Treatment of transactions or arrangements involving DLT Assets', which provide that should miners receive payment for other activities, such as services in connection with the verification of a specific transaction, these services are deemed to be a chargeable event, with applicable Maltese VAT standard rates.
Regulation of issuers and sponsors
The VFA Act establishes legal definitions of numerous cryptocurrency and DLT-related concepts, offering legal certainty to business promoters and investors alike. The concept of an initial coin offering is termed an IVFAO, which excludes the issue of a virtual token, a financial instrument and electronic money.
Any person wishing to offer a VFA to the public in or from Malta, or wishing to apply for the VFA's admission to trading on a DLT exchange, must draw up a white paper in line with the VFA Act and register it with the MFSA 10 working days before the date of its circulation in any way whatsoever. Thus, to conduct an IVFAO, it would be necessary to conduct the Financial Instrument Test to ensure that the DLT asset is in fact a VFA. The Test is discussed at length in Section II.
The issuer must be a legal person managed by at least two individuals to ensure the principle of dual control and to appoint a board of administrators, an MLRO, an auditor and, where necessary, a custodian and a systems auditor. Issuers are also required to:
- conduct their business with honesty and integrity;
- communicate with investors in a fair, clear and non-misleading manner;
- conduct their business with due skill, care and diligence;
- identify and manage any conflict of interest that may arise;
- have effective arrangements in place for the protection of investors' funds;
- have effective administrative arrangements; and
- maintain all their systems and security access protocols to appropriate international standards.
The white paper must describe the IVFAO project in simple and informative terms and must be registered with the competent authority (the MFSA). The MFSA may, in certain specific cases, prohibit or suspend an IVFAO.
The white paper issued for an IVFAO must include information that, according to the particular nature of the issuer and of the VFAs offered to the public, is necessary to enable investors to make an informed assessment of the prospects of the issuer, the proposed project and the features of the VFA. The white paper may not contain a condition requiring or binding an investor to waive compliance with any requirement under the VFA Act, or purporting to affect the investor with notice of any contract, document or matter not specifically referred to in the white paper. The VFA agent is required to confirm that the white paper complies with the requirements of the VFA Act.
The VFA agent is also required to advise and guide the issuer as to its responsibilities and obligations under the VFA Act. The VFA agent must also receive and retain all documentation and information to demonstrate how, and to what extent, the issuer has satisfied the requirements prescribed in the VFA Act and of any ancillary rules or regulations insofar as they apply to any offer or admission to trading. This includes ensuring that the issuer is considered to be a fit and proper person to carry out such activities, and demonstrating how the issuer has complied and, as far as it can be determined, will comply with its continuing obligations under the VFA Act.
Before issuing an IVFAO, the issuer must also provide a copy of the audited annual accounts for the past three financial years and a confirmation by its systems auditor that its technology arrangement complies with the qualitative standards and guidelines issued by the Malta Digital Innovation Authority (MDIA), a new DLT regulator created by the government.
The VFA Act also regulates the advertisement of any IVFAO. Such advertisement must be clearly identifiable as such, and may not include inaccurate or misleading information. The information must also be consistent with the required contents of the white paper.
Criminal and civil fraud and enforcement
The VFA Act, together with the Virtual Financial Asset Regulations and the ancillary MFSA Rulebooks, confer the minister responsible for the regulation of financial services and the MFSA with powers to protect investors' interests while also overseeing the orderly transaction of business, primarily that of IVFAOs and VFA service providers.
Issuers of VFAs are liable for damages sustained by a person as a direct consequence of that person having bought VFAs, either as part of an IVFAO by the issuer or on a DLT exchange, on the basis of any false information contained in a white paper, on a website or in an advertisement. A statement included in a white paper, on a website or in an advertisement is deemed to be untrue if it is misleading or otherwise inaccurate or inconsistent, either wilfully or in consequence of gross negligence, in the form and context in which it is included.
The MFSA may suspend or terminate the trading of a VFA if this is in the interest of the VFA exchange, investors or the general public. Conversely, to avoid causing significant damage to investors' interests or the orderly functioning of a VFA exchange, the VFA exchange may suspend or remove from trading a VFA that no longer complies with the definition of a VFA or with its by-laws.
The MFSA may impose unilateral decisions on any issuer of an IVFAO and on any VFA agent or VFA service provider. It is thus empowered to:
- request information from any person;
- order the review of the determination of a DLT asset and submit this determination to a test;
- appoint inspectors to investigate and report on the activities of an issuer, VFA agent or VFA service provider;
- order an issuer or service provider to cease operations or appoint a person to advise him or her, take charge of his or her assets, or even control his or her business;
- order the suspension or the discontinuation of the trading of a VFA; and
- impose administrative penalties.
Where a VFA licence holder, or the secretary, a member of the board of administration or any other person responsible for a licence holder, contravenes or fails to comply with any of the licence conditions, or he or she is deemed to be in breach of the VFA Act, regulations or rules, including through a failure to cooperate in an investigation, the MFSA may impose an administrative penalty of up to €150,000 by notice in writing and without recourse to a court hearing.
In the public interest, most decisions made by the competent authority are subject to appeal in front of the Financial Services Tribunal.
The VFA Act does not put in place any specific tax regime in relation to cryptocurrencies, and more specifically VFAs. However, the VFA Act provides that regulations may be drawn up by the responsible minister to address certain tax matters, thus allowing for further regulation outside the main Act. In fact, the Maltese Inland Revenue Department has issued guidelines for the treatment of VAT for transactions involving DLT, guidelines on the Income Tax Treatment of transactions or arrangements involving DLT Assets, and Guidelines for the purpose of the Duty on Documents and Transfers Act. The guidelines address the various types of DLT Assets that exist, including the treatment of hybrid tokens.
Under the Income Tax Rules, the guidelines provide that any payment carried out in cryptocurrencies is to be treated as payment made or received in other currencies. However, generally, to determine duty on document transfers, this determination is to be made on a case-by-case basis. Charging of VAT depends on whether a specific good or service is identified.
On other matters ancillary to tax, the responsible minister can issue regulations to be able to organise compensation schemes for investments, and those schemes are exempt from the payment of income tax as of their date of establishment.
Furthermore, the First Schedule of the VFA Act provides that when drawing up a white paper to offer a VFA, any applicable tax that might apply to that VFA is to be included in the white paper.
Other legal considerations
The VFA Act does more than just regulate the roles of issuers and exchanges; in fact, the Second Schedule of the VFA Act refers to other services that, when provided in relation to VFAs, constitute a licensable activity under the VFA Act. These include:
- the receipt and transmission of orders;
- the execution of orders on behalf of other persons;
- dealing on own account;
- portfolio management;
- custodian and nominee services;
- investment advice; and
- the placing of VFAs.
These activities require a licence to operate in or from Malta, and must comply with the ongoing obligations set out in the Act.
The accompanying Regulations to the Act and MFSA rules emerging from the Rulebook contain detailed provisions on the licensing requirements for VFA service providers and the licensing process.
The Regulations provide for four classes of licences, with each having varying minimum capital requirements.
All prospective VFA service providers must be set up as a legal person managed by at least two individuals to ensure the principle of dual control; this was, in fact, one of the changes carried out to the VFA legal framework with the adoption of the third Rulebook for VFA Service Providers. Prospective VFA service providers must appoint a money laundering reporting officer and a compliance officer. The VFA service provider may also be required to appoint a systems auditor in relation to its innovative technology arrangement. Where an applicant or licence holder does not have an innovative technology arrangement in place as part of its operations, the MFSA requires it to carry out an IT audit instead of a systems audit. The VFA service provider must also ensure that its cybersecurity architecture: adheres to, inter alia, any cybersecurity guidelines issued by the MDIA; maintains adequate risk management policies and procedures; safeguards clients' rights in relation to virtual financial assets and money; and keeps records of all its services and transactions.
The VFA Act also regulates the role of the VFA agent who is responsible for representing a prospective VFA service provider before the MFSA, and who acts as an intermediary between the authority and the provider. An issuer of VFAs or any VFA service provider seeking licensing or authorisation under the Maltese regime is required to appoint a VFA agent to apply on his or her behalf.
An application for a VFA services licence may only be done through a VFA agent. The VFA agent is required, diligently and with utmost good faith, to submit full and correct information whenever it is required to do so; and to support the MFSA in carrying out its reviews to establish that the applicant is a fit and proper person to provide the VFA service, that it has a good reputation, that it is competent and solvent, and that it will comply with and observe the requirements of the VFA Act, and any regulations made and rules issued thereunder and that are applicable to it.
The government also created a new DLT regulator, the MDIA. The MDIA is tasked with issuing certifications for innovative technology arrangements, which are primarily regulated under the ITASA. Innovative technology arrangements include types of DLT, smart contracts and DAOs. The ITASA's certification regime is a voluntary one, unless an innovative technology arrangement is used by an IVFAO or by a gaming platform seeking to be licensed by the MGA.
The VFA Act and ancillary regulations and rules were drafted with technology neutrality in mind to be able to keep abreast with technological advancements in this field. As Malta continues to regulate cryptocurrency-related activities through its licensing regime, the regulator will undoubtedly respond to the industry's requirements, and assess the efficiency and applicability of the legal regime to consider any possible amendments for its improvement. The government is now also looking ahead, having set up an artificial intelligence (AI) strategy focusing on investment, start-ups and innovation, and public sector adoption and private sector adoption of AI, as well as looking at implementing specific guidelines for security token offerings.
1 Ian Gauci is a managing partner, Cherise Abela Grech and Terence Cassar are senior associates and Bernice Saliba is an associate at GTG Advocates.