Guidance Document for Credit Institutions, Payment Institutions and Electronic Money Institutions opening accounts for FinTechs
On the 18th June 2019, the Malta Financial Services Authority (“MFSA”) and the Financial Intelligence Analysis Unit (the “FIAU”) published a joint Guidance Document for Credit Institutions, Payment Institutions and Electronic Money Institutions opening accounts for FinTechs (the “Guidance”). This Guidance has been published following a joint public consultation by the MFSA and the FIAU issued on the 27th March 2019.
The Guidance stresses that it is not intended to replace the obligations that a subject person has to fulfil in terms of the Prevention of Money Laundering and Funding of Terrorism Regulations (the “PMLFTR”), but rather seeks to assist institutions in acquiring a better understanding of the risks posed by such prospective customers and to complement their due diligence procedures. This is in line with the risk-based approach which should be implemented by the institutions in terms of the PMLFTR and the Implementing Procedures issued by the FIAU.
Guidance Note on Cybersecurity
Following the feedback received from the stakeholders in response to the MFSA Guidance Notes on Cybersecurity – Consultation Document, the MFSA has recently finalised the Guidance Notes on Cybersecurity (the “Guidance Notes”).
The key points identified by respondents and which were subsequently included in the Guidance Notes are the following:
- Ongoing Monitoring – Proactive monitoring shall be given more attention in order to ensure that systems and networks are safeguarded in real time. This should be achieved through intrusion detection measures which prompt alerts of any cyber threats;
- Data Loss Prevention framework – A Data Loss Prevention framework should be in place in order to detect and flag any unauthorised disclosure of data; and
- Preventing critical lock-out scenarios – This should be achieved through a Privileged Access Management Policy.
The Guidance Notes provide a minimum set of best practices and risk management procedures to be followed in order to effectively mitigate cyber risks. The Guidance Notes apply to the decision-making body of an entity regulated under the rules applicable to Professional Investor Funds investing in Virtual Currencies or under the VFA Rulebook (the “Entity”), which Entity is required to establish and maintain a prudent operational governance framework that, inter alia, should include cybersecurity.
In this regard, please feel free to contact us should you require more information in relation to the above Guidance documents.