MFSA issues Consultation Document on the Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements  

On 30 June 2020, the Malta Financial Services Authority (the “MFSA”) issued a Consultation Document on the Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements (the “Guidance Document”).

The MFSA recognises that proper governance and control over technology arrangements and their outsourcing, as well as an effective cybersecurity framework, have become of utmost importance for any organisation. Moreover, the scope of outsourced services has widened to the extent that these can be provided from virtually any location, which may result in adverse risk and also makes it more difficult for the MFSA to exercise its oversight and monitoring functions. The MFSA is therefore proposing this Guidance Document, which sets out the MFSA’s expectations.

The Guidance Document is split into five titles as follows:

Title 1 – Scope and Application

Title 1 outlines the scope of this Guidance Document. Licence Holders are expected to establish and maintain an operational governance framework which includes ICT governance and risk mitigation. This title also identifies the entities licensed by the MFSA to which this Guidance Document applies, including investment services licence holders, trustees and fiduciaries, financial institutions, and company service providers.

Title 2 – High Level Principles

Title 2 explains the four high-level principles on which this document is based, namely: Proportionality; Principles-based consistency of outcomes; Information Assurance in Technology Arrangements; and Approach to cloud computing.

Title 3 – Technology Arrangements

Title 3 delves into the main characteristics of cloud computing, including cloud computing service models, cloud computing deployment models and shared responsibilities for different cloud service models.

Title 4 – ICT and Security Risk Management

Title 4 provides for internal governance and risk management measures that should be taken into account when managing risks associated with Technology Arrangements, their operations and the data they contain. This title covers various aspects such as ICT strategy, ICT Risk Management, Information Security, ICT Operations Management and ICT Project and Change Management.

Title 5 – Outsourcing Arrangements

Title 5 provides for internal governance arrangements, such as sound risk management, that a Licence Holder must have in place when outsourcing its functions, particularly when outsourcing critical or important functions, in a Technology Arrangement or an outsourced business function or process that is delivered as a Cloud Service.

This section also provides guidance on other internal governance arrangements including management of conflicts of interest, business continuity planning and internal audit function expectations.


Interested stakeholders are encouraged to participate in the consultation by submitting their feedback to the MFSA by no later than 28 August 2020.

Feel free to contact us if you require further information on the applicable Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements.