Banking & Finance

The 2018 International Comparative Legal Guide to Fintech in Malta – Q&As

10 Apr 2018

17 min read

Authors: Dr. Andrew J. Zammit & Dr. Kurt Hyzler

The Fintech Landscape

Describe the types of fintech businesses that are active in your jurisdiction and any notable fintech innovation trends of the past year within particular sub-sectors (e.g. payments, asset management, peer-to-peer lending or investment, insurance and blockchain applications).

Malta provides a very attractive environment for technology-based businesses having a European marketing strategy.  The island has seen significant growth in the technological sector, including an exponential rise in fintech businesses, including both start-ups and more established businesses.

The predominant type of fintech businesses currently established in Malta are payment institutions (PI/PSPs) and electronic money institutions (EMIs), both of which are classified as “financial institutions”. Rolling spot forex and binary option models are also present, albeit to a lesser extent than PSPs and EMIs.

With the introduction of the PSD2 framework, it is expected that there will be an increase in the number of operators in the payment services space establish themselves in Malta.

The Government has also indicated that it is aiming to develop Malta’s legal and regulatory framework to provide an innovation hub for the development of blockchain applications.  At the time of writing (March 2018), the Government of Malta announced its intentions to pass the following bills through Parliament.  We expect that this legislative package should be duly submitted to Parliament by Q3 2018:

  • The Malta Digital Innovation Authority Act (MDIA Act), which is expected to provide for the establishment of the Malta Digital Innovation Authority. This Authority will act as a central regulator and “will promote government policy that favours the development of Malta as a hub for new and innovative technologies”.
  • The Technology Arrangement Services Act (TAS Act), which is expected to set out the regime for the registration of technology service providers and the certification of “technology arrangements”. This framework will allow for the registration of auditors and administrators of DLT platforms, and set standards for the certification of such platforms.
  • The Virtual Currencies Act (VC Act), which will set out a framework for initial coin offerings (ICOs) and the regulatory regime on the provision of services related to virtual currencies.

It is also pertinent to note that The Malta Financial Services Authority (MFSA) issued a consultation paper on 30th November 2017, with a consultation period which ended on the 11th January 2018.  The MFSA invited practitioners to provide feedback on ICOs, VCs and Related Service Providers.

The discussion process focused, amongst other things, on how securitised tokens can be defined and identified, and also how best to treat those operators and intermediaries involved in the crypto and ICO value chain including inventors, issuers, miners, processing service providers, wallet providers, exchanges, trading platforms and other such players.

The feedback submitted by practitioners, operators and other stakeholders will be duly considered by the Authority and the Government in the course of the legislative process.

It is not clear when the results of the discussion process will be released by the MFSA but the indications are that these should be published in Q3l 2018.

Are there any types of fintech business that are at present prohibited or restricted in your jurisdiction (for example cryptocurrency-based businesses)?

While no specific types of fintech businesses are prohibited in Malta, the Malta Financial Services Authority (MFSA) takes a prudent and conservative approach towards reviewing any applicants looking for a Malta licence, particularly those in the online forex and binary options space.  The MFSA is also very prudent in its approach towards “pay-day loan” type offerings.

Insofar as initial coin offerings (ICOs), and virtual currencies (VCs) are concerned, it is the specific features of each particular instrument that will determine whether or not it falls within the scope of existing legislation and would therefore be governed by existing EU legislation such as Markets in Financial Instruments Directive (MiFID and MiFID 2), the Prospectus Directive, the Alternative Investment Fund Managers Directive (AIFMD), and/or the Financial Instruments Directive or possibly within the remit of Maltese national legislation such as the Investment Services Act and the Financial Institutions Act.

Those offerings falling outside the scope of existing EU and Maltese financial legislation such as, for example, tokens having features of membership or privilege cards and/or single- or multiple-use vouchers would not be prohibited by Maltese law, and several ICO and VC operators and intermediaries are in the process of establishing a presence in Malta.

Funding For Fintech

Broadly, what types of funding are available for new and growing businesses in your jurisdiction (covering both equity and debt)?

Fintech businesses looking to set-up in Malta would typically have equity backing originating from outside Malta, primarily other EEA jurisdictions.  Such financing usually takes the form of venture capital, loan capital or a combination of the two.  Admittedly, debt financing is made available to more established business models having a track record, since such models have a trading history to present to the banking institutions from which they seek to raise finance.  In the case of start-ups, debt financing is a significantly more challenging route.

Employee Share Option Programmes (ESOPs) are also commonly used by start-up companies seeking to engage and retain talent in the early years of their operations, whilst keeping their salary bill lower on the basis of key employees’ future equity participation.

To date, there have not yet been any fintech businesses that have sought to raise capital through an equity or a bond listing in Malta.  ICO issues by Maltese companies, on the other hand, have increased significantly over the past 12 months although there is no centralised record in Malta from which any reliable statistical information may be obtained in this regard.

Are there any special incentive schemes for investment in tech/fintech businesses, or in small/medium-sized businesses more generally, in your jurisdiction, e.g. tax incentive schemes for enterprise investment or venture capital investment?

Malta provides a very attractive corporate tax environment for businesses establishing a presence on the island, and this has seen significant growth in the Maltese economy, particularly over the past seven years.

In addition to the corporate tax incentives, fintech businesses regulated by the MFSA may also attract top talent to Malta through the 15% personal tax rate that is granted to qualified expatriates working in key positions with fintech and other financial services operators in Malta, which is known as the Highly Qualified Person programme.  This measure, which applies both to EU and non-EU nationals, was introduced by the Maltese Government in 2011 to sustain the burgeoning financial services industry with the best skill and talent available on the wider international market.

Venture capital financing is not available in Malta and most entrepreneurs seeking to base their businesses in Malta invariably source financing for their business from outside Malta.

Other incentives targeted at research, development and innovation could also be availed of by qualifying fintech undertakings.  These incentive schemes are administered by the Malta Enterprise which is the public corporation charged with attracting Foreign Direct Investment into Malta.

In brief, what conditions need to be satisfied for a business to IPO in your jurisdiction?

The requirements for an IPO in Malta can be stated as follows:

  • Minimum three year track record.
  • Appointment of a sponsoring broker.
  • Issuing of a Prospectus complying with the EU Prospectus Directive.
  • Shareholders’ funds and less intangible assets must be of at least €585,000.
  • Company must have a fully paid-up capital of at least €235,000.
  • Expected aggregate market value of the securities forming the subject of the application must not be less €1,165,000 (not being Preference Shares).
  • At least twenty-five percent (25%) of the listed class of shares shall be publicly held.

Have there been any notable exits (sale of business or IPO) by the founders of fintech businesses in your jurisdiction?

No, there have not been any notable exits in Malta.

Fintech Regulation

Please briefly describe the regulatory framework(s) for fintech businesses operating in your jurisdiction, and the type of fintech activities that are regulated.

The Malta Financial Services Authority, also referred to as the MFSA, is the regulatory authority charged with the power to regulate, monitor and supervise all financial services in Malta.  Fintech businesses are regulated by the general legal and regulatory provisions relating to credit institutions, financial institutions, investment services and insurance.  All of these financial services activities have witnessed technological developments that have created innovative fintech business propositions although admittedly payment related services have seen the most innovation over recent years.

Malta’s financial services legislation is organised under service- or activity-specific statutes which focus on the nature of the service being provided by the relevant undertaking.  One would therefore find laws such as the Banking Act, the Financial Institutions Act, the Investment Services Act and the Insurance Business Act under this category.  Therefore, fintech activities would be regulated in the same way that the corresponding non-fintech business (that is more traditional bricks-and-mortar operations) would.  There has, however, been significant focus on the part of the MFSA to introduce regulations, rules and policies which serve to address specific risks and concerns that are relevant for fintech models, revolving principally around security and technological standards.

In the course of 2018 we are expecting the Malta Digital Innovation Authority to be established, which will act as a central regulator and help promote government policy to develop Malta as a hub for new and innovative technologies.

Are financial regulators and policy-makers in your jurisdiction receptive to fintech innovation and technology-driven new entrants to regulated financial services markets, and if so how is this manifested?

The MFSA is receptive to fintech innovation and technology-driven financial services operators, and takes up a very pro-active approach towards new entrants, dedicating the resources to meet with the promoters of fintech businesses, even prior to commencing the application process, in order to understand their proposed model and provide valuable preliminary feedback.

This approach of open dialogue and hands-on regulation has made Malta a very popular base for fintech businesses, particularly in the PSP and EMI space.

What, if any, regulatory hurdles must fintech businesses (or financial services businesses offering fintech products and services) which are established outside your jurisdiction overcome in order to access new customers in your jurisdiction?

Fintech businesses licensed in another EEA state may freely target and access new customers in Malta as long as they have undertaken the necessary regulatory notifications to provide cross-border services or to establish a branch in Malta.  If a branch is established there is a registration requirement for that branch and also tax registration requirements.

Where, on the other hand, the fintech business is based outside of the EEA, the applicable regulatory framework would effectively prohibit any solicitation of customers based in Malta.

Other Regulatory Regimes / Non-Financial Regulation

Does your jurisdiction regulate the collection/use/transmission of personal data, and if yes, what is the legal basis for such regulation and how does this apply to fintech businesses operating in your jurisdiction?

Yes – the Data Protection Act (Chapter 440 of the Laws of Malta) (DPA) and its subsidiary legislation provide for the protection of individuals against the violation of their privacy by the processing of personal data.  The provisions of this statute implement the provisions of the EU’s Data Protection Directive.

The processing of data effectively refers to the processing (whether automated, mechanical, manual or otherwise) of a person’s data in a filing system, or in what is intended to form part of a filing system.

Do your data privacy laws apply to organisations established outside of your jurisdiction? Do your data privacy laws restrict international transfers of data?

Maltese Data Protection Law applies to:

  • Data controllers established in Malta.
  • Data controllers in a Maltese Embassy or High Commission outside Malta.

Equipment used for processing and situated in Malta, even where the Controller is established outside the EU.

Briefly describe the sanctions that apply for failing to comply with your data privacy laws.

Penalties for non-compliance with the Data Protection Act will depend on the level of breach.  The provisions of the law specify which level of sanction should apply for specific types of breach.

The Courts of Malta may impose the following penalties:

  • Level 1: Fine between €120 and €600, imprisonment of not more than one month.
  • Level 2: Fine between €250 and €2,500, imprisonment of between one and three months.
  • Level 3: Fine between €2,500 and €23,300, imprisonment between three and six months.

The Data Protection Commissioner may impose the following fines without recourse to a court hearing:

  • Level 1: Fine between €120 and €600, or a daily fine between €20 and €60.
  • Level 2: Fine between €250 and €2,500, or a daily fine between €25 and €250.
  • Level 3: Fine between €2,500 and €23,300, or a daily fine between €250 and €2,500.

Does your jurisdiction have cyber security laws or regulations that may apply to fintech businesses operating in your jurisdiction?

Yes.  Maltese laws dealing with various aspects of cybersecurity include the following:

  • the Maltese Criminal Code does deal with cybercrime in a chapter entitled ‘Of Computer Misuse’;
  • processing of Personal Data (Electronic Communications Sector) Regulations (Subsidiary legislation 440.01); and
  • the Electronic Communications Networks and Services (General) Regulations (Subsidiary Legislation 399.28).

Malta is also signatory to the Council of Europe Cybercrime Convention since 2001, which Convention was ratified in April 2012.

Describe any AML and other financial crime requirements that may apply to fintech businesses in your jurisdiction.

Malta holds a status as a full member of the EU and is signatory to the main international multilateral treaties which tackle money laundering in the world’s financial markets.  Although Malta is not a member of FATF, it does play an active role in Moneyval, or the Select Committee of Experts on the Evaluation of Anti-Money Laundering Measures.

Malta’s prevention of the money laundering regime is contained in two pieces of legislation, namely the Prevention of Money Laundering Act (PMLA) and the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR).  The PMLA establishes the foundations for the legal framework by introducing basic legal definitions, laying down the procedures for the investigation and prosecution of money laundering offences, and establishing the Financial Intelligence Analysis Unit, whilst the regulations provide the substantive provisions relating to the offences, and clarify the systems and procedures to be adopted by subject persons in the course of their business activities.

Are there any other regulatory regimes that may apply to fintech businesses operating in your jurisdiction?

The Electronic Commerce Directive (Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the internal market), which is transposed into Maltese law by virtue of the Electronic Commerce Act (Chapter 426 of the laws of Malta) and the Electronic Commerce (General) Regulation are relevant for fintech businesses operating from Malta.  These rules are relevant insofar as they define what constitutes an “Information Society Service” and provide a framework for such services to be conducted.

Accessing Talent

In broad terms, what is the legal framework around the hiring and dismissal of staff in your jurisdiction?  Are there any particularly onerous requirements or restrictions that are frequently encountered by businesses?

Employment law draws heavily on Anglo-Saxon law and practice, providing an extremely balanced framework for employers.  Whilst employees are provided with all the protection one would expect within the European Union, businesses are able to dismiss employees on the basis of just and sufficient cause or on the basis of redundancy without liability.

Social security contributions in Malta are reasonable and payroll formalities uncomplicated.  Besides, the Highly Qualified Persons tax programme offers key expat fintech personnel with a competitive 15% personal income tax rate on their employment income.  This programme has attracted significant talent to Malta, including within the fintech sector.

Unemployment in Malta is extremely low, requiring the labour market to be supplemented by EU and non-EU nationals that have moved to the island seeking various opportunities, including in the financial services industry, which is estimated to contribute an excess of 20% to Malta’s GDP.  Finding experienced fintech professionals could prove to be difficult given the limited size of the labour market (Malta has a population of approximately 420,000).  However the Maltese labour force is educated, loyal and ambitious, with a university population of over 10,000 students.  This provides fintech operators with the opportunity of training staff and providing them with on-the-job training.

What, if any, mandatory employment benefits must be provided to staff?

Employees are not granted any significant mandatory benefits by Maltese law.  Commercially agreed benefits are, however, becoming increasingly more commonplace.

What, if any, hurdles must businesses overcome to bring employees from outside your jurisdiction into your jurisdiction? Is there a special route for obtaining permission for individuals who wish to work for fintech businesses?

Any EEA citizens may freely establish themselves and work in Malta without any material formalities besides usual tax and social security registration and a notification procedure intended for statistical purposes.  Citizens of other countries are required to apply for a work permit on the basis of a formal job offer.  The granting of such a work permit will depend largely on the skills of the individual concerned and the industry in which he/she is seeking to be employed.

With Malta’s shortfall of personnel having both skill and experience in the fintech sector, obtaining a work permit for a suitably qualified individual should not be difficult, although such permits can involve a waiting time of up to 90 days until approved.


Please briefly describe how innovations and inventions are protected in your jurisdiction.

Any innovations and inventions that would qualify for protection can be protected locally depending on the nature of the particular innovation and invention.  Indeed, the European intellectual property framework has been transposed into local law and provides ample protection for any patents, trademarks, industrial designs and copyright in the widest sense.

Please briefly describe how ownership of IP operates in your jurisdiction.

Maltese law provides for specific protection for all aspects of IP, and this in the form of specific statutes regulating each individual area of IP.  Accordingly, in the case of trademarks, patents and designs,  protection may be sought pursuant to registration of the IP with the Maltese or European intellectual property office, whilst copyright would enjoy automatic protection in terms of the local Copyright Act without the need to pursue any formal registration in its regard.  In addition to the foregoing, the Maltese Commercial Code also provides specific protection in respect of trademarks against unlawful competition.

In order to protect or enforce IP rights in your jurisdiction, do you need to own local/national rights or are you able to enforce other rights (for example, do any treaties or multi-jurisdictional rights apply)?

In addition to local/national rights, one would be able to enforce any European Union rights, registered with the competent supranational authorities, as well as any rights that are considered to be famous and well-known in terms of Article 6bis of the Paris Convention.

How do you exploit/monetise IP in your jurisdiction and are there any particular rules or restrictions regarding such exploitation/monetisation?

There are no restrictions to the exploitation or monetisation of IP rights provided that such practices are in-keeping with the general Maltese legal framework and Maltese mandatory public policy rules.

For further information about how GVZH Advocates can help you with your banking and finance legal requirements kindly contact us on