Data Protection

Compliance for FinTech Companies: What your Website Visitors Have a Right to Know

12 Jul 2016

4 min read

In recent years, the financial services industry has been moving into the digital world, with many financial institutions also operating online. The use of software to provide financial services is known as “FinTech”. Between 2010 and 2015, total global investment in FinTech amounted to $49.7 billion. The most popular FinTech areas are payment and lending services (consumer and retail), blockchain services such as Bitcoin, and cybersecurity and cloud-based services such as market monitoring and tracking.

Legislation regulates both the information which must be provided on a financial institution’s website and the manner in which that information is to be presented, and financial services providers need to take both into consideration. Below is an outline of the principal Maltese rules and regulations to which financial institution websites must adhere.

Distance Marketing of Consumer Financial Services

Key information about the financial institution’s products and services must be provided in at least one of the official languages of Malta. Before a contract is concluded between the financial institution and a third party, the institution must provide certain information about itself as the service provider, about the financial service itself, about the terms to be found in the distance contract, and about the methods of redress available.

Compliance with the Distance Marketing of Consumer Financial Services Directive is regulated by the Malta Financial Services Authority (MFSA). Failure to comply with the provisions in the Distance Marketing of Consumer Financial Services Directive may result in an administrative fine of up to €93,000 on the supplier, or the manager, secretary, director or other person responsible for the supplier’s activity.

E-Commerce Act

Under the Electronic Commerce (General) Regulations, implemented in Malta through S.L. 426.02, a financial institution may only send direct marketing by electronic means if certain conditions are met. For example, no unsolicited communications may be sent unless the client has given his prior consent, and the person or company sending the advertisement must be identified. The Malta Communications Authority has the power to impose fines of up to €23,293.73 for non-compliance with the provisions of these regulations.

Comparative Advertising

The use of comparative advertising in Malta must comply with certain provisions of the Commercial Code. For example, comparative advertising must not be misleading and must not take unfair advantage of the reputation of a third party’s trademark. The First Hall of the Civil Court in Malta may impose a fine of up to €4,658.75 for any breach of the provisions relating to comparative and misleading advertising.

Financial institution websites must ensure compliance with the Data Protection Act, the EU Directive on the Protection of Personal Data, and the Directive on Privacy and Electronic Communications. Whenever personal data is collected through the website, the basic privacy choices and policies must be displayed prominently on the same page on which the data is collected, together with a link to a fuller and proper explanation in a privacy policy.

The data controller, or any other person authorised to act on his behalf, must provide a data subject from whom data relating to that data subject are collected with certain information, inter alia the identity and habitual residence or principal place of business of the controller (and of any other person authorised to act on his behalf) and the purposes of the processing for which the data is intended.

The use of “cookies” on a website also falls within the broader realm of data protection regulation. A cookie can be thought of as an internet user’s identification card: its contents are set by the server and can be read back by that server should the user visit the site again. Users must be informed about the site’s use of cookies and other tracking technologies, and about how they can delete and control them.

In Malta, the Data Protection Commissioner may impose fines of up to €23,300 for a breach of any provision of the Data Protection Act, plus €50 for each day the violation persists, and/or imprisonment of up to six months.

A website disclaimer, although not required by law, should be used to address in particular intellectual property matters and hyperlinking matters, such as advertisements, hyperlinks and pointers to websites operated by third parties.

GVZH Advocates can help you make sure that you are compliant with the above-mentioned regulations. For further information about how GVZH Advocates can help you with your financial services requirements, please contact us.