Banking & Finance

Consultation Paper on the Virtual Financial Assets Rules for VFA Service Providers

10 Sep 2018


On Friday 31st August, the MFSA published a consultation document outlining the Virtual Financial Assets (VFA) Rules for VFA Service Providers (which include VFA [Crypto] Exchanges). The document is the third and final Chapter of the “Virtual Financial Assets Rulebook”. The scope of the Consultation is to obtain industry feedback on Chapter 3 of the Virtual Financial Assets Rulebook and on the Authority’s interpretation of the transitory provision provided under Article 62(1)(c) of the Virtual Financial Assets Act (VFAA).

Transitory provision under Article 62(1)(c) – VFAA

The applicant has a twelve-month period from the date of coming into force of the VFAA to apply for a licence with the MFSA in terms of Article 14 of the Act. For the transitory period to apply, mere incorporation is not deemed sufficient: entities are required to be actively operating prior to the coming into force of the VFAA.

Licensing Requirements for VFA Services

The four classes of VFA Services are the following:

  • Class 1 – Licence holders authorised to receive and transmit orders and/or provide investment advice in relation to one or more virtual financial assets and/or the placing of virtual financial assets. Class 1 Licence Holders are not authorised to hold or control clients’ money.
  • Class 2 – Licence holders authorised to provide any VFA service but not to operate a VFA exchange or deal for their own account. Class 2 Licence Holders may hold or control clients’ money in conjunction with the provision of a VFA Service.
  • Class 3 – Licence holders authorised to provide any VFA service but not to operate a VFA exchange. Class 3 Licence Holders may hold or control clients’ money in conjunction with the provision of a VFA Service.
  • Class 4 – Licence holders authorised to provide any VFA service. Class 4 Licence Holders may hold or control clients’ money in conjunction with the provision of a VFA Service. A Class 4 Licence is applicable to VFA (Crypto) Exchanges.

A person applying for a licence to provide a VFA service shall be a legal person established in Malta. Moreover, a person seeking licensing under the VFAA to provide a VFA Service shall appoint a VFA Agent registered with the MFSA. The Applicant shall ensure that all communications, meetings, notifications and/or submissions to the MFSA are made through its VFA Agent. The VFA Agent is required on an ongoing basis, is responsible for assessing the fitness and properness of the Applicant, and may also hold the role of Compliance Officer.

The Authority may require an applicant to appoint a Systems Auditor in relation to its Innovative Technology Arrangement and may also require such an Applicant to have a Systems Auditor in place at all times. The Systems Auditor shall be responsible for reviewing and auditing the Applicant’s Innovative Technology Arrangement.

Licensing of a VFA Service Provider

The onus of providing assurance to the Authority that a person is a fit and proper person to provide a VFA service rests with the Applicant and its VFA Agent. The fitness and properness assessment shall be applicable to every (i) person that has a qualifying holding in the Applicant, (ii) beneficial owner, (iii) member of the Board of Administration of the Applicant, (iv) Senior Manager, (v) MLRO, (vi) Compliance Officer, (vii) Risk Manager (where applicable) and (viii) any other person who will effectively direct the VFA business of the Applicant. The above-mentioned persons shall also demonstrate and provide reasonable assurance to the satisfaction of the Authority that they have sufficient competence in terms of qualifications, experience and skills as well as that they are capable of committing sufficient time to effectively carry out their particular activities or functions within the Applicant’s proposed structure.

The application process of VFA service providers

Preparatory Phase – The Applicant shall notify the Authority in writing, through its VFA Agent, of its intention to apply for a VFA Services Licence. The Authority, upon receipt of the aforementioned statement of intent, shall schedule a preliminary meeting with the Applicant. Such a meeting is mandatory during this phase of the application process. The Applicant shall, by not later than 60 days from the date of the preliminary meeting, submit an application form with any supporting documentation as specified therein. The Authority shall not initiate the review of any application which is not complete.

Pre-Licensing Phase – The Authority shall, upon submission of the complete application pack, initiate the review of the application and the supporting documentation. Once it is satisfied with the information set out in the application documentation and with the completion of the fitness and properness assessment, the Authority shall issue an ‘in principle Approval’, which shall be valid for a period of three months from the date of issue.

Post-Licensing & Pre-Commencement of Business – Licence Holders may be required to satisfy, within set timeframes, a number of post-licensing matters, as determined by the Authority, prior to the commencement of business. The Licence Holder shall commence its VFA Services business within twelve months of the date of issue of the VFA Services Licence.

Ongoing Obligations for VFA Service Providers

The VFA Service Provider’s business shall be effectively directed or managed by at least two individuals in satisfaction of the ‘dual control’ principle. Such persons shall be of sufficiently good repute, possess sufficient knowledge and experience, commit sufficient time to perform their functions and be sufficiently experienced so as to ensure the sound and prudent management of the Licence Holder. A Licence Holder shall also establish a ‘Cyber-Security Framework’.

When allocating functions internally, the Licence Holder shall ensure that senior management, and where appropriate, the supervisory function, are responsible for ensuring that the Licence Holder complies with its obligations under these Rules.

The Licence Holder is required to establish and maintain a risk management function that operates independently, and which has sufficient authority and resources, including access to the Board of Administration where necessary. The MFSA may allow the Licence Holder to establish and maintain a risk management function which does not operate independently, provided this does not give rise to conflicts of interest.

The Licence Holder shall establish and maintain a permanent and effective compliance function which operates independently. The appointment of an individual as Compliance Officer is subject to MFSA’s prior approval. Such person may also act as the Licence Holder’s Money Laundering Reporting Officer.

A Licence Holder shall undertake a Financial Instrument Test to determine whether a DLT asset qualifies as a VFA, which document shall be signed by its Administrators, and endorsed by its Compliance Officer.

The Licence Holder shall appoint and have at all times in place an MLRO. The role of the MLRO is an onerous one and the Licence Holder shall ensure that it is only accepted by individuals who fully understand the extent of responsibilities attached to the role. The Licence Holder shall ensure that the MLRO is a senior employee of the Licence Holder, its Compliance Officer, or a member of the Board of Administration.

For the purposes of safeguarding clients’ rights in relation to virtual financial assets and money belonging to them which are held or controlled by the Licence Holder, a Licence Holder shall hold clients’ money and/or virtual financial assets in specially created and segregated accounts.

Other Organisational Requirements

The Licence Holder shall establish and maintain an internal audit function which is separate and independent from the other functions and activities of the Licence Holder. Where appropriate and proportionate, in view of the nature, scale and complexity of its business and the nature and range of VFA services undertaken in the course of its business, the MFSA may, at its discretion, exempt the Licence Holder from the above-mentioned requirements.

The Licence Holder shall make every effort to take out and maintain full Professional Indemnity Insurance cover. The Licence Holder shall notify the Authority whether it has managed to obtain a Professional Indemnity Insurance following its efforts pursuant to this Rule.

The Licence Holder shall establish and maintain a business continuity process which shall consist of a Disaster Recovery Plan (‘DRP’), a Business Continuity Plan (‘BCP’) and Business Continuity Management (‘BCM’).

The ultimate responsibility for the proper management of the risks associated with outsourcing lies with the Licence Holder. When the Licence Holder outsources any operational function or any VFA Services, the Licence Holder shall ensure that the outsourcing arrangements do not result in the delegation of its senior management’s responsibility.

A Licence Holder shall not outsource services and activities concerning licensable activities unless the outsourcing service provider either:

  1. has an authorisation equivalent to that of the Licence Holder outsourcing the services; or
  2. is otherwise allowed to carry out those activities in accordance with the relevant national legal framework.

Supplementary Conditions applicable to VFA Exchanges

A Licence Holder shall, prior to admitting a virtual financial asset to trading on its platform, carry out appropriate research to assess the quality of the virtual financial asset. A Licence Holder shall not admit to trading on its platform any virtual financial asset which has an inbuilt anonymization function unless the holder of the virtual financial asset can be identified.

Other supplementary conditions include: guidance should a VFA exchange decide to appoint a Custodian; suspension and removal of a VFA from trading; order matching, with a focus on pre-trade and post-trade transparency; client record keeping; the reporting of suspicious transactions; system resilience; settlement; bye-laws, ensuring that any VFAs traded on its platform are traded in a fair, orderly and efficient manner; inability to discharge functions; disciplinary action; synchronisation of business clocks; and the issuance of a Compliance Certificate.

Capital Requirements

A Licence Holder shall have own funds consisting of the sum of its Tier 1 capital and Tier 2 capital where:

  1. at least 56% of the sum shall consist of Common Equity Tier 1 capital;
  2. up to 44% of the sum may consist of additional Tier 1 capital;
  3. up to 25% of the sum may consist of Tier 2 capital.

The initial capital applicable to each respective class of VFA Licence Holders required at the time of authorisation pursuant is indicated in the Table hereunder. The initial capital of a Licence Holder shall consist of one or more of the items referred to above (Own funds requirement). The initial capital of Licence Holders may also be complemented with a Professional Indemnity Insurance cover as previously set out.

| VFA Services Licence | Initial Capital Requirements (EUR) |
|---|---|
| Class 1 | 50,000; or 25,000 and PII |
| Class 2 | |
| Class 3 | |
| Class 4 | |

The Licence Holders shall at all times maintain, at a minimum, own funds equal to their capital requirement, which shall amount to the higher of the following:

  1. its permanent minimum requirement calculated according to the initial capital requirement;
  2. its fixed overheads requirement.

For the purposes of point 1, the permanent minimum requirement shall amount to at least the levels of initial capital specified above. For the purposes of point 2, the fixed overheads requirement shall amount to at least one quarter of the fixed overheads of the preceding year. For their liquidity requirement, Class 2, 3 and 4 Licence Holders shall always hold, as a minimum, an amount of liquid assets equivalent to at least one third of the fixed overheads requirement.

Conduct of Business Obligations

A Licence Holder shall establish, implement and maintain an effective conflicts of interest policy set out in writing and which is appropriate to the size and organisation of the Licence Holder and the nature, scale and complexity of its business, to prevent conflicts of interest from adversely affecting the interests of its Clients. The Licence Holder will also establish and maintain Operational Independence Rules, Conflict of Interest Policy Rules, Remuneration Policy Rules, Inducements Rules and Personal Transaction Rules.

A Licence Holder shall, before providing a Service within the meaning of the Act, classify a Client to whom the Service is to be offered as a Professional Client or as a Retail Client.

A Licence Holder shall take all sufficient steps to obtain, when executing orders, the best possible result for its Clients taking into account the best execution factors of price, costs, speed, likelihood of execution and settlement, size, nature or any other consideration relevant to the execution of the order. A Licence Holder shall establish and implement an order execution policy to allow it to obtain, for its Client orders, the best possible result.

Record Keeping, Reporting and Enforcement and Sanctions

The Licence Holder shall ensure that its I.T. infrastructure ensures:

  1. the integrity and security of any data stored therein;
  2. availability, traceability and accessibility of data; and
  3. privacy and confidentiality.

The Licence Holder shall ensure that its I.T. infrastructure is located in Malta, and/or any EEA member state and/or any other third country jurisdiction wherein the Authority is satisfied that the I.T. infrastructure requirements can be satisfied. Where the Licence Holder’s I.T. infrastructure is not located in Malta, or is located in a cloud environment, the Licence Holder shall ensure that data is replicated in real time by virtue of a live replication server located in Malta.

The Licence Holder shall have internal control mechanisms and administrative and accounting procedures which permit the verification of their compliance with these Rules as well as effective procedures for risk assessment and effective control and safeguard arrangements for information processing systems. The Licence Holder shall retain accounting records for a minimum period of ten years. During the first two years they shall be kept in a place from which they can be produced within 24 hours of their being requested.

The Licence Holder shall appoint an Auditor approved by the MFSA. The Licence Holder shall replace its Auditor if requested to do so by the MFSA. The MFSA’s consent shall be sought prior to the appointment or replacement of an Auditor. The Licence Holder shall make available to its Auditor the information and explanations he needs to discharge his responsibilities as an Auditor and in order to meet the MFSA’s requirements.

The Licence Holder shall prepare the Audited Annual Financial Return, the Annual Financial Return and Interim Financial Returns. The Licence Holder shall prepare a Risk Management and the Internal Capital Adequacy Assessment Report, which shall be submitted to the Authority on an annual basis with the submission of the Audited Annual Reporting Requirements.

Where a VFA Agent breaches or infringes a Rule, the MFSA may, by virtue of the authority granted to it under Article 48 of the Act, impose administrative penalties, without recourse to a court of law, up to a maximum of EUR 150,000.
