Financial Services & Fintech

The International Comparative Legal Guide to Fintech 2019 | ICLG

27 Mar 2019


GVZH Advocates’ contribution to the 2019 International Comparative Legal Guide to Fintech Law in Malta. Contributors: Dr. Andrew Zammit & Dr. Kurt Hyzler. 

The Fintech Landscape

Please describe the types of fintech businesses that are active in your jurisdiction and any notable fintech innovation trends of the past year within particular sub-sectors (e.g. payments, asset management, peer-to-peer lending or investment, insurance and blockchain applications).

Malta provides a very attractive environment for technology-based businesses having a European marketing strategy. The island has seen significant growth in the technological sector, including an exponential rise in fintech businesses, both start-ups and more established businesses.

The predominant types of fintech business currently established in Malta are payment institutions (“PI/PSPs”) and electronic money institutions (“EMIs”), both of which are classified as “financial institutions”. Rolling spot forex and binary option models are also present, albeit to a lesser extent than PSPs and EMIs.

With the introduction of the Second Payment Services Directive (PSD2) framework, it is expected that there will be an increase in the number of operators in the payment services space establishing themselves in Malta.

After 12 months of very intense work by the Malta Financial Services Authority (“MFSA”) and a number of legal and regulatory practitioners, July 2018 saw the Maltese Parliament approve three separate laws aimed at regulating blockchain and cryptocurrency technologies, providing an environment of certainty for an industry that has been fraught with its fair share of opacity and risk.

The three laws are distinguished by their regulatory objectives, covering different aspects of these industries:

  1. The Malta Digital Innovation Authority Act (“MDIA Act”) serves to establish the Malta Digital Innovation Authority (“MDIA”), a governmental agency tasked with the responsibility of promoting consistent principles for the development of visions, skills, and other qualities relating to technology innovation, and for the exercise of regulatory functions regarding innovative technology arrangements including distributed or decentralised ledger technologies (“DLT”), and related services. The MDIA has the role of granting formal recognition to innovative technology services providers or arrangements, such as smart contracts, by certifying them, giving users and service providers the necessary legal certainty regarding their use of certified DLT platforms, smart contracts and other technological arrangements.
  2. The Virtual Financial Assets Act (the “VFA Act”) lays down the regulatory framework to regulate Initial Coin Offering (“ICOs”) or “Initial Virtual Financial Asset Offerings”, as they are referred to in the Act, and other Virtual Financial Assets (“VFAs”). In essence, the VFA Act represents the most significant of the three laws given the breadth of its scope, capturing cryptocurrencies, utility tokens and ICOs and all those operators providing services within the cryptocurrency ecosystem, such as advisors, brokers, exchanges, trading platforms and custodians.
  3. The Innovative Technology Arrangements and Services Act (“ITAS Act”) provides the regulatory foundations for the development and regulation of innovative technology arrangements and innovative technology services. The ITAS Act provides that the MDIA will have regulatory responsibility for such arrangements and services. The technologies targeted by the ITAS Act are essentially DLT technologies, smart contracts, decentralised autonomous organisations and any other designated innovative technology arrangements which may be certified by the MDIA, thereby attributing higher levels of public trust.

As from the 1st November 2018 all of these laws have been brought into effect, subject to specific grandfathering procedures enabling undertakings already established and operational on the effective date to comply with the new regulatory requirements.

Are there any types of fintech business that are at present prohibited or restricted in your jurisdiction (for example cryptocurrency-based businesses)?

While no specific types of fintech businesses are prohibited in Malta, the MFSA takes a prudent and conservative approach towards reviewing any applicants looking for a Malta licence, particularly those in the online forex and binary options space. The MFSA is also very prudent in its approach towards “pay-day loan” type offerings.

Insofar as ICOs and virtual currencies (“VCs”) are concerned, it is the specific features of each particular instrument that will determine whether or not it falls within the scope of existing legislation and would therefore be governed by existing EU legislation such as the Markets in Financial Instruments Directive (“MiFID” and “MiFID 2”), the Prospectus Directive, the Alternative Investment Fund Managers Directive (“AIFMD”), and/or the Financial Instruments Directive or possibly within the remit of Maltese national legislation, such as the Investment Services Act and the Financial Institutions Act.

Those offerings falling outside the scope of existing EU and Maltese financial legislation such as, for example, tokens having features of membership or privilege cards and/or single- or multiple-use vouchers would not be prohibited by Maltese law, but could very well be caught and regulated by the VFA Act.

Funding for Fintech

Broadly, what types of funding are available for new and growing businesses in your jurisdiction (covering both equity and debt)?

Fintech businesses looking to set up in Malta would typically have equity backing originating from outside Malta, primarily in other EEA jurisdictions. Such financing usually takes the form of venture capital, loan capital or a combination of the two. Admittedly, debt financing is made available to more established business models having a track record and a significant collateral-to-debt ratio, since such models have a trading history to present to the banking institutions from which they seek to raise finance. In the case of start-ups, debt financing is a significantly more challenging route, precisely due to the absence of corporate collateral available.

Employee Share Option Programmes (“ESOPs”) are also commonly used by start-up companies seeking to engage and retain talent in the early years of their operations, whilst keeping their salary bill lower on the basis of key employees’ future equity participation. Such arrangements also enjoy a favourable 15% Malta tax rate in the hands of the employee benefitting from such a benefit, when properly structured.

To date, there have not yet been any fintech businesses that have sought to raise capital through an equity or a bond listing in Malta. However, we do expect that it is a matter of time until fintech businesses begin resorting to the Malta Stock Exchange for the listing of equity offerings.

ICO issues by Maltese companies, on the other hand, increased significantly over 2018, in keeping with international trends, although it is difficult to say how long this trend may continue. Regrettably, there is no centralised record in Malta from which any reliable statistical information may be obtained in this regard.

Are there any special incentive schemes for investment in tech/fintech businesses, or in small/medium-sized businesses more generally, in your jurisdiction, e.g. tax incentive schemes for enterprise investment or venture capital investment?

Malta provides a very attractive corporate tax environment for businesses based in and operating from the island, and this has contributed significantly to the growth in the Maltese economy over the past years.

In addition to the corporate tax incentives, expat employees working in key positions with operators regulated by the MFSA may also avail themselves of a 15% personal tax rate on their employment income, provided that it exceeds an established threshold that is adjusted every year to reflect the cost of living index (€85,000 gross income for base year 2019). This Highly Qualified Person programme applies to EU and non-EU nationals alike, and was introduced by the Maltese Government in 2011 to sustain the burgeoning financial services industry with the best skill and talent available on the wider international market.

Due to the restricted size of the Maltese market, there are no venture capital financing houses based in Malta. Entrepreneurs seeking to base their businesses in Malta invariably source financing for their businesses from financial centres outside Malta.

Other incentives targeted at research, development and innovation could also be availed of by qualifying fintech undertakings. These incentive schemes are administered by the Malta Enterprise, which is the public corporation charged with attracting Foreign Direct Investment into Malta.

In brief, what conditions need to be satisfied for a business to IPO in your jurisdiction?

The requirements for an IPO in Malta can be stated as follows:

  • Minimum three-year track record.
  • Appointment of a sponsoring broker.
  • Issuing of a Prospectus complying with the EU Prospectus Directive.
  • Shareholders’ funds less intangible assets must be at least €585,000.
  • Company must have a fully paid-up capital of at least €235,000.
  • Expected aggregate market value of the securities forming the subject of the application must not be less than €1,165,000 (not being Preference Shares).
  • At least 25% of the listed class of shares shall be publicly held.

Have there been any notable exits (sale of business or IPO) by the founders of fintech businesses in your jurisdiction?

No, there have not been any notable exits by the founders of fintech businesses in Malta over the past years.

Fintech Regulation

Please briefly describe the regulatory framework(s) for fintech businesses operating in your jurisdiction, and the type of fintech activities that are regulated.

The MFSA is the single regulator charged with the authority of regulating, monitoring and supervising the full spectrum of financial services in Malta. Fintech businesses are regulated by the general legal and regulatory provisions relating to credit institutions, financial institutions, investment services and insurance. All of these financial services activities have undergone tremendous changes over the past years, presenting new opportunities in the form of electronic distribution channels. As a firm we have witnessed the most significant transformation in payment-related services, partly as a result of the introduction of the PSD2.

Malta’s financial services legislation is organised under service- or activity-specific statutes which focus on the nature of the service being provided by the relevant undertaking. The Banking Act, the Financial Institutions Act, the Investment Services Act and the Insurance Business Act regulate the specific financial services activities falling within their respective regulatory scope. Therefore, fintech activities would be regulated in the same way as corresponding “non-fintech” business (i.e. brick-and-mortar operations).

However, in a recent launch of its “Vision 2021”, the MFSA announced that it will be launching a specialised fintech unit and also a “sandbox” environment, enabling operators that are fundamentally technology-driven businesses to operate within a framework of regulatory oversight without a fully-fledged licence, until the model is developed and the specific regulatory treatment is established by the regulator.

Is there any regulation in your jurisdiction specifically directed at cryptocurrencies or cryptoassets?

Yes. As indicated above, in 2018 Malta introduced a comprehensive legal framework to regulate the issue and intermediation of cryptocurrencies, and also a comprehensive test to enable operators and practitioners to classify this novel asset class correctly and objectively.

Are financial regulators and policy-makers in your jurisdiction receptive to fintech innovation and technology-driven new entrants to regulated financial services markets, and if so how is this manifested?

The MFSA is very receptive to fintech innovation and technology-driven financial services operators, and takes a very pro-active approach towards new entrants, dedicating the resources to meet with the promoters of fintech businesses, even prior to commencing the application process, in order to understand their proposed model and provide valuable preliminary feedback.

This approach of open dialogue and hands-on regulation has made Malta a very popular base for fintech businesses, particularly in the PSP and EMI space.

The MFSA is currently undertaking a comprehensive analysis about the optimal approach to be taken towards sandbox environments as a test-ground for novel business models, which is expected to be rolled out in 2021.

What, if any, regulatory hurdles must fintech businesses (or financial services businesses offering fintech products and services) which are established outside your jurisdiction overcome in order to access new customers in your jurisdiction?

Fintech businesses licensed in another EEA state may freely target and access new customers in Malta as long as they have undertaken the necessary regulatory notifications to (i) provide cross-border services, or (ii) establish a branch in Malta. If a branch is physically established in Malta, there is a registration requirement for that branch and also tax registration requirements.

Where, on the other hand, the fintech business is based outside of the EEA, the applicable regulatory framework would effectively prohibit any solicitation of customers based in Malta.

Other Regulatory Regimes / Non-Financial Regulation

Does your jurisdiction regulate the collection/use/transmission of personal data, and if yes, what is the legal basis for such regulation and how does this apply to fintech businesses operating in your jurisdiction?

Yes – the Data Protection Act (Chapter 586 of the Laws of Malta) (“DPA”) implements the provisions of the EU’s General Data Protection Regulation (“GDPR”) and, together with the related subsidiary legislation, provides for the protection of individuals against the violation of their privacy by the processing of personal data.

The DPA and the GDPR are applicable to any fintech businesses processing personal data and operating in or from Malta.

Do your data privacy laws apply to organisations established outside of your jurisdiction? Do your data privacy laws restrict international transfers of data?

Yes – Maltese data protection law applies to:

  • the processing of personal data in the context of the activities of an establishment of a controller or processor in Malta;
  • data controllers or processors in a Maltese Embassy or High Commission outside Malta, regardless of whether the processing takes place in Malta;
  • the processing of personal data of data subjects located in Malta by a controller or a processor not established in the European Union; and
  • the processing of personal data by a controller not established in the European Union but in a place where the laws of Malta apply by virtue of public international law.

Further to the GDPR, the transfer of personal data to a non-EU/EEA country may only take place on the basis of an adequacy decision in favour of such country issued by the European Commission. In the absence of an adequacy decision, such transfer may take place if it is subject to one of the following appropriate safeguards:

  • a legally binding and enforceable instrument between public authorities or bodies;
  • binding corporate rules in accordance with Article 47 of the GDPR;
  • standard data protection clauses adopted by the European Commission or by a supervisory authority and approved by the Commission; or
  • an approved code of conduct.

Please briefly describe the sanctions that apply for failing to comply with your data privacy laws.

Penalties for non-compliance with the DPA will depend on the level of breach. The provisions of the law specify which level of sanction should apply for specific types of breach. The Information and Data Protection Commissioner may impose fines of two different categories, depending on the provision of the law which has been breached:

  • up to €10,000,000, or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; or
  • up to €20,000,000, or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

In the case of a public authority or body which has been found to be in breach of the DPA, the Information and Data Protection Commissioner may impose administrative fines of two different categories, depending on the provision of the law which has been breached:

  • up to €25,000 for each violation and a daily fine penalty of €25 for each day during which such violation persists; or
  • up to €50,000 for each violation and a daily fine penalty of €50 for each day during which such violation persists.

Any person who knowingly provides false information to the Commissioner or fails to comply with any lawful request pursuant to an investigation by the Commissioner is liable to a fine of between €1,250 and €50,000, or to imprisonment for six months, or to both such fine and imprisonment.

Does your jurisdiction have cyber security laws or regulations that may apply to fintech businesses operating in your jurisdiction?

Yes. Maltese laws dealing with various aspects of cybersecurity include the following:

  • the Maltese Criminal Code deals with cybercrime in a chapter entitled ‘Of Computer Misuse’;
  • the Processing of Personal Data (Electronic Communications Sector) Regulations (Subsidiary Legislation 440.01); and
  • the Electronic Communications Networks and Services (General) Regulations (Subsidiary Legislation 399.28).

Malta has also been a signatory to the Council of Europe Cybercrime Convention since 2001; such Convention was ratified in April 2012.

Please describe any AML and other financial crime requirements that may apply to fintech businesses in your jurisdiction.

Malta holds full EU Member status and is signatory to the main international multilateral treaties which tackle money laundering in the world’s financial markets. Although Malta is not a member of FATF, it does play an active role in Moneyval, or the Select Committee of Experts on the Evaluation of Anti-Money Laundering Measures.

Malta’s prevention of money laundering regime is contained in two pieces of legislation, namely the Prevention of Money Laundering Act (“PMLA”) and the Prevention of Money Laundering and Funding of Terrorism Regulations (“PMLFTR”). The PMLA establishes the foundations for the legal framework by introducing basic legal definitions, laying down the procedures for the investigation and prosecution of money laundering offences, and establishing the Financial Intelligence Analysis Unit, whilst the regulations provide the substantive provisions relating to the offences, and clarify the systems and procedures to be adopted by subject persons in the course of their business activities.

Are there any other regulatory regimes that may apply to fintech businesses operating in your jurisdiction?

The Electronic Commerce Directive (Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the internal market), which is transposed into Maltese law by virtue of the Electronic Commerce Act (Chapter 426 of the Laws of Malta), and the Electronic Commerce (General) Regulation are relevant for fintech businesses operating from Malta. These rules are relevant insofar as they define what constitutes an “Information Society Service” and provide a framework for such services to be conducted.

Accessing Talent

In broad terms, what is the legal framework around the hiring and dismissal of staff in your jurisdiction? Are there any particularly onerous requirements or restrictions that are frequently encountered by businesses?

Employment law draws heavily on Anglo-Saxon law and practice, providing an extremely balanced framework for employers. Whilst employees are provided with all the protection one would expect within the European Union, businesses are able to dismiss employees on the basis of just and sufficient cause or on the basis of redundancy without liability.

Social security contributions in Malta are reasonable and payroll formalities uncomplicated. Besides, the Highly Qualified Persons tax programme offers key expat fintech personnel a competitive 15% personal income tax rate on their employment income. This programme has attracted significant and much-needed foreign talent to Malta within the fintech sector.

Unemployment in Malta is extremely low, requiring the labour market to be supplemented by EU and non-EU nationals that have moved to the island seeking various opportunities, including in the financial services industry, which is estimated to contribute in excess of 20% to Malta’s GDP. Finding experienced fintech professionals could prove to be difficult given the limited size of the labour market (Malta has a population of approximately 470,000). However, the Maltese labour force is educated, loyal and ambitious, with a university population of over 10,000 students. This provides fintech operators with the opportunity of training staff and providing them with on-the-job training.

What, if any, mandatory employment benefits must be provided to staff?

Employees are not granted any significant mandatory benefits by Maltese law above those provided for within the framework of European law. Commercially agreed benefits are, however, becoming increasingly more commonplace.

What, if any, hurdles must businesses overcome to bring employees from outside your jurisdiction into your jurisdiction? Is there a special route for obtaining permission for individuals who wish to work for fintech businesses?

Any EEA citizens may freely establish themselves and work in Malta without any material formalities besides the usual tax and social security registration and a notification procedure intended for statistical purposes. Citizens of non-EEA countries (third-country nationals) are required to apply for a work permit on the basis of a formal job offer. The granting of such a work permit will depend largely on the skills of the individual concerned and the industry in which he/she is seeking to be employed.

With Malta’s shortfall of personnel having both skill and experience in the fintech sector, obtaining a work permit for a suitably qualified individual should not be difficult, although such permits can involve a waiting time of up to 90 days until approved. Efforts are being made by the authorities concerned to shorten this waiting period and make the work permit procedures more streamlined and efficient.


Please briefly describe how innovations and inventions are protected in your jurisdiction.

Any innovations and inventions that would qualify for protection can be protected locally depending on the nature of the particular innovation and invention. Indeed, the European intellectual property framework has been transposed into local law and provides ample protection for any patents, trademarks, industrial designs and copyright in the widest sense.

Please briefly describe how ownership of IP operates in your jurisdiction.

Maltese law provides for specific protection for all aspects of IP, and this in the form of specific statutes regulating each individual area of IP. Accordingly, in the case of trademarks, patents and designs, protection may be sought pursuant to registration of the IP with the Maltese or European intellectual property office, whilst copyright would enjoy automatic protection in terms of the local Copyright Act without the need to pursue any formal registration in its regard. In addition to the foregoing, the Maltese Commercial Code also provides specific protection in respect of trademarks against unlawful competition.

In order to protect or enforce IP rights in your jurisdiction, do you need to own local/national rights or are you able to enforce other rights (for example, do any treaties or multi-jurisdictional rights apply)?

In addition to local/national rights, one would be able to enforce any European Union rights, registered with the competent supranational authorities, as well as any rights that are considered to be famous and well-known in terms of Article 6bis of the Paris Convention.

How do you exploit/monetise IP in your jurisdiction and are there any particular rules or restrictions regarding such exploitation/monetisation?

There are no restrictions on the exploitation or monetisation of IP rights, provided that such practices are in keeping with the general Maltese legal framework and Maltese mandatory public policy rules.


The authors would like to thank Dr. Yasmine Aquilina for her contribution related to data protection and privacy.
