Malta has established a new regulatory framework centring around the use of Innovative Technology Arrangements capturing Distributed Ledger Technology (“DLT”) platforms and Blockchain technology, with the primary aim of providing transparency and legal certainty. The legislation aims to instil peace of mind and certainty, as society places more trust in innovative technology. Furthermore, this regulatory framework positions Malta at the forefront of technological business opportunities, as it creates a sound platform for innovators.
The new regulatory framework enacted on 4 July 2018 comprises three Acts:
The MDIA Act provides for the establishment of the MDIA, the Authority that will regulate innovative technologies, and introduces a new level of communication between national competent authorities. The MDIA complements other national competent authorities.
It is the purpose of the Authority to address the development in Malta of all Innovative Technology Arrangements and Innovative Technology Services, whilst exercising supervisory and regulatory functions in these fields.
The Authority aims to foster safer usage of innovative technology and thus more adoption, whilst at the same time increasing the prospects for investment in innovative technology.
The Authority addresses the development of all Innovative Technology Arrangements and Services in Malta in order to achieve its principles and objectives and exercises its supervisory and certification functions thereon.
In particular, the MDIA Act establishes the MDIA as a new competent authority to (inter alia):
The various objectives of the MDIA include, but are not limited to the following:
The MDIA may extend recognition to the following:
The purpose of the ITAS Act revolves around recognition and authorisation, investigation and enforcement of Innovative Technology Arrangements and Innovative Technology Service Providers by the MDIA.
A DLT Asset is defined in the Virtual Financial Assets (“VFA”) Act as:
The following are considered to be Innovative Technology Arrangements:
any other Innovative Technology Arrangement that in the future may be designated by the Minister, on the recommendation of the Authority.
The general requirements of an Innovative Technology Arrangement are intended to meet the standards of legality, integrity, transparency, compliance and accountability. These shall be assessed by the Authority based on its own reviews of all persons involved, all documentation available and the software it may access as would any user thereof.
Applications received by the Authority for certification of Innovative Technology Arrangements, which are deemed to be related to licensable activities by other lead authorities e.g. the Malta Financial Services Authority, the Malta Gaming Authority etc., fall outside the remit of the MDIA.
An Innovative Technology Arrangement shall be granted a Certificate, having a unique number for purposes of identification and stating details of how the Innovative Technology Arrangement is identified.
The Certificate shall be posted in a specific location which shall be notified to the Authority.
Obtaining certification of an Innovative Technology Arrangement from the Authority will instil confidence that the Innovative Technology Arrangement functions as intended.
‘Blueprint’ is defined in the MDIA Innovative Technology Arrangement Guidelines as a document that sets out a description of the qualities, attributes, features, behaviours or aspects of an Innovative Technology Arrangement.
Each Applicant must ensure that the Innovative Technology Arrangement is implemented in line with the Blueprint submitted to the Authority, as this document will serve as the basis for the Systems Audit carried out as part of Stage 2 of the application process.
Systems Auditor is a person who is engaged on a commercial basis by the Applicant to review and, or audit Innovative Technology Arrangements and smart contracts or parts thereof. A Systems Auditor may not necessarily be an accountant or auditor with a practising certificate under the Accountancy Profession Act.
The Systems Auditor will be responsible for the final deliverable of the systems audit (prepared in conjunction with nominated Subject Matter Experts) and to conduct a quality-based assignment focusing on professional ethics. Systems Auditors and their nominated Subject Matter Experts will be required to demonstrate their key competencies and suitable expertise to the MDIA.
A Systems Auditor (in the case of an individual), and the Subject Matter Experts, must, in aggregate, meet all of the following criteria:
In addition, each Subject Matter Expert is required to demonstrate suitable work experience of not less than three years in performing IT audits, developing or implementing web/ enterprise-grade applications, or Information Security.
An Innovative Technology Service Provider shall be granted a Certificate of Registration, having a unique number for purposes of identification and listing the class or classes of services that the Innovative Technology Service Provider has been registered to provide. Furthermore, the Certificate shall be posted in a specific location or on the website (if available).
The Systems Audit Control Objectives are designed to provide and assist the Systems Auditor with an audit framework in the field of Innovative Technology Arrangements. The Control Objectives are based on five key principles, namely: security, processing integrity, availability, confidentiality and protection of personal data.
The Authority is directing Systems Auditors to follow standards issued by the International Auditing Standards and Assurance Board in preparing the Systems Audit report. Furthermore, the Systems Auditor Guidelines issued by the MDIA set out the required contents of a Systems Audit report.
A Systems Audit report is typically carried out when:
A Type 1 Systems Audit report assesses whether the description of the Innovative Technology Arrangement is fairly presented and whether controls are suitably designed to meet the applicable criteria (i.e. relates to new technology).
A Type 2 Systems Audit report contains the same opinions expressed in a Type 1 report and also includes an opinion on the operating effectiveness of the controls during the period covered by the audit (i.e. relates to technology that has already been audited).
Systems Auditors and Subject Matter Experts are expected to keep up to date on the subjects on which they perform Systems Audits. Furthermore, they would be required to demonstrate a minimum of 20 hours of Continuous Professional Education per annum.
Moreover, the Systems Auditor is required to be covered by a Professional Indemnity Insurance policy for an amount of not less than € 1,000,000.
A Subject Matter Expert is an individual who is assigned a specific technical role by the Systems Auditor based on his/ her expertise. A Subject Matter Expert may be an employee of the Systems Auditor or an employee of a sub-contracted entity.
The Authority expects the Systems Auditor to have a complement of at least two Subject Matter Experts. Furthermore, the Authority as part of the Systems Auditor registration process must recognise all Subject Matter Experts.
The following are considered to be Innovative Technology Services:
Systems Auditors and Technical Administrators are collectively referred to as “Innovative Technology Service Providers”.
An Innovative Technology Service Provider may be an individual or a legal organisation whose place of residence is in Malta, the European Union, or the European Economic Area.
In order to register an Innovative Technology Service Provider, the Authority must be satisfied that the Applicant:
A Technical Administrator is a person who accepts to carry out specific functions relating to the operation, of the whole or a designated part, of an Innovative Technology Arrangement.
Any Innovative Technology Arrangement subject to certification by the MDIA must have a registered Technical Administrator in office at all times who is able to demonstrate to the MDIA, the Innovative Technology Arrangement’s ability to satisfy certain specific criteria, which include:
However, the Authority acknowledges that, in specific Innovative Technology Arrangement implementations, the functionality to grant the Technical Administrator and the Authority, where applicable, power to intervene, as required in Article 8(4)(c)(iv) and Article 8(4)(d)(iii) of the ITAS Act, may not be technically feasible or justifiable. In this regard, when it is clearly justified as to why the implementation of such functionality cannot be achieved, the Authority reserves the right to vary the power to intervene. In doing so, subject to all other requirements being successfully met by the Applicant, the Authority may issue an Innovative Technology Arrangement certification that clearly states that the requirements of Article 8(4)(c)(iv) and Article 8(4)(d)(iii) of the ITAS Act are not being achieved. In addition, the Applicant shall be required to disclose such limitation to all users as part of the Terms of Service.
When persons making an application for any form of recognition are not ordinarily resident in Malta. The Resident Agent can be a natural or legal person who is habitually resident in Malta and has satisfied the Authority that he is capable of carrying out the functions stated in the legislation.
The Authority should be informed in the event that there are material changes in:
Non-compliance with the requirements of the MDIA Act, including the failure:
Further detail as to the quantum of fines is set out in the MDIA Act and in the Innovative Technology Arrangements and Services (Fees) Regulations.
An Administrator is an officer or any person who is appointed to carry out representative and fiduciary functions in the control and administration of a legal organisation. The Administrator may not be a Technical Administrator, a Resident Agent or a VFA agent.
The term ‘qualifying shareholder’ encapsulates any shareholder who:
The skills-set and qualifications that the Systems Auditor and Subject Matter Experts must collectively have will be assessed through a Competence Assessment consisting of a series of questions aimed at verifying their knowledge on the subject matter to be audited.
Additionally, Systems Auditor and Subject Matter Experts will be requested to meet the Authority to demonstrate their experience, qualifications and other information submitted in the Innovative Technology Service Provider application.
An Innovative Technology Service Provider shall be granted a Certificate of Registration, having a unique number for purposes of identification and listing the class or classes of services that the Innovative Technology Service Provider has been registered to provide. Furthermore, the Certificate shall be posted in a specific location or on the website (if available).
Any person who desires to obtain certification for an Innovative Technology Arrangement may apply to the Authority by submitting the relevant prescribed forms and fees. Refer to the Innovative Technology Arrangements and Services (Fees) Regulations for further detail.
The application process is split in two stages:
Refer to the Innovative Technology Arrangements and Services (Fees) Regulations for further detail regarding fees.
Any person who desires to become registered as an Innovative Technology Service Provider may apply to the Authority by submitting a Service Provider Application Form and remitting the requisite fees. Processing fees may differ depending on the number of Subject Matter Experts the Systems Auditor nominates. Refer to the Innovative Technology Arrangements and Services (Fees) Regulations for further detail.
Following receipt of a complete application, the Authority will review and assess the information provided, review the documentation submitted, as well as, any additional documentation that the Authority may request, and carry out the necessary due diligence on the Applicant.
In the case of an application for certification of an Innovative Technology Arrangement, the MDIA will also assess whether the appointed Technical Administrator can fulfil its proposed role and rely on the Systems Auditor opinion to confirm that reasonable standards of the Innovative Technology Arrangement are met.
The Authority will indicate pending requirements to the Applicant. Processing of the application shall not commence prior to receipt of outstanding items. If pending items remain outstanding after one month from communication issued by the Authority without an explanation from the Applicant, the Authority will terminate the application process and inform the Applicant accordingly.
No.
Processing fees are non-refundable. However, in the event that an application is refused by the Authority, the Applicant enjoys the right of appeal.
Authorisation must remain valid and effective and should be renewed at least within the last 3 months of its duration but prior to expiry, by:
The certification/ registration fee is payable following the MDIA’s certification of the Innovative Technology Arrangement or registration of the Innovative Technology Service Provider. The fee (payable in advance) covers the two-year certification/ registration term and would also become due at renewal stage. Refer to the Innovative Technology Arrangements and Services (Fees) Regulations for further detail.
The certification of an Innovative Technology Arrangement and registration of an Innovative Technology Service Provider are valid for a period of two years, after which an application may be submitted for renewal for a further term of two years.
