Section 1. A New Regulatory Framework

Malta has established a new regulatory framework centring around the use of Innovative Technology Arrangements capturing Distributed Ledger Technology (“DLT”) platforms and Blockchain technology, with the primary aim of providing transparency and legal certainty. The legislation aims to instil peace of mind and certainty, as society places more trust in innovative technology. Furthermore, this regulatory framework positions Malta at the forefront of technological business opportunities, as it creates a sound platform for innovators.

The new regulatory framework enacted on 4 July 2018 comprises three Acts:

  • the Malta Digital Innovation Authority Act (the “MDIA” Act), which oversees the setup of the MDIA as the lead Authority in the innovation technology sector;
  • the Innovative Technology Arrangement and Services Act (the “ITAS” Act), which regulates Innovative Technology Arrangements and Services, such as the software and coding used in DLT, smart contract and related applications, together with the technical administration and review services; and
  • the Virtual Financial Assets Act (the “VFA” Act), which regulates Initial Virtual Financial Assets Offerings and delineates their licensing requirements.

The MDIA Act provides for the establishment of the MDIA, the Authority that will regulate innovative technologies, and introduces a new level of communication between national competent authorities. The MDIA complements other national competent authorities.

It is the purpose of the Authority to address the development in Malta of all Innovative Technology Arrangements and Innovative Technology Services, whilst exercising supervisory and regulatory functions in these fields.

The Authority aims to foster safer usage of innovative technology and thus more adoption, whilst at the same time increasing the prospects for investment in innovative technology.

The Authority addresses the development of all Innovative Technology Arrangements and Services in Malta in order to achieve its principles and objectives and exercises its supervisory and certification functions thereon.

In particular, the MDIA Act establishes the MDIA as a new competent authority to (inter alia):

  • exercise regulatory functions regarding Innovative Technology Arrangements and related services;
  • support the development and implementation of the guiding principles described in the MDIA Act; and
  • establish minimum quality, compliance and security standards for any Innovative Technology Arrangements and related services.

The various objectives of the MDIA include, but are not limited to the following:

  • to harmonise practices and to facilitate the adoption of standards on Innovative Technology Arrangements in Malta in line with international norms, standards, rules and/ or laws;
  • to promote and enforce ethical and legitimate criteria in the design and use of Innovative Technology Arrangements and any application, software or derivative product from it;
  • to promote transparency and auditability in the use of Innovative Technology Arrangements, and any application software, or derivative product from it;
  • to promote legal certainty in the application and cross-border context, and the development of appropriate legal principles for the effective application of law to Innovative Technology Arrangements; and
  • to increase protection to users of Innovative Technology Arrangements, through high standards and guidelines.

The MDIA may extend recognition to the following:

  • Innovative Technology Arrangements, provided these opt for voluntary certification;
  • Systems Auditors and their nominated Subject Matter Experts;
  • Technical Administrators (who carry out specific functions related to the operation of an Innovative Technology Arrangement); and
  • Resident Agents (habitually resident in Malta and act on behalf of a person who is not resident in Malta and applying for certification/ registration).

The purpose of the ITAS Act revolves around recognition and authorisation, investigation and enforcement of Innovative Technology Arrangements and Innovative Technology Service Providers by the MDIA.

A DLT Asset is defined in the Virtual Financial Assets (“VFA”) Act as:

  1. a virtual token (as defined in the VFA Act);
  2. a virtual financial asset (as defined in the VFA Act);
  3. electronic money (as defined in the Third Schedule to the Financial Institutions Act); or
  4. a financial instrument (as defined in the Second Schedule to the Investment Services Act) that is intrinsically dependent on, or utilises, DLT.

Section 2. Innovative Technology Arrangements

The following are considered to be Innovative Technology Arrangements:

  • software and architectures which are used in designing and delivering DLT, subject to specified conditions, including the use of distributed, decentralised, shared and, or replicated ledger; being permissioned or permissionless or hybrids thereof; protection with cryptography; and auditability;
  • smart contracts and related applications, including decentralised autonomous organisations, as well as other similar arrangements; and
  • any other Innovative Technology Arrangement that in the future may be designated by the Minister, on the recommendation of the Authority.

The general requirements of an Innovative Technology Arrangement are intended to meet the standards of legality, integrity, transparency, compliance and accountability. These shall be assessed by the Authority based on its own reviews of all persons involved, all documentation available and the software it may access as would any user thereof.

Applications received by the Authority for certification of Innovative Technology Arrangements, which are deemed to be related to licensable activities by other lead authorities e.g. the Malta Financial Services Authority, the Malta Gaming Authority etc., fall outside the remit of the MDIA.

An Innovative Technology Arrangement shall be granted a Certificate, having a unique number for purposes of identification and stating details of how the Innovative Technology Arrangement is identified.

The Certificate shall be posted in a specific location which shall be notified to the Authority.

Obtaining certification of an Innovative Technology Arrangement from the Authority will instil confidence that the Innovative Technology Arrangement functions as intended.

‘Blueprint’ is defined in the MDIA Innovative Technology Arrangement Guidelines as a document that sets out a description of the qualities, attributes, features, behaviours or aspects of an Innovative Technology Arrangement.

Each Applicant must ensure that the Innovative Technology Arrangement is implemented in line with the Blueprint submitted to the Authority, as this document will serve as the basis for the Systems Audit carried out as part of Stage 2 of the application process.

Section 3. Systems Auditors, Subject Matter Experts and Systems Audit Reports

A Systems Auditor is a person who is engaged on a commercial basis by the Applicant to review and, or audit Innovative Technology Arrangements and smart contracts or parts thereof. A Systems Auditor may not necessarily be an accountant or auditor with a practising certificate under the Accountancy Profession Act.

The Systems Auditor will be responsible for the final deliverable of the systems audit (prepared in conjunction with nominated Subject Matter Experts) and for conducting a quality-based assignment focusing on professional ethics. Systems Auditors and their nominated Subject Matter Experts will be required to demonstrate their key competencies and suitable expertise to the MDIA.

A Systems Auditor (in the case of an individual), and the Subject Matter Experts, must, in aggregate, meet all of the following criteria:

  • Hold a qualification in ICT and/ or Information Security at MQF level 6 or higher;
  • Hold a certification in IT Audit or IT Risk or Security Management;
  • Have experience in carrying out audits and reporting based on established audit standards; and
  • Have suitable experience in Innovative Technology Arrangements in the fields that would be subject to audit of not less than two years during the last three years.

In addition, each Subject Matter Expert is required to demonstrate suitable work experience of not less than three years in performing IT audits, developing or implementing web/ enterprise-grade applications, or Information Security.

An Innovative Technology Service Provider shall be granted a Certificate of Registration, having a unique number for purposes of identification and listing the class or classes of services that the Innovative Technology Service Provider has been registered to provide. Furthermore, the Certificate shall be posted in a specific location or on the website (if available).

The Systems Audit Control Objectives are designed to provide and assist the Systems Auditor with an audit framework in the field of Innovative Technology Arrangements. The Control Objectives are based on five key principles, namely: security, processing integrity, availability, confidentiality and protection of personal data.

The Authority is directing Systems Auditors to follow standards issued by the International Auditing Standards and Assurance Board in preparing the Systems Audit report. Furthermore, the Systems Auditor Guidelines issued by the MDIA set out the required contents of a Systems Audit report.

A Systems Audit report is typically carried out when:

  • an Innovative Technology Arrangement is in the process of applying to be certified by the Authority (Type 1 Systems Audit report);
  • periodically during the operational lifetime of an Innovative Technology Arrangement (Type 2 Systems Audit report); or
  • deemed necessary or requested by the Authority, or other Lead Authority in Malta.

A Type 1 Systems Audit report assesses whether the description of the Innovative Technology Arrangement is fairly presented and whether controls are suitably designed to meet the applicable criteria (i.e. relates to new technology).

A Type 2 Systems Audit report contains the same opinions expressed in a Type 1 report and also includes an opinion on the operating effectiveness of the controls during the period covered by the audit (i.e. relates to technology that has already been audited).

Systems Auditors and Subject Matter Experts are expected to keep up to date on the subjects on which they perform Systems Audits. Furthermore, they would be required to demonstrate a minimum of 20 hours of Continuous Professional Education per annum.

Moreover, the Systems Auditor is required to be covered by a Professional Indemnity Insurance policy for an amount of not less than € 1,000,000.

A Subject Matter Expert is an individual who is assigned a specific technical role by the Systems Auditor based on his/ her expertise. A Subject Matter Expert may be an employee of the Systems Auditor or an employee of a sub-contracted entity.

The Authority expects the Systems Auditor to have a complement of at least two Subject Matter Experts. Furthermore, the Authority as part of the Systems Auditor registration process must recognise all Subject Matter Experts.

Section 4. Technical Administrator, Resident Agent and Other Questions

The following are considered to be Innovative Technology Services:

  • The review of Innovative Technology Arrangements provided by Systems Auditors; and
  • The technical administration services with reference to Innovative Technology Arrangements provided by Technical Administrators.

Systems Auditors and Technical Administrators are collectively referred to as “Innovative Technology Service Providers”.

An Innovative Technology Service Provider may be an individual or a legal organisation whose place of residence is in Malta, the European Union, or the European Economic Area.

In order to register an Innovative Technology Service Provider, the Authority must be satisfied that the Applicant:

  • is fit and proper;
  • has the qualifications and, or experience which the Authority requires for registration; and
  • has sufficient technical resources or third party support and is in a position to comply with and observe any applicable innovative technology authorisation rules and regulations.

A Technical Administrator is a person who accepts to carry out specific functions relating to the operation, of the whole or a designated part, of an Innovative Technology Arrangement.

Any Innovative Technology Arrangement subject to certification by the MDIA must have a registered Technical Administrator in office at all times who is able to demonstrate to the MDIA the Innovative Technology Arrangement’s ability to satisfy certain specific criteria, which include:

  • all pre-requisites required for certification;
  • the Innovative Technology Arrangement’s ability to meet standards on a continuing basis and to address critical matters; and
  • the Innovative Technology Arrangement’s ability to vary parameters or functionalities.

However, the Authority acknowledges that, in specific Innovative Technology Arrangement implementations, the functionality to grant the Technical Administrator and the Authority, where applicable, power to intervene, as required in Article 8(4)(c)(iv) and Article 8(4)(d)(iii) of the ITAS Act, may not be technically feasible or justifiable. In this regard, when it is clearly justified as to why the implementation of such functionality cannot be achieved, the Authority reserves the right to vary the power to intervene. In doing so, subject to all other requirements being successfully met by the Applicant, the Authority may issue an Innovative Technology Arrangement certification that clearly states that the requirements of Article 8(4)(c)(iv) and Article 8(4)(d)(iii) of the ITAS Act are not being achieved. In addition, the Applicant shall be required to disclose such limitation to all users as part of the Terms of Service.

The Resident Agent role applies when persons making an application for any form of recognition are not ordinarily resident in Malta. The Resident Agent can be a natural or legal person who is habitually resident in Malta and has satisfied the Authority that he is capable of carrying out the functions stated in the legislation.

The Authority should be informed in the event that there are material changes in:

  • Software on which assurance has been provided by a Systems Auditor;
  • Rights of users;
  • Rights, authorisation or powers of Technical Administrators;
  • Technical Administrator/ Resident Agent;
  • Administrator of a legal entity;
  • Qualifying shareholders;
  • Person with reference to whom a certification or a Certificate of Registration has been issued; and
  • Subject Matter Experts.

Non-compliance with the requirements of the MDIA Act, including the failure:

  1. to notify the Authority of material changes; or
  2. to submit such notifications within the stipulated timeframes,

shall give rise to the imposition of sanctions by the Authority, including the imposition of fines or penalties.

Further detail as to the quantum of fines is set out in the MDIA Act and in the Innovative Technology Arrangements and Services (Fees) Regulations.

An Administrator is an officer or any person who is appointed to carry out representative and fiduciary functions in the control and administration of a legal organisation. The Administrator may not be a Technical Administrator, a Resident Agent or a VFA agent.

The term ‘qualifying shareholder’ encapsulates any shareholder who:

  • owns or controls the Innovative Technology Arrangement;
  • holds more than 25% of the shares or ownership interests in the legal organisation; or
  • through provisions of the statute, has special voting or other rights permitting him to exercise effective control over the activities of the legal organisation.

The skill set and qualifications that the Systems Auditor and Subject Matter Experts must collectively have will be assessed through a Competence Assessment consisting of a series of questions aimed at verifying their knowledge on the subject matter to be audited.

Additionally, the Systems Auditor and Subject Matter Experts will be requested to meet the Authority to demonstrate their experience, qualifications and other information submitted in the Innovative Technology Service Provider application.

Section 5. Administrative Procedures and Fees

Any person who desires to obtain certification for an Innovative Technology Arrangement may apply to the Authority by submitting the relevant prescribed forms and fees. Refer to the Innovative Technology Arrangements and Services (Fees) Regulations for further detail.

The application process is split into two stages:

  • Stage 1, whereby the Authority will assess the Innovative Technology Arrangement’s capability to meet generic and specific requirements – the Applicant is liable to an initial processing fee; and
  • Stage 2, whereby the Applicant (following receipt of the Letter of Intent by the Authority) engages a Systems Auditor to carry out a Systems Audit on the Innovative Technology Arrangement – the Applicant is liable to submit the Systems Audit report to the MDIA against a fee.

Refer to the Innovative Technology Arrangements and Services (Fees) Regulations for further detail regarding fees.

Any person who desires to become registered as an Innovative Technology Service Provider may apply to the Authority by submitting a Service Provider Application Form and remitting the requisite fees. Processing fees may differ depending on the number of Subject Matter Experts the Systems Auditor nominates. Refer to the Innovative Technology Arrangements and Services (Fees) Regulations for further detail.

Following receipt of a complete application, the Authority will review and assess the information provided, review the documentation submitted, as well as any additional documentation that the Authority may request, and carry out the necessary due diligence on the Applicant.

In the case of an application for certification of an Innovative Technology Arrangement, the MDIA will also assess whether the appointed Technical Administrator can fulfil its proposed role and rely on the Systems Auditor opinion to confirm that reasonable standards of the Innovative Technology Arrangement are met.

The Authority will indicate pending requirements to the Applicant. Processing of the application shall not commence prior to receipt of outstanding items. If pending items remain outstanding after one month from communication issued by the Authority without an explanation from the Applicant, the Authority will terminate the application process and inform the Applicant accordingly.

Processing fees are non-refundable. However, in the event that an application is refused by the Authority, the Applicant enjoys the right of appeal.

Authorisation must remain valid and effective and should be renewed at least within the last 3 months of its duration but prior to expiry, by:

  • submitting the information assurances, declarations and other materials to confirm that the Applicant is still in compliance with the ITAS Act and the conditions of its authorisation;
  • carrying out the audits and reviews and obtaining the necessary declarations from the registered Systems Auditor and Technical Administrator (in the case of an Innovative Technology Arrangement only); and
  • paying the Authority the relevant fees. Refer to the Innovative Technology Arrangements and Services (Fees) Regulations for further detail.

The certification/ registration fee is payable following the MDIA’s certification of the Innovative Technology Arrangement or registration of the Innovative Technology Service Provider. The fee (payable in advance) covers the two-year certification/ registration term and would also become due at renewal stage. Refer to the Innovative Technology Arrangements and Services (Fees) Regulations for further detail.

The certification of an Innovative Technology Arrangement and registration of an Innovative Technology Service Provider are valid for a period of two years, after which an application may be submitted for renewal for a further term of two years.