A first of its kind legal framework regulating cryptocurrencies and distributed ledger technologies, consisting of three separate pieces of legislation, has come into force on the 1stof November 2018.
Malta has embarked on an ambitious journey putting consumer protection, the fostering of a culture of accountability, transparency and the promotion of technological innovation through the adoption of a technology neutral approach at the centre of the legal framework.
The framework is mainly made up of three Acts: The Virtual Financial Assets Act (VFAA), the Malta Digital Innovation Authority Act (MDIAA) and the Innovative Technology Arrangements and Services Act (ITASA), respectively Chapters 590, 591 and 592 of the Laws of Malta.
The legal framework, which was proposed by the Parliamentary Secretary for Financial Services, Digital Economy and Innovation was set up through the assistance of a number of key players, pivotal to where Malta is today; a Blockchain Taskforce set up by the Maltese Government to provide it with advice on the way forward in its National Blockchain Strategy, the Malta Financial Services Authority, whose Fintech Department have published numerous guidelines, rules, circulars and the Financial Instrument Test and finally the Malta Digital Innovation Authority, set up by the Act carrying the same name. The latter has issued a number of guidelines to support the innovative technology arrangements and services outlined in ITASA.
What do these Acts regulate?
The Virtual Financial Assets Act regulates what is popularly known as cryptocurrencies. The term ‘cryptocurrencies’ does not feature within Maltese law, instead the term virtual financial asset (VFA) is utilised. What is a VFA? The Act defines a VFA as any form of digital medium recordation that is used as a digital medium of exchange, unit of account or store of value and that is not electronic money, a financial instrument or a virtual token. The Act also defines a distributed ledger technology (DLT) asset as either a virtual token, a VFA, electronic money or financial instrument that is intrinsically dependant on, or utilises, Distributed Ledger Technology.
An asset dependant on DLT is not necessarily a VFA. Such determination is carried out through the Financial Instrument Test. The Test poses several questions which are to be answered following the review of the asset and possibly its white paper. If the asset is determined to be a VFA the provisions of the VFAA kick in.
The VFAA regulates Initial Coin Offerings (ICOs), termed as an Initial Virtual Financial Asset Offerings (IVFAOs) and Virtual Financial Asset Services. For an issuer of a VFA to launch an IVFAO, from or in Malta, the issuer must register a Whitepaper with the MFSA, the competent authority in terms of the VFAA.
With regards to VFA Services, these are outlined in the Second Schedule of the same Act. There are eight VFA Services, mainly; the operation of a VFA exchange, custodian or nominee services, portfolio management, dealing on own account, execution of orders, reception and transmission of orders, placing of VFAs and offering Investment Advice. These Services are deemed as licensable activities and have been categorized into four licence classes.
Rules on Issuers and VFA Service Providers may be found in Chapter 2 and Chapter 3 of the Virtual Financial Assets Rulebook, which were published on the 30th of October 2018 and 25th of February 2019 respectively.
Chapter 3 on Service Providers was the final rulebook that was issued and covers 4 main areas, which include a) the General and High-Level Principles, b) the Authorisation Requirements of VFA Service Providers c) the Ongoing Obligations for VFA Service License Holders and d) the Enforcement and Sanctions. When compared to the original consultation document that was issued on the 30thof July 2018, a number of notable changes have taken place including;
- The removal of certain derogations from the Dual Control Principle;
- The requirement that investment advice (in relation to VFAs) may only be given by a company or other form of legal person and not by natural persons;
- The obligation on functionaries (Compliance Officers and MLROs) to complete a course approved by the authority;
- Certain new obligations on license holders;
- A prohibition on all license holders on onboarding VFAs which have in-built anonymisation features.
The transitory provision outlined in the VFAA has given the opportunity to aspiring licensees and issuers to offer VFA services or launch an IVFAO prior to the coming into force of the VFAA by notifying the MFSA. Persons applying to operate a VFA Service and issuers launching an IVFAO must now appoint a VFA Agent. As a role the VFA Agent has been set up by the VFAA and is to act as an intermediary between the aforementioned persons and the MFSA.
On the other hand, the Innovative Technology Arrangements and Services Act regulates smart contracts, Decentralized Autonomous Organisations (DAOs) and elements of distributed or decentralised ledger technologies, a popular example of which is the Blockchain. One can also anticipate that through the ITASA the uses and development of artificial intelligence and the internet of things will expand considerably.
Innovative Technology Arrangements can be voluntarily submitted for recognition to the MDIA. Prior to this, such arrangements must be reviewed by a systems auditor, one of the services outlined as an Innovative Service under ITASA. The systems auditor must review the innovative technology arrangement on the basis of recognised standards, in line with quality and ethical regulations and on the basis of five key principles; security, process integrity, availability, confidentiality and protection of personal data. These have been reinforced by guidelines issued by the MDIA in conjunction with the provisions of ITASA.
The services of a technical administrator, another Innovative Service under ITASA, must also be engaged. The technical administrator must demonstrate to the MDIA the ability of the innovative technology arrangement to satisfy a number of requisites and standards in accordance with ITASA and issued guidelines.
The Malta Digital Innovation Authority, on the other hand, oversees ITASA and is the Authority responsible in recognizing such Innovative Technology Arrangements and Services. All certifications issued by the MDIA will be issued for a term of two years.
The coming into force of the legal framework sees not the end of a journey, but the beginning of an immense chapter. A chapter which sees consumer protection as a central element of the framework regulating VFAs and a chapter where innovation is utilised to better and enhance the lives of all members of society through the good uses of technology.
Dr Ian Gauci