19 Dec 2018
There are four types of licences:
Class 1: Applicable to those receiving and transmitting orders or that provide investment advice or that are placing Virtual Financial Assets (the “VFAs”)
Class 2: Applicable to those offering any other VFA service except those dealing on own account or offering an exchange
Class 3: Applicable to those offering any VFA service and that deal on own account but do not offer an exchange
Class 4: Applicable to those offering any VFA service including an exchange
Classes 2, 3 and 4 are allowed to hold or control clients’ assets or money in conjunction with the provision of a VFA Service. Assets held under the control of a VFA service provider, are deemed by law to constitute distinct patrimony and not subject to the of creditors of the operator. VFA service providers can only deal with FIAT and and VFAs. They cannot deal with financial instruments, electronic money or exchange between FIAT currencies.
For those of you that are new to the concept of dealing on own account, this is a term borrowed from the traditional financial services industry whereby the service provider buys and sells VFAs using its own money. The service would be similar to what Coinbase offers. On the other hand, an exchange service is similar to what Binance offers where it matches asks and bids.
The aim of the regulatory framework is:
i. the protection of investors and the general public;
ii. the promotion of innovation, competition and choice; and
iii. the reputation and suitability of the Applicant and all other parties connected with the Applicant.
An applicant for a licence, must demonstrate to the MFSA that it has sufficient integrity, competence and solvency to run the operation. This assessment shall be applicable to every (i) person that has a qualifying holding in the Applicant, (ii) beneficial owner, (iii) member of the Board of Administration of the Applicant, (iv) Senior Manager, (v) MLRO, (vi) Compliance Officer, (vii) Risk Manager (where applicable) and (viii) any other person who will effectively direct the VFA business of the Applicant.
VFA service providers must have in place a number of policies and procedures, amongst which the following:
i. Information and data security management policy
ii. Access management policy
iii. Key management policy
iv. Wallet management policy
v. Sensitive data management policy
vi. Threats management policy
vii. Business continuity plan
viii. Response and disaster recovery plan
ix. Security education and training
x. Risk management policy
xi. Compliance and reporting policy
xii. Outsourcing policy (if applicable)
xiii. Conflict of Interest Policy
xiv. Complaints Policy
xv. Order Execution Policy
xvi. AML Policy
Licensees are also required to make every effort possible to take out and maintain a professional indemnity insurance covering any loss or damage. There are also some rules and limitations about outsourcing. Licensees can also offer white label solutions to third parties.
The MFSA rules impose tough liquidity requirements on all licensees. They also have to ensure they have no conflict of interest. They must also have a compliance officer that will be responsible to compile a compliance certificate on a periodical basis.
Exchanges are required to also to abide by the listing criteria prescribed in the rules issued by the MFSA that include:
- Assessment of the quality of the VFA listed
- Custody requirements
- Monitoring for market manipulation and reporting
- Apply pre-trade and post-trade transparency measures
- Client record keeping
- Reporting of suspicious transactions
- Ensure System Resilience
- Apply streamlined and clear settlement procedures
- Have bye-laws in place
If you have any queries, we are happy to assist you. Kindly drop us an email at email@example.com.
This article does not constitute legal advice and does not establish an attorney relationship. If you require legal advice, please contact me on firstname.lastname@example.org or one of my colleagues who helped me with this article and with all blockchain related work at WH Partners at email@example.com.