Malta’s Markets in Crypto‑Assets Act
Malta’s Markets in Crypto‑Assets Act (2024) implements the EU Markets in Crypto‑Assets Regulation (MiCA) within Maltese law and establishes a licensing and supervisory regime for crypto‑asset service providers (CASPs) and token issuers.
The Act covers all crypto‑assets that are not already regulated as financial instruments, together with asset‑referenced tokens and e‑money tokens. It applies to offers to the public, admissions to trading, and the full range of crypto‑asset services. A single “competent authority” (the Malta Financial Services Authority) grants, monitors, extends, limits or withdraws authorisations and can attach or vary licence conditions at any time.
Pre‑application checks
Startups must ensure that:
-
Founders, managers and qualifying shareholders are of good repute and collectively possess appropriate knowledge, skills and experience.
-
Prudential safeguard requirements (own‑funds and/or insurance) are met.
-
Robust governance, ICT security, AML/CFT and business‑continuity frameworks are already designed.
The application dossier
A complete file must contain, at minimum, the following:
-
corporate documents and legal form;
-
a detailed programme of operations describing each crypto‑asset service, marketing approach, target markets and geographical reach;
-
evidence of own‑funds/insurance and internal control mechanisms (including risk management, AML/CFT, complaints‑handling and business‑continuity);
-
non‑technical documentation of ICT systems and security arrangements;
-
custodial, client‑asset segregation and safeguarding policies;
-
service‑specific information such as trading‑platform rules, execution policies, pricing methodology, advisory competence, transfer procedures and the types of crypto‑assets to be handled;
-
identity and fitness evidence for managers, qualifying shareholders and key staff.
Statutory timetable
-
Receipt acknowledgement – within 5 working days.
-
Completeness check – decision within 25 working days. If information is missing, the authority sets a deadline; persistent incompleteness allows it to refuse to examine the file.
-
Substantive assessment – once complete, the authority has 40 working days to grant or refuse authorisation; requests for additional data must be made by day 20 of that period. The clock stops only for a single further‑information round, capped at 20 working days.
-
The resulting licence lists the crypto‑asset services that may be provided. Any new service later requires a formal extension request backed by updated documentation; the same procedure and timelines apply.
Grounds for refusal
Applications are rejected where management threatens prudent operation, shareholders lack good repute, AML/CFT risks are material, close‑link structures hinder supervision or any licensing requirement is (or is likely to be) unmet.
-
-
Maintain all conditions under which the licence was granted; keep governance, ICT, AML/CFT and capital arrangements effective and proportionate to scale and complexity.
-
Publish privileged information quickly and maintain it on the firm’s website for at least five years to prevent market abuse.
-
Notify the authority and host–state contact points before passporting services into another EU member state; cross‑border activity may start on receipt of the authority’s confirmation or 15 calendar days after notification, whichever is earlier.
-
-
Licences are automatically withdrawn after 12 months of non‑use, 9 consecutive months with no services, voluntary surrender, irregular acquisition, persistent breaches, ineffective AML/CFT controls or serious MiCA/Act infringements. The authority may also limit withdrawal to a specific service class.
-
Before refusing, varying or withdrawing a licence, the authority must give written notice of its intention and the reasons, and allow the startup to make representations.
-
Asset‑referenced tokens (ARTs)
-
Issuers must secure separate authorisation if Malta is their home member state.
-
The application dossier mirrors CASP governance and AML/CFT content, plus a legal opinion on regulatory classification and the crypto‑asset white paper.
-
Timetable: 25 working days for completeness, 60 working days for the substantive decision; each may be paused once for missing information (up to 20 working days).
E‑money tokens (EMTs)
-
Only credit institutions or licensed e‑money institutions may issue EMTs.
-
They must notify the competent authority of the intended offer at least 40 working days in advance and file the white paper not later than 20 working days before publication.
-
-
Plan early: design governance, AML/CFT and ICT controls before filing; incomplete files stop the clock and may be rejected.
-
Resource the team: ensure directors and key personnel can demonstrate experience and allocate sufficient time.
-
Budget for timing: standard processing can reach 70‑85 working days assuming one information‑request pause; build this into launch plans.
-
Stay compliant: failure to launch within 12 months, material AML breaches or inaccurate statements can lead to swift revocation.
-
Think EU‑wide: the Act enables passporting once Maltese authorisation is in hand—prepare a concise host‑state notification pack.
-
Mind the sunset: if you hold a current VFA licence, file for MiCA authorisation well before July 2026 to avoid automatic cancellation.
-
Behind Licentium
Our Edge
Licentium is a specialized platform that connects crypto-asset issuers and service providers with an international network of lawyers, regulatory consultants, and former supervisors. Projects can map applicable rules in key jurisdictions through a single interface, obtain jurisdiction-specific launch advice, arrange the drafting of white papers and licensing applications, and schedule ongoing compliance health-checks. The platform’s curated expert pool spans financial services, data protection, and corporate law, enabling founders to address cross-border requirements—from MiCA in the EU to securities, AML, and consumer-protection regimes elsewhere—within coherent project timelines and budgets.
