Licentium

Licensing Hub

Malta

Full MiCA jurisdiction. MFSA is the competent authority for CASP authorisation and supervision; FIAU handles AML/CFT. The legacy VFA framework is now transitional only.

Available licences

MFSA MiCA Crypto-Asset Service Provider Authorisation

MFSA authorisation under MiCA Article 63. Applicant must have registered office in an EU Member State where it carries out at least part of its services, effective management in the EU and at least one EU-resident director. Application submitted through MFSA Licence Holder Portal; beneficial owners, qualifying holders, administrators and senior managers submit personal questionnaires first. MFSA may impose pre-licensing and post-licensing pre-commencement conditions. Application fees: EUR 10,000 (class 1), EUR 20,000 (class 2), EUR 25,000 (class 3); reduced VFA transition fees EUR 5,000/EUR 10,000/EUR 12,500. Annual supervisory fees: class-based EUR 10,000/EUR 25,000/EUR 50,000 plus EUR 2,000 per service and 0.05 percent of transaction volume (capped at EUR 250,000); due 30 July.

MFSA Article 60 Notification (Eligible Financial Entities)

Notification route for credit institutions, central securities depositories, investment firms, market operators, electronic-money institutions, UCITS management companies and AIFMs. Financial entity must notify the MFSA at least 40 working days before first providing the relevant crypto-asset services; MFSA assesses completeness within 20 working days. Non-equivalent services still require full CASP authorisation.

MFSA Fit and Proper Review

Central part of the authorisation process. Review applies to qualifying holders, beneficial owners, board members, senior managers, MLRO, compliance officer and any other person the MFSA considers necessary. Compliance officer expected to have independent judgement, day-to-day compliance oversight, familiarity with the regulatory framework and the ability to prevent, identify, record and escalate breaches. Weak governance, unclear ownership, unresolved due diligence, inadequate compliance independence or weak MLRO arrangements can delay or derail the process.

MiCA Prudential Safeguards (Class 1, 2, 3)

CASP must maintain MiCA prudential safeguards at all times: at least the higher of the applicable permanent minimum capital requirement or one quarter of fixed overheads for the preceding year. Class amounts: EUR 50,000 (class 1: execution, placing, transfer, reception and transmission, advice, portfolio management); EUR 125,000 (class 2: class 1 plus custody, exchange for funds, exchange for other crypto-assets); EUR 150,000 (class 3: class 2 plus operation of a trading platform). Highest applicable class applies for multi-service providers.

AML/CFT, TFR, DORA, Conduct and Enforcement Compliance

FIAU updated the Maltese AML framework for CASPs in line with MiCA, recast TFR, VFA Act changes and EU AML amendments. CASPs must prepare customer due diligence, beneficial ownership analysis, AML/TF risk assessment, sanctions screening, transaction monitoring, travel-rule procedures, self-hosted-address controls, cross-border correspondent-CASP controls, multi-party wallet risk controls, MLRO arrangements and FIAU-facing procedures. DORA and ICT third-party risk are central; CASP applicants submit digital operational resilience and ICT third-party provider assessment materials. Conduct: practical conflicts management (disclosure alone is not enough); best execution; fair, clear and not misleading marketing; permanent, effective and independent compliance function. Natural-person fines up to EUR 700,000; legal-person fines up to EUR 5,000,000 or 5 percent of annual turnover for CASP-related breaches; higher penalties for market-abuse breaches. MFSA may publish sanctions decisions.

Detailed overview

Malta: MFSA MiCA Authorisation under the Markets in Crypto-Assets Act

Malta is a full MiCA jurisdiction. The Maltese framework is based on Regulation 2023/1114 and the Maltese Markets in Crypto-Assets Act.

The Malta Financial Services Authority is the competent authority for crypto-asset service provider authorisation and supervision in Malta.

Malta has a legacy Virtual Financial Assets framework, but that framework is now only relevant for transition. New Malta-facing crypto-asset service activity should be structured through MiCA authorisation, a valid Article 60 route or a valid MiCA passport.

Regulator

The main regulator is the MFSA.

The MFSA receives CASP authorisation applications, receives Article 60 notifications from eligible financial entities, supervises authorised providers, maintains register information and exercises MiCA supervisory powers.

The Financial Intelligence Analysis Unit is relevant for AML and counter-terrorist-financing obligations. CASPs should treat MFSA authorisation and FIAU financial-crime compliance as linked but distinct workstreams.

Other Maltese and EU regimes may still apply where the activity involves banking, payment services, e-money, e-money tokens, asset-referenced tokens, financial instruments, funds, deposits, insurance products, AML, sanctions, TFR or DORA.

Licensing route

A business that provides crypto-asset services in or from Malta generally needs MiCA authorisation as a crypto-asset service provider unless it is an eligible financial entity using Article 60 or a duly authorised EU CASP passporting into Malta.

The relevant crypto-asset services are custody and administration of crypto-assets for clients, operation of a crypto-asset trading platform, exchange of crypto-assets for funds, exchange of crypto-assets for other crypto-assets, execution of client orders, placing of crypto-assets, reception and transmission of orders, advice on crypto-assets, portfolio management on crypto-assets and transfer services for clients.

Transfer services are a separate MiCA service and should be included in the service-mapping analysis.

The licence perimeter applies only where the asset is within MiCA. Tokens that qualify as financial instruments, deposits, structured deposits, fund interests, payment instruments, non-MiCA e-money arrangements, insurance products or other regulated products require separate legal analysis.

Article 63 authorisation

A standard unregulated Maltese CASP applicant applies to the MFSA for MiCA authorisation.

A MiCA-authorised CASP must have a registered office in an EU Member State where it carries out at least part of its crypto-asset services, its effective management in the EU and at least one EU-resident director.

The CASP application is submitted through the MFSA Licence Holder Portal. Beneficial owners, qualifying holders, administrators and senior managers must submit personal questionnaires before the application form is submitted.

A credible Maltese application should include a full service map, legal perimeter analysis, Malta home-state analysis, programme of operations, business plan, constitutional documents, proof of prudential safeguards, governance materials, management fit-and-proper evidence, qualifying-holder information, source-of-funds and source-of-wealth information where relevant, internal controls, AML and counter-terrorist-financing procedures, sanctions controls, TFR procedures, self-hosted-address controls, risk assessment, business-continuity plan, ICT and DORA materials, client-asset and client-fund segregation procedures, complaints procedures, conflicts management, outsourcing framework, custody policy where relevant, trading-platform rules and market-abuse systems where relevant, exchange commercial policy and pricing methodology where relevant, execution policy where relevant, advice and portfolio-management competence evidence where relevant and transfer-service procedures where relevant.

The MFSA may impose pre-licensing and post-licensing pre-commencement conditions. These can include final constitutional documents, final business plan, outstanding due-diligence materials, capital evidence, outsourcing agreements, key function-holder appointments, compliance and MLRO arrangements, bank account engagement letters for safeguarding client funds, tested systems, recruited staff and formal commencement notification.

Fit and proper review

The MFSA fit-and-proper review is a central part of the authorisation process.

The review applies to qualifying holders, beneficial owners, board members, senior managers, the MLRO, the compliance officer and any other person the MFSA considers necessary.

The compliance officer is expected to have independent judgement, day-to-day compliance oversight, familiarity with the applicable regulatory framework and the ability to prevent, identify, record and escalate breaches.

Applicants should not treat fit-and-proper review as an administrative formality. Weak governance, unclear ownership, unresolved due diligence, inadequate compliance independence or weak MLRO arrangements can delay or derail the process.

Article 60 notification

Article 60 is not a general shortcut for unregulated applicants. It is a notification route for specified regulated financial entities and permitted equivalent crypto-asset services.

The Article 60 route may be relevant for credit institutions, central securities depositories, investment firms, market operators, electronic-money institutions, UCITS management companies and alternative investment fund managers.

A financial entity must notify the MFSA at least 40 working days before first providing the relevant crypto-asset services.

The MFSA assesses completeness within 20 working days. If the notification is incomplete, the provider may not begin providing the crypto-asset services while the notification remains incomplete.

A regulated entity must map each proposed crypto-asset service to its existing authorisation and to the MiCA Article 60 equivalence rules.

A regulated entity that wants to provide non-equivalent crypto-asset services may still need full CASP authorisation.

Transitional position

Malta’s MiCA transition is still active, but only for qualifying legacy VFA service providers.

A person that was licensed under the Maltese Virtual Financial Assets Act on 30 December 2024 may continue to provide, or hold itself out as providing, the VFA services for which it was licensed until 1 July 2026 or until MiCA authorisation is granted or refused, whichever occurs earlier.

Malta also provides a simplified procedure for qualifying applications submitted between 30 December 2024 and 1 July 2026. The simplified procedure does not remove MiCA substance. Before granting authorisation, the MFSA must still ensure compliance with the relevant MiCA Title V requirements.

Legacy VFA status is not MiCA authorisation and should not be marketed as such.

A new Malta-facing provider should use MiCA authorisation, a valid Article 60 route or a valid MiCA passport.

Passporting and register checks

A MiCA-authorised CASP may provide its authorised services across the EU through the MiCA passport, subject to the required notification process and authorised service scope.

A CASP authorised in another EU Member State may provide services in Malta through the MiCA passport.

A Maltese legacy VFA licence does not itself create a MiCA passport.

CASPs intending to offer services across multiple Member States must notify the home Member State’s competent authority and use the applicable cross-border notification process.

MFSA and ESMA register information should be checked before relying on a provider’s authorisation status, onboarding a counterparty, launching services or publishing any authorisation claim.

Costs

MFSA application and supervisory fees apply.

For a new CASP application, the current fee is EUR 10,000 for class 1, EUR 20,000 for class 2 and EUR 25,000 for class 3.

Where the applicant is a qualifying VFA service provider applying during the transition, the current reduced application fee is EUR 5,000 for class 1, EUR 10,000 for class 2 and EUR 12,500 for class 3.

Where the applicant intends to provide services falling under different classes, only the highest applicable application fee applies.

An extension of authorisation attracts the applicable application fee reduced by 25 percent.

A request to stop providing one or more but not all authorised services attracts a EUR 1,000 modification fee.

Annual supervisory fees are calculated as an aggregate amount. The class-based annual amount is EUR 10,000 for class 1, EUR 25,000 for class 2 and EUR 50,000 for class 3. The CASP also pays EUR 2,000 for every authorised service and 0.05 percent of transaction volume, capped at EUR 250,000.

Annual supervisory fees following the first year are due on 30 July.

These fees are not the full cost of authorisation. Applicants should also budget for legal, governance, AML, sanctions, TFR, DORA, ICT, custody, outsourcing, complaints, conflicts, audit, accounting, prudential, insurance and operational implementation costs.

The fee framework should be checked before filing because Maltese fee rules may be amended.

Prudential safeguards

A CASP must maintain MiCA prudential safeguards at all times.

The required amount is at least the higher of the applicable permanent minimum capital requirement and one quarter of fixed overheads for the preceding year.

The MiCA class amounts are EUR 50,000 for class 1, EUR 125,000 for class 2 and EUR 150,000 for class 3.

Class 1 covers execution of orders, placing, transfer services, reception and transmission of orders, advice and portfolio management.

Class 2 includes class 1 services plus custody and administration, exchange of crypto-assets for funds and exchange of crypto-assets for other crypto-assets.

Class 3 includes class 2 services plus operation of a crypto-asset trading platform.

Where a provider offers services in more than one class, the highest applicable class applies.

Prudential safeguards may take the form of own funds, an insurance policy, a comparable guarantee or a permitted combination.

AML, TFR and financial crime controls

Maltese CASPs must prepare AML, sanctions, TFR and self-hosted-address controls before filing.

The FIAU updated the Maltese AML framework for CASPs in line with MiCA, the recast Transfer of Funds Regulation, changes to the VFA Act and EU AML amendments.

Core controls include customer due diligence, beneficial ownership analysis, AML and terrorist-financing risk assessment, sanctions screening, transaction monitoring, suspicious-activity escalation, travel-rule procedures, self-hosted-address controls, cross-border correspondent-CASP controls where relevant, multi-party wallet risk controls, outsourcing oversight, recordkeeping and staff training.

The applicant should also prepare MLRO arrangements, FIAU-facing procedures and evidence that financial-crime controls are embedded in the business model.

Legacy VFA status does not replace AML, TFR or MiCA obligations.

DORA, ICT and outsourcing

DORA and ICT third-party risk are central to Malta authorisation.

CASP applicants must submit digital operational resilience and ICT third-party provider assessment materials.

A Maltese CASP application should include ICT governance, cybersecurity controls, incident management, wallet and custody technology controls, business continuity, disaster recovery, outsourcing inventory, ICT third-party risk assessment and exit plans for critical or important arrangements.

Outsourcing is possible, but it must not impair the MFSA’s ability to supervise the CASP. Where outsourcing creates governance, compliance, operational resilience, auditability or client-service risk, the MFSA may require restrictions, remediation or exit from the arrangement.

Conduct, marketing and client protection

The MFSA expects high standards of conduct and compliance.

CASPs should implement practical measures to identify, prevent and manage conflicts of interest. Disclosure alone is not enough.

CASPs should act in clients’ best interests during trade execution. Best execution should consider price, cost, speed, execution likelihood, settlement reliability and overall client outcome.

Marketing material should be fair, clear and not misleading. Promotions and incentives should be transparent, proportionate, relevant and not excessive.

A CASP should maintain a permanent, effective and independent compliance function.

Website disclosures, regulatory disclosures and risk disclosures should be reviewed before launch.

ESMA peer review and supervisory scrutiny

Malta should not be treated as a low-scrutiny licensing route.

ESMA’s 2025 peer review recognised MFSA sector expertise and supervisory resources, but also raised concerns about the timing and depth of one CASP authorisation. The review highlighted unresolved issues involving business-plan growth, conflicts, governance, ICT, custody, booking model, Web3 services and AML/CFT risks.

The MFSA welcomed the peer review and stated that ESMA found it largely meeting expectations.

Applicants should expect closer scrutiny of supervisory history, previous enforcement, unresolved remediation, business-plan assumptions, outsourcing, custody, ICT, AML, governance, conflicts and Web3 functionality.

A legacy VFA licence should not be treated as a guarantee of MiCA authorisation.

Token issuance and white papers

CASP authorisation and token-offer compliance are separate.

For crypto-assets other than ARTs and EMTs, admission to trading or public-offer activity may require a white paper and supporting documentation through the MFSA process.

EMT white papers may only be notified by persons duly authorised under the Maltese Financial Institutions Act.

ART white papers are submitted as part of the ART issuer authorisation process.

A CASP licence should not be treated as covering public offers, admission to trading, ART issuance, EMT issuance or white-paper obligations.

Stablecoin, wallet, exchange, settlement and payment-like structures should be reviewed separately for EMT, ART, e-money and payment-services implications.

Ongoing obligations

A Maltese CASP must comply with MiCA, the Markets in Crypto-Assets Act, MFSA rules, FIAU AML requirements, sanctions controls, TFR and DORA.

Core obligations include governance, management suitability, qualifying-holder controls, prudential safeguards, internal controls, risk management, AML and counter-terrorist-financing procedures, sanctions controls, transaction monitoring, TFR implementation, self-hosted-address controls, business continuity, ICT and DORA controls, outsourcing oversight, complaints handling, conflicts management, custody safeguards, client-asset and client-fund segregation, recordkeeping, fair and non-misleading client information, cost and fee transparency, market-abuse systems where relevant and service-specific conduct rules.

A CASP should also comply with MFSA reporting requirements, including audited annual CASP returns, audited financial statements, auditor communications, annual compliance reporting, social media annexes and wallet address forms where required.

Enforcement risk

Malta is not a light-touch jurisdiction.

The MFSA may require information and documents, require explanations, conduct inspections and investigations, suspend crypto-asset services, prohibit services, require cessation of unlawful conduct, impose management measures and impose administrative penalties.

For CASP-related MiCA breaches, the MFSA may issue public statements, order cessation, impose benefit-based penalties, impose temporary management bans and impose monetary penalties.

Natural-person penalties for CASP-related breaches may reach EUR 700,000.

Legal-person penalties may reach EUR 5,000,000 or 5 percent of annual turnover for relevant CASP-related breaches.

For market-abuse-related breaches, higher penalties may apply.

The MFSA may also publish sanctions decisions.

The main enforcement risks are operating without MiCA authorisation, relying on VFA status beyond the limited transition, presenting VFA status as MiCA authorisation, using Article 60 without eligibility or complete notification, providing services outside authorised scope, weak AML or TFR controls, weak DORA readiness, inadequate custody or segregation arrangements, weak compliance independence and misleading marketing or authorisation claims.

Practical assessment

Malta is suitable for firms that want MiCA authorisation in an EU jurisdiction with a long-standing crypto regulatory framework, a dedicated regulator and operational MiCA application mechanics.

It is not suitable for firms looking for a paper registration, automatic conversion from VFA status, indefinite grandfathering or a low-substance gateway.

The main execution risks are incorrect service classification, missing transfer services, treating Article 60 as a general shortcut, relying on VFA transition without meeting the Maltese conditions, underestimating MFSA documentation expectations, failing fit-and-proper review, unresolved supervisory history, weak compliance independence, inadequate AML or TFR controls, weak DORA or ICT evidence, insufficient custody controls, problematic outsourcing and filing before prudential, governance, complaints, conflicts and service-specific controls are ready.

Ready to launch legally?

Book a 30-minute consultation. We'll map your licensing path and tell you exactly what's required, in plain language.

Get Started