Following numerous discussions held with the Malta Digital Innovation Authority (‘MDIA’), the Malta Financial Services Authority (‘MFSA’) issued a consultation document in order to acquire industry feedback in relation to projected modifications to the System Audit and Live Replication Server requirements laid down in Chapter 3 of the Virtual Financial Assets Rulebook. These will come into effect on 1st February 2020.
The MFSA proposed that all applicants having an Innovative Technology Arrangement (‘ITA’) in place as part of their operations will be required to appoint a Systems Auditor which is registered with the MDIA in terms of Article 9 of the Innovative Technology Arrangements and Services Act (Chapter 592 of the Laws of Malta).
The Systems Auditor will be required to carry out a Systems Audit and issue an audit report in line with the MDIA’s Systems Auditor Report Guidelines and Systems Auditor Control Objectives as well as the MFSA’s Guidance Notes on Cybersecurity, both at the application stage and on an annual basis.
Applicants without an Innovative Technology Arrangement
Where an Applicant does not have an ITA in place, the MFSA proposed that the requirement to engage a Systems Auditor which is listed with the MDIA shall also apply.
Here, the Systems Auditor will be required to carry out an audit on the Applicant’s IT structure and issue an audit report in line with the MDIA’s Systems Auditor Report Guidelines and Systems Auditor Control Objectives as well as the MFSA’s Guidance Notes on Cybersecurity.
Live Replication Report
Chapter 3 of the Rulebook presently states that:
‘where the Licence Holder’s IT infrastructure is not based in Malta, or is located in a cloud environment, the Licence Holder shall ensure that data is replicated real time by virtue of a live replication server located in Malta’
The MFSA proposed that the said live replication server requirement shall be applicable to all Applicants, regardless of where their IT infrastructure is based. This shall be consistent with the MDIA’s Forensic Node Guidelines, and will furthermore fall under the scope of the audits carried out by the Systems Auditors.
The MFSA further proposed that Applicants will be required to appoint a person with the necessary seniority, skills, knowledge and experience to ensure that any demand for information regarding legal compliance and the operational behaviour of the system can be acted upon satisfactorily.
Entities under Transitory Provision
Further to the Circular to Virtual Financial Asset Service Providers, entities functioning under a transitory provision in terms of Article 62 of the VFA Act and wanting to continue offering their services after the end of the transitory provision, together with those commencing the VFA Services Licence application process prior to the Effective Date, must in the case of the:
- requirement to appoint a Systems Auditor, appoint a registered Systems Auditor and submit an audit report within six (6) months from the granting of licence or commencement of business, as the case may be. It is proposed that this will only be applicable when no audit report would have been submitted during the application stage; and
- live replication server requirement, have in place such server upon submission of the VFA Licence Application Form. The live replication server will have to be audited by a registered Systems Auditor and any findings are to be presented in an audit report to be submitted to both the MFSA and the MDIA within six (6) months from the granting of licence or commencement of business, as the case may be.