FIR/03: MFSA’s updated rulebook for EMIs and payments institutions

The Malta Financial Services Authority (MFSA) has unveiled Chapter 3 of the Financial Institutions Rulebook, known as FIR/03. This development is part of the regulator's efforts to strengthen the regulatory framework for payment institutions and e-money institutions. Alongside FIR/03, the MFSA has published revised versions of the FI Return and Guidance Notes, as well as a Feedback Statement summarising the key points from the consultation process and subsequent changes.

What has changed?

Whilst the high-level principles remain unchanged, the updated rule book seeks to eliminate much of the ambiguity that existed in previous iterations. We note a focus on areas the regulator considerers to be inherently risky to the sector, particularly in the areas of corporate governance and safeguarding. A number of rules bring about new operational challenges that may require institutions to revisit existing processes and systems in order to comply.

Additionally, the rules introduce new internal/audit expectations in the areas of outsourcing arrangements and compliance with the revised safeguarding rules. The rulebook extends the MFSA’s supervisory oversight capability through the introduction of direct reporting obligations for those performing safeguarding audits.

Regulatory reporting changes are brought about in the new FI Return. The MFSA has worked with the Central Bank of Malta and the FIAU to streamline and eliminate duplicate data capture from financial institutions by consolidating these within the FI Return. Whilst this initiative should lessen the regulatory burden, one must also note the abbreviated reporting deadlines as it relates to the REQ submission that is now set for 31 January.

Implementation timelines

The implementation of FIR/03 will occur in two stages:

• Stage 1: Already in effect since 15 October 2024. Organisations are expected to be compliant with all the requirements of the regulation with the exception of Governance and Safeguarding.
• Stage 2: This will come into effect on 15 December 2024 and will focus on the Governance and Safeguarding requirements.

Let us guide you

Deloitte will be publishing a series of articles and podcasts where we will be exploring the implications of the new regulations for the Payment Services and E-money sector in the coming weeks. Sign up here to keep updated about our insights.

Our FinTech team is prepared to assist you in navigating these changes. If you would like a one-on-one conversation to clarify any questions and/or learn more about the regulatory updates and potential operational impact, reach out.