
MFSA's Dear CEO Letter on AI

What your board must now be able to show.

AI governance just became a supervisory expectation in Malta — not a nice-to-have. Nothing must be filed proactively, but on request every firm must show its AI is mapped, its risks assessed, its board engaged, and its gaps closed.

  • 21% of companies have a mature model for governing autonomous AI
  • 74% of enterprises expect to use agentic AI within two years, up from 23% today
  • 5 key areas the MFSA examined across the sector
  • 4 priority areas where supervisory attention lands first

Three outcomes the letter is built to achieve

The MFSA communication emphasised that AI governance has now become a supervisory expectation. Set out below is the underlying structure supporting that message—namely, the three specific outcomes the MFSA intends to drive through the letter.

AI as a prudential risk area

Firms must treat AI as prudentially relevant — not merely an operational or technological enhancement — and assess how it affects their risk profile, decision-making and resilience within existing governance structures.

A structured internal assessment

The letter is meant to prompt a critical review at board and senior-management level: evaluate current and anticipated AI use, find gaps in governance, oversight and controls, and remediate — with accountability clearly defined.

Consistency across the market

By setting expectations early, the MFSA gives firms the chance to align frameworks proactively — reducing fragmented, inconsistent approaches to AI adoption across the sector.

Turning three outcomes into evidence the board can stand behind

How Deloitte can help

Each outcome maps to a concrete piece of work. On recognising AI as a prudential risk, our AI Control over Risk review helps classify high-risk systems and embed AI into your existing risk and decision-making frameworks rather than treating it as a side process. On the structured internal assessment, our MFSA Self-Assessment Support takes you through the Annex 1 register end to end — building the AI inventory, mapping vendor and data dependencies, and assembling the governance evidence and board reporting the framework expects. And on market consistency, our AI Readiness and gap analysis benchmarks your frameworks against the EU AI Act and ISO/IEC 42001, so you align proactively rather than retrofit controls under supervisory pressure.

The aim is practical: when the MFSA asks, you can show the assessment was performed, its outcomes were considered at board level, and identified gaps are being closed — with governance positioned as the enabler of confident adoption, not the brake on it.

Five areas the MFSA examined — and what it now expects

The 2025 assessment found AI awareness rising but implementation early: many firms had no board-approved AI strategy, leaned heavily on external generative-AI tools, and held limited internal expertise. Against that backdrop, the letter sets out five observation areas, each paired with a specific expectation.

What the MFSA found:

Governance frameworks are uneven. Responsibility for AI is often undefined, and board / senior-management oversight is limited — raising the risk that systems are deployed without challenge, validation, or alignment to risk appetite, including where they touch critical functions under DORA.

What it now expects:

Clear governance arrangements, with the board accountable even for third-party-provided AI. Responsibilities assigned, sufficient in-house expertise to challenge effectively, and roles across the three lines of defence defined so no single function holds unchecked control over design, deployment and validation.

What the MFSA found:

Strong reliance on third-party providers — cloud, model developers, data vendors — with limited visibility into how those systems function, introducing concentration and operational-dependency risk that grows as adoption scales.

What it now expects:

Treat AI outsourcing under existing outsourcing and third-party risk frameworks. Retain control, oversight and understanding of external systems; assess concentration risk; and avoid over-reliance on a limited set of providers where critical operations are at stake.

What the MFSA found:

Advanced and generative models can produce inconsistent, inaccurate or hard-to-interpret outputs, and may drift over time in ways not immediately visible — undermining decision reliability in critical processes.

What it now expects:

Validation, testing and ongoing monitoring, with drift detection and escalation paths. Firms must explain and evidence how systems behave; where they cannot, they should restrict or redesign use — particularly in higher-risk contexts — supported by documentation and audit trails.

What the MFSA found:

Data governance frameworks are not always developed enough to support AI. Weak data governance can produce biased outputs, incorrect conclusions or regulatory breaches — especially where personal or special-category data is involved.

What it now expects:

Robust data governance: data that is accurate, relevant and validated; data flows and usage understood and documented; and consistency with applicable regulatory requirements and internal policy.

What the MFSA found:

Shared models, common data sources and the same third-party providers create interconnectedness across firms. Under stress, this can drive correlated behaviour or amplify existing market vulnerabilities.

What it now expects:

A forward-looking view of AI risk that weighs system-wide as well as firm-level impact — assessing dependencies, identifying single points of failure, and putting contingency measures in place.

Where Deloitte's AI Controls & Assurance services map

Governance is the enabler of confident adoption — not the brake on it. These services align to the expectations above.

Advisory review of AI governance structures and control frameworks, including AI inventory completeness and technical documentation — addressing the call for a board-approved AI strategy and stronger oversight.

Advisory review of how AI-related risks are identified, assessed and managed across governance and operations, including classification of high-risk AI systems.

Assurance-readiness and gap analysis against current and proposed AI regulation and standards, including EU AI Act and ISO/IEC 42001 gap assessments.

Technical AI, control and governance specialist support to internal audit — strengthening the third line and the board's overall lines of oversight.

Structured support to complete the MFSA's Annex 1 register — building the inventory of AI-enabled processes, tools and vendor dependencies, mapping data flows, and assembling governance evidence and board reporting.

Haven't started, just starting, or unsure where to begin?

The MFSA's expectations aren't limited to firms already using AI — governance frameworks must reflect both current and anticipated adoption. For firms at the start of the journey, this is the moment to get the foundations right: connecting strategy, data, implementation, governance and assurance into a single operating model. Deloitte offers hands-on support across four areas.

AI strategy and use-case identification

Spotting, prioritising and assessing AI opportunities across the enterprise — aligned to business objectives, value creation and risk appetite from the outset.

AI implementation and transformation

Designing, deploying and scaling solutions — from copilots and GenAI applications to advanced analytics, automation and enterprise AI platforms.

AI and data readiness

Assessing the quality, governance, architecture and accessibility of data, recognising that trusted AI depends on strong data foundations.

AI governance and control

Designing governance structures and organisational control frameworks. Starting with governance in place isn't slower — it's how firms avoid retrofitting controls later under supervisory pressure.

Four priorities where supervisory attention lands first

The MFSA will fold AI into its ongoing supervision — onsite inspections and thematic reviews — and has flagged four priority areas. The Financial Supervisors Academy will also offer training to build oversight capability across firms.

  • Priority 01: Governance and oversight frameworks
  • Priority 02: Third-party dependencies
  • Priority 03: AI in critical or customer-impacting processes
  • Priority 04: Alignment of AI adoption with risk appetite

The firms that treat governance as the enabler of confident adoption — not the brake on it — will be the ones scaling AI with their regulator's trust intact.
