EU regulatory review criticizes Malta’s MiCA licensing process

Malta’s approval process for digital asset firms seeking a license to operate in the European Union (EU) “should have been more thorough,” concluded a review conducted by the bloc’s top financial sector regulator.

Under the EU’s Markets in Crypto-Assets (MiCA) regulation, digital asset firms must obtain a license to operate in the EU. Earlier in June, Reuters reported that concerns had been raised about the speed with which Malta’s top finance sector regulator, the Malta Financial Services Authority (MFSA), was handing out licenses and that a review of its processes was underway.

On July 10, the European Securities and Markets Authority (ESMA)—the EU’s financial markets regulator and supervisor—published the review results, finding that MFSA’s authorization process had “timing” issues and lacked the appropriate thoroughness.

Malta too quick for its own good

After the EU’s MiCA regime for crypto asset service providers (CASPs) came into force in January, digital asset firms such as exchanges, wallet providers and issuers needed to obtain a MiCA license from a ‘National Competent Authority’ (NCA)—i.e. the relevant regulator of an EU nation—to operate in the bloc.

Due to the ‘passporting’ feature of the regulation, a license issued by any member state’s regulator allows the licensee to operate throughout the EEA, which includes every country in the 27-nation bloc, plus Iceland, Liechtenstein, and Norway.

Since January, 53 MiCA licenses have been handed out, 39 to CASPs and 14 to stablecoin issuers, according to Patrick Hansen, Director of EU strategy and Policy at Circle (NASDAQ: CRCL)—the U.S. firm behind the popular USDC stablecoin.

In the end, ESMA’s ‘Peer Review Report’ into Malta’s processes, published July 10, confirmed these fears, stating that “the overall authorisation process should have been more thorough and conducted on a sufficient time to allow MFSA to properly assess compliance against the MiCA framework.”

However, it found no issues related to staff or resources, saying that “MFSA has built a good level of expertise in this sector and has sufficient supervisory resources for CASP authorisations and supervision.”

Instead, it was “timing” that appeared to be the main issue. Specifically, it found that, due to the speed with which the process was conducted, some material issues were not fully resolved when MFSA granted the CASP authorisation and some risks areas were not adequately assessed during the authorisation process, including: aspects of the CASP’s business plan related to its growth and the on-boarding of new clients, potential conflicts of interest, governance arrangements, and certain anti-money laundering/counter financing of terrorism (AML/CFT) risks and controls.

In terms of recommendations, the report said that the Maltese regulator “needs to monitor closely the growth in authorisation applications and supervised entities and identify in a timely manner any need to scale up or adjust supervisory practices.”

Despite the words of warning, it wasn’t all bad news and reprimands for MFSA. The ESMA report also noted that Malta’s regulator had demonstrated “overall a good level of resources and supervisory engagement within the authority” and that its supervisory response “appears largely appropriate and proportionate.”

While the Peer Review Report focused on just one regulator, MSFA, and the license application process of one particular CASP—which was not named—ESMA was keen to point out that the review aimed to foster the sound authorization of CASPs by all NCAs in the EU.

Therefore, “its conclusions should be on-boarded by all NCAs to ensure that the authorisations they grant are well assessed in this new and high-risk sector, where supervisory knowledge is still being built.”

Watch: Breaking down solutions to blockchain regulation hurdles