MiCA CASP License in Malta

Why Choose Malta for Crypto Licensing?

Malta authorises crypto-asset service providers under a single MiCA-aligned framework administered by the MFSA, an established financial services regulator with seven years of supervisory continuity from the legacy VFA Act. Existing VFA holders also have a simplified conversion route under Article 143(6) (see the transition section below).

Full MiCA Passporting from a MoneyVal-Cleared Jurisdiction

Malta exited the FATF grey list on 17 June 2022 after a 13-month listing, and the 2024 MoneyVal follow-up confirmed sustained compliance.^[1] A Malta MiCA CASP authorisation passports to 30 EEA states under Article 65 of Regulation (EU) 2023/1114, with MFSA forwarding notifications to host competent authorities within 10 working days.^[2] Unlike Cyprus, where the CySEC MiCA framework was issued later and the authorised CASP cohort is smaller, Malta’s MFSA had been licensing virtual financial asset service providers since 2018 and carries that operational track record into the MiCA regime.

Tax Treatment Built for Active Trading Businesses

Malta’s full-imputation corporate tax system reduces the effective rate on active trading income to 5% via the 6/7ths shareholder refund mechanism, retained after the introduction of the 15% Pillar Two elective regime.^[3] A Malta-incorporated CASP routing operating income through a Maltese parent achieves a structurally lower effective rate than competing EU MiCA jurisdictions where the rate is the headline number: Cyprus at 12.5%, Estonia at 22% on distribution, Ireland at 12.5% or 15% under Pillar Two for in-scope groups. The Highly Skilled Individuals Rules introduced by Legal Notice 20 of 2026 apply a flat 15% personal tax to qualifying employment income from €65,000, for 15 years, replacing the legacy Highly Qualified Persons Rules.^[4]

English-Language Legal System and Anglo-Saxon Counsel Ecosystem

Malta’s legal system is bilingual English-Maltese with English the working language of MFSA, FIAU, the Office of the Arbiter for Financial Services, and the Financial Services Tribunal. Common-law principles supplement the civil-law base, and the MiCA Rulebook FIR/03 issued 11 March 2025 is published exclusively in English.^[5] This matters operationally because international applicants do not need certified translations for any MFSA submission, and counsel briefings can move at native-language speed. The common mistake is to assume this advantage is purely cosmetic: in practice, it saves four to six weeks across a typical 12-month authorisation file compared with civil-law-only EU jurisdictions.

Operational Track Record: 13 CASPs Authorised by May 2026

MFSA had authorised 13 CASPs under MiCA by 22 May 2026, the second-largest cohort in the EU after Germany (BaFin) and ahead of Cyprus, Lithuania, Ireland, and the Netherlands.^[6] The cohort includes several globally significant exchanges and custody businesses. Authorisations granted after the ESMA peer review of 10 July 2025 demonstrate that MFSA continued to license post-review, applying the tightened authorisation gating recommended in the peer review report rather than slowing the pipeline.^[7]

Regulatory Framework

The MFSA is Malta’s sole competent authority for MiCA under the Markets in Crypto-Assets Act, Chapter 647 of the Laws of Malta, enacted by Act No. XXXVI of 2024 on 5 November 2024. The consolidated MiCA Rulebook (FIR/03) was issued on 11 March 2025, with Title 2 covering authorisation, Title 3 covering ongoing CASP requirements, Title 4 covering ART issuers, and Title 5 covering surrender of authorisation.^[5]

Recent Regulatory Developments

• February 2026: ESMA Q&A 2349 on CASP capital requirements. ESMA confirms that “total expenses” for the Article 67(3) fixed-overheads calculation includes all indirect costs (fixed and variable), with deductions limited to subparagraphs (a) to (d).^[8]
• January 2026: Highly Skilled Individuals Rules. Legal Notice 20 of 2026 introduces a flat 15% personal tax on qualifying employment income from €65,000, replacing the legacy HQP Rules. Application window 1 January 2026 to 31 December 2035, 15-year maximum benefit.^[4]
• 10 July 2025: ESMA Peer Review on CASP Authorisation and Supervision in Malta. ESMA42-2004696504-8164. MFSA rated “fully meets expectations” on supervisory settings and resources, “largely meets” on post-authorisation supervision, “partially meets” on one specific authorisation file. MFSA accepted findings.^[7]
• 10 June 2025: EBA Opinion EBA/Op/2025/08. Clarifies the PSD2-MiCA interplay for e-money tokens, with practical implications for CASPs offering EMT transfer or custody services.^[9]
• 4 April 2025: MFSA CASP Return introduced. Template v25-01-a; first cumulative submission deadline 30 April 2025, signed Representations Sheet required.^[10]
• 24 March 2025: MFSA Major ICT-Related Incident Reporting Process v3.00. Implements Commission Delegated Regulations 2024/1772 (classification) and 2025/301 (timeframes): initial report within 4 hours, intermediate within 72 hours, final per delegated act.^[11]
• 11 March 2025: MiCA Rulebook FIR/03 issued. Consolidated MFSA rulebook plus amendments to the Financial Institutions Rulebook.^[5]
• 30 December 2024: FIAU revised Implementing Procedures Part II for CASPs. Issued alongside Legal Notice 379 of 2024 amending the PMLFTR. BRA review cadence moved to every six months for CASPs.^[12]
• 5 November 2024: Markets in Crypto-Assets Act enacted. Act No. XXXVI of 2024 transposes MiCA and consolidates Maltese implementing measures.^[13]

Regulatory Overlap

Court Treatment of Virtual Assets

Maltese courts have applied the VFA Act and ancillary regulations consistently since 2018, with the OAFS handling consumer-facing complaints and the Financial Services Tribunal handling regulatory appeals. The MFSA penalty regime is under ongoing constitutional appeal (the Chair and CEO have publicly flagged the risk of erosion of dissuasive power), which is a watch-item for 2026 but not a current state.^[14]

Regulatory Transition: Virtual Financial Assets Act to MiCA

The Old Regime: VFA Act 2018

The Virtual Financial Assets Act, Chapter 590 of the Laws of Malta, was enacted in 2018, making Malta one of the first EU member states with a dedicated virtual asset framework. VFA service providers were classified under four service classes: Class 1 (advisory), Class 2 (brokerage and dealer), Class 3 (dealer plus custody), Class 4 (exchange operator).^[15] MFSA accumulated supervisory experience and a body of licensed entities under this regime, which the MiCA Rulebook FIR/03 explicitly maps to MiCA service classes.

The New Regime: MiCA + MiCAA

MiCA (Regulation (EU) 2023/1114) applies in Malta from 30 December 2024, transposed and supplemented by the Markets in Crypto-Assets Act, Chapter 647, enacted 5 November 2024.^[13] MFSA is the sole competent authority. The ten MiCA Article 3(1)(16) service types are grouped into three MFSA prudential classes: Class 1 (€50,000 floor), Class 2 (€125,000), Class 3 (€150,000) under Annex IV.

Article 143(6) Simplified Conversion

Entities holding a VFA licence before 30 December 2024 qualify as Category A applicants under MFSA’s Circular on the Authorisation Process for MiCA Applicants. The procedure: board resolution committing to MiCA conversion, surrender of the VFA licence subject to MiCA grant, completion of the 2024 MiCA thematic questionnaire (or reliance on prior submission). Application fees discounted 50% if filed before 1 July 2026.^[16]

Category B: New Applicants

Standard authorisation process applies. Pre-application Statement of Intent, legal opinion from a Maltese warranted lawyer, full programme of operations, governance manual, ICT architecture, AML/CFT manual, business plan with 3-year financials, fit-and-proper packs for all qualifying holders, directors, senior managers, MLRO, and Compliance Officer.

Key Deadlines

Practical Implications

In practice, the 1 July 2026 deadline matters more than the 3 July 2026 repeal: an existing VFA holder that has not filed under the simplified route by 1 July 2026 loses both the discount and the streamlined procedure, defaulting to the full Category B process with the standard fee. From July 2026, all data points elsewhere on this page reflect the new MiCA regime only.

License Types and Activities Covered

MFSA authorises CASPs to provide one or more of the ten MiCA crypto-asset services, grouped into three prudential classes by capital floor. Authorisation is service-specific: an exchange operator wanting to add custody adds a service class via a variation, not a fresh application.

Covered Activities (MiCA Article 3(1)(16) Service Types)

ART and EMT Issuance

MFSA also authorises issuers of asset-referenced tokens (Title III MiCA) and supervises e-money token issuers (Title IV: EMTs may only be issued by Financial Institutions Act-authorised electronic money institutions or credit institutions). Application fees for ART whitepapers: €3,000 (credit institution issuer), €8,000 (non-credit institution issuer). Whitepaper modifications: €1,000.^[17]

What Does NOT Require CASP Authorisation

• Whitepaper notification only. Non-ART/EMT crypto-asset whitepapers can be notified to MFSA by any Maltese entity without a CASP authorisation, under MiCA Articles 8 and 21. MFSA does not pre-approve content; the offeror bears responsibility.
• Purely peer-to-peer activity without intermediary service. Self-custodied wallet activity, transfers between own wallets, and pure peer-to-peer exchanges where no intermediary provides custody, execution, or matching fall outside the CASP perimeter.
• NFTs that are unique and not fungible. Unique non-fungible tokens (where the value derives from individual, non-fungible attributes) sit outside MiCA per Recital 10. Fractional NFTs, NFT collections issued as fungible series, and NFTs that function as financial instruments fall back into scope.
• DeFi protocols without an identifiable issuer or service provider. MiCA Recital 22 carves out fully decentralised services. What MFSA does not formally cover is the question of when “fully decentralised” stops being decentralised: a foundation, multisig council, or token-issuer entity will typically be in scope.
• Crypto-asset services already in scope of MiFID II / EMI / E-Money frameworks (e.g., security tokens treated as transferable securities). MiCA Title II governs which side of the perimeter applies.

Tokenised securities and RWA

A MiCA CASP authorisation does not reach tokenised securities or tokenised real-world assets that qualify as financial instruments. MiCA Article 2(4) excludes crypto-assets that are financial instruments, so a security token, a tokenised share, bond, or note, falls under MiFID rather than MiCA. In Malta that token is regulated under the Investment Services Act, outside both MiCA and the phasing-out VFA Act, and the operator needs a MiFID investment-services licence rather than a CASP authorisation. The MFSA’s Financial Instrument Test is the gating mechanism that routes a token to either side of the perimeter, applying ESMA’s operative Guidelines on the conditions and criteria for the qualification of crypto-assets as financial instruments. We scope the security-token route through the Investment Services Act and pair it with our fund licensing work where a tokenised fund vehicle is the better structure.

Requirements

The make-or-break elements are a Maltese-incorporated company with local key-function presence, MiCA Article 67 capital held in cash, and a DORA-aligned ICT framework. Generic templates do not pass MFSA’s authorisation gate, and substance is tested directly through post-authorisation supervision.

Requirements Table

Fit-and-Proper Assessment

MFSA assesses individual fitness and propriety using its standard Personal Questionnaire (PQ) forms, applying the ESMA/EBA Joint Guidelines on Suitability of Management Body Members and Shareholders for Entities under MiCA. Dimensions: integrity (criminal record, regulatory history, civil judgments, bankruptcy), competence (qualifications, relevant experience, knowledge of the business), financial soundness, and conflicts of interest. The PQ is required for every beneficial owner, qualifying holder (10% or more direct or indirect), administrator, senior manager, MLRO, and Compliance Officer. Approval must be received before any appointment takes effect.

Experienced applicants build out PQ files before drafting the programme of operations because the PQ approval timeline is the longest serial dependency: an unresolved fit-and-proper concern blocks the whole application, while drafting can be paralleled.

Local Substance

MFSA does not publish a numerical substance test, but the supervisory expectation observed across the authorised cohort is approximately 10 substance staff within six months of authorisation, scaled to business size and complexity. The team mix includes employed personnel (MLRO, Compliance Officer, executive director, key business roles) and qualifying service arrangements for support functions. A registered office in Malta is mandatory; co-working addresses without dedicated space are not accepted. The real constraint on Malta substance is not the cost (€30,000 to €50,000 office rent for 10 people in Sliema or St Julian’s, manageable), but the availability of MiCA-experienced compliance talent: salaries for senior MLRO and Compliance Officer roles run €60,000 to €90,000 fully loaded.^[18]

AML/CFT and Travel Rule

CASPs are Subject Persons under the Prevention of Money Laundering Act (Cap. 373) and the Prevention of Money Laundering and Funding of Terrorism Regulations (S.L. 373.01). FIAU supervises AML/CFT compliance. The revised Implementing Procedures Part II for CASPs published on 30 December 2024 aligns terminology with MiCA and the Travel Rule (Regulation (EU) 2023/1113), adds crypto-specific risk factors (immediacy, irrevocability, sectoral velocity, lack of value or volume restrictions), and accelerates the Business Risk Assessment review cadence to every six months for CASPs (vs annual for other Subject Persons).^[12]

Travel Rule requirements apply from 30 December 2024: collection and transmission of originator and beneficiary information on crypto-asset transfers, with a €1,000 threshold for unverified information and self-hosted wallet attestation procedures. Sanctions screening is required against UN, EU, and Maltese designations (the EBA Guidelines on internal policies, procedures, and controls (EBA/GL/2024/15) inform MFSA’s supervisory expectations).

Application Process

MFSA targets the MiCA Article 63 statutory clock: 25 working days for the completeness check and 40 working days for substantive assessment (extendable by 20 working days for information requests). In practice, the realistic end-to-end Malta timeline is 9 to 18 months, driven by pre-application preparation (4–7 months) plus the formal review (5–11 months including iteration on RFIs).

Application language: English exclusively. Maltese-language documents are not required and not accepted by MFSA for CASP authorisation files.

Jagelski & Partners’ specialist compliance partners draft Malta-specific AML/CFT policy suites, the Enterprise-Wide Risk Assessment, Travel Rule implementation procedures, and the DORA ICT risk management framework as part of the MiCA CASP licensing engagement. The compliance documentation is the most time-intensive component of any Malta CASP application: 10 to 14 weeks of specialist work that cannot be shortcut with generic templates. MFSA explicitly screens for adapted-from-elsewhere policies and issues RFIs against them. Book a Licensing Assessment →

Required Documents

MFSA’s Circular on the Authorisation Process for MiCA Applicants sets the document inventory MFSA expects to see in a complete file.^[16] The list below reflects the live expectation as of June 2026, post the ESMA peer review tightening.

Corporate Documents

Memorandum and Articles of Association; certificate of incorporation; register of members; certified copy of the share register; registered office confirmation; UBO declaration filed with the Malta Business Registry; organisational chart showing legal entities and individuals; corporate governance manual.

Personal Documents (All Directors, Officers, MLRO, Compliance Officer, UBOs 10% or more)

MFSA Personal Questionnaire; valid passport and proof of address; CV with verifiable employment history; certificates of qualifications and professional memberships; criminal record certificate from country of residence and any country of residence in the past 10 years; financial standing declaration; declaration of conflicts of interest; details of any prior regulatory engagements, sanctions, or proceedings.

Compliance Documentation

The compliance documentation is the most heavily scrutinised component of any Malta CASP application. Jagelski & Partners’ specialist compliance partners draft each of these documents as part of the licensing engagement: bespoke and Malta-specific, not templates adapted from other jurisdictions. Each document must reflect the applicant’s specific business model, risk profile, and operational structure.

Business Plan and Financial Projections

3-year financial projections with revenue model, cost base, sensitivity analysis; market analysis (target geographies, client profiles, competitive positioning); funding plan and capital runway analysis; operational scaling plan tied to substance commitments.

Technology and Operational Documentation

ICT architecture diagram; data flow diagrams; key management system design; business continuity and disaster recovery plans; cybersecurity policy; cloud governance; third-party vendor inventory with DORA Article 30 contracts; outsourcing register; threat-led penetration testing schedule (if a significant CASP).

Costs and Pricing

MFSA fees are set under the Markets in Crypto-Assets Act (Fees) Regulations, Legal Notice 295 of 2024.^[17] The all-in Year 1 cost for a Class 2 or Class 3 CASP is €350,000 to €900,000, of which €125,000 to €150,000 is the own-funds capital that remains on balance sheet rather than being spent.

Government / MFSA Fees

ART whitepaper application: €3,000 (credit institution issuer) / €8,000 (non-credit institution issuer). FIAU supervisory contribution: annual, scaled by Subject Person profile (figure published in FIAU annual fee circular).^[12]

Total Cost Summary

MiCA CASP authorisations are indefinite rather than time-limited. The annual MFSA supervisory fee comprises the base fee by class plus €2,000 per additional service and 0.05% of transaction volume (capped at €250,000). Volume-based fees apply once the CASP is operational, so Year 1 supervisory cost is typically the base + per-service uplift only.

Timeline

The realistic Malta CASP timeline is 9 to 18 months end-to-end: 4 to 7 months of pre-application preparation plus a formal review of 5 to 11 months including RFI iteration. MFSA targets the MiCA Article 63 statutory clock of 25 plus 40 working days, but the clock pauses during information requests, so calendar time runs well beyond the statutory minimum.

The pace of authorisations to date suggests adequate MFSA capacity, so speed in practice is determined by the applicant’s pre-application preparation, not by MFSA throughput. The 9-month end of the range is achievable only by Category A applicants converting under the simplified route with complete documentation; new applicants should plan against the 14–18-month end.

Taxation

Malta is a 5% effective tax jurisdiction for active CASP trading income, achieved through the full-imputation system: 35% corporate tax at the company level, with a 6/7ths refund payable to non-resident shareholders on dividend distribution, producing a 5% effective rate at group level.

All rates as of June 2026.

Highly Skilled Individuals Rules (Legal Notice 20 of 2026)

The HSI Rules apply a flat 15% personal income tax to qualifying employment income from €65,000 (rising by €10,000 every five years) for non-domiciled employees in financial services, gaming, crypto, aviation, and maritime sectors. The benefit lasts up to 15 years per employee, with an application window of 1 January 2026 to 31 December 2035.^[4] The HSI Rules replaced the legacy Highly Qualified Persons Rules under Legal Notice 20 of 2026.

DAC8 / CARF Reporting

Malta implements DAC8 (Directive (EU) 2023/2226) extending DAC to crypto-assets, with the OECD Crypto-Asset Reporting Framework transposed alongside. Effective date for first reporting: 1 January 2026 data, first reports due 2027. Reporting CASPs are responsible for collecting and transmitting reportable user data.^[19]

Pillar Two (Global Minimum Tax)

Malta has elected the deferral available under Article 50 of Council Directive (EU) 2022/2523, postponing application of the substantive GloBE rules (the Income Inclusion Rule, Undertaxed Profits Rule, and any qualified domestic top-up tax) for up to six fiscal years; as of June 2026 none of these rules has been introduced, while Malta has transposed the Directive’s administrative provisions and the DAC9 reporting framework. A 15% elective top-up regime is available domestically for in-scope groups that prefer to settle the minimum tax in Malta. Standalone Maltese-domiciled CASPs below the €750 million consolidated revenue threshold are out of scope. Multinational groups whose consolidated revenue exceeds €750 million should assess parent-jurisdiction Income Inclusion Rule exposure independently.^[25]

Ongoing Compliance & Post-Registration

MFSA authorisations are indefinite. CASPs operate under continuous prudential, conduct, AML/CFT, and DORA obligations, with the supervisory cycle anchored by quarterly CASP Returns, annual audited financial statements, the DORA Register of Information, and an extensive notification regime for material changes.

Annual Reporting Obligations

Supervision Fees and Recurring Costs

The MFSA annual supervisory fee is the class base (€10,000 / €25,000 / €50,000) plus €2,000 per additional authorised service plus 0.05% of transaction volume capped at €250,000. FIAU contribution is separate. Recurring operational costs (office, MLRO and Compliance Officer headcount, audit, Travel Rule subscription, blockchain analytics, KYC tooling) sit in the €200,000 to €500,000 band excluding capital.

Regulatory Inspections

MFSA conducts scheduled supervisory engagements (annual or biennial depending on risk rating) and thematic reviews. The 2024 supervisory cycle saw 612 investigations opened, 387 concluded, 134 enforcement actions taken, and €926,485 in penalties: a material step-up from €444,800 in 2023.^[14] CASPs sit in the elevated-attention cohort following the ESMA peer review.

Marketing and Promotion Rules

Marketing communications must be fair, clear, not misleading; identifiable as marketing; consistent with any whitepaper; and accompanied by risk warnings per MiCA Article 7. ESMA’s 2025 guidance cautions against misleading “regulated under MiCA” language, particularly when promoting unregulated products alongside regulated ones. Cross-border promotion is subject to host-state language and conduct rules even where the EU passport applies.

Enforcement

MFSA has the power to revoke authorisation, impose administrative penalties, and require specific remedial action. The FIAU operates a separate AML/CFT penalty regime. The most prominent recent CASP-related enforcement was a €1,054,000 FIAU penalty issued on 3 April 2025 against an authorised Malta CASP for AML breaches that predated MiCA authorisation, signalling that historical compliance failings travel with the entity.^[20]

ICT Risk Management & Operational Resilience

The Digital Operational Resilience Act (Regulation (EU) 2022/2554) applies in full to Malta CASPs from 17 January 2025. CASPs are “financial entities” within DORA Article 2 scope, with no exemption for size or activity profile.

ICT Risk Management Framework

The framework must cover governance (board ownership), risk identification and classification, business continuity policy, disaster recovery, and the proportionality principle (DORA Article 4) for smaller CASPs. MFSA’s Supervisory ICT Risk and Cybersecurity (SIRC) Function publishes guidance via “The Nature and Art of Financial Supervision Volume XI: ICT Risk and Cybersecurity” (3 September 2024).^[21]

Incident Reporting (4 / 72 Hour Cadence)

The MFSA Major ICT-Related Incident Reporting Process v3.00 implements Commission Delegated Regulation (EU) 2024/1772 (classification thresholds) and Commission Delegated Regulation (EU) 2025/301 (reporting timeframes):^[11]

• Initial Report: within 4 hours of classification as “major” and no later than 24 hours of awareness
• Intermediate Report: within 72 hours
• Final Report: per delegated act timeframe

Submission via the Cyber Reporting Management System (CRMS) on the MFSA LH Portal. The Significant Cyber Threat Notification Process (17 January 2025) provides a voluntary parallel channel for non-incident threat intelligence.

Digital Operational Resilience Testing

All financial entities must run a programme of digital operational resilience testing proportionate to size and risk. “Significant” CASPs (criteria set by ESMA RTS) are subject to threat-led penetration testing (TLPT) at least every three years, scoped to critical functions and conducted by accredited testers.

Third-Party ICT Risk and the Register of Information

DORA Article 28 requires a Register of Information (RoI) covering all ICT third-party arrangements, with annual submission to MFSA. The Maltese submission window is 1 January to 21 March annually; reference date is 31 December of the prior year. First cycle 2026 covers FY2025 data. Only “Accepted” status is DORA-compliant.^[22]

DORA Article 30 sets out contractual provisions: written contracts with audit rights, exit strategies, sub-outsourcing controls, location of data processing, and termination triggers. Cloud and blockchain analytics vendors are typically the highest-risk arrangements. Critical third-party providers may be designated by the ESAs and subject to oversight directly.

Wallet Management and Key Custody

MFSA expects a documented cold-storage majority for client crypto-assets, multi-signature controls, HSM-backed key material for production keys, and recorded key ceremonies. Hot wallet operational floats must be sized to documented operational needs with quantitative limits in the Risk Appetite Statement.

Banking

Banking is the single largest operational friction for Malta-based CASPs. Even fully authorised CASPs face enhanced due diligence at every Maltese credit institution and at most EU banks. Realistic timelines for operational account opening run 4 to 8 months in parallel with the authorisation process, longer if pursued sequentially.

The Maltese Banking Landscape

The Maltese banking landscape comprises two large domestic credit institutions plus a small number of fintech-oriented Maltese banks, all of which apply enhanced due diligence to crypto-asset service providers. Detailed transaction-flow analysis, source-of-funds evidence, beneficial ownership traceability, and demonstrated AML maturity are universal entry conditions. EU electronic money institutions licensed in MiCA-friendly jurisdictions are typically more accessible for safeguarding, fiat on-ramps, and operational SEPA flows.

Banking Access by Business Profile

Banking access remains hardest for Class 3 trading platforms with high transaction velocity, easier for Class 1 advisory and portfolio management businesses. Operators planning to serve institutional counterparties will find that the historical Malta grey-listing (now lifted) still surfaces in correspondent banking conversations: post-MoneyVal-clearance is the dominant narrative, but enhanced due diligence at the correspondent level persists.

Jagelski & Partners’ Banking Service

A licence without banking access is a certificate on the wall. Jagelski & Partners’ banking partner network covers more than 90 institutions across the EU, EEA, and offshore corridors, and businesses placed more than fourteen billion euros in client turnover across banking and EMI relationships in 2025. Pre-qualification across the network surfaces the institutions whose risk appetite matches the applicant’s business profile before formal application. Learn about the Banking service →

FATF Status & International Standing

Malta exited the FATF grey list on 17 June 2022 after a 13-month listing, and MoneyVal follow-up reports through 2024 confirmed sustained compliance with the action plan. As of June 2026, Malta is rated compliant or largely compliant with all FATF 40 Recommendations and is not under any FATF or MoneyVal enhanced monitoring.^[1]

Money laundering prosecutions in Maltese courts dropped from 57 in 2021 to 16 in 2023, a pattern read by some commentators as enforcement softening and by Maltese authorities as normalisation of the post-grey-listing baseline.^[23] The realistic operator assessment: Malta’s MoneyVal-cleared status is a credible banking and counterparty narrative, but historical scrutiny still surfaces in correspondent banking conversations and US counterparty due diligence.

MiCA Passporting and EU Market Access

A Malta MiCA CASP authorisation passports to all 30 EEA states under Article 65 of Regulation (EU) 2023/1114. The procedure: home CASP notifies MFSA of the host states targeted, services offered, planned start date, and branch details where applicable. MFSA forwards within 10 working days to host single points of contact, ESMA, and EBA. Services may commence on the date of communication or no later than the 15th calendar day after submission.^[2]

Host competent authorities are informed rather than asked: they cannot block authorised cross-border activity but retain supervisory powers over local conduct, marketing, and consumer protection. A branch establishment requires additional Article 65(4) information including a named person responsible for branch management and compliance. The ESMA Interim MiCA Register lists 13 Malta-authorised CASPs as of May 2026, with cross-border passports filed for most.^[6]

Advantages and Limitations

Malta is a high-value jurisdiction for the right CASP profile and a poor fit for several others. The advantages cluster around tax efficiency, EU market access, supervisory continuity, and English-language operations. The limitations cluster around banking friction, substance cost, and the reputational overhang from the July 2025 ESMA peer review.

• ✓ 5% effective corporate tax. Full-imputation system with 6/7ths shareholder refund on active trading income produces structural tax efficiency unmatched within the EU MiCA cluster.
• ✓ Full MiCA passport. Authorisation passports to 30 EEA states under Article 65, with MFSA forwarding to host NCAs within 10 working days.
• ✓ English-language legal system. Bilingual common-law overlay reduces friction for international applicants; no certified translation required for MFSA submissions.
• ✓ Established supervisory track record. MFSA’s seven years of VFA supervisory continuity inform the current MiCA framework; 13 CASPs authorised by May 2026, second-largest cohort in the EU.
• ✓ Simplified Article 143(6) conversion for VFA holders before 1 July 2026, with 50% fee discount, offers a faster path for the existing cohort.
• ✓ MoneyVal-cleared since 2022. Malta exited the FATF grey list on 17 June 2022, with sustained compliance through subsequent MoneyVal reporting cycles.
• × Banking friction. Maltese credit institutions apply enhanced due diligence to CASPs; operational account opening runs 4 to 8 months. Mitigation: pursue banking in parallel with MFSA authorisation; pre-qualify across a multi-institution EU and offshore EMI and bank network before any formal application.
• × Year 1 cost band starts at €350,000. MFSA fees plus substance plus compliance documentation plus DORA tooling makes Malta materially more expensive than the cost-leader EU MiCA jurisdictions. Mitigation: Class 1 advisory or portfolio management models can reduce Year 1 to the lower end of the band.
• × ESMA peer review (July 2025) tightened MFSA gating. New applicants face deeper authorisation scrutiny than the pre-July 2025 cohort, particularly on Web3 and DeFi exposure controls, custody booking models, and the resolution of any prior enforcement history. Mitigation: prepare a robust pre-application file with named precedent for any non-standard activity; assume MFSA will test every governance, ICT, and AML claim in the application.
• × Substance cost. Local team of ~10 within six months of authorisation, MLRO and Compliance Officer salaries €60,000 to €90,000 fully loaded, plus office. Mitigation: scale substance to business size; service arrangements are permitted for support functions while keeping board, MLRO, and Compliance in-house.
• × Talent pool depth. MiCA-experienced lawyers and compliance officers are available in Malta but the pool is shallower than Lithuania or Ireland; competition for senior compliance hires drives salary inflation. Mitigation: combine local hires with experienced expatriate appointments under the Highly Skilled Individuals Rules (Legal Notice 20 of 2026, flat 15% personal tax from €65,000 qualifying income).

How Malta Compares

Malta sits in the established EU/EEA crypto centre tier alongside Cyprus and Gibraltar, with Estonia as the cost-leader alternative for applicants prioritising lower entry cost over institutional prestige. The four jurisdictions differ on capital floor (all MiCA-set), timeline, total Year 1 cost, effective tax, and FATF posture. Malta leads on tax efficiency and supervisory track record; Estonia leads on cost; Cyprus is broadly comparable to Malta with a smaller authorised cohort; Gibraltar is non-EU post-Brexit and follows its own pre-MiCA DLT framework.

Compare every crypto jurisdiction side by side →

When Malta Is the Right Choice

Choose Malta if:

• You hold an existing VFA licence and can still file under the Article 143(6) simplified route
• Active CASP trading income volume is large enough to make the 6/7ths refund materially valuable (the cost of the imputation structure is amortised against tax saved)
• EU passporting and English-language counsel ecosystem are decision-critical
• The applicant has €350,000+ in Year 1 budget and 6–8 months of pre-application capacity

Consider alternatives if:

• Year 1 budget is the binding constraint: see Estonia or Lithuania for materially lower entry costs
• The target market is German or French institutional: see Germany BaFin authorisation or France AMF authorisation: host-state familiarity matters
• The applicant has unresolved regulatory history elsewhere: post-July 2025, MFSA scrutinises this aggressively
• Speed is the priority over institutional positioning: see Estonia for the fastest realistic EU MiCA path

Not sure which column is you? Ask Emma. She compares these jurisdictions in seconds, in your language.

Common Mistakes in Malta Applications

MFSA’s Circular on the Authorisation Process for MiCA Applicants and the ESMA peer review report together signal the patterns that delay or block Malta CASP authorisations. Five recur across the applicant cohort.

• Generic programme of operations templates. MFSA’s authorisations team flags adapted-from-elsewhere business plans within the first 25-working-day completeness check. The programme must reflect the applicant’s specific business model, jurisdiction-specific compliance procedures, and Malta-anchored governance, not a translated Estonia or Lithuania file.
• Combined MLRO and Compliance Officer functions without conflict mitigation. MFSA accepts function combination only with documented conflict procedures, demonstrated capacity, and proportionality justification. Applicants who file the combination without addressing the conflict receive RFIs that delay the file by 2 to 4 months. The common mistake is to treat function combination as an efficiency choice rather than a governance question.
• Weak Web3 and DeFi exposure controls. The ESMA peer review specifically flagged this. CASPs offering staking, lending, structured crypto products, or DeFi integrations must document the protocol-level risk, smart contract audit history, and custody booking model in detail. MFSA expects evidence of legal and technical analysis, not vendor marketing.
• Capital held in non-segregated accounts at application. MiCA Article 67 requires own funds in CET1 instruments held in a segregated account at authorisation. Applicants who present capital in operational or general business accounts trigger an RFI and a delay until segregated arrangements are documented and evidenced.
• Outsourcing contracts that do not meet DORA Article 30. Pre-DORA outsourcing contracts (especially for cloud, custody technology, blockchain analytics) typically lack audit rights, exit strategies, sub-outsourcing controls, or location-of-processing terms. MFSA will not accept these as satisfying the DORA framework; renegotiation with vendors is the only remedy and can take 3 to 6 months.

Frequently Asked Questions

References