FAQ

The general requirements of an Innovative Technology Arrangement are intended to meet the standards of legality, integrity, transparency, compliance and accountability.

These shall be assessed by the Authority based on its own reviews of all persons involved, all documentation available and the software it may access as would any user thereof.

Applications received by the Authority for certification of Innovative Technology Arrangements, which are deemed to be related to licensable activities by other lead authorities (e.g. the Malta Financial Services Authority, the Malta Gaming Authority, etc.) fall outside the remit of the MDIA.

An Innovative Technology Arrangement shall be granted a Certificate, having a unique number for purposes of identification and stating details of how the Innovative Technology Arrangement is identified.

The Certificate shall be posted in a specific location which shall be notified to the Authority.

Obtaining certification of an Innovative Technology Arrangement from the Authority will instil confidence that the Innovative Technology Arrangement functions as intended.

‘Blueprint’ is defined in the MDIA Innovative Technology Arrangement Guidelines as a document that sets out a description of the qualities, attributes, features, behaviours or aspects of an Innovative Technology Arrangement.

Each Applicant must ensure that the Innovative Technology Arrangement is implemented in line with the Blueprint submitted to the Authority, as this document will serve as the basis for the Systems Audit carried out as part of Stage 2 of the application process.

A Systems Auditor (in the case of an individual), and the Subject Matter Experts, must, in aggregate, meet all of the following criteria:

• Hold a qualification in ICT and/ or Information Security at MQF level 6 or higher;
• Hold a certification in IT Audit or IT Risk or Security Management;
• Have experience in carrying out audits and reporting based on audit established standards; and
• Have suitable experience in Innovative Technology Arrangements in the fields that would be subject to audit of not less than two years during the last three years.

In addition, each Subject Matter Expert is required to demonstrate suitable work experience of not less than three years in performing IT audits, developing or implementing web/ enterprise-grade applications, or Information Security.

An Innovative Technology Service Provider shall be granted a Certificate of Registration, having a unique number for purposes of identification and listing the class or classes of services that the Innovative Technology Service Provider has been registered to provide. Furthermore, the Certificate shall be posted in a specific location or on the website (if available).

The Systems Audit Control Objectives are designed to provide and assist the Systems Auditor with an audit framework in the field of Innovative Technology Arrangements. The Control Objectives are based on five key principles, namely:

• Security
• Processing Integrity
• Availability
• Confidentiality
• Protection of Personal Data.

The Authority is directing Systems Auditors to follow standards issued by the International Auditing Standards and Assurance Board in preparing the Systems Audit report.

Furthermore, the Systems Auditor Guidelines issued by the MDIA set out the required contents of a Systems Audit report.

A Systems Audit report is typically carried out when:

• An Innovative Technology Arrangement is in the process of applying to be certified by the Authority (Type 1 Systems Audit report); or
• Periodically during the operational lifetime of an Innovative Technology Arrangement (Type 2 Systems Audit report); or when deemed necessary or requested by the Authority, or other Lead Authority in Malta.

A Type 1 Systems Audit report assesses whether the description of the Innovative Technology Arrangement is fairly presented and whether controls are suitably designed to meet the applicable criteria (i.e. relates to new technology).

A Type 2 Systems Audit report contains the same opinions expressed in a Type 1 report and also includes an opinion on the operating effectiveness of the controls during the period covered by the audit (i.e. relates to technology that has already been audited).

Systems Auditors and Subject Matter Experts are expected to keep up to date on the subjects on which they perform Systems Audits. Furthermore, they would be required to demonstrate a minimum of 20 hours of Continuous Professional Education per annum.

Moreover, the Systems Auditor is required to be covered by a Professional Indemnity Insurance policy for an amount of not less than € 1,000,000.

A Subject Matter Expert is an individual who is assigned a specific technical role by the Systems Auditor based on his/ her expertise. A Subject Matter Expert may be an employee of the Systems Auditor or an employee of a sub-contracted entity.

The Authority expects the Systems Auditor to have a complement of at least two Subject Matter Experts. Furthermore, the Authority as part of the Systems Auditor registration process must recognise all Subject Matter Experts.

Yes.

Systems Auditors and Technical Administrators are collectively referred to as “Innovative Technology Service Providers”.

An Innovative Technology Service Provider may be an individual or a legal organisation whose place of residence is in Malta, the European Union, or the European Economic Area.

In order to register an Innovative Technology Service Provider, the Authority must be satisfied that the Applicant:

• Is fit and proper;
• Has the qualifications and, or experience which the Authority requires for registration; and
• Has sufficient technical resources or third party support and is in a position to comply with and observe any applicable innovative technology authorisation rules and regulations.

A Technical Administrator is a person who accepts to carry out specific functions relating to the operation, of the whole or a designated part, of an Innovative Technology Arrangement.

Any Innovative Technology Arrangement subject to certification by the MDIA must have a registered Technical Administrator in office at all times who is able to demonstrate to the MDIA, the Innovative Technology Arrangement’s ability to satisfy certain specific criteria, which include:

• All pre-requisites required for certification;
• The Innovative Technology Arrangement’s ability to meet standards on a continuing basis and to address critical matters; and
• The Innovative Technology Arrangement’s ability to vary parameters or functionalities.

However, the Authority acknowledges that, in specific Innovative Technology Arrangement implementations, the functionality to grant the Technical Administrator and the Authority, where applicable, power to intervene, as required in Article 8(4)(c)(iv) and Article 8(4)(d)(iii) of the ITAS Act, may not be technically feasible or justifiable. In this regard, when it is clearly justified as to why the implementation of such functionality cannot be achieved, the Authority reserves the right to vary the power to intervene. In doing so, subject to all other requirements being successfully met by the Applicant, the Authority may issue an Innovative Technology Arrangement certification that clearly states that the requirements of Article 8(4)(c)(iv) and Article 8(4)(d)(iii) of the ITAS Act are not being achieved. In addition, the Applicant shall be required to disclose such limitation to all users as part of the Terms of Service.

Yes.

When persons making an application for any form of recognition are not ordinarily resident in Malta.

The Resident Agent can be a natural or legal person who is habitually resident in Malta and has satisfied the Authority that he is capable of carrying out the functions stated in the legislation.

The Authority should be informed in the event that there are material changes in:

• Software on which assurance has been provided by a Systems Auditor;
• Rights of users;
• Rights, authorisation or powers of Technical Administrators;
• Technical Administrator/ Resident Agent;
• Administrator of a legal entity;
• Qualifying shareholders;
• Person with reference to whom a certification or a Certificate of Registration has been issued; and
• Subject Matter Experts.

Non-compliance with the requirements of the MDIA Act, including the failure:

1. to notify the authority of material changes; or
2. to submit such notifications within the stipulated timeframes shall give rise to the imposition of sanctions by the Authority, including the imposition of fines or penalties.

Further detail as to the quantum of fines is set out in the MDIA Act and in the Innovative Technology Arrangements and Services (Fees) Regulations.

An Administrator is an officer or any person who is appointed to carry out representative and fiduciary functions in the control and administration of a legal organisation. The Administrator may not be a Technical Administrator, a Resident Agent or a VFA agent.

The term ‘qualifying shareholder’ encapsulates any shareholder who:

• Owns or controls the Innovative Technology Arrangement;
• Holds more than 25% of the shares or ownership interests in the legal organisation; or
• Through provisions of the statute, has special voting or other rights permitting him to exercise effective control over the activities of the legal organisation.

The skills-set and qualifications that the Systems Auditor and Subject Matter Experts must collectively have will be assessed through a Competence Assessment consisting of a series of questions aimed at verifying their knowledge on the subject matter to be audited.

Additionally, Systems Auditor and Subject Matter Experts will be requested to meet the Authority to demonstrate their experience, qualifications and other information submitted in the Innovative Technology Service Provider application.

An Innovative Technology Service Provider shall be granted a Certificate of Registration, having a unique number for purposes of identification and listing the class or classes of services that the Innovative Technology Service Provider has been registered to provide. Furthermore, the Certificate shall be posted in a specific location or on the website (if available).

The application process is split in two stages:

• Stage 1, whereby the Authority will assess the Innovative Technology Arrangement’s capability to meet generic and specific requirements – the Applicant is liable to an initial processing fee; and
• Stage 2, whereby the Applicant (following receipt of the Letter of Intent by the Authority), engages a Systems Auditor to carry out Systems Audit on the Innovative Technology Arrangement – the Applicant is liable to submit the Systems Audit report to the MDIA against a fee.

Refer to the Innovative Technology Arrangements and Services (Fees) Regulations for further detail regarding fees.

Any person who desires to become registered as an Innovative Technology Service Provider may apply to the Authority by submitting a Service Provider Application Form and remitting the requisite fees. Processing fees may differ depending on the number of Subject Matter Experts the Systems Auditor nominates. Refer to the Innovative Technology Arrangements and Services (Fees) Regulations for further detail.

Following receipt of a complete application, the Authority will review and assess the information provided, review the documentation submitted, as well as, any additional documentation that the Authority may request, and carry out the necessary due diligence on the Applicant.

In the case of an application for certification of an Innovative Technology Arrangement, the MDIA will also assess whether the appointed Technical Administrator can fulfil its proposed role and rely on the Systems Auditor opinion to confirm that reasonable standards of the Innovative Technology Arrangement are met.

The Authority will indicate pending requirements to the Applicant. Processing of the application shall not commence prior to receipt of outstanding items. If pending items remain outstanding after one month from communication issued by the Authority without an explanation from the Applicant, the Authority will terminate the application process and inform the Applicant accordingly.

No.

Processing fees are non-refundable. However, in the event that an application is refused by the Authority, the Applicant enjoys the right of appeal.

Authorisation must remain valid and effective and should be renewed at least within the last 3 months of its duration but prior to expiry, by:

• Submitting the information assurances, declarations and other materials to confirm that the Applicant is still in compliance with the ITAS Act and the conditions of its authorisation;
• Carrying out the audits and reviews and obtaining the necessary declarations from the registered Systems Auditor and Technical Administrator (in the case of an Innovative Technology Arrangement only); and
• By paying the Authority the relevant fees. Refer to the Innovative Technology Arrangements and Services (Fees) Regulations for further detail.

The certification/ registration fee is payable following the MDIA’s certification of the Innovative Technology Arrangement or registration of the Innovative Technology Service Provider. The fee (payable in advance) covers the two-year certification/ registration term and would also become due at renewal stage. Refer to the Innovative Technology Arrangements and Services (Fees) Regulations for further detail.

The certification of an Innovative Technology Arrangement and registration of an Innovative Technology Service Provider are valid for a period of two years, after which an application may be submitted for renewal for a further term of two years.