Section 1. A new Regulatory Framework

Q: Why is Malta creating a new regulatory framework for Innovative Technology Arrangements?

A: Malta has established a new regulatory framework centring around the use of Innovative Technology Arrangements capturing Distributed Ledger Technology (“DLT”) platforms and Blockchain technology, with the primary aim of providing transparency and legal certainty. The legislation aims to instil peace of mind and certainty, as society places more trust in innovative technology. Furthermore, this regulatory framework positions Malta at the forefront of technological business opportunities, as it creates a sound platform for innovators.

Q: What does the new regulatory framework comprise?

A: The new regulatory framework enacted on 4 July 2018 comprises three Acts:

  • the Malta Digital Innovation Authority Act (the “MDIA” Act), which oversees the setup of the MDIA as the lead Authority in the innovation technology sector;
  • the Innovative Technology Arrangement and Services Act (the “ITAS” Act), which regulates Innovative Technology Arrangements and Services, such as the software and coding used in DLT, smart contract and related applications, together with the technical administration and review services; and
  • the Virtual Financial Assets Act (the “VFA” Act), which regulates Initial Virtual Financial Assets Offerings and delineates their licensing requirements.

Q: What is the purpose of the MDIA Act?

A: The MDIA Act provides for the establishment of the MDIA, the Authority that will regulate innovative technologies, and introduces a new level of communication between national competent authorities. The MDIA complements other national competent authorities.

It is the purpose of the Authority to address the development in Malta of all Innovative Technology Arrangements and Innovative Technology Services, whilst exercising supervisory and regulatory functions in these fields.

Q: What is the purpose of the MDIA and what functions will it have?

A: The Authority aims to foster safer usage of innovative technology and thus more adoption, whilst at the same time increasing the prospects for investment in innovative technology.

The Authority addresses the development of all Innovative Technology Arrangements and Services in Malta in order to achieve its principles and objectives and exercises its supervisory and certification functions thereon.

In particular, the MDIA Act establishes the MDIA as a new competent authority to (inter alia):

  • exercise regulatory functions regarding Innovative Technology Arrangements and related services;
  • support the development and implementation of the guiding principles described in the MDIA Act; and

establish minimum quality, compliance and security standards for any Innovative Technology Arrangements and related services.

Q: What are the objectives of the MDIA?

A: The various objectives of the MDIA include, but are not limited to the following:

  • to harmonise practices and to facilitate the adoption of standards on Innovative Technology Arrangements in Malta in line with international norms, standards, rules and/ or laws;
  • to promote, enforce ethical and legitimate criteria in the design and use of Innovative Technology Arrangements and any application, software or derivative product from it;
  • to promote transparency and auditability in the use of Innovative Technology Arrangements, and any application software, or derivative product from it;
  • to promote legal certainty in the application and cross-border context, and the development of appropriate legal principles for the effective application of law to Innovative Technology Arrangements; and
  • to increase protection to users of Innovative Technology Arrangements, through high standards and guidelines.

Q: What falls within the scope of recognition by the MDIA?

A: The MDIA may extend recognition to the following:

  • Innovative Technology Arrangements, provided these opt for voluntary certification;
  • Systems Auditors and their nominated Subject Matter Experts;
  • Technical Administrators (who carry out specific functions related to the operation of an Innovative Technology Arrangement); and
  • Resident Agents (habitually resident in Malta and act on behalf of a person who is not resident in Malta and applying for certification/ registration).

Q: What is the purpose of the ITAS Act?

A: The purpose of the ITAS Act revolves around recognition and authorisation, investigation and enforcement of Innovative Technology Arrangements and Innovative Technology Service Providers by the MDIA.

Q: What is a DLT Asset?

A: A DLT Asset is defined in the Virtual Financial Assets (“VFA”) Act as:

  1. a virtual token (as defined in the VFA Act);
  2. a virtual financial asset (as defined in the VFA Act);
  3. electronic money (as defined in the Third Schedule to the Financial Institutions Act); or
  4. a financial instrument (as defined in the Second Schedule to the Investment Services Act) that is intrinsically dependent on, or utilises, DLT.

Section 2. Innovative Technology Arrangements

Q: What is an innovative technology arrangement?

A: The following are considered to be Innovative Technology Arrangements:

  • software and architectures which are used in designing and delivering DLT, subject to specified conditions, including the use of distributed, decentralised, shared and, or replicated ledger; being permissioned or permissionless or hybrids thereof; protection with cryptography; and auditability;
  • smart contracts and related applications, including decentralised autonomous organisations, as well as other similar arrangements; and

any other Innovative Technology Arrangement that in the future may be designated by the Minister, on the recommendation of the Authority.

Q: What are the general principles that an Innovative Technology Arrangement is required to meet?

A: The general requirements of an Innovative Technology Arrangement are intended to meet the standards of legality, integrity, transparency, compliance and accountability. These shall be assessed by the Authority based on its own reviews of all persons involved, all documentation available and the software it may access as would any user thereof.

Q: What falls outside the scope of the MDIA ?

A: Applications received by the Authority for certification of Innovative Technology Arrangements, which are deemed to be related to licensable activities by other lead authorities e.g. the Malta Financial Services Authority, the Malta Gaming Authority etc., fall outside the remit of the MDIA.

Q: What are the features of a Certificate issued by the MDIA to an Innovative Technology Arrangement?

A: An Innovative Technology Arrangement shall be granted a Certificate, having a unique number for purposes of identification and stating details of how the Innovative Technology Arrangement is identified.

The Certificate shall be posted in a specific location which shall be notified to the Authority.

Q: What are the benefits of having an Innovative Technology Arrangement certified by the Authority?

A: Obtaining certification of an Innovative Technology Arrangement from the Authority will instil confidence that the Innovative Technology Arrangement functions as intended.

Q: What is meant by the term ‘blueprint’ ?

A: ‘Blueprint’ is defined in the MDIA Innovative Technology Arrangement Guidelines as a document that sets out a description of the qualities, attributes, features, behaviours or aspects of an Innovative Technology Arrangement.

Each Applicant must ensure that the Innovative Technology Arrangement is implemented in line with the Blueprint submitted to the Authority, as this document will serve as the basis for the Systems Audit carried out as part of Stage 2 of the application process.

Section 3. Systems Auditors, Subject Matter Experts and Systems Audit Reports

Q: What is the role of the Systems Auditor ?

A: Systems Auditor is a person who is engaged on a commercial basis by the Applicant to review and, or audit Innovative Technology Arrangements and smart contracts or parts thereof. A Systems Auditor may not necessarily be an accountant or auditor with a practising certificate under the Accountancy Profession Act.

The Systems Auditor will be responsible for the final deliverable of the systems audit (prepared in conjunction with nominated Subject Matter Experts) and to conduct a quality-based assignment focusing on professional ethics. Systems Auditors and their nominated Subject Matter Experts will be required to demonstrate their key competencies and suitable expertise to the MDIA.

Q: What qualifications or attribute must a Systems Auditor have?

A: A Systems Auditor (in the case of an individual), and the Subject Matter Experts, must, in aggregate, meet all of the following criteria:

  • Hold a qualification in ICT and/ or Information Security at MQF level 6 or higher;
  • Hold a certification in IT Audit or IT Risk or Security Management;
  • Have experience in carrying out audits and reporting based on audit established standards; and
  • Have suitable experience in Innovative Technology Arrangements in the fields that would be subject to audit of not less than two years during the last three years.

In addition, each Subject Matter Expert is required to demonstrate suitable work experience of not less than three years in performing IT audits, developing or implementing web/ enterprise-grade applications, or Information Security.

Q: What are the features of a Certificate of Registration issued by the MDIA?

A: An Innovative Technology Service Provider shall be granted a Certificate of Registration, having a unique number for purposes of identification and listing the class or classes of services that the Innovative Technology Service Provider has been registered to provide. Furthermore, the Certificate shall be posted in a specific location or on the website (if available).

Q: What are Systems Audit Control Objectives ?

A: The Systems Audit Control Objectives are designed to provide and assist the Systems Auditor with an audit framework in the field of Innovative Technology Arrangements. The Control Objectives are based on five key principles, namely: security, processing integrity, availability, confidentiality and protection of personal data.

Q: What is a Systems Audit Report ?

A: The Authority is directing Systems Auditors to follow standards issued by the International Auditing Standards and Assurance Board in preparing the Systems Audit report. Furthermore, the Systems Auditor Guidelines issued by the MDIA set out the required contents of a Systems Audit report.

Q: When should a Systems Audit Report be submitted to the MDIA ?

A: A Systems Audit report is typically carried out when:

  • an Innovative Technology Arrangement is in the process of applying to be certified by the Authority (Type 1 Systems Audit report); or
  • periodically during the operational lifetime of an Innovative Technology Arrangement (Type 2 Systems Audit report); or when deemed necessary or requested by the Authority, or other Lead Authority in Malta.

Q: What is the difference between a Type 1 and a Type 2 Systems Audit Report ?

A:  A Type 1 Systems Audit report assesses whether the description of the Innovative Technology Arrangement is fairly presented and whether controls are suitably designed to meet the applicable criteria (i.e. relates to new technology).

A Type 2 Systems Audit report contains the same opinions expressed in a Type 1 report and also includes an opinion on the operating effectiveness of the controls during the period covered by the audit (i.e. relates to technology that has already been audited).

Q: What continued obligations do Systems Auditors and Subject Matter Experts have?

A: Systems Auditors and Subject Matter Experts are expected to keep up to date on the subjects on which they perform Systems Audits. Furthermore, they would be required to demonstrate a minimum of 20 hours of Continuous Professional Education per annum.

Moreover, the Systems Auditor is required to be covered by a Professional Indemnity Insurance policy for an amount of not less than Euro 1,000,000.

Q: What is a Subject Matter Expert ?

A: A Subject Matter Expert is an individual who is assigned a specific technical role by the Systems Auditor based on his/ her expertise. A Subject Matter Expert may be an employee of the Systems Auditor or an employee of a sub-contracted entity.

The Authority expects the Systems Auditor to have a complement of at least two Subject Matter Experts. Furthermore, the Authority as part of the Systems Auditor registration process must recognise all Subject Matter Experts.

Q: Can a Subject Matter Expert be affiliated with more than one Systems Auditor?

A: Yes.

Section 4. Technical Administrator, Resident Agent and Other Questions

Q: What is meant by the term ‘Innovative Technology Service’?

A: The following are considered to be Innovative Technology Services:

  • The review of Innovative Technology Arrangements provided by Systems Auditors; and
  • The technical administration services with reference to Innovative Technology Arrangements provided by Technical Administrators.

Q: Who is eligible to apply for registration as an Innovative Technology Service Provider?

A: Systems Auditors and Technical Administrators are collectively referred to as “Innovative Technology Service Providers”.

An Innovative Technology Service Provider may be an individual or a legal organisation whose place of residence is in Malta, the European Union, or the European Economic Area.

In order to register an Innovative Technology Service Provider, the Authority must be satisfied that the Applicant:

  • is fit and proper;
  • has the qualifications and, or experience which the Authority requires for registration; and
  • has sufficient technical resources or third party support and is in a position to comply with and observe any applicable innovative technology authorisation rules and regulations

Q: What is the role of a Technical Administrator ? 

A: A Technical Administrator is a person who accepts to carry out specific functions relating to the operation, of the whole or a designated part, of an Innovative Technology Arrangement.

Any Innovative Technology Arrangement subject to certification by the MDIA must have a registered Technical Administrator in office at all times who is able to demonstrate to the MDIA, the Innovative Technology Arrangement’s ability to satisfy certain specific criteria, which include:

  • all pre-requisites required for certification;
  • the Innovative Technology Arrangement’s ability to meet standards on a continuing basis and to address critical matters; and
  • the Innovative Technology Arrangement’s ability to vary parameters or functionalities.

However, the Authority acknowledges that, in specific Innovative Technology Arrangement implementations, the functionality to grant the Technical Administrator and the Authority, where applicable, power to intervene, as required in Article 8(4)(c)(iv) and Article 8(4)(d)(iii) of the ITAS Act, may not be technically feasible or justifiable. In this regard, when it is clearly justified as to why the implementation of such functionality cannot be achieved, the Authority reserves the right to vary the power to intervene. In doing so, subject to all other requirements being successfully met by the Applicant, the Authority may issue an Innovative Technology Arrangement certification that clearly states that the requirements of Article 8(4)(c)(iv) and Article 8(4)(d)(iii) of the ITAS Act are not being achieved. In addition, the Applicant shall be required to disclose such limitation to all users as part of the Terms of Service.

Q: Can a Technical Administrator act for more than one Innovative Technology Arrangement?

A: Yes.

Q: When is a Resident Agent required to be appointed?

A: When persons making an application for any form of recognition are not ordinarily resident in Malta. The Resident Agent can be a natural or legal person who is habitually resident in Malta and has satisfied the Authority that he is capable of carrying out the functions stated in the legislation.

Q: What are the functions of the Resident Agent?

A: On behalf of the Innovative Technology Arrangement, the Resident Agent will:

  • act as the channel of communication between the technology authorisation holder and the Authority/ other national competent authorities;
  • sign and file with the Authority and other Maltese government departments and authorities all declarations and forms required in terms of Maltese law; and
  • act as the judicial representative of the innovative technology authorisation holder for judicial proceedings in Malta.

Q: When is the Authority required to be notified of a material change? 

A:  The Authority should be informed in the event that there are material changes in:

  • Software on which assurance has been provided by a Systems Auditor;
  • Rights of users;
  • Rights, authorisation or powers of Technical Administrators;
  • Technical Administrator/ Resident Agent;
  • Administrator of a legal entity;
  • Qualifying shareholders;
  • Person with reference to whom a certification or a Certificate of Registration has been issued; and
  • Subject Matter Experts.

Q: What can give rise to sanctions by the MDIA?

A: Non-compliance with the requirements of the MDIA Act, including the failure:

  1. to notify the authority of material changes; or
  2. to submit such notifications within the stipulated timeframes shall give rise to the imposition of sanctions by the Authority, including the imposition of fines or penalties.

Further detail as to the quantum of fines is set out in the MDIA Act and in the Innovative Technology Arrangements and Services (Fees) Regulations.

Q: What is the role of the Administrator ? 

A: An Administrator is an officer or any person who is appointed to carry out representative and fiduciary functions in the control and administration of a legal organisation. The Administrator may not be a Technical Administrator, a Resident Agent or a VFA agent.

Q: Who is designated as a qualifying shareholder in the ITAS Act?

A: The term ‘qualifying shareholder’ encapsulates any shareholder who:

  • owns or controls the Innovative Technology Arrangement;
  • holds more than 25% of the shares or ownership interests in the legal organisation; or
  • through provisions of the statute, has special voting or other rights permitting him to exercise effective control over the activities of the legal organisation.

Q: How will Systems Auditor and Subject Matter Expert key competencies be assessed?

A: The skills-set and qualifications that the Systems Auditor and Subject Matter Experts must collectively have will be assessed through a Competence Assessment consisting of a series of questions aimed at verifying their knowledge on the subject matter to be audited.

Additionally, Systems Auditor and Subject Matter Experts will be requested to meet the Authority to demonstrate their experience, qualifications and other information submitted in the Innovative Technology Service Provider application.

Q: What are the features of a Certificate of Registration issued by the MDIA?

A: An Innovative Technology Service Provider shall be granted a Certificate of Registration, having a unique number for purposes of identification and listing the class or classes of services that the Innovative Technology Service Provider has been registered to provide. Furthermore, the Certificate shall be posted in a specific location or on the website (if available).

Section 5. Administrative Procedures and Fees

Q: How to apply for certification of an Innovative Technology Arrangement?

A: Any person who desires to obtain certification for an Innovative Technology Arrangement may apply to the Authority by submitting the relevant prescribed forms and fees. Refer to the Innovative Technology Arrangements and Services (Fees) Regulations for further detail.

Q: Who is eligible to apply for registration as an Innovative Technology Service Provider?

A: The application process is split in two stages:

  • Stage 1, whereby the Authority will assess the Innovative Technology Arrangement’s capability to meet generic and specific requirements – the Applicant is liable to an initial processing fee; and
  • Stage 2, whereby the Applicant (following receipt of the Letter of Intent by the Authority), engages a Systems Auditor to carry out Systems Audit on the Innovative Technology Arrangement – the Applicant is liable to submit the Systems Audit report to the MDIA against a fee.

Refer to the Innovative Technology Arrangements and Services (Fees) Regulations for further detail regarding fees.

Q: How to apply for registration of an Innovative Technology Service Provider?

A: Any person who desires to become registered as an Innovative Technology Service Provider may apply to the Authority by submitting a Service Provider Application Form and remitting the requisite fees. Processing fees may differ depending on the number of Subject Matter Experts the Systems Auditor nominates. Refer to the Innovative Technology Arrangements and Services (Fees) Regulations for further detail.

Q: How are applications processed by the Authority?

A: Following receipt of a complete application, the Authority will review and assess the information provided, review the documentation submitted, as well as, any additional documentation that the Authority may request, and carry out the necessary due diligence on the Applicant.

In the case of an application for certification of an Innovative Technology Arrangement, the MDIA will also assess whether the appointed Technical Administrator can fulfil its proposed role and rely on the Systems Auditor opinion to confirm that reasonable standards of the Innovative Technology Arrangement are met.

Q: What happens in the event that an application is incomplete?

A: The Authority will indicate pending requirements to the Applicant. Processing of the application shall not commence prior to receipt of outstanding items. If pending items remain outstanding after one month from communication issued by the Authority without an explanation from the Applicant, the Authority will terminate the application process and inform the Applicant accordingly.

Q: Will a separate processing fee be required when submitting additional documentation to the MDIA?

A: No.

Q: What happens in the event that the application process is terminated?

A:  Processing fees are non-refundable. However, in the event that an application is refused by the Authority, the Applicant enjoys the right of appeal.

Q: What is the process for renewal of certification/ registration of an Innovative Technology Arrangement/ Innovative Technology Service Provider?

A: Authorisation must remain valid and effective and should be renewed at least within the last 3 months of its duration but prior to expiry, by:

  • submitting the information assurances, declarations and other materials to confirm that the Applicant is still in compliance with the ITAS Act and the conditions of its authorisation;
  • carrying out the audits and reviews and obtaining the necessary declarations from the registered Systems Auditor and Technical Administrator (in the case of an Innovative Technology Arrangement only); and
  • by paying the Authority the relevant fees. Refer to the Innovative Technology Arrangements and Services (Fees) Regulations for further detail.

Q: What is the certification/ registration fee and when is it due ?

A: The certification/ registration fee is payable following the MDIA’s certification of the Innovative Technology Arrangement or registration of the Innovative Technology Service Provider. The fee (payable in advance) covers the two-year certification/ registration term and would also become due at renewal stage. Refer to the Innovative Technology Arrangements and Services (Fees) Regulations for further detail.

Q:What is the term of validity of certification/ registration?

A: The certification of an Innovative Technology Arrangement and registration of an Innovative Technology Service Provider are valid for a period of two years, after which an application may be submitted for renewal for a further term of two years.