In July 2025, the European Securities and Markets Authority (ESMA) concluded an in-depth review of Malta’s approach to granting licenses under the Markets in Crypto-Assets (MiCA) framework. While Malta’s Financial Services Authority (MFSA) demonstrated solid capacity and expertise in crypto oversight, ESMA flagged significant procedural deficiencies.
Key Findings
-
Incomplete Risk Assessment
ESMA discovered that at least one crypto-asset service provider (CASP) received authorization despite existing unresolved issues. Concerns included material risks related to governance, internal IT systems, and anti-money laundering controls that hadn’t been fully addressed at the time of approval. -
Rushed Approval Procedures
The license review process was described as hurried and lacking thoroughness. ESMA emphasized that the MFSA failed to allow sufficient time to properly assess compliance with MiCA rules, potentially compromising cross-border regulatory consistency. -
Inconsistent Monitoring Practices
The scrutiny revealed that MFSA sometimes opted to handle outstanding problems after licensing, rather than resolving them beforehand. This post-approval monitoring approach was deemed inadequate by the EU regulator.
ESMA Recommendations
-
Pre-authorization Remediation
Address all critical red flags—like undisclosed business plans, conflict-of-interest structures, and IT vulnerabilities—before granting licenses, not retrospectively. -
Stronger Governance Oversight
Enhance scrutiny of firms’ internal control frameworks, board structures, and risk management strategies. -
Enhance IT and AML Resilience
Ensure robust cybersecurity and data integrity systems, alongside rigorous anti-money laundering measures. -
Heightened Cross-border Coordination
Promote better collaboration across EU regulators to prevent discrepancies in licensing standards and to ensure MiCA’s uniform application across member states. -
Protect Consumers from Unregulated Products
Tighten oversight over client-facing services—particularly DeFi-related offerings and custody solutions—to guard against misleading marketing or hidden risks.
MFSA’s Response and Next Steps
Despite the criticisms, the MFSA defended its record, stating that no existing MiCA license is at risk of revocation. It acknowledged ESMA’s feedback and reaffirmed its commitment to implementing enhancements by the end of September 2025.
Already a pioneer in the digital asset domain—having adopted crypto regulations back in 2018—Malta has issued several MiCA-based licenses since this year. Moving forward, the MFSA aims to incorporate ESMA’s recommendations to reinforce its regulatory reliability and uphold investor protection standards.
Bottom Line
ESMA’s peer review stresses that while Malta retains significant regulatory capabilities, its crypto licensing procedures need to become more rigorous and transparent. The emphasis is on validating all aspects of applications thoroughly—before licensing—instead of relying heavily on after-the-fact supervision. The MFSA is on track with reforms but has a tight schedule to align fully with EU expectations and maintain trust in Malta’s role as a leading crypto hub.
