How we can help?

MFSA issued the proposed rules (Chapter 2) for ICO issuers, with the consultation on this rules closing on the 13th August. The highlights from the detailed rules for ICO Issuers are mentioned below.

In determining whether a DLT asset qualifies as a Virtual Financial Asset, an Issuer of a DLT asset shall, prior to offering such DLT asset to the public in or from within Malta, or applying for its admission on a DLT exchange, undertake the Financial Instrument Test (as per Guidance Note on Financial Instrument test) , which shall be signed by its Board of administration, and endorsed by its VFA Agent.

An Issuer shall appoint and have at all times in place: a Systems Auditor; a VFA Agent; an Auditor; a Money Laundering Reporting Officer (‘MLRO’);

The Issuer shall require its Systems Auditor to prepare on an annual basis a systems audit report on its Technology Arrangement’s compliance with any qualitative standards set and guidelines issued by the Malta Digital Innovation Authority (‘MDIA’). The Issuer shall ensure that it’s Systems Auditor, prior to the commencement of the offering of the Virtual Financial Assets, has prepared a report which covers all aspects of its Technology Arrangement/s.

The Issuer shall ensure that all communications, meetings, notifications and/or submissions to the MFSA are made through its VFA Agent. The Issuer shall provide written confirmations to the VFA Agent that its Board of Administration has established procedures which provide a reasonable basis for the said Board to make proper judgements as to the prospects and, where applicable, the financial position of the Issuer and, also where applicable, as provided investors with a roadmap which clearly establishes and sets out milestones for the Initial Virtual Financial Assets Offering (ICO) and  any profit forecast or estimates have been made after due and careful analysis andthat financial information presented in any document published by it has been properly extracted from its accounting records.

The Issuer shall obtain from its Auditor a signed letter of engagement defining clearly the extent of the Auditor's responsibilities and the terms of his appointment. The Issuer shall confirm in writing to its Auditor its agreement to the terms in the letter of engagement. In respect of each annual accounting period, the Issuer shall require its Auditor to prepare a management letter in accordance with International Standards on Auditing.

The Issuer shall appoint and have at all times in place an MLRO. The role of the MLRO is an onerous one and the Issuer shall ensure that it is only accepted by individuals who fully understand the extent of responsibilities attached to the role. The Issuer shall ensure that the MLRO is a senior employee of the Issuer or a member of the Board of Administration.

An Issuer shall establish a ‘Cyber-Security Framework’ which shall include Information and data security roles and responsibilities; Access management policy; Sensitive data management policy; Threats management policy; Business continuity plan; Response and recovery plan; and Security education and training.

The Issuer shall ascertain that its I.T. infrastructure ensures the integrity and security of any data stored therein; availability, traceability and accessibility of data; and privacy and confidentiality and is in line with the provisions of the GDPR. The Issuer shall ensure that its I.T. infrastructure is located in Malta, and/or any EEA member state and/or any other third country jurisdiction wherein the Authority is satisfied that above mentioned  requirements be satisfied,. Provided that where the Issuer’s I.T. infrastructure is not located in Malta, or is located in a cloud environment, the Issuer shall ensure that data is replicated real time by virtue of a live replication server located in Malta.

No Issuer shall offer a Virtual Financial Assets to the public in or from within Malta or apply for their admission to trading on a DLT exchange unless such Issuer draws up a whitepaper which complies with the requirements of the VFA Act (Schedule 1) and has this whitepaper registered with the MFSA in accordance with the VFA Act.

An Issuer wishing to undertake any ICO or/and have a the DLT issued admitted for trading on any VFA exchange  shall submit, through its VFA Agent, the following documents to the MFSA:


  • the whitepaper and any supplementary documentation, duly signed by its Board of Administration;


(b)  a copy of the Financial Instrument Test, duly signed by its Board of Administration and

endorsed by its appointed VFA Agent;

(c)   a confirmation from its Systems Auditor that the Issuer’s Technology Arrangement/s complies with any qualitative standards set and guidelines issued by the MDIA applicable to the particular type of arrangement (irrespective of whether the said arrangement holds a certification or a ruling of eligibility under the Innovative Technology Arrangements and Services Act)

(d)  one (1) copy of the Issuer’s audited Annual Accounts for each of the last three years.

Where the Issuer forms part of a Group of which the Issuer is a member, the consolidated accounts of the Group of which the Issuer is a member for each of the last three (3) financial years prepared in accordance with either Generally Accepted Accounting Principles or Practice or with equivalent standards. Provided that where an Issuer and/or Group has/have been established for a period of less than three (3) years, the documents mentioned above shall be required for such shorter period that the said person(s) has/have been established.

(e) a certified copy of its Constitutional Document/s;


The whitepaper shall convey factual information about a business in words and figures, and shall serve as a source of information about the Issuer and its proposed activities. The whitepaper shall be dated, contain all the information stipulated in the First Schedule to the Act, be signed by the Issuer’s Board of Administration and include a statement by the Issuer’s Board of Administration that the whitepaper complies with the requirements under the Act, the relevant regulations and these Rules.

Where a smart contract is deployed, the Issuer shall ensure that the elements of a whitepaper are coded within the respective smart contract. This shall, where applicable, include inter alia coding for Transfer limitations; Soft cap and hard cap; Refund mechanisms; Dispute resolutions; Besting schedules; and Burning protocols.

In conclusion, one can see that the duties and requirements by the Rules are quite detailed and extensive in regards ICO issuers. Thus, it is highly advisable that ICO issuers intending to launch ICOs in Malta get prepared and well acquainted with these Rules. EMCS has been following the DLT regulation and is well positioned to advise you on this matter.

These rules are still under consultation and any changes can occur.


Job Reference: 2024JAA06 We are looking to expand our dynamic team of professionals within our...