GVZH Advocates’ contribution to the 2017 International Comparative Legal Guide to Fintech Law in Malta. Contributors: Dr. Andrew Zammit & Dr. Michael Grech.
Read the full original report here. Contributors: Dr. Andrew Zammit & Dr. Michael Grech
The Fintech Landscape
Please describe the types of fintech businesses that are active in your jurisdiction and any notable fintech innovation trends within particular sub-sectors (e.g. payments, asset management, peer-to-peer lending or investment, insurance and blockchain applications).
Malta provides a very attractive environment for technology-based businesses having a European marketing strategy. The island has seen significant growth in the technological sector, including an exponential rise in fintech businesses, including both start-ups and more established businesses.
The predominant type of fintech businesses currently established in Malta are payment institutions (“PI/PSPs”) and electronic money institutions (“EMIs”), both of which are classified as “financial institutions”. Rolling spot forex and binary option models are also present, albeit to a lesser extent than PSPs and EMIs.
With the introduction of the PSD2 framework, it is expected that there will be an increase in the number of operators in the payment services space establish themselves in Malta.
Are there any types of fintech business that are at present prohibited or restricted in your jurisdiction?
Whilst no specific types of fintech businesses are prohibited in Malta, the Malta Financial Services Authority (“MFSA”) takes a prudent and conservative approach towards reviewing any applicants looking for a Malta licence, particularly those in the online forex and binary options space. The MFSA is also very prudent in its approach towards “pay-day loan” type offerings.
Funding For Fintech
Broadly, what types of funding are available for new and growing businesses in your jurisdiction (covering both equity and debt)?
Fintech businesses looking to set-up in Malta would typically have equity backing originating from outside Malta, primarily other EEA jurisdictions. Such financing usually takes the form of venture capital, loan capital or a combination of the two. Admittedly, debt financing is made available to more established business models having a track record, since such models have a trading history to present to the banking institutions from which they seek to raise finance. In the case of start-ups debt financing is a significantly more challenging route.
Employee Share Option Programmes (“ESOPs”) are also commonly used by start-up companies seeking to engage and retain talent in the early years of their operations, whilst keeping their salary bill lower on the basis of key employees’ future equity participation.
To date, there have not yet been any fintech businesses that have sought to raise capital through an equity or a bond listing in Malta.
Are there any special incentive schemes for investment in tech/fintech businesses, or in small/ medium-sized businesses more generally, in your jurisdiction, e.g. tax incentive schemes for enterprise investment or venture capital investment?
Malta provides a very attractive corporate tax environment for businesses establishing a presence on the island, and this has seen significant growth in the Maltese economy, particularly over the past seven years.
In addition to the corporate tax incentives, fintech businesses regulated by the MFSA may also attract top talent to Malta through the 15% personal tax rate that is granted to qualified expatriates working in key positions with fintech and other financial services operators in Malta, which is known as the Highly Qualified Persons programme. This measure, which applies both to EU and non-EU nationals, was introduced by the Maltese Government in 2011 to sustain the burgeoning financial services industry with the best skill and talent available on the wider international market.
Venture capital financing is not available in Malta and most entrepreneurs seeking to base their businesses in Malta invariable source financing for their business from outside Malta.
Other incentives targeted at research, development and innovation could also be availed of by qualifying fintech undertakings. These incentive schemes are administered by the Malta Enterprise which is the public corporation charged with attracting Foreign Direct Investment into Malta.
In brief, what conditions need to be satisfied for a business to IPO in your jurisdiction?
The requirements for an IPO in Malta can be stated as follows:
- Minimum three-year track record.
- Appointment of a sponsoring broker.
- Issuing of a Prospectus complying with EU Prospectus Directive.
- Shareholders’ funds less intangible assets must be of at least €585,000.
- Company must have a fully paid-up capital of at least €235,000.
- Expected aggregate market value of the securities forming the subject of the application must not be less €1,165,000 (not being Preference Shares).
- At least twenty-five percent (25%) of the listed class of shares shall be publicly held.
Have there been any notable exits (sale of business or IPO) by the founders of fintech businesses in your jurisdiction?
No, there have not.
Please briefly describe the regulatory framework(s) for fintech businesses operating in your jurisdiction, and the type of fintech activities that are regulated.
The Malta Financial Services Authority, also referred to as the MFSA, is the regulatory authority charged with the power to regulate, monitor and supervise all financial services in Malta. Fintech businesses are regulated by the general legal and regulatory provisions relating to credit institutions, financial institutions, investment services and insurance. All of these financial services activities have witnessed technological developments that have created innovative fintech business propositions although admittedly payment related services have seen the most innovation over recent years.
Malta’s financial services legislation is organised under service- or activity-specific statutes which focus on the nature of the service being provided by the relevant undertaking. One would therefore find laws such as the Banking Act, the Financial Institutions Act, the Investment Services Act and the Insurance Business Act. Therefore fintech activities would be regulated in the same way that the corresponding non-fintech businesses (that is more traditional bricks-and-mortar operations) would. There has, however, been significant focus on the part of the MFSA to introduce regulations, rules and policies which serve to address specific risks and concerns that are relevant for fintech models, revolving principally around security and technological standards.
Are financial regulators and policy-makers in your jurisdiction receptive to fintech innovation and technology-driven new entrants to regulated financial services markets, and if so how is this manifested?
The MFSA is receptive to fintech innovation and technology-driven financial services operators and takes up a very pro-active approach towards new entrants, dedicating the resources to meet with the promoters of fintech businesses, even prior to commencing the application process, in order to understand their proposed model and provide valuable preliminary feedback.
This approach of open dialogue and hands-on regulation has made Malta a very popular base for fintech businesses, particularly in the PSP and EMI space.
What, if any, regulatory hurdles must fintech businesses (or financial services businesses offering fintech products and services) which are established outside your jurisdiction overcome in order to access new customers in your jurisdiction?
Fintech businesses licensed in another EEA state may freely target and access new customers in Malta as long as they have undertaken the necessary regulatory notifications to provide cross-border services or to establish a branch in Malta. If a branch is established there is a registration requirement for that branch and also tax registration requirements.
Where, on the other hand, the fintech business is based outside of the EEA, the applicable regulatory framework would effectively prohibit any solicitation of customers based in Malta.
Other Regulatory Regimes / Non-Financial Regulation
Does your jurisdiction regulate the collection/use/ transmission of personal data, and if yes, what is the legal basis for such regulation and how does this apply to fintech businesses operating in your jurisdiction?
Yes, the Data Protection Act (Chapter 440 of the Laws of Malta) (“DPA”) and its subsidiary legislation provide for the protection of individuals against the violation of their privacy by the processing of personal data. The provisions of this statute implement the provisions of the EU’s Data Protection Directive.
The processing of data effectively refers to the processing (whether automated, mechanical, manual or otherwise) of a person’s data in a filing system, or in what is intended to form part of a filing system.
Do your data privacy laws apply to organisations established outside of your jurisdiction? Do your data privacy laws restrict international transfers of data?
Maltese Data Protection Law applies to:
- Data controllers established in Malta.
- Data controllers in a Maltese Embassy or High Commission outside Malta.
- Equipment used for processing and situated in Malta, even where the Controller is established outside the EU.
Please briefly describe the sanctions that apply for failing to comply with your data privacy laws.
Penalties for non-compliance with the Data Protection Act will depend on the level of breach. The provisions of the law specify which level of sanction should apply for specific types of breach.
The Courts of Malta may impose the following penalties:
- Level 1: Fine of between €120 and €600, imprisonment of not more than one month.
- Level 2: Fine of between €250 and €2,500, imprisonment of between one and three months.
- Level 3: Fine of between €2,500 and €23,300, imprisonment of between three and six months.
The Data Protection Commissioner may impose the following fines without recourse to a court hearing:
- Level 1: Fine of between €120 and €600, or a daily fine of between €20 and €60.
- Level 2: Fine of between €250 and €2,500, or a daily fine of between €25 and €250.
- Level 3: Fine of between €2,500 and €23,300, or a daily fine of between €250 and €2,500.
Does your jurisdiction have cyber security laws or regulations that may apply to fintech businesses operating in your jurisdiction?
Yes. Maltese laws dealing with various aspects of cybersecurity include the following:
- The Maltese Criminal Code does deal with cybercrime in a chapter entitled ‘Of Computer Misuse’;
- Processing of Personal Data (Electronic Communications Sector) Regulations (Subsidiary Legislation 440.01); and
- The Electronic Communications Networks and Services (General) Regulations (Subsidiary Legislation 399.28).Malta is also signatory to the Council of Europe Cybercrime Convention since 2001, which Convention was ratified in April 2012.
Please describe any AML and other financial crime requirements that may apply to fintech businesses in your jurisdiction.
Malta’s status as a full member of the EU and signatory to the main international multilateral treaties which tackle money laundering in the world’s financial markets. Although Malta is not a member of FATF, it does play an active role in Moneyval, or the Select Committee of Experts on the Evaluation of Anti-Money Laundering Measures.
Malta’s prevention of the money laundering regime is contained in two pieces of legislation, namely the Prevention of Money Laundering Act (“PMLA”) and the Prevention of Money Laundering and Funding of Terrorism Regulations (“PMLFTR”). The PMLA establishes the foundations for the legal framework by introducing basic legal definitions, laying down the procedures for the investigation and prosecution of money laundering offences, and establishing the Financial Intelligence Analysis Unit, whilst the regulations provide the substantive provisions relating to the offences, and clarify the systems and procedures to be adopted by subject persons in the course of their business activities.
Are there any other regulatory regimes that may apply to fintech businesses operating in your jurisdiction?
The Electronic Commerce Directive (Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the internal market), which is transposed into Maltese law by virtue of the Electronic Commerce Act (Chapter 426 of the laws of Malta) and the Electronic Commerce (General) Regulation are relevant for fintech businesses operating from Malta. These rules are relevant insofar as they define what constitutes an “Information Society Service” and provide a framework for such services to be conducted.
In broad terms, what is the legal framework around the hiring and dismissal of staff in your jurisdiction? Are there any particularly onerous requirements or restrictions that are frequently encountered by businesses?
Employment law draws heavily on Anglo-Saxon law and practice, providing an extremely balanced framework for employers. Whilst employees are provided with all the protection one would expect within the European Union, businesses are able to dismiss employees on the basis of just and sufficient cause or on the basis of redundancy without liability.
Social security contributions in Malta are reasonable and payroll formalities uncomplicated. Besides, the Highly Qualified Persons tax programme offers key expat fintech personnel with a competitive 15% personal income tax rate on their employment income. This programme has attracted significant talent to Malta, including within the fintech sector.
Unemployment in Malta is extremely low, requiring the labour market to be supplemented by EU and non-EU nationals that have moved to the island seeking various opportunities, including in the financial services industry, which is estimated to contribute in excess of 20% to Malta’s GDP. Finding experienced fintech professionals could prove to be difficult given the limited size of the labour market (Malta has a population of approx. 420,000). However, the Maltese labour force is educated, loyal and ambitious, with a university population of over 10,000 students. This provides fintech operators with the opportunity of training staff and providing them with on- the-job training.
What, if any, mandatory employment benefits must be provided to staff?
Employees are not granted any significant mandatory benefits by Maltese law.
What, if any, hurdles must businesses overcome to bring employees from outside your jurisdiction into your jurisdiction? Is there a special route for obtaining permission for individuals who wish to work for fintech businesses?
Any EEA citizens may freely establish themselves and work in Malta without any material formalities besides usual tax and social security registration and a notification procedure intended for statistical purposes. Citizens of other countries are required to apply for a work permit on the basis of a formal job offer. The granting of such a work permit will depend largely on the skills of the individual concerned and the industry in which he/she is seeking to be employed.
With Malta’s shortfall of personnel having both skill and experience in the fintech sector, obtaining a work permit for a suitably qualified individual should not be difficulty, although such permits can involve a waiting time of up to 90 days until approved.
Please briefly describe how innovations and inventions are protected in your jurisdiction.
Any innovations and inventions that would qualify for protection can be protected locally depending on the nature of the particular innovation and invention. Indeed, the European intellectual property framework has been transposed into local law and provides ample protection for any patents, trademarks, industrial designs and copyright in the widest sense.
Please briefly describe how ownership of IP operates in your jurisdiction.
Maltese law provides for specific protection for all aspects of IP, and this is in the form of specific statutes regulating each individual area of IP. Accordingly, in the case of trademarks, patents and designs, protection may be sought pursuant to registration of the IP with the Maltese or European intellectual property office, whilst copyright would enjoy automatic protection in terms of the local
Copyright Act without the need to pursue any formal registration in its regard. In addition to the foregoing, the Maltese Commercial Code also provides specific protection in respect of trademarks against unlawful competition.
In order to protect or enforce IP rights in your jurisdiction, do you need to own local/national rights or are you able to enforce other rights (for example, do any treaties or multi-jurisdictional rights apply)?
In addition to local/national rights, one would be able to enforce any European Union rights, registered with the competent supranational authorities, as well as any rights that are considered to be famous and well-known in terms of Article 6bis of the Paris Convention.
How do you exploit/monetise IP in your jurisdiction and are there any particular rules or restrictions regarding such exploitation/monetisation?
There are no restrictions to the exploitation or monetisation of IP rights provided that such practices are in-keeping with the general Maltese legal framework and Maltese mandatory public policy rules.
For further information about how GVZH Advocates can help you with your Fintech enquiries, kindly contact us on firstname.lastname@example.org.