According to the report, while the MFSA possesses a solid foundation of expertise and sufficient resources for supervising CASP applications, its latest authorization process fell short of expected standards.
The review committee found that the regulator granted approval despite outstanding material issues and an inadequate risk assessment. The report noted that these lapses raise questions about Malta’s commitment to ensuring full compliance with the MiCA framework.
The Peer Review Committee expressed concern that the MFSA failed to use the authorization phase to compel the unnamed CASP to resolve key shortcomings. ESMA emphasized that a more rigorous approach could have helped bring the entity fully in line with MiCA obligations before granting its license.
Malta remains one of the EU’s most active MiCA license issuers. Since MiCA’s enforcement began, the country has issued five CASP licenses, ranking just behind Germany and the Netherlands.
Considering this, the report urged national European regulators to strengthen their oversight during the CASP licensing process.
It emphasized the need for close scrutiny in several high-risk areas. These include business model sustainability, governance structures, potential conflicts of interest, intragroup relationships, ICT architecture, and the promotion of unregulated crypto services.
Beyond that, the financial regulator also flagged emerging sectors such as DeFi and Web3 for more careful evaluation.
It added:
“The PRC encourages NCAs to review, as part of the authorisation assessment, user interfaces and customer journeys to ensure that relevant risk warnings are clearly presented to users and that the overall customer experience is in line with MiCA requirements.”
