Malta opens its FinTech 'regulatory sandbox'

Chris Hamblin

5 August 2020

Michael Xuereb, the regulator's Chief Officer for Strategy, Policy and Innovation, welcomed the opening of the 'sandbox' and noted that “financial services start-ups and incumbents view the sandbox as a much-needed tool to help in the adoption of innovative solutions within their entities, in an orderly manner, whilst enabling them to offer value-added products and services to their customers.

"Furthermore, it will enable the MFSA to enhance its understanding of the ever-changing technological innovation and increase its technical know-how in order to enable the necessary policy-making for further growth of the financial services industry in a sustainable manner.”

Also on the subject of IT, the regulator wants its charges to exercise proper governance and control over their technological arrangements and their outsourcing and to run effective cybersecurity regimes. Such regimes typically involve combinations of on-premise and cloud-based arrangements and these are problematic for both regulators and the regulated, not least because they have increased the incidence of outsourced services which may be provided, virtually, from any location. This makes the MFSA nervous because certain aspects of outsourced activities may be unregulated - a bad thing inherently, in its eyes - and might frustrate its attempts to keep an eye on all the things that financial firms are doing.

With this in mind, the MFSA is proposing to issue principle-based cross-sectoral guidelines to govern technological arrangements, ICT (information and communications technology) and security risk management and outsourcing arrangements. These are to apply equally to all financial firms. Comments must be in by Friday 28 August.

The principles are four in number.

Proportionality. Governance arrangements ought to take into consideration the nature, scale and complexity of the technological arrangements of the firm in question, plus the risks that arise from them.
"Principles-based consistency of outcomes." The regulator is keen not to favour one type of technology or service model over another, as long as firms are meeting their obligations to comply with its rules.
Information assurance (IA) in technological arrangements. Communication and information systems must protect the data that they handle in transit and at rest and must only be accessible to authorised parties. Confidentiality (only authorised parties can access data), integrity (only authorised parties and software systems can modify it), availability (it must be accessible swiftly), authentication (the secure identification and verification of the identity of anyone who wants to see the data) and non-repudiation (the ability to correlate, with high certainty, a recorded action with its originating person, system, device or entity) are the watchwords here.
Every firm should approach cloud computing in line with the global non-profit IT association ISACA's Guiding Principles for Cloud Computing Adoption and Use, clauses 2.4.2 to 2.4.7.