Malta opens its FinTech 'regulatory sandbox'
Chris Hamblin, Editor, London, 5 August 2020
The operators of financial technology can now apply to test their innovations within the bounds of the Malta Financial Services Authority’s 'sandbox' for a specified period of time and under certain prescribed stipulations, making Malta the latest in a series of jurisdictions to relax its investor-protection rules under controlled conditions for the sake of experimentation in IT.
Michael Xuereb, the regulator's Chief Officer for Strategy, Policy and Innovation, welcomed the opening of the 'sandbox' and noted that “financial services start-ups and incumbents view the sandbox as a much-needed tool to help in the adoption of innovative solutions within their entities, in an orderly manner, whilst enabling them to offer value-added products and services to their customers.
“Furthermore, it will enable the MFSA to enhance its understanding of the ever-changing technological innovation and increase its technical know-how in order to enable the necessary policy-making for further growth of the financial services industry in a sustainable manner.”
Also on the subject of IT, the regulator wants its charges to exercise proper governance and control over their technological arrangements and their outsourcing, and to run effective cybersecurity regimes. Such regimes typically involve combinations of on-premises and cloud-based arrangements, and these are problematic for both regulators and the regulated, not least because they have increased the incidence of outsourced services that may be provided, virtually, from any location. This makes the MFSA nervous because certain aspects of outsourced activities may be unregulated - a bad thing inherently, in its eyes - and might frustrate its attempts to keep an eye on everything that financial firms are doing.
With this in mind, the MFSA is proposing to issue principles-based, cross-sectoral guidelines to govern technological arrangements, ICT (information and communications technology) and security risk management, and outsourcing arrangements. These are to apply equally to all financial firms. Comments must be in by Friday 28 August.
The principles are four in number.
- Proportionality. Governance arrangements ought to take into consideration the nature, scale and complexity of the technological arrangements of the firm in question, plus the risks that arise from them.
- "Principles-based consistency of outcomes." The regulator is keen not to favour one type of technology or service model over another, as long as firms are meeting their obligations to comply with its rules.
- Information assurance (IA) in technological arrangements. Communication and information systems must protect the data that they handle in transit and at rest and must only be accessible to authorised parties. Confidentiality (only authorised parties can access data), integrity (only authorised parties and software systems can modify it), availability (it must be accessible swiftly), authentication (the secure identification and verification of the identity of anyone who wants to see the data) and non-repudiation (the ability to correlate, with high certainty, a recorded action with its originating person, system, device or entity) are the watchwords here.
- Every firm should approach cloud computing in line with the global non-profit IT association ISACA's Guiding Principles for Cloud Computing Adoption and Use, clauses 2.4.2 to 2.4.7.