Malta Financial Services Authority warns payment and e-money institutions to strengthen client fund safeguarding and outsourcing controls under updated Rulebook

The Malta Financial Services Authority (MFSA) has warned Payment Institutions and Electronic Money Institutions to improve how they protect clients’ funds and manage outsourcing, following thematic reviews and updates to the Financial Institutions Rulebook that set out expected safeguarding methods and outsourcing practices. The reviews assessed compliance with obligations including the EBA Guidelines on Outsourcing Arrangements, the Digital Operations Resilience Act and the Financial Institutions Act (Safeguarding of Funds) Regulations. The MFSA reported weaknesses such as missing or late-developed safeguarding and outsourcing documentation, policies and procedures drafted only for the thematic reviews, inadequate ongoing reviews, misalignment of documentation with the applicable framework, and flawed pre-contractual assessments including instances of internal control functions being classified as not critical. It also identified conflicts of interest in outsourcing arrangements and stressed the need for stronger board oversight, clear governance and designated individuals to monitor adherence to the safeguarding and outsourcing requirements. Under the revised Rulebook, financial institutions must include safeguarding of clients’ funds in their yearly audit plan and provide for audit reviews of outsourcing arrangements. The MFSA indicated it will continue supervisory engagement through further meetings and onsite inspections.