On 14th May 2026, the Malta Business Registry officially launched the Malta Business Wallet, a new digital infrastructure aimed at reducing administrative burdens and streamlining due diligence processes. The initiative is supported by Legal Notice 151 of 2026, namely the Companies Act (Central Data Repository) Regulations, 2026 (the “CDR Regulations”), which establish the legal and operational framework within which the system operates. The initiative is intended to make the sharing of corporate and due diligence information quicker and more standardised.

In practical terms, the Malta Business Wallet is designed as a central data repository: a centralised platform through which businesses and their representatives may securely store and manage corporate and compliance documentation. Like the EU Inc. proposal, which is currently being discussed at EU level, it introduces a “once only” approach, enabling users to upload verified information once and reuse it across multiple interactions with authorities and regulated entities.

The CDR Regulations set out, in particular, the scope, governance and functionality of this central data repository. Under the CDR Regulations, “users” are the persons authorised to upload and manage data on the system. These include company officers, partners, legal representatives and other persons authorised to act on behalf of a body corporate, including subject persons acting for clients. By contrast, “relying parties” are those entitled to access such data, subject to user consent, and include competent authorities, anti-money laundering (AML) subject persons conducting due diligence, and other authorised entities. This reflects a model whereby data is centrally maintained by users and accessed by third parties for compliance purposes.

The CDR Regulations also set out the categories of data that may be uploaded, which broadly reflect standard due diligence documentation. These include identification documents (such as passports or identity cards), proof of residential address, details of service or correspondence addresses, and documentary evidence of authority or appointment where a person is acting on behalf of another. In addition, the Registrar may require the submission of further information where necessary, particularly for verification or compliance purposes. This dataset is therefore designed to align closely with typical KYC requirements across financial institutions and regulated service providers.

The CDR Regulations also address key operational aspects, including verification and authentication requirements, data retention periods (generally five years, extendable in certain cases), and the legal recognition of electronically stored documents as valid copies.

A central feature of the framework is the emphasis on selective disclosure, whereby users retain control over which parties may access their data and may grant, limit or revoke access at any time. At the same time, the regulations impose detailed data protection and governance safeguards, reflecting GDPR principles, including strict access controls, logging obligations and security requirements, with the Registrar acting as data controller and relying parties as independent controllers.

The platform also facilitates secure communication between users and relying parties and maintains logs of all access and disclosures. Documents uploaded and verified through the repository benefit from legal recognition as valid copies, notwithstanding their electronic form.

Use of the Malta Business Wallet and repository is voluntary, and the CDR Regulations expressly provide that it does not replace existing methods of information exchange or alter anti-money laundering obligations. Subject persons remain fully responsible for carrying out independent due diligence and cannot rely solely on repository data.

From a practical perspective, the Malta Business Wallet has the potential to reduce duplication in onboarding processes, improve data consistency and enhance efficiency, particularly for larger or more complex structures. Its overall impact, however, will depend on the extent of market adoption and how effectively it is incorporated into existing compliance processes.
