MFSA amendments to FIR/02 and FIR/03: Participation in payment systems and DORA alignment

The Malta Financial Services Authority (“MFSA”) has revised Chapter 2 of the Financial Institutions Rulebook (“FIR/02”) and Chapter 3 of the Financial Institutions Rulebook (“FIR/03”) to reflect recent regulatory developments at European level. These updates, published on 28 May 2025 and announced by way of an MFSA circular, are intended to:

  1. implement the changes made to Directive (EU) 2015/2366 (the “PSD2”) by Regulation (EU) 2024/886 (the “Instant Payments Regulation”) in relation to participation in designated payment systems; and
  2. further align the financial institutions regulatory framework with Regulation (EU) 2022/2554 (the “DORA Regulation”) and the updated Guidelines on ICT and Security Risk Management (EBA/GL/2025/02) issued by the European Banking Authority (the “EBA”).

a. FIR/03 amendments on financial institutions’ participation in payment systems

In transposing Article 35a of the PSD2, which was inserted into the PSD2 by the Instant Payments Regulation published in the Official Journal of the EU in March 2024, the amendments to FIR/03 introduce a new section under Rule R3-3.6 setting out the regulatory requirements and expectations for licence holders requesting participation in a designated payment system.

The newly inserted provisions require that, in requesting participation and when participating in a payment system, licence holders must have in place:

  (i) a description of the measures taken for the safeguarding of clients’ funds;
  (ii) a description of the governance arrangements and internal control mechanisms for the payment or electronic money services provided, including ICT-related arrangements in line with Articles 6 and 7 of the DORA Regulation, amongst others; and
  (iii) a winding-up plan tailored to the size and business model of the institution.

Where the financial institution safeguards clients’ funds by depositing them with a credit institution or by investing them in secure, liquid, low-risk assets, the description in point (i) above must include, among other things, a description of the administration and reconciliation process that ensures client funds are insulated, in the interest of the clients, from the claims of the institution’s other creditors, and, where applicable, a description of the investment policy that ensures the assets remain liquid, secure and low-risk. Where safeguarding is instead ensured through an insurance policy or a comparable guarantee, the description of measures must set out the duration and renewal terms of the coverage and include a confirmation that the provider is independent from the institution’s group.

The governance arrangements and internal control requirements referred to in point (ii) above extend, amongst other elements, to the detailed mapping of risks, the implementation of procedures for periodic and permanent controls, accounting frameworks, the identification of the persons responsible for control functions, and appropriate oversight of outsourcing arrangements and of group-level governance where applicable.

Additionally, the winding-up plan in point (iii) above must outline the mitigation measures that ensure the orderly execution of outstanding transactions and the termination of client contracts in the event of the institution’s failure.

All licence holders seeking to participate in a payment system are required to perform a self-assessment confirming compliance with the above-mentioned requirements. This must be documented in a report addressed to the relevant payment system and accompanied by a signed declaration from the financial institution’s Board of Directors. A copy of the declaration must also be submitted to the MFSA.

Furthermore, all licence holders already participating in a payment system as of 9 April 2025 are likewise required to undertake such a self-assessment and to comply with this new procedure, and must provide the MFSA with an update on the progress made by 9 June 2025.

The MFSA may also request that the self-assessment be counter-signed by an independent third-party auditor. Licence holders must also notify the MFSA and the relevant payment system of any key changes to the information previously submitted.

b. FIR/02 and FIR/03 amendments on ICT and security risk management

In parallel, the MFSA has also updated FIR/02 to remove the reference to the EBA Guidelines on ICT and Security Risk Management. FIR/02 applies to financial institutions licensed to provide the services listed in the First Schedule to the Financial Institutions Act (Chapter 376 of the laws of Malta) other than payment services and the issuance of electronic money, so the EBA Guidelines, which are addressed to payment service providers, are not the relevant standard for those institutions (an MFSA Circular issued in October 2024 refers in this respect).

In this context, the MFSA has removed the reference to the EBA Guidelines from FIR/02 and retained instead the reference to its own Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements.

Further to the above, a new rule has been introduced in FIR/03 requiring payment institutions and electronic money institutions to comply with the EBA Guidelines on ICT and Security Risk Management referred to above, which were recently revised to account for the application of the DORA Regulation (EBA/GL/2025/02). The latest revisions to the EBA Guidelines are aimed at ensuring that firms maintain a robust framework for managing ICT and security risks in a manner that complements and supports the overarching objectives of the DORA Regulation, while providing regulatory clarity at national level on the applicable standards.
