MFSA issues AI governance and prudential risk expectations for Malta financial services firms

On the 4th of June 2026, the Malta Financial Services Authority (“MFSA”) issued a Dear CEO Letter outlining its supervisory expectations regarding the adoption and use of Artificial Intelligence (“AI”) by financial services firms operating in Malta. The communication arrives against the backdrop of a rapidly evolving European regulatory framework, particularly following the entry into force of the EU Artificial Intelligence Act (Regulation (EU) 2024/1689) (“AI Act”), and reflects the Authority’s broader objective of supporting technological innovation while safeguarding financial stability, consumer protection and market integrity. Against this background, the Authority has provided guidance on the governance, risk management and control measures that should accompany the use of such technologies.

The Dear CEO Letter outlines the MFSA’s key supervisory expectations:

I. Board and Senior Management Accountability for AI Systems

A central theme emerging from the Dear CEO Letter is that AI should not be viewed merely as a technological tool, but rather as a prudential matter requiring active oversight at the highest levels of the organisation. The MFSA stresses that ultimate accountability for the use of AI rests with the Board of Directors and senior management, who are expected to understand both the opportunities and risks associated with AI systems and ensure that their deployment remains aligned with the firm’s business strategy, risk appetite and regulatory obligations. The MFSA further expects firms to clearly allocate responsibility for AI systems, maintain sufficient expertise to provide effective challenge and oversight, and ensure that roles across the three lines of defence (“3LOD”) are appropriately defined so that no single function exercises unrestricted control over the design, deployment or validation of such systems.

II. Governance and Oversight Arrangements

The MFSA further emphasises that firms should treat AI as an integral component of their risk management framework. In practice, the MFSA expects firms to implement appropriate internal controls capable of ensuring that AI systems operate as intended and that any unintended outcomes, model failures or weaknesses are detected and addressed in a timely manner.

To assist firms in evaluating their preparedness for AI adoption, the MFSA has developed a structured self-assessment framework covering AI use cases, governance arrangements, third-party dependencies and control environments. The self-assessment tool is set out in Annex 1 to the Dear CEO Letter, entitled “AI-Enabled Process & Vendor Mapping Self-Assessment — Question Register”. Although firms are not currently required to submit the results of these assessments to the Authority, they are expected to be able to demonstrate that:

  • the assessment has been undertaken;
  • the outcomes have been reviewed at Board and senior management level; and
  • any identified deficiencies are being addressed through appropriate remediation measures.

III. Third-Party Dependencies and Concentration Risk

While outsourcing arrangements have long formed part of the financial services landscape, the MFSA notes that growing dependence on a limited number of technology providers may give rise to operational vulnerabilities.

Firms are therefore expected to conduct appropriate due diligence on third-party providers and assess concentration risks arising from reliance on a limited number of providers, as existing outsourcing and operational resilience requirements continue to apply in full to AI deployments.

IV. Model Validation, Monitoring and Reliability

Particular attention is also given to the reliability and robustness of AI models. The MFSA expects firms to ensure that AI models are tested before implementation, subject to continuous performance monitoring and reviewed regularly to ensure that outputs remain accurate, reliable and consistent with their intended purpose. Where firms are unable to adequately validate, monitor or assess the performance of AI systems, consideration should be given to restricting or redesigning the use of such systems, particularly in higher-risk contexts.

V. Data Governance and Regulatory Compliance

Given that AI systems are only as effective as the data on which they rely, firms are expected to implement robust data governance frameworks to support their use. Such frameworks should ensure that data is accurate, relevant and appropriately validated, and that data flows and usage are clearly understood and documented.

VI. Operational and Systemic Risk Considerations

The MFSA expects firms to adopt a forward-looking approach to AI-related risks by assessing dependencies, identifying potential single points of failure, and ensuring that appropriate contingency measures are in place.

Looking Ahead

The Dear CEO Letter provides a clear indication of the MFSA’s supervisory expectations as AI adoption continues to expand across the financial services sector. For regulated entities operating in Malta, the message is clear: innovation is encouraged, but it must be accompanied by effective governance, robust control frameworks and sound risk management practices.

Share

Go Back
01
image

How can we assist?

Contact us