Malta’s FinTech and crypto ecosystem continues to evolve at a remarkable pace. As more firms prepare to operate under the Markets in Crypto-Assets Regulation (MiCA), one theme stands out above all others - risk management.
MiCA represents a major step toward harmonising crypto regulation across the European Union. It brings new expectations for governance, consumer protection, and operational resilience. However, for many firms, particularly startups and rapidly scaling FinTechs, translating these regulatory expectations into practical, day-to-day risk management frameworks can be challenging.
This is where internal audit plays a pivotal role. Beyond verifying compliance, internal auditors are uniquely positioned to help organisations understand their risk exposures, strengthen their control environment, and prepare for supervisory scrutiny.
Understanding Risk Management Under MiCA
MiCA requires crypto-asset service providers (CASPs) to establish sound governance arrangements, effective risk management policies, and clear accountability for control oversight. These requirements are not simply regulatory formalities - they are essential for maintaining market integrity and protecting clients in an increasingly interconnected digital economy.
Unlike traditional financial institutions, many crypto businesses operate in highly decentralised, technology-driven environments. Risks evolve quickly, from cybersecurity incidents and ICT disruptions to market manipulation, custody breaches, and liquidity pressures. MiCA expects firms to identify, assess, and manage these risks in a structured and ongoing manner.
For internal auditors, this means evaluating whether risk management frameworks are not only documented but also functioning effectively in practice. Do management teams truly understand their key risks? Are risk registers updated regularly? Are emerging risks, such as those linked to decentralised finance or third-party service providers, being properly considered?
Answering these questions requires auditors to combine regulatory insight with a strong understanding of operational realities.
The Evolving Risk Landscape for MiCA Firms
MiCA introduces new obligations that broaden the traditional view of risk. Internal auditors must expand their focus to cover areas such as:
- Operational and ICT Risk – Assessing resilience against system outages, data breaches, and cyberattacks.
- Safeguarding of Client Assets – Verifying that crypto assets held on behalf of clients are segregated, traceable, and protected against loss.
- Market Conduct Risk – Evaluating controls around price transparency, order execution, and market abuse prevention.
- Third-Party and Outsourcing Risk – Ensuring appropriate due diligence, contractual clarity, and continuous monitoring of technology and custody partners.
- Liquidity and Capital Risk – Reviewing how the organisation maintains adequate resources to meet obligations during stress conditions.
- Regulatory and Reputation Risk – Testing how the firm stays abreast of evolving compliance requirements while maintaining public and investor confidence.
In Malta, where many CASPs are at the early stages of building formalised governance structures, addressing these risks systematically can be a significant learning curve. This makes internal audit not merely a control function but a strategic partner in organisational maturity.
Internal Audit’s Expanding Role
Under MiCA, internal audit is expected to go beyond compliance testing. It should evaluate whether the firm’s risk management framework is proportionate, embedded, and forward-looking.
An effective internal audit approach includes:
- Assessing governance and oversight – Ensuring that boards and senior management have a clear view of key risks and that decision-making processes are transparent.
- Testing the maturity of risk identification – Reviewing whether the firm captures both current and emerging risks, including those arising from rapid technological change.
- Evaluating risk mitigation and monitoring – Confirming that controls are not only in place but are regularly reviewed and refined based on lessons learned.
- Reviewing escalation and reporting – Assessing how risk information flows within the organisation and how issues are escalated to governance bodies.
- Coordinating with the second line – Working constructively with compliance, risk, and AML functions to ensure that assurance activities are complementary rather than duplicative.
Through this approach, internal audit becomes an essential contributor to resilience — supporting the firm in demonstrating to regulators that its governance and risk management are not theoretical, but operational realities.
BDO Malta’s Perspective: Supporting Risk Management under MiCA
At BDO Malta, we work closely with FinTechs, crypto firms, and emerging CASPs that are preparing for MiCA authorisation. Many of these organisations are eager to comply but face challenges in designing proportionate risk management frameworks that balance innovation with regulatory expectation.
Our team helps clients assess their current control environments, identify gaps, and develop pragmatic risk management structures aligned with MiCA. This includes reviewing governance arrangements, advising on the segregation of duties across the Three Lines Model, and designing internal audit plans that deliver meaningful assurance.
We recognise that each firm’s journey is different. A startup developing its first crypto custody solution will not have the same level of formality as a mature exchange. Therefore, our focus is on right-sizing risk management, ensuring that controls are practical, scalable, and suited to the organisation’s stage of growth.
By doing so, BDO Malta supports firms in building the resilience and confidence needed to thrive under MiCA.