How to ensure your company is compliant with the MFSA ICT Guidance


In December 2020, the Malta Financial Services Authority announced technical guidelines relating to IT in licensed entities. Entitled “Guidance on Technology Arrangements, ICT, and Security Risk Management, and Outsourcing Arrangements,” they aim to establish several “risk mitigation factors” which arise from an increasing reliance on technology. The MFSA will, amongst other things, create an ICT governance framework and provide extensive guidance to third parties on the outsourcing of IT work.


What are the MFSA ICT Guidelines?

The MFSA ICT Guidance applies to businesses and companies, including financial institutions, insurance and reinsurance undertakings, pension providers, investment firms, fund managers, trading venues, securities depositories, trustees and fiduciaries, corporate service providers, and those engaged with virtual financial assets, amongst others. Following extensive consultation with various stakeholders, the guidelines focus on several critical areas, including confidentiality, integrity, availability, authentication, and non-repudiation.


The guidance provided by the MFSA is based on principles and is unbiased in terms of favouring different kinds of technology or service models. The key foundation of the guidance is that companies should meet compliance obligations. Stakeholders are advised to implement the principle of proportionality with the guidelines, considering the scale, nature, and complexity of the technology arrangements and the risks arising from them. It is a legal requirement for all licensed entities to comply with the framework’s principles.


Where do I start?

If you’re a company that falls under the applicable categories, you need to take several courses of action. These include first familiarizing yourself with the MFSA guidance document and trying to identify how this can or may impact your operations. To do this, you should have a firm understanding of the types of data your firm processes, how they are processed, and how and where they are stored. It can be good practice at this point to set up a specialized task force, including your IT team, to oversee compliance with the Guidance. It can also be necessary to engage third-party experts to assist.


Once this has been completed, you must undertake a gap analysis to figure out the differences or shortcomings between your current ICT practices and the MFSA guidelines. At this stage, a full ICT risk assessment should be undertaken. Following this, your company will be able to establish which remedial actions you should take to ensure full compliance. The aim of this process is not only to comply but to demonstrate that you have taken reasonable measures to be and remain compliant.


How can BDO help?

Assessing whether you’re in line with the guidelines and ensuring compliance is a time- and resource-consuming task. As mentioned, it is a smart decision to engage a third-party expert to assist. This is not only to speed up the process while lessening the burden on your staff but also to ensure the utmost accuracy throughout.


BDO Malta can help with the following:

  • Conduct a thorough IT Risk Assessment while noting the size and nature of your business;
  • Provide feedback on your company’s current level of compliance with the MFSA guidelines and create a scalable remediation plan, tailor-made for you;
  • Assist in reviewing or creating an ICT governance framework in compliance with the Guidelines;
  • Provide training on cybersecurity, the Guidelines, compliance and other related matters;
  • Conduct penetration testing and vulnerability assessments;
  • Help with setting up security incident platforms and similar;
  • Provide help in setting up internal incident response teams and drafting incident procedures;
  • Help with IT and cybersecurity audits.


To understand more about the MFSA’s guidelines, your obligations, and how to meet them, book a call with our technology team.