MFSA Observations on Outsourcing and Safeguarding Practices in Financial Institutions

The Malta Financial Services Authority (MFSA) has issued its findings following a thematic review focused on two core areas relevant to financial institutions: outsourcing and other third-party arrangements, and the safeguarding of clients’ funds. 
The exercise provides insight into the extent to which firms are aligning with regulatory expectations and identifies several areas requiring further attention. 


Outsourcing and Third-Party Arrangements 
The review found that many financial institutions continue to face uncertainty when classifying service providers as either outsourcing partners or third-party vendors. In some cases, identical services were reported under both categories, suggesting a lack of clarity around definitions. 

Internal functions such as Compliance, Risk, and Internal Audit were sometimes not classified as “critical or important,” despite their clear relevance under the applicable framework. The MFSA reiterated that governance functions fall within this category and should be treated accordingly. 

The review also noted insufficient assessments of intragroup outsourcing arrangements. While these can bring operational benefits, they remain subject to the same standards as external outsourcing and should be governed by robust risk assessments and contractual safeguards. 

Documentation was another area of concern. In some instances, firms lacked formal outsourcing policies or had not updated their registers or agreements in line with expected standards. There were also examples of governance weaknesses, including the oversight of operational functions by inappropriate roles, such as compliance teams overseeing internal audit. 


Safeguarding of Clients’ Funds 
The MFSA identified growing reliance on the investment method of safeguarding, which requires greater scrutiny compared to the deposit method. Firms opting for this method must ensure the assets used are secure, low-risk, and liquid — and be able to demonstrate this through detailed assessments. These assessments should reference the relevant CRR risk weights and liquidity classifications, particularly for UCITS. 

Concentration risk also emerged as an area of concern, especially for firms relying on a single safeguarding arrangement. The Authority recommends diversification of safeguarding accounts and, where the investment method is used, holding a portion of funds on deposit to maintain liquidity. 

Governance practices around safeguarding varied significantly. While many institutions designated a responsible person (typically the CFO), not all demonstrated adequate board-level oversight. The MFSA underlined the need for formal reconciliation procedures and urged firms to adopt a “four-eyes” principle when managing access to safeguarding accounts. 


MFSA Expectations 
Going forward, financial institutions are expected to: 
  • Clearly distinguish between outsourcing and third-party arrangements, and assess the criticality of each; 
  • Maintain up-to-date outsourcing policies, registers, and agreements that reflect actual practices; 
  • Conduct and document thorough risk assessments, including those for intragroup arrangements; 
  • Ensure proper segregation of duties, especially between compliance, risk, and internal audit; 
  • Adopt safeguarding practices that are fully compliant with FIR/03 and related regulations; 
  • Maintain diversified arrangements and conduct periodic reviews to ensure resilience and compliance. 

The MFSA’s review has highlighted several shortcomings in the treatment of outsourcing and safeguarding functions within financial institutions. Firms are reminded that effective governance, documented procedures, and regular review are not only regulatory requirements, but essential for sound risk management. Institutions are expected to use these findings as a benchmark to reassess their own practices and address any gaps without delay. 
 
