Overreliance on IT risks, weak testing and unrealistic forecasts

The MFSA found that most institutions have business strategies and continuity plans in place but warned that these are not being properly tested or updated. Some firms claimed to have conducted continuity and disaster recovery testing in 2024 but reported no “lessons learned”. This a contradiction the regulator said was concerning and possibly indicative of incomplete or inaccurate reporting.

It also noted that many institutions focus too narrowly on IT-related risks while overlooking broader threats such as financial, reputational and operational vulnerabilities. Furthermore, several firms rely on group-level monitoring rather than managing risks at a local level, which the MFSA deemed insufficient.

On the financial side, the Authority flagged inconsistencies between reported forecasts and actual performance. Some institutions have consistently registered losses while claiming positive outlooks and regular forecasting reviews. The MFSA described this as “inconsistent and concerning,” noting that access to additional capital remains limited for certain firms.

Stress testing, which the Authority considers essential to identifying weaknesses, was also found lacking. A number of institutions limited stress tests to IT disruptions or failed to conduct them altogether during 2024.

Staffing and client concentration risks

The review revealed persistent high staff turnover and succession planning gaps, especially in key function roles that are difficult to fill. The MFSA urged institutions to invest in developing internal talent pipelines and training junior staff.

It also highlighted that some firms depend heavily on a small number of clients — a structural risk that could have “significant negative effects” if those relationships were lost.

MFSA outlines clear expectations

In its concluding remarks, the Authority urged boards to demonstrate leadership in embedding resilience “at all levels of the organisation.” It expects institutions to:

• Identify, assess and mitigate risks specific to their business model, including cyber threats, operational failures and third-party dependencies.
• Conduct annual stress testing covering financial, liquidity and operational factors.
• Maintain and test comprehensive business continuity and disaster recovery plans.
• Establish contingency plans for key staff departures and third-party failures.
• Continuously update resilience strategies based on lessons learned and regulatory feedback.

Senior management, the MFSA said, must “lead business resilience efforts from the front” and treat the matter as a strategic priority, not a compliance obligation.

The Authority confirmed that findings from the review will be followed up through supervisory meetings and on-site inspections in the months ahead.

“A test of maturity” for long-standing licensees

In a pointed message, the MFSA said institutions that have held a licence for more than a decade should demonstrate a corresponding level of maturity and preparedness. Long-established players, it said, are expected to have developed “robust frameworks and internal capabilities” reflecting their experience in the market.

The letter, signed by Chief Officer Supervision Dr Christopher P. Buttigieg and Head of FinTech Supervision Camille Pepos, concludes that continuous improvement, staff training and proactive risk management are essential if Malta’s financial institutions are to sustain stability and consumer trust.

The legal team at BDO is ready to assist your financial institution by identifying any compliance gaps and tailoring solutions to be in line with MFSA rules and regulations. Should you require any further information or assistance, the team may be contacted here.