MFSA Raises the Bar on AI Governance: What Financial Institutions Need to Do Now

On 4th June 2026, the Malta Financial Services Authority (MFSA) issued its latest communication to licence holders on Artificial Intelligence (AI) – Governance, Risk and Prudential Expectations.

While AI adoption across Maltese financial institutions remains at an early stage, the MFSA signals a clear intention: firms must act now to ensure AI is governed, controlled, and aligned with prudential risk expectations. 

 

Below we summarise the key takeaways and, importantly, what firms should do next. 

1. AI is no longer just a technology topic; it is a prudential risk area 
A central message from the MFSA is that AI should not be viewed merely as an operational enhancement. Firms are expected to treat AI as a core risk domain impacting: 
  • Risk appetite and decision-making 
  • Financial stability and resilience 
  • Consumer protection and market integrity  
This is a significant shift. It places AI alongside credit risk, operational risk, and ICT risk in terms of regulatory scrutiny. 

Implication: AI must be embedded into enterprise risk management frameworks—not handled in isolation by IT or innovation teams. 


 
2. Boards and senior management are expected to take ownership 
The MFSA is explicit: 
  • Boards must retain oversight and accountability for AI systems 
  • Responsibilities must be clearly defined 
  • Sufficient expertise must exist to challenge and oversee AI deployment  

The MFSA's market observations show material gaps: 
  • Many firms lack a formal AI strategy 
  • Governance structures are immature 
  • AI expertise remains limited

Implication: AI governance is becoming a Board-level agenda item, not a technical concern. 


 
3. Heavy reliance on third parties is a growing risk 
The MFSA highlights significant dependence on: 
  • Cloud providers 
  • AI model vendors 
  • External data providers  

Key risks include: 
  • Concentration risk 
  • Limited transparency over model behaviour 
  • Reduced control over critical processes 
Implication: Firms must bring AI outsourcing under their existing third-party risk frameworks, with enhanced oversight of these dependencies. 


 
4. Model risk, explainability and monitoring are critical 
AI systems introduce new types of risk: 
  • Inconsistent or inaccurate outputs 
  • Model drift over time 
  • Limited explainability  

The MFSA expects: 
  • Robust validation and testing 
  • Ongoing performance monitoring 
  • Clear audit trails and model documentation 

Implication: Traditional model risk management frameworks must evolve to address AI-specific challenges. 


 
5. Data governance is a foundational requirement 
The quality of AI outcomes is directly dependent on data quality. 

The MFSA stresses: 
  • Data must be accurate, validated and well-governed 
  • Data flows must be understood and documented 
  • Regulatory compliance (e.g. GDPR) must be maintained 
Implication: AI governance cannot exist without strong data governance maturity. 


 
6. Firms must complete a structured AI self-assessment 
The MFSA introduces a detailed self-assessment framework covering: 
  • AI use case identification 
  • Vendor and dependency mapping 
  • Governance and accountability structures 
  • Data flows, risk controls, and monitoring 
  • Financial crime, conduct and systemic risks  

Importantly: 
  • Firms are not required to submit results 
  • However, they must be able to evidence the assessment and outcomes 
  • The MFSA may request evidence during supervisory activities

Implication: This is effectively a pre-supervisory diagnostic exercise; firms should treat it as such. 


 
7. Supervisory scrutiny will intensify 
The MFSA confirms that AI will be embedded into: 
  • Onsite inspections 
  • Thematic reviews 
  • Ongoing supervisory engagement 

Focus areas will include: 
  • Governance frameworks 
  • Third-party dependencies 
  • Customer-impacting use cases 
  • Alignment with risk appetite 
Implication: Firms should expect AI to feature prominently in future DORA, ICT risk, and internal audit reviews. 


 
How BDO Malta Can Help 

While the MFSA has not mandated submission, the expectations are clear: firms must be ready to demonstrate maturity, structure, and control. 

We support organisations across three key pillars: 


 

1. Perform the MFSA AI Self-Assessment (and go beyond compliance) 
We help firms: 
  • Complete and structure the Annex 1 assessment 
  • Identify AI use cases across the organisation 
  • Map third-party dependencies and concentration risks 
  • Assess governance gaps and control effectiveness

Outcome: A regulator-ready assessment aligned to MFSA expectations. 


 
2. Define an AI Strategy aligned to risk and business objectives 
The MFSA notes that many firms lack a formal AI strategy. 

We support: 
  • Development of Board-approved AI strategies 
  • Alignment with risk appetite and regulatory obligations 
  • Identification and prioritisation of AI use cases 
  • Integration with digital transformation and data strategies 

Outcome: A structured, forward-looking AI roadmap. 


 
3. Establish AI Governance and Oversight Frameworks 
We design and implement: 
  • AI governance structures across the three lines of defence 
  • Model risk management frameworks tailored to AI
  • RACI models for AI accountability 
  • Board-level reporting and AI risk dashboards 
  • Policies and procedures aligned with EU AI Act and leading frameworks (including ISO 42001) 
Outcome: Clear accountability, oversight, and control over AI deployment. 


 
Key Takeaway 
The MFSA’s message is clear: 

AI adoption must be controlled, governed, and aligned with prudential risk expectations—before scale becomes a problem. 

Even though submission is not required today, firms should assume: 
  • This assessment will be reviewed during supervision 
  • Weak governance will result in increased scrutiny 
  • Early adopters of structured frameworks will be better positioned