The Malta Financial Services Authority ("MFSA") has issued a Dear CEO Letter setting out the findings of its review of the Internal Liquidity Adequacy Assessment Process ("ILAAP") across a sample of Less Significant Institutions ("LSIs"). While the review focused on selected banks, the MFSA made it clear that its observations are relevant to all credit institutions operating under the Banking Act.
The review highlights a common theme: banks must be able to demonstrate that they understand, monitor, and actively manage their liquidity risks, rather than simply maintaining policies and procedures.
Governance and Risk Appetite Require Greater Attention
The MFSA identified weaknesses in Board oversight and liquidity risk governance. While most banks formally approved their ILAAP documentation, discussions on liquidity and funding risks were often limited, with insufficient evidence of challenge from Boards.
The review also found that many banks rely heavily on regulatory metrics such as the Liquidity Coverage Ratio ("LCR") and Net Stable Funding Ratio ("NSFR") when setting risk appetite. The MFSA expects banks to develop a broader range of indicators that reflect their specific business model and risk profile.
These findings reinforce the need for Boards to take an active role in understanding liquidity risks and ensuring that risk appetite arrangements provide meaningful oversight.
Internal Audit Under the Spotlight
One of the most relevant messages from the Dear CEO Letter relates to Internal Audit.
The MFSA found that liquidity and funding risks often receive limited audit coverage. In some cases, banks could not demonstrate why the scope of audit work performed was sufficient, while weaknesses were also identified in the independent review of liquidity methodologies and the timely remediation of audit findings.
For Internal Audit Functions and Audit Committees, liquidity risk should be treated as a key risk area and reflected appropriately within risk-based audit plans.
Internal audit reviews should go beyond compliance testing and assess areas such as:
- Governance and Board oversight;
- Data quality and liquidity reporting;
- Stress testing methodologies;
- Risk appetite monitoring;
- Contingency funding arrangements; and
- Follow-up of previously identified issues.
As supervisory expectations continue to increase, internal audit has an important role in providing independent assurance over the effectiveness of liquidity risk management and the ILAAP process.
Data Quality, Stress Testing and Contingency Planning
The MFSA also highlighted weaknesses in data quality, manual reporting processes, stress testing, and contingency planning.
Many banks continue to rely on spreadsheets and manual interventions, increasing the risk of errors and reducing the reliability of management information. The review also found that stress testing scenarios were often insufficiently severe and that some banks could not demonstrate that contingency funding sources would remain available during periods of stress.
The MFSA expects banks to strengthen these areas and demonstrate how stress testing results are used to support decision-making, review risk appetite, and improve resilience.
Online Deposit Platforms Remain a Focus Area
The review also examined the use of Online Deposit Platforms ("ODPs"), which continue to attract supervisory attention.
The MFSA highlighted risks relating to concentration, operational resilience, cybersecurity, and regulatory compliance. It also noted that a significant number of banks using ODPs applied incorrect outflow assumptions in their LCR calculations.
Banks relying on ODP funding should ensure that these risks are appropriately reflected within their risk management, stress testing, and contingency planning processes.
Key Takeaways
The MFSA's review shows that many banks still have work to do in areas such as governance, risk appetite, stress testing, contingency planning, data quality, and internal audit coverage.
For Internal Audit Functions in particular, the message is clear: liquidity risk is an area of increasing supervisory focus and should receive appropriate attention within audit plans. Internal audit can play a critical role in challenging management, assessing the effectiveness of controls, and providing assurance that liquidity risk management arrangements are operating as intended.
As the MFSA continues to focus on how banks manage liquidity risk in practice, institutions that address these findings proactively will be better positioned to strengthen resilience and meet supervisory expectations.
How BDO Malta Can Help
BDO Malta assists credit institutions in strengthening their governance, liquidity risk management, and internal audit frameworks. Our teams can support ILAAP reviews, risk assessments, and assurance engagements to help institutions meet evolving supervisory expectations.
Learn more about our Internal Audit services.
