The Malta Financial Services Authority (MFSA) ‘Guidance on Technology Arrangements, ICT & Security Risk Management and Outsourcing Arrangements’ outlines the importance of technology within the fintech / financial services sectors due to the heightened level of reliance which is being placed upon technology to perform critical business functions.

The Guidance provides governance on areas such as Technology Arrangements, ICT & Security Risk Management, and Outsourcing Arrangements. In addition, it provides the scope and emphasis on the importance of meeting the requirements authorised by said Guidance, with which authorised firms must ensure compliance.

In-scope Entities

The Guidance Document does not apply to Authorised Persons which are in scope of the DORA Regulation. The Guidance Document applies to the below entities as per MFSA Circular dated 26th March 2024: 

• Trustees and other Fiduciaries
• Company Service Providers
• Professional Investor Funds (‘PIFs’), including self-managed PIFs
• Investment Service Providers that are Custodians and Depositories
• Recognized Fund Administrators
• Managers of alternative investment funds as referred to in Article 3(2) of Directive 2011/61/EU (‘De Minimis alternative investment fund managers’)
• Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries which are microenterprises or small or medium-sized enterprises
• Institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total
• Insurance and reinsurance undertakings as referred to in Article 4 of Directive 2009/138/EC
• Personal Retirement Schemes and Administrators of Personal Retirement Schemes
• Financial Institutions that solely provide activities of the first schedule of the Financial Institutions Act (Cap. 376 of the Laws of Malta)
• Authorised Credit Servicers in terms of the Credit Services and Credit Purchasers Act

Want to know more?