Issue link: https://maltatoday.uberflip.com/i/1545285
6 COMMERCIAL maltatoday | SUNDAY • 7 JUNE 2026 Fintech supervsion: Ensuring innovation is secure and structurally resilient Christopher Aquilina is head of Fintech Supervision at the Malta Finacial Services Authority. We spoke to him about the Authority's Fintech function, the EU AI Act, and what Malta can offer f intechs and crypto-asset service providers Malta was one of the first ju- risdictions in Europe to intro- duce a dedicated framework for virtual financial assets. Now that MiCA is the appli- cable EU framework for cryp- to-assets, and the transitional period for legacy providers is approaching its end, how do you see Malta's role evolving? What can Malta offer fintechs and crypto-asset service pro- viders in a harmonised Euro- pean market? Malta's role is evolving from that of an early mover to that of a jurisdiction with mature, battle-tested regulatory and su- pervisory experience. MiCA has levelled the competitive land- scape by replacing fragment- ed national rules with a single European framework. Conse- quently, Malta can no longer compete simply by having a be- spoke national framework. The opportunity now is to compete on regulatory quality, predicta- bility, supervisory expertise, and our ability to support serious operators looking to scale sus- tainably across the EU. The conclusion of the MiCA transitional arrangements on 1 July 2026 is a defining moment for the market; firms serving European clients must be fully authorised or cease operations. For Malta, this reinforces the importance of being a credible home for Crypto-Asset Service Providers (CASPs) that view regulation as a foundation for trust rather than a hurdle to in- novation. The MFSA's focus remains on proportionate, risk-based super- vision and enhanced operation- al efficiency during the appli- cation process and throughout the life cycle of a licensed firm. Malta's differentiator is that it deeply understands digital fi- nance in practice, maintains an open dialogue with the market, and remains fully aligned with European standards. MiCA creates a harmonised regime for crypto-asset servic- es, but decentralised finance remains more complex. MiCA recognises that services pro- vided in a fully decentralised manner without an interme- diary may fall outside scope, yet many DeFi models still involve identifiable govern- ance, front-end, operational or control points. How should supervisors approach DeFi in practice? DeFi requires us to look be- yond labels and examine sub- stance. The key question is not whether a project calls itself de- centralised, but whether there is an identifiable person or entity providing, controlling, facili- tating or materially benefiting from a regulated service. While MiCA recognises that services provided in a fully decentralised manner without an intermedi- ary may fall outside its scope, this is not a blanket exemption for everything described as DeFi. In practice, our supervisory approach is to assess the true control points: who can upgrade the protocol, who operates the interface, who controls the treasury or governance mech- anisms, and who receives fees. Where those points of control exist, regulatory obligations nat- urally follow. Our objective is never to regu- late technology for its own sake, but to manage risks related to market integrity, consumer pro- tection, financial crime, opera- tional resilience, and contagion into regulated financial servic- es. For the MFSA, this means taking a risk-based and tech- nologically informed approach, particularly at the intersections where DeFi interacts with reg- ulated entities, fiat channels, custodians, exchanges, or retail users. DeFi challenges tradi- tional supervisory models, but the core principles remain un- changed: if an activity creates comparable risks, those risks must be understood, monitored, and addressed in a proportion- ate manner. Your background includes cyber security, ICT risk and technology governance. With DORA now applicable across the EU financial sector, and with AI-enabled fraud, cyber threats and outsourcing risk becoming more sophisticated, is fintech supervision today as much about technology as it is about finance? Yes, absolutely. In modern financial services, technology and finance are inseparable. A licence holder's risk profile, commercial viability, and op- erational continuity are shaped by its software architecture, da- ta governance, and third-party dependencies. DORA, which has been fully applicable since January 2025, formalised this reality by introducing strict EU requirements for digital opera- tional resilience. For fintech supervision, un- derstanding the underlying technology is now a prerequisite for assessing the business risk. A payments firm, a CASP, or an AI-driven compliance platform may share similar financial tar- gets, but their operational risk profiles can vary significantly depending on how their systems are secured and engineered. This is particularly critical when addressing sophisticated cyber threats, AI-driven fraud, and systemic outsourcing concen- tration in cloud infrastructure. To meet this challenge, I am ensuring that the MFSA's Fin- Tech function deploys truly multidisciplinary capabilities by combining traditional financial analysis with advanced cyber expertise and data literacy. Our mandate is not to restrict tech- nological evolution, but to en- sure that innovation is structur- ally resilient, secure, and worthy of market trust. The Malta Financial Services Advisory Council's (MFSAC) strategy identifies several structural priorities, including the development of national payments infrastructure, dig- ital identity, legal reform, tal- ent and operational efficiency. From the perspective of the MFSA's FinTech Function, how can these high-level initi- atives translate into practical improvements for fintech op- erators? High-level strategies are only valuable if they translate into measurable, day-to-day im- provements for operators and consumers. For fintech firms, the priorities outlined in the MFSAC strategy—such as na- tional payments infrastructure, centralised identity manage- ment, and legal modernisation— are not abstract concepts. They directly impact a firm's practical ability to secure banking rails, onboard clients efficiently, at- tract specialised talent, and scale without friction. From the MFSA's perspective, the FinTech Function acts as a proactive catalyst to ensure that policy execution is grounded in market realities. A modernised national pay- ments infrastructure, for ex- ample, directly addresses the historical frictions fintechs have faced regarding settlement and clearing access. Similarly, ro- bust digital identity infrastruc- ture can significantly streamline client onboarding while simul- taneously strengthening our AML/CFT outcomes. The Authority is not building these ecosystems in isolation, but, rather, we are actively col- laborating with cross-govern- mental stakeholders to remove unnecessary operational bot- tlenecks. Our ultimate goal is an ecosystem that is faster to navigate, digitally native, and anchored in consistently high regulatory standards. The EU AI Act is now being phased in, while regulators are increasingly using da- ta analytics and supervisory technology. As compliance and supervision become more automated and data-driven, how do you ensure that the re- lationship between the regu- lator and firms remains open, human and constructive? Supervision must become more data-driven to keep pace with the market, and when im- plemented responsibly, this shifts regulation from a reactive posture to a more predictive one. Due to delays in finalising technical standards and official European Commission guide- lines, the EU introduced the "Digital Omnibus on AI" to ex- tend implementation timelines. The MFSA is concurrently ad- vancing its own use of supervi- sory technology (SupTech) and data analytics to flag risks early and prioritise its regulatory re- sources. With the majority of the EU AI Act compliance dead- lines approaching on 2 August 2026, the MFSA is concurrently advancing its own use of super- visory technology (SupTech) and data analytics to flag risks early and prioritise its regulato- ry resources. However, automation is a tool to enhance human judgement, not a substitute for it. Financial services are fundamentally built on trust, and effective super- vision will always rely on clear communication and contextual understanding. Licence holders must always have direct access to the regulator to discuss com- plex business models, interpret evolving parameters, and ad- dress emerging challenges early. My philosophy for the FinTech Function is high-tech supervi- sion complemented by high- touch engagement. We will lev- erage automation to eliminate administrative burdens and de- rive clearer insights from data, but human accountability for supervisory decisions remains central. By maintaining trans- parency, predictability, and an open-door policy, we ensure that as the industry becomes more automated, the relation- ship between the MFSA and its partners remains constructive and grounded in mutual respect. Christopher Aquilina