Over the next few days, the Malta Digital Innovation Authority (MDIA) will be publishing the details of three new approved systems auditors working in the field of Distributed Ledger Technologies.
CEO Stephen McCarthy has told The Malta Business Observer that the authority, which is Malta’s serving regulatory body for new emergent technologies, had also received interest from another five potential systems auditors, who will be vetted over the coming months.
The MDIA, however, is not responsible for the approval of VFA agents, under the Virtual Financial Assets (VFA) Act, as this falls under the Malta Financial Services Authority’s (MFSA) remit. There are currently 11 VFA agents officially registered with the MFSA, with rolling confirmations announced on their website as applications are approved.
The new approved systems auditors have met “the requirements set by the MFSA, as documented in the guidelines on the definition of ‘in or from Malta’,” according to Mr McCarthy, who also noted that the decision rested on the applicants’ education, experience and their performance in an interview. He underlined the MDIA’s commitment to “undertaking due diligence and scrutiny to ensure that the approved systems auditors can provide the required levels of assurances when it comes to providing a systems audit on innovative technology arrangements.”
Indeed, systems auditors are responsible for carrying out thorough inspections of exchanges, ICOs, STOs, or any other entity using DLT technologies as they proceed to apply for initial certification from the MFSA, in accordance with the legislative framework enacted towards the end of last year. The Innovative Technology Arrangements and Services (ITAS) Act and the VFA Act, together with the guidelines issued by the MDIA, have also placed emphasis on yearly audits to verify the firms’ continued security and transparency, with regular monitoring to scrutinise the integrity of their operations and IT set-up.
Mr McCarthy stressed that although this systems audit framework is a voluntary one, it was still needed in order to help strengthen confidence in the underlying technology, and to combat concerns over weaknesses within the system. These have been exacerbated following the hacking of the world’s largest cryptocurrency exchange, Malta-registered Binance, which moved operations to Malta in 2018 and was robbed of more than €35 million worth of Bitcoin.
Moreover, this may go some way to assuage the fears of some banks, that have been hesitant to open accounts for operators in the field, and that have declined business with blockchain operators, claiming that it was outside their “risk appetite”, with concerns that it would spook their banking relationships with foreign institutions.
“The MDIA’s systems audit framework aims to raise the levels of assurances on the underlying technology,” Mr McCarthy emphasised. “This is achieved by undertaking due diligence on approved systems auditors, and scrutiny on subject matter experts,” assured Mr McCarthy. “The sector is a fast-paced one, but the MDIA is attempting to remain as diligent as possible, allowing itself to keep up with the fast-paced sector.”
Systems audits are mandatory for issuers and service providers applying for a licence under the Virtual Financial Assets Act and for Innovative Technology Arrangements (ITA) seeking a voluntary certification under the MDIA certification process. The requirement to conduct systems audits came into force on 1st November 2018 as a result of Malta’s new regulatory framework around blockchain activity and Distributed Ledger Technology. The process to obtain the MDIA’s recognition as systems auditor is very rigorous and requires the systems auditor to have deep knowledge and understanding of the technology being audited as well as the systems audit principles applied across IT assurance frameworks.
VFA agents, on the other hand, assist issuers and service providers under the Virtual Financial Assets Act, and put forward applications to the MFSA on their behalf. VFAs agent have to perform a thorough due diligence and KYC on their clients and are required to support the MFSA in its supervisory function by providing the necessary information during post-registration supervision. The role is akin to that of a gatekeeper – a first line of defence which ensures that only persons who are fit and proper enter the financial system.