FinTech supervision: Ensuring innovation is secure and structurally resilient

Dr Christopher Aquilina is head of FinTech Supervision at the Malta Financial Services Authority. We spoke to him about the Authority’s FinTech function, the EU AI Act, and what Malta can offer FinTechs and crypto-asset service providers.

Dr Christopher Aquilina, head of Fintech Supervision at the MFSA

Malta was one of the first jurisdictions in Europe to introduce a dedicated framework for virtual financial assets. Now that MiCA is the applicable EU framework for crypto-assets, and the transitional period for legacy providers is approaching its end, how do you see Malta’s role evolving? What can Malta offer FinTechs and crypto-asset service providers in a harmonised European market?

Malta’s role is evolving from that of an early mover to that of a jurisdiction with mature, battle-tested regulatory and supervisory experience. MiCA has levelled the competitive landscape by replacing fragmented national rules with a single European framework. Consequently, Malta can no longer compete simply by having a bespoke national framework. The opportunity now is to compete on regulatory quality, predictability, supervisory expertise, and our ability to support serious operators looking to scale sustainably across the EU.

The conclusion of the MiCA transitional arrangements on 1 July 2026 is a defining moment for the market; firms serving European clients must be fully authorised or cease operations. For Malta, this reinforces the importance of being a credible home for Crypto-Asset Service Providers (CASPs) that view regulation as a foundation for trust rather than a hurdle to innovation.

The MFSA’s focus remains on proportionate, risk-based supervision and enhanced operational efficiency during the application process and throughout the life cycle of a licensed firm. Malta’s differentiator is that it deeply understands digital finance in practice, maintains an open dialogue with the market, and remains fully aligned with European standards.

MiCA creates a harmonised regime for crypto-asset services, but decentralised finance remains more complex. MiCA recognises that services provided in a fully decentralised manner without an intermediary may fall outside scope, yet many DeFi models still involve identifiable governance, front-end, operational or control points. How should supervisors approach DeFi in practice?

DeFi requires us to look beyond labels and examine substance. The key question is not whether a project calls itself decentralised, but whether there is an identifiable person or entity providing, controlling, facilitating or materially benefiting from a regulated service. While MiCA recognises that services provided in a fully decentralised manner without an intermediary may fall outside its scope, this is not a blanket exemption for everything described as DeFi.

In practice, our supervisory approach is to assess the true control points: who can upgrade the protocol, who operates the interface, who controls the treasury or governance mechanisms, and who receives fees. Where those points of control exist, regulatory obligations naturally follow.

Our objective is never to regulate technology for its own sake, but to manage risks related to market integrity, consumer protection, financial crime, operational resilience, and contagion into regulated financial services. For the MFSA, this means taking a risk-based and technologically informed approach, particularly at the intersections where DeFi interacts with regulated entities, fiat channels, custodians, exchanges, or retail users. DeFi challenges traditional supervisory models, but the core principles remain unchanged: if an activity creates comparable risks, those risks must be understood, monitored, and addressed in a proportionate manner.

Your background includes cyber security, ICT risk and technology governance. With DORA now applicable across the EU financial sector, and with AI-enabled fraud, cyber threats and outsourcing risk becoming more sophisticated, is fintech supervision today as much about technology as it is about finance?

Yes, absolutely. In modern financial services, technology and finance are inseparable. A licence holder’s risk profile, commercial viability, and operational continuity are shaped by its software architecture, data governance, and third-party dependencies. DORA, which has been fully applicable since January 2025, formalised this reality by introducing strict EU requirements for digital operational resilience.

For FinTech supervision, understanding the underlying technology is now a prerequisite for assessing the business risk. A payments firm, a CASP, or an AI-driven compliance platform may share similar financial targets, but their operational risk profiles can vary significantly depending on how their systems are secured and engineered. This is particularly critical when addressing sophisticated cyber threats, AI-driven fraud, and systemic outsourcing concentration in cloud infrastructure.

To meet this challenge, I am ensuring that the MFSA’s FinTech function deploys truly multidisciplinary capabilities by combining traditional financial analysis with advanced cyber expertise and data literacy. Our mandate is not to restrict technological evolution, but to ensure that innovation is structurally resilient, secure, and worthy of market trust.

The Malta Financial Services Advisory Council’s (MFSAC) strategy identifies several structural priorities, including the development of national payments infrastructure, digital identity, legal reform, talent and operational efficiency. From the perspective of the MFSA’s FinTech Function, how can these high-level initiatives translate into practical improvements for fintech operators?

High-level strategies are only valuable if they translate into measurable, day-to-day improvements for operators and consumers. For FinTech firms, the priorities outlined in the MFSAC strategy—such as national payments infrastructure, centralised identity management, and legal modernisation—are not abstract concepts. They directly impact a firm's practical ability to secure banking rails, onboard clients efficiently, attract specialised talent, and scale without friction.

From the MFSA’s perspective, the FinTech Function acts as a proactive catalyst to ensure that policy execution is grounded in market realities. A modernised national payments infrastructure, for example, directly addresses the historical frictions FinTechs have faced regarding settlement and clearing access. Similarly, robust digital identity infrastructure can significantly streamline client onboarding while simultaneously strengthening our AML/CFT outcomes.

The Authority is not building these ecosystems in isolation, but, rather, we are actively collaborating with cross-governmental stakeholders to remove unnecessary operational bottlenecks. Our ultimate goal is an ecosystem that is faster to navigate, digitally native, and anchored in consistently high regulatory standards.

The EU AI Act is now being phased in, while regulators are increasingly using data analytics and supervisory technology. As compliance and supervision become more automated and data-driven, how do you ensure that the relationship between the regulator and firms remains open, human and constructive?

Supervision must become more data-driven to keep pace with the market, and when implemented responsibly, this shifts regulation from a reactive posture to a more predictive one. Due to delays in finalising technical standards and official European Commission guidelines, the EU introduced the "Digital Omnibus on AI" to extend implementation timelines. With the majority of the EU AI Act compliance deadlines approaching on 2 August 2026, the MFSA is concurrently advancing its own use of supervisory technology (SupTech) and data analytics to flag risks early and prioritise its regulatory resources.

However, automation is a tool to enhance human judgement, not a substitute for it. Financial services are fundamentally built on trust, and effective supervision will always rely on clear communication and contextual understanding. Licence holders must always have direct access to the regulator to discuss complex business models, interpret evolving parameters, and address emerging challenges early.

My philosophy for the FinTech Function is high-tech supervision complemented by high-touch engagement. We will leverage automation to eliminate administrative burdens and derive clearer insights from data, but human accountability for supervisory decisions remains central. By maintaining transparency, predictability, and an open-door policy, we ensure that as the industry becomes more automated, the relationship between the MFSA and its partners remains constructive and grounded in mutual respect.