The European Securities and Markets Authority (ESMA) has raised red flags over Malta’s handling of license approvals under the EU’s Markets in Crypto-Assets (MiCA) regulation.
In a peer review report released on July 10, ESMA highlighted deficiencies in how the Malta Financial Services Authority (MFSA) approved a recent crypto asset service provider (CASP), urging tighter oversight moving forward.
Malta’s regulator, MiCA compliance
According to the report, while the MFSA possesses a solid foundation of expertise and sufficient resources for supervising CASP applications, its latest authorization process fell short of expected standards.
The review committee found that the regulator granted approval despite outstanding material issues and an inadequate risk assessment. The report noted that these lapses raise questions about Malta’s commitment to ensuring full compliance with the MiCA framework.
The Peer Review Committee expressed concern that the MFSA failed to use the authorization phase to compel the unnamed CASP to resolve key shortcomings. ESMA emphasized that a more rigorous approach could have helped bring the entity fully in line with MiCA obligations before granting its license.
Malta remains one of the EU’s most active MiCA license issuers. Since MiCA’s enforcement began, the country has issued five CASP licenses, ranking just behind Germany and the Netherlands.
Recent data shared by Circle executive Patrick Hansen shows that 53 firms have secured MiCA licenses within six months of the framework taking effect. These licenses enable crypto firms to operate across all 30 European Economic Area (EEA) countries without additional regulatory approvals in each jurisdiction.
This wave of compliance marks a major step for the industry, with major players such as Circle and Kraken already approved under the MiCA regime.
Recommendations
Considering this, the report urged national European regulators to strengthen their oversight during the CASP licensing process.
It emphasized the need for close scrutiny in several high-risk areas. These include business model sustainability, governance structures, potential conflicts of interest, intragroup relationships, ICT architecture, and the promotion of unregulated crypto services.
Beyond that, the financial regulator also flagged emerging sectors such as DeFi and Web3 for more careful evaluation.
It added:
“The PRC encourages NCAs to review, as part of the authorisation assessment, user interfaces and customer journeys to ensure that relevant risk warnings are clearly presented to users and that the overall customer experience is in line with MiCA requirements.”