How to get a crypto licence in Malta in 2025?
With the introduction of the MiCA Regulation, crypto businesses in the EU can no longer operate without a licence, and Malta has become one of the first countries to implement this regime through the MFSA. The VFA licence is no longer sufficient: companies must transition to CASP status or cease operations. At the same time, Malta remains one of the most accessible entry points to the EU market thanks to its clear licensing process, English-based legal system, experienced regulators and mature blockchain infrastructure. It was here that the VFA Act, the EU’s first law on virtual financial assets, was introduced back in 2018, and in 2024–2025 Malta became one of the first to begin the shift to MiCA standards. This makes the country attractive for crypto exchanges, custodians, brokers and Web3 projects that want to operate legally within the EU. In this article, we will explain how to obtain a crypto licence in Malta, how the VFA regime differs from MiCA, what requirements the MFSA imposes, how long the procedure takes and which mistakes most often lead to refusal.
Who regulates cryptocurrency companies in Malta?
Malta is one of the few EU countries where the crypto sector is regulated not by temporary circulars or informal guidelines, but by a full legal framework. Before the introduction of MiCA, the Virtual Financial Assets Act (VFA Act) was in force, and supervision was carried out by two authorities — the MFSA (licensing and financial supervision) and the FIAU (AML/CFT). The country is now transitioning to the EU-wide MiCA (Markets in Crypto-Assets Regulation), while still retaining certain national regulatory elements.
Malta Financial Services Authority
The MFSA is the primary financial regulator in Malta. It:
- Issues licences to crypto companies (previously VFA licences, now CASP authorisations under MiCA);
- Approves directors, shareholders and key function holders (fit and proper test);
- Reviews business plans, IT infrastructure, asset custody and risk management frameworks;
- Conducts supervision, inspections and regulatory inquiries, and can suspend or revoke a licence.
Financial Intelligence Analysis Unit
The FIAU is responsible for ensuring compliance with AML/CFT rules. Obligations of CASP/VFA providers include:
- Customer identification (KYC) and verification of source of funds;
- Transaction monitoring and detection of suspicious activity;
- Submission of STR/SAR reports (Suspicious Transaction/Activity Reports);
- Recordkeeping and regular internal AML audits.
Malta is a member of the EU, which means MiCA applies directly and overrides national legislation. The MFSA will no longer issue VFA licences — only CASP authorisations under MiCA. Companies that already hold a VFA licence must go through the transition (grandfathering) process and prove compliance with MiCA. ESMA and EBA technical standards (RTS/ITS) will also apply.
Licensing regimes: VFA, MiCA and who should receive authorisation
Malta was the first country in Europe to introduce a dedicated legal framework for crypto businesses (the VFA Act), but in 2024–2025 that framework is gradually being replaced by the EU-wide MiCA regulation.
What changes with the transition from VFA to MiCA?
Previously, Malta regulated the crypto market under the VFA Act – a national law under which companies could obtain Class 1–4 licences from the Malta Financial Services Authority (MFSA). Now the country is fully integrating into the European MiCA framework. Instead of a VFA licence, companies must obtain CASP (Crypto-Asset Service Provider) authorisation, and this licence is valid not only in Malta but across the entire EU.
The benefits for businesses are clear: one regulator (MFSA), one licence and full access to the EU market. However, the requirements have become stricter: local substance in Malta, minimum capital, AML/KYC obligations, client asset safeguarding, corporate governance and IT security standards.
Which services are considered crypto-asset services?
MiCA clearly defines which activities require authorisation. A company must obtain CASP authorisation if it:
- Exchanges crypto-assets for fiat or other tokens;
- Holds or safeguards clients’ crypto-assets (custody/wallet services);
- Receives and transmits client orders;
- Operates a trading platform or exchange for crypto-assets;
- Offers or places crypto-assets to the public (ICOs, token sales);
- Provides crypto-asset investment advice;
- Manages crypto-asset portfolios on behalf of clients.
Other activities are assessed on a case-by-case basis: if a company only provides technology and does not handle client assets, authorisation may not be required.
Who must obtain authorisation in Malta?
Authorisation is required for crypto exchanges, custodians, brokers, OTC platforms, crypto payment providers and issuers of tokens (ART/EMT) that serve clients in the EU. Even if a company is physically located outside Malta, it still falls under MiCA if it offers services to EU users, and it must obtain authorisation in one EU member state (Malta being one of the most popular jurisdictions).
Companies already holding a VFA licence may continue operating, but only temporarily. They must comply with MiCA, update their governance, capital, documentation and apply for CASP status. Otherwise, their licence will become invalid. MFSA has issued guidance stating that the transition will take 6–12 months and will include due diligence, updates to AML policies, risk management and IT procedures.
Requirements for the applicant: substance, capital, management
To obtain CASP status in Malta, it is not enough for a company to register and submit an application form. The MFSA treats a licence holder as a fully regulated financial institution, which means the company must demonstrate real presence, transparent governance, proven capital and functioning AML/IT controls.
Substance and physical presence in Malta
A company must show that its activities are genuinely carried out from Malta and not merely registered there on paper. This requires:
- A physical office or operational centre in Malta;
- At least one executive director who is resident in Malta;
- Key management functions (compliance, risk, MLRO) must be controlled from within the Maltese entity and not fully outsourced;
- IT infrastructure and servers may be located abroad, but only if proper control policies, backups and MFSA access procedures are in place.
Corporate governance
The MFSA evaluates not only the company’s structure but also the competence of its management. For a licence to be approved, the company must have:
- A board of directors with experience in finance, technology or law;
- No nominee directors: all key persons must be actively involved in decision-making;
- Internal governance documents: a governance manual, allocation of responsibilities, risk management policy and internal control procedures;
- All key persons must pass a fit and proper test, which checks integrity, financial soundness and the absence of criminal or regulatory breaches.
Capital and financial soundness
Capital requirements depend on the type of crypto services, but generally include:
- Minimum initial capital (typically from €50,000 to €150,000; the exact amount is determined by MiCA and MFSA based on the service type);
- Proof of source of funds and source of wealth;
- Financial projections for at least three years;
- Professional indemnity insurance or a guarantee fund, especially for custodians and exchanges.
Key function holders
To obtain MFSA approval, the company must appoint specific responsible persons to the following roles:
- Compliance Officer – regulatory compliance and communication with the MFSA;
- MLRO (Money Laundering Reporting Officer) – AML/CTF monitoring and reporting to FIAU;
- Risk Officer – management of operational, financial and IT risks;
- Internal Auditor – not always mandatory, but required for larger or high-risk operators.
These roles may be combined in smaller structures, but only if the MFSA is satisfied that no conflict of interest is created.
Technical and operational requirements: asset custody, IT security, incidents
To obtain a CASP licence in Malta, it is not enough to comply only with AML and corporate governance rules. The MFSA separately assesses how a company safeguards clients’ assets, ensures IT resilience and is prepared to respond to cyber incidents. These requirements are defined under MiCA, ESMA guidelines and local MFSA rules.
Custody & Safeguarding of digital assets
If a company holds clients’ crypto-assets, even temporarily, it must ensure their protection both technically and legally. This includes:
- Segregation of assets – client funds must be held separately from the company’s own assets;
- Cold and hot storage – the majority of assets should be kept in cold storage with limited access;
- Private key management – policies on key generation, multi-signature mechanisms and access logs;
- Backup and recovery procedures – in case of key loss, infrastructure failure or death of a director.
The Maltese regulator also recommends using custodians licensed as banks, trust companies or authorised in another EU member state.
IT security and cyber resilience
The MFSA requires every licensed CASP to have an approved information security policy, a risk management system and a business continuity and disaster recovery plan (BCP/DRP). This includes:
- Access control (administrators, keys, passwords, MFA);
- Regular penetration testing and internal vulnerability scanning;
- Audit trail and logging of all system actions;
- Encrypted data storage and regular backups;
- Business recovery procedures in case of outages, server failures or ransomware attacks.
Incidents & Reporting
If a cyber incident, breach, data leak or loss of client assets occurs, the company must immediately notify the MFSA and, where financial crime is suspected, the FIAU. Within 48–72 hours it must submit a report detailing what happened, what measures were taken and how clients were affected.
The regulator may request additional audits, technical assessments or new controls if it considers the company’s security measures insufficient.
The process of obtaining CASP authorisation in Malta
Obtaining a crypto licence in Malta is not a formal registration process – it is a full regulatory assessment of the business model, governance structure, financial stability and compliance procedures. The MFSA reviews each application individually and may request clarifications, interviews or adjustments to documentation. On average, the process takes 3 to 6 months, but it may take longer if the company is not audit-ready or lacks sufficient substance in Malta.
Pre-application stage: consultation and business model assessment
Before submitting the application, the company must undergo a preliminary meeting with the MFSA. The regulator assesses whether the project falls under MiCA and whether its business model qualifies for CASP authorisation. At this stage, the applicant receives feedback on approval prospects and a list of documents to prepare.
Preparation of documentation
This is the most complex and time-consuming stage. The company must submit a complete application file to the MFSA, which includes:
- A detailed business plan and description of the crypto services to be provided;
- Ownership structure and information on all beneficial owners;
- Financial projections and proof of capital;
- AML/KYC policies and risk assessment procedures;
- IT infrastructure, asset custody setup and incident response plan (BCP/DRP);
- Corporate documents, governance manual and board charter;
- Biographies of key function holders along with fit & proper declarations.
Submission and interaction with the MFSA
Once the application is submitted, the MFSA appoints a Case Officer responsible for handling the process. The regulator may send written queries, request interviews with directors and verify the source of funds. If any part of the submission is incomplete or non-compliant, the applicant is granted time to correct it — usually within 30 days.
Decision and granting of the licence
After completing all reviews, the MFSA issues one of the following decisions:
- Approval – the company is registered as a CASP and can operate across the EU;
- Conditional approval – authorisation is granted, but corrective actions are required (such as appointing a new MLRO or updating IT/AML policies);
- Rejection – issued in cases of major non-compliance, unclear source of funds or lack of genuine governance.
Common mistakes and reasons for delays
In practice, most applications are delayed or rejected due to:
- Lack of real presence in Malta (no local directors, office or substance);
- Generic AML/KYC documentation not adapted to crypto operations;
- Unverified source of capital or incomplete financial projections;
- Weak description of IT security and key storage procedures;
- Absence of a governance manual and clear distribution of responsibilities;
- Unpreparedness for interviews with the MFSA.
The MFSA prefers to reject an application rather than allow a company to operate without transparency and proper compliance standards.
Marketing, disclosure and consumer protection
After receiving a CASP licence, companies in Malta cannot advertise their services as freely as ordinary IT projects. In the crypto sector, marketing is a regulated activity. Both the MFSA and MiCA require that advertising, service descriptions, client onboarding and investor communications be transparent, not misleading and accompanied by appropriate risk warnings.
Advertising and public communication requirements
Any advertisements, websites, landing pages, promotional materials, social media posts and even Telegram channels fall under the supervision of the MFSA if the company provides services to users in the EU. The core requirements include:
- Marketing must be clear, fair, objective and must not promise guaranteed profits;
- All risks must be disclosed, e.g. “investing in crypto-assets may result in the total loss of funds”;
- It is prohibited to use misleading phrases such as “EU-regulated exchange” without specifying the actual licence;
- If services are offered outside the authorised scope (e.g. CFDs, staking, DeFi), this must be clearly explained to users.
Risk disclosure and client documentation
Under MiCA, a CASP must provide clients with full information before delivering any service, including:
- A description of the product, trading terms, fees and possible losses;
- A conflicts of interest policy;
- How client assets are held and the responsibilities of the custodian;
- The process for service termination or freezing of assets.
If a company issues tokens (ICO/ITO), a whitepaper is mandatory and must be registered with or approved by the MFSA.
Client protection and complaints handling
Every licensed CASP is required to have a Client Complaint Policy and a formal dispute resolution mechanism. This includes:
- A single contact channel for customer complaints;
- A complaint register and a maximum response time of 15–30 days;
- An internal escalation process and the right for clients to escalate to the MFSA or financial ombudsman;
- Suspension of operations where a complaint involves loss of client assets.
How can Key2Law help to get a crypto licence in Malta?
The CASP licensing process in Malta is not just about submitting an application. The MFSA evaluates the entire business model, corporate structure, source of capital, AML/KYC framework, custody of client assets and IT security systems. A mistake at any stage can result in delays, additional requests from the regulator or even rejection. That is why most companies go through this process together with a regulatory and compliance advisor.
The Key2Law team supports crypto projects at every stage of entering the Maltese market:
- Assess the business model and determine whether CASP authorisation is mandatory or whether another structure is possible;
- Prepare the full documentation package: business plan, AML/KYC policies, risk assessment, IT and custody procedures;
- File the licence application with the MFSA, communicate with the regulator, respond to queries and resolve any objections;
- Assist in appointing the Compliance Officer, MLRO and other Key Function Holders (outsourcing is also possible);
- Help establish the asset custody framework: custodian selection, cold storage setup, key management and recovery procedures;
- Support IT audits, penetration testing, preparation of BCP/DRP and regulatory reporting to MFSA/FIAU;
- Assist with opening bank accounts, tax structuring and corporate setup (holdings, SPVs, branches).
If you are planning to obtain a crypto licence in Malta, enter the EU market or transition from VFA to MiCA, Key2Law will guide you through the entire process: from strategy to final authorisation. We help you complete licensing efficiently, securely and in full compliance with regulatory standards.