Understanding Malta’s VFA framework and licensing classes
Malta was the first country in Europe to introduce a full-fledged legal regime for digital assets – the Virtual Financial Assets Act (VFAA). Even after the regulatory shift across the EU, Malta has managed to maintain its status as one of the most proactive crypto hubs in the region. While many jurisdictions were still drafting their rules, Malta created a transparent licensing system that allowed crypto brokers, custodians, and exchanges to operate legally. At the core of this framework lies a clear division into four licensing classes, and the choice of class determines whether a company can hold client assets, perform trading activities, or act as a custodian. To obtain authorization from the MFSA, it is crucial to understand not only the legal definitions but also the economic logic behind the regulatory model. In this article, we explain how the VFA framework works, how the four license classes differ, and what requirements the MFSA imposes on crypto-asset service providers.
What is the VFA Framework?
Malta’s crypto-asset regulatory regime is based on the Virtual Financial Assets Act (VFAA), a law adopted in 2018 that became the first comprehensive EU framework governing digital-asset activities. It defines which tokens qualify as Virtual Financial Assets (VFA), who may provide related services, and under what conditions. Oversight of the regime is carried out by the Malta Financial Services Authority (MFSA), the country’s primary financial regulator.
The main purpose of the VFA Framework is to create a transparent yet flexible system that enables crypto companies to operate legally while ensuring investor protection and compliance with AML/KYC standards. Unlike many jurisdictions where digital-asset regulation remains fragmented, Malta has developed a consistent model with clear distinctions between types of assets and services.
Key elements of the regime
- Virtual Financial Assets Act (VFAA) – the core legislation that sets out token classifications, licensing procedures, and requirements for service providers.
- Financial Instruments Test – a tool used by the MFSA to determine whether a token qualifies as a VFA, electronic money, a financial instrument, or a utility token. This test is mandatory for all issuers and service providers.
- VFA Regulations and Rulebooks – supplementary regulatory instruments describing application procedures, corporate governance requirements, IT-security standards, and AML controls.
VFA Service Providers license classes
A VFA license in Malta is an official authorization to provide services related to virtual financial assets. Depending on the scale and nature of the business, the MFSA has established four licensing classes: Class 1, 2, 3, and 4. Each class determines which activities a company may perform, what minimum capital is required, and what level of regulatory oversight applies.
Class 1 – Advisory and Technical Services
This class is suitable for companies that do not handle client assets and do not execute transactions on their behalf. Examples include analytics platforms, DeFi advisory firms, and infrastructure developers.
Permitted activities:
- providing investment advice related to VFAs;
- developing technological solutions for crypto service providers;
- promoting or marketing VFA products without access to client funds.
Minimum capital: €50,000.
Main advantage: simplified compliance and relatively fast licensing (3–4 months).
Class 2 – Execution of Orders on Behalf of Clients
This class is chosen by brokers and dealers who execute client orders but do not hold client assets.
Permitted activities:
- receiving and executing orders;
- trading virtual assets on behalf of clients;
- providing brokerage and agency services.
Minimum capital: €125,000.
Key requirement: a robust IT infrastructure and internal controls capable of managing order execution and AML risks.
Class 3 – Custody and Asset Management
This license is required for companies that hold or manage client assets, operate wallets, or provide custody-like services.
Permitted activities:
- safeguarding and managing clients’ virtual assets;
- providing full custodial services;
- ensuring settlement and execution of transactions.
Minimum capital: €730,000.
Additional obligations: IT system audits, professional indemnity insurance, and the appointment of a certified Compliance Officer.
Class 4 – Full-Scale Trading and Platform Management
The highest level of authorization, intended for exchanges, trading platforms, and multi-service providers that hold client funds, manage trading environments, and act as intermediaries.
Permitted activities:
- operating trading platforms;
- receiving and safeguarding client funds;
- market-making and internal clearing operations;
- issuing and listing tokens.
Minimum capital: €730,000 + enhanced operational reserves and continuous audit requirements.
MFSA supervision: quarterly reporting and mandatory involvement of certified officers (MLRO, Risk Officer, Compliance Officer).
Requirements for applicants and the VFA-licensing process
Obtaining a VFA license in Malta is a comprehensive procedure in which the MFSA evaluates not only the company’s financial stability, but also the quality of its internal controls, the origin of its capital, the qualifications of key personnel, and the security of its technological infrastructure. The regulator expects applicants to demonstrate that the business will be genuinely managed from Malta and is capable of operating in full compliance with AML/KYC standards.
Corporate requirements and substance
The MFSA thoroughly verifies that the applicant has a real presence in the jurisdiction rather than functioning as a «shell company». The following are mandatory:
- Registered office and operational center in Malta;
- At least one resident director;
- Appointment of a Compliance Officer, MLRO, and Risk Manager;
- A transparent ownership structure with full UBO disclosure;
- Local accounting functions and internal controls.
Substance is one of the key factors for license approval, especially for Class 2–4 applicants.
Minimum capital and financial resources
The required share capital depends on the license class:
- Class 1 – €50,000
- Class 2 – €125,000
- Class 3 – €730,000
- Class 4 – €730,000 + enhanced operational reserves
All financial sources must be verified (SoF/SoW), and the company must maintain capital adequacy and liquidity levels in line with MFSA requirements.
Compliance, AML/KYC, and risk management
The MFSA views internal control systems as the foundation of every VFA licensee. Applicants must implement:
- AML/KYC policies, Customer Risk Assessment, and Transaction Monitoring;
- IT controls, data protection measures (GDPR), and cybersecurity frameworks;
- Procedures for managing operational, market, and IT risks;
- Internal audit mechanisms and an incident-management system.
The regulator evaluates not only the documentation itself but also the actual implementation — platforms, providers, logs, and detailed written procedures.
Documents submitted to the MFSA
A standard application package includes:
- Incorporation documents and UBO disclosures;
- A detailed three-year business plan;
- Financial projections and a description of the revenue model;
- AML/KYC Manual, Governance Manual, and Internal Control Framework;
- IT audit reports and a description of the technological infrastructure;
- CVs of key function holders, including proof of qualifications and clean regulatory history;
- Agreements with custodians, PSPs, and technology providers (where applicable).
The MFSA may request additional documents at any stage of the assessment.
Procedure for obtaining a VFA license: steps, verification and interaction with MFSA
Licensing under Malta’s VFA framework is a multi-stage process that requires a transparent corporate structure, a fully prepared operational infrastructure, robust AML/KYC procedures, and evidence of genuine substance within the jurisdiction. The MFSA places significant emphasis on the stability of the business, the maturity of its internal controls, and the accuracy and realism of the proposed operating model. The process consists of several interconnected stages, each of which influences the regulator’s final decision.
Stage 1. Pre-application consultation
This stage determines whether the business model aligns with the requirements of the VFA regime. The company, usually through a VFA Agent, holds an initial meeting with the MFSA to present its project, describe the services offered, outline the governance structure, and specify the intended license class. At this point, the regulator assesses the project’s risk profile, the qualifications of key personnel, the appropriateness of the proposed license class, and the level of substance the applicant can demonstrate.
The Pre-Application stage helps identify potential regulatory concerns early and allows the company to refine its model before submitting a formal application.
Stage 2. Submission of the official application package
After receiving preliminary clearance, the company submits a complete application through the MFSA platform. Accuracy is essential: the regulator reviews incorporation documents, ownership structure, the business plan, financial forecasts, the AML/KYC Manual, risk-management frameworks, and the description of the IT infrastructure.
The MFSA also scrutinizes the competence of key function holders: directors must have proven managerial experience, while the MLRO and Compliance Officer must demonstrate relevant expertise. At this stage, the regulator also assesses the Source of Funds and the applicant’s operational readiness.
Stage 3. Due diligence and regulator queries
This is typically the most demanding stage. The MFSA conducts an in-depth review of the project, examines UBOs and directors, evaluates internal processes, IT infrastructure, and checks whether the business model aligns with the selected license class.
The regulator may request clarifications, additional documentation, or interviews with senior management or the MLRO. Crucially, the MFSA assesses not only the written policies but also the actual operational readiness of the company: whether real KYC platforms are implemented, how transaction monitoring is structured, and whether agreements with technology providers are in place.
Stage 4. Final assessment and decision
Once due diligence is complete, the MFSA compares the business model against VFAA requirements and evaluates whether the company meets the risk level and infrastructural standards of the intended license class. This includes assessing local substance, capital adequacy, operational resilience, and readiness to comply with ongoing supervisory obligations.
After this final assessment, the MFSA either approves the license or returns the application for further adjustment.
Stage 5. Post-licensing supervision and ongoing obligations
Receiving the license does not end the company’s regulatory responsibilities. A VFA licensee must maintain full compliance with all VFA regime requirements: update AML/KYC policies, maintain internal controls, file periodic reports, undergo annual audits, notify the MFSA of changes to directors or UBOs, and uphold required levels of operational capital.
The MFSA applies active and continuous supervision over VFA service providers, and failure to comply may result in fines, temporary suspension, or revocation of the license.
Practical tips and possible pitfalls
Malta is considered one of the most transparent jurisdictions for crypto projects, yet the requirements of the VFA Framework remain among the most detailed and demanding in Europe. Mistakes in choosing the correct license class, underestimating substance obligations, or having a weak AML system can delay approval for months or result in a direct rejection.
Common mistakes made by applicants
The most frequent reason for refusals is the incorrect classification of activities under the VFA license classes. Many projects attempt to obtain the «lighter» Class 1 or Class 2 license, even though their services actually fall under Class 3 or even Class 4. The MFSA treats this as a breach of transparency and automatically flags the application.
Another typical issue is insufficient substance. Despite the technological nature of crypto businesses, Malta requires:
- Local management
- One or more resident directors
- A VFA Agent
- A physical office
- Internal control functions (governance, compliance, risk)
If key functions are in fact performed abroad, the MFSA considers the management structure inadequate.
A weak AML system is also a major obstacle. Many applicants submit generic template KYC/AML policies that fail to reflect the actual risk profile of the business: client types, geographical exposure, sources of funds, and transaction risk management. In such cases, the MFSA usually demands extensive revisions or rejects the application entirely.
How to prepare for regulatory review?
The audit process prior to licensing is built around verifying real, operational compliance with the VFA Framework. Documentation alone is not enough – the regulator evaluates whether policies are implemented in practice.
What should be prepared in advance:
- A clear internal control checklist: role allocation (Compliance Officer, MLRO, Risk Manager), responsibility matrix, and detailed procedural descriptions
- Operational evidence of implemented processes: functioning onboarding, AML monitoring, a real client-data management system, transaction logging
- Post-licensing compliance readiness: annual audits, periodic updates to the Risk Assessment, policy re-approval, MFSA reporting, and proper IT systems (including cybersecurity and BCP/DRP)
The MFSA pays particular attention to whether the company can maintain compliance not only at the time of application, but continuously.
How can the Key2Law team help to successfully complete the licensing process in Malta?
Licensing under the VFA Framework is a complex process that requires a strategic approach, accurate classification of services, and real operational compliance with MFSA requirements. Errors in choosing the correct license class, insufficient substance, a weak AML system, or an improperly prepared application package can result in long delays, multiple rounds of regulatory queries, or a full rejection. To obtain approval on the first attempt, a business must combine regulatory expertise, compliance readiness, and mature IT infrastructure.
The Key2Law team helps crypto projects navigate the entire licensing process end-to-end, ensuring transparency and full MFSA compliance at every stage:
- Determining the correct VFA license class and legally qualifying the services;
- Preparing the corporate structure and substance: office, local directors, appointment of MLRO and Compliance Officer;
- Drafting AML/KYC policies, the Risk Assessment, Governance Manual, and internal control procedures;
- Preparing the full application package and managing all communication with the MFSA on behalf of the client;
- Supporting IT audits, certifications, and remediation of regulatory findings;
- Providing post-licensing support: policy updates, annual reporting, internal audits, and assistance with business expansion.
With Key2Law, you receive not only regulatory guidance, but also a strategic partner who understands the specifics of crypto regulation and the expectations of EU regulators. We design compliance systems that withstand audits, strengthen trust with banks and investors, and allow companies to scale without regulatory risks. If you plan to enter Malta or want to determine which VFA class fits your project – contact the Key2Law team. We will prepare a tailored roadmap and ensure a smooth, predictable licensing process.