Malta Financial Institution License in 2026: The Complete MFSA Guide
A 2026 deep dive into the MFSA Financial Institution Act licence: the two-tier authorisation (payment services and e-money), Statement of Intent, capital, English-language procedure, timelines, supervisory fees and why Malta still attracts payments firms after MiCA.
Why Malta is still a relevant fintech jurisdiction in 2026
Malta has been the EU's smallest but most visible common-law fintech jurisdiction since the early 2010s. The Malta Financial Services Authority (MFSA) regulates banks, PIs, EMIs, MiFID firms, AIFMs, UCITS ManCos, insurance and pensions, all under a common "gatekeeper" authorisations regime under the MFSA Act.
For payment and e-money firms, Malta offers four practical advantages.
English-language procedure
Entire MFSA process in English, common-law jurisdiction, EU member.
Tier-1 supervisor
MFSA has stronger recovery-post-Panama-papers reputation than many peers; authoritative supervisory style.
Cross-licence ecosystem
Payments, crypto (VFA/MiCA), funds, gaming, insurance in one jurisdiction; Mediterranean hub for cross-border products.
Tax regime
Headline CIT 35%, effective rate often 5% to 10% after the refund system for non-resident shareholders.
Experienced service market
Deep legal, audit, IT and compliance service-provider network with specialised fintech expertise.
Crypto-ready
Pre-MiCA VFA framework migrated into MiCA CASP; Malta authorised Crypto.com, OKX and ZBX among the first CASPs.
Malta's weak point is scale: smaller service-provider market than Ireland or Luxembourg, smaller banking base for safeguarding, and occasionally slower onboarding with Tier-1 correspondent banks.
Let's discuss your project and see how we can launch your Malta payment or e-money product together
Request demoThe Financial Institutions Act framework
Payment and e-money firms fall under the Financial Institutions Act (Chapter 376 of the Laws of Malta). The Act transposes PSD2 and EMD2 and is supplemented by MFSA Financial Institutions Rules (FIR/01 to FIR/10). Two licence categories exist.
| Licence | Scope | Initial capital |
|---|---|---|
| Payment Services (PI) | PSD2 Annex I services: transfers, acquiring, remittance, issuing, PISP, AISP. | EUR 20k / 50k / 125k by service mix. |
| Electronic Money (EMI) | All PI services plus issuance and redemption of e-money, stored-value balances, cards. | EUR 350k. |
Small PI and small EMI are not commonly used in Malta; authorised scope is the standard track. AISP-only firms can register under a lighter variant of the PI regime.
MFSA rules also include FIR/06 on safeguarding, FIR/07 on governance, FIR/08 on outsourcing and FIR/09 on business continuity and ICT that together define the operational bar above PSD2 minimum.
The MFSA authorisation process: Statement of Intent first
Unlike most EU NCAs, MFSA requires a formal Statement of Intent before a full authorisation file is accepted. This is the gate that filters out unsuitable candidates early.
- Statement of Intent (SoI). A high-level document presenting the applicant, proposed business model, organisational structure, beneficial ownership, type of authorisation required and indicative funding plan. 10 to 30 pages typical.
- Preliminary meeting. MFSA reviews the SoI, may request additional information, meets the applicant. The outcome is either "no objection to proceed" or "declined to proceed", allowing founders to re-scope or withdraw before significant cost.
- Full application. Only filed after the SoI no-objection. Includes business plan, governance, AML, ICT, safeguarding, fit-and-proper questionnaires, capital evidence and all FIR-required policies.
- Completeness check. MFSA confirms the file is complete, typically within 2 to 4 weeks.
- Substantive assessment. RFIs, interviews, independent experts where relevant. Statutory clock is 3 months from a complete file; real-world is 4 to 8 months for PI and 6 to 10 for EMI.
- Conditions precedent. Capital paid up, key hires on board, safeguarding account operational, IT systems tested.
- Passporting notifications. Submitted to MFSA post-licence; host states notified through MFSA.
End-to-end timelines for a well-prepared PI file: 9 to 14 months. EMI: 12 to 18 months. SoI phase alone can take 2 to 4 months; founders who skip it waste 6 months later on a full file that MFSA was never going to approve.
Substance and key function holders
MFSA substance expectations are roughly in line with Ireland's and heavier than Lithuania's. FIR/07 on governance is explicit.
- Local directors. At least one resident director, preferably two. Non-resident chairs are tolerated if the executive bench is local.
- Key function holders. CEO, Head of Risk, Head of Compliance (often dual-hat as MLRO), Head of Internal Audit, CFO. All subject to individual MFSA approval.
- Four-eyes principle. Two executive directors sign off on material decisions.
- Outsourcing. FIR/08 allows outsourcing of IT, processing and back office but requires full MFSA oversight. Intra-group outsourcing acceptable with clear service levels and exit plans.
- Physical office. Real rented office in Malta, visited by MFSA. Virtual addresses refused.
Malta has publicly tightened its substance bar after the FATF grey-listing (2021-2022). The current posture is "credible, proportionate and demonstrable substance", and enforcement is visible.
Fees, supervision and tax
- Application fee. EUR 3,500 for PI and EUR 5,000 for EMI (indicative, published in MFSA fee schedule). Non-refundable.
- Supervisory fee. Tiered by revenue, EUR 5k to EUR 50k per year, with higher tiers for larger firms.
- Corporate income tax. Headline 35%. Refund system produces an effective rate often between 5% and 10% for non-resident shareholders, subject to meeting the conditions of the Maltese tax refund framework.
- VAT. Core payment services exempt under EU financial-services exemption. Maltese VAT at 18% on ancillary services.
- Audit and reporting. Annual audited accounts, quarterly prudential and safeguarding reports, AML supervisory return, major-incident reporting.
MFSA publishes an annual supervisory plan. Expect onsite inspections every 2 to 4 years for PIs/EMIs and thematic deep-dives on AML, safeguarding and governance.
Banking partners and operational reality
The single most common pain point of a Maltese PI or EMI is opening safeguarding and operational bank accounts. The Maltese banking market is concentrated and has historically been conservative on fintech onboarding.
- Local banks. BOV, HSBC Malta, APS Bank, MeDirect, Lombard. Onboarding timelines 3 to 6 months, documentation-heavy.
- Alternative safeguarding. Many Maltese EMIs and PIs use EU credit institutions outside Malta (Clearbank, Citibank Europe, ING, Commerzbank) for safeguarding. Permitted under the Act.
- Payment rails. No equivalent of Lithuania's CENTROlink. Most Maltese PIs rely on correspondent banking or EMI partner rails.
- Card schemes. Visa and Mastercard membership possible but typically via BIN sponsor.
Plan banking onboarding at the same time as the MFSA file. A licensed entity without bank accounts cannot go live.
PSD3 and DORA: what changes
PSD3 and PSR will merge the Maltese PI and EMI into the unified "payment institution authorised to issue e-money" when they apply in 2027. MFSA will publish updated FIR rules ahead of the PSD3 application date. Existing licensees are grandfathered.
DORA has applied since 17 January 2025. MFSA expects DORA-aligned ICT risk management, incident reporting, threat-led penetration testing and third-party ICT register from day one of a new authorisation file. See the PSD3 and PSR guide for the full roadmap.
Ship a Maltese PI or EMI product with Crassula
A Maltese licence is the legal wrapper. The core banking layer is what wins or loses customers. Crassula delivers it as a white-label platform tuned to MFSA expectations: FIR-aligned policies, governance documentation, safeguarding reconciliation, DORA incident handling and regulator-ready reporting.
Ledger and wallets
Multi-currency ledger, IBAN provisioning via EU partners, wallets, card issuing.
AML and FIR ready
KYC, sanctions, monitoring, MLRO workflows, FIR-aligned governance and complaints handling.
Multi-bank
Automated safeguarding across Maltese and EU credit institutions, daily reconciliation.
MFSA ready
Prudential, safeguarding, AML and DORA incident reporting aligned with MFSA rulebook.
FAQ
An authorisation under the Financial Institutions Act (Chapter 376 of the Laws of Malta) transposing PSD2 and EMD2. Two categories: Payment Services (PI) and Electronic Money (EMI). Fully passportable across the EEA.
A high-level document an applicant files before a full authorisation application. MFSA reviews the business model, ownership and organisational structure and issues a "no objection to proceed" or declines. The SoI phase filters out unsuitable projects early.
PI: EUR 20,000 (remittance), EUR 50,000 (PISP) or EUR 125,000 (acquiring, issuing, transfers). EMI: EUR 350,000. Identical to EU minima; MFSA does not apply a discount.
End-to-end 9 to 14 months for a PI, 12 to 18 months for an EMI. Statement of Intent phase adds 2 to 4 months before the formal file.
Headline corporate income tax 35%. Malta's refund system can bring the effective rate to 5% to 10% for non-resident shareholders meeting the conditions. Core payment services are VAT-exempt.
Yes, historically. Local banks have been conservative on fintech onboarding; timelines 3 to 6 months. Many Maltese PIs and EMIs safeguard with EU credit institutions outside Malta. Plan banking in parallel with the MFSA file.
Yes. Malta authorises CASPs under MiCA (Crypto.com, OKX, ZBX were among the first). A dual PI or EMI plus MiCA CASP structure is common for crypto-to-fiat on-off ramps.
Crassula provides the core banking layer pre-tuned to MFSA FIR expectations: ledger, wallets, cards, KYC and AML, safeguarding reconciliation, DORA-aligned ICT and MFSA-ready reporting. We work alongside your legal counsel on the SoI and full authorisation file.
