---
title: Malta MFSA CASP & EMI Authorisation Guide (2026)
slug: malta-mfsa-casp-emi-authorisation
publishedAt: 2026-05-14T13:00:00Z
author: Finconduit Editorial Team
tags: MiCA, VFA Act, EMD2, MFSA
canonicalUrl: https://finconduit.com/resources/malta-mfsa-casp-emi-authorisation
---
# Malta MFSA CASP & EMI Authorisation Guide (2026)

Malta's MFSA runs a dual-track regime — MiCA CASP authorisation alongside grandfathered VFA Act 2018 firms, with an EMI overlay. This guide maps both tracks, substance bar, and timeline for 2026.

Malta is the only EEA Member State that ran a full crypto\-asset regulatory regime — the **Virtual Financial Assets Act 2018** — for six years before **MiCA** arrived. That history matters in 2026. The **MFSA** — the Malta Financial Services Authority — supervises a population of **16 MiCA CASP authorisations** on the ESMA register, **18 EMI authorisations**, and **3 EMT issuer authorisations** — but it does so under a unique **dual\-track** structure in which legacy VFA Act firms transition into MiCA under Article 143 grandfathering while new entrants apply directly under MiCA.

The dual\-track is more than a transitional curiosity. It changes the practical experience of authorisation. New entrants apply against an **MFSA** supervisory desk that has been licensing crypto firms since 2018 — meaning the playbook, the in\-house expertise, and the policy reflexes are all crypto\-fluent in a way that newer entrants to MiCA supervision are still building. The trade\-off is that **MFSA's substance bar** — driven by post\-Moneyval remediation since 2021 — is materially higher than in newer jurisdictions, and timelines run longer.

This guide maps the Malta dual\-track end\-to\-end: the MiCA CASP authorisation path under MFSA, the surviving role of the VFA Act 2018, the EMI overlay for firms holding both licences, the 2026 substance bar, timeline and cost, and the structural question every founder should answer before filing — when is Malta actually the right answer?

> **Note:** Executive summary: Malta runs the EEA's only dual\-track crypto\-asset regime — MiCA CASP authorisation for new entrants, VFA Act 2018 grandfathering for legacy firms under MiCA Article 143. MFSA's supervisory expertise is materially deeper than newer jurisdictions; its substance bar is materially higher than offshore alternatives; decisions run 8–12 months.

## The Malta dual\-track — what makes it distinctive

Most EEA Member States are MiCA\-only jurisdictions in 2026 — they had no crypto framework before MiCA, so MiCA authorisation is the first and only regime. Malta is structurally different. The [MFSA](https://www.mfsa.mt/)¹[^1] had been licensing **VFA agents** and **VFA service providers** under the VFA Act 2018 framework — Class 1, Class 2, Class 3 and Class 4 — for six years before MiCA fully applied on 30 December 2024.

The result is that the [VFA Act](https://legislation.mt/eli/cap/590/eng)²[^2] did not vanish on 30 December 2024. Existing VFA service providers continued under their VFA authorisations during the **MiCA Article 143** grandfathering window, while applying for MiCA CASP authorisation in parallel. The dual\-track exists because Malta inherited a pre\-MiCA crypto cohort that no other EEA Member State carries at comparable scale.

For new entrants in 2026, the practical implication is twofold. First, the **MFSA crypto desk** has eight years of accumulated supervisory experience with crypto\-asset firms — operational risk, custody, market\-abuse surveillance, AML for token flows — which is qualitatively different from a regulator that has supervised crypto only since late 2024. Second, the MFSA's enforcement reflexes were calibrated by the post\-Moneyval remediation programme of 2019–2022, which reshaped Malta's AML and supervisory infrastructure. **Malta** is no longer the light\-touch jurisdiction it was perceived to be in 2018; it is one of the more demanding EEA supervisors in 2026.

## MiCA CASP authorisation path under MFSA

A new entrant CASP applies for authorisation under [the Markets in Crypto\-Assets Regulation](https://eur-lex.europa.eu/eli/reg/2023/1114/oj)³[^3] via the MFSA's authorisation pre\-application and full\-application process. The application is filed against the relevant CASP class under **MiCA Annex IV** — Class 1 \(€50,000 minimum own funds\), Class 2 \(€125,000\), or Class 3 \(€150,000\) — depending on the bundle of services offered.

The MFSA process runs in three stages: a **pre\-application meeting** — mandatory in practice, where MFSA assesses business\-model fit and identifies prima facie blockers — followed by **in\-principle approval** once the dossier is substantively complete, followed by full authorisation on satisfaction of conditions. Realistic total elapsed time from pre\-application to authorisation is **8–12 months**; complex applications with novel business models or weak management dossiers can run longer.

MFSA's review is exhaustive. The supervisor scrutinises the **programme of operations**, the **business plan and financial projections** \(three\-year, base\-case and stressed\), **governance arrangements**, fit\-and\-proper of all directors, senior managers, qualifying shareholders and beneficial owners, the **ICT and cyber\-resilience framework** against DORA, segregation of client assets, custody policy where applicable, **AML and CFT programme**, MLRO appointment, market\-abuse surveillance, and complaints handling.

Two areas where Malta is materially stricter than newer MiCA jurisdictions: **custody safekeeping** arrangements \(segregation, key management, insurance, business\-continuity testing of custody operations\) and **market\-abuse monitoring** where the CASP operates a trading platform under Article 76 MiCA. MFSA carries over the surveillance expectations from its investment\-services supervision and applies them at Class 3 CASP level.

The comparison with two other common EEA crypto\-asset jurisdictions — Lithuania and Cyprus — is informative.


*Table: MFSA Malta vs Bank of Lithuania vs CySEC Cyprus — MiCA CASP, EMI and EMT authorisation footprint \(2026\).*

| Dimension | Malta \(MFSA\) | Lithuania \(Bank of Lithuania\) | Cyprus \(CySEC\) |
| --- | --- | --- | --- |
| MiCA CASP authorisations | 16 on ESMA register | Materially larger cohort | Materially larger cohort |
| EMI authorisations | 18 \(MFSA register\) | Largest EMI cohort in EEA | Mid\-sized EMI cohort |
| EMT issuer authorisations | 3 | Limited | Limited |
| Pre\-MiCA crypto regime | VFA Act 2018 — 6yrs of supervisory experience | None — MiCA is the first regime | None — MiCA is the first regime |
| Decision timeline \(CASP\) | 8–12 months typical | 6–12 months — among the fastest in EEA | 9–12 months |
| Substance bar | High — post\-Moneyval remediation reset 2021–22 | Moderate — workable for compliant operators | High — capital \+ governance scrutiny |
| Supervisory crypto experience | Deepest in EEA \(VFA\-era\) | Building since MiCA | Building since MiCA |
| Corporate income tax \(effective\) | Imputation system; effective rate via refunds | 15% standard \(5% small cos under €300k\) | 12.5% standard |

The headline number — **16 MiCA CASP authorisations in Malta** — is smaller than Lithuania's or Cyprus's CASP cohorts, but the qualitative composition is different. The Maltese cohort skews toward larger, longer\-established firms that ran VFA authorisations from 2019 onward, rather than first\-time crypto applicants. That is a function of the substance bar more than appetite.

## VFA Act 2018 — what it was, what survives, grandfathering under MiCA Article 143

The [VFA Act 2018](https://www.mfsa.mt/financial-services-act/virtual-financial-assets/)⁴[^4] — Chapter 590 of the Laws of Malta — created four classes of VFA service provider licence and a separate VFA agent regime. Class 1 covered reception and transmission and investment advice; Class 2 added portfolio management and execution; Class 3 covered dealing on own account; Class 4 covered custody, operation of trading facilities and market\-making. The classes were calibrated to mirror MiFID\-style permissions, adapted to crypto\-asset services.

On 30 December 2024 MiCA fully applied, and the VFA Act was substantially superseded for activities now scoped into MiCA. The remaining role of the VFA Act is residual: it covers **VFA agents** — the Maltese institutional figure that signs off VFA whitepapers and acts as gatekeeper — and the legacy framework under which existing VFA service providers continued to operate during the **Article 143 grandfathering window**. Malta opted for an 18\-month grandfathering period — the maximum permitted under MiCA — so VFA service providers active before 30 December 2024 may continue under VFA authorisation until 1 July 2026, by which point MiCA authorisation must be in hand or activity must cease.

This is where the Malta dual\-track gets practical. In 2026 there are three categories of crypto firm in Malta: **new MiCA CASPs** authorised directly under MiCA \(the 16 on the ESMA register\); **transitioning VFA firms** operating under Article 143 grandfathering with MiCA applications mid\-flight; and **non\-CASP VFA\-adjacent activity** that remains under residual VFA Act scope \(notably the VFA agent function\).

For a new entrant, the VFA route is not available — MiCA is the only viable framework. The VFA Act mattered as a transitional bridge for the legacy cohort and continues to matter for the gatekeeper roles MiCA does not directly cover.


*Table: VFA Act 2018 legacy authorisation vs MiCA CASP — the choice for transitioning firms.*

| Dimension | VFA Act 2018 legacy | MiCA CASP authorisation |
| --- | --- | --- |
| Legal basis | Maltese national law \(Chapter 590\) | EU Regulation 2023/1114, directly applicable |
| Geographic scope | Malta only — no EEA passport | Full EEA passport via Article 65 notification |
| Permissions framework | Class 1–4 VFA service licence | MiCA Annex IV services \(operating platform, custody, exchange, execution, placement, transmission, advice, portfolio mgmt, transfer\) |
| Capital floor | Class\-specific \(broadly aligned to MiCA\) | €50k / €125k / €150k per CASP class |
| Supervisor | MFSA | MFSA — same desk, MiCA rulebook |
| Grandfathering window | Available to 1 July 2026 \(Malta's 18\-month election\) | N/A — applicable from 30 Dec 2024 |
| Position by 1 July 2026 | Must hold MiCA authorisation or cease | Standard MiCA supervisory regime |
| Choice for legacy firms | Bridging only | The destination — apply early and run grandfathering as fallback |

The table makes the practical point: VFA legacy authorisation is a bridging position. Every firm running under VFA Act in 2026 must reach MiCA CASP authorisation by 1 July 2026 to continue operating. The strategic question is not whether to transition — it is how early to file the MiCA application so that the in\-principle decision lands well before the grandfathering deadline.

## EMI authorisation overlay — when firms hold both

Malta is also a credible EMI jurisdiction. MFSA supervises **18 EMI authorisations** — a moderate cohort by EEA standards, smaller than Lithuania's flagship EMI base but with materially stronger supervisory depth on AML and governance. **3 EMT issuer authorisations** sit inside that cohort — Malta has been one of the early jurisdictions to license MiCA Title III e\-money tokens.

EMI authorisation in Malta sits under [EMD2](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32009L0110)⁵[^5] — the Electronic Money Directive — transposed into Maltese law via the Financial Institutions Act. Minimum initial capital is **€350,000**, with own\-funds requirements scaling under Method D against outstanding electronic money in issue. Safeguarding of customer funds is mandatory and the MFSA scrutinises the safeguarding methodology — segregated bank account vs. insurance — at authorisation and on supervisory cadence.

The natural reason a firm holds both an EMI authorisation and a CASP authorisation in Malta is the **EMT issuance use\-case**. Under MiCA Title III, EMT issuance requires the issuer to be authorised as either a credit institution or an EMI; offering services on the EMT — exchange, custody, transfer — requires a CASP authorisation. Firms running both legs of the model in\-house need both authorisations, supervised by the same MFSA desk.

The other common pattern is a CASP that wants to issue prepaid card products or run a custodian\-wallet model with on\-platform fiat balances — that fiat component pushes the firm into EMD2 scope, requiring an EMI authorisation alongside the CASP authorisation.

## Substance bar 2026 — what MFSA actually inspects

Malta's substance bar is high in 2026 — materially higher than 2018\-era VFA\-applicant expectations. Five concrete elements MFSA will not accept compromises on.

- **Real management in Malta** — the CEO, the senior risk function and the MLRO must be tax\-resident in Malta and physically present for the working week. Fly\-in directors are not accepted at MFSA fit\-and\-proper review for senior\-management roles.

- **Local board composition** — a majority or near\-majority of directors should have meaningful Malta presence, with at least one independent non\-executive director with Maltese supervisory pedigree.

- **Documented governance** — board AML and risk committees with documented quarterly cadence, terms of reference, minutes, and demonstrable challenge of management at each cycle.

- **AML programme depth** — the firm\-wide ML/TF risk assessment, control framework, transaction\-monitoring system, sanctions screening configuration, **MLRO** reporting line directly to the board, and Travel Rule operationalisation must all be authorisation\-ready, not roadmap commitments.

- **ICT and DORA readiness** — ICT risk framework, third\-party risk register, incident\-response runbook, business\-continuity and disaster\-recovery testing on an annual cycle, all in place at the date of authorisation, not promised for year one.

Malta's substance reset traces back to the Moneyval\-driven AML overhaul of 2019–2022. MFSA's standards in 2026 are calibrated for a post\-Moneyval supervisor that will not tolerate the brass\-plate model that some 2018 applicants attempted. Firms that arrive expecting that earlier template — minimal local presence, contracted\-out compliance — are routinely turned away at pre\-application stage.

> **Tip:** Practitioner note: the single highest\-impact preparation step is the pre\-application meeting dossier. Firms that arrive with a complete programme of operations, three\-year financial model, governance pack and AML framework — rather than asking MFSA to validate a concept — move through pre\-application in weeks rather than months.

## Timeline and cost

A realistic Malta CASP authorisation timeline runs **8–12 months** from first pre\-application meeting to authorisation in hand. Pre\-application: 1–2 months. Full application drafting and submission: 1–2 months. MFSA review and questions: 4–6 months. **In\-principle approval** then conditions: 1–2 months. Authorisation: when conditions are satisfied.

Cost is harder to typify because so much depends on the complexity of the business model and the quality of the advisory team. Indicative ranges for a Class 3 CASP authorisation: regulatory fees in the low five figures \(MFSA application fee, supervisory fee\); external counsel and authorisation\-consultant fees **€150,000–€400,000** depending on complexity; first\-year fully\-loaded operating cost \(real\-management substance, MLRO, board, ICT, AML systems\) of **€800,000–€1.5m**. Firms that under\-budget on substance routinely face conditional approvals or rejections that cost more time and money to remediate than building substance properly from the start.

## When Malta is the right answer

Malta is the right answer for a specific founder profile. Choose Malta if the firm is building a **long\-horizon CASP** with serious institutional ambitions, values supervisory expertise over speed, can credibly run real management in a small EU island jurisdiction, and is comfortable carrying the substance cost in exchange for **MFSA's deep crypto\-asset supervisory bench** and full EEA passporting. See our wider [EEA vs UK vs offshore comparison](/resources/eea-uk-offshore-crypto-incorporation) for how Malta benchmarks against alternative incorporation pathways.

Choose [Lithuania](/resources/emi-licence-lithuania) instead if speed of authorisation is the primary driver, the firm's first wedge is payments\-first with crypto layered on, or the founder team is more comfortable with the Bank of Lithuania's faster, more procedural authorisation desk.

Choose [Cyprus](/resources/emi-licence-cyprus) if the firm wants a common\-law\-flavoured legal environment, an institutional\-grade CySEC supervisor with deep investment\-services pedigree, and the 12.5% headline corporate tax rate as part of the structuring case.

Across all three EEA options, the underlying MiCA rulebook is identical — see the [MiCA compliance guide for CASPs](/resources/mica-compliance-guide-casps) for the operational obligations every authorised CASP will live under. The differentiator is the supervisor.

## FAQ

### How many MiCA CASP authorisations has the MFSA granted?

16 MiCA CASP authorisations under MFSA appear on the [ESMA MiCA register](https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/markets-crypto-assets-regulation-mica)⁶[^6] in 2026. The cohort is smaller than Lithuania's or Cyprus's, partly because the substance bar is higher and partly because many would\-be CASPs in Malta are still mid\-flight through the VFA\-to\-MiCA transition.

### Is the VFA Act still useful in 2026?

Only in a residual sense. The VFA Act 2018 remains in force to cover VFA agent gatekeeper roles and to support legacy firms running under MiCA Article 143 grandfathering through 1 July 2026. New entrants in 2026 cannot apply for a VFA service\-provider licence — the only route is MiCA CASP authorisation.

### How long does MFSA take to grant a CASP authorisation?

8–12 months from first pre\-application meeting to authorisation is the realistic envelope in 2026. Complex business models, weak management dossiers, or applications that arrive at full application without pre\-application preparation routinely run longer.

### What is the substance bar — can directors fly in?

No. MFSA will not accept fly\-in directors for senior\-management roles. The CEO, senior risk function and MLRO must be tax\-resident in Malta and physically present during the working week. A majority of the board should have meaningful Malta presence, with at least one independent non\-executive director carrying Maltese supervisory experience.

### Do I need an EMI authorisation alongside the CASP authorisation?

Only if the business model creates EMD2 scope. Firms that issue EMTs in\-house, run prepaid\-card programmes, or maintain on\-platform fiat balances that constitute electronic money will need both. Pure crypto\-asset exchange and custody businesses can typically operate on the CASP authorisation alone, provided fiat handling is via correspondent banking rather than e\-money issuance.

> **Call to action:** Evaluating Malta against Lithuania, Cyprus or an offshore alternative? Book a free regulatory bankability assessment. We respond within 24 hours.

## Related Guides

- [MiCA Compliance Guide for CASPs](/resources/mica-compliance-guide-casps): authorisation, ongoing obligations and Article 60 / Article 65 mechanics for EEA crypto\-asset service providers.

- [EMI Licence Cyprus](/resources/emi-licence-cyprus): CySEC EMI authorisation walkthrough — capital, governance, timelines, comparison points for founders weighing Malta vs Cyprus.

- [EMI Licence Lithuania](/resources/emi-licence-lithuania): the Bank of Lithuania EMI authorisation track, speed advantage and substance expectations.

- [EEA vs UK vs Offshore Crypto Incorporation](/resources/eea-uk-offshore-crypto-incorporation): the wider jurisdictional comparison framework — when EEA passporting beats offshore optionality.

- [Regulatory Legal Opinions](/services/legal): independent legal opinions on MiCA classification, CASP scope and EMI overlay structuring.

The Malta dual\-track is a window that closes on **1 July 2026**. After that date, the regime simplifies into a single MiCA\-only framework — and Malta's distinctive value will be the depth of MFSA's supervisory bench, not the legacy VFA framework. Firms choosing Malta in 2026 are choosing a supervisor with eight years of crypto\-asset experience, a substance bar that filters out brass\-plate operators, and an authorisation that — once granted — passports across the entire EEA.

## Footnotes

[^1]: Malta Financial Services Authority — single integrated regulator for financial services in Malta, supervising banks, EMIs, PIs, investment firms, insurance, VFA agents and MiCA CASPs. <https://www.mfsa.mt/>
[^2]: Virtual Financial Assets Act, Chapter 590 of the Laws of Malta \(Act XXX of 2018\), establishing the Maltese regulatory regime for virtual financial assets, VFA agents and licensable VFA services. <https://legislation.mt/eli/cap/590/eng>
[^3]: Regulation \(EU\) 2023/1114 of the European Parliament and of the Council of 31 May 2023 on markets in crypto\-assets \(MiCA\), OJ L 150, 9.6.2023. <https://eur-lex.europa.eu/eli/reg/2023/1114/oj>
[^4]: MFSA — Virtual Financial Assets framework page, setting out the four classes of VFA service providers, the VFA agent regime, and the transition arrangements under MiCA. <https://www.mfsa.mt/financial-services-act/virtual-financial-assets/>
[^5]: Directive 2009/110/EC of the European Parliament and of the Council on the taking up, pursuit and prudential supervision of the business of electronic money institutions \(EMD2\), as transposed into Maltese law via the Financial Institutions Act. <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32009L0110>
[^6]: European Securities and Markets Authority — MiCA register of authorised crypto\-asset service providers, maintained by ESMA on the basis of notifications from national competent authorities. <https://www.esma.europa.eu/esmas-activities/digital-finance-and-innovation/markets-crypto-assets-regulation-mica>


---
Source: https://finconduit.com/resources/malta-mfsa-casp-emi-authorisation