CoinPoint Advice: How to start an exchange business in Malta and which licence is required for its operation

CoinPoint Advice: How to start an exchange business in Malta and which licence is required for its operation

Maltese regulations and procedures requisite for crypto enterprises

As countries around the world became ambivalent about accepting cryptocurrency and blockchain technology, a small country in the Mediterranean Sea started writing rules that offered legal certainty in a space that had been unregulated. Malta was one of the first countries to regulate the crypto industry and offer legal framework for its application. Following this news many businesses, exploited the opportunity and moved their headquarters to Valletta, country’s capital.

Crypto exchanges were amongst the industries which benefited the most out of this deal, as the VFA (Virtual Financial Act) finally enabled their legal operation.

Maltese government divided the licences into 4 categories, encompassing different areas and organizations:

– Class 1: Simple consulting and placement of VFAs

 Class 2Offering VFA services except those dealing on one’s own account or offering an exchange

– Class 3: Licence for any type of VFA service but a VFA exchange

– Class 4: The licence for VFA Exchanges

Licence applicants must show to the MFSA (Malta Financial Service Authority) that they possess sufficient capability, coherence, and solvency to run the exchange.

The MFSA rules impose tough liquidity requirements on all licensees. They also have to ensure they have no conflict of interest. They must also have a compliance officer that will be responsible to draft a compliance certificate on a periodical basis.” — Joseph F Borg

As previously stated, the licence process for a crypto exchange in Malta is classified as VFAA Class 4, and its application process is divided into the following 3 phases:

1. Preparatory Phase

2. Pre-Licensing Phase

3. Post Licencing & Pre-Commencement of Business


The applicant chooses a VFA agent and the VFA will inform the regulator (MFSA) that a client would like to apply for a licence.

This “information” is actually a lot more than just an email, as it should contain already the business plan and a clear picture who the applicant is and who the persons / roles are that should hold positions in the new company (only key persons and key roles, like directors, shareholders, CFO, compliance officer, etc.)

It can make sense to have a company set up for the application. Also, what should be included in this first approach is a legal opinion, that the application is in fact for a crypto exchange and not, for example, a MiFID exchange.

After reviewing the email and the supplied information, the MFSA will invite the key persons to Malta. The VFA agent and the client will attend the meeting and will make the best impression. This meeting is mandatory.

As soon as the meeting is concluded, the VFA agent has 60 days to submit the full application and the client needs to pay the application fee of 24’000 EUR to the MFSA with the filing of the application.


Once the complete application is received and the fee has been paid, the MFSA will review the application. This will include a back and forth of questions and answers and the clients are advised to respond quickly, as otherwise momentum might be lost.

Once the regulator is principally satisfied, it will issue an “in principal approval”, which is “valid” for 3 months. Within these 3 months the client has to finalize all pending items and submit the original application. Pending items are, for example:

a. Set up the company

b. Open the company

c. Rent the office

d. Employ the staff

e. Pay in the share capital

f. Get the insurance

g. Buy the servers

h. Pay the hosting

On top of these, VFA providers require a range of procedures and policies which are necessary for the project’s assessment and final evaluation:

i. Information and data security policy

ii. AML Policy

iii. Privacy Policy

iv. Business Continuity Policy

v. Accounting Policies & Procedures

vi. Personal Transaction Rules

vii. Cyber Security Framework

viii. VFAs and VFA Service Policy

ix. Remuneration Policy

x. Risk Management Policy

xi. Internal Audit Plan

xii. Insurance Policy

xiii. Disaster Recovery Plan

xiv. Outsourcing Policy (if applicable)

xv. Internal Liquidity Management Policy

xvi. Conflict of Interest Policy

xvii. Categorization of Clients Policy

xviii. Complaints Management Policy

xix. Order Execution Policy

xx. Client Order Handling Rule

Very important: Since the 3 months can be “short”, it makes sense to have some aspects (like company, bank account etc) ready beforehand.

Once all “issues” from the “in principal approval” are solved, the licence is issued.


Licence holders MAY be required, even so the licence has been issued, to comply with conditions by the MFSA before the commencement of the business.

Overall the process will take at least 12 months for its completion.

Wide exploitation and business allocation

Once Maltese regulations were authorized by the government, two biggest exchanges worldwide allocated their offices and headquarters to Malta. Binance, being the largest cryptocurrency exchange platform volume-wise moved its offices from Asia-Pacific to Malta. The operation of Binance in the Asia-Pacific theater has been coming under increased scrutiny from regulatory bodies. In both Japan and Hong Kong, the company has had to deal with a number of issues with the regulatory agencies in these countries. Blockchain utopia which positioned itself as a crypto hub, Malta welcomed Binance with open arms and its Prime Minister Joseph Muscat congratulated people behind the Binance himself.

Second biggest exchanging platform, namely OKEx, also moved its offices in Malta.

“Malta’s Virtual Financial Asset Act is a solid foundation for the industry and the government to work together in fostering the nascent blockchain/digital asset industry. More specifically, Malta’s sound risk-based approach will help cultivate a responsible, compliant, and healthy ecosystem,” explained by Tim Byun, chief risk officer and head of government relations at OKEx.

These clearly defined protocols and procedures Malta introduced for regulating and making space for blockchain and crypto organizations, paved the way not only for big sharks who wanted to exploit the legal hub, but also to other, smaller organizations and businesses. Hosting providers, Payment gateway providers, iGaming operators, Legal advisors, Investment trading firms, Decentralized mobile network providers, ICOs, STOs, and Decentralized applications are just some of the areas that finally found a much sought-after safe haven.

Both Philipp Sauerborn and Joseph Borg endowed this article with legal steps imperative for its successful execution.

About CoinPoint:

CoinPoint is a premium marketing agency, founded in 2013, working with all scale businesses — from startups, presenting their businesses on a global level, to multinational companies looking for digital transformation & blockchain adoption. The agency stays on top by providing the best services and solutions to its clients around the world.

For interviews or other media inquiries: