MiCA Licence in Malta

Obtain a Malta MiCA license for CASP activities under MFSA supervision. RUE supports exchanges, custody providers, brokers, and crypto platforms targeting EU passporting in 2026.

Schedule Free Consultation

Regulator

MFSA

Timeframe

4-9 months

Cost

from €19,900

Capital

€50k-€150k

Depends on service scope, substance, AML risk, and technical setup.

Why Choose Malta for a MiCA License

A MiCA license in Malta gives a crypto-asset service provider access to a mature supervisory environment under the MFSA and a lawful route to EU passporting. RUE structures the legal perimeter, prepares the application file, and aligns governance, AML, and operational controls with 2026 supervisory expectations.

Polina Merkulova

Polina Merkulova

Licensing Services Manager

[email protected]

As your point of contact, I help coordinate the licensing process end-to-end, keep communication clear, and move your application forward without unnecessary delays.

Regulated United Europe advises on the full lifecycle of a MiCA Licence in Malta: legal scoping, company formation, governance design, AML/CFT framework, outsourcing review, application drafting, and regulator-facing remediation.

We also support adjacent workstreams that often determine approval speed in practice, including banking preparation, tax coordination, accounting setup, MLRO/compliance staffing, and post-license passporting readiness.

Contact me

🏛️

Experienced Financial Supervisor

The MFSA entered crypto supervision before MiCA and remains one of the few EU authorities with practical experience reviewing exchange, custody, and platform models.

🌍

EU Passporting Potential

A CASP authorization in Malta can be used for cross-border services across the EU after the required notification process, without separate relicensing in each member state.

🧩

Strong Legal and Corporate Infrastructure

Malta combines English-language legal practice, established corporate services, audit capacity, and a workable ecosystem for governance, tax, and banking structuring.

🛡️

Suitable for Serious Operators

Malta is usually a better fit for projects with real management, credible funding, and institutional-grade compliance rather than low-budget or paper-substance setups.

MiCA Licence in Malta

23,900 EUR

Package includes (8)

Preparation of necessary documents for registration of a new company in Malta
Translation of a certificate of no criminal record through a sworn translator
Payment of state fees related to company registration
Payment of notary fees related to company registration
Preparation of compliance documents for MiCA application
Preparation of a business plan
Submission of the necessary documents to MFSA
Recruitment of local MLRO/Compliance officer

MiCA Class Comparison for MiCA Licence in Malta

Compare MiCA Class 1, Class 2 and Class 3 by permitted activities and baseline requirements.

Mica Class 1 - 50 000 EUR

CapitalFrom EUR 50,000 TimeCountry-specific

Swipe left/right to switch license type

Reception and transmission of client orders

Execution of orders on behalf of clients

Placement and advisory services

Portfolio management

No custody of client crypto-assets

Target Models

Advisory firms Introducing brokers Portfolio advisory setups

Mica Class 2 - 125 000 EUR

CapitalFrom EUR 125,000 TimeCountry-specific

Swipe left/right to switch license type

All Class 1 services

Crypto-fiat and crypto-crypto exchange

Custody and administration of client assets

Transfer services for crypto-assets

Higher organizational and AML requirements

Target Models

Exchanges Custody providers Broker-dealer operations

Mica Class 3 - 150 000 EUR

CapitalFrom EUR 150,000 TimeCountry-specific

Swipe left/right to switch license type

All Class 2 services

Operation of crypto-asset trading platform

Enhanced governance and internal controls

Advanced risk management and reporting

Typical for full-scale marketplace operators

Target Models

Trading venues Multi-service CASP groups Institutional-grade operators

Discuss this license

MiCA Class Comparison (Class 1, Class 2, Class 3)

Activity / Option	Mica Class 1 - 50 000 EUR	Mica Class 2 - 125 000 EUR	Mica Class 3 - 150 000 EUR
Reception and transmission of orders	V	V	V
Execution of orders on behalf of clients	V	V	V
Advisory and portfolio management	V	V	V
Crypto-fiat and crypto-crypto exchange	X	V	V
Custody and administration of crypto-assets	X	V	V
Operation of a trading platform	X	X	V

Core Requirements for a Malta MiCA License

A MiCA license in Malta is granted only to applicants that can evidence legal scope clarity, paid-up capital, real substance, fit-and-proper management, and operational readiness. In 2026, the MFSA does not assess the application as a formality; it assesses whether the applicant can actually run the proposed crypto-asset services in a controlled and sustainable manner.

The requirements below apply to most CASP license in Malta projects, but the depth of scrutiny increases materially for custody, exchange, transfer, and trading platform models. The practical review perimeter usually spans MiCA, AML/CFT, sanctions controls, outsourcing, complaints handling, ICT security, and customer asset protection.

Correct MiCA Service Scope and Legal Qualification +

The first requirement is correct legal scoping. The applicant must identify which crypto-asset services are actually being provided under Regulation (EU) 2023/1114 and whether the model also touches other regimes such as EMT issuance, ART issuance, MiFID II, e-money, or payments.

Typical in-scope models include custody, exchange of crypto-assets for funds, exchange of crypto-assets for other crypto-assets, execution of orders, reception and transmission of orders, placement, transfer services, advice, portfolio management, and operation of a trading platform;
White-label structures, OTC desks, and broker-style flows often require deeper perimeter analysis than founders initially expect;
Some software-only or genuinely decentralized models may fall outside CASP authorization, but this must be assessed case by case.

Incorrect scoping is one of the most common reasons applications stall, because every later document depends on the exact service perimeter.

Minimum Own Funds and Prudential Safeguards +

Minimum capital for a Malta MiCA license depends on the services provided. The headline thresholds are €50,000, €125,000, and €150,000, but the applicant must also maintain own funds equal to the higher of the minimum threshold or 25% of the previous year’s fixed overheads.

€50,000 typically applies to lower-risk service sets such as advice, reception/transmission, execution, and portfolio management without custody or platform operation;
€125,000 typically applies where custody and transfer functions are involved;
€150,000 typically applies to exchange services and operation of a trading platform.

Capital must be paid up in fiat, not in crypto-assets. In practice, the MFSA also reviews whether the business has enough liquidity to survive the first 12 months, so minimum capital alone is not enough for approval.

Maltese Entity, Office, and Real Substance +

The applicant normally needs a Maltese legal entity registered through the Malta Business Registry (MBR), a registered office, and credible local substance. A letterbox structure is not sufficient for a serious MiCA Licence in Malta.

The MFSA expects effective mind and management, not merely outsourced administration;
Board meetings, strategic decisions, and oversight should be demonstrably anchored in Malta;
The local setup should match the scale and complexity of the business model;
Where critical functions are outsourced, the applicant must still retain control, monitoring, and escalation capacity.

Substance is assessed qualitatively. A small no-custody advisory model may justify a lighter setup than a custody or platform business, but both still need real governance and decision-making capacity.

Directors, Key Function Holders, and Fit-and-Proper Review +

A CASP applicant must appoint directors and key function holders who can pass fit-and-proper assessment. The regulator looks at competence, integrity, reputation, time commitment, conflicts of interest, and ability to understand the actual crypto business model.

Typical roles include board directors, MLRO, compliance officer, risk function, and where proportionate, internal audit;
Nominee-style appointments without real involvement are a red flag;
Excessive role concentration can raise segregation-of-duties concerns;
Shareholders and controllers may also be reviewed, especially where qualifying holdings are involved.

Documentation usually includes CVs, references, police conduct certificates, questionnaires, proof of qualifications, and evidence of relevant crypto, payments, securities, or AML experience.

AML/CFT, Sanctions, and Travel Rule Framework +

A Malta CASP operates under both MiCA and AML/CFT expectations. The FIAU remains central for AML supervision, and the applicant must show a business-wide framework that is tailored to its actual products, customers, geographies, and transaction patterns.

Required controls usually include customer risk scoring, CDD/EDD, PEP screening, sanctions screening, ongoing monitoring, suspicious transaction reporting, and recordkeeping;
Crypto transfer flows must be aligned with the Transfer of Funds Regulation and Travel Rule data requirements;
Source of funds and source of wealth checks are especially important for founders, investors, and high-risk clients;
Generic AML manuals copied from non-crypto sectors are usually easy for the regulator to detect.

In 2026, the operational AML stack often includes blockchain analytics, case management, alert escalation logic, and structured Travel Rule messaging such as IVMS101-compatible data exchange.

Technology, ICT Security, and Operational Resilience +

A MiCA license in Malta requires more than a short IT policy. The regulator will expect a coherent technology architecture, access control model, incident handling process, and outsourcing governance framework proportionate to the services offered.

Custody models should address wallet segregation, key management, privileged access, transaction authorization, reconciliation, and recovery procedures;
Common control concepts include HSM, MPC, multisig governance, penetration testing, logging, and vendor due diligence;
Operational resilience should define escalation paths, incident classification, business continuity, and measurable RTO/RPO targets;
The broader compliance environment may also intersect with DORA expectations depending on the entity’s classification and ICT dependency model.

Weak technical documentation is a frequent cause of delays, especially where the business claims institutional custody or high-volume exchange capability.

Business Plan, Financial Model, and Outsourcing Map +

The application file must show that the business is commercially coherent and operationally controllable. The MFSA will review whether the applicant understands its revenue drivers, cost base, risk exposures, and outsourcing dependencies.

The business plan should describe services, target markets, onboarding channels, customer categories, complaints handling, and growth assumptions;
Financial projections should usually cover at least 3 years and reconcile with staffing, capital, and compliance costs;
Every critical outsourced function should be mapped, with service providers, SLAs, oversight controls, audit rights, and exit plans;
Over-reliance on third parties for compliance, technology, and management simultaneously often triggers deeper scrutiny.

A strong application file reads like an operating model, not a marketing deck. That distinction matters in Malta.

Client Asset Safeguarding and Complaints Handling +

Where the business touches client assets or client orders, safeguarding arrangements must be demonstrable, not theoretical. The applicant should explain how customer crypto-assets, fiat balances, records, and entitlements are segregated and how errors are detected and remediated.

Custody providers should document wallet segregation, reconciliation frequency, incident response, and recovery governance;
Exchange and platform models should explain order handling, execution logic, conflicts management, and market abuse controls;
Complaints procedures should include intake channels, classification, response timelines, escalation, and board reporting;
Client disclosures must be consistent with the real risk profile of the service.

Applications often fail on this point when the legal documents promise protections that the actual technology stack cannot deliver.

Jurisdiction Comparison

Compare Malta with other jurisdictions by key conditions for obtaining and operating a MiCA/CASP license: regulator, review period, fees, capital, local substance, and passporting.

* This table focuses on MiCA/CASP authorization conditions. Use the settings icon to customize countries and parameters.

💰 Licensing Cost Estimator

Get an approximate cost estimate for your crypto license based on your business needs

Configure Your Licensing Package

Select options below to see estimated costs

License Type

Mica Class 1

Mica Class 2

Mica Class 3

Do you need company registration?

Yes — Register New Company

No — I Have a Company

Additional Services

✓ AML/KYC Package ✓ Bank Account Opening ✓ Physical Office ✓ Compliance Officer

Estimated Cost

€0

Estimated Timeframe

Country-specific

Capital Requirement

€0

📞 Get Exact Quote

* This calculator provides approximate estimates only. Actual costs may vary based on your specific situation. Contact us for a detailed personalized quote.

Taxation and Cost Structure for Malta CASPs

Malta remains tax-relevant for crypto businesses, but the tax story must be presented accurately. The standard corporate income tax rate is 35%. In some structures, Malta’s full imputation system and shareholder refund mechanism can reduce the effective tax burden to around 5%, but that outcome is not automatic and depends on legal form, tax residency, substance, shareholder profile, source of income, and actual distribution mechanics.

How the Malta tax mechanism is usually described in practice

A Maltese company may pay 35% corporate tax on profits. Upon dividend distribution, qualifying shareholders may claim a refund of 6/7 of the Malta tax paid in certain trading income scenarios. This can produce an effective tax leakage of approximately 5%. However, anti-abuse analysis, residence questions, permanent establishment issues, and cross-border shareholder taxation must be reviewed before relying on that outcome.

Do not model your licensing budget on a headline “5% Malta tax” claim alone;
Tax structuring should be coordinated with substance planning and board/control arrangements;
Crypto businesses with mixed income streams may face different tax treatment across activities.

VAT and service characterization

VAT treatment depends on the exact service. Some exchange activities may fall within financial-services exemptions, while advisory, software, white-label, or support services may be taxable. Cross-border B2B treatment, place-of-supply rules, and invoicing design should be reviewed before launch.

Licensing economics: budget beyond statutory capital

The real first-year cost of a Malta MiCA license is broader than minimum capital. Budgeting usually includes legal work, policy drafting, governance staffing, audit, office, accounting, AML tooling, Travel Rule tooling, cybersecurity, insurance, and banking onboarding support.

Corporate Income Tax

Standard Malta corporate tax rate

35%

The headline corporate income tax rate in Malta is 35%. This is the starting point for tax analysis and should not be confused with the potential post-refund effective rate available in some structures.

Shareholder Refund Mechanism

Potential reduction of effective tax burden

6/7 refund

In qualifying cases, shareholders may claim a refund of 6/7 of Malta tax paid on certain trading income after dividend distribution. This can reduce the effective burden to around 5%, but only where the full legal and tax conditions are satisfied.

Effective Tax Outcome

Possible but not automatic

~5%*

The often-quoted ~5% effective rate is a structuring outcome, not a statutory rate. It depends on substance, shareholder residence, treaty position, anti-abuse analysis, and proper implementation. Independent Maltese tax advice is essential.

VAT

Depends on service type and customer profile

18% / exempt

Malta’s standard VAT rate is 18%, but some crypto-related financial services may be exempt depending on characterization. Advisory, software, and certain support services may be taxable. VAT should be reviewed service by service.

Accounting and Audit

Mandatory annual compliance layer

€12,000-€45,000+

Annual accounting, statutory reporting, and audit costs vary by transaction volume, corporate complexity, and group structure. Crypto businesses with custody, high turnover, or multiple counterparties usually sit at the upper end of the range.

Legal and Licensing Support

Application drafting and remediation

€40,000-€120,000+

Professional fees typically cover scoping, company setup, governance design, policy drafting, application preparation, and regulator-facing responses. Complex custody or platform models generally cost more than advisory-only models.

Substance and Staffing

Directors, MLRO, compliance, office

€80,000-€250,000+

First-year substance costs usually include directors, MLRO/compliance support, office, local administration, and company secretarial services. The actual figure depends on whether functions are internal, outsourced, or hybrid.

AML, Travel Rule, and Security Tooling

Recurring operational compliance stack

€15,000-€90,000+

Recurring tooling may include KYC, sanctions screening, blockchain analytics, transaction monitoring, Travel Rule messaging, cybersecurity monitoring, and secure infrastructure. Costs scale fast for exchange and custody models.

Compliance and Ongoing Obligations

A Malta CASP authorization is the start of supervision, not the end of the project. Ongoing compliance spans prudential, AML, operational, governance, and customer-protection obligations.

📊

Regulatory Reporting and Governance

Periodic prudential and supervisory reporting to the MFSA
Annual audited financial statements and corporate filings
Board oversight, minutes, and documented decision-making
Notification of material changes in ownership, services, outsourcing, or management
Ongoing review of fixed overheads and own funds adequacy

🛡️

AML/CFT and Sanctions Controls

Customer due diligence and enhanced due diligence where risk requires
PEP, adverse media, and sanctions screening
Ongoing transaction monitoring and alert escalation
Suspicious transaction reporting to the FIAU where applicable
Travel Rule compliance for relevant crypto transfers under TFR

🔐

Operational Resilience and Security

Access control, logging, and privileged-user governance
Incident response, breach escalation, and root-cause analysis
Business continuity and disaster recovery testing
Vendor oversight and outsourcing monitoring
Custody safeguards, reconciliation, and asset segregation where relevant

📋

Conduct of Business and Customer Protection

Clear client disclosures on fees, execution, and risk
Complaints handling procedures and response timelines
Conflicts of interest identification and mitigation
Recordkeeping and evidence retention
Regular review and updating of internal policies

💡

RUE handles compliance for you. Our team provides ongoing compliance support, including AML officer services, regulatory reporting, and policy updates. We ensure your license stays in good standing year after year. Contact us for compliance support →

Updated for 2026: Malta after the MiCA transition

Malta MiCA license in 2026: what changed after the transition period

A MiCA license in Malta is now the central authorization route for crypto-asset service providers serving the EU from Malta. The older VFA Act framework remains relevant mainly as historical context and for transition analysis, but it is no longer the correct primary lens for new CASP structuring in 2026.

Key dates that matter:

2018: Malta introduced the VFA framework and became an early mover in crypto supervision;
30 December 2024: MiCA became fully applicable for CASP authorization across the EU;
1 July 2026: end of the Maltese transition window for legacy operators relying on grandfathering arrangements.

For founders and legal teams, the practical consequence is simple: new projects should be scoped directly under MiCA, not under legacy VFA terminology. Existing operators that failed to transition by the applicable deadline face a materially narrower legal position and may need to stop regulated activity until properly authorized.

Discuss Your Malta MiCA Strategy

What a CASP authorization in Malta actually covers

What services a Malta CASP can provide under MiCA

A CASP license in Malta can cover one or several crypto-asset services, but the scope must be expressly defined. The service set directly affects capital, governance burden, safeguarding expectations, and supervisory intensity.

Typical MiCA service categories include:

custody and administration of crypto-assets on behalf of clients;
operation of a trading platform for crypto-assets;
exchange of crypto-assets for funds;
exchange of crypto-assets for other crypto-assets;
execution of orders on behalf of clients;
placing of crypto-assets;
reception and transmission of orders for crypto-assets on behalf of clients;
providing advice on crypto-assets;
providing portfolio management on crypto-assets;
providing transfer services for crypto-assets on behalf of clients.

Scope matters in practice:

No-custody advisory or order-routing models usually face a lighter control burden, but still require governance, AML, complaints, and conduct frameworks;
Custody models trigger deeper scrutiny on wallet architecture, key management, asset segregation, and incident recovery;
Exchange and platform models usually attract the highest scrutiny because they combine conduct, operational, AML, and market-integrity risks.

A recurring mistake is to apply for a narrow scope while the product flow, terms of business, or user interface implies broader regulated activity. The MFSA will review the actual commercial logic, not only the labels used in the application.

View CASP Licensing in Europe

Service scope to capital and control burden matrix

Service model	Likely minimum own funds	Control burden	Main scrutiny points
Advice / reception & transmission / execution without custody	€50,000	Moderate	Conduct rules, AML onboarding, complaints, outsourcing, governance
Custody / transfer services	€125,000	High	Wallet architecture, key management, segregation, reconciliation, incident response
Exchange / trading platform operation	€150,000	Very high	Execution model, market abuse controls, AML monitoring, resilience, conflicts management

Actual classification depends on the full service perimeter. Own funds must also satisfy the higher-of test against 25% of fixed overheads.

Regulatory architecture: MFSA, FIAU, ESMA, EBA

The MFSA is the national competent authority for a MiCA Licence in Malta, but Malta CASP compliance does not sit under one institution alone. The operating perimeter usually spans MFSA authorization and prudential supervision, FIAU AML/CFT oversight, company law formalities through the Malta Business Registry, and EU-level convergence through ESMA and EBA.

Who does what:

MFSA: authorization, governance review, conduct expectations, prudential supervision, outsourcing, safeguarding, and ongoing supervisory engagement;
FIAU: AML/CFT framework expectations, suspicious transaction reporting perimeter, sanctions-related controls, and thematic AML supervision;
ESMA / EBA: guidelines, technical standards, and supervisory convergence that shape how MiCA is applied in practice across the EU;
MBR: incorporation, corporate maintenance, and beneficial ownership formalities.

For serious applicants, this means the application file must read consistently across all layers. A strong MiCA file with weak AML logic, or a strong AML file with paper-thin governance, is still a weak file overall.

Primary legal sources to track in 2026: EUR-Lex for MiCA, relevant ESMA and EBA guidance, the MFSA, and the FIAU.

Capital requirements and prudential math

Capital requirements and prudential safeguards: the math behind a Malta MiCA license

The prudential test for a Malta MiCA license is not just a static capital deposit. The applicant must maintain own funds equal to the higher of the applicable minimum threshold or 25% of the previous year’s fixed overheads.

Core formula:

Own funds requirement = max(applicable minimum capital; 25% of previous year fixed overheads)

Worked example:

Assume the business falls into the €125,000 category;
Previous year fixed overheads = €600,000;
25% of fixed overheads = €150,000;
Required own funds = max(€125,000; €150,000) = €150,000.

This matters for scaling businesses. A startup may enter on the statutory minimum, but once the cost base grows, the fixed-overheads test can become the binding prudential threshold. Applicants that ignore this dynamic often under-budget their first year and create avoidable supervisory friction.

A second practical point is often missed: the regulator looks beyond the formula to overall viability. If the business plan shows aggressive burn, thin liquidity, or dependency on uncertain funding rounds, the file may still be viewed as weak even when the minimum own-funds calculation is technically satisfied.

Prepare MiCA Application Documents

What regulators expect from substance and governance in Malta

Effective Mind and Management

Strategic decisions, board oversight, and escalation logic should be demonstrably controlled from Malta rather than delegated abroad in substance.

Qualified Key Function Holders

MLRO, compliance, risk, and directors must understand the real crypto operating model, not just hold titles on paper.

Segregation of Duties

The same person should not dominate management, AML, risk, and control functions without a proportionate and defensible rationale.

Controlled Outsourcing

Critical functions may be outsourced, but accountability, oversight, audit rights, and exit planning must remain with the licensed entity.

Documented Governance

Committees, reporting lines, conflicts registers, and board minutes should evidence actual oversight, not post-factum paperwork.

Local Operational Plausibility

The office, staffing model, and vendor map should match the scale of the proposed business and the risks it creates.

Documents required for a MiCA license in Malta

Documents required for a MiCA Licence in Malta

A complete application file normally includes legal, financial, AML, governance, and technical documentation. The exact list varies by scope, but a serious MiCA license in Malta file usually includes at least the following:

business plan and service description;
program of operations and customer journey mapping;
financial projections and capital planning;
ownership chart, UBO disclosure, and shareholder documentation;
source of funds and source of wealth package for founders and key investors;
governance framework, board structure, and role descriptions;
fit-and-proper files for directors and key function holders;
AML/CFT manual, business-wide risk assessment, sanctions policy, and suspicious activity escalation logic;
complaints handling, conflicts of interest, outsourcing, and remuneration policies;
ICT security architecture, incident response, business continuity, and vendor management documentation;
custody and safeguarding framework where relevant;
client terms, disclosures, and risk warnings.

What the regulator is really testing in these documents:

Business plan: whether the model is commercially coherent and legally scoped correctly;
Financial model: whether the company can remain solvent and compliant after launch;
AML pack: whether controls are tailored to the actual risk profile;
Technical pack: whether the operating architecture can support the promises made to clients and the regulator;
Ownership and SoF/SoW: whether the capital base is transparent and defensible.

One practical nuance often missed by founders: inconsistencies between the business plan, customer terms, and product UI are frequently more damaging than a missing annex, because they suggest the model has not been internally aligned before filing.

Get a Document Checklist

Application file checklist: document and regulator purpose

Document	Why it matters
Business plan	Shows service scope, target market, revenue logic, and operational model
Financial projections	Tests viability, liquidity, and prudential sustainability
Ownership / UBO chart	Confirms control structure and transparency of beneficial ownership
SoF / SoW package	Validates legitimacy of funding and shareholder background
AML/CFT framework	Demonstrates risk-based onboarding, monitoring, and reporting capability
Outsourcing policy and vendor map	Shows control over third-party dependencies and critical functions
ICT security and BCP/DR	Tests resilience, incident handling, and technology governance
Client disclosures and complaints policy	Assesses conduct, transparency, and customer-protection readiness

AML, Travel Rule, and transaction monitoring

AML, Travel Rule and transaction monitoring obligations for Malta CASPs

A Malta CASP must operate an AML framework that is both legally compliant and operationally usable. In 2026, regulators expect control logic that works in live transaction environments, not only a policy manual drafted for filing.

The practical AML stack usually includes:

KYC/CDD and EDD with identity verification, beneficial ownership analysis, and risk scoring;
PEP and sanctions screening at onboarding and on an ongoing basis;
transaction monitoring combining rules, scenarios, and manual review workflows;
blockchain analytics to assess wallet exposure, typologies, and counterparty risk;
Travel Rule compliance for relevant crypto transfers under the TFR;
alert triage and case management with documented escalation to the MLRO;
STR/SAR decisioning and evidence retention.

A technical nuance serious applicants should not ignore: Travel Rule compliance is not only a legal policy issue. It often requires interoperability between onboarding, wallet screening, transfer orchestration, and messaging standards such as IVMS101. If the product team and compliance team design these flows separately, implementation gaps appear quickly.

Another issue that increasingly matters in supervisory reviews is sanctions exposure through indirect wallet interaction. Even if a client is onboarded cleanly, transaction monitoring must be able to detect exposure to sanctioned services, mixers, or high-risk clusters and route the case for enhanced review.

Review Crypto Regulations in Malta

ICT security, custody controls, and outsourcing

Technical architecture influences licensing outcomes more than many founders expect. For custody, exchange, and transfer models, the regulator will want to understand how the system actually works under stress, error, or compromise.

Key control areas for 2026 applications:

Wallet architecture: segregation between client and house assets, hot/cold wallet logic, reconciliation, and recovery design;
Key management: use of HSM, MPC, multisig governance, key ceremonies, backup, and revocation procedures;
Access governance: privileged access management, maker-checker controls, session logging, and periodic access review;
Incident response: classification, escalation, containment, evidence preservation, and post-incident remediation;
Outsourcing: vendor due diligence, concentration risk, subcontracting visibility, audit rights, and exit planning;
Resilience metrics: defined RTO and RPO, tested backup procedures, and business continuity exercises.

Applicants that rely heavily on external wallet, KYC, and exchange infrastructure should be ready to explain not only who the vendor is, but how the licensed entity remains in control if the vendor fails, is breached, or changes service terms.

When Malta is the right jurisdiction and when it is not

Best fit for Malta

EU-focused exchanges, institutional custody providers, broker-execution models, and long-term businesses that can support real governance, AML maturity, and a six-figure first-year compliance budget.

Poor fit for Malta

Low-budget startups, founders seeking paper substance only, unclear token/service models, or businesses that want to outsource almost all management, compliance, and technology control.

Why strong applicants choose Malta

Regulatory maturity, English-language legal environment, credible EU positioning, and a supervisory culture that can work well for structured applicants with institutional ambitions.

Why weak applicants struggle in Malta

Applications often stall on scoping errors, weak SoF evidence, underpowered AML frameworks, unrealistic financials, or technical stacks that do not match the claimed service model.

Common mistakes that delay or derail a Malta CASP application

Top mistakes in Malta MiCA applications

The fastest way to lose time is to file before the model is internally coherent. In practice, the most common problems are:

Wrong service scoping and mismatch between product flow and requested authorization;
Weak substance with no credible local management or control framework;
Template AML documents that do not reflect the actual customer and transaction risk profile;
Unclear source of funds for founders, investors, or paid-up capital;
Over-outsourcing of critical functions without oversight capacity inside the applicant;
Thin technical documentation for custody, exchange, or transfer services;
Financial projections detached from reality, especially on staffing, compliance, and tooling costs.

RUE usually addresses these issues before filing through a readiness review, gap analysis, and document harmonization process. That is often more valuable than accelerating submission by a few weeks.

Request Pre-Filing Assessment

Internal support lines relevant to a Malta MiCA project

Most successful MiCA license in Malta projects require parallel workstreams beyond the application itself. RUE typically coordinates licensing with legal services in Malta, accounting services in Malta, bank account opening in Malta, and broader MiCA licensing in Europe strategy.

For applicants comparing jurisdictions or structuring multi-country expansion, related resources may also include crypto license in Malta, cryptocurrency regulation in Malta, MiCA regulation for CASPs, and preparation of compliance documents for MiCA application.

Explore RUE Services

📝 Check Your Eligibility

Answer a few quick questions to find out if this jurisdiction suits your crypto business

Step 1 of 5

What type of crypto services will you provide?

Exchange (fiat ↔ crypto)

Custody & Wallet Services

Transfer & Payment Services

Advisory / Portfolio Management

Multiple / All of the Above

Step 2 of 5

What is your target market?

European Union only

EU + Global markets

Global (non-EU priority)

Step 3 of 5

Do you already have a registered company in the EU?

Yes, in this jurisdiction

Yes, in another EU country

No, I need to register one

Step 4 of 5

What is your available budget range?

Under €20,000

€20,000 – €50,000

€50,000 – €100,000

Over €100,000

Step 5 of 5

When do you plan to launch?

As soon as possible (1–3 months)

Within 6 months

Within a year

Just exploring options

✅

This Jurisdiction Is a Great Fit!

Based on your answers, this jurisdiction matches your business requirements well. Here's a quick summary:

Recommended License

CASP License

Estimated Budget

€24,000 – €35,000

Estimated Timeframe

4–6 months

EU Passporting

Available

📞 Get Personalized Assessment

Step-by-Step Malta MiCA Process

Step 1

Scope and Feasibility

RUE reviews the business model, token/service perimeter, target markets, and likely MiCA service categories. We identify whether the project fits CASP authorization in Malta and flag overlaps with EMT, ART, payments, or securities rules. Typical duration: 1-3 weeks.

Step 2

Company and Structure Setup

We incorporate the Maltese entity, align ownership and governance, prepare substance planning, and coordinate with tax, accounting, and banking workstreams where needed. Typical duration: 2-6 weeks depending on ownership complexity.

Step 3

Governance and Staffing

We define board composition, key function holders, segregation of duties, outsourcing boundaries, and fit-and-proper readiness. This stage often includes MLRO/compliance planning and local substance calibration. Typical duration: 2-5 weeks.

Step 4

Policy and File Drafting

We prepare the application pack: business plan, financial model, AML/CFT framework, governance documents, outsourcing map, complaints policy, technical/security documentation, and supporting annexes. Typical duration: 4-8 weeks.

Step 5

Pre-Filing Quality Review

Before submission, we reconcile the legal file against the real operating model, website flows, customer terms, and vendor stack. This reduces later RFIs caused by internal inconsistencies. Typical duration: 1-2 weeks.

Step 6

Submission and Completeness

The application is submitted to the MFSA. The authority acknowledges receipt and reviews whether the file is complete enough for substantive assessment. If gaps are identified, remediation may be requested before the review proceeds.

Step 7

MFSA Review and RFIs

The MFSA conducts substantive review, raises questions, and may seek clarifications on scope, AML, governance, technology, or financial assumptions. For strong files this phase is manageable; for weak files it becomes the main source of delay. Typical duration: 2-4+ months.

Step 8

Approval and Go-Live Readiness

After approval or in-principle approval, the applicant completes any final conditions, operationalizes controls, finalizes vendor and banking arrangements, and prepares for launch and passporting notifications. Typical duration: 2-8 weeks.

Start Your Application

Answers

Frequently Asked Questions

Open the key issues founders, compliance teams and legal leads usually need to confirm before a Lithuania CASP rollout.

What is the difference between a CASP license in Malta and a legacy VFA license? +

A CASP license in Malta is the MiCA-era authorization for crypto-asset services under Regulation (EU) 2023/1114, while the VFA framework is Malta’s earlier national regime introduced in 2018. In 2026, new applicants should be assessed primarily under MiCA. Legacy VFA references remain relevant for transition analysis, but they are no longer the correct primary framework for a new EU-facing crypto business.

How much capital is required for a Malta MiCA license? +

The headline minimum own-funds thresholds are €50,000, €125,000, or €150,000 depending on the service scope. However, the real prudential test is the higher of the applicable minimum or 25% of the previous year’s fixed overheads. This means a growing business may need to hold more than the statutory minimum once its operating cost base increases.

How long does MFSA approval take in 2026? +

A realistic end-to-end timeline for a MiCA Licence in Malta is often around 4 to 9 months, depending on scope, readiness, and the quality of the application file. No-custody models can move faster than custody or trading platform applications. The formal review timeline is only part of the process; pre-filing scoping, staffing, and document alignment usually determine whether the review stays efficient.

Can non-EU founders obtain a MiCA license in Malta? +

Yes, non-EU founders can own a Maltese CASP applicant, but ownership transparency, fit-and-proper review, and source-of-funds evidence become especially important. Foreign ownership is generally possible, yet the company still needs real Maltese substance, credible management, and a governance model that is not purely remote or nominee-based.

Does a Malta MiCA license allow passporting across the EU? +

Yes, a Malta MiCA license can support EU passporting after the required notification process. This allows the CASP to provide services cross-border or through a branch in other EU member states without separate full relicensing in each country. That said, passporting does not remove the need to comply with local consumer, tax, marketing, and data-protection rules where relevant.

Is physical presence in Malta mandatory? +

Yes, some degree of real presence is normally expected. The exact level depends on the business model, but a serious applicant should plan for a Maltese entity, registered office, effective local management, and governance that can be evidenced in practice. A pure letterbox setup is a weak basis for a Malta MiCA license, especially for custody, exchange, or platform operations.

What documents are required for a MiCA license in Malta? +

The file usually includes a business plan, program of operations, financial projections, ownership and UBO documentation, source-of-funds evidence, governance framework, fit-and-proper files, AML/CFT policies, outsourcing map, complaints policy, technical security documentation, and client-facing legal documents. The exact pack depends on scope, but the regulator expects consistency across legal, financial, AML, and product materials.

What are the AML and Travel Rule obligations for Malta CASPs? +

A Malta CASP must implement risk-based CDD, EDD where needed, sanctions screening, transaction monitoring, suspicious transaction escalation, and recordkeeping. Where relevant crypto transfers are processed, the business must also comply with the Transfer of Funds Regulation and Travel Rule data requirements. In practice, this often requires KYC tooling, blockchain analytics, and structured messaging standards such as IVMS101.

Is the 5% Malta tax rate automatic for crypto companies? +

No. The standard Malta corporate income tax rate is 35%. The often-cited effective rate of around 5% may arise only after dividend distribution and use of the shareholder refund mechanism in qualifying structures. The result depends on substance, shareholder profile, residence, treaty position, and tax advice. It should never be assumed as an automatic licensing benefit.

What happened after 1 July 2026 for legacy operators? +

1 July 2026 marked the end of the Maltese transition window for legacy operators relying on grandfathering arrangements. Businesses that had not properly transitioned to MiCA by the applicable deadline faced a materially weaker legal position and may have needed to stop regulated activity until authorized. For new applicants, the practical message is straightforward: file under MiCA, not under legacy VFA assumptions.

Can one Malta authorization cover multiple crypto services? +

Yes, one authorization can cover multiple MiCA service categories if the applicant can justify the scope and support it with adequate capital, governance, controls, and technology. In practice, broader scope means broader scrutiny. It is usually better to apply for a coherent service perimeter that the business can actually operate compliantly than to over-apply for optional services that are not yet operationally ready.

Is Malta suitable for startups seeking a MiCA license? +

Malta can work for startups, but it is usually best suited to well-prepared and reasonably capitalized teams. Founders with unclear business models, weak source-of-funds evidence, or very limited first-year budgets often struggle. If the project cannot support substance, governance, AML tooling, and professional documentation, another jurisdiction or a phased market-entry strategy may be more realistic.

What are the main reasons Malta CASP applications are delayed? +

The most common delay factors are wrong service scoping, weak local substance, underdeveloped AML/CFT controls, unclear source of funds, over-outsourcing of critical functions, poor technical documentation, and inconsistent business-plan assumptions. The quality of pre-filing preparation is usually the main predictor of timeline. Strong files tend to move through review more predictably than rushed submissions.

Can RUE help with banking, accounting, and post-license support in Malta? +

Yes. RUE supports not only the licensing file, but also adjacent workstreams that affect approval and launch in practice, including company formation, accounting in Malta, bank account opening in Malta, compliance document preparation, and ongoing legal coordination. This integrated approach is often more effective than treating the license as a standalone filing exercise.

Regulated United Europe OÜ

Registration number: 14153440
Anno: 16.11.2016
Phone: +372 56 966 260
Email: [email protected]
Address: Laeva 2, Tallinn, 10111, Estonia

Company in Lithuania UAB

Registration number: 304377400
Anno: 30.08.2016
Phone: +370 6949 5456
Email: [email protected]
Address: Lvovo g. 25-702, Vilnius, 09320, Lithuania

Company in Czech Republic s.r.o.

Registration number: 08620563
Anno: 21.10.2019
Phone: +420 775 524 175
Email: [email protected]
Address: Na Perstyne 342/1, Prague

Company in Poland Sp. z o.o.

Registration number: 38421992700000
Anno: 28.08.2019
Email: [email protected]
Address: Twarda 18, Warsaw, 00-824, Poland

Please leave your request

The RUE team understands the importance of continuous assessment and professional advice from experienced legal experts, as the success and final outcome of your project and business largely depend on informed legal strategy and timely decisions. Please complete the contact form on our website, and we guarantee that a qualified specialist will provide you with professional feedback and initial guidance within 24 hours.

Main Services

Terms of Cooperation

Regulated United Europe

Instagram

YouTube