On 30th July 2018 the MFSA issued a consultation paper on the Virtual Financial Assets rules for issuers of Virtual Financial Assets. The closing date for submissions was 13th August 2018, and the MFSA is now expected to issue the official chapter after taking into account the submissions it has received as well as the other consultations it has carried out with relevant stakeholders.
This paper is intended to form part of a rule book which will be entitled the ‘Virtual Financial Assets Rulebook’ and which will be divided into three chapters. This chapter applies to issuers of Virtual Financial Assets.
The first title of this chapter outlines the high-level principles which should guide issuers when issuing Virtual Financial Assets, while Title 2 sets out the general requirements for issuers, including that issuers must be legal persons and that the business is directed by two persons. Title 3 outlines the initial and ongoing requirements applicable to initial VFA offerings, which mainly relate to the requirements to register their white paper as well as the conditions to admit VFA assets on a DLT exchange. Title 4 provides details with regard to the administrative penalties and sanctions as well as the principles which will guide the MFSA when imposing administrative penalties.
This chapter also includes the MFSA’s interpretation of the transitory provisions provided for under Article 62(1)(a) of the Virtual Financial Assets Act.
This article deals with the other requirements that issuers have in relation to cyber-security, record keeping and I.T. infrastructure.
Title 2 – Requirements for issuers (continued) – Cyber-security, Record keeping and I.T. infrastructure
An issuer must establish a ‘Cyber-Security Framework’ which shall include:
- Information and data security roles and responsibilities
- Access management policy
- Sensitive data management policy
- Threats management policy
- Business continuity plan
- Response and recovery plan
- Security education and training
The Cyber Security Framework shall comply with internationally recognized cyber security standards and shall be in line with the provisions of the General Data Protection Regulation (GDPR).
The documents must be kept in a manner which will enable the MFSA to monitor compliance with the rules. Documents shall be kept at the disposal of the MFSA for at least five years, which may be increased to seven years at the request of the MFSA. The documents must be retained in a medium that allows information to be stored in a way that is accessible for future reference by the MFSA.
The I.T. infrastructure must ensure the integrity and security of the data, the availability, traceability and accessibility of the data, its privacy and confidentiality and that it is in line with the GDPR.
The I.T. infrastructure must be located in Malta and / or in any other EEA member state and / or any other third country wherein the MFSA will be satisfied that the above-mentioned requirements are satisfied. Where the issuer’s I.T. infrastructure is not located in Malta, or is located in a cloud environment, data must be replicated in real time by virtue of a live replication server located in Malta.