Malta MFSA Class 3 CASP Substance: The Strictest Bar in the EU

Why Malta is the strictest substance bar in the EU

The MFSA’s substance posture sits at the strict end of the EU spectrum, alongside Ireland — but Malta is uniquely strict on functional separation of the MLRO and Compliance Officer. No other EU regulator reads the requirement as a mandatory precondition for Class 3 authorisation as far as practitioner-reported file experience is documented in 2025-2026; the MFSA does.

The position is rooted in the MFSA’s reading of the CASP authorisation requirement MiCA together with EBA-level AML/CFT guidance — both, in the MFSA’s view, contemplate an AML reporting function that is structurally independent of the broader compliance function. Combining the roles, the supervisor argues, compromises the escalation channel for suspicious-transaction reporting because a combined officer reports to themselves on issues that should escalate independently to the board and the Financial Intelligence Analysis Unit (FIAU).

Whether the legal basis is bullet-proof is a separate question. What matters for an applicant is that the MFSA treats combined role allocation in above-threshold Class 3 files as a substantive deficiency, and is unlikely to soften the position before formal ESA-level guidance forces a change. Plan to the strict reading.

How does the small-firm threshold work?

The MFSA in practice distinguishes smaller firms from larger ones, with practitioner-reported thresholds typically in the order of €25M annual revenue and €100M client custody (the precise figures are set out in supervisory correspondence on a file-by-file basis). Below the threshold, combined MLRO/Compliance Officer roles are acceptable provided the firm documents a succession plan for splitting the roles as it grows. Above the threshold, separation is the supervisory expectation.

The threshold is checked at application and re-tested annually. A firm that crosses the threshold mid-year is expected to file a notification within 30 days and effect the role split within 90 days. Failure to do either is a supervisory finding.

In practice, applicants in our advisory conversations land in three groups:

• Clear small firms (advisory or low-volume Class 1) — combined role acceptable, low friction
• Edge cases (early-stage Class 2/3 with growth ambition) — separation recommended even at authorisation, to avoid mid-year transition friction
• Clear large firms (Class 3 with custody balance projection above €100M) — separation mandatory, no flexibility

The middle group is where most cost-optimisation discussions happen with counsel.

Malta substance vs Estonia substance

Both jurisdictions are at the strict end of the EU spectrum but they emphasise different things:

Substance dimension	Malta MFSA	Estonia FSA
Resident senior management	2 Malta-resident, CEO Malta-resident	1 resident director
MLRO	Full-time, Malta-resident, separated from Compliance	0.5 FTE+, Estonia-resident, can combine with Compliance
Compliance Officer	Full-time, Malta-resident, separated from MLRO	0.5 FTE+, can combine with MLRO
Board composition	EU/EEA majority	No formal composition rule
Local registered office	Required, no virtual address	Required
Local staff (operations)	Documented headcount expected	Encouraged, not strictly required
Substance interview	Yes, 45 min per role	Yes, 30-60 min per role

The aggregate cost differential is significant. A Class 3 Maltese establishment carries a salaried-headcount floor around €350,000 per year before commercial activity; an Estonian establishment can run on around €200,000. For applicants choosing between the two, the Maltese reputation premium has to justify the cost differential.

Why does Malta still attract Class 3 applicants?

Despite being the strictest substance bar, Malta retains commercial attractiveness for two reasons:

1. Established VFA-Act practice. Malta has had a domestic crypto-services regime since 2018. The pool of local counsel and consultancy with practical experience is the deepest in the EU. For complex applications involving cross-border structuring, the Malta practice base is hard to replicate elsewhere.

2. English-language regulator. All MFSA correspondence, supervisory engagement, and formal filings are in English. For non-EU founders, this materially reduces translation and counsel-coordination cost. Estonia operates similarly bilingually but Czech Republic and Lithuania expect local-language correspondence.

3. Banking access. Counter-intuitively, Maltese authorised CASPs have better domestic banking access than Cyprus or Estonia counterparts. Two Malta-domiciled banks accept CASP onboarding post-authorisation with documented governance. This is a meaningful operational advantage that offsets the higher establishment cost.

What does the MFSA actually look for in a CASP file?

The the own-funds requirement governance file is where most 2026 applications consume time. The MFSA’s reviewers ask three implicit questions of every page:

1. Is the documented arrangement specific to this firm’s business model, or generic?
2. Are roles, responsibilities, and escalation triggers concrete enough to test?
3. Does the firm understand its own crypto-specific risk profile?

The fastest way to fail is template language — Big Four-style governance documents that read identically regardless of business model. The MFSA reviewers see hundreds of these and recognise them immediately. The file that succeeds reads like the firm’s own thinking, with specific examples drawn from the proposed operating model.

Working with counsel on a Malta Class 3 file

The diagnostic question for counsel: how many MFSA Class 3 applications has the firm processed since March 2026? Practice that pre-dates the implementing procedures is partial — the substance bar moved materially in early 2026. Counsel without recent files is still calibrating. The firms in our index with documented Malta CASP track record are listed below.