Future of Security Token Offerings in Malta

Related Practice Area: Compliance
  1. Defining STOs

In the Consultation Document, the Authority proposed a categorization of different types of STOs, being:

  1. TRADITIONAL STOs: Traditional transferable securities such as shares; bonds (including callable bonds); convertible debt securities; derivatives, asset-backed securities; the storage and/or transaction execution of which is intrinsically dependent on, or utilizes Distributed Ledger Technology (DLT). In this case, the transferable security will have the same characteristics as non-technology-enabled transferable security which is already recognized in a defined and existing legal framework.
  2. OTHER STOs: A technology representation (a token, the storage and/or transaction execution of which is intrinsically dependent on, or utilizes DLT) that may share some qualities with traditional transferable securities and may be classified as ‘other securities’ in terms of MiFID II e.g. a token giving only the right to profits of certain investments of a business.

It appears that the proposed categorization was met with a level of opposition from industry stakeholders. The Authority has, however, reiterated the fact that the definition of ‘traditional securities’ is only partially harmonized at EU level thus leaving room for interpretation as to which instruments will qualify as such under this definition.


  1. Limiting Traditional STOs to companies

In the Consultation Document, the Authority proposed that issuers of STOs be solely structured as limited liability companies. The majority of respondents were in agreement with the Authority and felt that it is practical to limit issuances to companies for the time being. However, all have maintained the view that this initiative should eventually be extended to other vehicles such as commercial partnerships, associations, and foundations.

The Authority also sought to clarify that private placement regimes do not fall under its regulatory remit. Since no separate regime has been put in place for private placements in the case of non-tokenized offerings, there would be no legal basis to create a separate regime for private placements of STOs.


  1. Amendments to Companies Act

All respondents agreed that there is a need to amend certain aspects of the Companies Act. The Authority confirmed that it is in the process of liaising with the Malta Business Registry in order to amend various sections of the Companies Act, with a view to ensure that the registers of members and debenture-holders can be kept in a dematerialized form using DLT. Moreover, the Authority shall be putting forward proposals to provide legal clarification and an away forward on the use of DLT within the context of corporate actions. The Authority believes that the present corporate law structure allows companies to alter their articles of association in order to admit the use of DLT within the internal workings and processes such as opening voting rights directly on the blockchain.


  1. Drawing up a Financial Due Diligence Report (‘FDDR’)

The Authority has proposed that in certain cases an issuer should draw up an FDDR. This should be applicable to all applicants seeking approval for admissibility to listing and trading of a Traditional STOs. The FDDR would put forward the business model of the applicant to the Authority for its consideration, against a defined set of parameters. An explanation of the business model of the prospective issuer together with historical and/or projected financial information and/or additional security/guarantee would enable the Authority to be in a better position to assess the financial soundness of the applicant. Industry responses varied in relation to this proposal.

The MFSA agrees that the requirement of an FDDR should be the same for the same type of securities, irrespective of whether these are tokenized or not. Due regard has been taken as to whether the principle of proportionality warrants the application of a lighter regime for start-ups, however, having taken into consideration the considerable risks which investors will be taking when investing in startups, the same requirement is expected to be applicable in relation to start-ups. In this respect, the Authority is in the process of revising the present Listing Rules applicable to companies applying for securities to be listed and traded on Regulated Markets in Malta. It is envisaged that such revised Listing Rules will address these issues.


  1. Additional corporate governance requirements for Traditional STOs

The Authority proposed that in instances where the board of directors is also responsible for Innovative Technology Arrangements (ITAs) underpinning the storage and transactions in securities, the following additional corporate governance requirements should apply:

a. The Cyber-Security Framework and IT Infrastructure Requirements set out in the VFA Act should be adhered to; and

b. A Systems Auditor should be appointed in order to prepare a Systems Audit Report. The Authority would recommend that the requirements relating to the Systems Audit set out in the Systems Auditor Guidelines issued by the Malta Digital Innovation Authority (‘MDIA’) be applied.

This was accepted In principle by respondents and the Authority expressed its intention to enter into discussion with the MDIA in order to ensure that the wording in the MDIA guidelines can be applied to any kind of regulated DLT asset including financial instruments. In relation to the Cybersecurity Framework and IT Infrastructure, the onus will be placed on the issuer to ensure that its cybersecurity architecture complies with any internationally and nationally recognized cybersecurity standards, any future guidelines issued by the Authority and with the provisions of the GDPR, taking into consideration the nature, scale, and complexity of the business.


  1. System Audit requirement

The proposition brought forward by the MFSA requires the following:

a. A Systems Auditor will need to be appointed if the Issuer has an ITA in place, as defined in the First Schedule to the ITAS Act; or if the Issuer operates a technological infrastructure which interacts with an ITA in some way or form, including, in particular, a wallet.

b. Where a company will be operating an ITA which underpins the storage and transactions in securities, a Systems Auditor will need to be appointed to prepare a Systems Audit Report in line with the MDIA’s guidelines. If an Issuer utilizes the services of a third-party platform, it should be understood that all the requirements mentioned in this feedback statement and any guidance or rules which have been or which may be issued by the Authority will apply mutatis mutandis to such third-party platforms and their operators, instead of such Issuer.


  1. Adequacy of the Prospectus Regulation

Respondents generally agreed that the Prospectus Regulation and the relevant Annexes are adequate in the case of Traditional STOs and caters for a prospectus to include information on the underlying ITA or technology utilized, namely information in relation to the Systems Audit and the Cyber-Security Framework and the IT Infrastructure Requirements set out in Section 2.5 of the Consultation Document. The wording of the Prospectus Regulation is deemed by the Authority to be sufficiently broad to allow for these disclosures to be made without the creation of additional requirements that go above and beyond what the Regulation sets out.


The Consultation Document and the full feedback statement are available on the MFSA’s website on the below links:



Prospective issuers may derive considerable benefit from learning about the opportunities available through STOs, as they have the potential to be a more transparent and efficient way to raise finance. Regulatory clarity is, however, key in such scenarios. We, therefore, suggest getting in touch with us if you are interested to learn more about STOs in Malta or if you have any requests for clarifications.

Author:  Deborah Chappell
The information provided on this website is intended to convey general information only and does not, and is not intended to, constitute legal advice. Should you wish to obtain further information and advice on this subject we invite you to get in touch with one of our practitioners.


You have the questions. We have the answers.

Would you like to set up a meeting?

Give us a call

Drop us a line