Key Takeaways
- According to the review, while the MFSA has adequate resources and a foundation of expertise, it failed to meet expected standards during a recent CASP licensing process.
- Among the areas flagged for stricter supervision were the sustainability of business models, governance structures, intra-group relationships, among others
The European Securities and Markets Authority (ESMA) has identified serious shortcomings in how Malta’s financial regulator approved a crypto asset service provider (CASP) license under the new Markets in Crypto-Assets (MiCA) regulation. In a peer review report published on July 10, 2025, ESMA criticised the Malta Financial Services Authority (MFSA) for authorising a CASP without resolving key risk issues and conducting a comprehensive risk assessment.
According to the review, while the MFSA has adequate resources and a foundation of expertise, it failed to meet expected standards during a recent CASP licensing process. ESMA noted that the regulator granted the license despite outstanding material concerns that should have been addressed during the application phase. The peer review committee emphasised that the MFSA missed an opportunity to require the applicant to resolve key compliance issues before authorisation.
The review stated that Malta is among the most active MiCA license issuers in the European Union, having granted five CASP licenses since the framework came into effect. This places Malta behind only Germany and the Netherlands in terms of the number of MiCA licenses issued. According to data compiled by industry sources, a total of 53 crypto firms have been authorised under MiCA across the European Economic Area (EEA) as of July 2025.
MiCA allows authorized firms to offer their services across all 30 EEA member states without needing to seek regulatory approval in each country. However, ESMA’s report suggests that inconsistent oversight could weaken the integrity of this.
Among the areas flagged for stricter supervision were the sustainability of business models, governance structures, intra-group relationships, conflicts of interest, ICT systems, and the promotion of services not covered under MiCA. The report urged national regulators across the EU to strengthen their supervisory frameworks to ensure full compliance with the regulation.
The MFSA responded to the report by confirming that it has already begun implementing ESMA’s recommendations and expects full compliance by September 2025. The regulator stated that no licenses issued in Malta are currently at risk of revocation or re-evaluation.
As per reports, MFSA claimed that none of the MiCA licenses in the country are at risk of revocation or re-evaluation as a result of the peer review outcomes. Malta has positioned itself as a pro-crypto jurisdiction, having launched its first crypto laws in 2018.
ESMA clarified that the peer review did not assess the individual CASP involved but focused on the MFSA’s authorization procedures. The agency added that it plans to conduct further peer reviews in other EU countries as MiCA supervision expands.
