Regulatory Influencer: Malta’s Key Observations on Website Practices of Crypto-Asset Service Providers

July 17, 2025
<
Back
Earlier in the year, the Malta Financial Services Authority (MFSA) conducted a thematic review of websites belonging to all the crypto-asset service providers (CASPs) authorised by the MFSA in relation to Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA). This was part of the MFSA’s commitment to consumer protection, ensuring that the information provided was fair, transparent and not misleading. Following its review of websites, the MFSA sent out a Dear CEO letter to CASPs laying out its findings.

Earlier in the year, the Malta Financial Services Authority (MFSA) conducted a thematic review of websites belonging to all the crypto-asset service providers (CASPs) authorised by the MFSA in relation to Regulation (EU) 2023/1114 on Markets in Crypto-Assets (MiCA). This was part of the MFSA’s commitment to consumer protection, ensuring that the information provided was fair, transparent and not misleading. Following its review of websites, the MFSA sent out a Dear CEO letter to CASPs laying out its findings.

The review assessed the extent to which CASPs align with the regulatory expectations and licensing conditions in their public communications set out in MiCA. In accordance with the implementation of MiCA, all CASPs licensed in Malta must operate honestly, fairly and professionally, always acting in the best interests of their clients and prospective clients. The purpose of the MFSA’s review was not only to assess the alignment of these websites with MiCA’s requirements but also to provide licensed entities and applicants with a set of expectations and best practices in relation to website content and disclosures. 

Key considerations

Following the entry into force of MiCA in Europe, on December 30, 2024, a new licensing and operating framework has been established for CASPs operating in and across the European Union, which includes a marketing requirement.

Article 66(2) of MiCA requires CASPs to “provide their clients with information that is fair, clear and not misleading, including in marketing communications, which shall be identified as such”. The MFSA’s review of websites belonging to CASPs focused on evaluating whether the content of these websites adhered to industry best practices and the principles outlined in MiCA. 

The results of the review were categorised into six themes:

  • Website complexity and navigation.
  • Regulatory and risk disclosures.
  • Products and services.
  • Marketing practices and promotions entailing the provision of rewards or other forms of incentives.
  • Disclosure of conflicts of interest.
  • Disclosure of principal adverse impacts.

These six themes can be further categorised into four distinct expectation categories that the MFSA has established following its review.

Website navigation: 

Observation - The MFSA observed that websites were complex in design and structure, featuring multiple navigation layers, which could potentially make it difficult for users to navigate easily.

Expectation - The MFSA expects CASPs to conduct their own assessments to identify areas where their websites can be streamlined and take the necessary steps to simplify the layout and navigation to improve the user experience where needed.

Disclosures:

Observation - The MFSA focused on three types of disclosures during its review: regulatory and risk disclosures; conflict of interest disclosures; and disclosure of principal adverse impacts. Overall, the MFSA observed that CASPs had insufficiently displayed these necessary disclosures on their websites. The disclosures either were not displayed in a prominent place on the website or, when they were displayed, they included incomplete or unclear regulatory references and incomplete descriptions of the services they were authorised to provide.

Expectation - The MFSA expects CASPs to display their relevant licensing statements in a font size that is clearly legible and proportionate to their other content, and it should be placed on at least their homepage. The statement should also include confirmation that they are licensed by the MFSA and the services that they are licensed to provide.

- In relation to risk disclosures, CASPs need to ensure that these disclosures are placed in proximity to the relevant information and in a prominent place that does not reduce the visibility of the warnings.

- Disclosures of conflicts of interest must be clear, transparent and prominent regarding any applicable conflicts of interest.

- Disclosures of principle adverse impacts, covering the adequate identification and disclosure of the climate and other environment-related adverse impacts linked to the crypto-asset services provided, are expected to be fully disclosed in line with Commission Delegated Regulation (EU) 2025/422, ensuring accuracy, completeness and adherence to the specified content and form.

Products and services:

Observation - The MFSA observed references to investment services, unregulated services, and products and services not available for EU/EEA clients on the websites of CASPs.

Expectation - The MFSA expects CASPs to avoid the use of wording that could imply the provision of investment services, as well as other regulated activities that the CASP is not authorised to provide.

  • CASPs are expected to clearly differentiate between regulated and unregulated services on their website and include a clear and prominent disclaimer near the relevant information, explicitly stating that unregulated services are not regulated under MiCA.
  • CASPs are expected to only provide information pertaining to products and services available in the EU/EEA jurisdictions, which are displayed on the website dedicated to EU/EEA clients.

Marketing practices:

Observation - The MFSA observed that CASPs have been engaging in marketing practices that include promotional campaigns offering rewards or incentives to clients.

Expectation - The MFSA urges CASPs to ensure that the terms and conditions of promotions are sufficiently detailed and clearly explain the mechanics of the offer, including any applicable limitations or restrictions. The terms and conditions should be easily accessible and prominently disclosed on the CASP’s website and any related promotional materials.

Why should you care?

In its “Dear CEO” letter, the MFSA clearly sets out the expectations for CASPs to create a clearer and more transparent environment, fostering increased customer protection and providing more accurate information to potential and existing clients. Following the publication of the CEO Letter, the MFSA held a workshop for CASPs in which it outlined the key conduct rules for operators. It provided an in-depth look into the MFSA’s supervisory expectations under MiCA and discussions focused on conduct obligations, compliance requirements and practical supervisory insights which equipped participants with the tools to operate within the new regulator framework.

Failing to comply with the MFSA’s expectations for CASP websites is not just a technical breach, it can have further implications for a CASP licence, legal standing and reputation. Sector-wide non-compliance could cause the MFSA to take a tighter line in its supervision of CASPs and lead to the imposition of fines for those that fail to adhere or make changes. This has been seen in the UK regarding the newly established financial promotions regime, which interplays with the UK anti-money laundering regime to tackle financial crime, under which the Financial Conduct Authority imposed a £3.5m fine on a firm enabling crypto-asset trading. The MFSA, alongside the Malta Financial Analytical Unit (FIAU), released a note on combating the financing of terrorism via the abuse of crypto-assets and CASPs in July 2025, reminding all subject persons about the importance of having robust measures in place. This signals the MFSA’s focus on AML in relation to CASPs.   

Other possible repercussions of failure to comply with the expectations of the MFSA include:

  • An increase in regulatory action such as warnings and notices, administrative penalties, licence suspensions or revocation and enforcement proceedings.
  • Legal liability, which could lead to civil claims due to misleading or non-compliant website content and breach of consumer protection laws for failure to disclose risks or terms clearly.
  • Reputational damage resulting in loss of trust from the public and possible reduced business opportunities.

To fulfil the MFSA’s detailed expectations, CASPs should look to take steps to complete them. These measures should include:

  • Conducting an assessment of their websites and updating them to ensure that all disclosures are adequately displayed and the visibility expectations are complied with.
  • Reviewing their licensing statements to ensure that they detail all the necessary information, including a full disclosure of the services they are authorised to provide and those they are not.
  • Reviewing the impact of their services on the climate and environment and updating their principal adverse impact disclosures to accurately reflect the findings and impact.
  • Reviewing their promotion and marketing materials to ensure that they align with the MFSA’s Circular on marketing campaigns in relation to financial products or services linked towards rewards or giveaways.
  • For CASPs that offer/provide services outside the EU, they should either establish a dedicated website catering to EU/EEA clients or establish geo-blocking or redirection mechanisms to ensure that only services available for EU/EEA clients are displayed to them.

With the introduction of MiCA and the requirements it places on CASPs regarding the information they present to existing and potential clients, regular audits of their websites for regulatory alignment are the way forward. Malta is one of the first jurisdictions that has issued expectations and good practices for CASPs relating to their requirements under Article 66 of MiCA and may signal a trend across other EU states. CASPs that follow through on the expectations of the MFSA and make the necessary changes to ensure that their websites are compliant in Malta will set themselves up for success in other EU states that they operate in due to the nature of MiCA and its applicability across the EU. 

Toba Ojuri

Our premium content is available to users of our services.

To view articles, please Log-in to your account. Alternatively, if you would like to gain access to the tools that will help you navigate compliance risk with confidence please get in touch today.

To read more articles like this, along with gaining access to the tools that will help you navigate compliance risk with confidence, request a demo of our RegTech platform today.

Related articles

July 17, 2025

Bailey Cool On UK CBDC Suggestions

Hopes of a British central bank digital currency (CBDC) were dealt a blow by the governor of the Bank of England, Andrew Bailey, who said he “remained to be convinced” of the need for one.
Read article
July 17, 2025

EU Lawmakers Insist Digital Euro Must Safeguard Privacy And Preserve Cash Access

The European Parliament’s Civil Liberties Committee (LIBE) has called for stronger guardrails for privacy and guaranteed access to physical cash in its opinion on the EU's proposed legislation to establish a digital euro.
Read article

Opt in to hear about webinars, events, industry and product news

Gambling Compliance

Learn more

Payments Compliance

Learn more
Still can’t find what you’re looking for? Get in touch to speak to a member of our team, and we’ll do our best to answer.
Contact us
No items found.
Crypto-Assets
Malta

Please choose your preferred
service to log in to.

GamblingCompliance
PaymentsCompliance
Don’t have an account?