Malta CASP Authorization: Why KYC Can Make or Break Your License
- 01 Why is the July 2026 CASP deadline a KYC infrastructure event, not a legal filing?
- 02 Why is the FIAU watching crypto closely, and what does that mean for CASP applicants?
- 03 What does MFSA actually check in a CASP authorisation review?
- 04 The five building blocks of a CASP-ready KYC stack
- 05 Why do Malta's banks run their own KYC check before opening your account?
- 06 How does Shufti help Malta's crypto firms pass MFSA review and keep banking access?
TL;DR
- Malta’s VFA grandfathering window ends 1 July 2026, then CASP licensing applies.
- CASP authorisation is a KYC infrastructure event, not a quick legal filing.
- The KYC obligation flows from Malta’s PMLFTR, not from MiCA directly.
- VFA-sector suspicious transaction reports rose to 1,751 in 2024, up 18.6%.
- Source-of-funds verification is the most common MFSA application failure point.
- One audit trail must satisfy MFSA, the FIAU, and correspondent banks.
Malta’s Financial Intelligence Analysis Unit (FIAU) received 1,751 suspicious transaction reports from the virtual financial assets sector in 2024, up from 1,476 the year before (FIAU 2024 Annual Report). That is an 18.6% year-on-year increase in regulatory attention, focused on the same small cluster of firms now rebuilding their licences under MiCA.
A Crypto-Asset Service Provider (CASP) is any firm offering crypto-related services inside the European Union under the Markets in Crypto-Assets Regulation (MiCA), the bloc’s unified crypto-asset rulebook. In Malta, existing Virtual Financial Assets (VFA) licence holders operate under a grandfathering window until 1 July 2026, after which the CASP licence from the Malta Financial Services Authority (MFSA) becomes the only legal basis for providing those services.
The 1 July 2026 CASP deadline is often filed in the legal calendar as a transition event. That framing hides the real risk. CASP authorisation by the MFSA is not a filing event. It is a KYC infrastructure event. Firms that cross the MiCA threshold with their licence and banking access intact are the ones whose onboarding stack can survive three reviewers at once.
Why is the July 2026 CASP deadline a KYC infrastructure event, not a legal filing?
MiCA defines the licensing framework. It does not define the KYC obligation. That obligation flows from Malta’s Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR) and the EU’s AML directives, which operate independently of MiCA’s licensing architecture. The distinction matters because it decides what MFSA assessors are looking for during a CASP application review.
An MFSA application tests whether your onboarding infrastructure meets the AML rulebook, the operational risk expectations, and the governance standards MFSA applies to every regulated firm. A legal filing can be produced in days. KYC infrastructure cannot. If your current stack was built to the VFA regime, you are working with controls designed against a national framework that was narrower in scope than what MFSA now reviews against MiCA-era expectations.
The practical consequence for compliance leads is that the CASP review is a two-layer conversation. MFSA examines the legal structure, the fit-and-proper assessment of directors, and the business model. Assessors then probe whether the AML program, the CDD and EDD workflows, the sanctions and PEP screening coverage, and the audit trail meet the required standard in the real onboarding system, not on paper.
Why is the FIAU watching crypto closely, and what does that mean for CASP applicants?
The FIAU is Malta’s anti-money-laundering supervisor and financial intelligence unit. It scrutinises every regulated sector for the quality of suspicious transaction reporting and the AML controls behind it. In 2024, the FIAU received 9,430 suspicious transaction reports across all sectors, with the virtual financial assets sector contributing the fastest-growing share of that volume. Any CASP application lands on a desk that already knows the attack surface of your business.
The FIAU’s 2024 Annual Report records 187 supervisory interventions and 70 additional enforcement actions across subject persons (FIAU 2024 record). Remote gaming remains the leading reporting sector, but the virtual financial assets sector is the fastest-growing one. Crypto-focused firms filed 1,751 suspicious transaction reports (STRs) in 2024, up from 1,476 in 2023, a rate of growth that outpaced every other regulated category on a percentage basis.
For a CASP applicant, these numbers translate into a specific expectation. The FIAU, and through it the MFSA, expects CASPs to maintain the same calibre of AML programme as an electronic money institution or a licensed bank. Audit trails must survive a thematic review. Flagged customers need a documented rationale. Closed alerts need a named analyst, a time stamp, and a decision record that the FIAU can re-examine two years later without reconstruction work.
The practical test is whether your system can answer, on demand, the question a FIAU supervisor actually asks.

What does MFSA actually check in a CASP authorisation review?
MFSA’s CASP authorisation process is documented publicly and anchored in EU MiCA requirements. The surface of the application looks like a paperwork checklist. Real depth sits in five focus areas where MFSA has historically sent applications back for resubmission. Each one tests operational readiness, not legal eligibility alone.
MFSA’s review is anchored in five focus areas, which are:
| Sr. No. | MFSA Focus Area | What Assessors Test |
| --- | --- | --- |
| 1 | Fit-and-proper assessment | Integrity and experience of directors and senior managers; an unresolved complaint elsewhere slows the application. |
| 2 | Policies and programmes | Whether the written AML and CFT framework matches the live onboarding system. |
| 3 | Governance | Whether the board's role in AML oversight is visible in meeting minutes rather than in policy language. |
| 4 | IT and operational infrastructure | GDPR data protection and how fast the system produces a complete customer file on request. |
| 5 | Source of funds and wealth | Whether there is a working verification process for higher-risk customers; this is the most common failure point. |
The five building blocks of a CASP-ready KYC stack
A CASP-ready KYC stack is five coordinated capabilities that feed a single audit trail. Each one has to stand up to an MFSA review, a FIAU thematic examination, and a correspondent bank’s due diligence questionnaire. Most VFA-era stacks cover one or two of these well and leave the others to manual review, which is the main reason a compliant-looking programme still fails the CASP hurdle. The firms landing authorisation on the first attempt have rebuilt all five.
- Customer Due Diligence (CDD) covers identity, residency, and risk tier for every new customer, with rejected documents flagged by reason code rather than a generic fail. MFSA expects a full audit trail of what was checked and why a decision was made.
- Enhanced Due Diligence (EDD) applies to high-risk customers, politically exposed persons, and transaction patterns breaching risk thresholds. EDD is where VFA stacks most often underperform, because triggers are set too high.
- Source of funds and source of wealth verification uses structured workflows supported by documentary evidence that the FIAU can reconstruct two years after the fact. This is the most common MFSA application failure point.
- Sanctions, PEP, and adverse media screening now carry an ongoing monitoring obligation, not a one-time check. MFSA and the FIAU both expect a customer becoming a sanctioned party or an adverse media subject to be flagged in near real time.
- The FIAU-ready audit trail records every onboarding decision, every alert, and every customer file with a timestamp, the analyst, and the decision rationale. That record has to be reconstructible on demand, not assembled during the audit.

Why do Malta’s banks run their own KYC check before opening your account?
Banking access is the silent survival requirement of the CASP transition. Maltese banks are required to conduct customer due diligence on every business relationship, and correspondent banks in other jurisdictions are required to conduct due diligence on the Maltese banks themselves. A CASP client with weak onboarding controls creates a compounding risk that flows up the correspondent chain, and correspondent banks respond to compounding risk by closing the relationship.
Banks look for three things in a CASP applicant. A documented AML program that maps to MFSA expectations is the baseline. Live onboarding controls, running against real applicants rather than sitting in a policy file, raise the ceiling. And the ability to produce a complete customer file on demand is what passes the bank’s own review, because that is the speed at which correspondent banks ask questions back.
Firms that cannot pass the bank’s KYC test will, in practice, lose access to euro-denominated payment rails. The licence on its own is not a commercially viable position when the banking relationship closes.
How does Shufti help Malta’s crypto firms pass MFSA review and keep banking access?
Shufti’s platform brings customer due diligence, anti-money-laundering screening, and ongoing monitoring into a single onboarding flow that produces a clean audit trail by default. That matters in Malta because the same audit trail has to satisfy three different reviewers in sequence. MFSA examines it during the CASP application, the FIAU examines it during thematic supervision, and a correspondent bank examines it during its own due diligence on the Maltese bank. One stack, one audit trail, three audiences.
The KYC verification layer handles document, biometric, and data checks across a wide span of document types and jurisdictions, which matters when a Malta-registered CASP serves a pan-EU customer base. Continuous AML screening runs sanctions, PEP, and adverse-media checks on an ongoing basis rather than only at onboarding, and surfaces the reasoning behind each alert so that analysts close files with a documented rationale. Both sit under configurable workflows tuned for crypto-specific risk, not a generic screening cascade.
Firms that land their MFSA CASP authorisation on the first attempt and keep their Maltese banking relationships through the transition are the ones whose onboarding system can answer a reviewer’s question on demand.
Every Malta-licensed crypto firm is, in the next fifteen months, going to be assessed against the same MFSA, FIAU, and correspondent-bank standard, and the onboarding stack will either make that a routine event or a commercial crisis. Shufti’s single-platform approach to KYC, AML, and ongoing monitoring is built around the kind of audit trail those three reviewers expect, and it stands up to scrutiny without bolt-ons or vendor patchwork. See how Shufti supports Malta’s regulated firms on its dedicated Malta page, or request a demo and start verifying in minutes.
Frequently Asked Questions
What is the MFSA CASP authorisation deadline in Malta?
Malta's Virtual Financial Assets licence holders operate under a grandfathering window that ends on 1 July 2026, or on the date MFSA grants or refuses the CASP authorisation, whichever comes first. After that point, a CASP licence is the only legal basis for offering crypto-asset services in Malta under MiCA.
What KYC requirements apply to CASPs in Malta?
KYC obligations for Malta CASPs flow from the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR), not from MiCA directly. Customer due diligence, enhanced due diligence for higher-risk customers, source-of-funds verification, sanctions and PEP screening with ongoing monitoring, and a FIAU-ready audit trail are the core elements MFSA assessors expect to see in a live onboarding system.
Why do Maltese banks run their own KYC check on crypto businesses?
Maltese banks face their own due diligence obligations under PMLFTR, and their correspondent banks apply a second layer of scrutiny. A crypto client with weak onboarding controls creates compounding risk up the correspondent chain, which is why many banks test a CASP's AML programme, its live controls, and its audit trail before opening or retaining an account.
What happens to Malta VFA licence holders after 1 July 2026?
A VFA licence holder that has not secured CASP authorisation by 1 July 2026 loses the legal basis to offer crypto services in Malta. Firms that are mid-application at the cutoff typically operate under a transitional arrangement until MFSA issues a decision, but the onboarding stack must meet CASP-grade AML expectations throughout that window.
