Malta’s MFSA cryptocurrency licensing practices have recently drawn attention from the European Securities and Markets Authority (ESMA), which oversees implementation of the Markets in Crypto-Assets Regulation (MiCA) across the EU.
In a review released Thursday, ESMA identified several shortcomings in how Malta’s Financial Services Authority (MFSA) authorized a particular crypto asset service provider (CASP). While the report acknowledged that the MFSA met expectations in terms of supervisory structure and staffing, it concluded that the regulator only “partially met expectations” during the licensing process itself.
As a result, ESMA’s Peer Review Committee recommended that the MFSA revisit unresolved issues from the original authorization and re-evaluate aspects that may not have been thoroughly assessed during the initial review.
Malta Review Launched in April
The report follows more than a year after the Markets in Crypto-Assets Regulation (MiCA) came into effect on June 29, 2024—marking a major step forward in the EU’s unified approach to regulating digital assets.
MiCA aims to establish a consistent legal framework across the European Union. As such, ESMA emphasized that all National Competent Authorities (NCAs), including Malta’s Financial Services Authority (MFSA), must follow the same authorization standards when licensing crypto asset service providers (CASPs).
In December 2024, the European Banking Authority’s Board of Supervisors (BoS) adopted a coordinated approach for CASP authorizations. Then, in April 2025, following a series of internal assessments, ESMA’s Board of Supervisors launched a peer review into how the MFSA handled the authorization and early supervision of a specific CASP.
MFSA’s Authorization Fell Short of Expectations
The European Securities and Markets Authority’s (ESMA) Peer Review Committee (PRC), which conducted the review, acknowledged that Malta’s Financial Services Authority (MFSA) has developed solid expertise in the crypto space and allocated sufficient supervisory resources for handling CASP authorizations and ongoing oversight.
The PRC focused its evaluation on three main areas: the supervisory framework and resourcing, the licensing process, and the execution of supervisory powers. While MFSA fully met the expectations for supervisory structure and largely satisfied the criteria for ongoing oversight, the committee found shortcomings in the licensing process for a specific CASP.
According to the review, MFSA only “partially met expectations” during the actual authorization phase. The PRC urged the authority to closely monitor the growing number of license applications and proactively refine its supervisory practices to address potential gaps early in the process.
Four MiCA-Licensed CASPs Registered by MFSA
The European Securities and Markets Authority (ESMA) did not name the crypto asset service provider (CASP) at the center of Malta’s licensing shortcomings, leaving it unclear whether the Peer Review Committee’s (PRC) recommendations could impact any of the licenses already granted.
“It’s difficult to assess the implications without knowing which specific issues remain unresolved,” said Nathan Catania, partner at XReg Consulting, in comments to Cointelegraph. “That said, I don’t expect this report to trigger any license revocations or re-evaluations.”
According to the MFSA’s official register, four CASPs have received licenses under the EU’s Markets in Crypto-Assets Regulation (MiCA):
-
BP23, operating as Bitpanda
-
Foris Dax, trading as Crypto.com
-
Okcoin Europe, known as OKX
-
Zillion Bits, operating under the brand ZBX
Notably, Okcoin Europe faced regulatory penalties earlier this year. In April, Malta’s Financial Intelligence Analysis Unit fined the exchange €1.2 million for compliance violations dating back to 2023. This enforcement action came shortly after the MFSA granted a MiCA license to OKX in January 2025.
