New Rule on the Security of Internet Payment Services for Malta

Maria Chetcuti-Cauchi | Published on 14 Sep 2015


In August 2015, the Malta Financial Services Authority issued a new rule on the Security of Internet Payment Services for Malta, applicable to Credit, Payment and Electronic Money Institutions.

Scope of New Rule on the Security of Internet Payment Services for Malta

The purpose of this new rule on the Security of Internet Payment Services for Malta (FIR/04 2015) is to align Maltese requirements with the European Banking Authority ("EBA") Guidelines and to establish a set of minimum security requirements for the internet payments sector. Further to the Circular issued by the Malta Financial Services Authority in January 2015 regarding the Guidelines on the Security of Internet Payments issued by the European Banking Authority in December 2014 (the "EBA Guidelines"), the Authority has issued Financial Institutions Rule FIR/04 of 2015 on the Security of Internet Payments of Credit, Payment and Electronic Money Institutions (the "Rule") to ensure that the provisions it prescribes are in line with the EBA Guidelines.

The Rule applies to the provision of internet payment services undertaken by:

  • Credit Institutions licensed in terms of the Banking Act;
  • Payment Institutions licensed in terms of the Financial Institutions Act in order to undertake Payment Services; and
  • Electronic Money Institutions licensed in terms of the Financial Institutions Act in order to issue electronic money.

Where payment integrators offering payment initiation services act as external technical service providers to licence holders, those licence holders shall contractually ensure that the payment integrators also comply with the provisions of the Rule.

Applicability of Financial Institutions Rule FIR/04 2015 

This Rule shall not apply to:

  • Internet payment services other than the following payment services, irrespective of the access device used:
    • the execution of card payments on the internet, including virtual card payments, as well as the registration of card payment data for use in “wallet solutions”;
    • the execution of credit transfers on the internet;
    • the issuance and amendment of direct debit electronic mandate; and
    • transfers of electronic money between two e-money accounts via the internet (such as e-brokerage and online contracts).
  • Payments where the instruction is given by post, telephone order, voice mail or using SMS-based technology;
  • Mobile payments other than browser-based payments;
  • Credit transfers where a third party accesses the customer’s payment account;
  • Payment transactions made by an enterprise via dedicated networks;
  • Card payments using anonymous and non-rechargeable physical or virtual prepaid cards where there is no on-going relationship between the issuer and the cardholder; and
  • Clearing and settlement of payment transactions.

The Rule is focused on enhancing security for payment services and specifically internet payments. The overall requirements are therefore centred on strengthening governance, by requiring institutions to maintain a security policy; risk assessment, which must be carried out at least yearly for internet payments and related services; incident monitoring and reporting procedures; traceability of funds processes; and risk control and mitigation measures. The Rule gives detailed and clear guidance on the policies and measures an Institution is expected to adopt.

Control & Security Measures

In addition to the requirements stated above, the Malta Financial Services Authority has laid out the following specific control and security measures for internet payments:

  • Initial Customer Identification and Information: customer due diligence procedures must be in line with the Prevention of Money Laundering and Funding of Terrorism Regulations, the Implementing Procedures issued by the Financial Intelligence Analysis Unit regarding those Regulations, and any additional anti-money laundering provisions.
  • Strong Customer Authentication: Institutions shall ensure that they maintain a strong customer authentication procedure in order to protect the initiation of internet payments, identify abnormal customer payment patterns, prevent fraud and protect access to sensitive payment data.
  • Enrolment for, and provision of, authentication tools and/or software delivered to the customer: Institutions must ensure that the enrolment for and provision of the required authentication tools is carried out in a secure manner and follows the specific requirements set out in the Rule.

Other specified control mechanisms include data protection and transaction monitoring. Furthermore, the Institution bears the onus of ensuring customer education and awareness regarding the products and services being offered.

This Rule should be read in conjunction with the EBA Guidelines and entered into force on 7 August 2015.
