Setting up a crypto and blockchain business in Malta: what international founders need to know
Malta was the first EU member state to enact a comprehensive legislative framework specifically designed for distributed ledger technology (DLT) and virtual financial assets. For international entrepreneurs, this creates a concrete opportunity: a regulated, EU-passportable environment for crypto and blockchain operations, backed by a dedicated supervisory authority and a body of law that addresses the full lifecycle of a virtual asset business. The risks of ignoring this framework are equally concrete - operating without the required authorisation exposes a company to administrative sanctions, criminal liability for directors, and the practical inability to open banking or payment accounts. This article walks through the legal architecture, the licensing process, the optimal corporate structures, the compliance obligations that follow authorisation, and the most common mistakes made by international founders entering the Maltese market.
---
The legal architecture: Malta's three-pillar DLT framework
Malta's regulatory framework for crypto and blockchain rests on three statutes enacted together and administered by the Malta Financial Services Authority (MFSA).
The Virtual Financial Assets Act (VFA Act), Chapter 590 of the Laws of Malta, is the central instrument. It governs the issuance of virtual financial assets, the provision of VFA services, and the conduct of VFA exchanges. The Act defines a virtual financial asset as any form of digital medium recordable value that is not electronic money, a financial instrument under MiFID II, or a virtual token. This definition is operationalised through a four-stage classification test set out in the Act's First Schedule, which determines whether a given digital asset falls under the VFA Act, the Investment Services Act (Chapter 370), the Banking Act (Chapter 371), or falls outside regulated categories entirely.
The Innovative Technology Arrangements and Services Act (ITAS Act), Chapter 591, creates a voluntary certification regime for DLT platforms and technology service providers. Certification under ITAS is not mandatory for most commercial operations, but it signals technical credibility and is increasingly expected by institutional counterparties and banks.
The Malta Digital Innovation Authority Act (MDIA Act), Chapter 592, establishes the Malta Digital Innovation Authority as the body responsible for certifying innovative technology arrangements and promoting Malta as a technology hub. The MDIA and the MFSA operate in parallel: the MFSA supervises financial services aspects, while the MDIA oversees the technology layer.
For founders, the immediate practical consequence of this architecture is that the classification of the digital asset being issued or traded determines which regulatory path applies. A token that qualifies as a financial instrument triggers the Investment Services Act and the full MiFID II regime, which is substantially more demanding than the VFA Act pathway. Getting this classification wrong at the outset - a common mistake among founders who rely on informal assessments - can result in operating under the wrong licence or, worse, operating without any licence at all.
---
The VFA classification test: determining your regulatory pathway
The classification test under the VFA Act's First Schedule is a sequential decision tree. It must be applied to each digital asset before any structuring decision is made.
The first question is whether the asset qualifies as a virtual token - defined as a digital medium of value whose utility, value or application is restricted to the acquisition of goods or services within the DLT platform on which it was issued. If yes, the asset falls outside the VFA Act entirely and is unregulated for financial services purposes, though data protection, consumer protection and general commercial law still apply.
If the asset is not a virtual token, the second question is whether it qualifies as electronic money under the Financial Institutions Act (Chapter 376). E-money tokens trigger a separate licensing requirement with the MFSA under the e-money framework.
If the asset is neither a virtual token nor e-money, the third question is whether it qualifies as a financial instrument under MiFID II - specifically, whether it represents a transferable security, a money market instrument, a unit in a collective investment scheme, or a derivative. Assets that pass this threshold are regulated under the Investment Services Act, and the VFA Act does not apply.
Only assets that fail all three prior tests qualify as virtual financial assets under the VFA Act. In practice, utility tokens with broad external use cases, payment tokens, and hybrid tokens with limited governance rights typically fall into this category.
The MFSA has published guidance on the classification test, but the authority does not issue pre-classification rulings as a matter of routine. Founders who need certainty before committing capital to a structure must engage a VFA Agent - a licensed intermediary who is the mandatory point of contact between the applicant and the MFSA - to conduct a formal classification analysis and, where appropriate, submit a query to the MFSA on the applicant's behalf.
---
Licensing under the VFA Act: services, categories and process
The VFA Act, Article 14, sets out eight categories of VFA service that require authorisation from the MFSA. These are: the reception and transmission of orders, the execution of orders on behalf of clients, dealing on own account, portfolio management, custodian or nominee services, investment advice, the operation of a VFA exchange, and market making. A company may apply for one or more categories simultaneously.
The licensing process has several mandatory stages.
The first stage is the appointment of a VFA Agent. Under Article 7 of the VFA Act, no application for a VFA licence may be submitted to the MFSA without a VFA Agent acting on the applicant's behalf. VFA Agents are licensed by the MFSA and are personally responsible for the accuracy and completeness of the application. The agent conducts due diligence on the applicant, its beneficial owners, directors and key function holders before submitting anything to the MFSA.
The second stage is the preparation of the application package. This includes a detailed business plan, a financial model covering at least three years, a description of the technology systems, a cybersecurity policy, an AML/CFT programme compliant with the Prevention of Money Laundering Act (Chapter 373) and the FIAU's Implementing Procedures, policies for conflicts of interest, safeguarding of client assets, and business continuity. For companies intending to operate a VFA exchange, the technical documentation requirements are substantially more extensive.
The third stage is the MFSA's review. The MFSA has a statutory period of 90 days from receipt of a complete application to issue a decision, though in practice the process frequently extends beyond this period due to requests for additional information. Founders should plan for a total timeline of six to twelve months from engagement of a VFA Agent to receipt of the licence.
The fourth stage is the satisfaction of pre-commencement conditions. The MFSA typically imposes conditions that must be met before the licence becomes operative, including minimum capital requirements. For most VFA service categories, the minimum initial capital requirement is EUR 125,000, rising to EUR 730,000 for operators of VFA exchanges. These figures are set by MFSA rules made under Article 62 of the VFA Act.
The costs of the licensing process are substantial. MFSA application fees vary by service category. VFA Agent fees, legal fees for document preparation, and compliance consultancy fees together typically start from the low tens of thousands of EUR and can reach the low hundreds of thousands for complex multi-category applications. Founders who underestimate these costs frequently run into cash flow problems mid-process, which can cause applications to lapse.
---
Corporate structuring: choosing the right vehicle and ownership architecture
The choice of corporate vehicle and ownership structure is as important as the licence itself. Malta's Companies Act (Chapter 386) provides the primary vehicle: the private limited liability company (Ltd), which is the standard form used for VFA licence holders.
A Malta Ltd requires a minimum share capital of EUR 1,165, though in practice the paid-up capital must meet the MFSA's minimum capital requirements for the relevant VFA service category. The company must have at least one director who is resident in Malta or who can demonstrate sufficient presence to satisfy the MFSA's mind and management test. The MFSA scrutinises the actual location of decision-making: a company with a nominal Maltese director but with all strategic decisions made abroad will not satisfy the requirement.
For international groups, the typical structure involves a Malta operating company holding the VFA licence, with a holding company in a jurisdiction chosen for tax efficiency and investor relations purposes. Common holding jurisdictions used alongside Malta include Luxembourg, the Netherlands, and Cyprus, each of which has a tax treaty with Malta and offers participation exemption regimes for dividend income and capital gains on shares.
The Malta operating company itself benefits from Malta's full imputation tax system. Under the Income Tax Act (Chapter 123), corporate tax is levied at 35%, but shareholders who are not Maltese residents are entitled to a refund of five-sevenths of the tax paid on trading income, reducing the effective rate to approximately 5%. This refund mechanism is a feature of Malta's domestic law and is not dependent on any specific holding structure, though the mechanics of claiming refunds require careful planning.
Beneficial ownership disclosure is mandatory. Under the Companies Act, Article 401A, and the Beneficial Ownership (Disclosure) Regulations (Subsidiary Legislation 386.20), all companies must register their ultimate beneficial owners in the Maltese Beneficial Ownership Register. The MFSA also conducts its own fit and proper assessment of all persons who hold, directly or indirectly, 10% or more of the shares or voting rights in a VFA licence applicant.
A non-obvious risk for international founders is the interaction between the beneficial ownership register and the MFSA's ongoing supervision. Any change in qualifying shareholding - defined as an acquisition or disposal that crosses the 10%, 20%, 33% or 50% thresholds - requires prior MFSA approval under Article 13 of the VFA Act. Founders who restructure their cap table post-licensing without seeking this approval expose the company to licence suspension or revocation.
---
AML/CFT compliance: the operational backbone of a Malta VFA licence
Anti-money laundering and counter-financing of terrorism compliance is not a box-ticking exercise in Malta. The MFSA and the Financial Intelligence Analysis Unit (FIAU) conduct regular supervisory examinations of VFA licence holders, and enforcement action - including significant administrative fines - has been taken against firms whose AML frameworks were found to be inadequate.
The primary legislative instruments are the Prevention of Money Laundering Act (Chapter 373) and the Prevention of Money Laundering and Funding of Terrorism Regulations (Subsidiary Legislation 373.01). VFA service providers are subject matter persons under these instruments and must implement a risk-based AML/CFT programme that includes customer due diligence (CDD), enhanced due diligence (EDD) for higher-risk customers, transaction monitoring, suspicious transaction reporting to the FIAU, and record-keeping for a minimum of five years.
The FIAU';s Implementing Procedures, Part II, contain sector-specific guidance for VFA service providers. This guidance addresses the particular risks of the crypto sector: pseudonymous transactions, cross-border flows, the use of privacy-enhancing technologies, and the challenge of identifying the source of funds for customers whose wealth derives from earlier crypto holdings.
In practice, a VFA licence holder must appoint a Money Laundering Reporting Officer (MLRO) who is resident in Malta and who has direct access to the board. The MLRO is personally responsible for the firm's suspicious transaction reporting obligations. Many international founders appoint an external MLRO initially, which is permissible, but the MFSA expects the function to be internalised as the business scales.
A common mistake is to treat the AML programme submitted with the licence application as a static document. The FIAU expects the programme to be reviewed and updated at least annually, and more frequently when the firm's risk profile changes - for example, when new products are launched, new customer segments are onboarded, or new jurisdictions are added to the firm's geographic footprint.
The Travel Rule, implemented in Malta through amendments to the Subsidiary Legislation 373.01 in line with the EU's Transfer of Funds Regulation (Regulation (EU) 2015/847) and the subsequent Markets in Crypto-Assets Regulation (MiCA), requires VFA service providers to collect and transmit originator and beneficiary information for crypto-asset transfers above EUR 1,000. Compliance with the Travel Rule requires technical integration with a Travel Rule solution provider, which adds to the firm's operational costs and must be factored into the business plan from the outset.
---
MiCA and its interaction with the Malta VFA framework
The EU's Markets in Crypto-Assets Regulation (MiCA), Regulation (EU) 2023/1114, entered into force across the EU and applies directly in Malta. MiCA creates a harmonised EU-wide regime for crypto-asset service providers (CASPs) and issuers of asset-referenced tokens (ARTs) and e-money tokens (EMTs).
The interaction between MiCA and Malta's existing VFA Act is a live regulatory question. The MFSA has confirmed that existing VFA licence holders will be subject to a transitional regime, during which they may continue to operate under their VFA licences while the MFSA processes their applications for authorisation as CASPs under MiCA. The transitional period runs for a defined period from MiCA's application date, and firms that fail to submit their CASP applications within the transitional window will lose the benefit of the transitional regime and must cease regulated activities until they obtain a MiCA authorisation.
For new applicants, the practical question is whether to apply for a VFA licence under the existing Maltese framework or to apply directly for a MiCA CASP authorisation. The MFSA has indicated that it will accept direct MiCA CASP applications, and for firms whose business model is clearly within MiCA's scope, a direct MiCA application may be more efficient. However, for firms whose activities include services or asset types that fall outside MiCA's scope - such as certain DeFi protocols or NFT platforms - the VFA Act may remain the relevant instrument.
MiCA's passporting mechanism is a significant advantage for Malta-based CASPs. A CASP authorised in Malta may provide services across all EU member states on the basis of its Maltese authorisation, subject to notification procedures. This is the same passporting mechanism available under MiFID II for investment firms, and it is one of the primary reasons why Malta remains an attractive jurisdiction for crypto businesses targeting the EU market.
A non-obvious risk in the MiCA transition is the capital requirements. MiCA imposes minimum capital requirements that differ from those under the VFA Act for certain service categories. Firms that are adequately capitalised under the VFA Act may need to increase their capital to meet MiCA requirements before their CASP authorisation is granted.
---
Practical scenarios: three business situations and how the framework applies
Scenario one: a startup issuing a utility token for a gaming platform
A founder based outside the EU wishes to issue a token that grants holders access to in-game assets on a blockchain-based gaming platform. The token has no investment features, no profit-sharing rights, and its use is restricted to the platform's ecosystem. The classification test under the VFA Act's First Schedule indicates that the token is a virtual token, placing it outside the VFA Act. The founder does not need a VFA licence to issue the token, but must comply with Malta's general commercial law, data protection obligations under the GDPR (Regulation (EU) 2016/679), and consumer protection rules. The company can be incorporated as a Malta Ltd with a relatively straightforward setup. The risk of inaction here is different: if the token's features evolve - for example, if secondary market trading is enabled or if the token acquires investment characteristics - the classification may change, and the company must reassess its regulatory position promptly.
Scenario two: a mid-size exchange operator seeking EU market access
An established crypto exchange operating outside the EU wishes to establish a regulated EU entity to serve European retail and institutional clients. The exchange intends to offer spot trading, custody, and portfolio management services. This requires a VFA licence covering at least three service categories, with a minimum capital of EUR 730,000 for the exchange function. The total cost of setup - including VFA Agent fees, legal and compliance consultancy, MFSA fees, and initial capital - will typically start from the low hundreds of thousands of EUR. The timeline from engagement to operational licence is realistically twelve months or more. The business case rests on the value of EU market access and the MiCA passport: a Malta CASP authorisation enables the exchange to serve clients across all 27 EU member states without establishing separate entities in each jurisdiction.
Scenario three: a DeFi protocol seeking a regulatory anchor
A team operating a decentralised finance protocol wishes to establish a regulated entity in Malta to provide a degree of regulatory certainty and to facilitate relationships with banks and institutional partners. The protocol's activities are partially automated and partially operated by a foundation. The regulatory analysis here is complex: the MFSA's position on DeFi is still developing, and the extent to which automated protocol functions constitute VFA services requiring authorisation is not fully settled. The practical approach is to establish a Malta Ltd that provides defined, non-automated services - such as front-end access, customer support, or fiat on/off ramp services - and to seek a VFA licence for those specific activities, while the protocol itself operates under its existing structure. This approach requires careful legal analysis to ensure that the licensed entity's activities are genuinely distinct from the protocol's automated functions.
---
FAQ
What is the most significant practical risk for a crypto company that begins operating in Malta without a VFA licence?
Operating as a VFA service provider without authorisation is a criminal offence under Article 47 of the VFA Act. The MFSA may issue a cease and desist order, impose administrative penalties, and refer the matter to the police for criminal investigation. Directors and officers of the unlicensed entity may face personal liability. Beyond the legal consequences, an unlicensed entity will find it effectively impossible to open a bank account or payment account in Malta or in most EU jurisdictions, since banks conduct their own regulatory due diligence on crypto clients and will not onboard an entity that lacks the required authorisation. The reputational damage from an enforcement action also makes it substantially harder to obtain a licence subsequently.
How long does the VFA licensing process take, and what are the main cost drivers?
The MFSA's statutory review period is 90 days from receipt of a complete application, but in practice the total timeline from initial engagement of a VFA Agent to receipt of an operative licence is typically between six and twelve months, and can extend further for complex multi-category applications or where the MFSA raises substantive questions. The main cost drivers are VFA Agent fees, legal fees for preparing the application documentation, compliance consultancy for the AML/CFT programme and policies, and the minimum capital requirement, which ranges from EUR 125,000 to EUR 730,000 depending on the service categories sought. Founders who underestimate the compliance infrastructure costs - including the cost of a compliant Travel Rule solution, a transaction monitoring system, and an MLRO - frequently encounter budget overruns that delay the process.
When should a founder consider a direct MiCA CASP application rather than a VFA licence application?
A direct MiCA CASP application is worth considering when the founder's business model falls squarely within MiCA's defined service categories and asset types, and when the founder's primary objective is EU-wide market access through the MiCA passport. MiCA's harmonised framework reduces the risk of regulatory divergence between Malta's domestic rules and the EU-wide standard, which is a practical advantage for firms planning to scale across multiple EU jurisdictions. However, for firms whose activities include asset types or services that fall outside MiCA's scope - including certain NFT platforms, DeFi protocols, and some categories of utility tokens - the VFA Act may remain the more appropriate instrument, at least until the regulatory treatment of those activities under MiCA is clarified by the European Securities and Markets Authority (ESMA) and the European Banking Authority (EBA) through their technical standards and guidance.
---
Conclusion
Malta's crypto and blockchain regulatory framework is among the most developed in the EU, offering a clear licensing pathway, EU market access through MiCA passporting, and a tax environment that rewards careful structuring. The framework also demands genuine commitment: the MFSA expects substance, adequate capital, a functioning compliance infrastructure, and ongoing engagement with supervisory requirements. Founders who approach Malta as a light-touch jurisdiction will encounter significant difficulties. Those who invest in proper legal and compliance foundations from the outset will find Malta a genuinely viable base for a regulated EU crypto and blockchain business.
Our law firm VLO Law Firms has experience supporting clients in Malta on crypto, blockchain, and virtual financial assets matters. We can assist with VFA classification analysis, licence application preparation, corporate structuring, AML/CFT programme development, and MiCA transition planning. To receive a consultation, contact: info@vlolawfirm.com