The Malta Financial Services Authority (“MFSA”) has issued a Dear CEO Letter outlining its supervisory expectations regarding the adoption and use of Artificial Intelligence (“AI”) across Malta’s financial services sector.

The communication reflects the evolving European regulatory landscape following the introduction of the EU Artificial Intelligence Act and forms part of the MFSA’s ongoing supervisory work to ensure that AI adoption develops in a manner that supports financial stability, consumer protection and market integrity.

The expectations apply to MFSA-supervised licence holders across the financial services sector.

Increasing Adoption of AI Across Financial Services

The MFSA notes that AI is increasingly being integrated into financial services operations, including risk management, customer interaction, financial crime monitoring and internal analytics. While AI adoption among Maltese licence holders remains at an early stage, the Authority expects the scale and complexity of AI use to increase significantly over the coming years.

The Authority emphasised that the use of AI does not alter the fundamental objectives of financial regulation, namely the protection of consumers, the safeguarding of financial stability and the preservation of market integrity.

“The MFSA expects firms to adopt a forward-looking approach to AI governance, risk management and operational resilience,” stated Alan Decelis, Head, Supervisory ICT Risk and Cybersecurity, in the Dear CEO Letter.

Supervisory Expectations Relating to AI Governance and Risk Management

The Dear CEO Letter outlines the MFSA’s supervisory expectations in several key areas, including:

• Board and senior management accountability for AI systems;
• Governance and oversight arrangements;
• Third-party dependencies and concentration risk;
• Model validation, monitoring and reliability;
• Data governance and regulatory compliance; and
• Operational resilience and systemic risk considerations.

The Authority expects licence holders to recognise AI as a prudentially relevant risk area and ensure that AI-related risks are embedded within existing governance, risk management and internal control frameworks.

Self-Assessment Framework and Ongoing Supervisory Engagement

As part of its supervisory engagement, the MFSA has developed a structured self-assessment framework to assist firms in evaluating current and anticipated AI use cases, governance arrangements, third-party dependencies and control environments.

While firms are not currently required to submit the assessment results to the Authority, licence holders are expected to demonstrate that:

• the assessment has been performed;
• the outcomes have been considered at Board and senior management level; and
• identified gaps are being addressed through appropriate remedial action.

The MFSA confirmed that AI-related considerations will continue to form part of its supervisory activities, including thematic reviews and onsite inspections. Particular focus will be placed on governance frameworks, outsourcing arrangements, the use of AI in customer-impacting processes, and alignment between AI adoption and firms’ risk appetite.

The Authority also announced that targeted AI-related training and capacity-building initiatives will be offered through the Financial Supervisors Academy to support firms in strengthening internal expertise and oversight capabilities.