By Emily Benson, Head, & Angela Thorns, Senior Analyst - Conduct Supervision, MFSA
The Company Service Providers (CSP) Act regulates persons who provide CSP services to third parties by way of business.
Late last year, Act L of 2020 passed through Parliament amending the CSP Act and a legal notice will be published giving notice of the coming into force of the amending Act.
The aim of the reform is to meet two objectives: ensuring fit and proper standards, basic good business standards and applicable legal and AML/CFT requirements are met on an ongoing basis, while applying a risk-based and proportionate regulatory approach.
The legal reform centres around three main changes being:
- anyone providing CSP services to third parties by way of business, including warranted professionals, will be required to apply for authorisation to the MFSA. Transitory provisions have been built in the legislation to allow those who will need to apply for authorisation to prepare for this change gradually as explained below.
- the introduction of three classes of CSPs, as set out in the Schedule to the amending Act, categorising CSPs by reference to the service they provide.
- the change from registration to authorisation for all CSPs, including those already in possession of a Certificate of Registration.
The MFSA issued a Consultation Document on the proposed CSP Rule book and Exemptions to the CSP Act in December 2020. A Statement will be issued shortly summarising the feedback received.
In this article we will be focusing on the next steps for those who will now need authorisation.
Anyone providing CSP services to third parties by way of business will be required to comply with the law when it comes into force and apply to the MFSA for authorisation as they will be providing a regulated activity. These persons will have a two-month timeframe within which to apply. A tailormade application will be made available on an online portal requiring data relating to the type and number of customers serviced and information that is usually readily available. Individuals will also submit Personal Questionnaires for the Authority to conduct its ‘fitness and properness’ checks. The Authority will review applications submitted for completeness and communicate with applicants in case of any follow-up queries.
After the two-months are over, the portal will automatically close and the second stage will commence. This involves a period of six (6) months from when the portal closes, when all applicants will receive notification of:
- the category assigned by the Authority, and separately
- whether their application is being authorised, provisionally authorised or declined.
There will be an opportunity to discuss the categorisation with the MFSA, if it is thought that the category selected is not deemed appropriate for the business. At the end of the six months, the exemption of offering CSP services to third parties by way of business will end as all applicants will have received the MFSA’s decision on their application.
The third stage will apply only to those who are provisionally authorised. This will generally be granted to more complex businesses as their internal systems and structures merit further consideration by the Authority. The Authority will look more closely to their applications and the systems put in place before granting an authorisation. During a twelve-month period, provisionally authorised CSPs and the Authority will communicate on any information required to finalise the process. Once the Authority has all the information it needs, their full authorisation, or otherwise, will be decided.
The MFSA will be issuing several publications on this process on its website.
Applicants are invited to have a look at the Company Service Providers section on the MFSA website as this is being updated periodically.