The Malta Financial Services Authority (MFSA) has issued a Dear CEO Letter to licensed investment firms, setting out the key findings and supervisory expectations arising from its 2025 Thematic Review on complaints handling, conducted as part of the Authority’s multi-year Outcomes-Based Supervision initiative.
The review assessed a sample of ten investment firms representing 14% of all investment firms servicing retail clients in Malta, five of which operate on a cross-border basis. Firms included in the scope of the review have been individually notified of the Authority’s findings and are required to take appropriate remedial action. All other licensed investment firms are equally expected to consider the outcomes of this letter and enhance their complaints-handling arrangements where necessary. A follow-up supervisory assessment is planned for 2027.
The review focused on adherence to the complaints-handling requirements under Section 6, Chapter 4 of the Conduct of Business Rulebook (CoBR), which apply equally to business conducted on a cross-border basis. The Authority’s assessment covered governance arrangements, complaints register-keeping, root cause analysis frameworks, website disclosures, and complaint response procedures.
Key Findings
1. Complaints Management Policy (Rule R.4.6.4 CoBR)
While all sampled firms had some form of complaints-handling policy in place, the majority had not reviewed or updated it on at least an annual basis, in one instance, the most recent update dated back to 2018. Policies frequently contained outdated information, including incorrect contact details for the Office of the Financial Services Arbiter, and several lacked version control, senior management endorsement, and firm-specific operational detail. A common shortcoming was the absence of a single overarching policy, with some firms maintaining multiple fragmented documents that created confusion for staff. Cross-border firms largely failed to address host Member State regulatory requirements or provide complaint templates in the relevant EU languages. The MFSA expects investment firms to have a tailored complaints-management policy that clearly assigns responsibility, sets out reporting lines, and explains how complaints are received, assessed, resolved, and monitored. It should also address fair treatment standards, conflicts of interest, complaint templates, cross-border handling, and the Maltese regulatory framework, including the Office of the Financial Services Arbiter where relevant. Policies should be practical, firm-specific, and supported by complete procedures and records to ensure consistency, transparency, and effective oversight.
2. Complaints Management Function (Rules R.4.6.5 and R.4.6.6 CoBR)
In many instances, complaints were managed by the CEO, Compliance Officer, or Board of Directors, roles that may create conflicts of interest and undermine the impartiality required for effective complaints handling. The MFSA has clarified that complaints management must not be handled by the Board directly. The Board’s role is to provide strategic oversight and ensure an effective framework is in place. Where possible, firms should designate an appropriately independent and competent function to manage complaints operationally. Where proportionality applies, the Compliance Officer should assume responsibility. Firms should also proactively notify the MFSA of any change in the responsible individual via the Licence Holder Portal.
3. Registration of Complaints (Rule R.4.6.7 CoBR)
The Authority identified a widespread lack of consistency and granularity in complaints registers. Common deficiencies included missing outcome fields, closure dates, cross-border origin indicators, Arbiter escalation columns, and vague complaint summaries lacking reference to the relevant financial instrument or ISIN. The MFSA expects firms to distinguish between formal complaints and simple enquiries through clear internal procedures, maintain a complete and up-to-date complaints register with sufficient detail for trend and root-cause analysis, and ensure the Compliance Officer has full access to complaint records. The Compliance Officer should monitor and follow up on complaints, while providing regular reporting to the Board so it can oversee trends, risks, and the effectiveness of the complaints-handling framework.
4. Root Cause Analysis (Rule R.4.6.8 CoBR)
Most investment firms had not established a tailored root cause analysis (RCA) framework. Where RCA was in place, it was typically presented at a high level only and did not adequately identify the underlying systemic drivers contributing to complaints. Firms are expected to conduct structured, comprehensive RCA for all complaints regardless of volume, document findings in a formally approved internal report, and use the results to implement corrective and preventive measures.
5. Website Disclosure (Rule R.4.6.9 CoBR)
Thirty-three percent (33%) of investment firms had no complaints-handling information published on their website. Where disclosures were present, they were often difficult to locate, incomplete, or inconsistent with the firm’s internal policy, particularly in relation to acknowledgement and resolution timelines. The MFSA has stated that the absence of published complaints procedures will be considered a failure to meet regulatory obligations. All complaints-handling information must be complete, current, prominently displayed, and written in plain and accessible language.
6. Procedure for Responding to Complaints (Rule R.4.6.10 CoBR)
Significant gaps were identified across firms’ response procedures. Key omissions included: no formal process for acknowledging complaints upon receipt; no documented procedure for handling verbal complaints or obtaining client signatures on written summaries; insufficient detail on evidence gathering and investigation; failure to specify the mandatory 15-working-day response deadline or delay notification procedures; and no explicit reference to the Office of the Arbiter for Financial Services as the external escalation mechanism. The MFSA expects investment firms to acknowledge complaints formally, handle oral complaints properly, gather evidence in a structured way, and communicate clearly with clients, including in relevant host Member State languages where needed. Firms must respond within 15 working days, notify clients of any delay with an indicative completion date, and explain escalation options, including the Office of the Arbiter for Financial Services. Complaint outcomes should be set out in simple, transparent language so clients can understand the firm’s position.
Good practices identified
The Authority highlighted several positive practices observed during the review as benchmarks for the wider industry, including: a firm that maintained a dedicated cross-border appendix within its policy listing country-specific contact details, applicable dispute resolution authorities, and complaint languages; a firm whose Board complaints report included graphical trend analysis, year-on-year comparisons, and KPI tracking across acknowledgement timeliness and complaint closure rates; and a firm whose complaints register included a dedicated column for the country of origin of each complaint.
Way Forward
All investment firms are urged to conduct a comprehensive gap analysis against the findings and expectations set out in this Dear CEO letter and to take prompt remedial action. The MFSA will continuously monitor compliance with applicable regulatory requirements and may engage directly with individual firms on the matters raised.
The full Dear CEO Letter is available on the MFSA website at www.mfsa.com.mt
