The Malta Financial Services Authority (MFSA) has issued a Dear CEO letter to supervised licence holders detailing prudential expectations for Artificial Intelligence (AI) governance. The regulator issued this communication alongside the introduction of the EU Artificial Intelligence Act. While the Malta Digital Innovation Authority functions as the market surveillance authority under this legislation, the MFSA retains direct responsibility for financial stability and risk oversight.
While current AI adoption among Maltese licence holders remains relatively limited, international developments indicate that the scale, complexity, and criticality of these systems will expand rapidly over the coming years.
The letter outlines three primary regulatory aims across the financial sector. First, licence holders must recognise AI as a prudentially relevant risk area rather than classifying it merely as an operational or technological modification. Second, the communication prompts a structured internal assessment at Board and senior management level to identify control gaps and clarify accountability. Third, the Authority aims to establish consistency and preparedness across the market, allowing firms to align their risk frameworks proactively before fragmented approaches develop across the sector.
A 2025 cross-sectoral assessment by the Authority revealed that a significant proportion of firms lack a formal or board-approved AI strategy. The assessment also showed that entities rely primarily on externally provided tools, particularly generative AI solutions, and have limited internal expertise and governance structures or technical expertise to oversee deployment. This gap remains a central concern for the regulator, as rapid technology adoption without a corresponding strengthening of internal controls increases sector-wide vulnerabilities.
To manage these risks, the MFSA requires boards and senior management to maintain clear governance arrangements and ultimate accountability for all AI deployment, including systems provided by third parties. Emphasis is made that licence holders must define oversight roles across the three lines of defence. This clear separation of duties guarantees effective internal challenge by preventing any single function from exercising unchecked control over the design, deployment, and validation of AI models.
The Authority directs firms to apply heightened scrutiny where AI systems support, enable, or influence critical or important functions under the Digital Operational Resilience Act (DORA). This applies particularly to automated processes affecting customers, financial decisions, or market outcomes.
The regulator has mandated specific operational expectations categorised across several risk domains:
- Third-Party Dependencies: Licence holders must manage AI outsourcing under existing third-party risk management frameworks. Firms are expected to track cloud service providers, model developers, and data vendors to avoid excessive concentration risk and single points of failure.
- Model Risk and Reliability: Risk mitigation requires continuous validation, pre-deployment testing, and ongoing monitoring to detect model drift. Firms must maintain sufficient documentation, audit trails, and model governance artefacts to support internal challenge and supervisory review. If a firm cannot adequately explain or evidence system behaviour, it must restrict or redesign the application.
- Data Governance: Entities must implement frameworks that ensure data used by AI models is accurate, relevant, validated, and compliant with regulatory requirements. This systematic management reduces the risk of biased outputs or data protection breaches.
- Systemic Considerations: Firms must adopt a forward-looking approach to evaluate how shared data sources, common models, or interconnected third-party providers could cause correlated behaviour or amplify market vulnerabilities during stress scenarios.
To assist firms in executing these requirements, Annex 1 of the letter contains a structured self-assessment framework covering process inventories, data governance, and financial crime compliance strategies. Licence holders must use this tool to map vendor dependencies, evaluate oversight arrangements, and identify control gaps. While firms do not need to submit the results to the MFSA immediately, they must integrate the findings into internal operations. Leaders must demonstrate that the assessment occurred, show evidence of Board-level review, and execute clear remedial actions for any identified deficiencies.
The MFSA will monitor compliance by integrating AI-related considerations into ongoing supervisory activities, including onsite inspections and thematic reviews. The regulator will focus specifically on governance frameworks, third-party concentration, risk appetite alignment, and customer-impacting processes.
To support the sector, the Authority will offer targeted training and capacity-building initiatives regarding AI risks and supervisory expectations through the Financial Supervisors Academy (FSA).
Licence holders should review these expectations carefully to determine whether adjustments to internal policies, reporting procedures or governance frameworks are required.
Reach out to us on info@shoulder.mt for support.