
Strengthening Business Resilience: Key Insights from the MFSA’s Thematic Review

September 16, 2025

The Malta Financial Services Authority (MFSA) has published the results of its Thematic Review on Business Resilience among Financial Institutions (FIs). The findings, set out in a recent Dear CEO Letter, provide valuable insight into how well firms are preparing for disruption and where gaps remain. Its conclusions offer important lessons for the industry on how to enhance resilience frameworks in an increasingly complex regulatory environment.

Key Findings

Strategy and Continuity
Most institutions maintain formal business strategies, typically reviewed every one to three years. Yet many focused almost exclusively on IT risks, overlooking wider external threats. Some relied too heavily on group-level monitoring, which the MFSA deemed insufficient for Malta-based operations.

On competitive positioning, many FIs described their differentiators in vague terms, suggesting limited analysis of market dynamics. The regulator urged firms to strengthen their understanding of client needs and competitive pressures, especially in the growing payments sector.

While most respondents had the required business continuity and disaster recovery plans, annual testing was not always carried out. The MFSA also noted inconsistencies: some firms claimed to have tested their plans yet reported no lessons learned — an unlikely outcome that raises questions about the quality of exercises and reporting.

Financial Resilience
The MFSA stressed that sound financial forecasting is central to resilience. Some institutions with years of losses still submitted overly optimistic forecasts, undermining credibility. Access to additional capital also remains a weakness for loss-making firms.

Stress testing was another gap. Several FIs limited their approach to IT scenarios, ignoring financial or liquidity factors, and some did not run stress tests at all in 2024. The MFSA reinforced that stress testing must be holistic and carried out at least annually.

Client concentration was highlighted as a key vulnerability, with some firms heavily dependent on just a few clients. The regulator advised diversification to reduce exposure to such risks.

Operational Resilience
Staff turnover, succession planning, and recruitment for key functions remain ongoing challenges. The MFSA recommended building internal capacity by training junior staff. In addition, some FIs lacked correspondent banking relationships or contingency plans for potential disruptions, limiting growth and exposing them to avoidable risks.

Next Steps

The MFSA expects FIs, particularly long-standing licensees, to have developed robust frameworks and internal capabilities. Institutions should:

  • Maintain comprehensive risk management frameworks covering fraud, cyber, operational, and third-party risks.
  • Clearly define and leverage differentiating factors to remain competitive.
  • Invest in training and succession planning to mitigate human resource risks.
  • Conduct holistic stress testing at least annually.
  • Maintain comprehensive business continuity and disaster recovery plans.
  • Establish contingency measures for non-IT third-party dependencies, including correspondent banks.
  • Continuously refine resilience strategies based on incidents, audits, and regulatory feedback.

Ultimately, the MFSA stressed that business resilience must be a board-level priority. Institutions that allocate sufficient resources to resilience and monitor it continuously will be best placed to deal with potential disruptions and meet regulatory expectations going forward.