Malta’s process for licensing crypto asset service providers (CASPs) has come under the microscope of Europe’s top securities regulator, which says the country’s approval procedures fell short in key areas.
In a review published Thursday, the European Securities and Markets Authority (ESMA) found that Malta’s Financial Services Authority (MFSA) only “partially met expectations” when authorizing one CASP under the EU’s new MiCA rules. The regulator did not name the company involved.
While ESMA acknowledged that Malta had adequate staffing and sector expertise, it said the MFSA failed to fully address pending issues at the authorization stage, raising questions about how rigorously some applicants were vetted.
The peer review, launched in April 2025, aimed to assess how closely Malta is aligning with MiCA—Europe’s flagship crypto framework. The findings could have implications not only for Malta but for other EU regulators preparing to license crypto firms under MiCA.
MiCA, which began taking effect in 2024, seeks to harmonize digital asset rules across the bloc. While the framework attracted leading firms, not all players are on board. Tether, issuer of the USDT stablecoin, has opted out of MiCA registration, prompting some exchanges to delist the token in response.
“Due to the novelty and nature of these entities—as well as the inherent risks of their business model—the PRC recommends all NCAs pay close attention to key aspects of the authorization process,” ESMA’s peer review committee said.
The report urged the MFSA to step up its monitoring of new applicants and to reassess any material issues that were unresolved at the time of granting a license.
So far, four crypto firms are listed in Malta’s MiCA register: Bitpanda (BP23), Crypto.com (Foris Dax), OKX (Okcoin Europe), and ZBX (Zillion Bits). The review did not specify whether any of these were involved.
Back in April, Okcoin Europe was fined €1.2 million by Malta’s Financial Intelligence Analysis Unit over compliance violations tied to 2023 activity—just months after the firm received its MiCA license.
The penalty stems from a 2023 compliance review in which authorities uncovered “serious and systematic” weaknesses in OKX’s AML processes. The FIAU cited shortcomings in the firm’s business risk assessment (BRA), which failed to address threats posed by privacy-focused tools like coin mixers, stablecoins, and activity on decentralized exchanges. Regulators also flagged concerns over exposure to jurisdictions outside of Europe, despite OKX’s stated intent to serve only EU-based users.
Although the FIAU acknowledged that OKX made “major strides” in upgrading its compliance framework over the past 18 months, it said the previous lapses were too severe to overlook.
