AX05 Extended ICT Questionnaire

Uploaded by

14josephfrank14
MFSA-CONFIDENTIAL

MALTA FINANCIAL SERVICES AUTHORITY

Authorisation Forms - Annex

Annex AX05: Extended ICT Questionnaire


High Level Guidelines

1. General

This form, Annex AX05: Extended ICT Questionnaire (‘Annex’), shall be duly filled in by persons
wishing to obtain authorisation from the MFSA to carry out financial services activities. This Annex
shall be submitted as part of and in conjunction with the relevant Authorisation Application Form, as
indicated therein.

This Annex primarily aims to capture relevant information in relation to the Applicant’s Information
and Communications Technology (‘ICT’) infrastructure and arrangements.

In this respect, the Applicant shall, to the best of its knowledge, provide information which is
truthful, accurate and complete. The Applicant shall notify the MFSA immediately if the information
provided changes in any material respect either prior to or subsequent to authorisation.

The Applicant is required to make reference, and where applicable comply with, the relevant Act,
the Regulations made, or Rules issued thereunder during the completion of the Application. The
Applicant shall also refer to the respective National and/or European Regulatory Frameworks or
other binding regulation as may be applicable.

The Applicant shall not tamper with, or modify in any manner, this Annex or its respective
Application. Should it transpire that the documents were tampered with, or modified in any manner,
the Authority shall consider the submission to be invalid. Any potential improvements should be
communicated to the MFSA for consideration.

The Authority may at its sole discretion request from the Applicant further information/
documentation.

2. Definitions

Unless otherwise specified, terms used in this Annex shall have the same meaning assigned to
them within the respective Application.

3. Instructions

In order for this Annex to be considered complete, the Applicant is required to complete all the
respective sections under this Annex. It is noted that the information provided should reflect the
Applicant’s structure and method of operations at time of authorisation.

4. Privacy Notice

The MFSA ensures that any processing of personal data is conducted in accordance with Regulation
(EU) 2016/679 (General Data Protection Regulation), the Data Protection Act (Chapter 586 of the
Laws of Malta) and any other relevant European Union and national law. For further details, you
may refer to the MFSA Privacy Notice available on the MFSA webpage https://www.mfsa.mt/privacy-notice/.

Document ID: AX05_V1 PAGE 1 OF 9


Section 1 - Applicant Details

1.1 Applicant – Identification Details

1.1.1 Registered Name (if not yet Formed, provide proposed name) Enter text

1.1.2 Registered Number (if applicable) Enter text

1.1.3 LEI Code (if applicable) Enter text

Section 2 - Operational and ICT

2.1 ICT Governance and Strategy (GAS)

2.1.1 Is the Applicant's ICT Strategy aligned with the overall business strategy? Select item

2.1.2 How will the Applicant ensure that its resources (human, physical capital / financial, technology) are adequate to support the ICT operational needs and ICT and security risk management processes?

Enter text

2.1.3 Will the established function include a designated person responsible for inter alia establishing, maintaining and overseeing the internal cybersecurity? Select item

2.1.4 If ‘No’: Explain what measures will be put in place by the Applicant to ensure adequate oversight of the internal cybersecurity.

Enter text

2.2 ICT Function

2.2.1 ICT Function

2.2.1.1 Does the Applicant have, or intend to establish, an ICT function? Select item

2.2.1.2 If ‘Yes’: Provide an overview of the structure of the Applicant's ICT Function, including its resources and respective reporting lines, in line with the proposed volume and value of business being proposed.

Enter text

2.2.2 Third-Party Outsourcing

2.2.2.1 Does the Applicant intend to outsource any critical or important ICT systems, services, processes or functions to a Third-Party Outsourcing Provider? Select item

2.2.2.2 If ‘Yes’: Identify the Third-Party Outsourcing Provider/s.

1. Third-Party Outsourcing Provider

Name of Third-Party Outsourcing Provider Enter text

Registration number (if applicable) Enter text

(Add multiple as applicable)

2.2.2.3 Attachment | MFSA Annex – AX03

2.3 ICT Function Holder

This sub-section is only applicable if the Applicant has or intends to establish an ICT Function.

2.3.1 Identification

2.3.1.1 Title Select item

2.3.1.2 Name Enter text 2.3.1.3 Surname Enter text

2.3.1.4 Date of Birth Enter date

2.3.1.5 Identification Document (‘ID’) Type Select item 2.3.1.6 ID Number Enter text

2.3.1.7 ID Expiry Date Enter date 2.3.1.8 Country of Issuance Select country

2.3.1.9 MFSA PQ Code Enter text

2.3.2 Other Positions

2.3.2.1 Does the IT Function Holder hold or intend to hold any other positions within the Applicant? Select item

2.3.2.2 If ‘Yes’: Provide an explanation on the nature of the position/s

Enter text

2.4 ICT Systems Acquisition and Development (SAD)

2.4.1 Will the Applicant's core software application be developed in-house or acquired? Select item

2.4.2 If ‘Developed in-house’: Provide details regarding the segregation of the production environment from development, testing and other non-production environments

Enter text

2.4.3 What measures will the Applicant put in place to test the integrity of its core software application before use and after deployment on a continuous basis?

Enter text

2.5 Technology Arrangements

2.5.1 Will the Applicant's business model utilise any type of innovative technology, including but not limited to, those listed in Question 2.5.2?¹ Select item

2.5.2 If ‘Yes’: Specify which of the following innovative technologies are being utilised

Application Programming Interface (APIs) Select item
Artificial Intelligence (AI) Select item
Big Data Select item
Biometrics Select item
Cloud Computing Select item
Data Analytics Select item
Deep Learning Select item
Distributed Ledger Technology (DLT) Select item
Internet of Things Select item
Machine Learning Select item
Natural Language Processing Select item
New Encryption Methodologies Select item
Quantum Computing Select item
Smart Contracts Select item
Robotic Process Automation Select item
Other (specify) Enter text
(Add multiple as applicable)

2.5.3 Provide details of how these innovative technologies are being utilised

Enter text

2.5.4 What are the technology arrangements (network, systems, applications, ICT security tools and cloud services) the Applicant will put in place?

Enter text

¹ Where applicable, reference is to be made to the definitions falling within scope of the Innovative
Technology Arrangements and Services Act (Chapter 592 of the Laws of Malta) and any Regulations
issued thereunder.

2.5.5 How will the Applicant's technology arrangements interface with customers?

Enter text

2.6 ICT and Security Risk Management

2.6.1 ICT Risk Management (RM)

2.6.1.1 Has the Applicant established a comprehensive risk management framework that includes the mechanism for the management of ICT and Security Risk? Select item

2.6.1.2 Will the Applicant manage its ICT and Security Risks by applying the three lines of defence or a similar internal control framework? Select item

2.6.1.3 If ‘No’: Outline alternative arrangement(s) the Applicant will put in place

Enter text

2.6.1.4 Has the Applicant conducted a preliminary ICT Risk Assessment/ICT Audit on its governance, systems and processes for its ICT and security risks? Select item

2.6.1.5 Will the Applicant have measures and/or mechanisms in place to ensure adequate and continuous monitoring of cybersecurity threats and vulnerabilities? Select item

2.6.1.6 Has the Applicant identified an internal auditor(s) with sufficient knowledge, skills and expertise in ICT and security risks, to provide independent assurance to the Applicant's management body? Select item

2.6.2 Information Security (ISE)

2.6.2.1 Are there any plans to align the information security framework with any internationally recognised standard/framework? Select item

2.6.2.2 Will the Applicant establish an information security policy based on its predefined information security objectives? Select item

2.6.2.3 What measures will the Applicant put in place to ensure that the function responsible for ICT security is segregated from its ICT operations and processes?

Enter text

2.6.2.4 What measures and/or mechanism will the Applicant put in place to ensure that physical access to ICT systems is controlled and restricted?

Enter text

2.6.2.5 What measures and/or mechanism will the Applicant put in place to ensure that logical access to ICT systems is controlled and restricted?

Enter text

2.6.2.6 What encryption techniques will the Applicant adopt to provide data integrity and confidentiality of information?

Enter text

2.6.2.7 If the Applicant is utilising Application Programming Interface (API) to inter-operate with third-parties, what mechanisms and/or measures will the Applicant put in place to ensure security and protection of the API connections?

Enter text

2.6.2.8 What measures will the Applicant put in place to prevent the occurrence of security breaches on ICT systems and services?

Enter text

2.6.2.9 What measures will the Applicant put in place to protect ICT systems against malware and/or other security threats?

Enter text

2.6.2.10 What measures will the Applicant put in place to ensure adequate monitoring and response to security events within the established Incident management framework?

Enter text

2.6.2.11 Will the Applicant implement and/or establish an information security testing framework to validate its cybersecurity posture? Select item

2.6.2.12 If ‘Yes’: provide details on the testing framework.

Enter text

2.6.2.13 Will the Applicant put in place specific ICT security training and awareness campaigns/programmes? Select item

2.6.2.14 Will the Applicant establish a digital platform? Select item

2.6.2.15 If ‘Yes’: Provide the following details:

i) Explain the purpose of such platform.

Enter text

ii) How will the Applicant prevent unauthorised access to its platform?

Enter text

iii) What measures will the Applicant put in place to ensure users are aware and guided
against security risks linked to its platform?

Enter text

2.6.2.16 What processes and procedures would be in place in the event that security controls are not compatible with Third-Party Outsourcing Providers, as applicable?

Enter text

2.6.3 ICT Operations Management (IOM)

2.6.3.1 Will the Applicant's incident management framework include provision on incident reporting to the Competent Authority? Select item

2.6.4 Business Continuity Management (BCM)

2.6.4.1 Has the Applicant established an ICT continuity policy as part of its Business Continuity Policy (BCP)? Select item

2.6.4.2 Does the Applicant's BCP include identification of the data and ICT systems backup and restoration procedures, secondary/backup location, back-up site, access to ICT infrastructure, and the key software? Select item

2.6.4.3 Has the Applicant conducted a potential business impact analysis (BIA) in order to assess its exposure to severe business disruptions and to assess their potential impact on the Applicant's future performance? Select item

2.6.4.4 As part of the BCP, has the Applicant established a Recovery Time Objective (RTO) and a Recovery Point Objective (RPO)? Select item

2.6.4.5 Will the secondary location for disaster recovery be located in a remote site different from the primary location? Select item

2.7 Attachments

2.7.1 Attachment | Enterprise ICT Architecture Diagram

2.8 Trading Platform

This Section is only applicable if the Applicant is implementing a Trading Platform / system.

2.8.1 Will the Applicant use a proprietary online trading platform or will this be developed in-house or acquired? Select item

2.8.2 Please provide relevant details.

Enter text

2.8.3 Will the Applicant's core systems used for trading be developed in-house or outsourced? Select item

2.8.4 If ‘Outsourced’: Explain how the Applicant will ensure it has access rights and audit rights to the core system.

Enter text

2.8.5 What measures will the Applicant put in place to ensure security of transmitted messages during trading?

Enter text

2.8.6 What measures will the Applicant put in place to ensure effective monitoring of trading data during trading?

Enter text

2.8.7 What measures will the Applicant put in place to ensure there is an appropriate testing of its trading algorithms and facilities?

Enter text

2.8.8 What measures will the Applicant put in place to ensure that all employees are provided with necessary training on the trading platforms to be offered to the clients?

Enter text

2.8.9 What measures will the Applicant put in place to sufficiently deal with peak order and messages volumes during trading?

Enter text
