ESMA (European Securities and Markets Authority) criticises Malta's crypto licensing under MiCA

What happened?

In April 2025, the ESMA Board of Supervisors decided to establish a ad hoc Peer Review Committee (PRC) The trigger was Malta's status as one of the first EU countries to issue MiCA licenses—significantly ahead of other member states. The suspicion was that speed might have come at the expense of thorough vetting.

The result was published as an Executive Summary on July 10, 2025 (ESMA42-2004696504-8164). The PRC consisted of representatives from ESMA, the European Banking Authority (EBA), and several National Computing Centres (NCAs). The review focused on a single, unnamed crypto-asset service provider (CASP) licensed by the MFSA in the first months of 2025.

MiCA frames in brief

The Markets in Crypto Assets Regulation (MiCA) was introduced on June 29, 2024 It entered into force and has been fully applied since December 30, 2024. Since January 2025, crypto service providers in the EU have been required to apply for a CASP license from their national supervisory authority. Existing providers with a national license issued before the entry into force are exempt from this requirement. Grandfathering phase until June 30, 2026 — they may continue their services under the old regimes during this period, but must submit the MiCA license in due time.

The regulation pursues three main objectives: uniform investor protection in the EU, market integrity (insider trading, market manipulation) and combating money laundering and terrorist financing.

What ESMA specifically criticizes

In the specific case under investigation, the PRC concludes that the MFSA acted improperly during the authorization process. „partially met expectations“ – so partial compliance, not full compliance. The main points:

• Material issues unresolved. At the time the license was granted, key issues — such as business model, IT architecture and compliance — were still unresolved or only covered by remediation plans.
• Timing of authorization. The MFSA granted the license ahead of other NCAs without using the authorization process itself as leverage to address these issues in advance.
• Approach. The MFSA views open issues as a task for ongoing supervision; ESMA, on the other hand, argues that the license should only be granted after clarification.

Important for context: ESMA does not name the CASP. Market speculation suggests it could be OKX (operating in Malta as Okcoin Europe) — the Maltese Financial Intelligence Analysis Unit imposed a €1.2 million fine on Okcoin Europe in April 2025 for AML violations from 2023, shortly after it received its MiCA license in January 2025. There is no official confirmation.

What ESMA views positively

The review is not a blanket condemnation. On the contrary — the MFSA is explicitly praised in several areas:

• Resources and settings: „"Fully meeting expectations." The MFSA's staffing, expertise, and institutional structure meet expectations.
• Ongoing supervision: „"Largely meeting expectations." Supervision following licensing is generally carried out appropriately.
• Early preparation: Malta introduced a national crypto regime with the Virtual Financial Assets Act back in 2018. The MFSA has invested in personnel, university collaborations, and industry outreach.

Recommendations for all NCAs — not just Malta

The central point, which was overlooked in many headlines: The peer review is formally aimed at Malta, which However, the recommendations are directed at all NCAs in the EU/EEA.. ESMA highlights five issues that should be examined more closely in authorization procedures:

• Business models and actual activity (not just the legal shell)
• IT architecture and compliance with the DORA regulation (Digital Operational Resilience Act)
• Growth plans and their resource coverage
• Conflicts of interest at multi-service CASPs (spot, derivatives, custody, DeFi in parallel)
• Exposure to DeFi and unregulated Web3 services
• AML/CFT risks and controls

MFSA reactions

The Maltese regulatory authority has publicly accepted the findings. MFSA CEO Kenneth Farrugia stated that the agency welcomes the recommendations and will incorporate them into its own practices. A spokesperson also clarified: „No MiCA license in Malta is at risk of revocation or re-evaluation as a result of the peer review outcomes.“ The MFSA has committed to completing the implementation of the recommendations by September 2025.

Currently, four MiCA CASPs are listed in Malta: Bitpanda (BP23), Crypto.com (Foris Dax), OKX (Okcoin Europe) and ZBX (Zillion Bits).

Context: Forum Shopping and the debate about the right scale

The peer review touches upon a fundamental question that has been a pressing issue in EU crypto regulation since MiCA came into force: How quickly can—and how quickly must—a license be granted? Malta argues that this is necessary to promote innovation and establish an early market order. Other supervisory bodies, such as the French AMF or the German BaFin, are considered significantly stricter; BaFin, for example, explicitly points out that it only grants "immediately effective, formal licenses," not "preliminary approvals in principle.".

Behind this debate lies the accusation of regulatory overreach. Forum ShoppingCompanies choose the member state with the fastest or least restrictive procedure, obtain the license there, and then use the EU passporting, in order to become active across the EU. Closely related to this is the second major stock market movement of 2025: OKX received the first full MiCA license from Malta in January., in parallel, Bybit, HTX and other global platforms for licensing pathways in various EU countries.

Significance for investors in Germany

Specifically, the peer review process changes little for private investors:

• EU passporting remains in effect. A MiCA license from Malta is recognized in Germany. Platforms like OKX, Crypto.com, and Bitpanda are allowed to continue serving the German market via passporting.
• BaFin's powers remain in place. The German Crypto Markets Supervision Act (KMAG) grants the German supervisory authority supplementary national intervention rights — such as public warnings and the possibility of prohibiting individual crypto offerings in Germany.
• Consumer protection under MiCA is real. The separation of client and own funds, equity capital requirements, market abuse rules, and AML/KYC obligations remain unchanged. What MiCA does not offer is deposit protection on a bank-level basis. For larger holdings, self-custody in a hardware wallet remains the safest option.

Note on forensic practice

From a crypto forensics perspective, regulatory convergence under MiCA is a positive development. KYC data, complaint procedures, and regulatory inquiries function significantly better with licensed EU CASPs than with unregulated offshore platforms. Anyone who suspects that coins originating from a fraudulent case have ended up on an EU-regulated exchange should promptly obtain an initial forensic assessment through a [relevant forensic expert/institution]. Wallet check to toast.

FAQ – Frequently Asked Questions about the ESMA Peer Review