MFSA Urges Financial Institutions to Strengthen Business Resilience

The Malta Financial Services Authority has issued Dear CEO Letterdirecting Boards and senior management to embed business resilience as a strategic priority.

The findings of a recent Thematic Exercise conducted by the MFSA on Business Resilience revealed several gaps that require attention. The purpose of this study was to conduct a systematic assessment of the sector's preparedness to protect consumer interests during potential disruptions.

Key Concerns Identified

The MFSA's review uncovered several trends that directly affect consumer interests:

• Weak Financial Forecasting: Despite claiming positive financial outlooks, several institutions have been consistently reporting losses over multiple years, raising questions about their ability to serve consumers reliably during economic fluctuations, operational disruptions or regulatory changes that may affect their financial health.
• Over-reliance on Major Clients: Some institutions were found to be disproportionately dependent on a limited number of large clients, leaving them vulnerable to disruptions that could compromise service availability and drive-up costs for all consumers if those relationships were to falter.
• Inadequate Risk Assessment: Many financial institutions demonstrated tunnel vision when identifying external threats, focusing solely on IT-related risks while ignoring broader threats that could disrupt services to consumers.
• Insufficient Testing: While most institutions claim to have business continuity plans, many fail to conduct proper annual testing, leaving consumers potentially exposed during actual crisis situations.
• Operational Weaknesses: High staff turnover, challenges in replacing key function holders, and insufficient succession planning were prevalent across institutions. Addressing these vulnerabilities requires greater investment in training and the systematic development of internal talent, ensuring organisational resilience and continuity.
• Business Continuity: While most institutions have continuity and recovery plans, many reported no lessons learned from testing. The MFSA warned that effective testing must generate improvements and be properly documented.

Action Required

The MFSA expects Financial Institutions to take ownership of resilience at board level, ensuring that it is embedded into business strategy, financial planning, and day-to-day operations. The MFSA outlined several expectations.

1. Enhanced Risk Management: Institutions must develop comprehensive risk assessment frameworks that go beyond IT threats to include operational, financial, and reputational risks that could impact consumer services.
2. Stress Testing: Financial Institutions should implement annual, rigorous stress tests that include liquidity, financial, and operational dimensions.
3. Local Risk Awareness: Group-level monitoring is insufficient; risk assessments must be conducted and owned locally.
4. Diversification Strategies: Institutions must reduce over-reliance on major clients and develop strategies to maintain service quality and availability for all consumers.
5. Robust Business Continuity: Comprehensive business continuity plans must be properly tested, documented, and regularly updated to ensure consumer services remain protected during disruptions.

Intensified Regulatory Oversight

"Resilience is not a compliance box to tick - it is the bedrock of financial stability and consumer protection. Firms must embed robust forecasting, comprehensive stress testing, and the bolstering of third-party arrangements into their core strategy," stated Dr Christopher P. Buttigieg, MFSA's Chief Officer Supervision.

The Authority will integrate the findings of the thematic review into supervisory meetings and onsite inspections to reinforce compliance. Long-standing licensees, particularly those operating under a license for more than a decade, are expected to demonstrate a level of maturity and preparedness proportionate to their tenure and market experience.