The Malta Financial Services Authority issued Dear CEO Letter directing Boards and senior management to embed business resilience as a strategic priority.
The findings of a recent Thematic Exercise carried out by the MFSA on Business Resilience revealed a number of gaps that would need attention.
The purpose of this particular research study was to carry out a systematic assessment of the sector’s preparedness (or lack thereof) to protect consumer interests at the time of potential disruptions.
The MFSA’s review has reportedly uncovered various trends that are said to directly impact consumer interests:
- Weak Financial Forecasting: Despite claiming positive financial outlooks, several institutions have been consistently reporting losses over multiple years, raising questions about their ability to serve consumers reliably during economic fluctuations, operational disruptions or regulatory changes that may affect their financial health.
- Over-reliance on Major Clients: Some institutions were found to be disproportionately dependent on a limited number of large clients, leaving them vulnerable to disruptions that could compromise service availability and drive-up costs for all consumers if those relationships were to falter.
- Inadequate Risk Assessment: Many financial institutions demonstrated tunnel vision when identifying external threats, focusing solely on IT-related risks while ignoring broader threats that could disrupt services to consumers.
- Insufficient Testing: While most institutions claim to have business continuity plans, many fail to conduct proper annual testing, leaving consumers potentially exposed during actual crisis situations.
- Operational Weaknesses: High staff turnover, challenges in replacing key function holders, and insufficient succession planning were prevalent across institutions. Addressing these vulnerabilities requires greater investment in training and the systematic development of internal talent, ensuring organisational resilience and continuity.
- Business Continuity: While most institutions have continuity and recovery plans, many reported no lessons learned from testing. The MFSA warned that effective testing must generate improvements and be properly documented.
The MFSA says that it expects all FIs to take ownership of resilience at board level, ensuring that it is embedded into business strategy, financial planning, as well as daily operations.
The MFSA outlined several expectations.
- Enhanced Risk Management: Institutions must develop comprehensive risk assessment frameworks that go beyond IT threats to include operational, financial, and reputational risks that could impact consumer services.
- Stress Testing: Financial Institutions should implement annual, rigorous stress tests that include liquidity, financial, and operational dimensions.
- Local Risk Awareness: Group-level monitoring is insufficient; risk assessments must be conducted and owned locally.
- Diversification Strategies: Institutions must reduce over-reliance on major clients and develop strategies to maintain service quality and availability for all consumers.
- Business Continuity: Comprehensive business continuity plans must be properly tested, documented, and regularly updated to ensure consumer services remain protected during disruptions.
Dr Christopher P. Buttigieg, MFSA’s Chief Officer Supervision:
“Resilience is not a compliance box to tick – it is the bedrock of financial stability and consumer protection. Firms must embed robust forecasting, comprehensive stress testing, and the bolstering of third-party arrangements into their core strategy.”
The Authority said it would integrate the findings of the thematic review into supervisory meetings as well as onsite inspections to enhance ongoing compliance efforts.
Long-standing licensees, especially those operating under a license for more than 10 years or so, are now expected to demonstrate a set level of maturity and preparedness that may be considered proportionate to their tenure and overall market experience.