1 Legal and enforcement framework

1.1 What general regulatory regimes and issues should blockchain developers consider when building the governance framework for the operation of blockchain/distributed ledger technology protocols?

The blockchain economy allows for a new form of organisational design through decentralised autonomous organisations (DAOs), whose governance rules are specified in the blockchain. However, the recent experiences of some DAOs have highlighted that since they are run through smart contracts, if there is a bug or error in the smart contract code, the potential remedial effects could be problematic due to the autonomous enforcement mechanisms in place.

For this reason, DAO governance mechanisms should be examined and design-oriented research should be conducted to identify solutions to the risks of smart contracts and propose risk management mechanisms to mitigate such risks.

1.2 How do the foregoing considerations differ for public and private blockchains?

See question 4.7.

1.3 What general regulatory issues should users of a blockchain application consider when using a particular blockchain/distributed ledger protocol?

Privacy laws, contractual laws, IT security regulations and standards, and industry-specific laws – for example, financial services laws in relation to stablecoins and securities laws in relation to security tokens.

1.4 Which administrative bodies are responsible for enforcing the applicable laws and regulations? What powers do they have?

The authority which deals with licensing is the Malta Financial Services Authority (MFSA). The MFSA grants and revokes licences and has the power to issue hefty fines. When it comes to anti-money laundering, following findings from police investigation units, the Financial Intelligence Analysis Unit and the courts have the power to enforce the applicable rules and regulations.

1.5 What is the regulators' general approach to blockchain?

The Malta Digital Innovation Authority (MDIA) is responsible for certifying and auditing distributed ledger technology (DLT) and blockchain technology systems. The MDIA works with the MFSA in relation to the granting of licences to service providers that utilise DLT and blockchain technology. The reason that Malta adopted this approach is to ensure that specialised tech experts can check the tech side of things, in order to maintain high standards of security and quality.

1.6 Are any industry or trade associations influential in the blockchain space?

The Malta Blockchain Association often organises events in collaboration with key industry players, such as Finance Malta. The University of Malta also conducts research and has introduced some crypto and blockchain-related courses; and the MDIA is quite active in carrying out technical research in the field.

2 Blockchain market

2.1 Which blockchain applications and protocols have become most embedded in your jurisdiction?

Reportedly, more than 51% of such applications and protocols are built on Ethereum.

2.2 What potential new applications/protocols are most actively being explored?

Various sectors – including finance, pharmaceuticals and supply chain/distribution – are exploring and shifting to blockchain technology, thanks to its capacity to resolve issues relating to factors such as trust and accountability.

2.3 Which industries within your jurisdiction are making material investments within the blockchain space?

Much development is taking place within the capital markets space. Players include the stock exchange and security token offering issuers, as well as crypto-exchanges (eg, BTC, ETH and Tether).

2.4 Are any initiatives or governmental programmes in place to incentivise blockchain development in your jurisdiction?

The Malta Information Technology Agency has established accelerator programmes that offer pre-seed investment to blockchain and fintech start-ups. The government is also investing around €200,000 in scholarships relating to distributed ledger technology. The Maltese government has also implemented various national artificial intelligence strategies with the aim of promoting investment, innovation and adoption, and attracting skilled talent to the island.

3 Cryptocurrencies

3.1 How are cryptocurrencies and/or virtual currencies defined and regulated in your jurisdiction?

Maltese law groups tokens into four main categories, as follows:

  • Virtual tokens: A form of digital medium recordation which has no utility, value or application outside the distributed ledger technology (DLT) platform on which it was issued, and which may only be redeemed for funds on such platform directly by the issuer. These are commonly known as ‘utility tokens’. Utility tokens are not traded on exchanges.
  • Electronic money: Electronically (including magnetically) stored monetary value as represented by a claim on the issuer which is issued on receipt of funds for the purpose of making payment transactions (eg, stablecoins backed by fiat).
  • Financial instruments (security token): The meaning here is the same as that set out in the second schedule of the Maltese Investment Services Act. These include instruments such as transferable securities, money market instruments and units in collective investment schemes.
  • Virtual financial assets: Any digital medium recordation that is used as a digital medium of exchange unit or an account or store of value, but which is not electronic money, a financial instrument or a virtual token (eg, Bitcoin, Ethereum).

3.2 What anti-money laundering provisions apply to cryptocurrencies?

Under Maltese law, the requirements of the Fifth Money-Laundering Directive apply to crypto-related service providers.

3.3 What consumer protection provisions apply to cryptocurrencies?

Usually, persons launching and registering a white paper must address risks involved with purchase of such tokens and include refund mechanisms in case the promises set out in the white paper are not delivered. The licence requirements for service providers such as exchanges include implementing certain procedures and employing personnel to cater for complaints handling, incident reporting and customer care. These must also be made available on service providers' websites.

3.4 How are cryptocurrencies treated from a tax perspective?

In November 2018 the Malta Commissioner for Revenue issued tax guidelines on the income tax, stamp duty and value added tax (VAT) treatment of transactions or arrangements involving DLT assets.

In relation to initial coin offerings (ICOs), the guidelines state that proceeds from token generation events will not be taxed.

For the purposes of the guidelines, tokens are divided into financial tokens, utility tokens and hybrid tokens (bearing characteristics of both). In relation to financial tokens (security tokens), for income tax purposes, returns derived from security tokens – whether in crypto or in fiat – should be treated as income. In relation to the transfer of tokens, the tax treatment depends on whether the transfer is a trading transaction or the transfer of a capital asset. Trading profits are taxable; however, capital gains are taxable only insofar as the token meets the definition of a ‘security’.

In terms of security token offerings aimed at raising capital, this will not give rise to any VAT implications, since the raising of finance itself does not constitute the supply of goods or services.

3.5 What regulatory requirements apply to a cryptocurrency trader/exchange?

Service providers of exchange platforms will be treated like normal companies and will thus be taxed under the normal tax rules applicable to Maltese companies. For VAT purposes, the provision of a trading or exchange service against payment for a user transaction fee constitutes the supply of services for consideration and will therefore fall under the Maltese VAT regime, unless an exemption applies. Tax exemptions for trading/exchange platforms depend on the nature of the service being supplied. Relevant factors include whether the service being provided is purely technological.

Trading profits are taxable; however, capital gains are taxable only insofar as the token meets the definition of a ‘security’ set out in the Income Tax Act (eg, Bitcoin and Ethereum do not qualify as securities).

3.6 How are initial coin offerings and securities token offerings defined and regulated in your jurisdiction?

ICOs are defined as a way to raise capital through the sale of tokens or coins to the public. Tokens which are not classified as securities are classified as ICOs. In order to launch and sell tokens through an ICO, an issuer must draft, register (with the Malta Financial Services Authority) and launch a white paper that complies with local laws.

A security token is a traditional security as is described in traditional securities legislation, including commodities (eg, gold and other precious metals), shares and bonds whereby the rights and obligations of token holders are embedded in token form and transactions recorded on the blockchain (eg, dividend payments).

When it comes to stablecoins, if the stablecoin's business model involves backing the token by a fiat currency (to ensure stability) and exhibits similar characteristics to electronic money, then it may be necessary to apply for a financial institution licence. Many EU jurisdictions are in agreement on this point.

4 Smart contracts

4.1 Can a smart contract satisfy the legal requirements of a legal contract under the laws of your jurisdiction? What will be considered when making this determination?

The prerequisites for the validity of a contract under Maltese law are as follows:

  • capacity to contract;
  • consent of the parties;
  • causa – subject matter; and
  • lawful consideration.

The absence of any one of these requirements will render the contract null and void in the eyes of the law.

In Malta, registered smart contracts must comply with the Malta Digital Innovation Authority (MDIA) and Innovative Technological Arrangements Services (ITAS) regulations. These regulations ensure that certain safeguards are in place to prevent material loss to users and material breaches of the law. For example, the regulations state that there should be an in-built technological feature to enable a technical administrator to intervene in case of material breach. They must also specify that the courts of Malta have jurisdiction (even though users will be located all over the world). The technology must further include an in-built feature in relation to alternative dispute resolution – providing a quick, cheap and efficient electronic procedure to allow users from all over the world to enforce their rights.

The Maltese Civil Code will soon be amended to include smart contracts (as defined in the MDIA and ITAS regulations) in the definitions.

4.2 Are there any regulatory or governmental guidelines or policies within your jurisdiction which provide guidance on regulating/defining smart contracts?

Yes, the MDIA and ITAS regulations focus on this technology.

4.3 What parts of traditional contract might smart contracts be able to replace?

Smart contracts are agreements in digital form that are self-executing and self-enforcing, based on the fulfilment and verification of certain conditions. Such processes afford considerable efficiency, due to features such as automation, removal of middlemen/the human element, and an auditing function. Smart contracts have become quite advanced and are being built with features that allow for the reversal of transactions or wrongfully obtained funds and dispute resolution mechanisms.

Smart contracts can replace traditional contracts in situations where the certainty of a result can be achieved. Smart contract verification responds to binary situations (yes or no), but not to situations which are open to interpretation or which can be adjudicated based on retrospective events.

4.4 What parts of traditional contracts might smart contracts be unable to replace?

There are certain situations in which smart contracts should not be used. For example, a contract may include phrases which are open to interpretation, such as ‘best efforts’, ‘good faith’ or ‘what a reasonable person would do’; these subjective phrases are difficult to reduce to computer code. Certain situations might also still require human intervention. As smart contracts are programmed to respond to a set of rules, how can one expect such rules to capture all possible scenarios, thus removing the need for lawyers or formal dispute resolution altogether? While smart contracts are generally effective and efficient, they are not omnipotent.

Furthermore, smart contracts are programmed to execute transactions based on the design of the smart contract code when it was created; so unless such code includes an option for re-negotiation, the parties are bound by the contractual terms and the possibility to modify the terms is excluded.

4.5 What issues might present themselves in your jurisdiction with regard to judicial enforcement of smart contracts?

Off-chain enforcement may be required in the event of certain smart contract breaches. This may cause problems where pseudonymity is coupled with an international aspect. This is why the identification of the parties that consent to jurisdictional clauses in smart contracts is imperative. If the parties wish to remain private, smart contracts cannot rectify or resolve breaches and disputes may arise.

4.6 What are some practical considerations that parties should consider when drafting a smart contract?

Parties in blockchain nodes may incur legal liability – especially if the network applies proof of authority (ie, when block validators stake their reputation instead of coins). What happens if there is a bug in the code, which makes an unfair or devious transaction resemble a legitimate transaction as far as the code is concerned? Should the smart contract address the liability and type of recourse in case of such risks? Will the developers of the code be liable?

Off-chain enforcement may be required in the event of certain smart contract breaches. This may cause problems where pseudonymity is coupled with an international context. This is why the identification of the parties that consent to jurisdictional clauses in smart contracts is imperative. If the parties wish to remain private, smart contracts cannot rectify or resolve breaches and disputes may arise.

4.7 How will the foregoing considerations differ when smart contracts are running on a private versus public blockchain?

The main difference between public and private blockchains is the level of access granted to participants. Public blockchains are decentralised and completely open and transparent, allowing anyone to participate by verifying or adding data to the blockchain. Private blockchains are permissioned, which controls user access to information. A private blockchain network requires an invitation and must be validated either by the network or by a set of pre-defined rules established by the network. Only entities participating in a particular transaction will have knowledge of and access to it – other entities will not have access to it.

As private blockchains are run by private individuals, there is a higher risk of fraudulent behaviour, since powerful actors may make decisions in favour of persons within the group.

On private blockchains, the possibility for review and audit is also limited, since permission is required to access data. When it comes to public blockchains, anyone can run a node and access the ledger to review and audit it, making it more transparent and reducing the risk of malicious behaviour.

Private blockchains may be completely centralised and may thus allow for certain corrections and changes to data stored on the chain which may not be possible on public blockchains, as these require consensus. From a legal perspective, a private blockchain allows for a governance structure to be set up that can correct faulty data and account for situations where legal enforcement comes into play. However, since such a structure may be centralised, this runs counter to the advantages afforded by blockchain technology, which is based on openness, trust, transparency and the absence of middlemen.

5 Data and privacy

5.1 What specific challenges or concerns does blockchain present from a data protection/privacy perspective?

In their current state, most smart contracts are not entirely confidential. Certain advantages of blockchain may simultaneously be some of the biggest drawbacks when it comes to data protection legislation. For example, there is uncertainty as to whether blockchain violates the EU General Data Protection Regulation (GDPR), as an immutable ledger is incompatible with the right to be forgotten. Also, if parties are not comfortable with the lack of confidentiality, then public smart contracts may not be a viable option to replace traditional contracts.

Further, the development of blockchain projects should include careful assessment as to what sort of data is being stored and whether it could be considered to be personal data.

A common workaround is to store the main data outside of the blockchain (on a sidechain) and use blockchain for verification, time-stamping and ordering.
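The pattern described above, as an added example that is not part of the original article: personal data stays in an off-chain store, and the ledger holds only a keyed digest, a timestamp and a link to the previous entry. The names `Ledger`, `OffChainStore` and `commit` are hypothetical, the ledger is a toy in-memory hash chain rather than a real blockchain client, and the sample records in the demo are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time

GENESIS = "0" * 64
FIELDS = ("index", "prev", "commitment", "timestamp")

def _canonical(obj) -> bytes:
    # Stable byte encoding so the same record always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def commit(data: dict, salt: bytes) -> str:
    # Keyed digest with a random per-record salt: a bare hash of low-entropy
    # personal data (names, account numbers) could be matched by guessing.
    return hmac.new(salt, _canonical(data), hashlib.sha256).hexdigest()

class Ledger:
    """Toy append-only hash chain standing in for the blockchain (assumption)."""
    def __init__(self):
        self.entries = []

    def append(self, commitment: str, timestamp: float) -> int:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"index": len(self.entries), "prev": prev,
                "commitment": commitment, "timestamp": timestamp}
        body["entry_hash"] = hashlib.sha256(_canonical(body)).hexdigest()
        self.entries.append(body)
        return body["index"]

    def verify_chain(self) -> bool:
        # Recompute every link; any edit to an entry breaks it or a later one.
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: e[k] for k in FIELDS}
            digest = hashlib.sha256(_canonical(body)).hexdigest()
            if e["index"] != i or e["prev"] != prev or e["entry_hash"] != digest:
                return False
            prev = e["entry_hash"]
        return True

class OffChainStore:
    """Holds the personal data and salts; only commitments reach the ledger."""
    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self.rows = {}

    def put(self, record_id: str, data: dict, timestamp=None) -> int:
        salt = secrets.token_bytes(32)
        ts = time.time() if timestamp is None else timestamp
        index = self.ledger.append(commit(data, salt), ts)
        self.rows[record_id] = {"data": data, "salt": salt, "index": index}
        return index

    def prove(self, record_id: str) -> bool:
        # True only if the stored record still matches its anchored commitment.
        row = self.rows.get(record_id)
        if row is None:
            return False
        anchored = self.ledger.entries[row["index"]]["commitment"]
        return hmac.compare_digest(commit(row["data"], row["salt"]), anchored)

    def erase(self, record_id: str) -> None:
        # Deleting data and salt leaves only an unlinkable digest on the ledger.
        self.rows.pop(record_id, None)

if __name__ == "__main__":
    ledger = Ledger()
    store = OffChainStore(ledger)
    store.put("cust-1", {"name": "Alice Example", "ref": "CONSTRUCTED-001"})
    print(store.prove("cust-1"), ledger.verify_chain())
    store.erase("cust-1")
    print(store.prove("cust-1"), ledger.verify_chain())
```

After `erase`, the ledger entry and its ordering remain verifiable, but nothing in the system can recompute or match the commitment.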

Also, zero-knowledge proofs can be used to ensure that only non-personal data can be derived from an entry on a blockchain.

5.2 What potential advantages can blockchain offer in the data protection/privacy context?

The nature of blockchain technology, which has no centralised storage of private data, means that there is no single point of failure, which greatly increases the security of the system. It allows users to digitise and store assets in a way that ensures they cannot be copied, tampered with or duplicated without permission through the use of cryptography. Thus, security is a key advantage of this technology.

Further, although some transactions may be pseudonymous, creating a risk of potential criminal activity, chain analytics can be used to trace such transactions.

6 Cybersecurity

6.1 What specific challenges or concerns does blockchain present from a cybersecurity perspective?

The cybersecurity challenges include the following:

  • Key management: Private keys are a direct means of authorising activities from an account, so if an adversary were to get hold of them, any assets secured in a wallet could be compromised.
  • Cryptography: Most blockchains rely on cryptography, which generates public and private keys to operate. Some of the programs that generate these keys have been identified as weak.
  • Privacy: In a permissionless ledger, all counterparties can download the ledger, which means that they could attempt to explore a person's transaction history. One potential solution is Hyperledger technology, which can allow for certain customisation and security protections.

6.2 What potential advantages can blockchain offer in the cybersecurity context?

Blockchain operates on a distributed network and uses complex encryption methods and algorithms to verify and store data. These features provide strong security elements.

Since blockchain is decentralised and has no single centralised point of entry, certain attacks – such as distributed denial-of-service attacks – which target centralised systems are harder to effect, given that hackers will have to gain access to multiple nodes in the system.

Since data cannot be removed from a blockchain, new or edited data is added on top of old blocks and all changes are visible. This makes it harder to tamper with data.

6.3 What tools and measures could be implemented to mitigate cybersecurity risk?

Code reviews are essential to test vulnerabilities and ensure application integrity.

Global consensus and implementation regarding a standard set of best practice rules for blockchain development are needed.

7 Intellectual property

7.1 What specific challenges or concerns does blockchain present from an IP perspective?

The driving factor behind blockchain's swift development is the code's open source nature, meaning that people are free to copy and improve on it. This was a deliberate decision – to disallow the use of copyright law to protect the source code, in contrast to proprietary software.

Blockchain has changed conventional ways of thinking. Open source technologies (the Internet, the World Wide Web and now blockchain) are flourishing in the absence of IP protection.

7.2 What type of IP protection can blockchain developers obtain?

Unfortunately, the challenges presented by the Internet mean that intellectual property is often copied, modified, shared and stolen around the world, resulting in the owner losing control.

In terms of potential IP protection, due to the ‘proof of authorship' protocol, blockchain could provide the authors of digital data with evidence that proves their authorship. Blockchain in itself constitutes evidence of IP registration, thereby affording IP protection. Blockchain ledgers create time-stamped records that cannot be retroactively altered.

7.3 What are the best open-source platforms that could be used to protect developers' innovations?

Ethereum, Corda and HydraChain.

7.4 What potential advantages can blockchain offer in the IP context?

Proof of authorship, since blockchain ledgers create time-stamped records that cannot be retroactively altered.

8 Trends and predictions

8.1 How do you think the regulatory landscape in your jurisdiction will evolve in the blockchain space over the next two years? Are any pending changes currently being considered?

The latest developments include:

  • the enactment of the Virtual Financial Assets Act, which regulates issuers and service providers of crypto and blockchain-related business; and
  • the publication of a consultation paper on security token offerings (STO).

It is expected that more STO issuers will emerge as a result of the increase in investments and continued advancements in distributed ledger technology (DLT) based infrastructure in the capital markets space.

8.2 What regulatory changes would you like your jurisdiction to implement to further advance the blockchain industry?

The crowdfunding licensing requirements could be improved and clarified in order to promote crowdfunding and encourage those seeking to host a crowdfunding platform to apply for a licence. Greater incentives and accessibility are needed when it comes to raising capital. In the new token era, a few new security token crowdfunding platforms have been launched (eg, TokenMarket); conceptually, this is a great idea for securities issuers that are seeking to raise reasonably small amounts of capital (eg, under €5 million). However, the infrastructure is still being developed with regard to the tokenisation of securities (eg, primary markets, secondary markets), although many players are gradually making the shift to DLT.

8.3 What is the largest impediment within your jurisdiction to the adoption of blockchain technology?

It is difficult to speak of blockchain impediments on a jurisdictional basis, as blockchain is designed to facilitate global business and transactions. While generic standards for information sharing exist (eg, ISO/IEC 27010), when it comes to blockchain and DLT incident management, as yet there are no standards on how these technologies could be used to support such models. That said, the technologies are still maturing and evolving. Perhaps once a few clear leaders have emerged (in terms of adoption) and the level of advancement of the technology has become clearer, the authorities will move to set some global standards.

9 Tips and traps

9.1 What are your top tips for effective use of blockchain technologies in your jurisdiction and what potential sticking points would you highlight?

  • Ensure a high quality of code creation and undertake regular testing to mitigate risks in areas such as privacy and data management.
  • Remain legally compliant (to the furthest extent possible).
  • Recognise the importance of interoperability.
