The Malta Financial Services Authority (MFSA) has published three ‘Dear CEO’ letters outlining the results of a cross-sector thematic review into complaints handling frameworks, highlighting persistent weaknesses in governance, transparency and consumer-centric practices across credit institutions, insurance undertakings and investment firms.

The review, conducted during 2025 as part of the regulator’s Outcomes-Based Supervision framework, assessed whether licensed entities are effectively implementing complaints management systems in line with requirements such as Banking Rule BR/22 and the Conduct of Business Rulebook (CoBR). Across all three sectors, the Authority found that while some examples of good practice exist, significant gaps remain.

Governance weaknesses and fragmented frameworks

A recurring issue identified by the MFSA relates to weak governance structures underpinning complaints handling. In several cases, firms maintained outdated or fragmented policies, with insufficient version control and limited evidence of senior management approval.

Among investment firms, policies were often not reviewed regularly, with some documents dating back several years or lacking clear ownership and accountability structures. The Authority also flagged cases where multiple overlapping procedures created confusion, undermining clarity for staff responsible for handling complaints.

Similarly, within credit institutions, the MFSA noted instances where policies were still in draft form or lacked proper approval and version tracking, raising concerns over compliance with Banking Rule BR/22.

These shortcomings point to what the MFSA described as “material weaknesses” in governance and oversight, with firms failing to embed complaints handling as a core operational and risk management function.

Inadequate complaints registers and poor data quality

The review also uncovered deficiencies in record-keeping, particularly in complaints registers. Across sectors, firms frequently failed to maintain complete and consistent data, limiting their ability to track cases, identify trends, and address systemic issues.

Investment firms, for instance, were found to maintain registers with missing or vague information, including incomplete fields, unclear descriptions, and absent resolution data, undermining traceability and oversight.

In the banking sector, some institutions failed to record all complaints – particularly those resolved at first contact – resulting in an incomplete picture of customer grievances and weakening the basis for meaningful analysis.

The MFSA stressed that comprehensive and accurate data is essential for identifying recurring issues and improving customer outcomes, warning that incomplete registers will not be considered compliant.

Limited focus on root cause analysis

A key theme across all three letters is the lack of robust root cause analysis. While firms are required to analyse complaints data to identify underlying issues, many were found to rely on superficial categorisation rather than substantive investigation.

In both investment firms and credit institutions, the Authority observed that root cause frameworks were either absent or insufficiently detailed, limiting firms’ ability to detect systemic weaknesses and implement corrective measures.

The MFSA expects firms to move beyond procedural compliance and instead use complaints data as a strategic tool to improve processes, products, and customer experience.

Transparency and communication gaps

Transparency in communicating complaints procedures to clients was another area of concern. Insurance undertakings, in particular, were criticised for failing to make complaints processes clearly accessible on their websites or for providing incomplete or unclear information.

In some cases, the MFSA was unable to locate complaints procedures online despite firms claiming they were available, while others provided only generic contact details without structured guidance.

The Authority also highlighted deficiencies in how firms communicate outcomes to complainants, including limited reasoning in final decisions and insufficient information on escalation options – particularly the right to refer complaints to the Office of the Arbiter for Financial Services.

Delays, inconsistencies and operational shortcomings

Across sectors, the MFSA identified delays and inconsistencies in acknowledging and resolving complaints, with some firms failing to adhere to regulatory timelines or applying internal deadlines that deviate from established rules.

For example, certain insurance undertakings acknowledged complaints several days after receipt rather than “without undue delay” as required under the CoBR. Meanwhile, some credit institutions used unclear wording in delay notifications, potentially misleading clients about resolution timelines.

The handling of verbal complaints also emerged as a weak point, with firms lacking clear procedures to record and confirm such complaints, increasing the risk of disputes and inaccuracies.

Cross-border challenges and conflicts of interest

The MFSA further highlighted challenges in cross-border complaints handling, including language barriers, unclear allocation of responsibility between entities, and insufficient adaptation of group-level policies to Maltese regulatory requirements.

In addition, concerns were raised around conflicts of interest, particularly where complaints handling responsibilities were assigned to senior executives such as CEOs or compliance officers without appropriate safeguards.

The Authority warned that reliance on individual integrity, rather than structured controls, is insufficient to ensure impartiality.

One-year remediation period and 2027 review

As part of its supervisory approach, the MFSA has given all licensed entities a one-year remediation period to address the identified shortcomings. Follow-up assessments are scheduled for 2027, forming part of the broader multi-year Outcomes-Based Supervision cycle.

The regulator has made it clear that Chief Executive Officers and Compliance Officers are expected to take direct responsibility for implementing improvements, under the oversight of their respective Boards.

Beyond compliance, the MFSA emphasised that complaints handling should be treated as a critical mechanism for strengthening governance, enhancing conduct risk management, and building consumer trust.

“Complaints handling is not merely a procedural obligation,” the Authority noted, “but a key driver of better customer outcomes and a more resilient financial services sector.”
