MFSA to ‘step up’ supervision of AI in financial services

The Malta Financial Services Authority (MFSA) has signalled that artificial intelligence will move firmly into the supervisory spotlight in 2026, as it prepares to “step up” oversight of how financial services firms integrate AI into their operations.

In its latest Supervision Priorities 2026 report, the regulator says it will intensify supervisory interactions to assess governance, accountability and consumer protection considerations linked to the growing use of AI across the sector.

While the Authority recognises that AI offers opportunities for innovation and operational efficiency, it is equally focused on ensuring that adoption does not outpace risk management frameworks.

The MFSA notes that most supervised entities remain in the early stages of AI deployment, with current use largely centred on internal operational efficiencies rather than client-facing activities, though this is expected to evolve as adoption matures.

At the same time, the regulator says it has been building its own capabilities. Throughout 2025, the MFSA says it sought to advance its understanding of AI as a tool to enhance supervisory effectiveness, with officials undergoing targeted training and participating in specialised workstreams aimed at strengthening data validation and automated controls.

Apart from AI

On a broader scale, the MFSA also mentioned seven core pillars that its 2026 supervisory agenda will continue to revolve around:

• Resilience of supervised entities
• Sustainable finance
• Digital finance
• Governance, risk and compliance
• Financial crime compliance
• Consumer protection and education
• Cross-border supervision

The Authority stresses that these priorities are interconnected and reflect both EU strategic direction and emerging market risks.

For executives, this means supervisory scrutiny will increasingly look at how governance, technology, risk management and customer outcomes interact – rather than assessing compliance in isolated silos.

Overall, innovation is encouraged, but AI deployment must be matched by robust governance and explainability.

Compliance outcomes model becoming the new normal

The MFSA’s “Compliance Outcomes-Based Supervision” approach – introduced in 2024 – has now expanded across all financial sectors.

Rather than simply checking rule adherence, the Authority is measuring whether firms achieve specific regulatory outcomes, such as:

• effective risk management frameworks
• reliable reporting quality
• adequate liquidity and capital stress testing
• sound outsourcing oversight
• proper consumer treatment

This shift changes how firms should prepare for supervision. Documentation alone will no longer suffice – regulators want evidence that governance structures actually work in practice.

Reporting quality

Across multiple sectors, the report highlights recurring governance weaknesses uncovered during 2025 thematic reviews:

• deficiencies in escalation procedures and compliance reporting
• outdated policies and incomplete governance frameworks
• weak internal controls around reporting accuracy
• insufficient board-level oversight in some cases

The MFSA notes that while submission deadlines are often met, accuracy and completeness remain problematic – forcing resubmissions and reducing supervisory effectiveness.

This reinforces the growing expectation that governance quality will be tested operationally, not just on paper.

Financial crime remains a central risk

Financial crime compliance remains one of the most significant supervisory themes.

The Authority’s reviews revealed that:

• some entities still lack sufficient understanding of AML/CFT obligations
• not all firms adequately consider national risk assessments in their frameworks
• transaction monitoring systems are sometimes insufficiently automated
• sanctions screening and terrorist financing controls require further improvement

The MFSA also signals that Malta’s upcoming MONEYVAL/FATF evaluation will continue to drive stricter supervisory expectations.

Executives should expect increased scrutiny on the role and independence of Money Laundering Reporting Officers (MLROs), as well as stronger testing of sanctions and risk frameworks.

Burden reduction but with smarter reporting

Interestingly, the report balances tighter supervision with a commitment to reducing administrative burden.

The MFSA is:

• redesigning reporting requirements to remove duplication
• introducing machine-readable reporting formats (JSON)
• promoting a “submit once” reporting principle alongside the FIAU
• working with the Central Bank of Malta to align data requests

For firms, this could reduce manual compliance work over time – but only for those investing early in automation and data governance.

Cross-border supervision intensifies

As Malta continues to host firms operating across Europe, cross-border supervision is becoming a major focus.

The MFSA has increased collaboration with European regulators and is conducting deeper assessments of:

• cross-border investment models
• affiliate and partnership structures
• marketing oversight in multiple jurisdictions
• digital operational resilience under DORA

This reflects broader EU pressure for supervisory convergence – meaning Malta-based firms operating internationally will face closer scrutiny.

What business leaders should take away

For Malta’s financial services executives, the 2026 supervisory priorities suggest three clear strategic implications:

1. Governance will define regulatory success
Boards and senior management are expected to demonstrate real oversight, especially around technology, outsourcing and risk management.

2. Technology adoption brings accountability
AI, digital assets and automation are welcome, but regulators expect clear governance frameworks and documented controls.

3. Data quality is now a strategic issue
Reporting accuracy, operational resilience and financial crime controls are increasingly data-driven – weak internal systems will quickly become supervisory risks.

All in all, this means regulatory strategy is no longer just a compliance function but it’s becoming a core element of corporate strategy and operational resilience.