Malta Pushes Financial Firms to Treat AI as a Governance Issue, Not a Technology Project
Key Takeaways
- AI Does Not Change Regulatory Expectations: The MFSA made clear that the use of artificial intelligence does not alter the core objectives of financial regulation, including consumer protection, financial stability and market integrity.
- Boards Are Expected to Own AI Risk: Responsibility for AI systems ultimately rests with boards and senior management, which are expected to oversee governance, controls and risk management arrangements.
- AI Is Being Treated as a Prudential Concern: The Authority expects firms to embed AI-related risks within existing governance, risk management and internal control frameworks rather than treating AI as a standalone technology initiative.
- Third-Party Dependencies Are a Growing Focus: The MFSA highlighted outsourcing arrangements and concentration risk associated with external AI providers as key areas requiring oversight and scrutiny.
- Supervisory Attention Is Increasing: AI governance, customer-facing AI applications, operational resilience and outsourcing arrangements will form part of future supervisory reviews, inspections and ongoing regulatory engagement.
Deep Dive
One line in the Malta Financial Services Authority's latest AI guidance says more than the rest of the document put together. The regulator reminds firms that artificial intelligence does not change the objectives of financial regulation. The statement appears almost in passing, but it captures a problem regulators across Europe are beginning to see. AI is arriving inside financial institutions wrapped in promises of efficiency, automation and better decision-making. What it has not brought with it is any exemption from accountability.
Malta's financial sector is not yet awash in AI systems making consequential decisions. The Authority acknowledges as much. Adoption remains relatively limited, and many firms are still experimenting with applications in risk management, customer interaction, financial crime monitoring and internal analytics. But regulators have watched enough technology cycles to know how this story usually goes. Governance tends to arrive after implementation. Oversight follows adoption. Boards discover dependencies only after they become critical.
The MFSA would prefer to reverse that sequence. Its guidance tells supervised firms to start treating AI as a prudential issue now, before the technology becomes deeply embedded in operations. That may sound obvious. It is not. For years, conversations about AI inside financial institutions have often lived inside technology teams, innovation groups and vendor demonstrations. The regulator is effectively pulling the discussion into the boardroom and insisting it stay there.
The letter places responsibility squarely on boards and senior management. Not for writing code. Not for training models. For understanding what has been deployed, where it is being used, who is accountable for it and what happens when it fails.
That distinction matters because many of the risks identified by the Authority have very little to do with artificial intelligence itself. Take third-party dependency risk. One of the MFSA's supervisory concerns is the growing reliance on external providers for AI capabilities. The risk is familiar. Financial regulators have spent years worrying about concentration risk in cloud computing, outsourcing arrangements and critical service providers.
AI simply creates a new version of an old problem. If enough firms depend on the same small group of vendors, a weakness in one corner of the ecosystem can quickly become everyone else's problem. The same logic applies to operational resilience. A model that produces unreliable outputs, a governance process that fails to identify weaknesses, or poor-quality data feeding critical decisions are not exotic AI risks. They are governance failures wearing modern clothing.
That perspective runs throughout the letter. The Authority's expectations cover governance structures, oversight arrangements, model validation, monitoring, data governance and regulatory compliance. None of those topics are new. What is changing is the technology being folded into them.
Perhaps the most revealing part of the announcement is what the MFSA is not asking firms to do. For now, institutions are not required to submit the results of the Authority's new AI self-assessment framework. There is no reporting exercise attached to it. No mandatory filing. No immediate supervisory return.
Instead, firms are expected to complete the assessment, review the results at board and senior management level and address any shortcomings they identify. It is a subtle distinction, but an important one. The regulator appears less interested in collecting paperwork than in forcing a conversation. The exercise is designed to make firms confront questions they may not yet have asked themselves. What AI systems are currently in use? What future deployments are being considered? Which third parties are involved? What controls exist? Where are the gaps?
Those questions are likely to become increasingly difficult to answer as adoption accelerates. The MFSA has already signaled that AI will become a routine feature of its supervisory work. Thematic reviews, onsite inspections, governance assessments and examinations of outsourcing arrangements will all incorporate AI-related considerations. Customer-facing applications will receive particular attention, as will the relationship between AI adoption and a firm's stated risk appetite.
The regulator is also investing in training through the Financial Supervisors Academy, an acknowledgment that supervisors face the same challenge confronting the institutions they oversee. Expertise cannot simply be purchased. It has to be built.
There is a tendency in discussions about artificial intelligence to treat every development as unprecedented. Regulators, perhaps because they have seen enough cycles of technological enthusiasm come and go, tend to be less impressed by novelty. The MFSA's letter reflects that instinct. Beneath the references to AI governance and model oversight lies a much older regulatory principle. If a system influences decisions, affects customers or creates risk, someone remains responsible for it.
The algorithm may be new. The accountability is not.

