The Intersection of PSD2 and MiCAR: Implications for Maltese Payment & Crypto Firms

By Dr Kelly Fenech, Advocate – GKF Legal

In the evolving regulatory landscape, one of the key challenges for financial and fintech firms is understanding how the Payment Services Directive 2 (PSD2) and the new Markets in Crypto-Assets Regulation (MiCAR / MiCA) interact. While PSD2 has long governed payment services in the EU, MiCAR introduces a layer of regulation specifically for crypto-assets and related services. In Malta, where both frameworks come under the supervision of the MFSA, it is critical for firms to align their operations with both sets of rules. Below, I set out the principal intersections, legal risks, and practical strategies for compliance, viewed through a Maltese lens.


Understanding the Two Regimes: PSD2 vs. MiCAR

PSD2 is the EU directive that regulates payment services, payment institutions (PIs), and certain digital payments. It sets out rules on strong customer authentication, transparency, interoperability, and rights of payer and payee.

MiCAR, in contrast, is a newer EU regulation that addresses crypto-assets: providers of services (e.g., exchanges, custody, wallets) and issuers of tokens. MiCAR fills the regulatory gap for digital assets that were not explicitly covered under existing EU financial services law.

Key overlaps arise when a business offers payment services involving crypto-assets — for example, converting crypto to fiat, facilitating transfers, or custodian services that touch both payment and crypto realms.


Key Interplay Issues & Maltese Application

1. Dual classification and licensing boundaries

A firm in Malta may fall under both PSD2 and MiCAR if it offers services such as exchanging crypto-assets into fiat and then executing payment transfers. In such cases:

  • Under MiCAR, the firm may need to be authorised as a Crypto-Asset Service Provider (CASP).
  • Under PSD2, the same or overlapping activities may trigger licensing as a Payment Institution (PI) or an Electronic Money Institution (EMI) (if fiat e-money is involved). In Malta, that is within the remit of the MFSA.

The EBA’s opinion highlights that firms must carefully map which services fall under which regime, and ensure no regulatory arbitrage. A Maltese firm cannot claim full immunity from PSD2 simply because it is also a CASP.

2. Consumer protections and transparency obligations

PSD2 imposes strict rules on transparency (fees, execution time, liability) and strong customer authentication (SCA). When crypto-assets are used in a payment journey, such transparency obligations may still apply — for example, when converting crypto to fiat and then executing a payment transaction to a beneficiary.

In Malta, the MFSA would likely expect firms to comply with PSD2’s transparency and SCA rules for the fiat leg of a transaction, even if MiCAR governs the crypto segment. Failure to treat the fiat portion as a “payment service” can expose a firm to supervisory scrutiny or enforcement.

3. Safeguarding and custody of client assets

Under PSD2, payment institutions must safeguard client funds (i.e., keep them separate from the institution’s own funds). MiCAR similarly requires that crypto-assets held in custody are properly protected and subject to operational and security standards.

In Malta, a firm combining crypto custody and payment operations would need to implement segregated systems that satisfy both regimes: e.g., separate accounting, strong internal controls, audit trails, and strict governance oversight. The MFSA will expect robust internal controls and periodic audits reflecting both regimes’ expectations.

4. Prudential requirements and capital

PSD2/EMD2 set certain capital requirements for payment institutions and EMIs; MiCAR likewise imposes own funds requirements for CASPs. When a firm straddles both regulatory domains, it must maintain capital buffers that satisfy both regimes, taking the more stringent requirement where applicable. In Malta, before authorisation, the MFSA will require proof that the entity can sustain combined regulatory capital obligations without breaching either framework.

5. Reporting, monitoring and conflict handling

Both PSD2 and MiCAR impose reporting obligations to supervisory authorities: incident reporting, transaction monitoring, consumer complaints, and more. In a Maltese setting, a firm must integrate its compliance and reporting functions so that reports to the MFSA satisfy both PSD2 and MiCAR, avoiding redundant or conflicting submissions.

Additionally, conflicts of interest must be addressed: for instance, if a firm acts as both exchange operator (crypto side) and payment provider (fiat side), governance must ensure functional separation so that client interests are always protected.


Practical Steps for Maltese Firms Under MFSA Supervision

  1. Service Mapping & Legal Classification

Conduct a thorough mapping of your services: which are pure payment services, which are crypto-services, and where they overlap. Determine whether you need a PI licence, EMI licence, CASP licence, or combinations thereof under MFSA oversight.

  2. Unified Governance and Risk Framework

Establish governance that bridges both PSD2 and MiCAR, with key function holders (compliance, risk, audit) independent from business operations. In Malta, the MFSA will expect clear internal lines of accountability.

  3. Segregation and Safeguarding Controls

Design technical and operational segregation between fiat and crypto flows. Ensure client funds and crypto assets can never be inadvertently mingled with the firm’s own assets.

  4. Capital Adequacy Planning

Before applying for authorisation, validate that your capital structure meets the most demanding requirements across both regimes. Submit detailed stress testing and scenario analyses to the MFSA.

  5. Regulatory Reporting Integration

Build reports, dashboards, and internal monitoring systems that can generate data for both PSD2 and MiCAR compliance obligations, without duplication or contradiction.

  6. MFSA Engagement & Dialogue

Open dialogue early with the MFSA. Present your hybrid business model, explain how you will meet overlapping obligations, and request guidance on any ambiguous interactions. That proactive approach can reduce scrutiny delays.

  7. Ongoing Compliance Reviews

Conduct regular internal reviews and audits to ensure that changes in regulation (e.g. updates to PSD2, EBA opinions, MFSA guidance) are promptly reflected in policies and procedures.


Conclusion

The interaction between PSD2 and MiCAR presents both challenges and opportunities for payment and fintech operators. In Malta, under MFSA supervision, firms must recognise that overlapping jurisdictional requirements are not optional but fundamental to legal compliance.

By proactively mapping service lines, designing unified governance, and engaging with the MFSA, firms can position themselves at the forefront of European payments and crypto innovation. At GKF Legal, we offer strategic legal guidance on navigating this dual regime, helping clients achieve robust authorisation and sustainable business operations in Malta and across the EU.

Dr Kelly Fenech is a Founding Partner in GKF Legal’s Financial Services Practice, specialising in EU FinTech law. The views expressed are his own and do not constitute legal advice.