Background

On the 4th of June 2026, the Malta Financial Services Authority issued a Dear CEO Letter, titled ‘Artificial Intelligence (AI): Governance, Risk and Prudential Expectations’ (the ‘Letter’).

The Letter sets out a number of observations and supervisory expectations to ensure that the adoption of AI within the financial sector develops in a manner that is consistent with sound prudential principles, effective governance and the overarching objectives of financial regulation.

MFSA Expectations

Recognising AI as a Risk Area

The Letter makes it clear that licence holders are expected to recognise AI as a prudentially relevant risk area. As a result, they are expected to:

(i)  assess how AI may impact their risk profile, decision-making processes and overall resilience;

(ii) ensure that such considerations are embedded within existing governance and management structures.

Internal Assessment: Evaluate, Identify Gaps and Take Remedial Action

The Letter also makes it clear that licence holders are expected to critically evaluate their current and anticipated use of AI, identify any gaps in governance, oversight or controls, and take appropriate remedial action where necessary.

Utilising AI to Enhance Financial Stability, Market Integrity and Consumer Protection

The MFSA expects that AI is deployed in a manner that enhances, rather than undermines, financial stability, market integrity, and consumer protection. Firms that fail to adequately address the risks associated with AI may be subject to increased supervisory scrutiny and, where necessary, further supervisory intervention.

Clear Governance Arrangements

The MFSA expects licence holders to ensure that AI adoption is supported by clear governance arrangements, including that:

(i) Boards and senior management must retain effective oversight of AI systems and remain accountable for their use, including where such systems are provided by third parties;

(ii) Responsibility for AI systems should be clearly assigned;

(iii) Sufficient expertise exists to provide effective challenge and oversight of AI systems.

Outsourcing

Licence holders are expected to treat AI-related outsourcing in line with existing outsourcing and third-party risk management frameworks, including:

(i) ensuring that they retain sufficient control, oversight, and understanding of any externally provided AI systems; and

(ii) assessing concentration risk and avoiding excessive reliance on a limited number of providers, especially where such dependencies may impact critical operations.

Validation and Testing of AI Systems

The MFSA notes that certain AI systems, particularly generative AI systems, may hallucinate, that is, produce outputs that are plausible but inaccurate or unsupported.

Licence holders are thus expected to ensure that AI systems are subject to appropriate validation, testing, and ongoing monitoring, including:

(i) identifying potential model limitations;

(ii) implementing controls to detect model drift; and

(iii) establishing clear escalation mechanisms where issues arise.

Understanding AI Systems & Redesigning when Unable to Explain System Behaviour

The Authority expects that firms are able to understand, explain, and evidence how AI systems operate, particularly where outputs influence financial or customer outcomes, including:

(i)  ensuring that sufficient documentation, audit trails, and model governance artefacts are maintained to support effective internal challenge and supervisory review.

Where firms are unable to adequately explain or evidence system behaviour, consideration should be given to restricting or redesigning the use of such systems, particularly in higher-risk contexts.

Data Governance: Ensuring Data Relied Upon (by AI Systems) is Accurate

Licence holders are expected to implement robust data governance frameworks supporting AI use, including:

(i) ensuring that data is accurate, relevant, and appropriately validated, and that data flows and usage are clearly understood and documented;

(ii) ensuring that data used in AI systems is consistent with applicable regulatory requirements and internal policies.

Preventing Operational & Systemic Risk

Licence holders are expected to take a forward-looking approach to AI risk, considering not only firm-level impacts but also potential system-wide implications, including:

(i)  assessing dependencies, identifying potential single points of failure, and ensuring that contingency measures are in place.

The Self-Assessment Framework

In order to support licence holders in assessing their exposure to AI-related risks, the MFSA has developed a structured self-assessment framework designed to provide firms with a practical tool to:

(i) identify AI use cases across their operations;

(ii) map dependencies, including third-party providers;

(iii) assess governance, accountability, and oversight arrangements; and

(iv) evaluate the adequacy of existing risk management and control frameworks.

Licence holders are expected to complete this assessment in a comprehensive and critical manner, ensuring that it reflects both current use of AI and anticipated future developments.

At this stage, firms are not required to submit the results of this exercise to the MFSA but should be in a position to demonstrate that:

(i) the assessment has been performed;

(ii) its outcomes have been considered at Board and senior management level; and

(iii) any identified gaps are being addressed through appropriate remedial actions.

Conclusion

The MFSA’s Dear CEO Letter marks a clear shift in regulatory focus, positioning AI not merely as an innovation tool but as a core prudential concern requiring structured oversight and accountability.

Licence holders must move beyond passive adoption and take a proactive, risk-based approach to AI, embedding it within governance frameworks, strengthening internal expertise, and ensuring transparency in how systems operate and influence outcomes. The emphasis on explainability, validation, and data integrity highlights the Authority’s expectation that firms remain fully in control of their technological deployments.

Ultimately, firms that treat AI with the same rigour as other material risk areas will be better placed to enhance resilience, maintain regulatory trust, and leverage AI responsibly. Those that do not may face increased scrutiny and intervention.

Contact Us

zeta. assists firms in aligning AI strategies with regulatory expectations, including governance design, risk assessments, and implementation of control frameworks.

To discuss how these developments may impact your organisation, contact us at: info@zeta-financial.com

This article is intended for general information purposes only and does not constitute tax, legal or other professional advice. It provides a high-level summary of the information and reflects our interpretation of the information as at the date of publication.

The application and impact of the information may vary depending on individual circumstances, and the information is subject to change and to interpretation by the relevant authorities. Accordingly, this article should not be relied upon as a substitute for specific professional advice.

Readers are encouraged to seek tailored advice before taking any action based on the information contained herein.