Strengthening business resilience in financial institutions

Key insights from the MFSA’s “Dear CEO” letter

  • Publication
  • 3 minute read
  • September 24, 2025

The Malta Financial Services Authority (“MFSA”) has recently issued a “Dear CEO” letter to all financial institutions (“FIs”) licensed and supervised in Malta, focusing on the criticality of robust business resilience frameworks. The “Dear CEO” letter was published following a ‘Thematic Exercise on Business Resilience’ initiated by the FinTech Supervision Function within the MFSA, in which FIs were requested to complete a questionnaire structured into three categories, namely (i) Business Strategy; (ii) Financial; and (iii) Operational.

Below we outline the key findings per category the MFSA has noted from questionnaires submitted by FIs.

  • Most FIs have a business strategy in place that is reviewed on a cyclical basis ranging from one to three years.

  • Only IT-related risks were cited among FIs' top three external threats, overlooking other potential risks.

  • In some cases threat monitoring is conducted solely at group level, which the MFSA deems insufficient: threats should be managed at the level of the local institution, irrespective of its size or the support it receives from the group.

  • Although each FI believes it has characteristics that distinguish it from other FIs, most institutions gave generic responses that failed to identify any genuine differentiating factors.

  • Most respondents confirmed having clear and well-documented business continuity arrangements, set out in three documents in line with the Financial Institutions Rulebook (“FIR/03”): (a) Business Impact Analysis; (b) Business Continuity Plan (“BCP”); and (c) Disaster Recovery Plan (“DRP”). However, not all institutions conduct the annual testing of their BCP and DRP mandated by the Rulebook.

  • Inconsistencies were also noted where institutions reported testing these plans in FY 2024 but did not disclose any lessons learnt or improvements from such testing.

  • Several FIs were identified as consistently reporting losses despite claiming regularly positive financial forecasts.

  • A number of FIs limit their stress testing to IT-related issues, overlooking other key risks faced by FIs, including liquidity, financial and other essential factors. Furthermore, certain institutions did not perform any stress testing during the financial year 2024.

  • Some institutions acknowledged reliance on a few major clients, which poses a significant risk should those clients be lost.

  • Some FIs that experience turnover challenges did not accurately report their turnover rates.

  • Succession plans for human resources are not consistent.

  • FIs often struggle to recruit individuals for key function holder positions due to high staff turnover.

  • A small number of FIs reported having no active correspondent banking relationships, limiting their growth opportunities, and no contingency plans in place to manage potential disruptions or termination of correspondent bank agreements.

MFSA recommendations

The MFSA has encouraged FIs, particularly long-standing licensees, to demonstrate a corresponding level of preparedness and to embed resilience at all levels of their organisations, fostering a culture of agility and adaptability. It has therefore recommended that FIs focus on the following points:

  • A robust risk management framework and comprehensive business continuity arrangements, in line with FIR/03, with identification, assessment and mitigation processes specific to the FI's business model and covering fraud, cyber threats, operational failures and third-party dependencies.

  • Recognition of the unique differentiating factors that contribute to enhanced competitiveness and financial performance.

  • Ongoing training and awareness programmes to equip staff with the skills needed to manage unforeseen events and risks, and to support effective succession planning.

  • Prioritising regular stress testing exercises, at least annually.

  • Regular testing and updating of BCPs through simulations and drills, and ensuring that DRPs for IT infrastructure are in place.

  • Assessment of financial, operational and key personnel risks to identify gaps and weaknesses in existing plans.

  • Documented contingency plans to address potential resignations of key personnel, terminations or failures linked to non-IT third parties (such as correspondent banks) and any regulatory or legal disruptions.

  • Regular review and updating of resilience strategies based on lessons learned from incidents, audits and regulatory feedback.

What does this mean for you? 

The MFSA’s “Dear CEO” letter highlights the urgent need for FIs to strengthen their resilience and preparedness for potential disruptions. Institutions are expected to adopt a proactive approach to risk management, ensure robust business continuity and disaster recovery arrangements, and regularly review and test their frameworks in line with regulatory requirements. Our Banking and Capital Markets Advisory team is equipped to support you in addressing these challenges. With our expertise in risk management, stress testing and governance, we can help you address such key regulatory requirements. 

Contact us

Norbert Paul Vella

Assurance Partner, PwC Malta

Tel: +356 9945 3843

Malcolm Debattista

Senior Manager, Assurance, PwC Malta

Tel: +356 7973 6120