Constitutes the MFSA's supervisory remit over credit institutions licensed in Malta.
PSD2 Strong Customer Authentication and SEPA Instant: OTP delivery to Bank of Valletta, HSBC Malta, APS Bank and BNF over GO, Melita and Epic
The Malta Financial Services Authority (MFSA) supervises the Maltese banking system under PSD2 (transposed by S.L. 371.16) and the SEPA Instant scheme. Every login and every payment confirmation on Bank of Valletta, HSBC Malta, APS Bank and BNF Bank demands a second factor. 4notify delivers one-time passwords with a P50 below 4 seconds over the GO, Melita and Epic networks via direct tier-1 connections — and signs the audit envelope for the five-year retention window the MFSA expects.
Article 1. — By the Grace of the Order, and pursuant to the Banking Act (Cap. 371) of the Laws of Malta, the Financial Institutions Act (Cap. 376) and Subsidiary Legislation 371.16 transposing Directive (EU) 2015/2366 (PSD2), this present Bando is hereby published touching upon the delivery of Strong Customer Authentication codes to the Maltese banks over the licensed mobile networks of these Islands.
Transposes PSD2 into Maltese law: Strong Customer Authentication, dynamic linking and exemptions.
European Banking Authority Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication.
MCA registration plus tier-1 carrier contracts
4notify is registered with the Malta Communications Authority as an A2P messaging provider and holds direct tier-1 termination contracts with GO, Melita and Epic for authentication traffic.
OTP generated in the bank's HSM
The one-time password is generated inside the bank's hardware security module; 4notify receives only the hash and the MSISDN — the code itself never crosses our perimeter in clear.
60-second window with fallback chain
The SMS is delivered within 60 seconds; if the DLR fails we fall back to push, then email. Grey-route detours that would breach PSD2 dynamic linking are blocked at the API edge.
Five-year signed audit retention
Each delivery is signed and retained for five years, in line with MFSA Banking Rule BR/01 record-keeping expectations and the EBA Guidelines on outsourcing arrangements.
```json
{
  "event": "bank.sca.otp",
  "bank_id": "MT-XXXX",
  "transaction_id": "TX-2026-05-28-471829",
  "amount": 450.00,
  "currency": "EUR",
  "delivery": {
    "channel": "sms",
    "fallback": ["push", "email"],
    "window_seconds": 60,
    "template": "sca_otp_mt_v3"
  },
  "audit_signature": "https://4notify.net/sig/bank/471829"
}
```

Bank of Valletta: your code to confirm a SEPA Instant transfer of EUR 450.00 to J. Borg is 471829. Valid 5 minutes. Do not share with anyone.
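An added example, not 4notify's code or API: a pre-send check that the sample event above follows the delivery rules stated on this page (SMS first, push then email as fallback, a 60-second window) and that the SMS text shows the same currency and amount as the event, so the payer sees what is being authorised. The function name `check_sca_event` and the idea of running these checks on the sending side are assumptions; the event and message are the page's own sample.

```python
import json
import re
from decimal import Decimal

# Event and SMS text copied from the sample on this page.
EVENT = json.loads("""
{"event": "bank.sca.otp", "bank_id": "MT-XXXX",
 "transaction_id": "TX-2026-05-28-471829",
 "amount": 450.00, "currency": "EUR",
 "delivery": {"channel": "sms", "fallback": ["push", "email"],
              "window_seconds": 60, "template": "sca_otp_mt_v3"},
 "audit_signature": "https://4notify.net/sig/bank/471829"}
""", parse_float=Decimal)  # Decimal avoids float rounding on money
SMS_TEXT = ("Bank of Valletta: your code to confirm a SEPA Instant transfer "
            "of EUR 450.00 to J. Borg is 471829. Valid 5 minutes. "
            "Do not share with anyone.")

EXPECTED_FALLBACK = ["push", "email"]  # page: fall back to push, then email
MAX_WINDOW_SECONDS = 60                # page: delivered within 60 seconds


def check_sca_event(event, sms_text):
    """Hypothetical helper: return a list of problems, empty if all checks pass."""
    problems = []
    if event.get("event") != "bank.sca.otp":
        problems.append("unexpected event type")
    delivery = event.get("delivery", {})
    if delivery.get("channel") != "sms":
        problems.append("primary channel is not sms")
    if delivery.get("fallback") != EXPECTED_FALLBACK:
        problems.append("fallback chain is not push then email")
    window = delivery.get("window_seconds")
    if not isinstance(window, int) or not 0 < window <= MAX_WINDOW_SECONDS:
        problems.append("window is not within 60 seconds")
    # Dynamic linking: the text the payer reads must carry the amount
    # of the transaction being confirmed, in the event's currency.
    amount = Decimal(str(event.get("amount", "0"))).quantize(Decimal("0.01"))
    shown = f"{event.get('currency')} {amount}"
    if not re.search(rf"\b{re.escape(shown)}(?!\d)", sms_text):
        problems.append(f"message does not show {shown}")
    if not str(event.get("audit_signature", "")).startswith("https://"):
        problems.append("audit_signature is missing or not https")
    return problems


if __name__ == "__main__":
    print(check_sca_event(EVENT, SMS_TEXT) or "ok")
```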
- MCA A2P provider registration current
- Direct tier-1 termination with GO, Melita and Epic active
- OTP P50 ≤ 4 seconds measured per quarter
- Five-year signed retention demonstrable to MFSA inspection
4notify is the only A2P provider with simultaneous direct tier-1 termination across GO, Melita and Epic and signed five-year audit retention for Strong Customer Authentication delivery under MFSA Banking Rule BR/01 and the EBA RTS.
Does 4notify deliver directly to Maltese banks or via an aggregator?
Direct tier-1 termination with GO, Melita and Epic. We do not use grey-route aggregation for authentication traffic — it would breach PSD2 dynamic linking and the MFSA outsourcing guidelines.
Do push notifications qualify as a second factor on their own?
Yes — a push tied to a registered device is an acknowledged possession factor under the EBA RTS. But because the app cannot guarantee durable medium delivery, we always pair it with SMS or email fallback.
Start free
14 days, no card required. English-speaking support across CET hours. EUR pricing throughout.