1. One for All
There is only one law that everyone in gaming in Malta needs to be aware of: The Gaming Act. It regulates all gaming services in Malta – online and land-based. However, it is complemented with subsidiary legislation covering the main areas of regulation, as well as a series of directives, codes and guidelines, which can be amended from time to time, ensuring that the law responds to technological advancements and innovation.
2. Keeping it Simple
The MGA has replaced the previous multi-licence system with a two-licence system – a business-to-consumer (B2C) licence and a business-to-business licence (B2B) – covering different types of activities across multiple distribution channels.
A second tier of approvals addresses the systems, game types and channels used under one licence. Prior approval is only required when the change or addition significantly changes the operation, such as the addition of a new game vertical which may change the risk profile of the operation.
3. How do I Apply?
The MGA operates a Licensee Relationship Management System (LRMS) through which companies can apply for a gaming licence. The LRM provides a dedicated dashboard that will give users the possibility to follow the status of their requests in real-time, ensuring efficiency and transparency. Applicants should acquire knowledge of the regulations and ascertain themselves whether they are committed to complying with the high standards. The implications of operating a Maltese licence - such as taxation, human resources, operating costs and legal implications to name but a few - should also be taken into consideration. In the application stage the MGA assesses whether an applicant:
- Is fit and proper to conduct gaming business.
- Is correctly prepared from a business strategy perspective.
- Has the operational and statutory requirements to meet the obligations prescribed by law and policy.
- Has correctly implemented what has been applied for on a technical environment before going live.
4. A longer Runway
Licences issued by the MGA are no longer limited to a 5-year period; the licence term has been extended up to 10 years. The regulations also provide for a licence with limited duration, leaving the term open for the Malta Gaming Authority to establish the gaming activities thereunder.
5. It's all about the Risk
The MGA classifies operators in different risk categories and supervises them accordingly. This risk-based approach to regulation means that the level of compliance checks can vary depending on the categories of games and the risk they pose to consumer protection and to the integrity of the operation.
6. Pay where you Earn
All operators need to pay gaming tax amounting to 5% of the Gross Gaming Revenue (GGR) generated from customers located in Malta. This shift to a ‘point of consumption’ model means gaming operators are required to pay tax in Malta only on revenue from Maltese customers, while they need to pay the point of consumption tax in other markets where they operate. B2B operators are exempt from tax, hence are only paying the annual licence fee.
7. Licence and Compliance Fees
Gaming operators need to pay a fixed licence fee of €25,000 annually, together with a compliance contribution fee added to the fixed fee calculated on gaming revenue generated.
The variable component of the compliance contribution includes a minimum payable fee of €15,000 or €25,000 (€5,000 for skill games), as well as a maximum capping of either €375,000, €500,000 or €600,000, depending on the type of games offered. The variable compliance contribution fee is payable monthly. Game providers are also subject to a yearly licence fee ranging between €25,000 and €35,000, depending on the revenue generated by the provider. Providers of back-end services, or a control system whereby essential regulatory data is captured, stored or otherwise processed, are subject to a fee ranging between €3,000 and €5,000 annually.
8. Who's in charge
The MGA wants to vet the power brokers in your organisation, and operators need to inform the MGA why is in charge of key functions and filling roles such as CEO, CTO, CMO, Chief Legal Officer, Chief Compliance Officer and Anti-Money Laundering Reporting Officer. The professionals also need to prove their competence through certification, relevant experience and continuing professional development. Persons holding these positions are required to have a sound understanding and knowledge of their obligations, as well as gaming operations compliance methodologies.
9. Three is the Magic Number
The regulatory framework covers three different categories of games: games of chance, games of chance and skill, as well as skill games. The MGA says that shifting from a prescriptive approach to one based more on regulatory objectives and principles makes it easier to deal with innovation in the gaming sector, as it gives the MGA the ability to license new types of products that might come to market without the need to amend the law.
10. Not for Profit
Non-profit games, limited commercial communication games and commercial communication games are classified as Low Risk Games. Rather than requiring a licence, such games are required to acquire a Low Risk Games Permit and are exempt from paying gaming tax.
Read Gaming Malta 2019
11. A different Kettle of Fish
Malta has recognised that several games, including fantasy sports, vary substantially both from pure skill games such as chess and also from games of chance. The law embodies this approach and regulates skill games.
12. Regulatory Teeth
The new law gives the MGA extended monitoring and enforcement powers. There is greater emphasis placed on on-going and transparent access by the MGA to operators’ data, while a compliance review process has been introduced for cases of reported or suspected breach of laws, or on an ad-hoc basis when required. New reporting procedures with respect to suspicious transactions are introduced in line with the latest Anti-Money-Laundering laws.
13. Name and Shame
The MGA has the power to issue a list of non-compliant operators who can then clarify and/or address any shortcomings in order to be removed from the list. This is aimed at ensuring that players are aware of non-compliant operators and the risk that may be incurred when making use of their services.
14. Losing your Licence
The MGA can suspend or cancel a licence for a number of reasons, including, but not limited to: cases where the licensee is convicted in any country of an offence which is punishable by imprisonment; the licensee fails to comply with a material term or condition of the licence, fails to pay taxes and other fees or is insolvent; fails to meet commitments to players; has obtained the gaming licence by providing false or misleading information or is in breach of the laws or regulations for the prevention of money laundering.
15. The Last Resort
Malta’s Gaming Act also includes the concept of administration to protect operations and player funds should a licence need to be suspended.
The MGA can appoint an administrator to manage the company and, if necessary, assist in winding down the operation. This concept is widely used in the financial services sector and has now been extended into gaming services.
16. I don’t Agree
Operators can appeal and challenge any decision of the MGA, which they deem to be wrong or unfair.
This ‘administrative review procedure’ highlights the MGA’s commitment to render the regulator more accountable, while improving transparency in the way it conducts its regulatory function.
17. Grouped Together
Licence holders may hold a licence for themselves or for a corporate group. If a licence is issued for a corporate group, the approved members of the corporate group are jointly considered as the licensee.
18. Do more Good
The new regulations strengthen the MGA’s role in the promotion of responsible gaming and safeguarding minors and vulnerable persons, by incorporating the functions of the Responsible Gaming Foundation under the remit of the Authority, in order to better leverage the necessary resources and expertise to achieve these objectives to the fullest. A Social Causes Fund, which mirrors and improves upon the structure of the Good Causes Fund established under the previous legislation, has also been set up.
19. Welcome to the Party
B2B supplies that provide services that are critical to the gaming operation require a licence from the MGA. This includes companies supplying and managing back-end systems controlling, processing or capturing regulatory data. Affiliates whose role is limited to advertising and marketing do not require a licence given that the responsibility for compliance rests with the licensee. However, should the affiliate, or any other outsourcing service provider, conduct other activities related to the gaming service, a licence might be required. For instance, if the outsourcing service provider processes payments and handles player registration, the service provider itself needs to have a B2C licence, unless such services are being carried out solely on behalf of the licensee, in which case they are deemed to be covered within the remit of the licensee’s authorisation.
20. The right Message
Advertising compliance is important for iGaming companies as the impact on the overall operation and brand can be huge.
Companies need to comply with the following rules: licensees are not allowed to encourage people under 18 years of age to gamble, publish false information on chances of winning, or suggest that gambling can be an investment.
Gambling cannot be promoted as a way of gaining prestige. It is also not allowed to use celebrities in advertising and making the player believe that gambling was behind their success, or that skill can influence the outcome in a game of luck. When it comes to social media, companies need to make sure that under-age persons are excluded from the target audience. All advertising also needs to contain an educational message on responsible gaming, and an age-limit warning.
Malta’s gaming regime also outlines strong limitations as to where advertisements can be placed, and the manner in which such communications can be made. The framework also introduced rules specifically relating to sponsorships, bonuses and promotions, misleading advertising and advertising aimed at self-excluded persons. The MGA would like to see companies go above and beyond these minimum requirements and become leaders in best practice in terms of player protection.
21. Say Hello
Malta recognises gaming licences issued in other EEA jurisdictions in line with European Treaty Principles, and licensed companies are allowed to operate in Malta.
However, such operators need to notify the MGA. In such cases the MGA will have visibility on the operators, who are based in Malta. The recognition notice is subject to a yearly fee and may also be revoked.
22. Blockchain Island
The MGA launched a Sandbox Framework for cryptocurrencies and virtual financial assets (VFA). The MGA is looking to develop directives that will lead to the ultimate acceptance of cryptocurrencies, as well as Innovative Technology Arrangements (ITA) for Malta’s gaming industry. The new framework will be divided into two phases. As of 1 January 2019, the MGA will accept applications for the use of DLT assets (VFAs and Virtual Tokens) as a method of payment. In a second phase the sandbox framework will be extended to applications for the use of ITAs within the key technical equipment of licensees, to coincide with developments launched by the Malta Digital Innovation Authority (MDIA).
Malta Blockchain Summit 2018
Every licensee must give players the possibility of filing complaints. Every licensee is obliged to enquire into any complaint made, and in the event that the complaint is forwarded to the MGA, the licensee must provide initial feedback within 21 days from the date on which the complaint has been lodged.
24. The first Commandment
Since the 1st of January 2018, iGaming Operators who are licensed to provide a service involving the wagering of a stake with monetary value in games of chance, including games of chance with an element of skill, via electronic means of distance communication upon request from the recipient of said services, with the opportunity to win prizes of money or money’s worth have become ‘Subject Persons’in terms of Regulation 2 of the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR), better known as the 4th Anti-Money Laundering Directive.
On the 19th of July 2018, the Financial Intelligence Analysis Unit (FIAU) jointly with the Malta Gaming Authority (MGA) have issued a set of Implementing Procedures specifically for the iGaming Sector which outline gaming companies obligations under the new regulations. The new regulations under the PMLFTR, brought about an obligation for gambling operators to conduct a Business Risk Assessment which should be commensurate to the business risks the operator is exposed to in terms of money laundering and the financing of terrorism. Such risks may be categories into 4 major components which are; Geographical risk, Product service/transaction risk, Interface risk and Customer risk.
Accordingly, all ‘Subject Persons’ are required to perform a Customer Specific Risk Assessment and Verification once a player deposit reaches the €2,000 threshold within a rolling period of 180 days (accumulatively) and consequently to perform the necessary Customer Due Diligence (CDD) according to the risk level perceived. Players which are categorised into a Medium or High risk are to be requested for their Source of Funds (SOF) and additional documentation to verify the player’s identify should be requested when necessary.
Ultimately, all ‘Subject Persons’ are obliged to report any suspicious activity in terms of ML/TF without any unnecessary delays with the FIAU, who is the ultimate responsible body for AML/CFT under Article 16(1)(c) of the PMLA.
25. Player Protection
All licensees need to display at all times, in a prominent place on the entry screen of the website, a warning of the addiction possibilities of gaming and links to other websites assisting compulsive/problem gamblers. In addition, full-screen games cannot be offered unless a real-time clock is displayed on the screen at all times and players are given the facility to exit the game.
26. That’s my Limit
All registered players must be given the possibility to either set a deposit or wager limit upon registration, or immediately after registration upon login. The licensee needs to ensure that the option remains available and easily accessible for the player. The operator may offer players the possibility to set additional limits, including but not limited to loss and time session limits and to exclude themselves from playing for a definite or indefinite period of time. While operators are obliged to offer a self-exclusion system to their players, there is no unified system in place. The MGA is committed to designing a unified self-exclusion system across all channels.
27. Failure, Failure, Failure
A licensee is to take all reasonable steps to ensure that the computer system enables a player whose participation in a game, after they have made a wager, is interrupted by a connectivity or computer failure, is able to resume playing when the system is restored. If a licensee’s computer does not enable a player to continue, the licensee shall ensure that the game is terminated and the amount of the wager is refunded to the player by placing it in the player’s account.
28. Paving the Way for Automation
In 2019, the MGA will launch an Enhanced Automated Reporting Platform for land-based operators, which will be rolled out in 2020 for iGaming companies. This automation serves a twofold purpose: facilitating licensees’ adherence to their reporting obligations, while also increasing the MGA’s access to information and thereby strengthening effective compliance oversight.
29. A Beast of a Different Nature
While iGaming companies have to comply with various regulations depending on the markets they operate in, all organisations processing or controlling data in the European Union must comply with the General Data Protection Regulation (GDPR). In Malta, companies have to ensure that they are compliant with GDPR and with the gaming regulatory framework. They are obliged to appoint a Data Protection Officer (DPO).