iGaming Compliance

Compliance at a Glance

MaltaProfile outlines the compliance conditions according to the Remote Gaming Regulations of the Malta Gaming Authority.


The Malta Gaming Authority's (MGA) rigorous application process is designed to ensure ethical behaviour and fair play, from the strict due diligence process each company undergoes prior to being issued with a licence, to the monitoring and supervision of the operations once they are set up and running. The MGA mandates that after going live a licensee undergoes a number of compliance reviews in order to ensure that the licensee is compliant and operating in accordance with the applicable requirements. Therefore, licensees need to be aware that the licence application process is just the beginning when it comes to compliance requirements.

The MGA requires the following reviews:

• After the first year of operation once licensed by the MGA.

• On the third year of operation after being licensed by the MGA, following a risk-based assessment.

• Prior to the expiry of the five-year licence for its renewal.

• At the discretion of the MGA when this is deemed necessary and specifically in cases where the licensee is suspected to be conducting its operations in breach of the applicable requirements.

Failure to carry out or successfully undergo a compliance review may lead to administrative action from the part of the MGA, including the suspension of a licence.



The MGA may order the suspension or cancellation of a licence for a number of reasons, including but not limited to: cases where the licensee or the Key Official is convicted in any country of an offence which is punishable by imprisonment; the licensee fails to comply with a material term or condition of the licence, fails to pay taxes and other fees or is insolvent; fails to meet commitments to players; has obtained the remote gaming licence by providing false or misleading information or is in breach of the laws or regulations for the prevention of money laundering.



Every licensee is obliged to appoint at least one Key Official who is responsible for supervising operations and to ensure that the licence holder complies with all laws, regulations, conditions and any directives issued by the Malta Gaming Authority (MGA). The official must assist the MGA with any investigations and queries relating to the licensed operations; oversee and audit processes, ensure that all games are fair and correct, and that the remote gaming system is well-kept and maintained. The Key Official role holds great responsibility, and therefore the selected person should be readily available in Malta, appointed as a director of the gaming company, and has to be approved by the MGA.



In applying for a gaming licence, the applicant must present to the MGA the software used and the specifications of the control system that will be used to conduct gaming operations and which will be subject to verification testing. The operational manual must include the following details: game description, software, reporting requirements, and a full list of the terms and conditions with the rules of the games. It should also include the general procedures to be followed for the operation of remote gaming software where applicable, the procedures for recording and paying prizes won in remote gaming, and the accounting systems and procedures to be followed to play a game. The MGA also requires the following to be submitted: the procedures and standards for the maintenance, security, storage and transportation of equipment to be used to conduct remote gaming; the procedures for the setting up and maintenance of security facilities including general compliance and internal controls relating to access to critical systems, a disaster recovery plan and an adequate system of data backup. Before a new gaming system becomes operational, a licensee must provide adequate certification to the MGA to confirm that the gaming system was tested within the previous six months and found to comply with all technical specifications. These requirements confirm that the system is technologically sound, secure and unbiased. More specifically, the data in the gaming system must be randomly generated, unpredictable and unable to be reliably reproduced. The operation of all gaming equipment must have the prior approval of the MGA. The requirement for randomly generated data means the system must pass appropriate statistical tests of randomness to prove that the data is unpredictable and that it is computationally unfeasible to predict what the next number will be. If, for example, the sequence generator is activated again with the same input, it must produce two completely unrelated random sequences. Moreover, the outcome of the game event, and the return of the player, must be shown to be independent of the CPU, memory, disk or other components used in the playing device. Nor must the game event outcome be affected by the effective bandwidth, link utilisation, bit error rate or any characteristic of the playing. Operators must seek prior approval of the MGA before making any changes to the system. The gaming system must also be capable of producing monthly auditable and aggregate financial statements of gaming transactions, and calculate accurately all taxation and other monies due to the MGA. The gaming system must maintain information about all games played and the identity of the player.



The regulations require players to submit certain information to the licensee before they can be registered as players and participate in the games. These include the following details, which the operator is obliged to obtain from each player: that the player is over 18 years of age, the player’s identity, the player’s place of residence, and the player’s valid e-mail address. The database server must be physically located within the European Economic Area or any other approved jurisdiction and could be subject, if necessary, to inspection by the MGA. The MGA also requires the presence of a mirror server in Malta that replicates in real-time the data on the database.



Operators granted a Malta licence must set up and maintain a player’s account for each player registered, and the licensee cannot accept a wager from a player unless a player’s account has adequate funds to cover the amount of the wager. The licensee is barred from accepting cash from a player, and funds can only be received from the player by credit/debit cards, electronic transfer, wire transfer, cheques or any other method approved by the MGA. It is a strict provision that a licensee must not provide credit to a player or act as agent for a credit provider to facilitate the provision of credit to that player. When a player requests to withdraw funds from their account, the licensee must remit such funds within five working days, if practical, and a licensee must not personally deal with the credit of a player’s account. A licensee cannot make a payment in excess of €2,329.37 to a player’s account until the player’s identity, age and place of residence have been verified. A payment may only be remitted by the licensee to the same account from which the player’s funds originated. Inactivity for 30 months on a player’s account permits the licensee to remit the balance in that account to the player or, if the player cannot be satisfactorily located, to the MGA. The licensee must keep players’ funds separate from the licensee’s own funds in a client’s account held with an approved credit institution. The licensee must instruct and authorise the credit institution at which a player’s account is held, to disclose any information as may be requested by the MGA in respect of a player’s account. The licensee must also submit to the MGA a Player Liability Report on a monthly basis, to confirm that player funds are controlled in accordance with the applicable requirements.



The regulations oblige all licensees to display at all times, in a prominent place on the entry screen of the website, a warning of the addiction possibilities of gaming and links to other websites assisting compulsive/problem gamblers. In addition, every hour an automatic reality check that suspends play must appear which: indicates how long the player has been playing, displays the player’s winnings and losses during such period of time, requires the player to confirm that the player has read the message, and gives an option to the player to end the session or return to the game. All amounts displayed must be quoted with the symbol of currency that the player is playing with. Full-screen games cannot be offered unless a real-time clock is displayed on the screen at all times and players are given the facility to exit the game.



Self-barring gives players the option of managing their gaming activity effectively. All registered players must: be given the facility to set a limit on the amounts wagered within a specific period of time, set a limit on the losses that the player may sustain within a specific period of time, set a limit to the amount of time the player may play in one session and exclude the player from playing for a definite or indefinite period of time. If the game is displayed on a screen, an automatic counter must indicate the player’s account balance.



Malta’s commitment to player protection includes an obligation to provide safeguards to ensure responsible gaming. The dangers of compulsive gambling and other gamblingrelated problems are well recognised by the legislation and regulation governing Malta’s remote gaming industry. The MGA has put in place a variety of checks and balances to prevent the abuse of gambling and the proliferation of compulsive players who feel they should exclude themselves from playing for a period of time. Self-barring also includes provisions such as limiting the amount per wager, or limiting losses.



A licensee is to take all reasonable steps to ensure that its computer system enables a player whose participation in a game, after they have made a wager, is interrupted by a failure of the electronic communications system or a failure of the player’s computer system, is able to resume playing, when the system is restored. If a licensee’s computer does not enable a player to continue, the licensee shall ensure that the game is terminated and the amount of the wager is refunded to the player by placing it in the player’s account.



The MGA takes complaints from players very seriously, and every licensee must give players the possibility of filing complaints. Every licensee is obliged to enquire into any complaint made, and in the event that the complaint is escalated to the MGA, the licensee must provide the initial feedback within 21 days from the date on which the complaint has been lodged.



The framework also lays out detailed guidelines on advertising, and licensees are not permitted to carry out advertising that, among others: implies that remote gaming is required for social acceptance, personal or financial success or the resolution of any economic or social problems; that contains endorsements by well-known personalities that suggest remote gaming contributed to their success; that encourages individuals under 18 years of age to engage in remote gaming; or that sends unsolicited electronic mail, whether it is through its own operation or by the intervention of third parties.



Licensees are required to keep accounts and records that show a true and fair view of the financial position and state of affairs of the licensee. Within 180 days from the end of its financial year, the licensee needs to file with the MGA an audited set of financial statements. Within 30 days from the end of the half yearly period, the licensee has to submit interim financial statements. The gaming tax based on the licence class has to be paid monthly by the 20th of the following month.



Besides paying tax on their profits, gaming companies licensed in Malta must also pay gaming tax. However, when compared to other European Union member states, the gaming tax is relatively low and capped at a maximum of €466,000 per year. The gaming tax depends on the class of the licence:

• Class 1 - Fixed rate at €4,660 per month for the first six months and €7,000 per month thereafter

• Class 1 on Class 4 - €1,200 per month

• Class 2 and Class 2 on Class 4 - 0.5% of the gross amount of bets accepted in remote betting operations

• Class 3 and Class 3 on Class 4 - 5% of real income

• Class 4 - No tax for the first six months of operation, €2,330 for the subsequent six months, and €4,660 per month thereafter for the entire duration of the licence

• Class 4 licensee hosting and managing an operator that is not in possession of the relevant Class 1, 2 or 3 licence in terms of regulations, however hosting an EEA licensed Business to Consumer operator - €1,165 per month per operator, paid by the Class 4 licensee

With the new regulatory overhaul anticipated to be implemented in 2017, taxes will change according to the new licence classes and will be based on variables rather than fixed elements. In general, both licence fees and gaming tax will be based on gross gaming revenue (GGR).



The Fourth AML Directive came into force in June 2015 and must be transposed into national law by June 2017. The new directive presents a legal obligation for iGaming companies which requires more robust due diligence and more onerous obligations to prevent money laundering while bringing about an obligation for all gambling operators to conduct customer due diligence (CDD) for transactions of €2,000. Thus far, iGaming operators are not subject persons under the EU’s Third Anti-Money Laundering Directive, but this is about to change when the Fourth Directive will be transposed into national law. The Fourth Directive will also crystallise the obligation of remote gaming operators, as subject persons, to appoint a Money Laundering Reporting Officer and to notify the Financial Intelligence Analysis Unit – a unit of the Malta Financial Services Authority (MFSA) – and the MGA of the appointment. The importance of this aspect of the regulations is underlined in the provisions laid down, which require operators to have systems and training in place to prevent money laundering and the financing of terrorism. These systems include customer due diligence procedures, record keeping and internal reporting procedures. Gaming operators should take particular notice of the following sections of the PMLR regarding the obligation to be aware of compliance requirements on: identification of criminals, appropriate record keeping, dealing with internal reporting procedures and establishing the duty to report money laundering activities.



Brands who work with us