FAQs
All B2C licensees required to prepare the AUPs shall be able to view the draft record entitled ‘Auditor Player Funds & Gaming Revenue’ on the MGA’s LRMS. In the event that a B2C licensee concludes that they fall within the scope of the AUPs, and are however unable to locate the draft record on their LRMS timeline, then they are kindly requested to notify the MGA by sending an email to [email protected].
The compliance obligation to submit the AUPs rests with the licence holder. To the extent that the practitioner is submitting on the licensee’s behalf, they could request access. In this regard, the practitioner would have access to the MGA’s LRMS/online portal only in the event that such access has been granted by the licensee’s Power User through the LRMS itself.
Statutory audit service providers approved by the MGA are allowed to prepare the AUPs. The approved list is accessible by clicking here.
The AUPs shall be submitted to the MGA by the licensee through the MGA’s LRMS which can be accessed through https://portal.mga.org.mt. The AUPs shall be uploaded through the draft record entitled ‘Auditor Player Funds & Gaming Revenue’ which shall be visible on the licensee’s respective timeline as at its financial year end date.
The AUPs are to be submitted annually to the MGA not later than 9 months from the end of the licensee’s financial year. This shall apply for the year ending December 2022 as well as for any subsequent years.
A B2C licence holder which would have had its licence suspended voluntarily for some time during the year is still obliged to prepare the AUPs.
Yes, in such case, it wouldstill be required. The MGA is already allowing an exemption from the requirement to prepare the AUPs for the first financial year during which a licence is granted, hence, no further exemptions shall be permitted from the second financial year onwards, should a licensee still remain non-operational until that time.
No. If for example, a B2C licence holder would have obtained its licence in April 2021, it shall not be required to prepare the AuPs for financial year 2021. Notwithstanding this exemption, preparation of the AUPs shall still be required for subsequent years.
All B2B licence holders are exempted from reporting the AUPs in terms of Article 41(2)(b)(ii) and (iii) of the Gaming Authorisations and Compliance Directive.
All B2B licensees, whether or not they are offering a shared pooled jackpot, fall out of scope and are thus not required to prepare the AUPs.
Correct. For the financial year 2021 only the main licence holder of a corporate group licence shall be obliged to prepare the AUPs. This shall however be reassessed by the MGA for future financial years and any changes to this policy shall be communicated to the industry.
The requirement to submit the AUPs applies to all companies licensed by the MGA, except for:
• B2B licensees;
• Companies which were granted a licence during the period covered by the Audited Financial Statements for the financial year ending during 2021 (such companies shall then be required to submit the respective declarations for the financial years ending during 2022 onwards);
• Companies covered by a Corporate Group Licence, other than the main licensee which shall still be required to submit the declarations.
A Commercial Communication Game is a game organised with the purpose to promote or encourage the sale of goods or services.
Any person interested in organising a lottery to promote a good or service will need to apply for the relevant permit in order to offer the lottery.
An entity can apply for a Commercial Communication Game permit via the Licensee Portal. Applications need to be accompanied by the relevant application fee of €25 or 0.5% of the total monetary or retail value of the prize, whichever is higher.
In the case of Commercial Communication Games, the purchase of the good or service is the entry requirement for participation. Where an additional participation fee is required, the value of the latter shall not exceed two euro (€2) per player, and the value of the prize shall not exceed two hundred and fifty euro (€250).
Any prize relating to a single event that is covered by a Commercial Communication Game shall not exceed €50,000.
In the case of limited Commercial Communication Games, the prize shall not exceed €250.
Commercial communications must not:
- Condone or encourage behaviour which is criminally or socially irresponsible;
- Portray gaming as a means of resolving problems;
- Suggest that gaming is an alternative to employment.
Gaming adverts cannot make reference to easily available means of credit, and cannot tarnish the image of any other licensee.
Commercial Communication Games are not to cumulatively exceed €100,000 in prizes during any calendar month and not more than €500,000 during any calendar year.
A Voluntary Surrender is the voluntary termination of a Licence issued by the Authority. In cases where an Authorised Person wishes to surrender a Licence issued by the Authority, the Authorised Person shall submit a ‘Licence – Licence Surrender’ application, by visiting the MGA portal. The Authorised Person shall adhere to the termination procedures provided by the Authority which relate to players, the Authorised Person’s website, the Authorised Person’s gaming system, the Authorised Person’s duties and payable fees.
The application shall include the following information: a formal certified letter signed by one of the company directors, including a brief explanation as to why the entity wants to surrender the licence, and what will become of the entity following the surrender approval. The letter must also contain information regarding the date of termination, player operations, pending player funds, and winding up of jackpots.
Information Security Incident reports shall be submitted to the MGA for the following instances:
- Any breach of the licensee’s information security that adversely affects the confidentiality of information related to players; and
- Any breach of the licensee’s information security that precludes players from accessing their accounts for a period exceeding twelve (12) hours.
- Adverts must be compliant with the requirements envisaged in the Gaming Commercial Communications Regulations (S.L. 583.09), including but not limited to, displaying the licensee’s name, licence number, the minimum age to participate and responsible gaming-related information.
- Adverts displayed on social media must also be compliant with the Regulations
The Authority may require any licensee to undergo a Compliance Audit, on a regular or ad hoc basis, in accordance with any binding instrument that may be issued by the Authority. This provided that only Compliance Audits carried out by auditors approved by the Authority shall be recognised by the Authority.
Once the Authority contacts a licensee stating that a Compliance Audit needs to be conducted, the licensee needs to engage an approved Compliance Auditor and submit a ‘Letter of Engagement’, as well as a ‘No Conflict-of-Interest’ declaration. From thereon, the engaged External Auditor has three (3) months to submit the complete Compliance Audit Report to the MGA. Following submission, the MGA's audit team conducts a review of the Compliance Audit Report and follows up with the licensee on any issues that arose during the audit.
System and Compliance Audit Service Providers
Name | Registration Number | Country of Registration |
BDO Technology Advisory Ltd | C87755 | Malta |
Capstone Assurance Ltd | C57993 | Malta |
Deloitte Advisory and Technology Limited | C23487 | Malta |
eCOGRA Ltd | 4690117 | United Kingdom |
Finanz-Audit Ltd | C65281 | Malta |
Gaming Associates Europe Limited | 9663955 | United Kingdom |
GCS Assurance Malta Limited | C79687 | Malta |
Global Lab Ltd | C93984 | Malta |
GLI Europe | 818473393 | Netherlands |
Grant Thornton | C80426 | Malta |
KPMG | AB/26/84/12 | Malta |
Kyte Consultants Ltd | C39922 | Malta |
Malpep Ltd | C98086 | Malta |
MAZARS Consulting Ltd | C29387 | Malta |
Nouv Audit Limited | C66782 | Malta |
PriceWaterHouseCoopers | AB/26/84/38 | Malta |
QUINEL Ltd | C59317 | Malta |
Radix Technologies Ltd | C97052 | Malta |
RNG Labs International Ltd | C58224 | Malta |
RSM Malta | AB/26/84/53 | Malta |
Statutory Audit Service Providers
Name | Registration Number | Country |
Acubed Assurance Ltd | C104324 | Malta |
Altima Assurance Limited | C91283 | Malta |
Bailey Audit Service Limited | C53740 | Malta |
BDO Malta | AB/26/84/06 | Malta |
Borg Galea Audit Limited | C79290 | Malta |
Capstone Assurance Ltd | C57993 | Malta |
CG Audit Limited | C97404 | Malta |
Core Audit and Assurance Ltd | C97823 | Malta |
Deloitte Audit Limited | C51312 | Malta |
ECOVIS Malta Limited | C89831 | Malta |
Ernst & Young Malta Limited | C30252 | Malta |
FACT Audit | AB/2/15/15 | Malta |
Finanz-Audit Ltd | C65281 | Malta |
FST Audit Limited | C21500 | Malta |
GCS Assurance Malta Limited | C79687 | Malta |
Grant Thornton | C80426 | Malta |
Griffiths & Associates Ltd | C58472 | Malta |
John Zammit & Associates (Audit & Assurance) Limited | C104557 | Malta |
KPMG | AB/26/84/12 | Malta |
KSi Malta | LPA 92 | Malta |
Mazars Malta | AB/26/84/39 | Malta |
MJA Assurance Ltd | C106895 | Malta |
NCMB Auditing Ltd | C97541 | Malta |
Nouv Audit Limited | C66782 | Malta |
PriceWaterHouseCoopers | AB/26/84/38 | Malta |
RJV Audit Limited | C78969 | Malta |
RSM Malta | AB/26/84/53 | Malta |
Steven Galea & Associates Limited | C93610 | Malta |
VCA | AB/26/84/46 | Malta |
ZD Assurance Limited | C66286 | Malta |
More information may be found on this page.
The ESG Code Approval Seal is a recognition awarded to entities that report under this Code, showcasing their commitment to ESG. The seal will be valid for one year from the award date and will be renewable at the next reporting period. Different seals will be awarded to licensees that meet Tier 1 or Tier 2 reporting requirements and such licensees can change the Tier at which they report each year.
Reporting entities will be able to display the MGA Code Approval Seal, Tier 1 or Tier 2, on their MGA-licensed website, corporate website, social media platforms, and any publications.
Participation in the Code is voluntary, and licensees have the discretion to decide whether they have the capacity to start reporting on ESG results. However, we strongly encourage all MGA licensees to adopt the Code, reinforcing their commitment to sustainability and the continual improvement of the industry’s ESG standing.
The Code currently applies only to B2C and B2B licence holders of the MGA and is not applicable to recognition notice holders. Nevertheless, the Authority may reassess the inclusion of recognition notice holders within the scope of the Code in the future.
The information submitted to the MGA will be used to track stakeholders’ commitment to ESG. The Authority may publish aggregated information to showcase the sector’s commitment to ESG practices; however, no individual submissions or information pertaining to specific licensees will be divulged.
It should be noted that any confidential information which is submitted to the Authority in terms of the Code shall be subject to the secrecy and disclosure obligations established in the Gaming Act (Chapter 583 of the Laws of Malta) and any subsidiary legislation promulgated thereunder. The information submitted will be considered internally by the MGA to gauge the industry’s commitment to ESG matters. The Authority may decide to publish general and anonymised information regarding the industry’s ESG commitment and initiatives.
In determining the ESG topics for the materiality assessment, the MGA adopted a multifaceted approach, drawing insights from research, peer review, and consultative discussions with licensees. This method ensured a comprehensive understanding of industry practices and expectations, fostering a balanced selection of topics. The goal of the materiality assessment was to maintain a balanced and manageable framework while considering the impact on society, financial implications, existing reporting requirements, the strategic importance to Malta or the Authority, and ease of implementation.
As we move forward, ongoing revisions of the Code may incorporate additional ESG topics identified in this collaborative and consultative process, reinforcing the commitment to a balanced and responsive regulatory approach.
The Code introduces two levels of reporting: Tier 1 and Tier 2. Tier 1 is designed as a basic ESG standard for entities to report on and achieve and is intended to be used by reporting entities that are in the initial stages of their ESG journey. Tier 2 is more aspirational, for licensees with more experience and/or greater ambitions on ESG. A different seal will be awarded to licensees that meet Tier 1 or Tier 2 reporting requirements.
The decision to change the reporting level is at the discretion of the licensee. The latter has the flexibility to adjust the reporting level, whether it involves upgrading from Tier 1 to Tier 2 or downgrading from Tier 2 to Tier 1, during the subsequent reporting period. Any changes made will be duly reflected in the MGA ESG Code Approval Seal awarded to the licensee.
The Code pertains exclusively to the operations of licensees under the MGA licence. Therefore, global operators are expected to report information solely related to activities that fall within the scope of the Authority’s oversight.
Reference should be made to page 20, footnote 20 of the Code, wherein it is stated that a ‘Reporting entity’ means the remote gaming entity licensed by the MGA (whether at group or at company level), on behalf of whom this submission is being made.
The Code will be implemented through the existing fees and no additional financial cost will be introduced in relation to the implementation of this initiative.
Participation in the Code is on a voluntary basis, and it is at the discretion of the licensee to determine whether they have the capacity to start reporting on ESG results. While we strongly encourage all our licensees, especially those within the scope of the CSRD, to participate, there will be no consequences for those who choose not to do so.
Yes, this will be possible. However, we strongly encourage our licensees to continue reporting under the Code, especially those within the scope of CSRD.
It should be noted that in such a case, the relevant B2C Tier will be applicable.
Licensees will be responsible for providing the required information through the reporting system/tool. Those licensees who choose to participate in the Code will be granted access to the tool and will be required to periodically report on disclosures included in the Code.
Data covering the reporting period (1 January – 31 December) is due by 31 August of the following year. For example, if the reporting period is 1 January – 31 December 2023, then the ESG reporting submission is due by 31 August 2024.
Yes, prior to the opening of the reporting period, the MGA will be issuing guidelines on the reporting tool that will be used for the purposes of ESG disclosures and on certain substantive aspects of the Code.
The following are the Game Types authorised by the Authority:
- Type 1: games of chance played against the house, the outcome of which is determined by a random generator, and shall include casino-type games (including roulette, blackjack, baccarat, and virtual sports games), poker played against the house, lotteries, secondary lotteries; and/or
- Type 2: games of chance played against the house, the outcome of which is not generated randomly, but is determined by the result of an event or competition extraneous to a game of chance, and whereby the operator manages his or her own risk by managing the odds offered to the player; and/or
- Type 3: games of chance not played against the house and wherein the operator is not exposed to gaming risk, but generates revenue by taking a commission or other charge based on the stakes or the prize, and shall include player versus player games such as poker, bingo, betting exchange, and other commission-based games; and/or,
- Type 4: controlled skill games as per regulation 8 of the Gaming Authorisations Regulations.
In the case of a game displaying elements which may fall under more than one of the types referred to above, the Authority shall have full discretion in categorising the game in the type it believes closest reflects the nature of the game.
By definition, the term “gaming vertical” means a category of products that require specific safeguards in order to ensure that it is offered in a manner which adheres to the law and the regulatory objectives, owing to its characteristics and the distinction between it and other categories of products. For the sake of clarity, the different verticals include:
- Casino;
- Live casino;
- Scratch Cards;
- Lotteries;
- Secondary lotteries;
- Fixed odds betting including live betting;
- Pool betting, including betting exchange;
- Peer-to-peer Poker;
- Other commission-based, peer-to-peer games such as bingo, but excluding pool betting, betting exchange and poker;
- Lottery messenger services;
- Controlled skill games;
- Any other gaming vertical which is not comprised of the above.
No, the Authority does not require licensees to obtain a licence for each type of game. Operators that are already in possession of a Gaming Service Licence or Critical Gaming Supply Licence, and wish to offer an additional type of game are required to apply for the necessary approval through the Licensee Portal.
As a minimum, the entire set of rules, including the manner in which a player can win or lose a game, must be no further than one click away from the page on which the game can be played. Upon that one click, a player must be immediately presented with the rules. However, the rules may be categorised further within this window, possibly requiring further clicks due to the limitation of space, but they shall always remain easily accessible and easy to understand.
With respect to games which are played after being downloaded and installed on a compatible device, licensees shall ensure that the game rules shall be made present to the player in any case prior to the player’s first wager on the game.
By definition, the term “key function” means an important function, role or task carried out by a person in connection with a gaming service or a gaming supply, as may be prescribed by the Gaming Authorisations and Compliance Directive (Directive 3 of 2018).
Key Persons are required to have full knowledge, understanding and access to the applicant’s or licensee’s operations, as may be necessary for them to carry out their respective Key Function/s.
Applicants are required to be fit and proper in order to carry out their respective roles, not only at the time of their application for a Key Function Certificate, but also on an ongoing basis thereafter.
More information may be found here: https://www.mga.org.mt/licensee-hub/applications/individuals/key-function-director/
Key Functions vary per licence type, and the full list can be found within Part 2 of the Gaming Authorisations and Compliance Directive (Directive 3 of 2018).
When a Key Function holder cannot exercise their function/s due to extenuating circumstances, a person not holding the certificate approval but having the necessary competencies may exercise such function/s on a temporary basis. In any such case, the Authority shall be notified forthwith and in no case later than twenty-four (24) hours after such person is vested with the exercise of the key function/s. Such a temporary exercise may not exceed one (1) calendar month, but may be renewed with the prior written approval of the Authority.
The element of ongoing training and relevant Continuous Professional Development (CPD) is considered to be fundamental for ensuring that Key Persons are continuously up to date on developments in their respective fields, and thus remain fully equipped to carry out their designated roles. Eventually, when applying for the renewal of their Key Function Certificate, Key Persons shall be required to show that they have attained a minimum number of CPD hours during each calendar year of the previous certification period for each of their authorised Key Functions, in order for such renewal to be approved. The minimum number of CPDs required is outlined in the 'Key Function Eligibility Criteria Policy' document.
Key Persons shall be required to fulfil the CPD requirements with respect to each of the Key Roles which they are authorised to fulfil upon their first application for renewal of their Key Function. Hence, no yearly reporting or notifications are required, prior to the renewal.
The following is an exhaustive list of methods applicable to the attainment of CPD requirements.
Unless otherwise specified below, one (1) CPD hour is earned for each hour of active participation in qualifying professional educational activities, excluding lunches and breaks where applicable. CPD hours can also be earned in half-hour increments.
- Professional Educational Activities: These activities include courses, in-house training, conferences, seminars, and workshops relevant to a given Key Function.
- Presentations: These activities include vendor or system-specific presentations relevant to a given Key function. A maximum of four (4) CPD hours per year can be attained through such activities.
- Teaching/Lecturing/Presenting: These activities include the development and delivery of presentations and courses relevant to Key Functions. In terms of such activities, CPD hours are earned at two (2) times the presentation time for the first delivery, e.g. a two-hour presentation earns four (4) CPD hours. CPD hours cannot be earned for subsequent presentations of the same material unless the content is substantially modified and/or updated.
- Publication of articles: These activities include the publication of material directly related to the designated Key Functions. Such publications must be credited to the Key Person and appear in a formal publication or website. CPD hours are earned on the basis of word count for the given publication so that one (1) CPD hour shall be awarded for every five hundred (500) words, provided that not more than five (5) CPD hours shall be awarded on the basis of such publications for a given year.
- Professional Examinations: This activity pertains to the pursuit of examinations related to the individual’s designated Key Function. Two (2) CPD hours are earned for each examination in relation to which a passing score is achieved.
Participation or attendance of the activities mentioned above would be deemed relevant as CPD hours as long as the activity is related to the Key role held by the applicant. Key Persons authorised to carry out multiple Key Functions will be required to fulfil the relevant CPD requirements for each role. If, however, a given CPD activity is considered relevant for multiple Key Functions, this can be counted towards the fulfilment of the requirements of each respective role simultaneously.
In case of doubt, Key Persons may contact the Authority’s Compliance Department on [email protected] for confirmation of the relevance of a particular activity to a given role.
Licence applications can be submitted through the Licensee Portal, by selecting the New Licence Application. Applicants can apply by logging into the Portal and following the simple process steps. The Portal provides a dedicated timeline that will give users the possibility to follow the status of their requests in real-time, ensuring efficiency and transparency.
Further information with regard to the licence fees, the regulations & directives as well as the technical checklist can be found under the Regulatory Framework of the MGA website. The Portal's homepage provides a link to some tutorial videos, with common application requests.
The Authority may issue licences for the following categories:
- Gaming Service licence:
- A business-to-consumer licence to offer or carry out a gaming service;
- Critical Gaming Supply licence:
- A business-to-business licence to supply and manage the material elements of a game; or
- A business-to-business licence to supply and manage the software, whether as a standalone or as part of a system, to generate, capture, control or otherwise process any essential regulatory record and/or the supply and management of the control system itself on which such software resides.
In order for a game to be licensable by the Authority, the following criteria need to be present, cumulatively;
(i) A stake to enable participation;
(ii) The predominance of chance;
(iii) A prize of money or money’s worth.
Any entity established in the European Union (EU) or the European Economic Area (EEA) is eligible to apply for a licence, as long as it meets the required Shared Capital requirements and the annual Financial Statements reporting requirements.
Where the applicant for a licence is a body corporate, such an applicant may apply for a licence either for himself only or for its corporate group. In the latter option, all references in these regulations to an applicant shall be deemed to refer to each and all members of the corporate group, and where such licence is granted, each member of the corporate group and all of them jointly and severally shall be deemed to be a licensee.
Following the submission of the application, the Authority will verify the settlement of payment, as well as conduct a preliminary check to ensure that the application is complete.
Any incomplete applications will be set to a one-time ‘incomplete’ status for sixty days. If the application is not re-submitted in full within this period, the application will be rejected and closed off.
Once the application is accepted, the applicant is informed of the status and notified with respect to who will be the main point of contact for the licence application.
The MGA may require further information and/or amendments, as well as the submission of required documents to complete the application review according to the gaming legislation.
Applications, once submitted, can be viewed and accessed from the licensee’s, or the applicant’s timeline on the Licensee Portal. Gaming licences are immediately assigned to an Authorisations team, and the applicant receives an official confirmation via email that the licence application has been received successfully, if the application submission is deemed to be complete at face value.
Licensees are given a period of 90 days to go live, after issuance of the licence. However, licence fees, compliance contribution and gaming tax are due from the date of issuance of the licence. The licensee shall be required to submit a Declaration of Go-Live application by no less than two (2) days prior to the go-live date indicated within the declaration, whereby such an application can be found through the Licensee Portal. In the case that a licensee does not go live within this stipulated timeframe, the licensee will be required to apply for a Voluntary Licence Suspension from the Licensee Portal (Licence – Voluntary Licence Suspension), for a maximum extension of 9 months
No, the Authority does not charge any fees for meetings held with applicants, licensees or service providers.
The Authority is conscious of the fact that outsourcing is integral to the operational setup of most gaming businesses nowadays, whether for advantages of cost or specialisation or for any other reason which the operator may deem relevant. The type of supplies considered to be supplementary to the activity being licensed can be found within the Outsourcing Policy.
The Authority requires a company applying for a licence to have the following minimum issued paid-up share capital when registering the company with the competent authority:
Gaming Service Licence:
- Type 1 – Minimum €100,000
- Type 2 – Minimum €100,000
- Type 3 – Minimum €40,000
- Type 4 – Minimum €40,000
Critical Gaming Supply Licence:
- Minimum €40,000
Companies with multiple type approvals are required to meet the above share capital requirements cumulatively up to a maximum capping of €240,000.
Companies having or applying for a Corporate Licence are required to have the minimum Share Capital in any one of the entities forming part of the Corporate Licence.
Any major changes occurring throughout the term of a licence application will require a new licence application to be submitted accordingly. Major Changes include:
- Any changes affecting more than 75% equity ownership, control or funding of the prospective applicant;
- Any changes that require a new Business Plan to be submitted, such as major changes to the products to be offered or the respective markets, requiring the submission of revised Financial Projections; and
- Any other changes that would necessitate a new review of the submitted policies and procedures and other documentation.
In order to aid applicants, in cases of major changes, any information submitted to the Authority that would still be valid will not need to be resubmitted again. However, any other updated documents, forms and/or information, together with the application form details will still need to be submitted in full through the Licensee Portal together with the respective application fee.
Any person who feels aggrieved by a decision of the Authority may enter, within twenty days after the date of service upon him of notice of the Authority’s decision, an appeal to the Administrative Review Tribunal in accordance with article 43 of the Gaming Act (Chapter 583 of the Laws of Malta).
Any person in possession of a gaming service or a critical gaming supply licence issued by the Authority shall pay to the Authority a licence fee that depends on the type of approval in line with the Gaming Licence Fee Regulations (S.L. 583.03), which may be found on the Authority’s website. The initial licence fee needs to be paid at the last step of the application process, prior to the issuing of the licence. Yearly licence fees then need to be paid upfront in advance, and are non-refundable.
Gaming tax due in terms of the Gaming Tax Regulations (S.L. 583.10) is based on the gaming revenue, generated by the operators from end customers located in Malta.
The gaming tax shall be payable monthly, together with the submission of regulatory returns containing the relevant data to calculate the said tax.
Further information is clearly stated under the Gaming Tax Regulations (S.L. 583.10), which may be found on the Authority’s website.
Compliance Contribution is a contribution payable on qualifying activities, which are determined in the manner stipulated in Part A of the First Schedule of the Gaming Licence Fees Regulations (S.L. 583.03) by reference to the gaming revenue generated during the licence period from the gaming services offered. Compliance Contribution is payable on qualifying activities consisting of Type 1, Type 2, Type 3 and Type 4.
This shall be determined by the gaming revenue generated during the licence period depending on the type of gaming services approved (minimum compliance contribution fee is applicable).
Information relating to the Compliance Contribution fee can be found in the Gaming Licence Fees Regulations (S.L. 583.03), which may be found on the Authority’s website.
An entity can apply for a Commercial Communication Game permit via the MGA’s Licensee Portal. The application needs to be accompanied by an application fee of €25.
Limited Commercial Communication Games shall not cumulatively exceed €5,000 in prizes during any calendar month and not more than €50,000 during any calendar year.
For the game to qualify as a Limited Commercial Communication Game, the value of the stake cannot exceed €2 per player.
Any single event shall not award a prize that exceeds €250.
Any Persons or Entities interested in organising a tombola or lottery, which does not qualify as a Low-Risk Game need to apply for a limited commercial communication game permit.
These are Non-Profit Games such as some lotteries and tombolas. Commercial Communications and Limited Commercial Communication Games are all classified as Low-Risk Games.
A de minimis game is one with a maximum stake of €1 and a maximum prize of €100.
A de minimis game is an exempt game and does not require a permit.
All non-profit organisations that wish to organise a lottery or tombola event are required to apply for a non-profit game permit. In order to qualify as a non-profit game, at least 90% of the net proceeds need to be paid out to the non-profit organisation, and an updated Statute of the non-profit organisation needs to be submitted.
A non-profit entity can apply for a non-profit game permit via the MGA’s Licensee Portal. Every application needs to be submitted at least 10 days before the event, together with the non-profit games permit application fee of €25
The maximum stake cannot exceed €5 per player.
A permit is valid only for a singular event. It expires once the event is concluded and is non-renewable, as well as non-transferable.
Up to two de minimis games per month can be organised without a permit. However, throughout a calendar year, these are not to exceed ten games in total. Should a person or entity wish to organise more events than the stipulated limits, the person or entity would need to apply for a Limited Commercial Communications Games Permit.
No, there are no refunds for non-profit tombola.
A self-barring is essentially a self-exclusion in a land-based setting. A player can request self-barring from all premises where gambling is offered, which will prevent the player from accessing land-based premises for the duration of the self-barring timeframe.
The timeframes for a self-barring are either for 6 months, 12 months, or 12 months with an automatic renewal.
To obtain a self-barring from land-based gaming premises, the player must request this at the Operator’s reception area, where a form will need to be completed and signed, along with a copy of the player’s proof of ID and a photograph of the player.
Alternatively, players can request a land-based self-barring from either the Malta Gaming Authority’s premises in SmartCity, Kalkara, or from the Responsible Gaming Foundation offices in Fleur-de-Lys, Birkirkara.
If a player has a current self-barring, this applies to all premises where gambling is offered. For the duration of the self-barring, the player cannot enter any MGA-licensed gambling premises, except to discuss matters relating to the self-barring itself, such as increasing the timeframe etc. This exclusion also includes entering any bars, restaurants or any other facilities which are located within the gambling premises.
When a player sets a self-barring, this would be for either 6 months, 12 months, or 12 months with an auto-renewal. Once this has been set, it cannot be removed until the timeframe has expired, when the self-barring will automatically be removed.
Regarding the 12-month self-barring with auto-renewal option, whilst the self-barring aspect cannot be removed, the auto-renewal aspect can be removed by completing the Self-Barring Auto-Renew Form.
A land-based operator cannot impose a self-barring on a player. However, if the Licensee has sufficient reason to believe that the player may be experiencing gambling-related harm, they can exclude a player from their premises.
The overriding objectives are to promote responsible gambling, prevent the occurrence of problematic gambling, and to safeguard players’ rights. The aim is to ensure that all players can gamble in a safe, secure, and sustainable manner, mitigating the risk of gambling problems or gambling-related harm. Moreover, it is imperative that Licensees operate in a manner which is open, transparent, and that they implement preventive measures to mitigate the occurrence of gambling-related harm. This is a shared responsibility between the Player, the Operator, and the Authority.
Licensed operators must display on their website:
- The Licensee details.
- A sign which indicates that underage gaming is not permissible.
- A ‘responsible gaming’ message, explaining that gaming can be harmful if it is not controlled, and information about the player support measures on the website.
- A dynamic seal or kite mark.
- A link leading to a webpage or application which includes all relevant responsible gaming information required by the Directive. This information must be clear and intelligible, and within one click from anywhere on the website.
- A link which enables players to refer to one or more gambling help organisations.
- A message before first deposit, providing information and access to available responsible gaming tools and limits.
In line with the Player Protection Directive (Directive 2 of 2018), Operators licensed by the Malta Gaming Authority must offer players the ability to self-exclude for either a definite or indefinite timeframe. The ability to self-exclude must be simple and easily accessible.
Moreover, it is mandatory that Operators must also offer players the ability to set either Deposit Limits or Wagering Limits as well as providing players with the ability to set Reality Checks, to assist in maintaining control of their gambling.
What other responsible gambling tools can be made available to players?
As well as the mandatory tools which Operators must make available to players as a minimum, Operators are strongly encouraged to also offer:
- Both Deposit Limits and Wagering Limits. At present the Player Protection Directive (Directive 2 of 2018) mandates that either of the limits be offered to players however, the Authority encourages Operators to offer both limits.
- Loss Limits, which allows a player to limit the amount of money that can be lost within a given timeframe; usually daily, weekly, or monthly.
- Time Limits or Session Limits, which allow a player to limit the amount of time which they spend playing.
- Time Outs/Short Breaks, which work in much the same way that a self-exclusion does except for that the duration is for a timeframe of more than 24 hours and not more than 30 days.
If a minor or underage person creates an account, deposits funds, and uses gaming services, as soon as the Operator becomes aware that the account holder is underage, they are required to close the account and to refund all deposits made by the player.
Any excess winnings made by the minor are to be confiscated by the Operator.
When a player requests an account closure this means that should the player wish to reopen the account later, they may do so simply by requesting this from the customer service team. Whilst general account closures can be requested for many different reasons or no reason at all, it is important that the Operator confirms with the player that the closure request has not been made due to gambling issues or problematic gambling. Probing a player’s responses during this conversation is recommended to ensure that the Operator is entirely satisfied that the closure request is not related to gambling harm.
Whilst an account which has simply been closed can be reopened later upon request, if the player mentions problematic gambling or any issues related to their control of their gambling, the Operator must set a self-exclusion on the account. The self-exclusion can be for either a definite or indefinite timeframe, dependent on the player’s request, the information provided by the player, and the Operator’s discretion, which only extends so far as increasing the self-exclusion timeframe. The Operator must never apply a self-exclusion for a shorter timeframe than the player’s request, nor attempt to persuade or induce a player to set a lesser timeframe.
A self-exclusion is different to a general account closure, as a self-exclusion is a responsible gambling tool which prevents a player from gaining access to the account for either a set timeframe, or indefinitely. If a self-exclusion is set, the account can only be reopened once the exclusion has expired, or on the Player’s request, at the operator’s discretion. Self-exclusions are designed to allow players to take a break from gambling, with the further security that there are additional steps to reopen the account.
All Licensees are required to always offer players the ability to self-exclude from all gaming activity for either a definite or an indefinite timeframe. However, the Player Protection Directive (Directive 2 of 2018) does allow Licensees the option to offer self-exclusions which are product-specific or set for a particular gaming vertical. However, please note that this is an optional self-exclusion and not an alternative to either a definite or indefinite self-exclusion.
As Licensees are not required to offer the ability to self-exclude for a specific product or gaming vertical, this may not be available across all Licensees.
Operators licensed by the MGA are obliged to offer players the option to self-exclude either for a definite or an indefinite timeframe. When a definite self-exclusion is set, players do have the option to extend or decrease the period which the self-exclusion is in place for.
When increasing a self-exclusion timeframe, the player must contact the operator, who will increase the self-exclusion immediately upon receiving the request. There is no cool-off period when increasing a self-exclusion.
A player can request at any time that their self-exclusion timeframe is shortened or removed entirely. To do this, the player must make their request to the Operator in writing, detailing why the self-exclusion was imposed and how circumstances have now changed making the self-exclusion unnecessary. It is at the Operator’s discretion whether to accept or decline the request.
Should the Operator accept the request to decrease or revoke a definite self-exclusion, the account cannot be opened until after the lapse of at least twenty-four (24) hours from the time which the Operator accepts the request.
If the request relates to an indefinite self-exclusion, the player’s account cannot be reopened until after the lapse of at least seven (7) days from the day on which the request to decrease or revoke the self-exclusion was accepted.
A player can self-exclude across all brands which a Licensee offers on request. When a Licensee operates multiple brands with a separate registration for each, and a player requests a self-exclusion for any reason other than responsible gambling issues, the Licensee can apply the self-exclusion solely to the brand where the request was made.
If the request has been made due to problematic gambling, the player must be self-excluded from all brands which the Licensee operates, irrespective of whether the player holds an account with that brand.
When players request a self-exclusion due to problem gambling issues, the Authority encourages Licensees to emphasise with players that they should also exclude any accounts they hold with all other Licensees, and that they make use of the available blocking software to prevent access to gambling sites.
Whilst there are no set timeframes which Operators must offer for a definite self-exclusion; the Authority encourages Operators to offer the below timeframes:
- 24 Hours
- 48 Hours
- 7 Days
- 30 Days
- 90 Days
- 180 Days
- 365 Days
Where a player applies multiple responsible gambling limits, the strictest limit must always take precedence.
For example, a player sets a €20 per day and a €40 per week wager limits.
On day 1, the player wagers €20, and is prevented from wagering any further (the strictest limit is applied).
On day 2, €18 is wagered. As this is below the €20 daily wagering limit, the player limit does not kick in and prevent the player from gambling further.
On day 3, despite the customer having a €20 per day wager limit, the player can only wager €2, as combined throughout the week, the player would have wagered €40, and so this becomes the stricter limit which must be imposed.
If the player was to wager another €2 at any point during the week, they would now be prevented from wagering for the remainder of the week, as they would have triggered the stricter limit.
Should an Alternative Dispute Resolution (ADR) entity decide in favour of the player, the Operator has 20 days in which to comply with this decision.
Operators are required to fully comply with any decision given by their Alternative Dispute Resolution (ADR) entity.
Failure to fully comply with a decision given by an ADR entity may result in enforcement action being taken against the Operator.
Operators licensed by the MGA are required to engage an Alternative Dispute Resolution (ADR) entity to manage disputes escalated externally, prior to going live with operations.
Failure to engage and maintain an ADR entity whilst operating may result in enforcement action being taken against the Operator.
The sub-section ‘Protection of Player Funds’ is clearly stated under the Gaming Player Protection Regulations.
It highlights the importance of player funds being kept segregated and remaining separately identifiable at all times whereby the Authority may, at its sole discretion, exercise viewing rights over the common account of player funds.
Where a player feels aggrieved by a decision or other action of the authorised person, they shall be able to make a complaint to the authorised person and, in the event that they are not satisfied by the response of the authorised person, the player may (with the handed procedure by the authorised person) refer such complaint and all relevant facts to the Authority’s Player Support Unit or to another Alternative Dispute Resolution (ADR) entity.
Authorised persons offering a gaming service shall make readily available to players the applicable procedure for making a complaint to the authorised person.
a. Authorised persons offering a gaming service shall, upon receipt of a complaint made by a player who makes or has made use of their gaming service, immediately inquire into the complaint;
b. Authorised persons shall inform the complainant of the results of such inquiry within ten days from the date on which the complaint is received; Provided that where the nature of the inquiry is such that more time is necessary to complete it, such period may be extended by a further ten days; Provided further that where such extension is necessary, the player shall be informed within the first ten days from the date of receipt of the complaint that the authorised person shall be making use of such extension, and the reason or reasons why such extension is warranted.
A Recognition Notice is the process whereby an authorisation issued by another Member State of the European Union or European Economic Area, or a State which is deemed by the Authority to offer safeguards largely equivalent to those offered by Maltese law, is recognised as having the same effect as an authorisation issued by the Authority for the purpose of providing a gaming service, gaming supply in or from Malta. Once this is confirmed, the applicant is provided with a Recognition Notice Certificate, which needs to be maintained on a yearly basis.
It is highly important to report any suspicious sporting events to the relevant Sports Governing Body (SGB), in conjunction with the report being submitted via the Suspicious Betting Reporting Mechanism (some entities are affiliated with a betting monitoring body and hence a report to the SGB is done via said betting monitoring body). The Sports Betting Integrity department at the MGA always queries whether an operator has reported such an event to the relevant SGB.
Some operators do not find any issues in directly sharing betting data with the Sports Governing Bodies (SGB) requesting it directly from them. However, other operators may only accept to exchange that data via the regulator alone. Having said that, whenever the MGA corresponds a request for information (RFI) to the industry, the data being requested from the operators would then be transferred securely to the SGB only when an SGB submits a formal RFI to the MGA confirming that the data is being requested on the basis of an investigation into the potential manipulation of sports competitions.
In cases involving a participant breach but not necessarily entailing a suspicious event, only suspicious betting accounts falling within the remit of the MGA licence ought to be reported. However, if an event would be deemed suspicious due to activity emanating from such account holders, then the MGA would still require that it is notified of such an event (if the said event was offered to bettors falling within the remit of the MGA licence also).
When the Authority requests betting data, it is only requesting betting data of account holders that fall within the remit of the MGA licence. Therefore, when the MGA asks in the Industry Performance Returns (IPRs) how many suspicious accounts have been recorded, the MGA is only referring to those that fall under its remit.
To be able to access the portal and the Suspicious Betting Reporting Mechanism (SBRM), the Access Rights Administrator of the operator submitting the report must provide the necessary rights (of an Approver) to the individual accessing the SBRM.
For guidance on how to make use of the mechanism, the Authority has published a manual which acts as a point of reference when reporting suspicious betting activity to the MGA.
A detailed explanation regarding the suspicious behaviour noted should be given. All information that can be provided would be appreciated and would avoid any additional emails requesting further clarifications. B2C licensed operators should also communicate the relevant betting data falling under the MGAs remit at the reporting stage.
It is highly important to report any suspicious sporting events to the relevant Sports Governing Body (SGB), in conjunction with the report being submitted via the Suspicious Betting Reporting Mechanism (SBRM). However, whether an operator reports to an SGB or not, remains at the discretion of the operator. When submitting a report, it is highly important that the operator clarifies if such event was reported to the relevant SGB, in order for the department to determine whether the MGA should report it on their behalf.
When an operator submits a ticket via the MGA helpdesk, it would be beneficial for the operator to also inform the Sports Betting Integrity (SBI) department regarding the issue in question, since such tickets are handled by the MGA’s IT department, and the SBI department does not have visibility over such tickets. Hence, the SBI department will be in a better position with the operator to find an alternative working process until the issue is resolved.
Should it be the case that a licensed entity reports an event following a request for information (RFI) by the MGA, the Sports Betting Integrity (SBI) department would then kindly request the operator to report the relevant suspicious event/s via the MGA’s Suspicious Betting Reporting Mechanism (SBRM). Such operator should attach the relevant betting data requested in the formal RFI corresponded via the Enclosures section of the SBRM.
When an operator reports a suspicious event via the Suspicious Betting Reporting Mechanism (SBRM) and the Sports Betting Integrity (SBI) department requests the relevant betting data, the MGA expects the relevant betting data to be communicated via the SBRM. The MGA highlights the fact that at reporting stage, betting data is being requested to be provided via the SBRM if such betting data falls under the MGA’s remit. If not, clarification under which jurisdiction the relevant betting data falls under should be highlighted.
The MGA is alerting its licensees with any knowledge of suspicious betting activity, without revealing the source of the information. When receiving an alert, there is no need to revert with a reply should no suspicious betting activity be recorded on any of the events noted in the alert. If suspicious betting is recorded by an operator after receiving an alert, then the suspicious event in question is to be reported via the Suspicious Betting Reporting Mechanism (SBRM).
The alerting process is separate from the Request for Information process. When an alert is communicated, the MGA expects that licensees will be able to review (or re-review) the betting activity surrounding the event being indicated in the alert, as this will increase the odds of recognising any suspicious behaviour (if there is any). If suspicious betting is recorded by an operator after receiving an alert, then the suspicious event in question is to be reported via the Suspicious Betting Reporting Mechanism (SBRM).
With regards to the Request for Information process, the MGA sends a Request for Information when the Authority is officially requesting betting data (if the operator does indeed deem the event as suspicious). Therefore, in the Request for Information process, the MGA requires a reply informing it if suspicious activity was indeed recorded on such request or not before the set deadline is met.
The relevant betting data should be corresponded in the Enclosures section of the report via the Suspicious Betting Reporting Mechanism (SBRM) at reporting stage if such betting data falls under the MGAs remit. If not, clarification under which jurisdiction the relevant betting data falls should be highlighted.
Licensees that offer a gaming service (B2C) are to provide betting data in a spreadsheet file format (specifically “.xls”) so that it may be viewed using Microsoft Excel. If betting data is being requested after a Request for Information has been communicated, then the data requested needs to also be provided in the order as is requested.
Alerts are corresponded by the Sports Betting Integrity department with the Malta-licensed betting operators every Friday.
Sports Integrity related matters (including Alerts and Requests for Information) are corresponded with the licensee’s appointed Key Compliance and the relevant contact email of the departments designated to cater for sports integrity-related issues. Licensees who wish to include a department email address (not a personal address) should do so by informing the Sports Betting Integrity department on [email protected].
A ‘start-up’ undertaking shall mean a person who, at the date of the licence application, fulfils all of the following criteria:
a. A person has been established or operational in the same or a related sector for less than five (5) years;
Provided that, unless the business is operated in a different form, ‘established’ shall refer to the date of registration of a limited liability company, the date of the agreement establishing a partnership, the date of registration as a self-employed person, or as may otherwise be determined by the Authority.
b. In the case of a body corporate, that person has not yet distributed profits;
c. In the case of a body corporate, that person has not been formed through a merger or, if formed through a merger, all body corporates that formed part of the merger, satisfy, in aggregate, all the critical envisaged herein;
d. That person has not acquired the business as a going concern or, if so, the acquirer and the acquired both satisfied all criteria envisaged herein;
e. That person has generated actual revenue from the same, or a related, sector during the previous thirty-six months amounting to less than ten million euro (€10,000,000):
Provided that where the financial period cannot be determined or is not applicable, the previous thirty-six (36) calendar months shall be taken into consideration;
and
Provided that where the financial period cannot be determined, or is not applicable, the previous twelve (12) calendar months shall be taken into consideration;
f. That person is not part of, or controlled by, a corporate group whose actual revenue in the same, or a related sector within the previous thirty-six months exceeds ten million euro (€10,000,000): Provided that where the financial period cannot be determined or is not applicable, the previous thirty-six (36) calendar months shall be taken into consideration; and
g. That person is not subject to the requirement of a Government concession to offer the gaming service in accordance with the proviso to regulation 4 of the Gaming Authorisations Regulations;
Provided that in the case of a body corporate, if the person referred to in this sub-regulation has taken over the business from any person having a qualifying interest in the former, the provisions of this sub-regulation shall extend accordingly to the person having a qualifying interest in the applicant: Provided further that actual revenue referred to in paragraphs (e) and (f) shall be determined on the basis of generally accepted accounting principles and practice as defined in article 2(4) of the Compliance Act.
A person shall be deemed to be a start-up undertaking only upon the Authority’s confirmation, and the Authority shall be vested with discretion to determine whether a person is a start-up undertaking in terms of set regulations. Provided that the onus to prove that a person is indeed a start-up undertaking shall be vested in the same applicant.
Approved start-ups will benefit from a moratorium period of 12 months from the date of issuance of the licence in which they are exempt from paying Compliance Contribution although they are still required to submit the monthly player funds declaration. Annual Fixed licence fees will still be due.
Essential components are the:
- Components hosting Random Number Generators;
- Components hosting jackpots;
- Components hosting the games;
- Gaming database;
- Player database;
- Financial database;
- Control system; and
- Any other component which the Authority may deem to be critical.
Key Technical Setup is the technical infrastructure of a licensee, including all hardware and virtual machines in operation where the essential components are located.
Licensees may request the Authority’s approval to implement any changes within the essential components by submitting a Technical – Changes to Key Essential Components application through the Licensee Portal.
The Portal provides a dedicated dashboard that will give users the possibility to follow the status of their requests in real-time, ensuring efficiency and transparency.
Games, and/or their providers, which are not licensed by the MGA or a competent authority within the EU/EEA, but licensed and offered under the purview of other jurisdictions outside the EU/EEA, on the same website as the MGA-licensed operations, or linked therefrom, are not permissible.
Similarly, shared wallet setups with such non-EU/EEA licensed games, whether offered on the same or different domain or sub-domain name, are also prohibited.
The sandbox environment has been extended to 28 February 2023.
For the purpose of the sandbox regulatory framework, the exchange rate used shall be that of the VFA exchange designated by the licensee, which shall be declared by the licensee to the MGA.
Licensees may sell their custom tokens for fiat currency on their own platform, in order for players to make use of such tokens on the licensee’s platform itself, provided that the custom tokens may not be taken out of the licensee’s platform and any withdrawals are to be made in fiat currency after converting the custom tokens, on the licensee’s platform, at the same exchange rate at which they were acquired.
Exchanging between one VC and another shall not take place within the licensee’s ecosystem.
In accordance with applicable AML/CFT obligations, if control over the wallet cannot be verified, any pending transactions shall be logged, the licensee shall freeze the amounts, and:
- If a player claims to have deposited from such address within fifteen (15) days, or such longer period as the operator may stipulate in its terms and conditions, the amount may be assigned to such player’s account if control over the wallet is fully verified;
- If no player makes such claim, or control over the wallet is not successfully verified, the operator shall appropriate the funds and shall make use thereof for responsible gaming purposes.
The threshold triggering Customer Due Diligence obligations in terms of section 3.3.2 of the Implementing Procedures issued by the Financial Intelligence Analysis Unit (FIAU) for the remote gaming sector, shall be one hundred and fifty euro (€150). Where smart contracts are used to automate withdrawals, verification shall be fully completed before any wager may be made.
Licensees are required to maintain player-specified limits for fiat currencies. In the case of VFAs, licensees are required to incorporate a separate player-specified ceiling for Virtual Financial Assets (VFAs) that is distinct from the fiat currency limit.
Throughout the duration of the sandbox and without prejudice to limits required in terms of Part V of the Player Protection Directive (Directive 2 of 2018), licensees may not accept deposits in VFA by a player exceeding the equivalent of one thousand euro (€1,000) per month. Where a player elects to set a player-specified limit in accordance with the Player Protection Directive, the licensee shall give the player the option to set such limit both for fiat currency and for VFAs.
Players depositing in Virtual Currencies (VC) need to complete the verification process within thirty (30) days of the first deposit.
The wallet address shall form part of the player’s registered identity with an operator, and the player’s control over such wallet shall be verified prior to any deposit being made from it.
Following the verification of control over the wallet prior to the player’s first deposit, there may be instances where the wallet address is changed due to, inter alia, security-related reasons. In such cases, the verification of the player’s control over such wallet shall be carried out on a risk sensitive basis, in accordance with the applicable AML/CFT obligations.
The documentation that needs to be submitted is listed in sections 6 and 7 of the System Documentation Checklist.
Licensees may wish to make use of third-party service providers that accept Virtual Financial Assets (VFAs )from players, whilst allowing the operator itself to deal solely in fiat currency. In accordance with the VFA Act and the subsidiary legislation issued thereunder, such service providers shall require a VFA licence.
Any licensee that wishes to obtain an approval shall apply in the following manner, through the Licensee Portal:
(i) Prospective licensees need to apply for an approval to accept DLT assets and, or use innovative technology arrangements as part of a ‘New Licence Application’;
(ii) Existing licensees can apply for approval for the acceptance of DLT assets through the application type ‘Operational – Payment Methods’; and additional currencies can be added under the already approved payment method with the application type ‘Updated Documentation’.
(iii) Existing licensees can apply for an approval for the use of innovative technology arrangements through the application type ‘Technical – Changes to Key Essential Components’.