All 52 Maltese standards,
organised by theme

Key functions may only be provided by natural persons, each holding a certificate of approval issued by the Authority. A person lacking the certificate may exercise a key function only on a temporary basis (max one calendar month, renewable with MGA approval) where extenuating circumstances prevent the approved holder from acting; the Authority must be notified within 24 hours.

At application stage the licensee notifies the MGA of the CEO, Compliance Officer, and (where applicable) the MLRO. The remaining key function holders must be notified within six (6) months of the licence being issued. When a key person resigns or is dismissed, the MGA must be notified within three (3) working days, and the replacement within fifteen (15) working days.

Remote B2C licensees must appoint key persons responsible for: (a) chief executive role; (b) day-to-day gaming operations, including finance, payments and anti-fraud; (c) compliance with all MGA obligations, including responsible gaming, player support, marketing, and sports integrity where applicable; (d) legal affairs, including dispute resolution; (e) data protection and privacy; (f) the prevention of money laundering and terrorist financing; (g) technological affairs, including back-end, control systems and network security; and (h) internal audit.

A key person must notify the Authority within three (3) working days of any circumstance that may render them not fit and proper (including conviction of any offence punishable by imprisonment above one year), any circumstance affecting a licensee for which they act, their own resignation or dismissal, and any other matter the key person believes the Authority should be aware of.

Per the MGA Policy on Eligibility and Ongoing Competency Criteria for Key Persons, key persons must complete minimum annual CPD hours: 5 hours for the CEO key function and 10 hours for Key Operations, Key Compliance, Key Legal, Key Privacy, MLRO, CTO and Internal Audit.

The licensee must at all times maintain up-to-date documentation of its key technical setup, including hardware (make/model/location), virtual machines (identifiers/location), network connections, firewall/router specifications, and all installed applications with specifications.

Changes to the key technical setup must be notified to the MGA. Changes to essential components require prior written approval; only in case of urgency may a change be made first and notified within 72 hours. Audit logs of any changes must be retained for not less than two (2) years.

The key technical setup must be located in Malta or another EU / EEA Member State, unless the MGA on a case-by-case basis authorises another location offering equivalent safeguards. Hardware must reside in premises adhering to a high level of information security. The licensee must maintain a live or real-time mirror server for essential regulatory data, accessible to the Authority at all times including by physical access where applicable.

Essential components include RNG hosts, jackpot hosts, game hosts, gaming/player/financial databases, the control system, and any other component the MGA deems critical. Licensees must file a risk assessment addressing loss of governance, inadequate maintenance, cloud-data leakage, insecure storage, data-erasure failures, unauthorised data access, unreliable APIs/isolation failure, and denial of service. The assessment must be continuously updated.

A B2C licensee adding a game to an already-approved vertical using an already-approved RNG and game engine must notify the MGA within five (5) days (notification not required where the game is sourced from a pre-existing authorised game provider relationship). A new RNG, new game engine, or a new gaming vertical requires prior written MGA approval and payment of the administrative fee.

Approval applications must include documents and certification as required by the MGA. The Authority may require an audit for a new vertical, or certification for a new RNG/engine. Updating or changing critical elements of a game (including the RNG or any part of the game engine) requires prior MGA approval and may include re-certification.

A licensee takes responsibility for third parties to whom it outsources any aspect of its licensed activities. A critical gaming supply must be obtained only from providers in possession of a B2B licence or recognition notice; a material gaming supply only from providers with a material supply certificate or MGA case-by-case approval. Non-regulated outsourcing contracts must bind the provider to behave as if subject to the same regulatory instruments as the licensee.

A service provider that manages a website or gaming premises on behalf of a B2C licensee is deemed to act for and on behalf of the licensee, who is responsible for the provider’s actions. Where such a provider enters into contractual agreements with players directly or handles registration plus deposits and withdrawals, it is presumed to require its own gaming licence unless it is proven that those functions are solely to facilitate the B2C licensee’s service.

A B2C licensee may not permit gaming without a registered player account. At minimum the licensee must collect name and surname, date of birth, and permanent residential address (plus email / remote-means contact for remote licensees; ID copy and photograph for gaming-premises operators). Data must be verified and due diligence performed in line with AML legislation. Licensees must detect identical or similar player details, and same IP/device/SIM registrations, before activating an account.

Where the licensee allows a player to hold more than one account, it must ensure holistic activity monitoring across accounts, application of RG limits across accounts (unless restricted to a specific game/vertical), self-exclusion across all accounts, anti-collusion controls, and aggregated observation of triggers for customer interaction.

B2C licensees must conduct ongoing monitoring of their players for fraud, money laundering and the financing of terrorism, in the manner required by AML legislation and their own risk management policies.

Terms and conditions must clearly define the circumstances in which an account becomes inactive and the consequences. The licensee must notify the player at least thirty (30) days before inactivity, including the option to withdraw. Fees may only be charged on a non-negative balance, never during self-exclusion, and never to accounts excluded by the operator without justification. Where the licensee cannot refund the remaining balance, acquisitive prescription can only prevail after a final notice and a minimum five (5) year wait, and appropriated funds must be used for responsible-gaming endeavours.

A B2C licensee offering services online must prominently display licensee details and contact information, a sign that underage gaming is not permissible, an RG message that gaming can be harmful if uncontrolled plus information on player-support measures, the MGA identifier/dynamic seal, a clear notice where regulated and non-regulated games coexist, and, following registration and before the first deposit, information about the available responsible-gaming tools.

Online licensees must provide, on the homepage or the player-account interface, a link referring the player to one or more problem-gambling support organisations. All required information must be available in any language in which the licensee markets its services, and every licensee website must at minimum be available in English or Maltese.

T&Cs must be fair in terms of the Consumer Affairs Act, available pre-registration, no more than one click away for remote services, and written in clear language. Only one version of the T&Cs may apply to the licensed service at any point in time, per brand. Material changes must be notified to players, expressly accepted before continued play, and notified to the MGA within 30 days. A change is material if it alters rights/obligations, licensee powers/liability, the structure of a game, the player’s chance of winning, a progressive-jackpot termination, or the player’s personal data.

Game rules must be readily available, one click away from the web page where the game is played for online licensees, and available pre-first-wager for other remote channels. Rules must be in plain intelligible language and describe the various ways the player can win or lose and the prize payable.

Information about any commission or fee held or charged by the licensee must be made readily available to players in plain language, in the T&Cs and on every deposit and withdrawal page.

Every B2C licensee must at all times make available a self-exclusion procedure allowing definite or indefinite exclusion. Online licensees must place the facility no more than one click from the RG information page. An account-closure or permanent-closure request must be treated as a self-exclusion request where the player so indicates.

A self-exclusion can only be removed on the expiry of the set duration or on the player’s written request with an explanation. The B2C licensee has discretion to accept or reject the request based on its own policies, must respond within seven (7) days, and must remind the player of the available RG tools if it accepts. A decrease or revocation is effective only after 24 hours (definite) or 7 days (indefinite) from the day the licensee accedes.

Individuals not previously registered who contact the licensee to be excluded from future gaming must not be allowed to register or play until they revoke the request in writing. Circumvention attempts by an already-excluded individual are taken into account in any MGA investigation. Records of a player’s self-exclusion must be retained at least for the duration of the self-exclusion and thereafter as long as necessary to maintain a complete RG profile.

An exclusion must not preclude the player from withdrawing remaining funds. The withdrawal process must be clearly described in the T&Cs. Licensees that automatically remit player funds on exclusion are deemed compliant.

Licensees must implement effective RG policies and maintain evidence that they are followed. They must deploy effective detection measures, analytical tools, behaviour-monitoring systems with pre-designed/evolving parameters, and customer-facing / RG staff, to identify problem gambling and at-risk behaviour, and must take effective steps to address it.

The criteria used to meet article 17(1) must, at minimum, include: (a) amount and frequency of deposits/wagers; (b) use of multiple payment methods; (c) reversal of withdrawals pending processing; (d) communication indicators such as increased complaints and bonus requests; and (e) use of responsible-gaming tools. Policies must govern the triggers for staff intervention, information nudges, imposition of limits, and exclusion of the player.

Licensees must ensure that staff responsible for RG-related matters and player interaction are properly and routinely trained in RG procedures. Training must cover the recognition of agitation, distress, intimidation, aggression and other indicators of a gambling problem. Records of training completion and testing must be kept and produced on MGA request.

For repetitive random-outcome games played against the house, remote licensees must offer a time-alert facility delivered by pop-up message. The pop-up must suspend play, display time spent, amount wagered and win/loss, require the player to acknowledge, and offer a choice to continue or end the session. Account balance must be visible at all times on screen. Players must be able to access the immediately preceding six (6) months of gambling history, with entire history available on request.

Licensees must retain records of all player interactions as a clear, detailed audit trail, and make it available to the Authority on request. Records must be kept for at least two (2) calendar years from the last interaction, without prejudice to AML legislation.

Any no-stake version of a licensed game must retain the same technical conditions as the corresponding authorised game. Where a gaming service uses in-game digital currency, the real monetary value must be made clear at every deposit, in every game-history report, and in every statistic requested by the player.

B2C licensees must offer players the possibility to set deposit limits and/or wagering limits. Optionally, loss limits and time or session limits may also be offered. Bonuses and incentives need not count towards wagering-limit calculations.

Following registration and before first deposit, online B2C licensees must ask the player whether they wish to set the limits in article 14(1). The facility must remain available at any time. Non-online remote licensees must ask at registration and make the facility available on request.

Any limit implemented under the Directive may only be removed on the player’s request or on expiry of the set duration. Tightening a limit or extending it takes effect immediately on receipt by the licensee. Relaxing or removing a limit takes effect only after a 24-hour cooling-off period.

An online B2C licensee offering games that use repetitively generated random selection must pay out on average at least eighty-five per cent (85%) of money wagered (or any higher percentage set by licence condition). The MGA may calculate the RTP across a category of similar games and over a calendar-year period unless otherwise specified. Licensees must monitor RTP; where the games are hosted by an authorised B2B, the B2B may fulfil this obligation.

The Authority may require a testing-lab certificate confirming compliance with the Directive and any standards adopted by the Authority. Certificates from EU / EEA testing labs, or from MGA-approved/recognised jurisdictions, may be accepted. B2B-certified games do not require re-certification when resold to a B2C licensee. Certification may be waived where the nature of the game makes a certificate unattainable.

The Authority may audit, inspect or monitor a licensee, require RTP reports over specified periods or plays, and request any other information or tests. The Authority is further empowered to require a licensee to withdraw the offering of any non-compliant game to any player or any other licensee.

B2C licensees must have and implement policies and procedures to prevent minors from using the gaming service or holding an account. Players must affirm they are of legal age before playing. Where a minor nevertheless plays, the licensee, upon becoming aware, must prevent further use, return the minor to pre-play state, refund monies wagered and confiscate winnings.

B2C licensees must ensure that any imagery depicting illicit substances does not feature in their games or anywhere in their website design.

Licensees shall not offer credit services to any player. Licensees shall neither participate in, arrange, permit nor knowingly facilitate the giving of credit in connection with gaming.

A licensee must remit credit standing on a player’s account within five (5) working days of the request, where practicable, and where possible directly to the originating account. The licensee may take reasonably necessary time for identity verification, security procedures, rules enforcement, and AML due diligence.

Where the 5-day rule is not practicable, the licensee must not impose unreasonable withdrawal restrictions: any restriction must take into account the amount and the total time to withdraw, and the monthly limit may never be less than €250. Money in the player’s account that constitutes their own deposits may not be subject to a withdrawal restriction. Money subject to an outstanding withdrawal request may not be wagered; and any licensee attempt to encourage cancellation of a withdrawal request is prohibited.

Player funds may be held in licensed credit, financial or payment institutions approved by the MGA, within Malta or in other EU/EEA / MGA-approved jurisdictions. Balances must be withdrawable at any time. The licensee must authorise the institution to disclose any information to the MGA on request. The MGA may impose additional risk-based safeguards including trusts, bank guarantees and reserve accounts.

Player funds constitute the separate and distinct patrimony of the players and are not the licensee’s funds. The licensee’s creditors have no claim on the player-funds account. The balance of the player-funds account (including funds in transit) must at any time be at least equal to the aggregate of player-account credit, with at least ninety per cent (90%) sitting in the account balance itself and the remainder covered by funds in transit; any shortfall must be made good from the licensee’s own funds forthwith.

B2C licensees must maintain a player-support function with enough resources to interact with players efficiently. Remote licensees must offer at minimum email and telephone channels; premises operators must additionally offer an in-premises designated person. A written complaints procedure must be made available and included in the T&Cs. Disputes not resolved to the player’s satisfaction must be referable to a registered ADR entity, with the ADR entity’s details disclosed in the procedure. ADR decisions must be reported to the MGA in the format and within the timeframe the Authority may specify.

Licensees must notify the MGA forthwith, and in any case within thirty (30) days, of: any investment other than share subscription; any loan other than from an EU/EEA-licensed credit institution; matters significantly affecting financial standing (winding-up petitions, administration, receivership, bankruptcy); defaults on loan repayments; changes to accepted payment methods; non-essential technical-setup changes; criminal investigations or prosecutions; foreign gaming-licence applications and awards; changes to previously submitted information; and any other matter materially affecting the gaming service or compliance.

Licensees must notify the MGA forthwith, and in any case within three (3) working days, of: changes in direct or indirect qualifying shareholding; material litigation and its outcome; information-security breaches affecting player-data confidentiality; information-security breaches denying player-account access for more than 12 hours; foreign refusals or suspensions of a gaming licence; removal of a channel of delivery or a gaming vertical; and the resignation, dismissal, or change of any key-function holder.

Prior written MGA approval is required to make any of the following changes: changes to player-funds accounts or other player-funds-protection measures; adding a new channel of delivery; adding a new gaming vertical; adding new gaming premises; adding a new live-casino studio; changes to essential components; and changes to directors or equivalent persons. B2B licensees additionally need approval to cross between game provider and back-end service provider categories.

B2C licensees must provide a monthly player-funds report in the format established by the Authority, due no later than twenty (20) days after the end of the reporting month. The MGA may extend this obligation to B2B licensees that hold player funds (e.g. pooled jackpots).

Licensees must submit signed interim management accounts for the first six months of their financial year by the last day of the eighth month of that year. Audited financial statements prepared under IFRS must be filed within 180 days of year-end. Remote B2C licensees must present the player-funds account balance separately under Cash-and-Cash-Equivalents, include player funds under Trade-and-Other-Payables, include auditor reasonable-assurance on Gaming Tax and Licence Fees compliance, and an auditor letter of comfort confirming player-fund, jackpot-fund and Malta-licence portions.

Licensees providing a gaming service or critical gaming supply relating to betting on sport or sporting events must notify the Authority of any instance of suspicious betting, and of circumstances that may lead to bets being voided on suspicion of event manipulation.