MGA Player Protection Directive: Deposit Limits, Reality Checks, and Disclosure Requirements Under Directive 2 of 2018

Scope and Legal Basis

The Malta Gaming Authority issued Directive 2 of 2018, the Player Protection Directive, in exercise of the power conferred by article 7(2) of the Gaming Act, 2018 (Cap. 583 of the Laws of Malta). The directive came into force on 1 August 2018 and has since been updated; compliance teams should work from V3, dated January 2023, which is the operative version. The directive delineates in further detail the specific player protection requirements to which Authorised Persons must adhere, the MGA’s preferred terminology for licence holders.

The directive draws a clear structural distinction between B2C licensees, meaning persons licensed to provide or carry out a gaming service from Malta or to any person in Malta under regulation 3 of the Gaming Authorisations Regulations, and B2B licensees, meaning persons licensed to provide a critical gaming supply. The substantive player-facing obligations fall primarily on B2C licensees. B2B licensees carry supporting obligations where their game engines or technical supply interact with player-facing controls. Compliance officers at B2B suppliers should not read “B2C-focused” as meaning the directive is irrelevant to their certification obligations; game engine design choices can directly affect whether a B2C licensee can meet its requirements.

Gambling History: What Must Be Available and When

One of the directive’s foundational disclosure requirements concerns gambling history. The directive defines this term specifically: it includes total deposits, withdrawals, win/loss transactions, and total net position, calculated as of 1 August 2018 or such earlier date as the licensee may elect to offer. The practical significance of that date anchor is that licensees cannot retrospectively claim an inability to provide historical data simply because their systems predated the directive; the obligation to surface this data runs from the regime’s commencement.

The MGA Compliance Audit Manual (MGA/G/001, August 2018, v1) confirms the auditor’s expectation in section 6.7.8, which instructs auditors to check that gaming transaction history and financial transaction history, including total deposits, withdrawals, win/loss transactions, and total net position, are readily available to players. This formulation means the data must be accessible to the player on demand, not merely held in back-end logs. Licensees operating account interfaces that bury transaction history behind multiple navigation steps should assess whether that presentation genuinely makes history “readily available” in the MGA’s sense.

“Gambling history includes total deposits, withdrawals, win/loss transactions and total net position, as of the 1st August 2018 or such earlier date as the licensee may wish to offer.” : MGA Player Protection Directive 2018, V3 January 2023, article 3(2).

Reality Checks: The Session Information Obligation

The directive requires B2C licensees to provide players with session information and reality check functionality. In practice, the requirement addresses both the content of the check and its timing relative to gameplay. A reality check must surface at minimum the elapsed session time and relevant account position information, presented in a manner that gives the player a genuine opportunity to reflect on their activity before continuing.

Implementation details matter here. The MGA Compliance Audit Manual section 6.7.1 requires auditors to check that an auto-updatable player account balance is displayed at all times together with the relevant currency selected by the player. This is a continuous display obligation, not a check triggered only at intervals. The balance display requirement exists alongside, rather than as a substitute for, discrete reality check prompts. Licensees that rely solely on a persistent balance indicator without implementing scheduled or configurable reality check interruptions should review their compliance position carefully.

In practice, operators should ensure that reality check settings, once configured by the player, persist across sessions where technically feasible. Where persistence is not technically achievable, the player must receive clear information explaining that they will need to reconfigure the check at each login. This implementation principle mirrors the approach in the UKGC’s Remote Gambling and Software Technical Standards (RTS 13B), which, while not directly applicable to MGA-licensed operations, reflects industry consensus on what a functionally adequate reality check looks like. Licensees should note the distinction between these frameworks and ensure their MGA compliance analysis is grounded in the directive rather than the RTS.

Deposit Limits: Defaults, Surfaces, and Prompt Obligations

Directive 2 of 2018 requires B2C licensees to offer players the ability to set deposit limits. The directive addresses both the existence of the limit mechanism and the obligation to surface it at appropriate points in the player journey. A deposit limit tool buried in account settings accessible only to determined players does not satisfy the directive’s player protection intent.

The directive’s requirements interact with broader MGA expectations around responsible gambling tools being actively promoted rather than passively available. Compliance teams implementing or reviewing their deposit limit interfaces should assess: whether limits are prompted at registration, whether the tool is accessible within a defined number of clicks from the account homepage, whether decreases to limits take effect immediately or after a cooling-off period, and whether increases are subject to a delay to prevent impulsive upward revision.

Disclosures During and After Registration

The directive imposes disclosure obligations that extend beyond transaction history. B2C licensees must ensure players are informed of responsible gambling tools available to them, the risks associated with gambling, and how to access support services. The MGA’s Commercial Communications Committee Guidelines (March 2019, v1) reinforce these obligations in the context of marketing, requiring that responsible gaming messages accompany commercial communications and that a web portal devoted to responsible gambling be clearly accessible.

Section 3.1 of the Commercial Communications Committee Guidelines requires that responsible gaming messages be included in commercial communications and be legible and prominent. Section 3.2 requires that a link to the licensee’s responsible gambling web portal be included. These obligations are distinct from, but operationally connected to, the in-product disclosures required under Directive 2 of 2018. Licensees should ensure their compliance review covers both instruments together, as an audit finding in one area often signals a gap in the other.

During gameplay, the directive requires that currency amounts relating to deposits, withdrawals, wagers, and winnings are quoted in the currency symbol the player is using. The Compliance Audit Manual section 6.7.7 confirms this as an active audit check. Licensees offering multi-currency accounts or currency conversion features must ensure the displayed amounts always reflect the player’s chosen currency rather than a base currency maintained internally.

Problem Gambling Detection: Tools and Documented Procedures

Directive 2 of 2018 requires B2C licensees to implement mechanisms for the detection of problem gambling, not merely to offer self-exclusion as a reactive tool. The MGA Compliance Audit Manual section 6.9.2 instructs auditors to assess whether the licensee has analytical tools and behavioural monitoring systems in place to detect and identify players with problem gambling, and whether documented procedures exist for the identification, detection, and actions to take with respect to such players.

The practical implication is that an undocumented or informal intervention process will not satisfy the requirement. Licensees need a written procedure that specifies: the behavioural indicators or data signals that trigger a review, the responsible function within the business that receives and acts on those alerts, the response options available including contact, limit imposition, and referral to support services, and the record-keeping obligations that attach to each intervention. Absent documented procedures, an MGA compliance audit in this area is likely to return a finding regardless of how sophisticated the underlying detection system is.

Auditors are instructed to “Indicate whether the Licensee has analytical tools and/or behaviour monitoring systems in place to detect and identify players with problem gambling” and to confirm that “procedures on the identification, detection, and actions to take with respect to problem gamblers are in place.” : MGA Compliance Audit Manual MGA/G/001, section 6.9.2.

Protection of Minors and Vulnerable Players

The directive, supported by the Compliance Audit Manual, requires B2C licensees to maintain policies and procedures specifically addressing minors. Section 6.8.1 of the Compliance Audit Manual requires that the licensee has a policy preventing minors from registering. Section 6.8.2 requires that players affirm legal age before registration. Section 6.8.3 extends this to procedures preventing minors who have nonetheless registered from making further use of the gaming service, including the return of deposited and wagered funds and the confiscation of winnings in such cases.

Critically, section 6.8.4 of the Compliance Audit Manual requires auditors to check that the licensee is not offering credit or loan services to players. This is an absolute prohibition under the MGA framework and sits alongside the prohibition on encouraging players to cancel pending withdrawal requests. Section 6.7.11(d) of the Compliance Audit Manual makes explicit that the licensee shall not attempt to encourage players to cancel a withdrawal request once made. Licensees whose retention strategies include any mechanic or communication that could be construed as discouraging withdrawal should seek legal review of those practices against the directive.

Player Funds Protection and Withdrawal Restrictions

The directive, read alongside the Compliance Audit Manual, imposes strict constraints on how licensees may handle player funds. Section 6.7.9 of the Compliance Audit Manual specifies that player funds can only be used by the licensee to: debit for a wager made by the player; deduct fees specified in the terms and conditions; and confiscate winnings or apply penalties in situations identified within the terms and conditions. Any use of player funds outside these three categories represents a breach of the framework.

Player funds must be remitted by no later than five working days, per section 6.7.10 of the Compliance Audit Manual. Withdrawal restrictions must be specified in the terms and conditions or on a dedicated webpage, and auditors expect withdrawal limits to be reasonable and typically not below €250/month. Deposited money is not subject to restrictions except where there are documented AML concerns. Licensees operating bonus structures that impose wagering requirements on deposits rather than on bonus funds should review whether those structures remain compliant with the restriction on treating deposited money as subject to withdrawal limitations.

Operational Implementation Priorities

For B2C licensees reviewing their compliance position against Directive 2 of 2018 (V3, January 2023), several implementation priorities stand out. First, the gambling history disclosure obligation is longitudinal: it runs from August 2018 and must be maintained in a player-accessible format. Data architecture decisions that make this history unavailable or difficult to retrieve are a compliance risk. Second, reality check and session information tools must be active and surfaced, not merely available. Third, problem gambling detection must be supported by written procedures specifying triggers, responsible functions, and record-keeping, not just technology.

Licensees should also note that the MGA Compliance Audit Manual functions as the primary lens through which the authority’s auditors assess directive compliance. Mapping internal controls directly to the audit manual’s checklist sections gives compliance teams a structured gap analysis framework. Where internal policies exist but are not documented in a form that survives audit scrutiny, the operational risk remains even if the technical capability is present.

Compliance officers and legal counsel should be aware that this article reflects the directive as published and the audit manual as available in the corpus. The MGA publishes updates to directives and guidance through its official portal. Given that Directive 2 of 2018 has already been revised to V3, further amendments are possible. Qualified legal counsel with current MGA practice knowledge should be consulted for jurisdiction-specific application, particularly where the licensee operates across multiple jurisdictions with overlapping or conflicting player protection requirements.

Key Resources

MGA Player Protection Directive 2018 (Directive 2 of 2018), V3 January 2023 : primary instrument governing all B2C player protection obligations under the Maltese gaming framework. Available via the Malta Gaming Authority official portal at mga.org.mt.

MGA Compliance Audit Manual (MGA/G/001), August 2018 v1 : the authority’s internal audit framework, providing the checklist criteria against which licensee compliance is assessed. Published by the MGA and available via mga.org.mt.

MGA Commercial Communications Committee Guidelines, March 2019 v1 : governs responsible gambling messaging in commercial communications and the requirement for a dedicated responsible gambling web portal. Available via mga.org.mt.

Gaming Act, 2018 (Cap. 583 of the Laws of Malta) : the primary legislative instrument under which the MGA issues directives, including Directive 2 of 2018. Available via the official Maltese legislation portal at legislation.mt.