Licence Application Document Pack: What MGA, UKGC, and AGCO Reviewers Actually Read First
Know which documents MGA, UKGC, and AGCO reviewers scrutinise first, and why incomplete packs stall or kill applications before substantive review begins.
Licence application packs for the Malta Gaming Authority, UK Gambling Commission, and AGCO (Ontario) are not evaluated in the order you submit them. Each regulator has a fixed internal triage sequence: certain documents are read before anything else, certain deficiencies halt the review entirely, and certain policy submissions are effectively pre-screened against known failure patterns. Understanding that sequence matters more than perfecting the formatting of a cover letter.
This article maps what each regulator reads first, which document categories generate requests for information most frequently, and what operational teams must have ready before submission to avoid a stalled or rejected application. It draws on the UKGC’s Licence Conditions and Codes of Practice (version effective 6 April 2026), MGA Directive 3 of 2018 (Gaming Authorisations and Compliance Directive, version 2, October 2021), the MGA Compliance Audit Manual (MGA/G/001), the AGCO Registrar’s Standards for Internet Gaming, and the AGCO Internet Gaming Go-Live Compliance Guide.
What Triggers an Immediate Completeness Check: The Pre-Screening Layer
All three regulators apply a completeness check before substantive review begins. Failing that check does not mean a review has started and paused. It means the review has not started at all.
The MGA is the most explicit about its process. Under the MGA Licensee Portal workflow, an application receives a preliminary check as soon as it is submitted. Any incomplete application is set to a one-time “incomplete” status and the applicant has 60 days to resubmit in full. If the application is not resubmitted within that period, it is rejected and closed. The MGA’s FAQ documentation confirms this expressly: “If the application is not re-submitted in full within this period, the application will be rejected and closed off.” The 90-day go-live clock, which runs from licence issuance, cannot begin until the application clears this gate, making early completeness critical for any operator with a launch deadline.
The UKGC operates through its eServices digital portal. The Commission has consistently stated through its Licensing, Compliance and Enforcement Policy Statement that it will prioritise applications that are complete and accurate at submission. Incomplete applications may be returned or lead to extended processing times without any clock-stop obligation on the Commission.
AGCO’s approach is particularly consequential because incompleteness at the registration stage has a downstream effect the other jurisdictions do not share. Under the Registrar’s Standards for Internet Gaming, the Registrar may refuse registration outright if the applicant is carrying on activities that would be in contravention of the Standards if the applicant were registered. The refusal is not a delay. It is a substantive decision requiring a fresh application.
Key Threshold: MGA incomplete applications have a 60-day cure window. After that, the application is closed and fees are not refunded. Build your submission to be complete at first submission, not complete after queries.
Fit and Proper: The Gating Review Across All Three
All three regulators assess the fitness and propriety of applicants, their ultimate beneficial owners (UBOs), and key personnel before any substantive evaluation of operational policies or technical architecture begins. The specific documentation demanded, and the committee structure reviewing it, differ materially across jurisdictions.
The MGA has a dedicated Fit and Proper Committee established by its Board. The Committee assesses whether applicants for an MGA licence are fit and proper persons, particularly from a criminal probity perspective, to be granted a gaming licence and authorised to conduct gaming business activities. The Committee determines which entities and personnel are subject to enhanced due diligence, decides whether existent licensees should continue to operate, and may impose licence conditions on its own initiative. The MGA Compliance Audit Manual (MGA/G/001) lists the documents the authority checks under this review: a copy of the corporate group chart confirming whether the MGA holds the latest version, verification that any parent entity exercises control over at least 90% of other group bodies as required under the Gaming Act (Cap. 583), and a full list of Key Persons with their Key Function assignments confirmed.
Under Directive 3 of 2018, Key Functions for a B2C gaming service licensee include the chief executive role, management of day-to-day gaming operations, compliance with obligations under the Gaming Act and binding instruments, legal affairs and contractual management, data protection, the prevention of money laundering and financing of terrorism, and internal audit. Each of these roles requires an individual Key Function Certificate from the MGA. Key Persons must be fit and proper not only at the time of the application but on an ongoing basis thereafter.
The UKGC’s suitability assessment runs through two instruments. For the operating licence itself, the Commission examines the applicant entity’s ownership structure under LCCP licence condition 15.2.1, which requires notification of any person or entity becoming a 5% or greater shareholder, controlling 5% or more of voting rights, or entitled to 5% or more of dividends. For large-scale non-remote and remote operating licensees, key persons holding “specified management offices” under LCCP licence condition 1.2.1 must hold personal management licences (PMLs). The specified offices include, among others, the individual with overall management responsibility for anti-money laundering compliance and for responsible gambling. The UKGC’s consultation response on financial key event reporting, published 18 December 2025, confirmed expanded requirements for licensees to report changes in ownership and interests, reflecting the complexity of modern global business structures. The 5-working-day notification deadline for key events applies from the date the licensee becomes aware of the event.
AGCO’s due diligence process operates through a dedicated Due Diligence Unit. Applicants engage the Unit directly at the start of the process. The background checks cover the company’s ownership structure, financial stability, key personnel, associated persons, and compliance history across other jurisdictions. Operators with enforcement actions, licence suspensions, or material AML failures in other markets face heightened scrutiny. The Registrar’s Standards for Internet Gaming confirm that registration may be refused if operation would contravene the Standards.
Source: MGA, Gaming Authorisations and Compliance Directive (Directive 3 of 2018, version 2, October 2021), Parts I and II, MGA Compliance Audit Manual MGA/G/001, UKGC LCCP, licence conditions 1.2.1 and 15.2.1 (version effective 6 April 2026); AGCO, Registrar’s Standards for Internet Gaming, Sound Control Environment and Third Party Management sections.
What Does a Reviewer Look for in a Business Plan?
All three regulators require a description of the applicant’s proposed business, but the weight each places on this document differs significantly from what operators typically assume.
The MGA’s Licensee Portal process requires applicants to submit a description of the gaming service or gaming supply they intend to provide, including the game types, target markets, and corporate structure. An MGA reviewer reading a business plan is looking for internal coherence: does the proposed AML risk appetite match the player base described? Does the described corporate structure match the group chart provided? Does the technology architecture support the regulatory data obligations the applicant is accepting? A business plan that reads like a pitch deck rather than an operational blueprint is the fastest route to an MGA request for information and a six-week delay.
The UKGC’s application guidance, reflected through the eServices portal, requires applicants to describe their proposed licensed activities and how they intend to meet each of the three licensing objectives: keeping crime out of gambling, ensuring fair and open play, and protecting children and vulnerable people. Reviewers at the Commission assess whether the business plan’s treatment of anti-money laundering, customer due diligence, and responsible gambling is proportionate to the stated business model. An operator proposing high-value slot-focused content targeting mass-market UK consumers must demonstrate in its plan, not in separate exhibits, how those product and demographic choices map to its proposed AML and customer interaction controls.
AGCO’s Registrar’s Standards for Internet Gaming embed the operational requirements that a business plan must satisfy. Standard 1.02 requires operators to develop, document, and implement formal control activities addressing each regulatory risk identified by the AGCO. The business plan, in the Ontario context, functions as the anchoring narrative for the Control Activity Matrix (CAM) that the operator must submit for go-live. Reviewers are checking whether the described controls are authorised at the appropriate level of management and whether the operator has articulated a process for periodically reviewing their effectiveness.
AML Policies: The Substantive Review That Determines Timeline
AML documentation generates more requests for information across all three regulators than any other category. The reason is consistent: applicants submit policy frameworks that describe AML obligations in general terms without mapping those obligations to the specific operational risk profile of their proposed business.
The MGA’s AML review operates under the Prevention of Money Laundering Act (Cap. 273 of the Laws of Malta) and the implementing procedures issued jointly with the Financial Intelligence Analysis Unit (FIAU). Directive 3 of 2018 requires that the person performing the key function of AML and counter-financing of terrorism must be named and must hold the relevant Key Function Certificate. The MGA Compliance Audit Manual confirms that auditors check whether the AML key person’s duties are in line with their level of authority, specifically through examining a sample of contracts, correspondence, access logs to front-end and back-end gaming systems, and their capability to extract gaming and monthly regulatory reports. An AML policy that fails to describe who has system access to extract regulatory data will be flagged at this stage.
The UKGC’s AML requirements flow from LCCP licence condition 12.1.1, which requires licensees to implement AML and counter-terrorist financing policies, procedures, and controls proportionate to their assessed risk. The Commission is the AML supervisory authority for the gambling sector in Great Britain. Application-stage AML documentation must address the specific risks the proposed business model creates: the game types offered, the payment methods accepted, the target geographies, and the customer demographic. A March 2026 reminder issued by the Commission ahead of Cheltenham Festival restated that all licensees must address money laundering and terrorist financing risks by following appropriate policies, procedures, and controls, and specifically referenced LCCP condition 15.1.2 (reporting suspicion of offences, betting licences) alongside condition 12.1.1. For remote casino applicants, LCCP condition 15.2.3 creates additional ongoing reporting obligations specific to casino operations.
In Ontario, AML for iGaming operators operates under FINTRAC’s requirements as a federal matter, while the AGCO’s Registrar’s Standards require operators to implement policies and procedures that identify, prevent, and minimise the risks of harm. iGaming Ontario, as the commercial counterparty under the Operator Agreement, has separate AML and financial reporting obligations that sit alongside FINTRAC. The AGCO Internet Gaming Go-Live Compliance Guide confirms that AML procedures must be in place and demonstrable before go-live clearance is granted, not merely described in the application.
For a detailed treatment of AML frameworks across licensed iGaming jurisdictions, including FINTRAC, FIAU, and transaction monitoring obligations, the AML and Financial Compliance hub sets out the supervisor-by-supervisor requirements in full.
Responsible Gambling Policies: Where Boilerplate Gets Applications Stalled
Responsible gambling policy submissions are the second most common source of requests for information at all three regulators. The failure pattern is almost always the same: the submitted policy describes regulatory obligations accurately but does not explain how the operator’s specific product offering, player acquisition model, or technology stack makes those obligations operational.
The MGA’s Player Protection Directive (Directive 2 of 2018) sets out the responsible gambling framework for B2C licensees. An MGA reviewer reading an RG policy is checking, at minimum, whether the self-exclusion procedures integrate with the national self-exclusion register applicable to the target markets, whether the customer interaction triggers are calibrated to the specific product types proposed, and whether the RG key function holder identified in the application has sufficient authority and system access to act on those triggers. Generic RG policies that list tools without explaining how the operator’s platform implements them generate immediate queries.
The UKGC applies its Remote Customer Interaction requirements under LCCP social responsibility code provision 3.4.3, which came into force in September 2023. Application-stage RG documentation must now demonstrate that the operator has a system capable of identifying customers displaying indicators of harm and triggering appropriate responses. Operators proposing to serve the UK market with high-engagement casino products must demonstrate product-specific risk calibration in their RG submissions. The Commission’s post-White Paper reforms have made the financial vulnerability check framework a close-scrutiny area: any applicant whose business plan describes VIP programmes or high-spend player segments must address this specifically in its RG policy submission.
AGCO’s Standard 2.01 requires operators to implement and follow policies that identify, prevent, and minimise the risks of harm from gaming. The Registrar’s Standards also mandate RG Check accreditation for Ontario operators, and the AGCO’s Centralized Self-Exclusion (CSE) programme, launching in 2026 with defined terms of six months, one year, and five years, requires mandatory operator participation. An application describing an RG programme without addressing CSE integration will not satisfy the current Standards.
For deeper reading on the responsible gambling obligations that underpin these policy requirements across all three jurisdictions, including self-exclusion register integration, deposit limits, and customer interaction frameworks, the Responsible Gambling Compliance hub covers each of the ten topic streams in detail.
Technical Architecture: The Document Category Most Applicants Under-Prepare
Technical architecture documentation is consistently under-prepared relative to what each regulator actually reads at the application stage.
The MGA’s Technical Infrastructure guidelines for remote gaming require applicants to provide a network schematic showing all hardware and virtual machines in operation, internal IP addresses, and the geographic locations of all premises where technical infrastructure hosting gaming systems, control systems, and regulatory data is located. Where any element is cloud-hosted, the MGA requires additional justification and, for critical components, confirmation of a private cloud environment not shared with other tenants. The MGA Compliance Audit Manual confirms that auditors subsequently check whether the licensee is actually hosting in the declared data centres and whether the application architecture in the MGA’s possession matches what is deployed. Applicants that submit a high-level system description rather than a detailed network schematic with IP-level detail will receive an immediate request for supplemental documentation.
The MGA also requires that regulatory data, including transaction logs, gaming data, and financial data, be replicated in real time to servers in Malta where primary hosting is outside the country. An application architecture that does not address data replication latency and confirm a live replication server in Malta will be queried before the technical review can proceed.
The UKGC addresses technical standards through LCCP licence condition 2.1.1, which requires that any operator adding or relocating key equipment to a different jurisdiction must apply to the Commission for a variation before the change is made. At the application stage, this means the technical submission must identify where key equipment is located and confirm that the proposed architecture does not require a variation to operate as described. For remote casino, bingo, and betting licences, the technical standards compliance obligation is ongoing, and the initial application establishes the baseline against which subsequent changes are measured.
AGCO’s go-live compliance requirements, as set out in the Internet Gaming Go-Live Compliance Guide, require a Technology Compliance Confirmation letter signed by the CEO or CCO (or equivalent) confirming that the operator’s technology complies with the applicable Standards. The scope must cover the entire technological solution, including the platform and underlying infrastructure, operating systems and databases, network devices, gaming software and other applications, all affiliated gaming-related supplier providers, and third-party technology integrations. For operators running critical gaming systems, the Control Activity Matrix must address all these technology layers with controls documented at the level required for independent audit.
MGA Data Replication Requirement: Where primary hosting is outside Malta, the MGA requires real-time regulatory data replication to a server in Malta. Applications that do not address replication latency and architecture will receive a request for supplemental documentation before technical review proceeds.
How the Three Reviewer Sequences Compare
| Document Category | MGA Review Sequence | UKGC Review Sequence | AGCO Review Sequence |
|---|---|---|---|
| Completeness check | Immediate, 60-day cure window, then rejection | Immediate, returned or delayed without clock-stop | Immediate, may result in registration refusal |
| Ownership / UBO disclosure | Fit and Proper Committee, enhanced CDD for complex structures | LCCP 15.2.1, 5% shareholder/voting-rights threshold | Due Diligence Unit, background checks on all key personnel |
| Key persons / management | Key Function Certificates required per Directive 3 of 2018 | Personal management licences for specified management offices (LCCP 1.2.1) | Key personnel reviewed during due diligence, ongoing suitability |
| Business plan | Coherence check against corporate structure and tech architecture | Must address all three licensing objectives with product-specific mapping | Anchors the Control Activity Matrix, must reflect actual control ownership |
| AML policy | FIAU joint framework, key function holder must have demonstrable system access | LCCP 12.1.1, risk-proportionate to product type, payment methods, and geographies | FINTRAC compliance + iGO Operator Agreement, must be operational before go-live |
| RG policy | Directive 2 of 2018, self-exclusion register integration and trigger calibration | LCCP 3.4.3, financial vulnerability checks for high-spend segments | Standard 2.01, RG Check accreditation + CSE integration required |
| Technical architecture | Network schematic with IP detail, Malta replication server confirmation | Key equipment location declared, variation required for relocation (LCCP 2.1.1) | Technology Compliance Confirmation letter (CEO/CCO sign-off); full-stack scope |
AGCO’s Dual-Authority Complication: Registration Is Not Go-Live Clearance
The AGCO registration process is structurally different from MGA and UKGC licensing in one critical respect: AGCO registration and completion of go-live compliance requirements do not, by themselves, authorise an operator to begin gaming operations. That authority rests with iGaming Ontario.
The Internet Gaming Go-Live Compliance Guide states this directly: “AGCO registration and successful completion of our go-live compliance requirements will not constitute permission for operators and their GRSs to begin gaming operations in Ontario’s igaming market. That authority rests with iGaming Ontario (iGO), the body responsible for conducting and managing internet gaming in Ontario, including establishing operating agreements with AGCO-registered operators.”
“Operators are expected to ensure that the Standards related to the operation of their gaming site are met, regardless of the entity that is carrying out the related activities.”, AGCO Registrar’s Standards for Internet Gaming
This creates a compliance obligation that runs across both authorities simultaneously. Operators must satisfy the AGCO’s Standards and complete the go-live compliance steps, including the Control Activity Matrix, the independent audit confirmation, the Technology Compliance Confirmation, and the Standards and Requirements gap analysis. They must also negotiate and execute an Operator Agreement with iGO, which incorporates all AGCO Standards by reference and adds commercial compliance obligations. A compliance team that focuses exclusively on AGCO registration without concurrent engagement on the iGO Operator Agreement will face a gap that cannot be closed quickly at go-live.
The AGCO’s Registrar’s Standards for Internet Gaming, Standard 1.02, require that substantial changes to the operator’s control environment be communicated to the Registrar in a timely manner. This obligation runs throughout the registration and go-live period, meaning that changes made to the proposed architecture, AML procedures, or responsible gambling tools during the review process must be reported, not silently incorporated.
Common Causes of Delayed or Stalled Applications
Across all three regulators, the patterns that stall applications are well documented through enforcement decisions, compliance audit findings, and regulatory guidance.
At the MGA, the Compliance Audit Manual records the specific checks that become live once a licence is granted, and those checks mirror what reviewers look for at the application stage. The most consistently flagged issues are: changes implemented by the applicant that were not notified to the authority as required under Regulations 36 and 37 of the Authorisations and Compliance Directive, key person contracts that do not reflect the level of authority ascribed to the key function role, and board governance structures that do not give the compliance function sufficient autonomy relative to the commercial function. Applicants should treat the MGA Compliance Audit Manual as a pre-submission checklist, not as a post-licensing document.
At the UKGC, applications most frequently generate requests for further information on three issues. The first is ownership transparency: the Commission’s December 2025 consultation response on financial key event reporting identified complex global corporate structures as a persistent challenge for licence oversight. Applicants with multi-layered holding structures spanning multiple jurisdictions must provide a clear group chart that traces decision-making authority to the operating entity. The second is AML proportionality: policies that describe general KYC procedures without calibrating thresholds, monitoring triggers, and escalation protocols to the specific product and customer risk profile are returned for amendment. The third is responsible gambling operational detail: the Commission expects to see how the proposed customer interaction system works in practice, not merely which tools are available.
At the AGCO, operators that have entered Ontario since the April 2022 market opening have encountered a consistent finding in the three years since launch: the dual AGCO/iGO compliance structure creates gaps that applicants do not discover until the go-live stage. The iGO Operator Agreement incorporates AGCO Standards by reference, which means any gap in the Standards compliance programme becomes simultaneously a regulatory deficiency and a contractual breach. Compliance teams entering Ontario should map obligations to source authority, AGCO Standard or iGO Agreement, at the document preparation stage, before the application is submitted.
The MGA’s Fit and Proper Committee may impose licence conditions on its own initiative and may recommend enforcement actions where it deems necessary, the committee’s scope extends beyond application review to ongoing regulatory oversight throughout the licence term.
Source of Funds and Financial Solvency: A Gating Document, Not an Afterthought
All three regulators treat evidence of financial solvency and legitimacy of funding as a gating condition, not a supporting document. An application that proceeds through fit and proper screening but cannot demonstrate that the proposed business is adequately funded from legitimate sources will be halted at the financial review stage.
The MGA requires applicants to provide evidence of sufficient financial resources to meet obligations to players and the authority. Where a bank guarantee is required under the licence type, the Compliance Audit Manual confirms that details of the bank guarantee are a live information item that auditors check throughout the licence term. Applicants must provide a complete group organisation chart showing all links, shareholdings, and funding flows, not merely a list of entities.
The UKGC’s LCCP licence condition 15.2.1 requires licensees to notify the Commission of any loan taken from a person not authorised by the Financial Conduct Authority, and a copy of the loan agreement must be supplied. This obligation applies from the date of licensing, but at the application stage it means that any non-FCA-regulated funding in the proposed capital structure must be disclosed, with documentation, before the application can be fully assessed.
AGCO’s Due Diligence Unit reviews financial stability as a component of its background check process. The AGLC Alberta market, which launches on 13 July 2026, provides a useful parallel: its registration roadmap treats financial stability and funding sources as a distinct due diligence category alongside corporate ownership and compliance history in other jurisdictions. Ontario’s equivalent scrutiny operates through the same Due Diligence Unit framework.
For operators comparing compliance obligations and costs across the UKGC and MGA in parallel with an application process, the UKGC vs MGA licence comparison sets out the structural differences in licensing architecture, fee obligations, and ongoing compliance requirements that inform which jurisdiction to prioritise.
Operators planning to enter Ontario should also review the AGCO registration requirements profile, which covers the dual-entity conduct-and-manage model, the Registrar’s Standards for Internet Gaming in full, and the iGO commercial framework in detail.
Source: UKGC, Licence Conditions and Codes of Practice, conditions 1.2.1, 2.1.1, 12.1.1, 15.2.1 (version effective 6 April 2026); MGA, Directive 3 of 2018 (Gaming Authorisations and Compliance Directive, v2 October 2021); MGA Compliance Audit Manual MGA/G/001 (August 2018); AGCO, Registrar’s Standards for Internet Gaming, AGCO, Internet Gaming Go-Live Compliance Guide.
Compliance officers preparing applications should consult qualified legal counsel in each target jurisdiction for advice on jurisdiction-specific application requirements and the interaction between the regulatory and commercial compliance layers. The obligations described here reflect the primary regulatory instruments in force as of the date of publication, regulators amend requirements periodically, and applicants should verify current versions directly with each authority before submission.
Key Resources
UKGC Licence Conditions and Codes of Practice (version effective 6 April 2026): gamblingcommission.gov.uk
MGA Gaming Authorisations and Compliance Directive (Directive 3 of 2018, version 2, October 2021): mga.org.mt/regulatory-framework/
MGA Player Protection Directive (Directive 2 of 2018): mga.org.mt/regulatory-framework/
MGA Compliance Audit Manual (MGA/G/001, August 2018): mga.org.mt/licensee-hub/
AGCO Registrar’s Standards for Internet Gaming: agco.ca/internet-gaming
AGCO Internet Gaming Go-Live Compliance Guide: agco.ca/internet-gaming
Matt Denney
Editorial · gamingcompliance.io
Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.
The Tuesday brief, every week.
One email. Every regulator change we surface, every standard we re-index, every enforcement decision we read. No marketing, no fluff.
Unsubscribe with one click. We'll never share your address.