MGA AML Requirements: Malta’s Casino Due Diligence Framework Explained
MGA licensees face a dual AML supervisory structure spanning the PMLA, FIAU Implementing Procedures, and a €2,000 deposit-monitoring threshold. Here is what your compliance function must implement.
Malta Gaming Authority licensees operating casino or other Type 1, 2 and 3 game verticals carry AML obligations that sit across two distinct regulatory layers: the MGA’s own supervisory programme and the Financial Intelligence Analysis Unit’s Implementing Procedures. Those two layers interlock in a specific way. The MGA acts as an agent of the FIAU under the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR), which means a documented deficiency in a licensee’s AML programme can trigger coordinated scrutiny from both authorities simultaneously. This article maps the operative obligations, the key thresholds systems must capture, and the developments that will reshape Malta’s AML baseline through the remainder of 2026.
The Legal Architecture: PMLA, PMLFTR, and the MGA-FIAU Split
The Prevention of Money Laundering Act (Cap. 373 of the Laws of Malta), together with the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR), forms the primary legislative foundation. The MGA’s AML mandate flows from its designation under the PMLFTR as supervisory authority over both land-based and remote gaming. In that role, the MGA is treated as an agent of the FIAU, extending the FIAU’s reach into the gaming sector without requiring the FIAU to supervise each licensee directly.
The MGA monitors licensee compliance with the PMLA, the PMLFTR, and the FIAU’s Implementing Procedures, and reports non-compliance to the FIAU. The FIAU Implementing Procedures are themselves legally binding instruments issued under Regulation 17 of the PMLFTR. Part I applies across all sectors, Part II contains sector-specific requirements for the remote gaming sector and for land-based casinos respectively. Licensees must read both parts together, not Part II in isolation.
The Gaming Act (Cap. 583 of the Laws of Malta) reinforces this structure through Directive 2 of 2018 (Player Protection Directive) and Directive 3 of 2018 (Gaming Authorisations and Compliance Directive). Directive 2 explicitly defines “AML legislation” as the Prevention of Money Laundering Act and all regulations, guidance and any other instrument issued thereunder, making clear that player-facing obligations and AML obligations are not separate compliance workstreams. A single transaction or player account can engage requirements under both directives simultaneously.
Source: Malta Gaming Authority, Anti-Money Laundering function page, mga.org.mt, MGA Directive 2 of 2018 (Player Protection Directive), Part I, Prevention of Money Laundering Act, Cap. 373, Laws of Malta.
Which Licensees Are In Scope?
The MGA’s AML/CFT obligations apply to B2C licensees offering Type 1, Type 2, and Type 3 games. B2B licensees providing critical gaming supply are not directly subject to the PMLA in the same way, but they can be drawn into scope where their operational role gives them control over or access to player transaction data. Compliance teams at B2B suppliers cannot assume they are entirely outside the framework, the substance of the relationship with the B2C licensee determines the analysis.
For B2C licensees, the obligations apply regardless of whether the player is resident in Malta or accessing the service from another jurisdiction. The territorial scope of the PMLA follows the licensee’s authorisation, not the player’s country of residence. This has practical consequences for risk-rating: a player from a FATF high-risk jurisdiction accessing an MGA-licensed casino from abroad carries the same elevated ML/TF risk classification as they would under any EU fourth-directive framework. The full licensing framework within which these AML obligations sit is covered in the MGA standards explorer.
What Does the Business Risk Assessment Require?
The business risk assessment (BRA) is the foundational document from which every other AML control derives its proportionality. The MGA requires licensees to complete a BRA to understand the ML/TF risks and vulnerabilities specific to their business model before devising a Customer Acceptance Policy (CAP) or drafting AML/CFT policies and procedures. A CAP written without a completed BRA lacks the risk rationale that an auditor will need to verify.
The BRA must be a living document. Licensees must update it when there are material changes to the business, including new markets, new payment methods, new game verticals, or structural corporate changes. The MGA has signalled in its 2026 Supervisory Engagement Efforts publication that it applies a risk-based, evidence-led approach to supervision. A BRA last updated two years ago is unlikely to withstand scrutiny where the operator has since onboarded crypto payments or expanded into new jurisdictions.
Customer Due Diligence: Registration, Verification, and the €2,000 Threshold
The MGA Compliance Audit Manual (MGA/G/001, v1, August 2018) sets out the procedural standards against which appointed auditors assess CDD. At registration, a licensee must collect the player’s date of birth, full name and surname, permanent residential address, and a valid email address or other remote contact means. A player must not be permitted to begin gaming before their email address or other contact means has been verified, and the back-office system must be able to display the verification status of each player account.
The deposit monitoring obligation is specific and must be built into the transaction monitoring system. The Compliance Audit Manual requires systems to flag a player’s cumulative deposits when the total equals or exceeds €2,000. That threshold can be applied on a daily basis, taking into account all deposits since the establishment of the business relationship, or on a rolling 180-day period. Whichever method is adopted must be documented in the funds management procedure.
“Check that the system is able to flag a deposit, if the total accumulation of deposits equals or exceeds €2,000, which value can be calculated either on a daily basis taking into account all deposits effected by a customer since the establishment of the business relationship, or on the basis of a rolling period of 180 days.”
Source: MGA Compliance Audit Manual, MGA/G/001 v1, August 2018, section 6.18.3.
On withdrawals, the manual requires auditors to verify that, absent exceptional circumstances, the licensee remitted funds to the same account from which they were deposited. Directive 2 of 2018 confirms this in operational terms: where return to the originating account is not possible, the licensee must apply AML legislation to determine the appropriate withdrawal route. Departures from the return-to-source requirement demand documented justification, as the restriction directly targets the layering stage of money laundering.
Player Risk Profiling and Source of Wealth Checks
How Risk Profiles Are Built
The Customer Acceptance Policy must specify which player categories present higher than average ML/TF risk, the risk indicators that support a low, medium, or high classification, and the level of CDD, including ongoing monitoring, to be applied at each tier. The manual explicitly requires auditors to verify that enhanced due diligence is being carried out on high-risk players, and that source of wealth and source of funds information is being requested for those players.
Customer risk factors that elevate ML/TF risk in the gaming context include: players with multiple or irregular income streams, politically exposed persons (PEPs), high spenders whose declared income is inconsistent with their wagering volume, players using multiple payment methods or accounts, and players from higher-risk geographic jurisdictions. None of these factors is individually determinative. The obligation is to apply a combined assessment that reflects the actual risk profile of the relationship.
Source of Wealth and Source of Funds
The distinction between source of wealth and source of funds is operative, not cosmetic. Source of funds refers to how the funds for a particular transaction were obtained. Source of wealth refers to the origin of the player’s total asset base. For high-risk players, both must be established. For lower-risk players, a declaration from the player with basic details of employment or business may suffice where the overall risk assessment supports that approach, but where doubts exist as to the veracity of self-declared information, independent and reliable documentation is required.
The Compliance Audit Manual’s audit checklist (section 6.17.12) treats source of wealth verification as a discrete procedural requirement for high-risk profile players. It sits alongside the general KYC procedure as a separate documented step, not embedded within it. Licensees that conflate the two in their procedures risk an audit finding that source of wealth checks are not being conducted at the appropriate trigger point.
PEP Controls
The manual requires auditors to verify both that the licensee has controls in place to detect PEPs among its player base and that enhanced due diligence is actually being conducted on identified PEPs (section 6.17.11). Detection capability is necessary but not the end of the obligation. The EDD applied to a PEP must be documented and must be commensurate with the heightened risk that PEP status presents. Where a PEP is identified, senior management approval to commence or continue the business relationship is a standard FIAU expectation under the relevant implementing procedures.
The MLRO: Appointment, Registration, and Responsibilities
Every B2C licensee must appoint a Money Laundering Reporting Officer (MLRO) of sufficient seniority and command. The MLRO carries primary responsibility for analysing unusual or suspicious activity and transactions, and for filing Suspicious Transaction Reports (STRs) with the FIAU where there are grounds to do so. The role is not delegable to a junior compliance officer. The MGA requires sufficient seniority because the MLRO must have the authority to act on their analysis without needing to escalate for approval before filing.
The MLRO must be registered with the FIAU and approved as a Key AML Function by the MGA. Both registrations are prerequisites, not post-appointment formalities. Auditors testing section 6.19.5 of the Compliance Audit Manual will verify FIAU registration status, assess whether the MLRO is knowledgeable of the licensee’s AML, KYC, and funds management procedures, and determine whether staff across the business are engaged in detecting ML activity and escalating suspicions to the MLRO.
Licensees must also track whether the MLRO has ever filed an STR with the FIAU. A licensee that has processed thousands of transactions over several years but whose MLRO has never filed an STR is likely to prompt questions about whether the transaction monitoring programme is calibrated to detect suspicious activity or merely generating noise that goes unanalysed. To ensure your MLRO function is audit-ready and aligned with current MGA expectations, consult your compliance team against the Compliance Audit Manual’s section 6.19 standards and consider engaging with the MGA system audit requirements resource for a complete technical audit readiness assessment.
Key Requirement: The MLRO must be registered with the FIAU and approved as a Key AML Function by the MGA before taking up the role. Retroactive registration is not compliant with the MGA’s appointment requirements under the Prevention of Money Laundering and Funding of Terrorism Regulations.
Ongoing Monitoring: Transactions, Crypto, and Cash Controls
Ongoing due diligence requires licensees to scrutinise transactions throughout the business relationship to ensure they are consistent with the licensee’s knowledge of the player, including, where necessary, the player’s source of funds. Where transactions are not consistent with the expected pattern, the licensee must investigate and, where appropriate, file a report to the FIAU. The prohibition on tipping off applies: where a licensee suspects ML or TF and believes that conducting further CDD would alert the player, it may forego the CDD step and file directly.
For 2026, the MGA has identified two AML-adjacent thematic reviews as supervisory priorities. The first covers internal control frameworks around the use of cash and cash equivalents within the online gaming industry. The second covers internal control frameworks around the use of crypto assets. Both thematic reviews reflect the MGA’s observation that licensees’ treatment of these payment channels shows inconsistency, and the regulator will be looking for documented policies, transaction monitoring parameters, and evidence that controls are operating as designed, not just as written.
The crypto asset review is particularly significant. The MGA has operated a DLT sandbox and permanent DLT policy since 2018 that requires virtual asset operators to meet AML, KYC, audit, and game-fairness standards. For licensees that accept cryptocurrency deposits, the 2026 thematic review will test whether the controls applied to crypto transactions are equivalent in rigour to those applied to fiat transactions, including whether enhanced scrutiny is triggered for the anonymity characteristics that certain crypto assets present.
FIAU Reporting: STRs, the Reporting Channel, and Tipping-Off
Suspicious Transaction Reports must be filed with the FIAU through the designated reporting channel. The MLRO is the point of filing. Internal suspicions raised by employees must be escalated to the MLRO, who then determines whether the threshold for filing is met. The standard is reasonable suspicion, not certainty. Employees who raise concerns and then observe that no STR is filed should have access to a mechanism to escalate that concern independently of the MLRO where they believe the failure to file is itself a compliance failure.
Player collusion is treated as a discrete AML risk requiring specific procedural controls. Where the gaming vertical makes collusion possible, primarily poker and other player-versus-player formats, licensees must monitor chat rooms, apply automated alarms for suspicious play patterns, and detect indicators such as players with the same IP address, related surnames, or geographic proximity who consistently play against each other in tournaments. Licensees that permit fund transfers between player accounts face an additional burden: they must have a procedure specifically designed to prevent ML through that feature, and auditors will test it (Compliance Audit Manual, section 6.19.9).
AMLA and the Incoming EU AML Framework
The EU Anti-Money Laundering Authority (AMLA) is now the central factor shaping the medium-term trajectory of Malta’s AML framework for gaming. On 21 April 2026, the MGA published notice of a roundtable organised by AMLA, focusing on non-financial sectors including gaming, ahead of a public consultation scheduled for summer 2026. The roundtable, held on 4 May 2026, sought feedback from EU-level trade associations on AMLA’s proposed risk assessment methodology under Article 3(3) of the AML Regulation (AMLR).
Separately, the MGA has notified licensees of three open public consultations launched by AMLA on draft Regulatory Technical Standards. These cover customer due diligence requirements under Article 28(1) of the AMLR, criteria for identifying business relationships and occasional and linked transactions under Article 19(9) of the AMLR, and the reporting of material weaknesses under Article 53(10) of the Sixth Anti-Money Laundering Directive (AMLD6). The gaming sector falls explicitly within the non-financial obliged entity scope of the AMLR, making these RTS directly applicable to MGA-licensed B2C operators once finalised.
“These consultations represent an important legislative stage for the gaming sector, particularly because AMLA is now consulting on the non-financial sector, which includes the gaming sector.”
Source: Malta Gaming Authority, notice on AMLA public consultations on draft Regulatory Technical Standards, mga.org.mt, MGA notice on AMLA Roundtable on AML Risk Assessment Methodology, 21 April 2026.
The current FIAU Implementing Procedures remain operative in full. When AMLA’s RTS are finalised, expected through late 2026 and into 2027, they will impose directly applicable EU-level CDD and threshold standards that will modify the Maltese implementing framework. Licensees that track only the MGA and FIAU channels risk missing the AMLA developments until they are already in force.
How Does Malta’s Framework Compare to Other EU Supervisory Models?
Malta’s MGA-as-FIAU-agent structure is one of several approaches adopted across EU gaming jurisdictions. The UK Gambling Commission, now outside the EU, operates as an independent AML supervisor with enforcement powers directly over licensees. A full treatment of how the two regimes differ on costs, obligations, and supervisory philosophy is available in our UKGC vs MGA 2026 licence cost comparison. The UKGC’s June 2026 AML warning to operators underscored the risk of overreliance on automated systems and the need for documented human oversight of AI-generated Suspicious Activity Reports, a concern with direct parallels in the MGA’s own risk-based supervision model.
Within the EU, Spain’s SEPBLAC acts as the dedicated AML supervisor for gaming operators, while the Netherlands’ FIU-NL receives suspicious transaction reports under the WWFT. Malta’s FIAU-agent model means the MGA carries more of the supervisory burden than many national gaming regulators do in isolation. That integration between the gaming regulator and the financial intelligence function is a structural feature of Maltese law, not an administrative arrangement that can change without legislative amendment.
Operators comparing jurisdictions should note that this dual-authority structure is both a risk and an asset. The risk is that an AML breach is visible to both the MGA and the FIAU simultaneously. The asset is that the MGA’s direct coordination with the FIAU means sector-specific guidance is more granular and operationally developed than in jurisdictions where the gaming regulator refers AML matters to a financial authority with limited gaming expertise.
Audit Readiness: What the MGA Compliance Audit Manual Tests
The Compliance Audit Manual (MGA/G/001) remains the operative audit framework. Appointed auditors test AML controls across sections 6.17 through 6.19 of the manual, covering KYC procedures, funds management, and MLRO operations. For a detailed mapping of how the manual structures technical and organisational controls beyond the AML scope, see our article on MGA system audit requirements, which covers the technical infrastructure obligations that sit alongside the AML controls tested in a compliance review.
The auditor’s primary tests on AML include: obtaining and reviewing the KYC procedure and funds management procedure, testing that the back-office system can display identity verification status for each player, checking that the deposit monitoring threshold triggers as specified, sampling at least 30 withdrawals to verify the return-to-originating-account requirement, checking PEP detection and EDD controls, verifying source of wealth requests for high-risk players, reviewing MLRO registration status and STR history, and assessing the adequacy of player collusion controls where applicable.
The Compliance Audit Manual states explicitly that the listed procedures are not exhaustive. Auditors must exercise professional judgement and develop additional tests where the risk profile of the specific licensee warrants it. A licensee with a high concentration of players from FATF high-risk jurisdictions, or one that accepts virtual assets, will face more extensive testing than the manual’s baseline procedures alone would suggest.
| AML Control Area | Manual Reference | Key Requirement |
|---|---|---|
| KYC Registration Data | Section 6.17.3 | Date of birth, full name, address, verified email or remote contact |
| Deposit Monitoring Threshold | Section 6.18.3 | System flag at €2,000 cumulative (daily or 180-day rolling) |
| Withdrawal Source Controls | Section 6.18.4 | Return to originating account unless not possible, documented exception |
| PEP Detection and EDD | Section 6.17.11 | Detection controls in place, EDD verified for identified PEPs |
| Source of Wealth (High Risk) | Section 6.17.12 | Requested and documented for high-risk profile players |
| MLRO Registration | Section 6.19.5 | Registered with FIAU, approved Key AML Function by MGA |
| STR Filing History | Section 6.19.7 | MLRO must have mechanism to report to FIAU via STR where grounds exist |
| Player Collusion Controls | Section 6.19.8 | Automated alarms, IP monitoring, chat room oversight where applicable |
Enforcement Context and Supervisory Direction
The MGA Enforcement Register shows that the most common grounds for cancellation of authorisation are non-payment of licence fees and compliance contribution fees, rather than AML-specific breaches. That pattern does not mean AML enforcement is absent. Fee non-payment is the easiest breach to document and the most commonly pursued through formal cancellation proceedings. AML and player protection failures tend to surface through administrative fines and directed remediation rather than outright cancellation, but those actions are also recorded in the Enforcement Register and carry reputational consequences for operators active across multiple jurisdictions.
The MGA’s 2026 supervisory direction is clear: the Authority applies a risk-based, evidence-led approach structured around compliance, player protection, and sports betting integrity as its three core themes. Within the compliance theme, the thematic reviews on cash and crypto controls signal that the MGA expects to find gaps. Licensees that have not reviewed their virtual asset controls since the 2018 DLT policy, or that have not documented their cash-equivalent treatment since Malta’s National Risk Assessment 2023, are the likely subjects of those thematic engagements. Operators should consult qualified Maltese legal counsel to assess current gaps against both the existing FIAU Implementing Procedures and the incoming AMLA RTS before the summer 2026 public consultation period closes.
Key Resources
Malta Gaming Authority, Anti-Money Laundering function page: mga.org.mt/function/anti-money-laundering/, the operative landing page for MGA AML supervision, including links to FIAU Implementing Procedures Parts I and II.
MGA Compliance Audit Manual (MGA/G/001, v1, August 2018): mga.org.mt, the primary document against which compliance auditors assess AML, KYC, and funds management controls. Obtained from the MGA’s Guidance Notes/Publications page.
MGA Directive 3 of 2018, Gaming Authorisations and Compliance Directive: Available at mga.org.mt/app/uploads/Directive-3-of-2018-Gaming-Authorisations-and-Compliance-Directive.pdf, covers MLRO obligations and suspicious betting reporting under Regulation 43.
MGA 2026 Supervisory Engagement Efforts: mga.org.mt/news/mga-enhances-regulatory-oversight-and-outlines-2026-supervisory-priorities/, the Authority’s 2026 thematic review agenda, including cash and crypto AML controls.
AMLA Roundtable on AML Risk Assessment Methodology (April 2026): mga.org.mt/news/amla-roundtable-on-aml-risk-assessment-methodology-registration-now-open/, the MGA’s notice of the AMLA non-financial sector consultation process and the draft RTS consultations on CDD and linked transaction thresholds.
Prevention of Money Laundering Act (Cap. 373, Laws of Malta): legislation.mt, the primary legislative instrument underpinning the entire AML framework applicable to MGA licensees.
Matt Denney
Editorial · gamingcompliance.io
Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.
The Tuesday brief, every week.
One email. Every regulator change we surface, every standard we re-index, every enforcement decision we read. No marketing, no fluff.
Unsubscribe with one click. We'll never share your address.