MGA Mandatory Spend Limits: Platform Build Requirements and the Compliance Contribution Connection
MGA Directive 2 of 2018 mandates specific spend-limit tools on every B2C platform. Here's what your tech stack must build, and why compliance contribution exposure makes failures expensive.
Every MGA B2C licensee must build a specific set of player spend controls into its platform as a condition of authorisation under the Player Protection Directive (Directive 2 of 2018). The directive, now at Version 3 (January 2023), is the operative instrument. It sets the mandatory minimum toolkit, defines the technical behaviour those tools must exhibit, and draws a clear line between what Authorised Persons must offer and what remains encouraged but not compelled. According to the MGA’s published Supervisory Engagement Efforts, enhanced oversight of player protection measures is identified as a named priority, making the platform implementation of these controls a live enforcement focus, not a background obligation.
This article maps the mandatory spend-control requirements under Directive 2 of 2018, the platform-level technical obligations attached to each tool, and the compliance contribution arithmetic that makes non-compliance disproportionately expensive for mid-to-large operators.
What the Player Protection Directive Actually Requires
Directive 2 of 2018 applies to all B2C licensees operating under the Gaming Act (Cap. 583 of the Laws of Malta). Authorised Persons are required to offer players a minimum of one spend-control tool from the following pair: a deposit limit or a wagering limit. The directive does not require both simultaneously, but the MGA’s published FAQ guidance makes the Authority’s preference explicit.
“The Player Protection Directive (Directive 2 of 2018) mandates that either [deposit limits or wagering limits] be offered to players, however, the Authority encourages Operators to offer both limits.”
Reality checks are a separate, independently mandatory requirement. They cannot be treated as a substitute for deposit or wagering limits, nor can their presence on a platform satisfy the spend-control obligation on its own. Authorised Persons must implement all three categories: at least one spend limit type, reality checks, and self-exclusion. Platforms missing any of these fail the minimum threshold regardless of what other responsible gambling tools they offer.
Beyond the mandatory minimum, the directive encourages Authorised Persons to offer loss limits (a cap on the amount lost within a defined period), session time limits, and time-out functionality for periods between 24 hours and 30 days. These remain recommended rather than required, but the MGA’s supervisory framework signals that the Authority is moving toward evidence-based assessments of whether the recommended tools are being offered in practice. Compliance teams should treat the encouraged tools as the expected standard rather than an optional enhancement.
Mandatory minimum under Directive 2 of 2018: Self-exclusion (definite or indefinite), at least one of deposit limits or wagering limits, and reality checks. Each must be readily accessible and functional at all times. Platforms missing any of these three categories are in breach of the directive.
How Deposit Limits and Wagering Limits Differ in Practice
The operational distinction between a deposit limit and a wagering limit matters for platform architecture. A deposit limit caps the total funds a player can transfer into their account over a defined period: daily, weekly, or monthly. A wagering limit caps the total staked across wagers over the same time frames, regardless of the current account balance.
The two controls intercept player spend at different points in the session flow. Deposit limits operate at the payment gateway layer; wagering limits operate within the gaming engine itself and require integration with the bet acceptance system. Platforms offering only deposit limits cannot prevent a player with an existing account balance from wagering beyond what they would otherwise have been able to deposit. Platforms offering only wagering limits leave open the possibility of large lump-sum deposits that fund sustained play just beneath the wagering cap.
The MGA’s FAQ guidance articulates the mechanics when both types are active simultaneously. Where a player holds both a deposit limit and a wagering limit and those limits conflict, the stricter of the two applies. The guidance gives a concrete example: a player with a weekly deposit limit of €40 and a wagering limit of €2 per wager who has already wagered €38 that week may not accept a new wager, because the combined effect of their remaining deposit headroom and their wagering limit produces the lower effective cap of €2. Platforms must implement logic that evaluates both limit types in parallel and enforces whichever produces the more restrictive outcome.
Platform-Level Technical Requirements for Spend Controls
The directive’s technical requirements for limit implementation derive from both Directive 2 of 2018 itself and the MGA’s Technical Infrastructure guidelines for Remote Gaming. Taken together, they impose the following obligations on the platform:
Limit reductions must take effect immediately upon player request. There is no permitted delay between a player requesting a lower limit and the platform enforcing that lower figure. Any architecture that queues or batches limit updates introduces a gap during which the player may exceed the intended cap, which constitutes a breach.
Limit increases are subject to a mandatory waiting period before they take effect. The platform must not apply an increased limit at the moment of the player’s request. The waiting period allows the player to reconsider and is a non-negotiable design constraint. The directive does not prescribe a specific cooling-off duration for limit increases in the same granular way that some jurisdictions do, but the intent is a minimum of 24 hours between request and activation, consistent with industry standard implementation across comparable regulatory frameworks.
Self-exclusion cannot prevent fund withdrawals. Where a player self-excludes from gaming, the platform must disable access to gaming services while keeping the withdrawal pathway active. Any technical design that freezes funds or requires customer support intervention to process a withdrawal during a self-exclusion period fails this obligation. Version 3 of the directive added specific provisions on this point, including an obligation on Authorised Persons to clearly delineate the withdrawal process during exclusion within their terms and conditions.
Multi-brand operators face an additional obligation. Where an Authorised Person operates multiple brands under separate registrations, and a player requests self-exclusion, the operator must enquire whether the exclusion should apply across all brands. The operator may apply an exclusion to the requested brand only, but where there are sufficient indications that the player may have problem gambling issues, the exclusion must be applied across all operated brands. The platform must support this cross-brand logic, which requires either a centralised account management layer or a defined API protocol between brand instances.
Source: Malta Gaming Authority, Player Protection Directive (Directive 2 of 2018), Version 3, January 2023, MGA Player Protection page at mga.org.mt/regulatory-framework/player-protection/.
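One way to implement the limit-change rules described above (reductions immediate, increases delayed, both timestamped), as an added example that is not taken from the directive or from any MGA material. The `LimitRecord` class, its field names and the 24-hour `INCREASE_WAIT` value are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from decimal import Decimal
from typing import Optional

# Assumption: 24 hours, the minimum the text above describes as the intent.
INCREASE_WAIT = timedelta(hours=24)


@dataclass
class LimitRecord:
    """One player's limit of one type, e.g. weekly deposit (hypothetical model)."""
    active: Decimal
    pending: Optional[Decimal] = None        # requested increase, not yet in force
    pending_from: Optional[datetime] = None  # scheduled activation time
    # Audit rows: (event, amount, logged_at, effective_at)
    audit: list = field(default_factory=list)

    def request_change(self, new_limit: Decimal, now: datetime) -> None:
        """Handle a player's request. `now` must be the server clock, never a
        client-supplied time, or the waiting period can be skipped."""
        if new_limit <= Decimal("0"):
            raise ValueError("limit must be positive")
        if new_limit <= self.active:
            # Reduction (or no change): enforce synchronously and drop any
            # queued increase so it cannot later override the lower figure.
            self.active, self.pending, self.pending_from = new_limit, None, None
            self.audit.append(("decrease", new_limit, now, now))
        else:
            # Increase: never applied at request time. A repeated request
            # restarts the wait instead of inheriting the earlier deadline.
            self.pending, self.pending_from = new_limit, now + INCREASE_WAIT
            self.audit.append(("increase_requested", new_limit, now, self.pending_from))

    def effective(self, now: datetime) -> Decimal:
        """Limit to enforce at `now`. Called on every deposit or wager check,
        so a matured increase is activated (and logged) on first use."""
        if self.pending is not None and now >= self.pending_from:
            self.audit.append(("increase_activated", self.pending, now, self.pending_from))
            self.active, self.pending, self.pending_from = self.pending, None, None
        return self.active


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamps
    rec = LimitRecord(active=Decimal("100"))
    rec.request_change(Decimal("250"), t0)
    print(rec.effective(t0 + timedelta(hours=1)))    # increase still waiting
    print(rec.effective(t0 + timedelta(hours=24)))   # increase now in force
    rec.request_change(Decimal("50"), t0 + timedelta(hours=30))
    print(rec.effective(t0 + timedelta(hours=30)))   # reduction applied at once
    for row in rec.audit:
        print(row)
```

Because the reduction path writes the new value in the same call that receives the request, there is no queue or batch window in which the old, higher limit could still be enforced.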
What the MGA’s Supervisory Priorities Signal for Spend-Limit Compliance
The MGA’s published supervisory priorities identify enhanced oversight of player protection measures as a named focus area within the player protection pillar.
The framework confirms that the MGA is applying a risk-based, evidence-led, and outcomes-focused approach. For compliance teams, this means supervisory activity will not be limited to reviewing whether the technical controls exist on paper. The MGA is assessing whether those controls are functioning as intended in practice, how operators respond when limits are triggered, and whether the responsible gambling framework is embedded into live operational processes rather than confined to policy documentation.
For spend-limit compliance specifically, this translates to three practical implications. The platform must be able to demonstrate that limit enforcement logic executes correctly under load and across all game types. The back-office must produce an auditable record of limit activations, changes, and enforcement outcomes linked to individual player accounts. And the compliance function must be able to show that exceptions, cases where a player sought a limit increase or modification, were handled within the required timelines with appropriate documentation.
The MGA’s supervisory framework signals a shift from checking whether the tools exist to verifying whether they are working as designed in live player journeys.
Authorised Persons who last reviewed their spend-limit implementation at the point of licensing, without subsequent technical testing against the current Version 3 requirements, carry meaningful supervisory risk in the current environment. The recommended remediation is a control-mapping exercise that tests actual platform behaviour against each provision of the directive, not a review of documentation alone.
Virtual Financial Assets and the Separate Spend-Limit Ceiling
Authorised Persons operating under the MGA’s distributed ledger technology sandbox, or accepting Virtual Financial Assets as a funding method under the relevant policy, carry an additional spend-control obligation. The platform must maintain a separate player-specified ceiling for VFAs, distinct from the fiat currency limit. During the sandbox period, the platform may not accept VFA deposits exceeding the equivalent of €1,000 per month from any individual player, without prejudice to the spend-limit requirements that apply under Part V of Directive 2 of 2018.
Where a player elects to set a player-specified limit in VFAs, that limit runs alongside, not in place of, the fiat currency limit. The platform must enforce both independently and apply the stricter in any scenario where the two interact. This creates a compound enforcement requirement for operators running multi-currency account architectures, because the PAM system must track two parallel limit pools per player account and resolve conflicts at the point of wager or deposit acceptance.
The Compliance Contribution Connection
The compliance contribution is a financial obligation payable by all MGA B2C licensees to the Authority on a monthly basis, calculated as a percentage of qualifying gaming revenue generated during the licence period. The rates are set out in the Gaming Licence Fees Regulations (S.L. 583.03) and are tiered by revenue band and game type. The contribution due is paid by the twentieth day of the month following the reference month.
| Game Type | Revenue Band | Contribution Rate | Annual Min / Max |
|---|---|---|---|
| Type 1 (casino / slots) | First €3,000,000 | 1.25% | €15,000 / €375,000 |
| Type 1 (casino / slots) | Next €4,500,000 | 1.00% | |
| Type 1 (casino / slots) | Next €5,000,000 | 0.85% | |
| Type 1 (casino / slots) | Next €7,500,000 | 0.70% | |
| Type 1 (casino / slots) | Remainder | 0.40% | |
| Type 2 (live casino / table games) | First €3,000,000 | 4.00% | €25,000 / €600,000 |
| Type 2 (live casino / table games) | Next €4,500,000 | 3.00% | |
| Type 2 (live casino / table games) | Next €5,000,000 | 2.00% | |
| Type 2 (live casino / table games) | Remainder | 0.40% | |
| Type 3 (poker) | First €3,000,000 | 1.25% | €25,000 / €500,000 |
The compliance contribution calculation is directly linked to gaming revenue. An operator whose platform fails to enforce spend limits correctly, and who therefore generates revenue from wagers or deposits that should have been blocked, faces two simultaneous risks. The first is enforcement action under Directive 2 of 2018 and the Gaming Compliance and Enforcement Regulations. The second is that the revenue generated by non-compliant transactions forms part of the gaming revenue base on which the compliance contribution is computed. In other words, the financial cost of non-compliance compounds: the operator faces a penalty exposure at the same time as having paid contribution on revenue it should never have generated.
According to MGA enforcement records, failures to pay compliance contributions have resulted in licence cancellations. Knockout Gaming Limited’s authorisation was cancelled effective 16 September 2020, with non-payment of compliance contributions standing at €20,044.35 cited as a breach of the Gaming Authorisations and Compliance Directive. DGV Entertainment Group Limited’s authorisation was cancelled after failing to pay both annual licence fees (€25,000) and compliance contribution fees. These decisions illustrate that the MGA treats financial compliance obligations, including contribution payments, as fundamental licence conditions, not administrative details.
For compliance teams at revenue-generating operators, the spend-limit platform build is therefore not a siloed responsible gambling task. A platform architecture that permits over-limit play creates revenue that feeds a higher compliance contribution calculation while simultaneously generating the evidence the MGA would use in an enforcement action. Properly functioning spend controls, tested against live transaction data, protect both the player and the operator’s financial exposure under the contribution regime.
Comparing the MGA’s Approach to Other Frameworks
The MGA’s spend-control model is operator-set and player-initiated: the directive requires the platform to offer the tools and to enforce the limits the player specifies, but does not impose regulator-set caps on all players as a default. This differs materially from the approach taken in several other regulated markets.
The UK Gambling Commission’s LCCP-based deposit-limit regime, updated in phases through 2025 and 2026 with the second phase extended to 30 September 2026, mandates gross deposit limits as the exclusive mandatory form, requires equal prominence given to deposit limits at onboarding, and standardises the terminology licensees must use. The UKGC approach is more prescriptive about form; the MGA approach offers the choice between deposit limits and wagering limits but with less standardisation on how those tools are presented.
Spain’s DGOJ is moving toward a regulator-administered cross-operator deposit cap through a draft decree under review by the EU TRIS procedure, with proposed daily limits of €700, weekly limits of €1,750, and four-week limits of €3,300. If finalised, this would represent a centralised model in which the DGOJ, rather than individual operators, holds and enforces the limit. That is a structural departure from both the MGA and UKGC operator-side models.
The MGA’s framework sits in a middle position: player-initiated limits, operator-enforced, with mandatory minimum tools but no regulator-set default caps applicable to all players. The MGA’s supervisory priorities signal increased scrutiny of whether the operator-side enforcement is genuinely effective, without yet indicating a move toward centrally administered limits of the type Spain is developing.
For MGA licensees also holding UKGC remote operating licences, the two frameworks create overlapping but not identical implementation requirements. Qualified legal counsel should be engaged to map the obligations across both regimes and identify any gap in current platform architecture, particularly around the display prominence and labelling requirements that differ between the two jurisdictions. A detailed breakdown of how the MGA’s overall regulatory structure compares to the UKGC’s is available in the MGA licence requirements profile, and cross-jurisdiction player protection controls are tracked at the Responsible Gambling Observatory.
Platform Build: A Minimum Compliance Checklist
Compliance teams building or reviewing their platform against Directive 2 of 2018 should structure their assessment around the following operational dimensions, drawn directly from the directive and the MGA’s published guidance.
Account registration flow: the platform must display a message before the first deposit explaining the available responsible gaming tools and limits. This is a pre-deposit obligation, not a post-registration disclosure. The message must be visible and include a direct path to the limit-setting interface.
Limit enforcement logic: the platform must enforce both deposit and wagering limits simultaneously where both are active, applying the stricter of the two at any given transaction point. The logic must operate across all game types and payment methods within the platform, including promotional balance and free-bet conversions where those can be wagered.
Limit change handling: a decrease in any limit must be implemented immediately with no lag period. An increase must not take effect until after the required waiting period. The platform must log the timestamp of both the request and the activation for each change, creating an auditable trail available to the MGA during a compliance review.
Reality check delivery: reality checks must be offered as a mandatory tool. The platform must present the reality check notification at the intervals selected by the player and must record player acknowledgements within the session log.
Self-exclusion mechanics: self-exclusion must be simple to initiate, must not involve any attempt by the operator to induce the player to continue, must be implemented immediately upon request, and must not prevent the player from withdrawing funds. Multi-brand operators must implement the cross-brand enquiry and extension logic described in the relevant provision of the directive governing self-exclusion across multiple brands.
VFA limit segregation: where VFAs are accepted, the platform must maintain a separate limit pool with the €1,000 monthly cap as the maximum during the sandbox period, independent of the fiat limit pool.
2026 supervisory focus: The MGA’s supervisory priorities identify enhanced oversight of player protection measures as a named focus area. Authorised Persons should expect thematic reviews to assess the functional effectiveness of spend-control tools, not merely their presence in platform documentation.
What “Enhanced Oversight” Means for Compliance Evidence
What documentation should MGA licensees prepare for a player protection review?
The MGA’s evidence-led approach means a compliance review in the player protection space will look beyond policy documents to operational data. Authorised Persons should maintain a control matrix mapping each obligation in Directive 2 of 2018 to the specific platform function that fulfils it, accompanied by testing records that verify those functions execute correctly under live conditions. Session logs showing limit enforcement events, change-request timestamps, and self-exclusion activations should be retrievable by player account ID within a timeframe consistent with the MGA’s audit information requests.
Internal audit programmes should include periodic live transaction sampling to verify that no wagers or deposits were accepted above a player’s active limit. A discrepancy between the limit recorded in the PAM system and the transaction log is the finding most likely to generate enforcement interest. Operators running third-party platform-as-a-service arrangements must confirm contractually and technically that the platform provider’s limit enforcement logic meets MGA requirements, because the regulatory obligation rests with the Authorised Person, not the technology supplier.
How does the compliance contribution change if spend-limit failures generate excess revenue?
Compliance contribution is calculated on gaming revenue actually generated, without a mechanism to exclude revenue generated through non-compliant transactions. If a platform accepts wagers above a player’s active limit and those wagers generate net gaming revenue, that revenue enters the contribution calculation at the applicable rate. The operator therefore pays contribution on revenue the platform should not have permitted, and simultaneously faces the enforcement risk of having allowed the over-limit activity. There is no regulatory offset, and a subsequent enforcement fine would add to the cost rather than replace it.
In practice, operators reviewing their spend-limit implementation should run a transaction audit against active player limits for the preceding 12-month period. Any identified over-limit transactions should be assessed with legal counsel to determine whether proactive disclosure to the MGA is appropriate, given the Authority’s published approach to enforcement and the principles it has set out in its Guiding Principles for the Application of Enforcement Measures.
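The transaction audit and live sampling described in the two answers above can be run as a replay of the transaction log against the limit history. The following is an added example, not MGA or operator code: the log layouts, the sample rows and the rolling seven-day reading of a "weekly" limit are all constructed assumptions.

```python
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta
from decimal import Decimal

WINDOW = timedelta(days=7)  # assumption: "weekly" means a rolling seven days

# Constructed limit history: (effective_at, player, kind, limit)
LIMIT_LOG = [
    ("2024-03-01T00:00:00", "P1", "deposit", "200"),
    ("2024-03-04T09:00:00", "P1", "deposit", "100"),  # reduction, in force at once
    ("2024-03-01T00:00:00", "P2", "wager", "50"),
]
# Constructed transaction log: (timestamp, player, kind, amount, accepted)
TX_LOG = [
    ("2024-03-02T10:00:00", "P1", "deposit", "80", True),
    ("2024-03-02T20:00:00", "P2", "wager", "30", True),
    ("2024-03-02T20:01:00", "P2", "wager", "30", False),  # correctly rejected
    ("2024-03-02T20:02:00", "P2", "wager", "20", True),
    ("2024-03-02T20:03:00", "P2", "wager", "5", True),    # should have been blocked
    ("2024-03-03T00:00:00", "P3", "deposit", "500", True),  # player set no limit
    ("2024-03-04T08:59:00", "P1", "deposit", "100", True),
    ("2024-03-04T09:05:00", "P1", "deposit", "10", True),   # after the reduction
    ("2024-03-12T10:00:00", "P1", "deposit", "90", True),   # earlier deposits aged out
]


def limit_at(history, ts):
    """Limit in force at ts, or None if the player had set none by then."""
    i = bisect_right([eff for eff, _ in history], ts)
    return history[i - 1][1] if i else None


def find_breaches(limit_log, tx_log, window=WINDOW):
    """Return accepted transactions that pushed a player's rolling total
    above the limit that was in force when the transaction was accepted."""
    limits = defaultdict(list)
    for eff, player, kind, limit in limit_log:
        limits[(player, kind)].append((datetime.fromisoformat(eff), Decimal(limit)))
    for history in limits.values():
        history.sort()
    accepted = defaultdict(list)  # (player, kind) -> [(ts, amount)]
    findings = []
    for ts_s, player, kind, amount, ok in sorted(tx_log):
        if not ok:
            continue  # rejected attempts moved no money and do not count
        ts, amt, key = datetime.fromisoformat(ts_s), Decimal(amount), (player, kind)
        accepted[key].append((ts, amt))
        limit = limit_at(limits[key], ts)
        if limit is None:
            continue
        total = sum(a for t, a in accepted[key] if ts - window < t <= ts)
        if total > limit:
            findings.append({"player": player, "kind": kind, "at": ts_s,
                             "amount": amt, "window_total": total, "limit": limit})
    return findings


if __name__ == "__main__":
    for f in find_breaches(LIMIT_LOG, TX_LOG):
        print(f)
```

Each transaction is judged against the limit in force at its own timestamp, so deposits accepted before a reduction are not flagged retroactively while the first deposit accepted after it is.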
For a broader view of how the compliance contribution sits within the MGA’s overall fee and tax structure, and how it compares to the UKGC’s statutory levy model, see UKGC vs MGA in 2026: Which Licence Actually Costs More to Maintain. For operators wanting to understand the full technical documentation and audit obligations attached to an MGA licence, see MGA System Audit Requirements: What Your Tech Stack Must Document.
Key Resources
Malta Gaming Authority, Player Protection Directive (Directive 2 of 2018), Version 3, January 2023. The operative instrument governing all mandatory spend-control obligations for MGA B2C licensees. Available via mga.org.mt/regulatory-framework/player-protection/.
MGA Gaming Licence Fees Regulations (S.L. 583.03). Sets out the compliance contribution rates applicable to Type 1 through Type 4 gaming services, the minimum and maximum annual thresholds, and the monthly payment schedule.
MGA Supervisory Priorities. The MGA publishes supervisory priorities identifying areas of regulatory focus including enhanced oversight of player protection measures.
MGA Compliance Audit Manual (MGA/G/001, August 2018, v1), read alongside the May 2025 clarification on audit procedures. Sets out the mandatory and discretionary audit procedures against which MGA compliance auditors assess licensee platforms, including verification of player protection controls.
MGA FAQs, Player Protection and Responsible Gambling Tools. The Authority’s plain-language guidance on the distinction between mandatory and encouraged tools, including the stricter-limit-applies principle for operators offering both deposit and wagering limits simultaneously.
Source: Malta Gaming Authority, Directive 2 of 2018 (Player Protection Directive), Version 3, January 2023, Gaming Licence Fees Regulations S.L. 583.03, MGA Supervisory Priorities, MGA Compliance Audit Manual MGA/G/001 v1 August 2018.
Matt Denney
Editorial · gamingcompliance.io
Reads the primary source so you don't have to. Fifteen years inside iGaming compliance: operator, supplier, and crown-corporation lottery.