Malta Gaming Operators Face New AML Expectations as MGA Points Industry to AMLA Consultations
Malta Gaming Operators Face New AML Expectations as MGA Points Industry to AMLA Consultations
The Malta Gaming Authority has informed relevant stakeholders that the EU Anti-Money Laundering Authority has launched additional public consultations on draft AML/CFT regulatory standards and guidelines under the EU Anti-Money Laundering Regulation.
The development is important for Malta gaming operators because EU AML reform is moving from high-level legislation into practical supervisory detail. Operators, recognition notice holders, B2B suppliers, payment-linked businesses and investors should treat the consultations as an early signal of future compliance expectations.
This update also comes shortly after the MGA launched a targeted consultation on proposed enhancements to Malta’s Recognition Notice Framework. Those proposed changes are aligned with Malta’s latest National Risk Assessment and National AML/CFT Strategy 2024–2026.
This piece explains what the developments mean for Malta gaming operators, which businesses are most exposed, and what compliance teams should review before expectations become more formal.
For readers’ convenience, we have placed the key official MGA, AMLA and EU materials at the end of this article.
Publish Date
7 May 2026
Reading Time
9 minutes
Category
Legal News
Jurisdiction
Malta
What the MGA has announced
On 4 May 2026, the MGA informed stakeholders that AMLA had launched two additional open public consultations. These consultations relate to draft Guidelines on Business-Wide Risk Assessment under Article 10(4) of the AMLR and draft Regulatory Technical Standards on Group-Wide Requirements under Articles 16(4) and 17(3) of the AMLR.
The MGA encouraged stakeholders to review the initiatives and participate in the consultation process. It also invited authorised persons to submit written feedback to the Authority, supporting its continued work and engagement on sector-specific considerations.
The consultation on draft RTS for group-wide requirements has a response deadline of 15 June 2026. The consultation on draft Guidelines for Business-Wide Risk Assessment has a response deadline of 15 July 2026.
The MGA also reminded stakeholders that earlier AMLA consultations on customer due diligence and criteria for identifying business relationships, occasional transactions, linked transactions and lower thresholds had a feedback deadline of 8 May 2026.
Why AMLA matters for Malta gaming operators
AMLA is not only relevant to banks, payment institutions or investment firms. The EU AML package affects obliged entities across sectors, including gaming businesses where customer funds, cross-border activity, payment methods and rapid transaction flows can create material AML/CFT exposure.
Regulation (EU) 2024/1624, known as the AMLR, introduces directly applicable AML/CFT requirements across the EU. AMLA is now developing technical standards and guidelines that will shape how those obligations are applied in practice.
For Malta gaming operators, this means the new framework should not be viewed as distant policy. It may influence business-wide risk assessments, customer due diligence, group-wide controls, monitoring, information sharing and the treatment of higher-risk customers or markets.
Business-wide risk assessment is becoming more structured
AMLA’s draft Guidelines on Business-Wide Risk Assessment focus on how obliged entities identify and assess money laundering and terrorist financing risks across their operations.
For gaming operators, this is a key compliance area. A business risk assessment should reflect the operator’s actual products, customer types, geographies, payment channels, transaction patterns, affiliates, outsourcing arrangements and technology tools.
A generic AML risk assessment is unlikely to be enough. Operators should be able to explain why their controls are proportionate to their business model and how risk findings are translated into day-to-day controls.
Group-wide controls are becoming more important
AMLA’s draft RTS on Group-Wide Requirements are relevant for gaming groups operating through multiple entities, branches or subsidiaries. This is particularly important where a group has EU and non-EU structures, centralised compliance functions, shared technology, group-level payments support or outsourced monitoring.
Gaming groups should review whether AML/CFT policies are applied consistently across the group. They should also assess how information is shared, how foreign subsidiaries are monitored, and how Malta-facing compliance responsibilities are documented.
For gaming operators, this is a key compliance area. A business risk assessment should reflect the operator’s actual products, customer types, geographies, payment channels, transaction patterns, affiliates, outsourcing arrangements and technology tools.
A generic AML risk assessment is unlikely to be enough. Operators should be able to explain why their controls are proportionate to their business model and how risk findings are translated into day-to-day controls.
Recognition Notice Framework changes may increase scrutiny
On 29 April 2026, the MGA launched a targeted consultation on proposed enhancements to Malta’s Recognition Notice Framework. The Recognition Notice Framework is relevant for certain operators authorised in other jurisdictions that seek recognition in Malta.
According to the MGA, the proposed changes follow an internal review and are aligned with Malta’s latest National Risk Assessment and National AML/CFT Strategy 2024–2026. They are intended to strengthen assessment measures at authorisation stage and introduce a more structured and proportionate approach to ongoing monitoring.
This is a significant signal for operators relying on recognition-based access. The MGA appears to be focusing not only on entry-stage assessment, but also on ongoing monitoring after recognition is granted.
Recognition notice holders should prepare for more documentation
Recognition notice holders should expect closer attention to the quality of information provided to the MGA. This may include foreign licence status, regulatory history, beneficial ownership, group structure, AML/CFT controls, compliance governance and jurisdictional risk.
Operators should also review whether their current documentation remains accurate. Any material changes to business model, ownership, management, foreign authorisation, product scope or risk exposure should be identified early.
A stronger ongoing monitoring approach may also increase the importance of recordkeeping. Operators should keep clear evidence of compliance reviews, board decisions, regulatory correspondence, incident handling and remediation steps.
Practical AML/CFT areas gaming operators should review now
| Area | What gaming operators should review |
|---|---|
| Business risk assessment | Whether AML/CFT risks reflect current products, markets, customers and payment channels |
| Customer due diligence | Onboarding, verification, PEP and sanctions screening, and enhanced due diligence triggers |
| Source of funds and wealth | Thresholds, documentation standards, affordability indicators and escalation rules |
| Transaction monitoring | Deposits, withdrawals, payment methods, unusual patterns and rapid movement of funds |
| Group-wide policies | Consistency across EU and non-EU entities, branches and outsourced functions |
| Affiliate and B2B risk | Lead generation, white-label models, platform providers and third-party exposure |
| Technology and AI tools | Fraud detection, automated monitoring, model governance and audit trails |
| Recordkeeping | Customer files, logs, internal decisions, regulatory correspondence and retention periods |
| Governance | MLRO authority, board oversight, training, reporting and remediation tracking |
AML controls should match real customer behaviour
Gaming AML risk is often dynamic. A customer’s risk profile may change based on transaction volume, payment method, withdrawal behaviour, unusual play patterns, geographic indicators or source-of-funds concerns.
Operators should ensure that monitoring rules are not limited to onboarding. Ongoing monitoring should capture meaningful changes in behaviour and trigger escalation where risk increases.
Source-of-funds controls need clear escalation rules
Source-of-funds and source-of-wealth checks remain sensitive areas for gaming operators. They can affect customer experience, operational workload and regulatory exposure.
Operators should define when checks are triggered, what evidence is acceptable, who approves escalation decisions, and how unresolved concerns are handled. This should be documented in policy and tested in practice.
Payment providers and B2B suppliers should not ignore the reforms
AML/CFT risk in gaming does not sit only with the licence holder. Payment providers, platform suppliers, wallet providers, crypto rails, affiliates, white-label partners and outsourced service providers can all affect the operator’s risk profile.
Gaming operators should review third-party due diligence and contractual controls. They should confirm whether providers can support monitoring, reporting, data access, incident escalation and regulatory requests.
Payment-linked businesses should also pay attention to the direction of EU AML reform. Even where they are not the gaming licence holder, their services may be central to how customer funds enter, move through and leave the gaming ecosystem.
Third-party arrangements should support AML evidence
Operators should avoid outsourcing arrangements that create gaps in AML evidence. If a third party handles data, payments, onboarding or monitoring support, the operator should still be able to evidence compliance.
Contracts should address access to records, audit rights, reporting duties, data sharing, incident timelines and cooperation with regulatory inquiries.
What investors and acquirers should check in Malta gaming transactions
AML/CFT exposure is also a transaction issue. Investors and acquirers reviewing Malta gaming businesses should assess whether the target’s compliance framework is ready for a more harmonised EU AML environment.
Due diligence should include licence or recognition notice status, AML/CFT policies, business risk assessments, MLRO reports, internal audits, board minutes, customer risk methodology, source-of-funds procedures and transaction monitoring rules.
Buyers should also review correspondence with the MGA and the FIAU, where available. Unresolved remediation plans, compliance findings, high-risk markets, affiliate exposure, payment risk and historical customer-file weaknesses can affect valuation and post-completion obligations.
Recognition notice exposure should be part of deal review
Where a business relies on a recognition notice, investors should check whether the underlying foreign authorisation remains valid and whether the operator’s business model still matches the recognition basis.
They should also assess whether the proposed MGA framework changes could increase documentation, monitoring or remediation obligations after completion.
Practical steps before AMLA and MGA expectations develop further
Malta gaming businesses should not wait for final standards before reviewing their controls. The consultations already show the direction of travel: stronger risk assessment, clearer group-wide controls and more structured monitoring.
For Malta licensees
Malta licensees should update their business risk assessments and review whether their AML/CFT policies reflect current products, customer types, markets and payment methods.
They should also test customer due diligence, enhanced due diligence, transaction monitoring, source-of-funds escalation and board reporting. Where gaps are identified, remediation should be documented and tracked.
For recognition notice holders
Recognition notice holders should review current recognition conditions, foreign authorisation status, group structure, beneficial ownership records and compliance history.
They should also prepare for a more structured monitoring approach. This may require clearer evidence of ongoing compliance, stronger reporting processes and updated documentation for MGA review.
For cross-border gaming groups
Groups with EU and non-EU structures should review group-wide AML/CFT policies and information-sharing arrangements. They should also consider whether non-EU subsidiaries or branches can meet group standards where local law or operational practice differs.
Outsourcing, payments, affiliate arrangements, technology functions and data access should be reviewed as part of the same exercise.
How Legasset can support Malta iGaming AML compliance
The MGA and AMLA developments show that gaming AML/CFT expectations are becoming more detailed and more operational. Malta operators should use this period to review policies, controls, documentation and group structures before new standards are finalised.
Legasset assists gaming operators, B2B suppliers, payment providers, investors and market-entry teams with Malta gaming licensing, recognition notice support, AML/CFT framework review, risk assessments, regulatory gap analysis, policy drafting, internal remediation, consultation responses and transaction due diligence.
We help gaming businesses assess how EU AML reform and MGA expectations may affect their operating model, compliance framework and market-entry strategy.
FAQ about Malta gaming AML compliance and AMLA consultations
Why is AMLA relevant to Malta gaming operators?
AMLA is developing technical standards and guidelines under the EU AML framework. These materials may affect how gaming operators conduct risk assessments, customer due diligence, group-wide controls and ongoing monitoring.
What did the MGA announce in May 2026?
The MGA informed stakeholders that AMLA had launched additional public consultations on draft Guidelines for Business-Wide Risk Assessment and draft RTS on Group-Wide Requirements under the AMLR.
What are the AMLA consultation deadlines?
The deadline for feedback on draft RTS on Group-Wide Requirements is 15 June 2026. The deadline for feedback on draft Guidelines on Business-Wide Risk Assessment is 15 July 2026.
What is the MGA Recognition Notice Framework consultation?
The MGA launched a targeted consultation on proposed enhancements to the Recognition Notice Framework. The proposed changes aim to strengthen assessment at authorisation stage and introduce more structured ongoing monitoring.
What should Malta gaming operators review now?
Operators should review business risk assessments, customer due diligence, source-of-funds controls, transaction monitoring, group-wide AML policies, payment arrangements, affiliate risk, governance and recordkeeping.
Should recognition notice holders take action?
Yes. Recognition notice holders should review foreign licence status, beneficial ownership information, group structure, AML/CFT controls, compliance history and documentation supporting ongoing recognition.
Why does this matter for investors in gaming businesses?
AML/CFT weaknesses can affect valuation, regulatory risk and post-completion remediation. Investors should include AML controls, recognition notice status and regulatory correspondence in due diligence.
Malta Gaming AML Reform: MGA, AMLA and EU Resources
MGA notice informing relevant stakeholders of AMLA consultations on draft Guidelines for Business-Wide Risk Assessment and draft RTS on Group-Wide Requirements under the AMLR.
II. Malta Gaming Authority — Targeted consultation on proposed enhancements to the Recognition Notice Framework
MGA consultation notice on proposed changes to the Recognition Notice Framework, including stronger assessment at authorisation stage and more structured ongoing monitoring.
III. AMLA — Consultation on draft Guidelines on Business-Wide Risk Assessment
AMLA consultation page for draft Guidelines under Article 10(4) of Regulation (EU) 2024/1624, including the consultation deadline and public hearing information.
IV. AMLA — Consultation on draft RTS on Customer Due Diligence
AMLA consultation page on draft RTS under Article 28(1) of Regulation (EU) 2024/1624, relevant to CDD requirements and non-financial sector feedback.
V. EUR-Lex — Regulation (EU) 2024/1624 on anti-money laundering and countering terrorist financing
Official EU text of the Anti-Money Laundering Regulation, which establishes directly applicable AML/CFT requirements across the EU.
VI. Malta Gaming Authority — News and regulatory updates
MGA news page containing recent gaming regulatory updates, AML-related notices and consultation announcements.
