On the 20th of October 2021, the Malta Gaming Authority (the “MGA”) published a series of amendments to the Gaming Authorisations and Compliance Directive (Directive 3 of 2018) (the “Directive”), in parallel with a new Policy on the Eligibility and Ongoing Competency Criteria for Key Persons (the “Eligibility Policy”).

This article briefly discusses the main changes brought about to Malta’s gaming regulatory framework by the Directive’s amendments and the MGA’s publication of the Eligibility Policy.

The main changes can be summed up into 7 key headings, namely:

Change 1: The Overall Number of Key Function (KF) Roles and their Underlying Responsibilities

With regard to remote/online gaming B2C licensees (“B2Cs”), the amendments to the Directive reduce the required number of KF roles that a B2C Licensee must hold from 15 to 8. The MGA implemented this reduction by essentially merging certain KF roles which are inherently interlinked and which, in practice, were in any case generally occupied by the same person.

In terms of the amendments to the Directive, B2C Licensees are now required to hold the following 8 Key Functions:

  1. The chief executive role, or equivalent;
  2. The management of the day-to-day gaming operations, including but not limited to, the management of the financial obligations of the licensee, such as the payment of tax and fees due to the Authority, the processes of making payments to, and receiving payments from, players, the management of the risk strategies for the operation of the licensee, and the prevention of fraud to the detriment of the licensee;
  3. Compliance with the obligations of the licensee as may be applicable by virtue of the Act and any binding instrument issued thereunder, including but not limited to, obligations relating to responsible gaming, obligations relating to player support, obligations relating to the rules relating to marketing, advertising and promotional schemes, and where applicable, obligations relating to sports integrity;
  4. The legal affairs of the licensee, including but not limited to matters relating to contractual arrangements and dispute resolution;
  5. The adherence to applicable legislation relating to data protection and privacy;
  6. The prevention of money laundering and the financing of terrorism;
  7. The technological affairs of the licensee, including but not limited to the management of the back-end and control system holding essential regulatory data, and the network and information security of the licensee; and
  8. Internal audit.

In view of the above, while the roles of CEO, CLO, Key Privacy, MLRO and Internal Audit remained unchanged, other roles have been removed by essentially absorbing the same into a previously existing closely associated role.

More specifically, under the Directive’s updates, it can be observed that:

  1. The COO’s role has been expanded to also include the previously existing Key Function roles of Key Finance, Fraud Officer and Risk Officer;
  2. The Compliance Officer’s role has been expanded to also include the previously existing Key Function roles of Player Support Officer, CMO and RG Officer and has also been extended to clarify that it also captures obligations relating to sports integrity, where the B2C Licensee offers sports betting products;
  3. The CTO role was extended to also include the previous CISO’s role.

Similarly, for B2B Licensees, the required Key Function roles have been reduced from 9 to 7, by essentially:

  1. extending the previous CTO Key Function to also encapsulate the previous obligations of the CISO; and
  2. extending the COO’s role to also encapsulate responsibility for management of the financial obligations of the licensee, such as the payment of tax and fees due to the MGA and the management of the risk strategies for the operation of the licensee.

Effectively, the Key Function roles now required by B2B Licensees are the following:

  1. The chief executive role, or equivalent;
  2. The management of the day-to-day gaming operations of the licensee, including but not limited to, the management of the financial obligations of the licensee, such as the payment of tax and fees due to the Authority, and the management of the risk strategies for the operation of the licensee;
  3. Compliance with the obligations of the licensee as may be applicable by virtue of the Act and any binding instrument issued thereunder, including but not limited to obligations relating to sports integrity where these are applicable;
  4. The legal affairs of the licensee, including but not limited to, matters relating to contractual arrangements and dispute resolution;
  5. The adherence to applicable legislation relating to data protection and privacy, where applicable;
  6. The technological affairs of the licensee, including but not limited to, the management of the back-end and control system holding essential regulatory data, and the network and information security of the licensee; and
  7. Internal audit.

It should also be noted that other KF related changes have also been introduced by the amended Directive with regards to the National Lottery Licensee and B2Cs that operate gaming premises (both controlled and not controlled gaming premises).

Change 2: Sports Integrity

Previously, sports integrity suspicious betting reporting obligations applied only for B2Cs. In terms of the Directive’s amendments, such requirements will now also apply to B2Bs (critical gaming suppliers) that also offer sports betting supplies.

Further, it should be noted that the amendments designate Key Person sports integrity related responsibility to the Compliance Officer.

Change 3: Continuous Professional Development

In addition to the requirement for a Key Person to be deemed “fit and proper”, that is, to be deemed to have the required integrity, honesty, reputation, competence and capability, the MGA also introduced continuous professional development (“CPD”) requirements.

Such CPD requirements consist of a number of hours of CPD which, as a minimum, a Key Person must fulfil.

An exhaustive list of methods applicable for the attainment of CPD requirements was also published by the MGA in the Eligibility Policy. These include professional educational activities (such as courses, in-house training, conferences, seminars and workshops), presentations (including vendor/system-specific presentations), teaching, lecturing and presenting, publication of articles and professional examinations.

Change 4: Key Function Compliance Deadlines

The Third Schedule of the Eligibility Policy clarifies the timeframes that must be adhered to with regard to Key Function changes, by both Key Function certificate holders and Licensees. Namely:

  1. Any new Key Function certifications must immediately be made in accordance with the new requirements.
  2. By the end of May 2022, existing Key Persons must apply to the MGA to be approved to fulfil the newly designated Key Roles in terms of the Directive (as amended). For clarification, Key Persons that are solely authorised to fulfil a Key Role which was not changed by virtue of the Directive’s changes shall not be required to apply for a new Key Function Certificate. If, however, in addition to such unchanged Key Role, the Key Function Certificate holder is also authorised to fulfil another Key Role which has been changed by means of the Directive’s amendments, the requirement to apply by the end of May 2022 would need to be adhered to.
  3. By the end of September 2022, the MGA shall approve/reject the applications made in accordance with the previous paragraph.
  4. By the end of December 2022, existing Licensees shall notify the MGA with the designation of the new Key Persons in accordance with the amended Directive.
  5. Following the notification made in accordance with the previous paragraph, the MGA shall either approve/reject the designation of the new Key Persons by the end of March 2023.
  6. Existing Key Persons shall be required to fulfil the CPD requirements outlined in the Eligibility Policy with respect to each of the Key Roles which they are authorised to fulfil upon their first application for renewal of their Key Function Certification following the approval issued by the MGA in terms of paragraph 3. Provided that with respect to those Key Roles that were not changed by means of the Directive as amended on 20 October 2021, CPD requirements shall be required to be adhered to upon their second renewal of their Key Function Certification following the coming into force of the Eligibility Policy.

Change 5: Key Function Eligibility Requirements

The minimum experience and/or qualifications required for a person to occupy a Key Function role have also been enshrined within the Eligibility Policy.

The requirements to occupy the main Key Roles are set out below:

| Key Role | Minimum Experience and/or Qualifications |
| --- | --- |
| CEO | Minimum of 3 years working experience in a managerial role and a related bachelor’s degree or higher, or a minimum of 5 years working experience in a managerial role. Knowledgeable in terms of the Authorised Person’s business model, operations and organisational infrastructure. Knowledgeable in terms of the obligations of the Authorised Person in terms of general regulatory compliance. |
| Operations | Minimum of 2 years of working experience in a managerial role and a related bachelor’s degree or higher, or a minimum of 4 years working experience in a managerial role. Knowledgeable in terms of the Authorised Person’s payment, risk management and fraud prevention procedures. Knowledgeable in terms of the obligations of the Authorised Person in terms of general regulatory compliance. |
| Compliance | Minimum of 2 years working experience in a compliance-related role and a related bachelor’s degree or higher, or a minimum of 4 years working experience in a compliance-related role. Knowledgeable in terms of the obligations of the Authorised Person in terms of the Gaming Act including obligations relating to responsible gaming, advertising and, where applicable, sport integrity. Knowledgeable in terms of the Authorised Person’s business model, operations, systems, and procedures adopted by the Authorised Person to ensure regulatory compliance. |
| Legal | Minimum of 2 years working experience in the role of legal counsel and/or in a similar senior role and a bachelor’s degree in law or higher. Knowledgeable in terms of the Gaming Act. Knowledgeable in terms of the legal affairs of the Authorised Person, including those relating to contractual arrangements, litigation proceedings and dispute resolution. |
| Privacy | Minimum of 2 years working experience in the role of data protection lead or data protection officer and a related diploma or certificate, or 3 years working experience in the role of data protection lead or data protection officer. Knowledgeable in terms of the GDPR and the relevant local data protection legislation. Knowledgeable of the Authorised Person’s policies and procedures relating to data protection. |
| Prevention of Money Laundering and the Financing of Terrorism | Minimum of 2 years working experience as a money laundering reporting officer or similar senior and/or a related managerial role, and must be in possession of a related bachelor’s degree or money laundering specific qualification, or have 4 years working experience as a money laundering reporting officer or similar senior and/or related managerial role. Knowledgeable in terms of the rules relating to AML/CFT in terms of the Gaming Act and any other applicable binding instrument relating to AML/CFT. Knowledgeable in terms of the AML/CFT procedures of the Authorised Person. |
| Technology | Minimum of 2 years working experience in a role related to IT and a related bachelor’s degree or higher, or 4 years working experience in an IT-related role. Knowledgeable in terms of the Authorised Person’s technical set-up, systems and infrastructure. |
| Internal Audit | Minimum of 2 years working experience as an internal auditor or a similar role and be in possession of the relevant certificate to perform the role of internal auditor or have 4 years of working experience as an internal auditor or similar role. The person must be knowledgeable in terms of the auditing requirements applicable to the Authorised Person. |

Change 6: Compatibility / Conflicting Roles

The MGA also published the Key Function roles that it considers to be incompatible, that is those roles which an individual will not be allowed to fulfil simultaneously, effectively consolidating previous MGA policy and practice into the Eligibility Policy.

A compatibility table/illustration was helpfully published by the MGA in the Eligibility Policy’s Fourth Schedule, which is being reproduced hereunder:

Change 7: Responsibility Absent of Duly Appointed Key Functions

The updates to the Directive also introduce a new article, namely article 5A, which sets out that, without prejudice to the requirements for licensees to designate persons responsible for the carrying out of Key Functions as set out in the Directive, where no person is approved by the MGA to fulfil any required Key Function role, whether temporarily or otherwise, the responsibility for such Key Function shall vest on the directors of the Licensee.

Article written by Senior Associate Dr Terence Cassar with the support of Legal Trainee Mr Joseph John Galea. 

For further information on how we can be of assistance in providing qualified Key Persons, please contact Mr Reuben Portanier and Dr Terence Cassar.

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.