Remote Gaming in Malta

Malta has cemented its position as one of the most trustworthy and well-respected players in the remote gaming industry. Back in 2004, the Maltese government set the general framework of remote gaming, and over the following years, several operators, including some of the biggest players in the industry flocked to Malta, attracted by its clear licensing criteria and attractive fiscal measures.

To date, there are over four hundred (400) licensed entities, employing thousands of employees in Malta, ranging from odds compilers, to IT programmers, marketing, call centre agents etc;. It is estimated that the remote gaming industry now accounts to over 10% of Malta’s Gross Domestic Product, without taking into account, the inevitable spill-over effect in real estate, local recruitment agencies and service providers.

Licensable Activity

The carrying out or abetting of remote gaming through a remote medium in and from Malta, requires a licence. The licensing authority is the Lotteries and Gaming Authority, which also is the regulatory arm over land-based gaming and gambling in Malta.

Specifically to remote gaming, there are four types of gaming licences. Applicants are required to apply for a licence or more licences, depending on the type of gaming activity which they purport to carry out. The applicable licence is therefore dependent on the actual mechanics of the game. It is therefore very important to clearly identify the scope and mechanics of the game, as the choice of licence shall determine the (i) share capital requirements; and (ii) the gaming tax that is payable by the remote gaming licence holder

Licence Classes

The remote gaming regulations are applicable to all games of chance, or games of chance and skill. Purely skill games, are currently outside the scope of the remote gaming regulations, albeit, this may be subject to further review by the Lotteries and Gaming Authority. Currently, the four applicable remote gaming licences are the following:

  • Class 1: Operators who partake in gaming risk on games based on repetitive events and whose outcome is solely determined by an independent arbitrator – a random number generator. Such games include Casino / Lotteries / Slots / Arcade Games / Bingo;
  • Class 2: Operators who partake in gaming risk on markets based on singular events (betting) e.g. Traditional bookmaker who, contrary to betting exchanges, undertakes the risk management of the sporting event directly with the player;
  • Class 3: Operators who promote games and in return get a commission in a Player to Player (P2P scenario).  Typically includes multiplayer games and betting exchanges such as Poker rooms. The characteristic of a Class 3 operator is the P2P element and shall include not only poker rooms but also betting exchanges and any other variations, whereby the outcome of the victory is determined between the outcome between two players.
  • Class 4: Operators who run a software platform to host the service of any of the above classes.  These licence holders merely provide a platform from which other licensees can operate and are not involved in the actual management and running of the event.

Share Capital Requirements

As a licensed entity, remote gaming companies are subject to greater degree of probity and scrutiny than non-licensed companies. This is justified on the understanding that as a recipient of player’s moneys, licensed entities should also have financial stability. One way to gauge financial stability is naturally the issued share capital of the Company. For this reason, the Lotteries and Gaming Authority has prescribed a minimum threshold of share capital which must be satisfied by each licensed entity. The share capital is commensurate to the risk inherent in each class licence. The following is the minimum share capital requirements which would be expected from the Lotteries and Gaming Authority, albeit, it is clear that the following is merely an indicate amount, and the Authority, reserves the right, regard being had to the business model and financial projections of each applicant, to recommend a higher share capital requirement:

  • Class 1: EUR 100,000 issued and fully paid up share capital
  • Class 2: EUR 100,000 issued and fully paid up share capital
  • Class 3: EUR   40,000 issued and fully paid up share capital
  • Class 4: EUR   40,000 issued and fully paid up share capital

Application Process

Having established the licence categories, the application process follows a very linear pattern.

At the outset, it is strongly advisable that the purported project be discussed in all the thorough and meticulous details with our representatives. This shall allow us to provide you with bespoke advice, as well as advising on the specific intricancies of each class licence. After which, it is strongly advisable that a preliminary meeting be set up with the Authority to discuss the proposed application, and seek confirmation regarding the licence class being applied for. Whilst it is true that the class licences are well delineated, it is possible that the mechanics of the game being proposed by the applicant, ensure that the game is classified under one particular gaming class in lieu of another. It is therefore empirical that the mechanisms and rules of the game be described thoroughly to ensure maximum clarity regarding the class licence.

Following this meeting, we shall start the compiling of the necessary documentation, which must be submitted for the evaluation of the Authority. It is important, that the information be complete and thorough, so that it may be deposited with the Authority in one clean sweep.

Documentation Required

At the outset, the Authority must ensure that the applicant (and the promoters therein having a controlling interest) are all ‘fit and proper’ persons with the necessary expertise and integrity to carry out a remote gaming operation. Every proposed director with the licensed entity, as well as every shareholder having more than 5% interest (in terms of equity, voting rights, options, pledge etc;) must fill in a Personal Declaration Form.

This shall allow the Authority to gauge the applicants’s expertise and experience and ascertain that the applicant shall not jeopardise the good standing of the Authority and reputation of the island, nor will he jeopardise the players.

Although it is possible for corporate entities to apply as shareholders and/or directors within a Maltese company, a full transperancy check shall be required, in order to ascertain, identify and verify the credentials of the ultimate beneficial owners therein. The following documentation must be submitted together with the Personal Questionnaire:

  • A true copy of the birth certificate;
  • A true copy of the passport;
  • Passport size photo;
  • A conduct certificate;
  • Statement of Affairs;
  • Credit and Financial references;
  • Bookmaker licences if issued in another country;
  • A document issued by a legal entity stating that all documentation submitted is a true copy of the original.

Operational Documents

Having submitted the aforesaid due diligence documents, the applicant must also submit the operational documents which can better explain to the Authority, the purported class licence to be undertaken by the applicant. The following is a non-exhaustive, yet comprehensive description of the documentation which the Authority would expect from the prospective applicant. These documents, are to be prepared and submitted together with the Personal Questionnaire

Business Plan

By far, the central document, a lot of effort and preparation should be afforded to the correct compilation and finalization of this document. The business plan should ensure that it clearly projects the purported gaming activity to be undertaken by each applicant. It is the expectation of the Authority, that this document covers, at least the following areas:

  • The objectives of the operation;
  • The proposed company structure including business functions and human resources deployed (this shall allow the Authority to ascertain that the operations are adequately staffed at all times;
  • The nature of games to be offered – (this shall allow the Authority to confirm that class licence of the games that shall be offered by the applicant. The inclusion of additional games, post licence, shall always require the pre-notification and pre-approval of the Authority, in order to ascertain that the proposed game falls with the remit of the class licence currently held by the licence holder;
  • The medium through which the gaming activity shall be conducted – (although remote gaming is usually associated with an internet medium, it also includes gaming activity undertaken on mobile means – such as telephony, tablets etc;)
  • A technical overview of the application software to be used as gaming and control systems;
  • A three-year business plan which should include (i) marketing and sales projections; (ii) forecast balance sheet; and (iii) financial planning / budget

Corporate Documents of Licence Holder

At the outset, it is important to note that a remote gaming licence shall only be provided to corporate entities. Physical persons are excluded, since the licence holder must ascertain that the tenure of the licence is independent of the personal liabilities and risks (incapacitation, death, insolvency, bankruptcy etc;) that physical persons are subject too.

The applicant must furnish the Authority with unequivocal evidence regarding the incorporation of the licence holder, and ensure that the corporate documents fully reflect the proposed corporate shareholding and directorship that was disclosed by the applicant in the application form.The trading objects of the company must also unequivocally reflect the fact that the company shall carry out the activity of remote gaming.Other forms of corporate entities are permissible. If the applicant wish to undertake the activity via a partnership, then a copy of the partnership deed is necessary.

Business Entity Information Form

One of the bespoke forms to be filled in the applicant is the business entity information form (BEIF). The BEIF contains details relating to the company’s registered and operational office, the website domains, the credit institution entrusted to the safekeeping of player’s monies as well as the financial year of the licence holder.

The financial year end is relevant since each licence holder is legally required to produce management accounts on a semester basis, as well as file audited financial statements with the Authority to allow the scrutiny thereof.

With regard to the credit institution entrusted to the safeguarding of the player’s funds, this may be located in or outside Malta, but has to be a reputable credit institution which is licensed in a reputable jurisdiction. Furthermore as an additional safety measure such credit institution shall be requested to furnish the Authority with a written declaration that:

  • It will not attempt to enforce or execute, any charge, write-off, set-off or other claim against the moneys held in the Clients’ Accounts;
  • It will not combine the Clients’ Accounts with any other account in respect of any receivable owed to it by the licensee;
  • It shall credit any interest payable on the above indicated Clients’ accounts only to that account/s;
  • It shall disclose any information with regard to the Clients’ Accounts as may be requested by the Lotteries and Gaming Authority.

This shall assure that the segregation and protection of clients’ funds and full transperancy are assured at all times.

Information Security Policy

As a remote gaming company, a licence holder shall have access to very sensitive information, such as players’ banking details and personal information. It is therefore essential, that the licence holder prove to the Authority that it has integrated the technical and human resources to ascertain that there are no security leakages and the players’ data is secure and protected at all times.

Data breaches are possible in two main manners – (i) technical; and/or (ii) human intervention.

On the technical front, the applicant is expected to have a series of measures that mitigate the risk of any malicious intrusion and unauthorized extraction of data such as firewalls in protection of player’s data, payment security measures, encryption, password change policies, audit trails etc;

All these technical measures however, must be complemented and enhanced by a tight and rigid human resources policy, with a clear and unequivocal system of accesses and rights. Information must be segregated and key information accessible only to senior management. Prospective licence holders should ascertain that information is accessible on a strict ‘need-to-know’ basis, and audit trails in place to allow evidence and proof of such access. It is important that the company has a consistant and swifly executable password policy. Employees, who have access to any information through VPNs and who have their employment terminated, must have their password access immediately severed, to prevent the leakage of information.

Incident Response & Asset Removal Policy

No matter the budget allocated and the measures in place, remote means shall always retain inherent risk, and the possibility of an incident happen may only be minimized and mitigated but never fully eradicated. The scope of such document would therefore be to classify the incident or problem, and to have a clear ‘cookbook’ approach on the diagnosis, escalation paths and methods to sanitise such incident, ensuring that the core information held by the licence holder is never compromised.

The licence holder must therefore have in place a manual and provide staff with clear and unequivocal training of the escalation paths to be followed whenever an incident is triggered. The licence holder would be expected to have a procedure whereby the key personnel and technical teams are deployed to diagnose the problem and ensure measures to isolate the matter and identify time and measure to sanitise the problem. The Authority must be informed of such incident by means of a specific incident report form. Thereby, the Authority reserves the right to recommend and seek the implementation of technical measures, if it believes that the licence holder has an incident-prone or compromised infrastructure which may jeopardise players’ data.

Where the incident is caused by a failure to one component, the licence holder should also inform the Authority, including an overview of the hardware replaced, and a description of the technical part decommissioned and replaced. Where the hardware replacement is with regard to a key component, e.g database, server or random number generator, it is advisable that apart from notifying the Authority, the licence holder retain onsite spares, to ensure that there is no downtime or compromise to the operations of the Company.

User Management Policy

This document draws strong parallels to the information security policy. However, its main focus is for the licence holder to have a clear and unequivocal policy outlining the segregation of rights, accesses and roles of the staff of the licence holder, as well as a policy which covers external, non-staff components, such as affiliates and consultants engaged for one specific task.

The scope of the policy therefore is to ensure a clear hierarchy regarding access to sensitive player data, and to prevent unauthorized access, as well as having technical measures to monitor and if need be, severe access to key information.

Human Resources Roles & Responsibilities

It is evident from the information set forth above, that the human resource element, is just as pivotal to the Authority as the technical aspects of the business. The Authority must ascertain that the licence holder is adequately staff, as well as well managed. Whilst the due diligence exercise is restricted only to the directors, shareholders and beneficiaries of the Company, the Authority shall also need to ascertain that the company has the necessary resources to undertake and ascertain the seamless day-to-day management of operations. Therefore, a comprehensive organigram, outlining the roles, functions and responsibilities of each staff member is to be drawn up and provided to the Authority. It is also recommended that the licence holder identify the escalation paths and reporting duties of each member, so as to identify any flaws or weaknesses in the system, and ensure that the ‘four-eyes’ principle (double monitoring and scrutiny) via a system of checks and balances is in force at all times.

System Access Control Procedures

The system access control procedures is a sister document to the user management policy, and the two documents should be read in tandem, and ensure that they dovetail with each other. The user management policy should be designed to describe the user management, access and privileges – in other words a ‘what’ approach. The system access control procedures, adopts a ‘how’ approach – and should therefore focus on the technical measures in place to ensure that the procedures set forth in the user management policy are implemented.

This procedure should therefore give a breakdown of the systems in place to ensure security and protection (e.g the type of firewall in place / DDOS protection measures / updates to anti-virus and other software to protect against worms and other malicious software).

The procedures should also explain the decision making process and speed by which certain technical measures may be implemented, from proposition to resolution to testing in a beta environment to effective implementation of the technical measure.

Financial Accounting Procedures

One of the criteria for the successful running of the business is the economic health of the licence holder. This is requested by the Authority at inception stage, when the applicant applies for a remote gaming licence, but naturally has to be maintained on a continuing basis. Transparency and accountability are the hallmarks of all licensed entities. The Authority therefore requires the maximum probity into the financial health of the licence holder. All licence holders must file semester management accounts with the Authority, as well as copies of audited financial statements. As a corporate entity, the licence holder is also expected to file copies of the audited financial statements with the registrar of companies (thereby allowing any interested party, to request a copy).

The licence holder must also indicate the place where he shall retain the remote gaming records, which may be accessible by the remote gaming inspectors, during an onsite visit. All accounts must be prepared in accordance to the international financial reporting standards. Furthermore, all accounts must be reviewed and audited by an independent auditor, in an abridged or unabridged form (depending on the size of the operation as prescribed by the accounting precepts of the Companies Act).

Audited financial statements must be filed with the Authority within sixty (60) days of the end of the financial year end. The Authority shall, nevertheless, have a discretion to request additional information of an ad hoc basis, if it believes that additional information may be required. When such request is made, the licence holder must ensure that it has the necessary resources to deploy and implement the measures within the time-frames which may be dictated by the Authority.

Business Continuity and Disaster Recovery Plan

Business operating by remote means and whose existence draws strongly on infrastructural and technical measures, must have adequate procedures in place to ensure that the risk of a major disruption, which could result in downtime, failure, loss of data, disruption of services etc; are identified, and the risks mitigated in a series of counter measures.

At the outset, disasters may be caused irrespective of the best endeavours of the licence holder, and caused by natural calamities such as fires, earthquakes, flooding, thunder strike or by civil unrest e.g. wars / riots etc;

In order to minimize these risks, the licence holder must ensure that the physical infrastructure is stored in secure facilities, which would be expected to have a series of protections e.g. alarms, temperature control, fire alarms, restricted access, strong infrastructural measures to prevent damage, automated generators, 24:7 support system, onsite spares etc;

It is also important to identify the measures that shall be implement to minimize loss of data. In this respect, the licence holder, who after all retains the onus of player data and storage, must have adequate measures in place to ensure that data is stored and secured in a separate environment, by means of a series of measures, such as remote mirror services, off-site spares, backups via extractable media etc;

This is a central concept, as data remains the most prized possession of the licence holder. Hardware and software may be replaced, by player data, including the details, access, winnings, losses, incoming and pending payouts etc; may be irreplaceable. The loss of this information may hinder or paralyse the operations of the business. The licence holder carries the burden of storing the data safely and to ensure swift and effortless retrieval, not only in the case of an emergency, but also in the case of minor disputes which may arise e.g. player payouts etc;

If the licence holder is unable to produce this information, than the onus is lopsided strongly against him. The Authority shall not provide recommendations regarding the technical safeguards that should be implemented by each licence holder, allowing the latter discretion on which measure is best suited, regard being had to the scope and size of the organization. However, popular measures include remote dual copy and off-site backup storage.

The licence holder should also ensure that staff are adequately trained for this eventuality through a series of drills and the organization into teams, trained into minimizing damage, diagnosing and restoring full operability.

Change Management Procedures

No organization is static, and this is especially true of companies operating in a dynamic industry such as remote gaming. Changes can be broadly divided into three facets:

  • Human resources;
  • System infrastructure; and
  • Hardware changes

Each licence holder must therefore have a procedure in place, identifying ways in which such changes may be effected seamlessly without any impact on the operability of the business, and without jeopardizing the continuity of the gaming activity. The escalation path and time-frames for the implementation of each measures are paramount.

Fraud Management Procedures

As a corollary to operating in a highly regulated industry, the Authority expects each licence holder to implement and ensure strict adherence to a series of measure which can ensure and preserve accountability, corporate governance and protection of players’ funds. The players must have total confidence that they are entrusting their funds to a reputable player, licensed and approved by a reputable operator.

With internet fraud and computer crime, being the order of the day, the licence holder must implement a series of legal and technical measures to minimize the risk of fraud, identity theft and unauthorized payments.

The licence holder must therefore have a well delineated Know your client procedure and this is necessary to identify and verify the identity of the player. Players shall be requested to provide, via a safe channel, key documents such as passport, residence and credit card details to the licence holder, who must ascertain and verify his identity.

The operator must implement a procedure regulating the collection of documentation, as well as the approval and processing of payments (inwards and outwards). Analysis should be undertaken to detect and prevent unnatural gaming patterns. Furthermore, all payments in excess of EUR 2,330 may only be approved, upon receipt of all the statutory know-your-client documentation.

The licence holder must also ensure technical safeguards and measures to prevent unauthorized intrusions and unsolicited payments. The incidence of these two threats may be mitigated via the use of additional safety measures such as 3-D secure verification for card payments.

These technical measures much however be matched with adequate human resources and analysis. There must be a manual review, not blind adherence to technical measures. This is particularly relevant, to areas, where albeit there may be no unsolicited or unauthorized use of payments, the measures undertaken may be equally damaging to the licence holder, such as collusion in P2P games, such as poker rooms, to the detriment of the licence holder and/or other players.

Other areas worthy of measure are having a robust lost password process, with verification to log records and IP tracking to be able to distinguish requests undertaken in good faith, with malicious ones.

Application Architecture

The licence holder must provide and comprehensive overview of the technical architecture of the gaming platform. This is typically composed of the following three (3) components:

  • Front End Tier – this the interface between the player’s browser and access to the website of the licence holder and game servers;
  • Middle Tier – interface between the website and the database. In other words, the must be a precise description of the processes in place which allow the player to log on (access), password verification, retrieval of data from database, creation of session key, and storage of information in a database;
  • Backend Tier – this is composed of the database, game management system, administration browser and all applications running analytical and internal processes. This process should allow the administrator to extract all the key details of the clients accounts, such as deposit history, IP addresses, player profile, manage incidents and all other facets, expected of an online business.

System Architecture

Another technical document, this memo requires the applicant to provide a full description of the physical infrastructure used by the licence holder to ensure the seamless execution of the gaming operation. A description of the servers, full specs, and role of each hardware should be included.

A flowchart explaining the interlink between each server, I.P range of the servers and applications used by the web server / game servers and database should also be included.

Network Infrastructure

Similarly to the system architecture, the applicant should give a thorough description of the network infrastructure used and technology choices to ensure the utmost security in the operating environment.

A description of the network infrastructure, as well as the network management, and components that can be remotely maintained and administered should be included. Typically, this document would include a detailed description of the VLANs used and specific reference to ports and IP addresses which require access. An organigram illustrating the VLANs interactions upon a HTTP request is also strongly recommended.

Details of the Random Number Generator

One of the tests in determining the applicable class licence, rests as to whether the outcome of the game is decided by an independent arbitrator, or a random number generator (“RNG”). By way of illustration, an RNG is not necessary in purely skill games, where the outcome of the game is dependent on the expertise of the player. Nor is it relevant in the context of running a sportsbook, when there can be no outcome on the game, other than the expertise of the contestants of the sporting event themselves.

However, in the case of games of chance, or games of chance and skill, the outcome, total or partial, shall be decided by a RNG, which determines the sequence of the game, irrespective of the skill and/or dexterity of the players. A classic example of this would be lotteries or roulette, whereby the outcome of the event is burely based on a chance element. In games which require a mix or both chance and skill (e.g. poker), the players will require skill and strategy to maximize the outcome of the game, which remains however, dependent on an element of chance. In the case of poker, the sequence of the cards, which determine the hands are entirely based on chance, albeit the player can manage the hand being served by skill and/or strategy.

RNGs may either be hardware or software based. In any case the model and brand specifications must be communicated to the Authority, and a copy of the test certificate be also presented. The necessity of undertaking the testing is especially daunting for software based RNGs, since there must be unequivocal evidence that the outcome of the game is truly casual, and there is no finite pattern or sequence which may be replicated by either of the contestants and/or participants to the event. More specifically, the test adopted by the Authority is that of the Schneier test of randomness, which requires all the following criteria to be reached:

  • The data must be randomly and casually generated;
  • The generation of this data must be totally unpredictable. In other words, it should not be possible to predict the sequence of the next outcome, based on the knowledge of the previous sequence, or through an analysis of a previously generated sequence of events – unpredictability at every draw, as if it were the first; and
  • The sequence cannot be reliably reproduced. If one were to input the same number, the sequence produced would be completely different to the previous one.

The undertaking of the following testing, in accordance with the Schneier test of randomness, may be extremely time-consuming and expensive to undertake in a regulated environment. For this reason, clients are well advised to discuss the installation of a RNG with our officers, in that it may be more convenient, and certainly more expedient and less onerous to select a hardware based RNG in lieu of a software-based one. Hard-ware based RNGs would, provided that they are known and disclosed to the Authority, be exempt from the necessity of obtaining a certification.

Ownership of the Software and Testing thereof

Another document which need to be provided to the Authority is the document attesting the ownership of the software. Software may be developed by the licence holder or it may be licensed for use, under a royalty agreement.

In any case, the owner of the software must be identified, and full details thereof, be provided to the Authority, such as full name and details, and in the name of a corporate developer, full corporate history, company registration number, place of incorporation, company registration number, and contact details of the directors and/or legal representatives.

Licence holders who have licensing agreements with the operator of the software are well advised to devise contingency plans to allow for the deployment of alternative arrangements, in the eventuality, for any reasons whatsoever, the use of such licensed software is discontinued by the proprietor of the intellectual property rights. Any retraction of the same licence, would have a material effect on the continuity of the business operations of the licence holder. Therefore, it is possible to mitigate such risk, through multiple arrangements with other licence holders, thereby ensuring that there is no overly dependence on just one provider.

Irrespective of the ownership of the software, the licence holder must provider the Authority, with full details of the organization and/or company which undertook the licensing of the software. Similarly, to the aforesaid, the full corporate details must be disclosed to the Authority, which shall then undertake a verification on the credentials of the company. This document should also include the processes, parameters and rules of the game, to ensure that they dovetail with the description that is being provided by the licence holder.

The Authority would expect, depending on the types of games that the licence holder would purport to provide, that the software be able to generate, any of the following parameters:

(i) percentage payouts – this shall indicate the margins allowed for the operator, and also be of relevance to the calculation of the actual remote gaming tax;

(ii) progressive jackpot payouts – in the case of rollover jackpots, the retention of a margin to increase the pot, and the probability of winnings, are important factors, to assess the viability of the outcome.

(iii) provide no more than the expected house advantage to the operator – this ensures fairness. Whilst the operator should always retain a margin to fund his profitability, this factor shall ensure that the outcome is truly fair within the accepted parameters of industry practice, and the outcome is not being piloted in favour of the house and/or any other player.

(iv) security of both the gaming and financial transactions – the licence holder must implement a series of measures, e.g. encryption / firewalls, limited access to particularly sensitive information, and ensure that they are protected at all times against unauthorized accesses;

(v) impartiality of the outcome irrespective of the technical means being used by either player. The outcome of any gaming event should be impartial, and no player should have the edge, based on entirely technical means, such as the speed of internet connectivity, the speed of the computer processor, and any other external component which may be used by the player when playing such game;

(vii) In order to ensure that the player is always adequately informed of the permutations of each gaming system, the operator is obliged to enlist a minimum set of requirements on the current page, which include but are not limited to the following:

(a) the name of the game;
(b) restrictions on play;
(c) playing instructions, including but not limited to a pay-table of all prizes and special features;
(d) the player’s current account table;
(e) unit and total bets permitted;
(f) the rules of the game; etc

(viii) All financial reports produced by the gaming system must be compatible with gaming transaction reports;

(ix) The gaming system must (a) be capable of producing monthly auditable and aggregate financial statements for gaming transactions and (b) calculate all taxation and monies due to the Authority. The extraction of this seed information, is important not only for the Authority, in the calculation of the relevant gaming tax, but especially so, for the licence holder himself, who should ensure adequate margins at all times.

(x) The gaming system must maintain information about all games played, including-

(a) the identity of the player;
(b) the time the game began as recorded on the games server;
(c) the balance of the player’s account at the start of the game;
(d) the stakes placed in the game (time stamped by the games server);
(e) the game status (in progress, complete etc;)
(f) the result of the game (time recoded on the games server);
(g) the time the game ended as recorded by the game server;
(h) the amount won or lost by the player;
(i) the balance on the player’s account at the end of the game.

Online Text / Content

The Authority puts special emphasis on transparency and maximum disclosure to be provided to players. The player must be an informed one, basing his decision to place his trust and open a contractual relationship with the licence holder on accurate, truthful and comprehensive information. For this reason, the licence holder is expected to have the following information in the hompage / landing page:

(i) Full Operator details – company registration number, name, registered address, operating address (if different from the registered address), full company name, jurisdiction of incorporation and full regulatory details – gaming licence number etc;

(ii) All languages display;

(iii) Player terms and conditions – including the acceptance policy, regulations regarding the event etc;

(iv) Bonus scheme conditions;

(v) Player registration process – preferably with screenshots;

(vi) Data Protection Statement and cookies policy

(vii) Complaints – including full disclosure of complaints officer and call centre;

(viii) Self exclusion policy and self protection. The operator must display at all times a warning regarding the possibility of addiction linked to compulsive gaming. In order to curb, this potentially detrimental addiction, the player should be able to access any of the following information:

(i) Setting a limit to the amounts wagered within a specific period of time;

(ii) Setting a limit on the losses which the player may incur within a specific period of time;

(iii) Setting a limit to the amount of time the player may play in one session;

(iv) Allow the player to exclude himself for a definite period of time or even indefinitely.

It is expressly prohibited for any licence holder to accept wagers or bets in contravention to the aforesaid parametres.

Contracts with Business Partners

In addition to the aforesaid documentation, the licence holder must provide original copies of a series of key agreements, entered or to be entered by the licence holder (not by the parent or subsidiary thereof). These include, amongst others the following set of documents:

(i) Payment Systems / Gateways;

(ii) Contracts with Software Providers;

(iii) Contracts with Class 4 Platform, if applicable

(iv) Other Contracts with Parent / Group / Affiliate Companies

Start of Operations

Upon examining all of the aforesaid documentation, the Authority shall, via its external auditors, set forward a series of recommendations and/or other enhancements to be implemented by the licence holder. The applicant shall thereinafter apply for the submission of a technical and system audit before going live, to assess, the integrity and correct implementation of the recommendations, confronting them with live and actual data. This said compliance audit shall include but not be limited to the examination of the following:

  • The Service Provider Authorisation Form. This form must include a comprehensive and all-ecompassing list of all equipment hosted in Malta. A site plan of the data floor indicating the location of the equipment must be attached to the agreement.  Serial numbers for all equipment used and installed are to be attached;
  • The Control System – Sample reports and tests shall be made from the live system, in order to extract information and show how the effective management of the gaming system is in place;
  • The information management in the operations.  Recommendations and implementation of measures e.g. encryption necessary to improve security of the player’s data and other sensitive information may be made;
  • The backup and disaster recovery procedures will be reviewed and tested;
  • The online website operability will be tested via a dummy account. This shall ensure that all measures in extracting information and player safeguards e.g. self-exclusion are in place and may truly be implemented.
  • Bank account balances.  A reconciliation exercise shall be made with online player account balances to ensure that the liabilities are sufficiently covered;
  • Routine data such as spot checks on odd, payout ratios and randomness as may be requested and compared to the information submitted to the Authority to attest veracity and accuracy thereof.
  • Any agents acting for the operator will be scrutinised for probity.  Copies of contractual agreements will be requested.
  • Staff lists and duties will be checked against the records held at LGA.

Licence Duration and Fees

Once approved, a gaming licence shall be provided to the licence holder.   The licence is a revocable privilege that shall be held by the applicant, insofar that there is conformity, on an ongoing basis, to any licence condition which may have been imposed by the Authority. Provided that the licence is not retracted, or suspended, the licence shall be valid for a period of five (5) years, renewable for further periods of five (5) years.

The application fee is subject to a non-refundable payment to the Authorty of EUR 2,330. The cost of the review of the licensing documents is also subject to a non-refundable fee of approximately EUR 1,900 payable to the external auditor appointed by the Authority.

The retention of the licence, is also conditional to the punctual payment of the licence, which is set forth at EUR 8,500 per annum per licence

Minimum Presence Requirements

The retention of a gaming licence is subject to a strict adherence to the licence conditions. Such conditions must be adhered to on an ongoing basis. These conditions include the retention of a minimum presence requirements. The Authority must ascertain that the licence condition is kept in check, and is able to furnish the Authority of information, whenever requested. The following are a list of minimum presence requirements that the Authority would request for the approval and retention of the licence:

  • The licence holder being a Maltese corporate entity, or a body corporate incorporated in a reputable jurisdiction;
  • The licence holder must have at least one resident director, referred to as the key official. Such director must be a physical person, and must act as the first contact point between the Authority and the licence holder (further information regarding the role and responsibilities of the key official are provided below)
  • The player database must be physically located in Malta and open for inspection by the Authority;
  • The game servers must also be physically located in Malta, for the same reason as the player database.

Conversely, the web server may be located outside Malta, as its role is deemed to be ancillary / logistic, rather than based on control over the activities of the licence holder.

Key Official

As set forth above, one the parameters regarding the approval and retention of a gaming licence, is the appointment of the key official.

The key official must hold the office of director in the Maltese licensed company, and must be resident of Malta. Since this appointment is of a personal nature, and the approval conditional to the submission of the Personal Questionnaire, only physical persons may hold the office of key officials.

Key officials must comply with the statutory responsibilities inherent in the role of all directors. Therefore, they must ensure ongoing compliance with all applicable laws and regulations in general, and not merely the remote gaming regulations to which the licenced company is subject to. As a director, the responsibility of key officials is a personal one, and the responsibilities innate in the office, are such that he must always act honestly and in good faith, in the interest of the company. Consequently, the director should favour the preservation and enrichment of the company, in which he holds the office, over the personal gains of the individual shareholders, even if the shareholders have approved his appointment.

Directors are subject to the laws regarding professional secrecy, as well as the legal representation of the company. They must ensure compliance with all fiscal, corporate and special laws which may be applicable to the licence holder, in addition to any special licence condition which the Authority may have deemed necessary to impose on the licence holder.

The Key official, as the name implies, should have a holistic view over the day-to-day management of the licence holder. It is therefore important that all the internal documentation, manuals and procedures of the licence holder point towards his active involvement. The Key official must be an executive director, and should have access to all sensitive information and be involved in the resolution and implementation of all central matters, be them technical, legal or corporate. As the first point of contact between the Authority and the licence holder, the Key official should always be in the know and able to report comprehensively and fully to the Lotteries and Gaming Authority. The following are a list of non-exhaustive roles that are expected of the Key Official, in the undertaking of his role:

  • Collection of and payment of the gaming tax to the Authority without delay (please refere to comments below regarding the applicability of the gaming tax);
  • Reporting of unusual transactions and raising of suspicious transaction reports to the Authority and relevant local authorities;
  • Inform the Authority of any changes to the staff and employees of the licence holder (both the appointment and the termination thereof);
  • Filing of all statutory reports to the Authority punctually and in accordance to the deadlines set forth by law, including but not limited to the filing of management accounts on a semester basis as well as audited financial statements on a yearly basis;
  • Filing of incident reports whenever there is a downtime or any other technical hinderance to the operations of the company. Whilst this excludes site maintenance upgrades of a planned and temporary nature, the report should most definitely be filed, whenever the hinderance in operability is caused by severe and external means, such as hardware failures, which may require the replacement and decommissioning of hardware. The key official is expected to file a full status report to the Authority, outlining the reasons of the failure, the diagnosis, the implemented solution as well as the time-frame in which such solution was implemented.

Because of the sensitive role of the Key Official, and the access to personal information and data, the key official’s approval is conditional to the declaration of the same individual, attesting that he has duly informed the licence holder of any multiple appointments he may have in other licence holders. All licence holders must also be privy to the proposed key official’s multiple appointments and expressly signal their approval. This is a way inherent to the duties of the director, and more specifically regarding the doctrine of conflict of information and private interest. The Authority reserves the right to refuse the appointment of a key official, on the ground that he has multiple roles in more than one licence holder, and this is especially true when the multiple roles are in licence holders within the same class licence, whereby the potential conflict of interest, is increased.

Whilst the appointment of directors is subject to the prior consent of the Authority, their removal is also subject to the prior consent and approval. Whilst directors in unlicensed entities are able to submit their resignation at any time, by mere letter of resignation, in the case of a licensed gaming entity, this resignation is conditional to the express written approval of the Authority. Likewise, shareholders, may not, by extraordinary resolution remove a director, or not approve his reappointment during the annual general meeting of the licensed company. The rationale behind this, is common to other licensed activities, such as investment services, financial services, banking and insurance companies.

The role of a key official is more than an office – it is in fact a licence, and the licensing authority may not allow there to be vacuums within a licensed company. An Authority is therefore minded to accept the resignation or removal of a director, only conditional to the prior acceptance and approval of an equally valid candidate, and only conditional to the submission of a personal questionnaire. This said, it is perfectly possible for a company to have more than one key official, provided that the roles underlying the voting rights and powers within the licence holder are workable and unequivocally set out.


Licence holders incorporated in Malta, are subject to two (2) distinct forms of taxation:

  • Corporate Tax; and
  • Gaming Tax

The Corporate tax rate for licence holders incorporated in Malta, are the ones applicable to companies undertaking any active trading activity. The Maltese tax system is essentially a credit imputation system, whereby the company undertakes the payment of a corporate income tax, yet the immediate shareholder of the company is entitled to a series of tax refunds. In the case of a remote gaming company, the tax refund is of 6/7ths of the corporate tax rate of 35%. Thereby, shareholders are entitled, upon a final distribution of dividend, to a tax refund of 6/7ths of the 35% corporate income tax, thereby leaving a tax leakage of just 5%.

Furthermore, any foreign tax which may have been suffered by the Maltese company, may be compounded in the income tax computation, as a tax credit, thereby resulting potentially, in tax leakages which are inferior to the aforesaid 5%.

The following is a concise illustration, of how the tax credit imputation, works in practice.

Maltese Company No Foreign Tax With Foreign Tax
Net Foreign Income 20000 20000
Grossing up with Foreign Tax 0 1050
Chargeable Income 20000 21050
Tax at 35% 7000 7370
Credit- Double Tax Relief 0 1050
Malta Tax Payable
(tax at 35% less tax credit)
7000 6320
Shareholder of Maltese Company
Refund on distribution
(6/7 of Malta Tax Payable)
6000 6320
Effective Tax Paid in Malta 1000 0
Effective Tax leakage in Malta on Net Income 5% 0%


This tax credit, which is very much entrenched in Maltese tax law, having been in place for almost sixty years, is guaranteed by law, and expedited swiftly and efficiently.

Gaming Tax

In addition to the aforesaid corporate income tax, each licensed entity is also subject to a separate gaming tax. This gaming tax, is calculated on each class licence held by the licence holder. Just as the class licence, has a direct bearing on the share capital requirements to be held by the licence holder, an equally important consideration is the gaming tax. The applicable gaming taxes are set forth below:

  • Class 1- €4660 per month (first 6 months) and €7000 per Month thereinafter;
    Operating on a Class 4 Licence €1200 per month;
  • Class 2 – 0.5% on gross amount of stakes accepted;
  • Class 3 – 5% of Net Income (revenue from rake less bonus, commissions and e-commerce fees);
  • Class 4 – The gaming tax payable by a hosting platform is nil for the first six (6) months of operation, €2,330 per month for the subsequent six (6) months (month 7 to month 12) and €4,660 per subsequent month (month 13 onwards) for the entire duration of the licence.

The aforesaid are however subject to a maximum capping fee of EUR 466,000 per gaming licence per annum.

VAT Considerations

Often overlooked in lieu of the corporate income tax and gaming tax, VAT is of prime consideration, which may, if badly managed, have far-reaching consequences in the finances of the licence holder.

This is because of all remote gaming licence holders (as is common for most licensed entities) are currently subject to a very specific VAT return. Whilst the gaming services rendered to player is exempt from VAT, and supply of services acquired by licensed gaming companies is classified into two categories:

  • Services which are intrinsic to the gaming transaction;
  • Services which are not innate to the gaming transaction

The distinction albeit subtle, may be extremely far-reaching. Only those services which are deemed to be intrinsic to the gaming transactions are exempt with credit, thereby meaning that the licenced company can reverse charge any VAT incurred on the acquisition of this services.   The litmus test applied in making the distinction is with regard to those services, that are so innate in the rendition of the gaming service, that realistically it is not possible to render the licensed service without the acquisition of these services. These would include for example any banking or ancillary services, gaming software, RNG testing, integrity checks etc; A non-exhaustive list of these services have been published by the Maltese VAT department.

Inversely, the acquisition of goods which are not deemed to be intrinsic to the gaming service include marketing, advertising, hosting, telephony fees and professional fees. Whilst, the said list may not be deemed to be innate to the gaming transaction, their effect is not be to be underestimated, particularly because some of these services may include some of the most far- reaching, particularly since the marketing and advertising services, tend to absorb a significant part of the budget of any remote gaming company. The effect would therefore be that any VAT suffered by the licensed company on the acquisition of services which are not deemed to be intrinsic to the remote gaming activity, will not be recoverable.

Shared Conduct Agreements

For this reason, many remote gaming operators, are finding it increasingly more beneficial to enter into shared conduct agreements. Essentially shared conduct agreements are joint ventures entered into by a multitude of partners, these being the licensed remote gaming company and other non-licensed entities, who agree, subject to a contractual agreement, to pool their resources for the perusal of a common good, and a division of the proceeds. This therefore, allows the consortium of companies participating in such shared conduct to pool in expertise and a more specialized approach to the multiple facets that is necessary in the seamless running of a gaming company, which is competing in one of the most dynamic and competitive industries.

Though the formation of this shared conduct agreement, the licensed company can form strategic alliances with partners located worldwide, including those in VAT-neutral jurisdictions, which may therefore provide expertise in services which are not deemed to be intrinsic to the gaming transaction.

The entering into a shared conduct activity requires the pre-notification and approval of the Authority, since albeit the management of the licensed activity must always be the responsibility and prerogative of the licensed entity, any contractual agreement, catering for services ancillary to the licensed activity, may still have a far-reaching effect. The licence holder must therefore submit a copy of the share conduct agreement for the scrutiny and assessment of the Authority and the proposed partners to the shared conduct agreement, must in turn submit to a thorough personal questionnaire, in order to assess the fitness and properness of the partner.

The partners in a shared conduct agreement may not deviate from the agreement provided to the Authority, by means of any direct or indirect agreement, aimed at rendering the provisions of the approved shared conduct agreement null or else mitigating its effect.

Apart from the obvious effect of bringing in a pool of expertise in the running of a licensed company, with each partner bringing in specialist expertise, the advantage of a shared conduct agreement, has the advantage of minimizing the VAT repurcussions, which would otherwise, had the ancillary services been undertaken directly by the Maltese company, result in VAT leakages to be incurred by the Maltese company. The partners in the shared conduct agreement would therefore pool their respective resources for the perusal of the same economic goal, in return for a profit-sharing arrangement, and the spoils of such joint venture would be shared in the proportions agreed between the parties.

Gaming Intermediaries

One of the most elements which may make or break a gaming operation, or proof the effective divider between a successful gaming venture and an unperforming one, is the ability to effectively market and increase the client base. Customers, after all, are the main asset of the licensed entity. Whilst marketing and advertising are undoubtedly the most direct ways to increase the customer base, the use of gaming intermediaries is just as central and important.

Intermediaries take a multitude of forms from skins, to white label to affiliates etc; Yet all intermediaries, whichever their form have one scope – that of increasing traffic and consequently the gaming revenue of the licence holder, in return for a commission of the outcome. Today, it is widely recognized that the use of an extensive network of intermediaries is one of the essential elements of business development.

Intermediaries may be physical or legal persons. They may be incorporated in any reputable jurisdiction and are exempt from the licensing exigencies which would normally be incumbent in licensed entities, such as the need to have a key official, to be well capitalized or to pay any form of gaming tax.

In full recognition of this matter, the Authority has implemented a fast-track notification process for the use of intermediaries. Gaming companies wishing to avail themselves of the services of such intermediaries are to notify the Authority in writing, by means of a bespoke form, outlining the details of the intermediary as well as submitted a copy of the contractual agreement.

Whatever the commercial rationale behind the agreement, the contractual instrument must clearly state that the responsibility for the compliance to the remote gaming regulations, remains with the licence holder. In other words, the licence holder may divest or delegate the function in relation to ancillary matters e.g. promotion and advertising but never the responsibility thereof.   It is therefore incumbent in the licensed entity to ascertain that the marketing and advertising material do not fall foul of the advertising guidelines issued by the Authority.

Incentives to CEOs

Malta has successfully implemented a successful gaming regime, with a highly attractive corporate and gaming tax framework. This structure, has contributed to the organic growth of the gaming industry in Malta, which today directly employs thousands of employees in Malta. Whilst the corporate framework has attracted several big names in the industry, the next step was to attract the top talents in the industry.

The success of the company depends on the skills and expertise of its management. In a highly skilled and competitive environment leadership skill and acumen is necessary to differentiate oneself from the rest of the pack. In a push to extend the attractive tax regimes also to the professionals in highly regulated and lucrative industries, an amendment was undertaken to the Income Tax Act, by means of the enactment of the Highly Qualified Rules (“the Rules”)

The Rules, originally enacted in 2011, were initially open solely to high ranking officers within the financial and insurance industries, and solely to companies which were licensed, authorized or recognized by the Malta Financial Services Authorities. Originally, the eligible offices were the following:

  • Chief Executive Officer;
  • Chief Risk Officer;
  • Chief Financial Officer;
  • Chief Technology Officer;
  • Portfolio Managers;
  • Chief Investment Officer;
  • Senior Traders;
  • Senior Analysts;
  • Actuarial Professionals;
  • Chief Underwriting Officers;
  • Head of marketing;
  • Head of Investor Relations

However, subsequently, following a recognition of the tangible benefits that was being contributed to the Maltese economy by the remote gaming companies, the Rules were extended also to high ranking officers within companies licensed by the Lotteries and Gaming Authority

Eligibility Criteria

The main allure of the Rules is that they allow eligible employees to be taxable at a highly appealing rate of just 15% on their taxable income, as opposed to the taxable brackets that would otherwise be applicable to income derived by resident officers.

The eligibility criteria for prospective officers are the following:

  • The officers must all have a qualifying contract of employment in excess of EUR 75,000. Such amount shall not include any fringe benefits received in respect of work and duties carried out in Malta, or in respect of any period spent outside Malta in connection with such work or duties;
  • The applicant must be an employee with a valid contract of employment. This will therefore exclude any forms of consultancy arrangement;
  • The applicant must be in a senior position. This election is effectively reserved only to the decision-makers within the organization or persons of significant rank. Furthermore, the applicant must show a minimum of five years professional experience (this is aimed at elimination fast-track promotions just to claim eligibility to the scheme;
  • The applicant must fully disclose all emoluments received in respect of income arising from an employment in Malta;
  • The applicant must also be able to adequately support his immediate family, without making recourse to the social security and welfare assistance in Malta – therefore it is necessary to show a comprehensive healthcare key plan cover for the applicant and his immediate family;
  • As a corollary to the aforesaid, the applicant and his immediate family would also reside in an adequate residence and be in possession of valid travel documents at all times;
  • Lastly, but very importantly, the applicant must not be domiciled in Malta. The concept of domicile is a connecting factor for tax reasons. Effectively, it acts as an indicator that the applicant considers Malta as his effective and conclusive ‘home’. The Rules will therefore only apply to individuals who acquire residence but are not domiciled in Malta.

Applicants wishing to avail themselves of the Rules, must have a written declaration to the Authority, which is then submitted to the Maltese Commissioner of Inland Revenue and accompanied by a number of supporting documents.