Function Holders iGaming 2026

Key function holders in iGaming are among the most consistently misunderstood requirements in gaming licensing. Not because the requirement is obscure the MGA publishes exactly what it expects. Because operators read ‘appoint five key functions’ and treat it as a documentation exercise rather than an operational one.

An operator went through an MGA compliance review in 2024. Fourteen months into the licence. The reviewer asked the Compliance Officer who was present what the main AML risk changes in Q3 had been. The operator had added two payment methods and entered a new market that quarter. Both are material AML risk changes. The Compliance Officer didn’t know. Not because the information was unavailable. Because they hadn’t been engaged closely enough with the programme to have tracked it.

Formal finding. Replacement. Remediation cost that substantially exceeded what a properly resourced compliance officer would have cost across the full fourteen months.

That’s the story this article is about. What each key function actually requires not the CV requirements, but the operational reality.

The Board Report Test Nobody Prepares For

Before getting into individual functions: there’s a single test that reveals more about whether key functions are genuinely operating than any CV or org chart does. Ask for the board reports.

What the compliance officer produced. What’s in them. Whether they contain real data monitoring statistics, specific escalations, findings, remediation status or whether they’re one-paragraph summaries saying compliance is satisfactory.

Thin board reports mean one of two things. Either the compliance programme doesn’t generate data worth reporting, which means the monitoring isn’t running properly. Or the compliance officer isn’t engaged closely enough with the programme to report on it meaningfully. Neither is a good outcome in a regulatory review.

Regulators ask for board reports. When the reports are thin or infrequent, the follow-up question is what the underlying monitoring data shows. If that data doesn’t exist because the programme wasn’t running the finding follows. This is probably the most consistent pattern in post-licensing compliance reviews across major licensing jurisdictions in 2026.

Function Holders iGaming and the Compliance Officer Authority Problem

The Compliance Officer requirement gets discussed mostly in terms of experience gaming-specific background, relevant qualifications, demonstrable sector knowledge. That matters. But the authority structure problem is at least as common and arguably harder to fix.

A compliance officer who reports to the commercial director rather than the board doesn’t have organisational independence. The MGA assesses the reporting line. An officer who needs commercial approval before escalating compliance concerns or whose escalations can be overridden by commercial decisions isn’t functioning in the way the role requires. This is a structural problem, not a qualification problem. It means the org chart needs to change, which is more disruptive mid-application than fixing a CV gap.

What gaming-specific experience actually means

Financial services compliance experience is real experience. It’s just not the same as gaming compliance experience. The risk typologies differ. The specific regulatory requirements differ. Gaming compliance reviews differ significantly from banking reviews in what reviewers request and what they consider adequate, so sector experience is material.

An MGA application presenting a compliance officer with strong banking compliance credentials and no gaming background will probably generate a follow-up question about gaming-specific experience. That question isn’t unanswerable there are ways to address it but it needs to be prepared for, not encountered for the first time in an information request.

What the compliance officer role actually requires operationally throughout the licence term beyond the application phase is in the iGaming compliance officer role in 2026.

Function Holders iGaming: Why Zero SARs Can Signal MLRO Risk

Internal teams report suspicious activity to the Money Laundering Reporting Officer, who makes the SAR filing decision and remains accountable to the regulator for the monitoring programme’s performance. That’s the formal description.

The practical reality: an MLRO who needs commercial approval before filing a suspicious activity report doesn’t have the independence the role requires. Filing a SAR is a regulatory obligation, not a commercial decision. The authority to file without sign-off from a commercial director, without delay for business reasons needs to be genuine and documented in the MLRO’s authority structure 

The Financial Action Task Force framework that underlies gaming AML requirements places specific obligations on the MLRO function. Regulators assess against that framework. An MLRO who can demonstrate familiarity with FATF guidance not just the licensing jurisdiction’s specific rules is in a stronger position than one whose knowledge stops at the minimum local requirement.

The SAR filing history as evidence

An operation that has processed millions of transactions over several years with no suspicious activity reports is not running a uniquely clean operation.

It’s almost certainly running AML monitoring that isn’t detecting what it should. Or an MLRO who isn’t making the filing decisions that the monitoring should be generating. Either way, zero SAR histories across meaningful operating periods get scrutinised. When regulators review AML, they examine the MLRO’s filing record early not only whether the MLRO filed SARs, but whether the filing pattern looks plausible for the business’s risk profile.

What functioning AML monitoring looks like and the specific gaps between documented monitoring and what’s actually happening is covered in iGaming AML compliance in 2026.

Function Holders iGaming and the Responsible Gaming Integration Problem

The responsible gaming function holder is responsible for player protection. Not for writing the responsible gaming policy for making sure the monitoring actually runs and the interventions actually happen.

The European Gaming and Betting Association has been pushing member operators toward more rigorous responsible gaming standards over the past three years. Regulators have followed. Compliance reviews now test whether responsible gaming monitoring produces alerts, whether the team reviews those alerts, and whether the responsible gaming function documents interventions with outcomes.

The intervention record is the equivalent of the board report test for this function. How many interventions were made in the last quarter. What triggered them. What happened as a result. A large active player base that generated zero responsible gaming interventions over six months isn’t unusually safe the monitoring probably isn’t working properly.

Independence from Commercial Decisions in iGaming Key Function Appointments

A responsible gaming function cannot operate properly when commercial decisions override it. Promotions approved over player protection concerns. Marketing sent to players who set deposit limits last week. Bonus offers reaching players in cooling-off periods because the marketing system and the responsible gaming system don’t share data.

These failures happen more often than they should, and they happen at operators who have a named responsible gaming function holder. The problem isn’t the appointment. The issue is integration. The responsible gaming function needs organisational authority that commercial decisions cannot override. It also needs system integration that enforces player protection rules, regardless of the marketing calendar.

Technical and Financial Functions — Less Scrutinised, Still Real

These two attract less attention in compliance reviews than the compliance officer, MLRO, and responsible gaming function. That’s probably because the outputs they produce are more straightforward to verify. But regulators can issue findings for both functions when operators do not resource them properly.

Technical Function

The most common gap: technical function holders who understand the technology but aren’t tracking regulatory certification requirements. RNG certification has renewal requirements. Game mathematics certifications apply to specific build versions a material game update may require recertification. Platform security standards evolve. A technically excellent operation running on lapsed certification because the technical function holder didn’t track renewal dates is a compliance problem. The technology works. The regulatory status doesn’t.

Financial Function

Player fund protection arrangements need to cover the current player liability, not the liability at the time the arrangement was set up. An operation that has grown significantly since the original player fund protection was arranged may have a gap between what the arrangement covers and what it actually needs to cover. The financial function holder is responsible for tracking that gap. The financial function holder can easily miss this gap if they do not stay genuinely engaged with the operation’s financial position.

Why Nominal Function Holders iGaming Appointments Become Expensive

Not all nominal key function appointments are deliberate. Some are budget decisions the operator did not plan for the full cost of genuinely resourcing each function, so it makes appointments at a level of engagement that does not match what the roles actually require. Some are genuine misunderstanding operators who read the requirement as ‘appoint five qualified people’ rather than ‘run five genuine compliance functions with real outputs.’

Either way, the post-licensing review surfaces it. The remedy is the same regardless of cause.

Replacing a key function holder mid-licence means the operator must find a replacement with genuine experience, onboard them into a programme that has probably fallen behind, rebuild the compliance outputs the team should have produced, and address any regulatory findings that emerged from the gap. That process happens while the operation is running commercially, consuming management attention that has other demands on it.

Whether that’s more expensive than properly resourcing the functions from the start almost certainly yes, in most cases. Whether the original saving was real in that light probably not.

Key Functions in the Curaçao Framework

Curaçao’s LOK framework doesn’t prescribe the same five-function structure as the MGA. But the underlying principle is the same: compliance responsibilities need real people with real experience who are genuinely doing the work.

The AML responsibility holder, the responsible gaming oversight, the technical compliance responsibilities all need to be clearly assigned and the assignment needs to be genuine. The CGA identifies nominal structures, probably more quickly now than before the LOK came into force.

What specifically differs from Malta: the CGA framework gives operators more flexibility in how they structure the functions. What it doesn’t give operators is flexibility on whether the functions are real. The flexibility is in structure, not in substance.

What securing a Curaçao or Malta licence requires in terms of key function appointments and how appointment quality affects both the application and the post-licensing review is in how to secure an iGaming licence in 2026. The post-licensing obligations that key function holders need to produce outputs for throughout the term is in iGaming post licensing in 2026. The full compliance checklist covering what each function needs to produce is in the iGaming compliance checklist in 2026.

Frequently Asked Questions

What are the mandatory key function holders in iGaming under the MGA?

Five: Compliance Officer, Money Laundering Reporting Officer, Responsible Gaming Function, Technical Function, and Financial Function. Regulators assess each function holder individually through a fit-and-proper check, experience review, and authority structure review. The assessment checks whether the nominee is qualified for the role and the specific operation. It also checks whether the organisational structure gives them the authority they need. Curaçao’s LOK does not require the same five-function structure. However, it requires operators to assign AML, responsible gaming, and technical compliance responsibilities to qualified people who genuinely perform the work.

What does ‘nominal’ mean in the context of key function appointments?

A nominal appointment occurs when a person passes the fit-and-proper assessment and appears in the org chart, but does not actively manage the function they are supposed to lead. The compliance officer who doesn’t know the current monitoring outputs. The MLRO who hasn’t reviewed the alert queue this month. The responsible gaming function holder who can’t say how many interventions were made last quarter. Regulators identify nominal appointments by asking for outputs the function should produce board reports, intervention records, monitoring statistics and finding them absent, thin, or inconsistent with the compliance programme documentation.

Why does gaming-specific experience matter for key function appointments?

Gaming creates different risks, regulatory requirements, and compliance review expectations than financial services, so regulators treat sector-specific experience as material not just useful. An MGA application presenting a compliance officer or MLRO with strong banking credentials but no gaming background will likely generate follow-up questions. That does not necessarily make the application unacceptable, but the operator should anticipate and address it early rather than face it for the first time in an information request.

What is the most telling indicator that a key function is genuinely operating?

The board report test. What the compliance officer produced over the last twelve months. Whether the reports contain real data monitoring statistics, specific escalations, findings, remediation status or one-paragraph summaries saying compliance is satisfactory. Thin or infrequent board reports indicate either a monitoring programme that isn’t generating data worth reporting, or a compliance officer not engaged closely enough with the programme to report on it meaningfully. Both are findings in a regulatory review.

Is the authority structure of key function appointments assessed?

Yes, by the MGA and increasingly by the CGA. A compliance officer reporting to a commercial director rather than the board doesn’t have the organisational independence the role requires. An MLRO who needs commercial approval before filing a suspicious activity report doesn’t have the filing authority the role requires. These are structural assessments, not just CV assessments. Fixing a reporting line mid-application is more disruptive than building the correct structure before submission.

What happens when a key function holder fails a post-licensing compliance review?

A formal finding requires remediation within a defined timeframe. That typically means the operator must replace the key function holder if the finding concerns the individual’s performance or qualifications, rebuild the compliance programme outputs that the team should have produced, and address any regulatory consequences that emerged from the gap all while the operation continues to run commercially. The total cost of remediation advisory fees, management time, potential regulatory exposure, timeline pressure is in almost every case higher than properly resourcing the function from the start would have been.