🇲🇹 Office 1, Piazzetta Business Plaza, Ghar il-Lembi Street, Sliema SLM 1560, Malta. 📱Contact us on: +356 99408536

Contact Us

    iGaming mergers acquisitions: Deals and Risks

    iGaming mergers acquisitions: Deals and Risks

    iGaming licence requirements. iGaming mergers acquisitions create the same assumption gap. Every operator thinks they’ve researched them. Most have read a summary somewhere — application fee, timeline, compliance officer needed — and budgeted accordingly. Then the application starts and the gap between the summary and the reality becomes clear, usually in the form of an information request that adds eight weeks and a legal bill that wasn’t in the plan.

    This happens consistently enough that it’s worth being direct about what’s behind the headline requirements, not just what the headlines are.

    The headline items — UBO disclosure, AML framework, key functions, technical certification — are all real requirements. What they actually involve operationally is where most operators underestimate the scope.

    iGaming mergers acquisitions: Mapping Ownership Chains

    Every major licensing jurisdiction in iGaming mergers acquisitions requires full disclosure of the ownership chain up to the ultimate beneficial owners. That sentence is simple. The exercise it describes is not, particularly when the ownership structure has been built over years across multiple jurisdictions for reasons that had nothing to do with iGaming.

    The chain needs to show every entity between the applicant and the UBOs, with ownership percentages at each level. Each entity needs its own documentation — incorporation certificate, shareholder register, director list. Any entity that’s been dissolved, reorganised, or renamed at any point in the chain needs documentation of that history too.

    Source of wealth — where most applications slow down

    Source of wealth documentation for UBOs is the most consistent cause of application delays. The regulator wants to understand how the UBO generated the funds being invested in the gaming operation. Recent salary from a publicly traded employer: straightforward. A UBO who sold a manufacturing business in one country, reinvested in property across two others, participated in a private equity exit, and is now funding a gaming operation: not straightforward.

    The documentation needs to tell a coherent, verifiable story from income source through to funds available today. Gaps in the chain generate information requests. Each request adds six to ten weeks. The operators who go into the application knowing this and prepare the documentation properly in advance are in a materially different position from those who discover it mid-process.

    Fit-and-proper checks for UBOs and directors — criminal convictions, regulatory sanctions, insolvency history — are also part of the picture. Most pass. Some don’t, and discovering a historic sanction three months into an application is expensive. Preliminary checks before the application is submitted save time when the answer is complicated.

    Why corporate structure decisions made before the application affect the disclosure process — and what structures consistently cause documentation problems — is covered in iGaming corporate structure in 2026.

    Malta: What the MGA Actually Requires

    The Malta Gaming Authority publishes its requirements in detail. The gap isn’t in the information being hidden — it’s in what the published requirements actually involve operationally.

    iGaming mergers acquisitions: Financial Requirements

    Minimum share capital of €100,000, paid up. Player fund protection — ring-fenced accounts, insurance, or bank guarantee — before go-live. Three-year financial projections that the MGA will actually assess for coherence. Not whether the numbers look good. Whether they make commercial sense. Projections showing €50 million revenue in year one from a standing start don’t pass that test — they generate questions about the underlying assumptions.

    The player fund protection requirement surprises operators who assumed it was covered by the share capital. It isn’t. Separate arrangement, separate cost, needs to be in place before the platform opens to real-money players.

    Technical requirements — the certification timeline problem

    RNG certification from an MGA-approved testing laboratory. Game mathematics certification per title. Platform technical approval. All three need to complete before the go-live condition is met.

    The timeline problem: these certifications run on lab schedules, not application schedules. Testing labs have booking queues. The most in-demand labs have lead times of three to six weeks before they can start. Testing itself takes time. Total elapsed time from lab engagement to certificate: eight to fourteen weeks for a standard scope. Operators who treat technical certification as something to start after the compliance review is complete add three to four months to the timeline unnecessarily.

    Start the certification process at the same time as submitting the application. Not after it. That’s the fix.

    Key functions — the substance problem

    The MGA has reviewed a lot of key function nominee submissions. It recognises nominees who appear across too many companies simultaneously to plausibly fulfil each role. It recognises nominees who have financial services compliance backgrounds but no gaming experience. The assessment is looking for substance — people actually doing these jobs with actual authority — not form.

    This is the requirement that generates the most follow-up questions for operators who haven’t thought it through. Nominative compliance doesn’t pass MGA scrutiny in 2026 the way it sometimes did five years ago.

    iGaming mergers acquisitions: Post-LOK Regulatory Changes

    The Curaçao Gaming Authority now issues licences directly. The old sub-licence system is gone. Any content describing Curaçao iGaming licence requirements from before 2025 is describing a different system.

    The new requirements under the LOK are more demanding than what existed before, though still less demanding than Malta’s framework. This matters for operators who planned a Curaçao application based on pre-LOK research.

    The substance requirement that gets missed

    Operating entity incorporated under Curaçao law. Mandatory. Resident managing director — someone actually living in Curaçao. Also mandatory. The managing director requirement is the one that gets missed most often, usually by operators who find a nominee service offering a ‘resident director’ and assume that satisfies the requirement.

    The CGA has been checking this more carefully since the LOK came into force. Genuine residency means genuine residency — real presence, real involvement in the company’s management, not a signature service from someone who technically has a Curaçao address. Whether the specific nominee a particular service provides actually meets this standard is a question worth asking explicitly before the application is submitted.

    AML and responsible gaming under the LOK

    The AML framework submitted needs to describe the actual business. Not a generic online casino template — the specific markets, payment methods, and player profile of the operation being licensed. Generic submissions generate CGA information requests.

    Responsible gaming tools need to be live and working before go-live, not just described in a policy document. Deposit limits, self-exclusion, session management. The CGA has been more active in verifying technical implementation since the LOK. A policy that says ‘deposit limits are available’ when the platform doesn’t actually enforce them at the payment layer is not compliant with the requirement.

    The AML Requirement: What ‘Framework’ Actually Means

    AML compliance appears on every list of iGaming licence requirements. The listing doesn’t capture what meeting it actually involves.

    A written AML policy exists. Somewhere. In most operators’ filing systems. That’s not the same thing as a functioning AML framework. The policy is the documented description of a system. The framework is the system. And the system needs to work — needs to produce alerts when it should, needs those alerts to be reviewed by qualified people with authority to act, needs SAR filings to happen when they should, needs records to be kept in the format and for the duration the regulations require.

    The risk assessment specificity problem

    The AML risk assessment is the foundation of the framework. It describes the risk profile of the specific business — the markets served, the payment methods accepted, the player demographics, the transaction patterns, the specific money laundering typologies relevant to this operation.

    A risk assessment written for a generic European fiat casino and submitted for a crypto-native operation targeting Latin American markets is not an adequate risk assessment. It’s adequate paperwork. Those are different things.

    Regulators reviewing applications in 2026 are assessing whether the risk assessment describes the actual business. Generic submissions — those that could apply to any online gaming operator — generate information requests asking for specificity. The requests are usually very specific: what is the expected geographic distribution of players, what payment methods will be accepted and what is the assessed risk level of each, what is the enhanced due diligence trigger for high-value players. If the risk assessment doesn’t address these specifically, the application pauses until it does.

     

    What consistently gets flagged: Transaction monitoring thresholds set to numbers that seem defensible in a document but bear no relationship to the actual deposit and withdrawal patterns of the player base the operator expects to serve. A high-volume slots platform setting AML monitoring thresholds calibrated for a high-stakes poker room. The thresholds look like compliance. They aren’t.

     

    What AML requirements look like operationally — and the specific gaps between documented frameworks and what regulators actually find when they look — is in iGaming AML compliance in 2026.

    **Responsible Gaming Requirements: Tools Versus Integration**

    Deposit limits. Self-exclusion. Session limits. Reality checks. Cooling-off periods. These appear on every responsible gaming requirements list and most operators have implemented something for each of them.

    The question regulators are now asking more consistently is not whether the tools exist. It’s whether they work — specifically, whether they enforce at the payment layer and whether they’re integrated with the marketing system.

    The integration iGaming mergers acquisitions: System Integration Gaps

    A deposit limit that exists as an account setting but doesn’t block deposits at the payment processor level when the limit is reached is not a functioning deposit limit. A self-exclusion that closes account access but doesn’t trigger immediate removal from the marketing database is not a functioning self-exclusion. These tools exist in the compliance documentation. They don’t exist as compliance infrastructure because the systems don’t communicate.

    This is probably the most consistent technical compliance gap across licensed operators. Not bad faith. System architecture. The responsible gaming module and the payment processor and the CRM were built separately, integrated loosely, and nobody tested what happens when a limit is reached.

    iGaming mergers acquisitions: Behavioural Monitoring

    Most licensing frameworks now require proactive monitoring of at-risk behaviour. Not just making tools available for players who self-identify problems. Watching for escalating deposit sequences, session length changes, rapid redeposit after losses, and intervening before the player makes the request.

    An operator whose responsible gaming monitoring has produced zero interventions across six months of active operation is running either an extraordinarily clean player base or a monitoring system that isn’t catching what it should. Regulators, and frankly experienced compliance professionals, are sceptical of the former. Zero-intervention records get scrutinised.

    iGaming mergers acquisitions: Post-Licensing Obligations

    The requirements continue after the licence is issued. Operators who treated the application as the compliance exercise sometimes discover this more abruptly than they’d like.

    Regulatory reporting — monthly statistical returns, incident notifications within defined timeframes, change notifications before material platform changes go live, annual submissions. These need to be built into operations from day one, not retrofitted when the first return is due.

    Annual independent compliance audit. Required under most major frameworks. The audit assesses whether the compliance framework that was submitted and approved is the one actually running. The gap between those two things is what most audits find. Operators who maintain the framework as a living operational document rather than a static approval produce cleaner audit results — and more importantly, actually comply.

    The full ongoing compliance checklist — what iGaming licence requirements look like through the licence term, not just at application — is in the iGaming compliance checklist in 2026.

    How iGaming licence requirements map to the application process — what generates information requests and what moves applications forward — is in the iGaming licence application process in 2026.

    The broader industry context these requirements sit within — what the regulatory environment looks like for operators in 2026 — is in the iGaming industry in 2026.

    Frequently Asked Questions

    What are the core iGaming licence requirements across major jurisdictions?

    Full UBO chain disclosure with source of wealth documentation for each beneficial owner above the jurisdiction’s threshold. Fit-and-proper assessment for UBOs and directors. An AML framework specific to the actual business — its markets, payment methods, and player profile. Key function appointments that pass individual assessment and demonstrate genuine gaming compliance experience. Responsible gaming tools that enforce at the payment layer and integrate with the marketing system. Financial requirements including minimum share capital and player fund protection. Technical requirements including RNG certification and platform approval. These are the consistent elements. The intensity and specificity of each requirement differs between Malta and Curaçao.

    What minimum capital is required for an iGaming licence?

    Malta requires €100,000 minimum share capital, paid up. Curaçao requires approximately ANG 40,000, equivalent to around €22,000. Both jurisdictions also require separate player fund protection arrangements — ring-fenced accounts, insurance, or bank guarantee — which are distinct from the share capital requirement and often surprise operators who assumed share capital covered player protection. The capital needed to sustain operations through the application period and first operating year is substantially higher than the regulatory minimums in both cases.

    How long do iGaming licence requirements take to satisfy?

    Malta: six to twelve months from a complete application to go-live. Curaçao: eight to sixteen weeks for the provisional licence under the LOK framework. The main variables in both cases: complexity of the ownership structure and source of wealth documentation, readiness of the technical submission including RNG certification, and quality of the AML framework. Each information request adds six to ten weeks. Applications with complete documentation and specific rather than generic compliance frameworks move significantly faster than those without.

    What key functions does the MGA require?

    Five: Compliance Officer, Money Laundering Reporting Officer, Responsible Gaming Function, Technical Function, and Financial Function. Each must be individually named, pass fit-and-proper assessment, and demonstrate gaming-specific compliance experience. The MGA assesses whether each nominee has genuine experience relevant to the function — financial services experience alone doesn’t satisfy the gaming compliance requirement. Nominees appearing across an implausible number of simultaneous roles, or nominees whose experience doesn’t match the function, generate follow-up questions that add weeks to the review.

    What does an AML framework need to contain to meet iGaming licence requirements?

    A risk assessment specific to the actual business — not a generic online gaming template but one that describes the real risk profile of the markets, payment methods, and player demographics the operator plans to serve. Customer due diligence procedures for onboarding, ongoing monitoring, and enhanced due diligence for high-risk customers. Transaction monitoring with thresholds calibrated to the expected transaction patterns of the actual player base. SAR procedures. Record retention covering five years from end of customer relationship. The assessment criteria regulators apply in 2026 ask whether the framework describes a system that could realistically catch what it’s supposed to catch — not whether the policies are well-formatted.

    What do responsible gaming requirements actually mean technically?

    Deposit limits that enforce at the payment processor level across all accepted payment methods — not just as an account setting. Self-exclusion that blocks both platform access and marketing communications immediately with no delay. Cooling-off periods that prevent deposit processing for players who request them, even if they attempt to use a different payment method. Reality checks active and working. And proactive behavioural monitoring that identifies at-risk patterns before players self-identify — with documented interventions and outcomes. The consistent gap is integration: these tools often exist as separate system features without real-time communication between the responsible gaming module, the payment layer, and the marketing database.

    Share this article: