MGA Key Function Requirements

Most operators going into Malta licensing focus on the wrong things early on. Product, platform, payment setup: all of that matters, but it’s not what the MGA checks first when something goes wrong. What it checks is whether specific people inside the company genuinely controlled specific risks. That’s what MGA Key Function Requirements are actually about.
Directive 3 of 2018, the Gaming Authorisations and Compliance Directive, sets out the framework. A key function is a role or task connected to a gaming service or supply, carried out by a natural person. Not a team. Not a policy. A specific individual who holds a Key Function certificate from the MGA and can actually demonstrate they control that area.
The MGA now lists approved Key Persons and directors publicly through its portal. Worth checking what’s visible before a licence application or a material change notification. For how these roles sit within the wider licence picture, Malta gaming licence functions explained covers the operational context.
What MGA Key Function Requirements Are Measuring — Honestly
Three things matter to the Authority when it assesses Key Persons: real authority, real access to information, and real independence where independence is required.
Real authority means the person can actually make decisions, not just sign off on what someone above them has already decided. Real access means they get the data, reports, and operational visibility needed to control their area, not sanitised summaries. Compliance and audit functions need more than formal independence in a job description; the structure has to support it.
Fit and proper assessment covers integrity, reputation, competence, and capability. It’s assessed at application and stays live throughout the licence. Key Persons who fall below that bar after licensing create current regulatory exposure. Not a historic note on the file: an active problem.
When the MGA runs compliance audits or interventions, it works backwards from outcomes to accountability. If the Key Person for a given area can’t explain how controls work, what the current risk picture looks like, or what they did when something went wrong, that’s a governance failure in the MGA’s view, regardless of what the organisational chart says.
The B2C List of MGA Key Function Requirements
B2C remote gaming licensees have the longer list. Under Directive 3 of 2018: Chief Executive, management of day-to-day gaming operations, compliance obligations, legal affairs, data protection and privacy, AML/CFT prevention, technological affairs and regulatory data control, and internal audit.
Eight functions. Each one maps to a specific risk category the MGA has decided needs a named, certified individual behind it. The compliance obligations function alone covers responsible gaming, player support, marketing controls, and sports integrity, which gives a sense of how much scope sits within a single Key Function.
The list isn’t structured for convenience. It reflects where the MGA has seen problems in licensed operations and decided accountability needed to be formalised.
CEO Accountability Under MGA Key Function Requirements
The Chief Executive function is ultimate governance accountability. Not symbolic: actual.
During licensing reviews, material changes, audits, or incidents, the CEO has to explain strategy, resourcing decisions, compliance readiness, and what remediation is underway. Specifically. With evidence. A CEO who gives general answers about company values and delegates every technical question to someone else doesn’t satisfy MGA Key Function Requirements.
The common failure here is appointing someone to the CEO Key Function who holds the title commercially but doesn’t engage with compliance or regulatory processes day-to-day. The MGA notices that gap during interviews and document reviews. It tends to become a bigger problem than operators expect.
Operations, Compliance, and Legal — Where MGA Key Function Requirements Get Specific
The day-to-day operations function covers more ground than running the platform. Payment flows, fraud controls, withdrawal processing, chargeback management, third-party oversight, and regulatory reporting dependencies sit within it. The Key Person needs genuine financial and operational understanding, not just platform familiarity.
Compliance is the function where structural conflicts cause the most visible problems. It covers responsible gaming, player support, marketing approvals, and sports integrity. The Key Person needs independence from commercial pressure, and that independence has to exist in the reporting structure, not just in a policy document. A compliance lead who reports into a commercial director and gets pushed on campaign turnaround times isn’t genuinely independent. The MGA looks at structure, not intent.
Legal affairs gets underestimated, particularly in operations that rely heavily on outsourced suppliers and third-party platforms. Contracts that don’t preserve access to compliance-relevant data, or that blur responsibility for regulatory obligations, are legal governance failures. The legal Key Person’s job is partly to prevent those situations, not just to manage them once they’ve materialised.
AML, Data Protection, Technology — Three Areas MGA Key Function Requirements Treat Seriously
AML/CFT prevention is a named B2C Key Function, and the expectations are specific. The MLRO needs to explain risk assessments, monitoring frameworks, enhanced due diligence triggers, suspicious activity procedures, and how AML controls interact with operational teams. Not at a policy level: operationally.
Data protection sits alongside AML in terms of how much regulatory and banking partner scrutiny it draws. GDPR compliance, breach response, vendor due diligence, lawful processing bases, retention schedules, player rights handling: the function requires oversight of actual data practices across the organisation, including third parties. Owning the privacy policy document is a starting point, not the job.
Technology governance is where operators most consistently misjudge what the MGA expects. Back-end system integrity, control system oversight, security governance, access controls, incident response, change management: the function is about regulatory data integrity as much as technical performance. The MGA treats technology failures as compliance failures. That framing matters when an incident happens and the Authority asks who was responsible for the systems involved.
Internal Audit’s Role in MGA Key Function Requirements
Internal audit has to be genuinely independent. The function tests whether controls work, not whether they exist.
That means testing control design, assessing effectiveness, and reporting findings to a governance level with actual authority to act on them. An internal audit function that reports into the same management layer being audited, or that produces findings which quietly disappear without follow-through, doesn’t meet the standard. Outsourcing the function doesn’t change the independence requirement.
The small firm audit Malta guide covers related ground on audit preparation in a Malta context. For MGA purposes, internal audit is part of how the Authority assesses whether an operator’s governance picture is real or performative. It’s worth treating it accordingly.
B2B Licences and MGA Key Function Requirements
The B2B list is shorter: Chief Executive, day-to-day operations, compliance, legal affairs, data protection where applicable, technological affairs, and internal audit. AML/CFT doesn’t feature the same way. Consumer-facing functions (responsible gaming, marketing controls) aren’t directly named.
Shorter list, but the technology function tends to get the most scrutiny in B2B reviews. System integrity, logging practices, SDLC governance, and third-party infrastructure oversight all fall under it. Suppliers whose products create compliance gaps for the operators using them have a governance problem regardless of their own audit record.
For context on how Malta’s B2B accountability framework compares with other jurisdictions, the Anjouan gaming authority offers a useful structural contrast. The differences in what each regulator requires from suppliers are significant.
Role Combinations and Independence Under MGA Key Function Requirements
Some Key Functions can be combined. Not all of them.
The question is whether combining two functions creates a structural conflict that undermines the independence one of them requires. Compliance and commercial revenue sitting with the same person is the obvious example, but there are less obvious ones too, depending on how an organisation is structured. The MGA’s assessment is structural. A trustworthy person in a conflicted role still creates a governance problem.
Small teams face real practical pressure here. Lean structures mean people wear multiple hats. But solutions exist: clear escalation paths, genuinely independent reporting lines for sensitive functions, board-level oversight for compliance and audit findings. The point is to make independence structurally real, not just to state it.
Vacant Key Functions push responsibility to directors. That raises governance risk at the most senior level and draws regulatory attention. Treat vacancies as urgent compliance issues. The MGA doesn’t view an unfilled Key Function as an administrative gap; it views it as a live governance failure.
Common Ways Operators Fail MGA Key Function Requirements
Appointing Key Persons without real authority is probably the most frequent mistake. The title is there, the certificate is obtained, but the person defers decisions upward and can’t answer specific questions under audit scrutiny.
Combining roles that create conflicts nobody has properly thought through is second. Often happens during rapid growth when structures don’t keep pace with the regulatory picture.
Internal audit treated as a document exercise rather than genuine assurance work. Technology governance that runs adequately until a regulatory data issue surfaces. These aren’t unusual; they’re the standard failure modes the MGA’s audit team is experienced at identifying.
Operators who build functional governance structures from the start (real accountability, real information access, escalation mechanisms that get used, audit that tests rather than approves) have substantially fewer problems during reviews. The difference between a smooth compliance audit and a difficult one usually comes down to whether governance was built properly or retrofitted under pressure.
MGA Key Function Requirements and What They Mean for Licence Longevity
A Malta gaming licence opens commercial doors. Payment providers, banking relationships, and business development opportunities all depend partly on regulatory standing. MGA Key Function Requirements are the mechanism by which the Authority checks that the people running the operation are genuinely capable of protecting it.
Strong Key Function governance means fewer incidents, better regulatory responses when things do go wrong, and documentation trails that demonstrate control when the MGA asks questions. The inverse is also true: weak governance invites scrutiny, limits credibility when it matters, and creates the kind of compounding risk that eventually becomes a licence-level problem.
The MGA’s experience is that the gap between governance on paper and governance in practice tends to widen over time if it isn’t actively managed. Key Function Requirements are the framework that keeps that gap visible and accountable.
MGA Key Function Requirements — Common Questions
What are MGA Key Function Requirements?
A regulatory framework under Directive 3 of 2018 requiring licensed gaming operators and suppliers to assign specific responsibilities to certified natural persons who genuinely control those areas of the operation.
Which functions apply to B2C licensees?
CEO, day-to-day operations, compliance (responsible gaming, player support, marketing, sports integrity), legal, data protection, AML/CFT, technology, and internal audit.
Which functions apply to B2B licensees?
CEO, operations, compliance, legal, data protection where applicable, technology, and internal audit. AML/CFT and consumer-facing obligations don’t appear in the same formalised way.
Do Key Function holders need MGA certification?
Yes. A Key Function certificate is required before taking on the role. Fit and proper status is assessed at application and remains a live obligation throughout the licence.
Can one person hold multiple Key Functions?
Sometimes, but only where the combination doesn’t undermine the independence a specific function requires. Some combinations are incompatible regardless of who fills them.
What happens if a Key Function sits vacant?
Responsibility reverts to directors, raising governance risk at the most senior level. The MGA treats vacancies as live governance failures, not administrative gaps.






