MGA Key Function Requirements
MGA Key Function Requirements sit at the heart of the Malta Gaming Authority’s supervision model. The Key Functions framework for B2C and B2B gaming licences in Malta does not simply regulate products and systems; it regulates accountability. The MGA expects specific, clearly defined senior roles to exist, remain fit and proper, and actively control day-to-day operations.
In practice, therefore, MGA Key Function Requirements determine how your licence operates, how you evidence governance, and how you respond to regulatory scrutiny.
The MGA defines a “key function” as an important function, role, or task carried out by a person in connection with a gaming service or gaming supply, as prescribed by the Gaming Authorisations and Compliance Directive (Directive 3 of 2018). That framework makes it clear that key functions must be assigned to natural persons who can access and understand the operation well enough to control it. In addition, those individuals must obtain the relevant approval through a Key Function certificate process.
For a complementary operational breakdown, see Malta gaming licence functions explained.
This guide explains MGA Key Function Requirements for B2C and B2B gaming licences in Malta in a practical, operator-focused way. You will learn what the MGA expects each function to do, how B2C and B2B requirements differ, how role compatibility works, what happens when a function is unfilled, and how to design governance so that your key persons genuinely protect the licence rather than merely “exist on paper.”
What the MGA Means by Key Functions and Key Persons
Under MGA Key Function Requirements, Key Functions are regulated responsibilities rather than simple job titles. The individuals performing them are Key Persons who must be approved by the MGA through certification.
The Authority’s guidance explains that Key Persons must have full knowledge, understanding, and access to the licensee’s operations. Furthermore, they must remain fit and proper on an ongoing basis, not only at application stage.
The recent update regarding MGA portal company details further strengthens transparency around approved Key Persons and directors.
This principle shapes how the MGA evaluates governance. If responsibility sits with someone who does not actually control the relevant area, the Authority may treat that as a governance failure. Therefore, naming a Key Person is not sufficient. The person must have genuine authority, information flow, and independence where required.
MGA Key Function Requirements also connect directly to operational integrity. Suitability is assessed on integrity, honesty, reputation, competence, and capability. Moreover, ongoing expectations include renewal requirements and continuous professional development elements.
Why MGA Key Function Requirements Matter for B2C and B2B Licensing
The MGA relies on continuous supervision, reporting, and intervention tools. Oversight does not end after licensing. Instead, compliance audits and monitoring continue throughout the licence lifecycle.
For B2C operators, MGA Key Function Requirements become particularly sensitive because player-facing activity creates higher consumer risk. Consequently, B2C functions explicitly include responsible gaming, player support obligations, marketing and advertising controls, and, where relevant, sports integrity.
For B2B suppliers, governance remains equally important. However, the focus shifts toward service delivery integrity, regulatory data control, and technology oversight. While the structure differs, accountability remains central.
If you are comparing regulatory governance frameworks, you may also review the Anjouan gaming authority as a structural contrast point.
MGA Key Function Requirements for B2C Gaming Licences
Under Directive 3 of 2018, the key functions for a B2C remote gaming licensee include:
- Chief Executive role
- Management of day-to-day gaming operations
- Compliance obligations (responsible gaming, player support, marketing, sports integrity)
- Legal affairs
- Data protection and privacy
- AML/CFT prevention
- Technological affairs and regulatory data control systems
- Internal audit
These categories reflect the MGA’s expectation that governance must cover both commercial and compliance realities.
Chief Executive Role Under MGA Key Function Requirements (B2C)
The chief executive function represents ultimate accountability. Therefore, the individual must demonstrate that governance operates in practice.
During licensing, material changes, audits, or incidents, the CEO must explain strategy, operational readiness, resourcing, and remediation actions.
Under MGA Key Function Requirements, this role cannot be ceremonial. Instead, it must have real decision-making authority.
Management of Day-to-Day Gaming Operations (B2C)
This function extends beyond operations. Specifically, it includes financial obligations, player payment processes, fraud prevention, and risk strategy implementation.
Accordingly, a strong operations Key Person must understand payment flows, chargeback management, third-party oversight, withdrawal controls, and regulatory reporting dependencies.
As a result, operational governance supports the wider compliance framework and ensures MGA reporting obligations remain accurate.
Compliance Obligations (B2C)
MGA Key Function Requirements for B2C explicitly include:
- Responsible gaming
- Player support
- Marketing and promotional compliance
- Sports integrity (where applicable)
This function protects consumers and safeguards regulatory credibility. Therefore, it must maintain independence from commercial growth pressures.
In practice, a strong compliance Key Person oversees policies, internal monitoring, incident reporting, staff training, and risk assessments aligned with real operational practices.
Legal Affairs (B2C)
The legal function covers contracts, dispute resolution, and regulatory interpretation.
Legal oversight ensures that third-party relationships enable compliance rather than undermine it. In Malta’s ecosystem, where outsourcing and supplier reliance are common, this becomes particularly important.
Data Protection and Privacy (B2C)
Under MGA Key Function Requirements, data protection represents a core operational risk.
In particular, responsibilities typically include GDPR compliance, data breach response, vendor due diligence, lawful processing documentation, retention policies, and player rights handling.
The Key Person must oversee real data practices rather than simply maintain policy documents.
AML/CFT Prevention (B2C)
For B2C licensees, AML/CFT prevention is explicitly a Key Function.
The MLRO must explain risk assessments, monitoring frameworks, enhanced due diligence processes, suspicious reporting procedures, and coordination with operational teams.
Given the scrutiny from regulators and banking partners, this function demands technical competence and independence.
Technology, Regulatory Data, and Information Security (B2C)
The directive links technological affairs directly to regulatory data integrity.
The Key Person oversees back-end systems, control systems holding essential regulatory data, security governance, access controls, incident response, and change management.
Under MGA Key Function Requirements, technology is not merely an IT matter. It is a regulatory integrity matter.
Internal Audit (B2C)
Internal audit provides independent assurance that controls function effectively.
Even if outsourced, the function must test control design, assess effectiveness, and report findings to governance levels capable of enforcing remediation.
For practical audit preparation aligned with Malta expectations, review the Small firm audit Malta guide.
Internal audit supports the MGA’s supervision model and strengthens licence resilience.
MGA Key Function Requirements for B2B Gaming Licences
For B2B licensees, the required Key Functions include:
- Chief Executive
- Management of day-to-day gaming operations
- Compliance obligations
- Legal affairs
- Data protection and privacy (where applicable)
- Technological affairs
- Internal audit
Two distinctions appear when compared with B2C:
First, AML/CFT does not appear in the same formalised way.
Second, consumer-centric responsibilities such as responsible gaming and marketing controls do not feature directly.
CEO Role (B2B)
The CEO in a B2B context ensures supplier accountability, product integrity, and service stability.
The individual must demonstrate oversight of product deployment, operator relationships, release management, and cascading risk mitigation.
Day-to-Day Operations (B2B)
Operational governance focuses on service continuity, incident handling, and product integrity.
Suppliers must prevent system failures or data inaccuracies that could compromise operator compliance.
Compliance (B2B)
Compliance in B2B centres on supplier obligations, transparent cooperation with the MGA, and ensuring that products support licensees’ regulatory requirements.
Legal Affairs (B2B)
Contracts must allow operator clients to access necessary data and maintain compliance.
Therefore, legal structuring directly impacts regulatory outcomes.
Data Protection (B2B)
Even indirect data processing may trigger GDPR responsibilities.
Suppliers must clarify processor versus controller status and secure cross-border transfer mechanisms.
Technology and Regulatory Data (B2B)
For B2B suppliers, this function often receives the highest scrutiny.
System integrity, logging, SDLC governance, and third-party infrastructure oversight all fall under this responsibility.
Internal Audit (B2B)
Internal audit tests SDLC controls, security measures, data governance enforcement, and contractual compliance execution.
Strong internal audit frameworks improve both regulatory standing and commercial credibility.
Role Compatibility and Independence
MGA Key Function Requirements aim to prevent conflicts of interest.
Certain combinations may undermine independence. For example, compliance ownership should not sit under direct commercial pressure where integrity could be compromised.
Even in small teams, governance credibility must remain intact.
Key Function Certificates and Ongoing Suitability
Key Function holders must obtain MGA approval and remain fit and proper.
Suitability includes integrity, competence, and continued professional capability.
Changes in structure, product scope, or personnel require careful reassessment to maintain compliance alignment.
Building a Practical Governance Model
Effective implementation of MGA Key Function Requirements requires:
- Clear accountability mapping
- Real information access
- Formal escalation mechanisms
- Active internal audit integration
The distinction between compliance on paper and compliance in practice lies in how well these elements function.
Common Mistakes in Meeting MGA Key Function Requirements
- Appointing individuals without real authority
- Combining incompatible roles
- Treating internal audit as paperwork
- Underestimating technology governance
These weaknesses often surface during audits or regulatory interventions.
Why MGA Key Function Requirements Protect Licence Longevity
A Malta gaming licence represents long-term value only when governance maturity remains strong.
Key Functions reduce incident frequency, improve regulatory response, and create reliable documentation trails.
Weak governance, by contrast, invites regulatory scrutiny and risk escalation.
FAQ: MGA Key Function Requirements
What are MGA Key Function Requirements?
In essence, MGA Key Function Requirements define regulated roles that must be fulfilled by approved individuals under Malta’s Gaming Authorisations and Compliance Directive.
Which Key Functions apply to B2C licensees?
B2C licensees require CEO, operations, compliance, legal, data protection, AML/CFT, technology, and internal audit functions.
Which Key Functions apply to B2B licensees?
B2B licensees require CEO, operations, compliance, legal, data protection where applicable, technology, and internal audit functions.
Do Key Function holders need MGA approval?
Yes. All Key Function holders must receive certification and remain fit and proper.
Can one person hold multiple Key Functions?
Possibly, but incompatible combinations must be avoided to preserve independence.
What happens if a Key Function is unfilled?
Responsibility may revert to directors, increasing governance risk.
Why does technology receive special focus?
Because regulatory supervision depends on accurate and secure data control systems.
Conclusion
Ultimately, MGA Key Function Requirements represent the Malta Gaming Authority’s mechanism for ensuring that real individuals control real risks.
By aligning structure, accountability, and operational evidence, operators and suppliers strengthen compliance, reduce exposure, and protect licence longevity.
When Key Functions operate as genuine governance pillars rather than nominal titles, the MGA sees a controlled, disciplined operation. That distinction ultimately determines long-term success in Malta’s regulatory environment.





