Post Licence Compliance 2026 Guide

Post Licence Compliance 2026 is where operators find out whether the compliance programme they built for the application actually runs. Most of the time, in the first twelve months, the answer is: partly. Some elements run well. Other elements drift. Some were never really operational they described a functioning system in the application documents without that system being built.

An MGA-licensed operator entered its second year and received a compliance review request. The reviewer asked for the AML monitoring outputs from the previous twelve months. Alert generation volumes. Review timelines. Closure documentation. The operator produced them. The volumes were low lower than the regulator expected for the transaction patterns the business showed. The reviewer asked how monitoring thresholds had been set. The operator’s compliance team looked at the application documents. The thresholds described in those documents hadn’t been implemented in the actual monitoring system. The system was running on the platform provider’s defaults.

Three things in one finding: the monitoring thresholds weren’t right, the compliance team hadn’t known, and the application documents had described a programme that didn’t exist operationally. Remediation took four months.

This article is about what post licence compliance actually requires not the application-phase framework, but the ongoing obligations that run from go-live through every year of the licence term.

The Compliance Calendar Nobody Builds Until They’re Late

Post licence compliance has a rhythm. Monthly returns. Quarterly submissions in some jurisdictions. Annual audits. Incident notifications within specific timeframes. Change notifications before material platform changes go live. Each of these has a deadline. Each missed deadline is a compliance event.

The operators who handle this well build a compliance calendar before go-live. Not after the first missed return. Before. The calendar maps every regulatory reporting obligation against its deadline, assigns ownership, and triggers reminders with enough lead time to gather the data. It’s not a sophisticated system a well-structured document with someone responsible for it works but it needs to exist and someone needs to own it.

The operators who discover compliance calendars by missing something are in a different position. A missed quarterly return submitted proactively with an explanation is a different regulatory event from a missed return discovered when the regulator follows up. The latter is harder to resolve.

Post Licence Compliance Change Notifications Operators Must Track

Material platform changes require notification before they go live not after. Adding a significant new payment method. Changing the RNG system. Material updates to games that may require recertification. Structural changes to the corporate entity. These trigger notification requirements that vary by jurisdiction but share the same principle: the regulator needs to know before the change is live, not when they find out in the next routine review.

Development teams operating on agile release cycles need a process for flagging releases that trigger notification requirements. Without that process, releases go live before notifications are submitted. Repeatedly. It’s probably the most common post licence compliance gap for operators with active development teams.

AML Post-Licensing: The Drift Problem

The AML framework submitted in the application describes the programme at a point in time. The business changes. New markets. New payment methods. Different player volumes. New game types. The AML risk assessment which should reflect the current business often doesn’t get updated to reflect those changes.

This is the drift problem. Not negligence, usually. Just the reality that the AML risk assessment was a significant effort at application time and updating it doesn’t feel as urgent as the hundred other things the business needs. So it sits. And the gap between what it describes and what the business actually is widens.

Regulators assess whether the AML risk assessment describes the current business. When the assessment describes a business that had half the current player volume, didn’t accept cryptocurrency, and wasn’t operating in the markets the operator now serves that’s a finding. The assessment needs to be updated at least annually and whenever material business changes occur, not just at licence renewal.

Transaction monitoring — the threshold calibration problem

Related to the drift problem: monitoring thresholds set at application time that were calibrated for projected transaction patterns rather than actual ones. Once the business is running, the actual patterns may differ from projections different average deposit sizes, different withdrawal frequencies, different geographic distribution of transactions.

Thresholds not recalibrated to actual patterns either flag too much generating an alert queue nobody can realistically review or flag too little, letting through transactions that should be examined. Both outcomes are compliance problems. The operator should review monitoring calibration as part of the ongoing AML programme instead of setting it once at application and leaving it unchanged.

What functioning AML looks like post-licensing and the specific monitoring gaps that regulatory reviews most consistently find is in iGaming AML compliance in 2026.

Post Licence Compliance 2026 Annual Audit Requirements

Required under major licensing frameworks. Annual. Independent. The audit assesses whether the compliance framework that was submitted and approved is the one actually running.

That’s the test. Not whether policies exist. Whether the operational programme matches the documented programme.

Operators who treat the annual audit as an administrative requirement rather than a substantive test sometimes find the results uncomfortable. The gap between the documented programme and the operational reality which accumulates gradually through drift becomes visible when an independent auditor compares them systematically.

The operators who produce clean audit results are those who maintain the compliance programme as a living operational tool throughout the year, not those who scramble to update documentation in the weeks before the auditor arrives. The scramble approach works for paper. It fails when the auditor asks for monitoring records, intervention documentation, and board reporting history that the operator should have generated throughout the year.

Post Licence Compliance 2026 and Corporate Structure Obligations

Post licence compliance extends beyond the licensed operating entity to the full corporate structure. For operators using holding companies in other jurisdictions Bulgaria, Malta, offshore each entity in the structure has its own compliance obligations.

A Bulgarian holding company above a Malta operating entity, for example, has its own corporate compliance obligations. Annual corporate tax returns filed with Bulgaria’s National Revenue Agency. Annual financial statements filed with the Commercial Register. Monthly VAT filings where applicable. Transfer pricing documentation for intercompany transactions with the Malta entity. Companies must meet these obligations independently of the gaming licence obligations, regardless of how the gaming operation performs.

The most common failure mode: operators who set up a Bulgarian holding to benefit from the 10% corporate tax rate and then don’t properly maintain the accounting and reporting obligations. The tax advantage is real. The obligation to maintain the company properly to access it is also real. Missing annual filings does not remove the tax benefit it creates a compliance problem on top of a structure designed to provide that benefit.

Post-Licensing Substance Requirements After Go-Live

The MGA’s substance requirements don’t end at go-live. Real employees performing real functions in Malta. Management decisions made with genuine Malta-based involvement. A registered address representing actual operations. These are ongoing requirements that compliance reviews assess continuously, not once at licensing.

Operators who met substance requirements at go-live and then gradually shifted real management activity elsewhere as the team grows, as commercial pressures point management resources toward markets rather than Malta can find that the substance position has drifted by year two. Probably not a problem if there’s still genuine substance. Potentially a significant problem if the substance has become nominal.

Financial Obligations That Continue Post-Licensing

Player fund protection isn’t a one-time arrangement. It needs to cover the current player liability. A significantly larger operation may now need more player fund protection than the original arrangement provides. That gap is a post licence compliance obligation reviewing and adjusting the player fund protection to match current liability is ongoing.

The International Monetary Fund‘s Financial Sector Assessment Programme, which reviews how jurisdictions implement financial stability standards, is one of the frameworks that drives how gaming regulators approach player fund protection requirements. Regulators want proof that operators protect player funds at the current level not only at the level set when they granted the licence.

Compliance contribution scaling

The MGA’s compliance contribution scales with GGR. As the operation grows, the contribution increases. This is worth tracking specifically it’s not a fixed annual cost that can be budgeted once and left. An operator whose GGR doubled in year two without recalculating the compliance contribution creates a payment deficit that generates regulatory correspondence.

Post Licence Compliance 2026 for Responsible Gaming

The responsible gaming tools need to keep working. That sounds obvious. In practice, platform updates, payment processor integrations, and CRM system changes can break integrations that were working at go-live.

A deposit limit that enforced correctly at go-live may stop enforcing after a payment processor integration update if nobody tested the integration post-update. A self-exclusion that worked six months ago may no longer reach the marketing database after a CRM migration. These aren’t hypothetical failures they’re the kind of integration drift that responsible gaming audits consistently find.

Periodic testing of responsible gaming tool functionality actually trying to deposit past a limit, actually checking that self-exclusion blocks marketing as well as account access is probably worth doing quarterly rather than assuming the tools continue to work because they worked at go-live.

The compliance officer role in overseeing responsible gaming post-licensing and what the board reporting on player protection needs to contain is in the iGaming compliance officer role in 2026. The full post licence compliance obligations across all areas is in iGaming post licensing in 2026. The compliance checklist covering what needs to be in place and maintained throughout the licence term is in the iGaming compliance checklist in 2026. And what key function holders owe within those ongoing obligations is in key function holders in iGaming in 2026.

Frequently Asked Questions

What does post licence compliance actually require from iGaming operators?

Regular regulatory reporting —monthly statistical returns, incident notifications within defined timeframes, change notifications before material platform changes go live, and annual submissions. An annual independent compliance audit assessing whether the framework described in the application is the one actually running. Ongoing AML framework maintenance risk assessment updated at least annually and when material business changes occur, monitoring thresholds calibrated to actual transaction patterns. Responsible gaming tools maintained and tested to ensure they continue to function after platform updates. Player fund protection reviewed to ensure it covers current player liability. Key function outputs board reports, monitoring records, intervention documentation — produced consistently throughout the year.

What is the most common post licence compliance failure in year two?

AML framework drift. The risk assessment submitted at application describes the business at that point. By year two, the business has usually changed — new markets, new payment methods, higher volumes, possibly new game types. The risk assessment hasn’t been updated to reflect those changes. The monitoring thresholds set at application for projected transaction patterns don’t match actual patterns. Together, these issues create a monitoring programme that does not properly match the business it monitors. Regulators find it when they compare the documented programme against the operational outputs and see the gap.

How does the annual compliance audit differ from the initial licensing review?

The licensing review assesses whether the framework is adequate in design. The annual compliance audit assesses whether the framework is actually operating as designed. The auditor looks at what the compliance programme said it would do and checks whether it did it — monitoring records, intervention documentation, board reporting history, change notification records, AML risk assessment currency. Operators who maintained the programme as a living operational tool produce clean audit results. Operators who maintained the documentation without running the underlying programme produce findings.

Do post licence compliance obligations apply to holding companies as well as the licensed entity?

Yes, each entity in the corporate structure has its own obligations under its own jurisdiction. A Bulgarian holding company above a Malta licensed entity has its own corporate tax, VAT, and financial reporting obligations to Bulgarian authorities — independently of the gaming licence. The substance requirements of the MGA apply to the Malta operating entity on an ongoing basis, not just at licensing. Transfer pricing documentation for intercompany transactions needs to be maintained and current. Post licence compliance is a group-level exercise, not just a licensed-entity exercise.

What happens when a change notification isn’t submitted before a material platform change goes live?

The change went live without regulatory approval, which is a compliance event regardless of whether the change itself was compliant. The severity of the finding depends on the materiality of the change — a significant RNG system change that went live without notification is treated differently from a minor interface update. The consistent failure mode is development teams operating on agile release cycles without a process for identifying which releases require regulatory notification. Each release that should have triggered a notification and didn’t is a separate finding.

How often should responsible gaming tools be tested for Post Licence Compliance 2026?

Probably quarterly, at minimum. Platform updates, payment processor changes, and CRM migrations can break integrations that were working at go-live without anyone noticing until a responsible gaming audit asks whether the deposit limit enforced on a test account actually blocked the deposit. Operators should actively test deposit limits, self-exclusion blocks for both account access and marketing, and cooling-off period enforcement through the payment layer instead of assuming the tools still work because they worked at the previous test.