The Gaming Authorisations Regulations1 (hereinafter referred to as the “Regulations”) in Malta establishes a comprehensive framework for authorising various gaming activities, including online gaming, sports betting, casino operations, and lotteries. They dictate that any entity engaging in or providing services related to gaming must obtain the appropriate authorisation from the Malta Gaming Authority (MGA). This encompasses both operators directly offering gaming services to consumers (B2C) and businesses providing critical supplies to other businesses (B2B). The regulations ensure that all gaming activities are conducted fairly, transparently, and responsibly, with strict adherence to legal and regulatory standards to protect players and the public interest. This article shall focus on the instances that impose the legal obligation on a company to obtain an authorisation from MGA, including authorisation requirements for outsourced service providers.
When does a person require an authorisation in Malta?
The Regulations stipulate that an authorisation in Malta is required when an entity is providing a gaming service or a critical gaming supply, in any of the following circumstances:
- From Malta;
- To a person in Malta; or
- Through a Malta-registered entity.
In addition, whether as part of a gaming service, a critical gaming supply or otherwise, no person shall offer a licensable game unless such game is approved or recognised by MGA.
In dissecting this concept, it is important to understand the following:
An authorisation means a licence, approval, certificate, recognition notice or similar instrument issued by MGA, authorising a person to provide a gaming service or a gaming supply, or a key function2. In interpreting this definition, any company providing a gaming service or a critical gaming supply from Malta, to a person in Malta, or through a Malta-registered entity does not necessarily require a gaming licence in Malta. If such an entity is already in possession of a gaming licence issued by any other regulatory authority within the European Union or European Economic Area3, an application may be made with MGA requesting a Recognition Notice Certificate4, which shall have the same effect as a licence issued by MGA.
In accordance with the First Schedule of the Regulations, a gaming service shall constitute (i) the offering, provision, or operation of a gaming service; and/or (ii) the hosting by a person in his premises accessible to the public or in premises accessible to the public that are in his possession or under his control, the operation or in any other manner the making available for use of a gaming device5 or gaming system6.
In turn, a critical gaming supply shall comprise of either (i) supply and management of material elements of a game; and/or (ii) supply and management of software, whether as a stand-alone or as part of a system, to generate, capture, control or otherwise process any essential regulatory record; and/or (iii) the supply and management of the control system itself on which such software resides7.
Operating from Malta in the context of the Regulations typically refers to operations that are either based in Malta or are conducted in a way that they are governed by Maltese law, including the below scenarios:
- If the physical servers are located in Malta, this would mean that the gaming service is being provided from Malta. The physical presence of servers on Maltese territory subjects the gaming operations to Maltese jurisdiction and regulations.
- Operations managed from Malta, even if the servers are located elsewhere, can also fall under the scope of providing services from Malta. This includes decisions made, operations controlled, or any significant portion of the gaming business being conducted from Malta.
To a person in Malta refers to both a legal person as well as a natural person.
Addressing natural persons, B2C companies providing a gaming service to players residing in Malta would require an authorisation from MGA. In terms of remote gaming companies, even if an operator is based outside of Malta, and targets Maltese players specifically (for example, by offering the website in Maltese, using Maltese advertising, or accepting payments in euros without blocking Maltese IP addresses), it shall be considered as providing services to persons in Malta. Thus, the company would need to adhere to the Regulations and obtain the necessary authorisation.
It is important to note that B2B companies providing critical gaming supplies to entities registered in Malta would also be deemed as providing such services to a (legal) person in Malta, hence requiring an authorisation by MGA. In turn, the B2C customer receiving such services would also require an authorisation based on providing the aggregated gaming service through a Maltese-registered entity. This refers to any business, corporation, or organization that is registered, incorporated, or officially established under the laws of Malta. When it comes to gaming services or critical gaming supplies, if these services or supplies are provided by, managed by, or associated with an entity that is legally recognised and registered in Malta, then according to the regulations, such an entity is required to obtain authorisation from MGA.
Do third-party service providers require a licence?
Outsourcing, as outlined by MGA's Policy on Outsourcing by Authorised Persons8 (hereinafter referred to as the “Policy”), refers to the practice were licensed gaming companies delegate certain business activities or functions to third-party service providers. This strategic move allows gaming operators to leverage external expertise, improve operational efficiencies, and focus on their core competencies. However, it is crucial that such outsourcing does not compromise the integrity and security of gaming operations. The Policy sets forth guidelines to ensure that outsourced services are delivered in a manner that maintains compliance with regulatory requirements, protects player interests, and upholds the reputation of the Maltese gaming industry.
As previously noted, any operator providing critical services from or to Malta, or through a Maltese entity may not do so without an authorisation in Malta. As a result, critical services shall only be outsourced to entities that either hold an MGA authorisation (whether by form of a gaming licence or a recognition notice) or are corporate entities forming part of a corporate group licence by MGA. When faced with outsourced services, authorised persons may still find it challenging in establishing whether a service is critical, hence requiring an authorisation, or material, where such services may be outsourced with more flexibility9.
The First Schedule of the Regulations highlights the term ‘management' within the context of critical gaming supplies, as being the provision of ongoing active maintenance and support which is indispensable to the provision of the gaming service. This statement emphasises the critical nature of these tasks since the maintenance and support provided are not just additional services but are essential for the gaming service to function. Without such active management, the gaming service could fail to operate correctly, leading to downtime, security risks, or a poor user experience. In determining whether an outsourced service is critical or not, the authorised person must ask:
‘How will the interruption of the outsourced service affect the software and/or game provision?'
For instance, the disruption of a third-party service provider engaged to carry out bug fixes of a software will not have a detrimental effect to the provision of the critical supply. As a result, this service would not be considered a critical service. If it is concluded that a disruption in the third party's services is detrimental to the ongoing operation of the authorised person, then the outsourced service is deemed to be a critical service, falling to the provider of this service to secure the necessary authorisation.
In such an instance, it is still not always clear whether the authorised person or the third party shall be deemed as “providing” the service, and hence requiring the relevant authorisation. When faced with such uncertainties, an important rule of thumb would be establishing which entity owns, manages 10 and/or controls the service in establishing who is legally obliged to obtain the relevant authorisation. For example, developers who sell software are not considered as the owners of the software and hence, do not require such an authorisation. Conversely, any third parties retaining ownership of the software (by means of a licensing agreement with the authorised person), carrying out active management and/or exercising a level of control11 on the critical service, shall be considered as the provider of the service and thus requiring the relevant authorisation.
A practical example
To illustrate, consider ABC Ltd, a B2C entity, holding a license in Malta to provide casino games in a physical casino. XYZ Ltd introduces an innovative product (hereinafter referred to as “the Product”) that is integrated with slot machines, enabling them to stream slot games to players remotely. In a strategic move, ABC Ltd and XYZ Ltd enter into a licensing agreement, allowing ABC Ltd to utilise the Product for their gaming services.
Upon evaluating the indispensability of the service, it becomes evident that should the Product encounter a malfunction, the capability to offer remote gameplay would be severely compromised. As such, the Product is recognised as critical in accordance with the First Schedule of the Regulations. Moreover, despite ABC Ltd's operational use of the Product under the license, XYZ Ltd maintains its proprietorship, along with the oversight and governance of the Product's software. This ownership structure necessitates that XYZ Ltd secures an authorisation in Malta, emphasising its critical role in this operation.
In conclusion
In Malta, companies involved in gaming must secure an authorisation, such as a gaming license or recognition notice, to operate legally. This requirement applies to operations based in Malta, targeting Maltese entities or individuals residing in Malta, or conducted through a Malta-registered entity. Additionally, third-party service providers must evaluate whether their services are critical by determining if a disruption would adversely affect a licensee's offerings. Furthermore, it is crucial for these providers to ascertain who holds the ownership, control, and management of a critical service to determine the need for obtaining proper authorisation from the MGA. In doing so, authorised persons, together with any third party service providers will ensure compliance and the smooth operation of gaming activities within the Maltese regulatory framework.
Footnotes
1. Gaming Authorisations Regulations (S.L.583.05)
2. Gaming Definitions Regulations (S.L.583.04)
3. The Authority has decided that for the time being, the UK still fulfils this condition set out by Article 22 of S.L. 583.05. A UK Licensee is thus eligible to apply for a recognition notice, which recognition notice will be valid for a duration of 12 months. Any subsequent renewal will be subject to the frequent review of the Authority of the safeguards offered by the UK.
4. Article 22, Gaming Authorisations Regulations (S.L.583.05)
5. any device or object, including any electrical, electronic, or mechanical device, any gaming table, ticket or any other thing, that is used or is by its nature intended for use as part of a gaming service or in connection therewith in order to allow a player to place a wager, and, or to obtain the outcome of a game in a gaming premises (Gaming Definitions Regulations, S.L.583.04).
6. the totality of gaming devices, gaming software and related systems, services and facilities connected therewith, used or by their nature, their assembly and combination intended to be used as part of a gaming service or in connection therewith, in a gaming premises (Gaming Definitions Regulations, S.L.583.04).
7. First Schedule, Gaming Authorisations Regulations (S.L.583.05).
8. https://www.mga.org.mt/app/uploads/Policy-on-Outsourcing-by-Authorised-Persons.pdf
9. The Policy lays out all critical, material and non-material services that may or may not be outsourced by an authorised person, based on the eligibility of the third-party service provider.
10. As outlined in the First Schedule of the Regulations.
11. Whether operational control, data control, security control, regulatory compliance control, and/or quality control.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.