MGA Policy on the use of Distributed Ledger Technology by Authorised Persons

Authors: Jackie Mallia & James Bartolo

On 30^th January 2023, the Malta Gaming Authority (MGA) issued a Policy (‘the Policy’) on the use of Distributed Ledger Technology (DLT) by Authorised Persons (that is gaming operators licensed in Malta), following a consultation period with the industry on the Sandbox Regulatory Framework initiated in 2018 and its supporting Guidance Paper. Below is a breakdown of the changes implemented to this Policy in comparison to the previous Guidance Paper.

The MFSA Financial Instrument Test appears to be removed as a required submission to MGA, to be replaced by a list of all DLT assets and their classification in terms of the VFA Act. Any additions and/or changes to DLT assets outlined in this list would need be pre-approved by MGA.

The declaration letter confirming that the services being provided are compliant with the requirements of applicable legislation and/or regulatory instruments is also to be replaced by a signed Legal Opinion. Such Legal Opinion must confirm the nature of the DLT asset in terms of the VFA Act (or any other regulation), and identify any outsourced third-party service providers providing custodial wallet services and/or accepting VFAs from players (while allowing operators to deal solely in FIAT currency). The Legal Opinion must also declare whether such providers are authorised in terms of the VFA Act or any other law and/or applicable binding instrument.

Any VFAs having inbuilt anonymization that obscures the address of the sender, receiver and/or amount are prohibited and shall not be accepted by operators.

According to the previous Guidance Paper, where virtual tokens are acquired from the operator’s platform, players were only able to purchase virtual tokens in fiat currency with subsequent withdrawals relating to the virtual tokens to be effected in fiat. In line with the Policy however, players are now allowed to convert both fiat and/or VFA to virtual tokens, to use on the platform. Similarly, withdrawals relating to virtual tokens used by players on the platform can be effected in the same currency (fiat/VFA) that was used for acquiring the virtual token.

Operators accepting VFAs shall be required to seek MGA approval when:

1. Deposits are initiated by the player in VFA and received by the operator in VFA;
2. Deposits are initiated by the player in VFA and received by the operator in FIAT; and
3. Deposits are initiated by the player in FIAT and received by the operator in VFA.

Operators must also retain and submit wallet management policies and procedures to the Authority, addressing (inter alia):

• the wallet structure and respective payment flows;
• the entities and/or persons permitted to access wallets storing player funds, including other permissions relating to such wallets. Should custodial service providers be engaged by the operator to hold player funds, such policy shall also mention whether such provider has permission to access such wallets.
• in case of player funds being held by the operator’s own wallet, the policy shall include security measures used to prevent misuse and/or unauthorised access to wallets holding player funds.

While operators are generally prohibited from not affecting withdrawals to players, there may be instances where withdrawals are not issued by operators due to justified AML/CFT-related concerns. In such cases, these funds are not to be used by operators for financial gain, but must be appropriated towards responsible gambling purposes. Prior to appropriating such funds in this manner, operators are to seek MGA approval. In line with the aforementioned, players are to be forewarned about these potential implications in cases of requests for withdrawals to a different wallet address, or lost access to their player wallet.

In terms of player-specified limits, operators must provide the option for any limits requested by players to be applicable to either FIAT currency or VFA, or both. In case of the latter, the specified limits shall be determined through a cumulative approach, summing up deposits made in both currencies. If a player exceeds the deposit limit in place the operator shall reject the incoming transaction and where such transaction is not rejected, the excess amount above the deposit limit shall be reverted to the player within a reasonable time frame.

The Policy has also removed the one thousand euro (€1,000) monthly deposit limit threshold required to be set by operators accepting DLT assets.

Reporting player liabilities, fees and tax to the Authority still involves taking the exchange rates of different VFAs against the Euro as at midnight (CET) on the last day of the reporting month, and albeit exchange rates may change from month to month, such rate must remain constant within the same reporting month. The Policy notes however, that should the exchange rate/s change within the same reporting month, operators are to notify MGA by way of an application, prior to the commencement of that affected reporting month.

Dealing with Innovative Technology Arrangements (ITAs), the Policy has omitted the Authority’s assessment of administrators, as defined in the ITAS Act, on their competence in context of them performing key function roles.

In terms of smart contracts, automated processes shall not preclude operators from adhering to their obligations as subject persons. For example, smart contracts need to be implemented in a manner allowing operators to adhere to any CDD measures in line with AML/CFT legislation. Such operators are reminded to carry out risk assessments in line with their relevant policies and procedures, while taking appropriate measures to mitigate such AML/CFT risks.

Notably for AML/CFT requirements, certain thresholds present in the previous Guidance Paper have also been removed by virtue of the Policy, including the validation of customer details to be completed within thirty (30) days of the first deposit, as well as the one hundred and fifty euro (€150) threshold triggering CDD obligations in terms of section 3.3.2 of the FIAU’s Implementing Procedures.

By way of good practice, the Policy encourages operators and third-party service providers to use analytical tools or transaction monitoring systems with pre-designed and, or evolving parameters to detect suspicious transactions.

Regulatory Approval Requirements

While prospective authorised persons need to apply through a New Licence application to be approved in accepting DLT assets, existing authorised persons may apply for new payment methods through an Operational – Payment Methods application, with any additional currencies under approved payment methods to be added through an Operational – Updated Policies and Procedures application.

Additionally, if an authorized person would like to apply for the use of Innovative Technology Arrangements may do so through a Technical – New Games application.