iGaming Law

Valuable Insights pertaining to AML/CFT within the Gaming Sector

28 Mar 2024

Authors: Andrew J. Zammit & James Bartolo

Anti-Money Laundering (AML) in the gaming sector encompasses laws and procedures to prevent the laundering of illicit funds through gaming activities. This sector, spanning from casinos to online gaming platforms, is vulnerable to financial crimes due to high-volume transactions and global reach. AML measures include strict Know Your Customer (KYC) policies, transaction monitoring, and employee training to detect suspicious activities. Gaming companies must navigate evolving technologies and diverse global regulations, balancing effective AML practices with customer privacy. As the industry grows, robust and adaptive AML strategies are crucial for maintaining integrity and complying with international regulatory standards.

In this paper we are setting out key take-aways published by the Financial Intelligence Analysis Unit (FIAU) in collaboration with the Malta Gaming Authority (MGA), with a view towards assisting gaming operators to better understand the AML risks facing the industry and the best practices that should be adopted in order to mitigate these risks.

1. Risks pertaining to the Gaming Sector

In accordance with the 2018 Results of The Money Laundering/Terrorist Financing (ML/TF) National Risk Assessment report issued by the Ministry for Finance, remote gaming is intrinsically susceptible to money laundering due to the high number of players, the quantitative volume of transactions, the non-face-to-face nature of the business, the high percentage of non-resident players, as well as the use of prepaid cards that are not linked to a bank account. In remote gaming, certain gambling activities are more vulnerable to ML/TF than others. Fixed Odds Betting poses a high risk due to match-fixing and hedging, while Table Games, Peer-to-Peer games and Fantasy Sports also pose a higher risk of collusion.

In terms of land-based gambling, Fixed Odds Betting, Table Games and Peer-to-Peer games pose the same risks as in remote gambling. In addition, land-based gaming poses a high risk of ML/TF from its Gaming Machines[1], since these facilitate manipulation of the outcome of the game and refine the opportunities for ML/TF.

From the summary of Malta’s ML/TF sectoral vulnerability assessment, the Gaming industry poses a medium to high inherent risk[2] as well as a medium to high residual risk[3].

The most common ML/TF threats across the Gaming sector are:

A. Cash and cash-like Payment Methods

These include cash payment within land-based operators as well as vouchers, e-wallets, outlets and cryptocurrency payments within remote operators.

B. Smurfing and Mules

These are commonly found through walk-ins in land-based operators and players holding multiple or linked accounts in remote operators.

C. Unlicensed activities

2. The MGA Key AML/CFT Role

In accordance with the MGA Policy on the Eligibility and Ongoing Competency Criteria for Key Persons[4], the Malta Gaming Authority considers the below eligibility criteria with respect to Key AML/CFT function applications:

  • The person must have a minimum of two (2) years of working experience as a money laundering reporting officer or similar senior and/or a related managerial role and must be in possession of a related bachelor’s degree or money laundering specific qualification; or have four (4) years working experience as a money laundering reporting officer or similar senior and/or related managerial role.
  • The person must also be knowledgeable in terms of the rules relating to AML/CFT in terms of the Gaming Act (Cap. 583 of the laws of Malta) and the binding instruments issued thereunder, and any other applicable binding instrument relating to AML/CFT.
  • The person must be knowledgeable in terms of the AML/CFT procedures of the Authorised Person.
  • The person must not hold a role considered to be incompatible with the Key AML/CFT role by their nature, such as the CEO, Data Protection and Internal Audit roles. Furthermore, UBOs shall also be precluded from taking on any Key AML/CFT roles.

Furthermore, such applicants must also submit a signed MLRO Eligibility Form[5], confirming certain criteria.

Following a thorough review of the application, MGA will invite the applicant for an interview wherein such individual is assessed on their knowledge of the Maltese AML/CFT Legal framework, the risk-based approach, customer due diligence, record keeping, sanctions and politically exposed persons, as well as core functions of an MLRO and reporting obligations. Common shortfalls outlined by the Authority include:

  • Insufficient knowledge of the Maltese AML/CFT Legislation, particularly on the FIAU Implementing Procedures Part I and Part II;
  • Inadequate understanding of sector-specific risk factors and typologies;
  • Lack of knowledge of the core functions of the MLRO;
  • Lack of understanding of the risk-based approach; and
  • Lack of awareness of the timing of CDD Measures.

Following the interview process, MGA may approve, reject, or schedule a follow-up interview with the applicant within six months. Should the applicant be approved, MGA will issue a three-year Key Function certificate.

3. FIAU Remote Gaming Thematic Review

In a 2023 Remote Gaming Thematic Review – Key Findings report[6], the FIAU recommended that gaming operators should ensure that MLROs employed by such operators do not hold other roles which may give rise to a potential conflict of interest. In addition, MLROs should have the capacity to commit enough time to fulfil their role effectively.

In effectively managing their workload, MLROs should assess their operational needs and appoint designated employees to assist and potentially fill in for the MLRO when handling a high volume of internal reports or in their absence.

During this study it transpired that MLROs were not aware that certain functions cannot be outsourced. MLROs were also not always aware of the exact activities that are deemed outsourced activities as per the IPs Part I, or of their own Company’s outsourcing arrangements. These issues highlight a lack of awareness among certain AML/CFT staff within the subject persons regarding their outsourcing obligations and the delineation of what can or cannot be outsourced. It is important that the employees are made aware of the outsourcing obligations covered in Chapter 6 of the IPs Part I and 4.3 of the IPs Part II.

In identifying areas of improvement, the FIAU notes that the quality of the AML/CFT training might not be adequate given that the employees were not able to mention the main AML/CFT obligations throughout the interviews. External training was also found not to be customized to align with Maltese legislation and regulations. While obtaining international qualifications is indeed beneficial, further training on the Maltese regulatory framework as well as how this is then implemented from the Company’s point of view may need to be improved.

A more in-depth analysis is expected to be published by the FIAU in a Guidance Paper.

4. FIAU Enforcement within the Gaming Sector

Common breaches identified by the FIAU relating to the Business Risk Assessment (BRA) include:

  • Lack of consideration to all four risk pillars comprehensively;
  • Lack of quantitative data in determining the likelihood of risks materializing;
  • Failure to provide an evaluation of the strength of mitigating measures for each scenario identified;
  • Different mitigating measures for each identified risk;
  • Omission of pertinent risks which are applicable to the modus operandi of the Company;
  • Failure to mention the overall resulting inherent and residual risk rating.

Common breaches identified by the FIAU relating to the Customer Risk Assessment (CRA) include:

  • No CRA carried out for customers who had exceeded the €2,000 deposit threshold;
  • Customers’ risk rating was not re-assessed upon hitting the €2,000 deposit threshold;
  • Allowing the 30 days from when the €2,000 deposit threshold is reached to lapse without carrying out a CRA;
  • CRA methodology does not take into consideration all factors which could potentially pose an ML/FT risk to the subject person.

Common breaches identified by the FIAU relating to Customer Due Diligence (CDD) include:

  • Failure to identify the customers’ place of birth and permanent residential address;
  • Failure to obtain documented evidence in order to verify the customer’s identity and residential address documents within 30 days of reaching the €2,000 deposit threshold;
  • No source of wealth or source of funds information was obtained from medium to high risk players. Nor was any statistical data obtained for medium risk players.

5. FIAU Reporting within the Gaming Sector

In 2022, the FIAU received 5,049 Suspicious Transaction Reports (STRs) and Suspicious Activity Reports (SARs) related to the gaming sector, contributing to around 60% of all STRs and SARs received from all sectors. There are 8 types of reports that can be submitted to the FIAU:

  • Suspicious Transaction Report (STR)
  • Suspicious Activity Report (SAR)
  • Terrorism Financing Report (TFR)
  • Terrorism Financing Transaction Report (TFTR)
  • Politically Exposed Person Report (PEPR)
  • Politically Exposed Person Transaction Report (PEPTR)
  • Transaction Report Notification (TRN)
  • Additional Information File (AIF)

These reports may be accepted or rejected by the Unit following an internal quality vetting exercise. Reports are commonly rejected due to:

  • Incorrect or incomplete data;
  • Insufficient supporting documents or reason for suspicion;
  • Incorrect report type i.e. submitting an STR instead of an SAR or submitting a new report instead of an Additional Information Report (AIF); and
  • Failure to specify a Predicate Offence[7].

Fundamentals of good quality reporting include:

  • Player Details
  • Player Account Details and Status
  • Transactional Analysis (incl. full payment details)
  • Suspicious Activity
  • Gameplay Activity
  • IP Addresses
  • CDD documentation, Source of Funds & any Supporting Documentation
  • Device Links
  • Adverse Media Articles

The 5W2H Model serves as a beneficial guideline for subject persons to adhere to when reporting:

  • WHO?

Who is the person(s) who raised suspicion (including their alias, associates and relationship(s))?

  • WHAT?

What is the product, instrument, channel, transaction or mechanism used by the subject?

  • WHEN?

Specification of the date of detection, date of occurrence, and the span of time.

  • WHERE?

Specification of the location(s), the accounts and products affected.

  • WHY?

What were the results of the analysis which resulted in suspicion?

  • HOW?

Description of how the activity and/or transaction was completed and/or attempted.

  • HOW MUCH?

Specification of the values and/or amounts involved.

6. Anti-Money Laundering Authority

It is relevant to highlight that on 13th December 2023, the Council and the Parliament reached a provisional agreement on creating a new European authority for countering money laundering and financing of terrorism (AMLA) – the centerpiece of the anti-money laundering package, which aims to protect EU citizens and the EU’s financial system against money laundering and terrorist financing. The new AMLA is essential to address the current shortcomings in AML/CFT supervision within the EU. It will also serve as an integrated AML/CFT supervisory system.

The AMLA’s Supervisory functions, powers and tasks include:

  • Set up a harmonized AML/CFT supervisory methodology;
  • Develop instruments & convergence tools to promote common supervisory approaches and best practices;
  • Coordinate thematic reviews across the Union;
  • Establish a central AML/CFT database.

Other non-Financial AML/CFT Supervisors:

  • Conduct periodical peer reviews of AML/CFT Supervisors; and
  • Investigate possible breaches or non-application of EU Law by AML/CFT Supervisors.

The AMLA shall be established in line with the European Anti-Money Laundering Authority Regulations (AMLAR), which was intended to be established at the beginning of 2023. However, the EU Parliament is already behind schedule, with the legislative process being delayed due to the EU Parliament elections this year.

The AMLAR’s contribution to the gaming sector will include:

  • Exemptions from obligations: Possible restriction beyond casinos
  • Parliament proposal: Special measures for online gambling operators
  • Application of CDD: Different thresholds for land-based and remote operators
  • Prohibition: PSP not to process transactions for non-EU licensed operators
  • Limitation on cash: Possible impact on land-based operators
  • Other obligations clarified: Outsourcing, compliance structures, groups, etc.

7. Revision of the Implementing Procedures

The FIAU is expected to revise its Implementing Procedures for both land-based and casinos. Topics already identified include:


  • Linked transactions
  • Establishment of a business relationship
  • Carrying out CDD measures
  • Other forms of land-based operators apart from casinos
  • Recycled winnings
  • Anticipated level of activity
  • Revision of Source of wealth and source of funds
  • VFAs as a mainstream means of payment
  • Corporate Licences

This project is expected to be launched in the 2nd half of 2024.

In conclusion, AML practices are crucial in Malta, being a hub for both online and offline gaming. The sector faces unique challenges due to its dynamic nature and the island’s position as a gaming industry leader. Malta’s AML efforts focus on stringent compliance with EU regulations, ensuring gaming companies adopt rigorous KYC and transaction monitoring protocols. Despite these efforts, the sector continues to grapple with evolving financial crimes and technology. The Maltese gaming industry’s commitment to enhancing AML frameworks demonstrates its dedication to safeguarding its reputation and contributing to the global fight against money laundering.

[1] Amusement Machine as identified in the Gaming Definitions Regulations.

[2] Inherent risk is the risk a subject person is exposed to prior to adopting and applying any mitigating measures, policies, controls, and procedures.

[3] The frequency and level of supervision.

[4] https://www.mga.org.mt/app/uploads/Policy-on-the-Eligibility-and-Ongoing-Competency-Criteria-for-Key-Persons.pdf

[5] https://www.mga.org.mt/app/uploads/MGA-F-013-MLRO-Eligibility-Form-v1.docx

[6] https://fiaumalta.org/wp-content/uploads/2023/10/Supervision-Gaming-Thematic-Review.pdf

[7] The predicate offence is the underlying criminal activity from which the illegal funds originate (FIAU IPs I)