Malta Remote Gaming Licence Documents – Operational and Statutory Requirements
As part of the business and technical assessment, an applicant for a Malta remote gaming licence is asked to submit the following operational and statutory documentation:
A Maltese Company Registration Certificate;
Memorandum and Articles of Association of the Maltese Company;
Business Entity Information Form;
Information Security Policy;
Incident Response & Asset Removal Policy;
User Management Policy;
Human Resources Roles & Responsibilities;
System Access Control Procedures;
Financial Accounting Procedures;
Business Continuity and Disaster Recovery Plan;
Data Backup Procedures;
Change Management Procedures;
Fraud Management Procedures;
Details of the random number generator (if required);
Name of the owner of the software;
Name of the organisation that did the testing;
Online text / content;
Contracts with Business Partners.
Maltese Company Registration Certificate
Upon incorporation, the Maltese Registrar of Companies, after ascertaining compliance with the statutory provisions of the Companies Act, issues a certificate of registration as evidence of the company's corporate existence.
Memorandum and Articles of Association
The applicant must satisfy minimum criteria of local presence, one of which is that the licence holder must be a Maltese registered corporate entity, the most common form being a private limited liability company. The Lotteries and Gaming Authority ("LGA") has, however, extended the possibility of the licence holder being another form of corporate entity, such as a limited partnership.
Irrespective of the form chosen, the LGA requires the applicant to submit a certified copy or the original of the constitutive documents of the entity. For a Maltese limited liability company this is the Memorandum and Articles of Association; for a limited partnership, a copy of the partnership deed suffices.
Business Entity Information Form
The applicant must also complete a purposely prepared form. The Business Entity Information Form records the registered office and operating address in Malta, the websites, details of the credit institution entrusted with the safekeeping of players' monies, the players' account number, the financial year end, and similar particulars.
The credit institution holding players' monies may be located in or outside Malta, and must issue a written declaration attesting that:
(i) It will not attempt to enforce or execute any charge, write-off, set-off or other claim against the aforementioned Clients' Accounts;
(ii) It will not combine the Clients' Accounts with any other account in respect of any debt owed to it by the licensee;
(iii) It shall credit any interest payable on the Clients' Accounts only to those accounts;
(iv) It shall disclose any information regarding the Clients' Accounts that the Lotteries and Gaming Authority may request.
Information Security Policy
The Information Security Policy must contain a comprehensive description of the technical means and human resources that the applicant will put in place to protect the confidentiality, integrity and availability of all business information, so as to safeguard the company's assets, customers, staff and reputation.
On the technical side, the applicant should describe the firewalls protecting the sensitive player database, the payment security measures (e.g. 3-D Secure validation when a player makes payments or withdrawals), the encryption of the connection while a player enters a password, the password validation process, and so on.
On the human resources side, the applicant must show that it operates through a system of authorisations on a need-to-know basis. Sensitive information, such as players' details and card data, should be accessible only to senior management who require it, e.g. the key official or the chief financial officer.
The applicant should also enforce periodic password changes and ensure that effective technical counter-measures are taken when an employee or consultant leaves (immediate closure of all accesses).
Incident Response & Asset Removal Policy
The essential elements here are the classification of the incident or problem, its diagnosis, escalation and resolution.
If an incident hinders the applicant's operations or causes downtime, or, worse, is critical and causes loss of data, what is the escalation path from diagnosis to solution?
The applicant must devise a policy that takes a holistic approach to all incidents: staff are trained to detect incidents, and a rapid and effective escalation path exists to (i) contain the incident, (ii) diagnose the problem and (iii) find a solution.
This calls for a classification of incidents, e.g. whether they are software or hardware related, and of their severity. Segregation (containment) measures may be taken to ensure that an incident does not spill over into other key areas and hinder operability or cause downtime.
The key official must be informed at the earliest opportunity and must in turn inform the LGA by means of the specific incident report form.
If the incident cannot be resolved remotely or by debugging software, but is caused by the failure of a hardware component that can only be rectified by replacing it, the policy should describe the escalation path for implementing the change, how quickly it can be implemented, the procedure for informing the LGA without undue delay, and whether the policy provides for on-site spares, together with an inventory of those spares.
User Management Policy
This document delineates the procedures for implementing integrity checks on the company's operational information systems, so as to minimise any risk to the company's assets and reputation, or to its customers' personal and financial data, arising from unauthorised access to or modification of those systems.
The objective of the policy is therefore to ensure that only selected users have access to the information they need for their legitimate business. The objectives overlap with those of the Information Security Policy, but the accent here is on the privileges and accesses afforded to the company's personnel. Each employee's privileges must be clearly delineated so that information is compartmentalised: no employee should have access to information extraneous to his job description, and access should be granted on a strict need-to-know basis.
The policy should also cover consultants and affiliates.
Human Resources Roles & Responsibilities
The applicant must illustrate the organisational structure of the remote gaming company. It is highly advisable to provide an organisational chart delineating the company hierarchy and specifying the role, responsibilities and duties of each employee.
The key official must be a director of the company and, in order to fulfil his reporting duties to the LGA and comply with statutory obligations, must have a pivotal role with full access to the policies and financials. The key official must be able to extract information directly and without hindrance, and all employees should, when required, provide him with it.
The roles and responsibilities depend on the operator's structure; typically, however, the document should contain a descriptive overview of the following roles:
(i) Financial Comptroller;
(ii) Accounting Staff;
(iii) Head Chat Manager;
(iv) Chat Moderator;
(v) Customer Moderator; etc;
System Access Control Procedures
This memorandum is closely tied to, and complementary with, the User Management Policy. Whereas the User Management Policy describes the policy on user management, accesses and privileges, the System Access Control Procedures show how those policies are implemented in practice.
A detailed account of the staff password policies (frequency of password changes, password strength, lost-password handling) should be included, specifying who may implement such technical measures.
Furthermore, this memorandum should outline the technical measures taken whenever an employee ceases employment, so that access is terminated immediately and cannot be reactivated by the former employee. A similar procedure should apply to consultants and to any third parties to whom tasks are outsourced.
A flow chart showing the privileges and accesses, and the technical measures in place between departments, is strongly recommended.
Financial Accounting Procedures
Transparency is a key issue for remote gaming companies licensed by the LGA. Apart from filing audited financial statements after the end of each financial year, all remote gaming companies must file management accounts with the LGA on a half-yearly basis.
Furthermore, the LGA must approve any place, other than the licensee's registered office, where the applicant keeps the remote gaming records. These records and accounts must show a true and fair view of the licensee's financial position and state of affairs, and must be prepared in accordance with International Financial Reporting Standards (IFRS).
The audited accounts of a company form the basis of the tax computation, subject to certain statutory adjustments. Compliance with International Accounting Standards (IASs) has been mandatory for all Maltese companies since 1995 for both annual and consolidated accounts, and Malta has implemented the IAS Regulation of June 2002. The accounting rules on the presentation, content and publication of annual accounts, annual reports and consolidated accounts of limited liability companies fully transpose the Fourth and Seventh Company Law Directives.
Furthermore, the Maltese Companies Act governs the content and form of individual accounts and of consolidated accounts. Under both provisions, accounts must be drawn up clearly and in accordance with the Act and with generally accepted accounting principles and practice. Article 2(4) of the Companies Act defines "generally accepted accounting principles and practice" as adherence to the International Accounting Standards issued from time to time by the International Accounting Standards Board (or any body succeeding it, by whatever name it may be known), and to any accounting standards made applicable from time to time under the Accountancy Profession Act.
Where a provision of the Act conflicts or is incompatible with generally accepted accounting principles and practice, the accounts must be drawn up so as to give a true and fair view of the assets, liabilities, financial position and profit or loss of the company (or of the companies, in the case of consolidated accounts).
Audited financial statements must be presented to the LGA within sixty (60) days of the end of the financial year, and within thirty (30) days of the end of each half-yearly period the licensee must lodge interim financial statements showing its results, signed by the key official.
The LGA may require additional financial information in the format it specifies. Furthermore, the LGA may, at its own discretion, conduct an investigation if it has reason to believe that the licensee or the key official is not complying with the Act.
The applicant must therefore show that it implements the aforesaid policies to give a true and fair view of its financials, and describe the procedure in force to ensure that the assessment of the company's financial situation is always accurate, e.g. a four-eyes approach under which the accounts are vetted by both the financial comptroller and the key official (who must have access to the financials).
The names of the accountants and auditors may also be specified in the memorandum.
Business Continuity and Disaster Recovery Plan
Business continuity and disaster recovery is one of the most pivotal memoranda in the application. Notwithstanding the operator's best endeavours, it is not possible to entirely exclude a disaster or catastrophe (such as earthquakes, lightning strikes, flooding, fire, etc.) that may severely impede the continuity of the operator's business.
It is therefore imperative that the operator devise a well-detailed plan explaining what measures have been implemented to minimise risks and to neutralise disasters efficiently, should they occur.
A classification of the types of disaster and the escalation path to ensure swift rectification is essential here. All of the operator's personnel should be familiar with the disaster recovery plan and procedure. Regular drills should be carried out, and any developments taught to the employees. The disaster recovery plan should take the form of a workable "cookbook" detailing the counter-measures to be implemented, depending on the severity of the disaster, as well as the escalation path to be followed so that those counter-measures are applied swiftly and effectively.
Although co-location providers may offer 24/7 support, the operator should not depend entirely on the co-location personnel, and should devise its own strategies, including the training of a specialised task force to remedy problems as efficiently as possible.
Data Backup Procedures
Closely linked to the Business Continuity and Disaster Recovery Plan is the data backup procedure.
The operator should be well aware that data is its most prized and valuable asset, and that the loss of any such data may hinder the continuity of its business, severely affect its revenues and give rise to liability for loss of data.
The onus is always on the operator to ensure that the data is stored safely and can be retrieved effortlessly and efficiently, which in practice means that restores are periodically tested and not merely assumed to work. It is therefore important that backups be taken regularly and punctually, through a number of methods, including but not limited to remote dual copy, automated off-site tape backups and off-site tape storage.
Change Management Procedures
This memorandum should be broadly divided into the following three (3) sections:
(i) Human Resources
(ii) System mechanisms, maintenance and updates;
(iii) Hardware changes
The common thread throughout is to show how efficiently and smoothly an operator manages change, which is inherent in every company and especially frequent in a dynamic industry such as gaming.
Human Resources
Every Maltese remote gaming company must inform the LGA in writing of any appointment or termination of an employee of the licensed gaming company. The termination of an employment or the creation of a new post may change the escalation path and reporting requirements. It is therefore important that the policies and procedures be amended periodically to reflect the true structure of the firm.
This memorandum should also cross-reference the other memoranda, including the User Management Policy and the System Access Control Procedures, outlining the escalation path to be followed whenever employment is terminated or created, e.g. security checks on engagement of new personnel, changes of passwords and closure of accesses.
It should also cover changes to consultancy agreements and affiliates.
System Mechanisms, Maintenance and Updates
The very nature of the gaming business requires periodic changes to the product offering and its mechanisms so that the operator keeps its cutting edge. Constant upgrades are needed to maintain security as attacks become ever more sophisticated, to improve browsing speed, and to integrate third-party components such as Flash.
Whereas some updates are merely cosmetic, e.g. a facelift to the web page, new colour schemes or company logos, others change the very essence of the system mechanics or business rules.
The memorandum must therefore explain the procedure for implementing these changes, i.e. the escalation paths, the methods of effecting the changes, and the measures taken to ensure that changes are effected as seamlessly as possible, without risk of data loss and with minimal inconvenience to players.
The memorandum should include, but not be limited to the following changes-
(i) Marketing – text and graphics changes – banners / promotions etc;
(ii) New functionality – Requested by the Management;
(iii) Bugs: detected in the live or development environment, etc.
Every change should also be tested in a dry run in a test environment prior to deployment, so that any inconvenience is minimised.
A simple flow chart showing the escalation of events and the persons directly involved in a technical change is very important.
Hardware Changes
Hardware changes are mainly triggered by two events:
(i) Failure replacement;
Although every effort is made to avoid failures, they can never be completely eradicated. The operator must therefore furnish a memorandum explaining the processes followed whenever there is a system failure, including how the change procedure is effected from the decision level downwards. The key official must liaise with the LGA and formalise the report of the incident by filling in an Incident Report form.
(ii) Upgrades;
With regard to upgrades, operators should adopt new technologies that allow them to maintain a competitive edge and make the gaming experience more captivating for players.
Depending on their extent, upgrades may disrupt or interrupt the service; all measures should therefore be taken to avoid loss of data and downtime, for example by performing upgrades during off-peak hours.
Unlike failure replacements, which occur unpredictably, upgrades can be planned ahead. The key official should inform the LGA of the planned upgrade and, after implementation, notify the LGA using the Decommissioning of Equipment report form.
Fraud Management Procedures
The operator must be aware that accountability, good corporate governance and a flawless reputation, which scores highly on player trust, are pivotal to the gaming business. Players must have the peace of mind that they are depositing funds with a trustworthy operator licensed by a reputable body.
With internet fraud and computer crime involving ever more sophisticated methods, the operator must devise a system of checks and balances aimed at minimising the risk of fraud, abuse and unexplained movements of money.
The operator must therefore have a well delineated Know-Your-Client (KYC) procedure requiring the player to submit, through a secure channel, documents that conclusively establish identity and place of residence. Complementing the documentary evidence is IP tracking, to check that the player's actual geographical location tallies with the residence given in the documents.
The operator should also monitor suspicious payout requests, such as a payout requested shortly after a deposit, and unusual payment patterns. Payment requests in excess of €2,330 may only be effected upon receipt of the necessary KYC documentation.
Player details should then be verified by the card service providers / payment gateways through their e-processor verification function and built-in scrubbing and verification systems, in collaboration with the acquiring banks. The operator should use reputable service providers that employ technical measures aimed at substantially reducing fraud, e.g. 3-D Secure verification for card payments.
This two-pronged approach provides a safety net for attesting the veracity of the player. Even though customer registration and deposit registration are intertwined, the operator should not rely blindly on the information supplied by the card service providers or payment gateways: an independent KYC check must be carried out and the two subsequently reconciled.
Lost-password requests are another possible vehicle for fraud. When processing such a request, the operator should check the login logs to see whether the request is consistent with the account's usage pattern. No credentials should be given out over 'Live Help' to players who have lost their IDs or passwords; bona fide requests should be answered at the player's registered e-mail address, preferably with a time-limited reset link rather than a password sent in clear.
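The three screening rules above (KYC threshold, payout shortly after deposit, IP location versus declared residence) are the kind of logic a payments team runs over its ledger before releasing funds. The following is an added illustration, not code from the page or from any operator's system: it parses a constructed ledger, applies the rules and returns the payouts to hold. The 24-hour window for "shortly after a deposit", the player profiles and the IP-to-country table are assumptions; a real deployment would consult the KYC database and a geo-IP service for the last two.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Threshold from the text: payouts above EUR 2,330 need KYC documents on file.
KYC_THRESHOLD_EUR = 2330.0
# Assumption: "shortly after a deposit" is taken to mean within 24 hours.
RAPID_PAYOUT_WINDOW = timedelta(hours=24)

# Constructed sample ledger (not real data): timestamp, player id, event, amount, source IP.
SAMPLE_LOG = """\
2013-03-01T10:00:00 p100 deposit 500.00 81.0.0.10
2013-03-01T11:30:00 p100 payout 480.00 81.0.0.10
2013-03-02T09:00:00 p200 deposit 3000.00 94.0.0.5
2013-03-04T09:00:00 p200 payout 2500.00 94.0.0.5
2013-03-03T12:00:00 p300 deposit 100.00 203.0.113.7
2013-03-05T12:00:00 p300 payout 50.00 203.0.113.7
"""

# Constructed player profiles: declared country of residence and KYC status.
PLAYERS = {
    "p100": {"country": "MT", "kyc_verified": True},
    "p200": {"country": "GB", "kyc_verified": False},
    "p300": {"country": "DE", "kyc_verified": True},
}

# Assumption: a real system would query a geo-IP database; this dict stands in for it.
IP_COUNTRY = {"81.0.0.10": "MT", "94.0.0.5": "GB", "203.0.113.7": "US"}


@dataclass
class Event:
    ts: datetime
    player: str
    kind: str
    amount: float
    ip: str


def parse_log(text):
    """Parse the whitespace-separated ledger lines and return events in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, player, kind, amount, ip = line.split()
        events.append(Event(datetime.fromisoformat(ts), player, kind, float(amount), ip))
    return sorted(events, key=lambda e: e.ts)


def screen_payouts(events, players, ip_country):
    """Return {player: [flags]} for payout requests that must be held for manual review."""
    last_deposit = {}
    flags = {}
    for ev in events:
        if ev.kind == "deposit":
            last_deposit[ev.player] = ev.ts
            continue
        if ev.kind != "payout":
            continue
        profile = players[ev.player]
        hits = []
        # Rule 1: statutory threshold, no payout above it without KYC documents on file.
        if ev.amount > KYC_THRESHOLD_EUR and not profile["kyc_verified"]:
            hits.append("kyc_required")
        # Rule 2: payout requested shortly after a deposit (the classic card-cashing pattern).
        dep = last_deposit.get(ev.player)
        if dep is not None and ev.ts - dep <= RAPID_PAYOUT_WINDOW:
            hits.append("rapid_payout")
        # Rule 3: the source IP's geolocation must tally with the declared residence.
        if ip_country.get(ev.ip) != profile["country"]:
            hits.append("geo_mismatch")
        if hits:
            flags.setdefault(ev.player, []).extend(hits)
    return flags


if __name__ == "__main__":
    for player, hits in screen_payouts(parse_log(SAMPLE_LOG), PLAYERS, IP_COUNTRY).items():
        print(player, "HOLD:", ", ".join(hits))
```

Each rule produces a distinct flag so that the reviewer knows which document or explanation to ask the player for; a payout with no flags is released, everything else waits for a human decision.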
Technical Architecture
The operator must adequately explain the technical architecture of the gaming platform, which is composed of the following tiers.
(i) The Front End Tier: the player's browser, running on the player's PC, plus the website and game servers.
The memorandum should explain the use of HTTP as the communication protocol between the browser and the website (for the login and payment paths this should be HTTP over TLS, i.e. HTTPS, in keeping with the encryption requirement under the Information Security Policy) and, where applicable, a private protocol over TCP/IP between the Flash applications running in the browser and the game servers.
(ii) The Middle Tier: the website and the database.
The middle tier administers all interactions between the website, the game servers and the databases. The operator must illustrate how this works from the moment the player logs in: the username and password are verified against the data retrieved from the database and, if they match, a session key is created and stored in the database for future reference. The same interaction should be documented for every deposit and withdrawal request.
(iii) The Backend Tier: the database, the Game Management System, the administrator browser and other applications running analytical and internal processes.
The backend tier regulates the interactions between the Game Management System and the database. It contains all the site administration components, the analytical processes for calculating aggregates, and the database itself as the main information source.
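The login path described for the middle tier (verify username and password against the database, then create and store a session key) is where most platform compromises start, so the following added example shows the two checks that matter: the password is stored as a salted PBKDF2 digest and compared in constant time, and the session key is 256 bits from the operating system's CSPRNG with an expiry. This is illustrative code, not the page's or any operator's implementation; the in-memory `SessionStore`, the iteration count and the 30-minute lifetime are assumptions standing in for the real database table and the operator's tuning.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumption: iteration count chosen for illustration; tune it to the platform's hardware.
PBKDF2_ROUNDS = 100_000
SESSION_TTL_SECONDS = 1800  # assumption: 30-minute idle session


def hash_password(password, salt=None):
    """Return (salt, digest); the database stores both, never the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the digest and compare in constant time to avoid timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class SessionStore:
    """Stands in for the session table in the database (assumption: an in-memory dict)."""

    def __init__(self, ttl=SESSION_TTL_SECONDS):
        self.ttl = ttl
        self.sessions = {}  # token -> (username, expiry as epoch seconds)

    def create(self, username, now=None):
        # 256 bits from the OS CSPRNG: the session key must be unguessable, not merely unique.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, (now if now is not None else time.time()) + self.ttl)
        return token

    def lookup(self, token, now=None):
        """Return the username bound to a live token, or None if unknown or expired."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, expires = entry
        if (now if now is not None else time.time()) >= expires:
            del self.sessions[token]
            return None
        return username

    def revoke(self, token):
        self.sessions.pop(token, None)


def login(users, sessions, username, password):
    """Verify credentials against the user table and, on success, issue a session key."""
    record = users.get(username)
    if record is None:
        # Burn the same work for unknown users so timing does not reveal valid usernames.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * 16, PBKDF2_ROUNDS)
        return None
    if not verify_password(password, record["salt"], record["hash"]):
        return None
    return sessions.create(username)


# Constructed user table with one registered player (assumption, not a real account).
_salt, _digest = hash_password("correct horse battery staple")
USERS = {"player1": {"salt": _salt, "hash": _digest}}

if __name__ == "__main__":
    store = SessionStore()
    token = login(USERS, store, "player1", "correct horse battery staple")
    print("session issued:", token is not None, "->", store.lookup(token))
    print("wrong password:", login(USERS, store, "player1", "guess"))
```

The same `revoke` path is what the System Access Control Procedures require for staff accounts: terminating access means deleting the live sessions, not only disabling the password.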
The memorandum should provide detailed knowledge of the Game Management System, showing its use not only as a tool for changing the system configuration (e.g. game setups, deposit bonus rules) and player profiles, but also its importance for analysis and support, including but not limited to the following functions:
(i) Search player;
(ii) See player profile;
(iii) Edit Player profile;
(iv) Manage player balances;
(v) Get player game details;
(vi) Get player session history / deposit history; etc
The system should also allow the generation of the following reports:
(i) Bonuses reports;
(ii) Game Logs reports;
(iii) IP Address reports;
(iv) Progressive jackpots reports;
(v) Search for duplicate accounts;
(vi) Get pattern summary report;
(vii) Get new signups reports;
(viii) Manage incidents; etc
It should also allow the generation of reports on key financial information, such as:
(i) Business summary report;
(ii) Chargeback report;
(iii) Get hourly trends reports;
(iv) Float balance reports;
(v) Purchase summary reports;
(vi) Transaction summary reports;
(vii) Payouts reconciliation reports.
Physical Infrastructure
This is a technical document in which the applicant should describe the physical infrastructure used to carry out the gaming operation. The memorandum should include a detailed explanation of the number of servers used and the role of each server. The interconnection between servers should also be explained by means of a flowchart and/or organigram.
Other details should include a description of the system firewall, the IP range of the servers, and the applications used by the website, game servers, database, etc.
Network Infrastructure
In this memorandum the applicant must give a thorough description of the network infrastructure used and of the technology choices made to ensure a high level of security, in line with the industry's demands.
The applicant needs to describe the network infrastructure as well as the network management, such as which components can be remotely administered and maintained. Alerts may be sent to operational staff and managed through a ticket queue. Performance and capacity parameters should be logged and graphed so that historical information is available for monitoring and capacity planning.
This memorandum should also include a detailed VLAN overview describing the firewall rules, which must follow a restrictive (default-deny) policy: a port is opened only for a service that is to be made available from another VLAN, and then only to the specific VLANs or IP addresses that require access.
Detailed information, including a diagram illustrating the VLANs involved when an HTTP request for the website is processed, should also be attached for ease of reference.
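To make the restrictive-policy requirement concrete, the following added example expresses a segmented network as an explicit allow-list with default deny, provides an evaluator that answers "may this flow pass?" for the tiers an HTTP request traverses, and renders the same table as an nftables ruleset. The VLAN names, address ranges and ports (HTTPS from the internet to the web tier, 8443 from web to application servers, MySQL on 3306 from application servers only, SSH from a management VLAN) are assumptions for illustration; this is not the page's or any operator's configuration.

```python
import ipaddress

# Constructed VLAN plan (assumption, not the page's): names and addresses are illustrative.
VLANS = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "web": ipaddress.ip_network("10.10.10.0/24"),
    "app": ipaddress.ip_network("10.10.20.0/24"),
    "db": ipaddress.ip_network("10.10.30.0/24"),
    "mgmt": ipaddress.ip_network("10.10.99.0/24"),
}

# The only permitted new flows: (source VLAN, destination VLAN, protocol, port).
# Anything not listed is dropped, which is what a "restrictive policy" means in practice.
# Assumption: web talks to the app tier on 8443 and the app tier to MySQL on 3306.
ALLOW = [
    ("internet", "web", "tcp", 443),   # players reach the website over HTTPS only
    ("web", "app", "tcp", 8443),       # web tier -> application / game servers
    ("app", "db", "tcp", 3306),        # only the app tier may reach the database
    ("mgmt", "web", "tcp", 22),        # administration from the management VLAN
    ("mgmt", "app", "tcp", 22),
    ("mgmt", "db", "tcp", 22),
]


def vlan_of(ip):
    """Longest-prefix match of an address to a VLAN name ('internet' is the catch-all)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net in VLANS.items():
        if addr in net and (best is None or net.prefixlen > VLANS[best].prefixlen):
            best = name
    return best


def flow_allowed(src_ip, dst_ip, proto, port):
    """Default-deny evaluation: True only if an explicit allow rule matches the flow."""
    return (vlan_of(src_ip), vlan_of(dst_ip), proto, port) in ALLOW


def render_nftables():
    """Emit an nftables ruleset equivalent to ALLOW, with a drop policy on the forward hook."""
    lines = [
        "table inet gaming {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for src, dst, proto, port in ALLOW:
        lines.append(
            f"    ip saddr {VLANS[src]} ip daddr {VLANS[dst]} "
            f"{proto} dport {port} ct state new accept"
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Trace of one HTTPS request through the tiers, plus two flows that must be refused.
    print("player -> web:443 ", flow_allowed("203.0.113.9", "10.10.10.5", "tcp", 443))
    print("web -> app:8443   ", flow_allowed("10.10.10.5", "10.10.20.5", "tcp", 8443))
    print("app -> db:3306    ", flow_allowed("10.10.20.5", "10.10.30.5", "tcp", 3306))
    print("web -> db:3306    ", flow_allowed("10.10.10.5", "10.10.30.5", "tcp", 3306))
    print("player -> db:3306 ", flow_allowed("203.0.113.9", "10.10.30.5", "tcp", 3306))
    print(render_nftables())
```

The point of keeping the allow-list as data is that the diagram the LGA asks for, the firewall configuration and the test cases are all generated from one source, so a rule added for convenience (web straight to the database, say) is visible in review rather than buried in a running ruleset.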
Random Number Generator
A random number generator ("RNG") is required whenever a game has a chance element, i.e. whenever the outcome does not depend solely on the skill and/or dexterity of the player. Sportsbooks are naturally excluded from the RNG requirement, whereas poker and casino games all contain chance elements and need an RNG. In the memorandum the operator should specify:
a. Whether the RNG is hardware or software based;
d. A copy of the test certificate;
e. The conclusion of the certification authority's report.
The RNG is assessed in accordance with the Third Schedule of the Regulations, under which it must satisfy Schneier's test of randomness, i.e.:
(i) The data must be randomly generated, passing appropriate statistical tests of randomness;
(ii) The data must be unpredictable, i.e. it must be computationally infeasible to predict what the next number will be, given complete knowledge of the algorithm or hardware generating the sequence and of all previously generated numbers;
(iii) The series cannot be reliably reproduced, i.e. if the sequence generator is run again with the same input it will produce a completely unrelated random sequence.
White-listed hardware-based RNGs (those already recognised by the LGA) may be exempted from producing a test certificate. All software-based RNGs, however, require testing of their mathematical algorithm to ensure that the output is truly random.
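The three criteria are independent, and the reason software RNGs are singled out for algorithmic testing is that a generator can satisfy (i) while failing (ii) and (iii). The following added example, which is not the page's or any certification lab's code, implements the NIST SP 800-22 frequency (monobit) test and applies it to two sources: the operating system's CSPRNG, and a constructed glibc-style linear congruential generator whose constants are assumptions for the demonstration. The LCG's top bit looks unbiased to the statistical test, yet knowing the algorithm and the last output gives the next one exactly, and the same seed reproduces the whole series.

```python
import math
import secrets


def bytes_to_bits(data):
    """Unpack bytes into a list of 0/1 ints, least significant bit first."""
    return [(byte >> i) & 1 for byte in data for i in range(8)]


def monobit_p_value(bits):
    """NIST SP 800-22 frequency (monobit) test.

    Returns the p-value for the hypothesis 'ones and zeros are equally likely';
    a certification lab would reject a generator whose p-value is below 0.01.
    """
    n = len(bits)
    s_n = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s_n) / math.sqrt(n) / math.sqrt(2))


# Constructed software generator for the demonstration: a glibc-style linear
# congruential generator. It is NOT a certified RNG and is used only to show
# why criterion (i) alone is insufficient (assumed constants).
LCG_A, LCG_C, LCG_M = 1103515245, 12345, 2 ** 31


def lcg_next(state):
    return (LCG_A * state + LCG_C) % LCG_M


def lcg_stream(seed, n):
    """n outputs of the LCG; each output is the full internal state."""
    out, state = [], seed
    for _ in range(n):
        state = lcg_next(state)
        out.append(state)
    return out


def predict_next(observed_output):
    """Criterion (ii) fails: the algorithm plus the last output yields the next one."""
    return lcg_next(observed_output)


def top_bits(stream):
    """Take the most significant bit of each output (the LCG's best-behaved bit)."""
    return [(x >> 30) & 1 for x in stream]


if __name__ == "__main__":
    # OS entropy via the CSPRNG: passes (i), and (ii)/(iii) hold by construction.
    os_bits = bytes_to_bits(secrets.token_bytes(1250))
    print("os csprng monobit p =", round(monobit_p_value(os_bits), 4))
    seq = lcg_stream(seed=2013, n=10000)
    # The LCG looks fine to the statistical test ...
    print("lcg monobit p       =", round(monobit_p_value(top_bits(seq)), 4))
    # ... yet is fully predictable (ii) and reproducible from the same seed (iii).
    print("predicted", predict_next(seq[0]), "actual", seq[1])
    print("same seed, same sequence:", lcg_stream(2013, 5) == lcg_stream(2013, 5))
```

A single monobit pass is of course far short of a certification suite, which runs the full battery over many sequences; the example is there to show what "passing appropriate statistical tests" does and does not prove.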
Name of the Owner of the Software
The software may be licensed or developed by the operator. In either case, the intellectual property owner of the software must be identifiable through the required corporate details, e.g. company name, company registration number, registered office, place of incorporation and contact details.
Name of the Organisation that Did the Testing
Include the organisation or company involved in the testing process and their credentials. As in the previous case, specify the company name, company registration number, registered office, place of incorporation and contact details of the organisation that carried out the testing.
This memorandum should also include details of the processes, rules and parameters of the games, ensuring that these dovetail with the game rules published by the operator. The game must also respect the configuration set by the operator in terms of:
(i) percentage payouts;
(ii) progressive jackpot payouts; etc.
(iii) The game must provide no more than the expected house advantage to the operator, i.e. the outcome must not be steered in any way by the operator;
(iv) Both the gaming and the financial transactions must be congruent and secure;
(v) The outcome of any game event, and the return to the player, must be independent of the CPU, memory, disk or other components of the playing device used by the player;
(vi) The game, or any game event outcome, must not be affected by the effective bandwidth, link utilisation, bit error rate or any other characteristic of the communication channel between the gaming system and the player's device;
(vii) The gaming system must be able to display for each game the following information on the current page or on a page directly accessible from the current page via a hyperlink-
(a) the name of the game;
(b) restrictions on play;
(c) instructions on how to play, including a pay-table of all prizes and special features;
(d) the player's current account balance;
(e) unit and total bets permitted;
(f) the rules of the game.
(viii) All financial reports produced by the gaming system must be congruent with gaming transaction reports;
(ix) The gaming system must (a) be capable of producing monthly auditable and aggregate financial statements for gaming transactions and (b) calculate all taxation and monies due to the Authority;
(x) The gaming system must maintain information about all games played, including-
(a) the identity of the player;
(b) the time the game began as recorded on the games server;
(c) the balance of the player’s account at the start of the game;
(d) the stakes placed in the game (time stamped by the games server);
(e) the game status (in progress, complete etc;)
(f) the result of the game (time stamped by the games server);
(g) the time the game ended as recorded by the game server;
(h) the amount won or lost by the player;
(i) the balance on the player’s account at the end of the game.
(xi) The gaming system must maintain information about significant events as follows
(a) large wins;
(b) transfers of funds in excess of such amount as the LGA may notify to the operator;
(c) changes made by the operator to game parameters.
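Requirements (viii), (x) and (xi)(a) together describe a per-game record whose fields must reconcile with each other and with the financial reports. The following added example, not code from the page or from any gaming system, stores one record per game with exactly the fields listed under (x), checks each record's arithmetic (closing balance = opening balance - stake + winnings), checks that successive games of the same player chain correctly, derives the gross gaming revenue that the financial report must agree with, and extracts the large wins to be kept as significant events. The sample records, the assumption that no deposits occur between the logged games, and the EUR 20 "large win" threshold are constructed for the demonstration; the last record has been deliberately altered so the audit has something to find.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class GameRecord:
    """One game as the regulations require it to be logged (items (a) to (i))."""
    game_id: str
    player: str
    started: str            # games-server timestamp, ISO 8601
    balance_start: Decimal
    stake: Decimal
    status: str             # "in progress" / "complete"
    result: str
    ended: str
    won: Decimal            # amount won; Decimal("0") on a loss
    balance_end: Decimal


def D(value):
    """Money is kept in Decimal, never float, so that reconciliation is exact."""
    return Decimal(str(value))


# Constructed game log (not real data). The last record has been altered so that the
# player's closing balance is EUR 10 higher than the stake and result justify.
RECORDS = [
    GameRecord("g1", "p1", "2013-03-01T10:00:00", D("100"), D("10"), "complete", "loss", "2013-03-01T10:00:20", D("0"), D("90")),
    GameRecord("g2", "p1", "2013-03-01T10:01:00", D("90"), D("10"), "complete", "win", "2013-03-01T10:01:15", D("25"), D("105")),
    GameRecord("g3", "p1", "2013-03-01T10:02:00", D("105"), D("20"), "complete", "loss", "2013-03-01T10:02:30", D("0"), D("85")),
    GameRecord("g4", "p2", "2013-03-01T11:00:00", D("50"), D("5"), "complete", "loss", "2013-03-01T11:00:10", D("0"), D("45")),
    GameRecord("g5", "p2", "2013-03-01T11:01:00", D("45"), D("5"), "complete", "loss", "2013-03-01T11:01:12", D("0"), D("50")),
]


def check_record(r):
    """Internal consistency of a single record."""
    errors = []
    if r.balance_end != r.balance_start - r.stake + r.won:
        errors.append(f"{r.game_id}: closing balance does not equal opening - stake + win")
    if r.ended < r.started:
        errors.append(f"{r.game_id}: game ended before it started")
    if r.status == "complete" and not r.result:
        errors.append(f"{r.game_id}: complete game has no result")
    return errors


def check_chain(records):
    """Each player's opening balance must equal the closing balance of the previous game
    (assumption: no deposits or withdrawals occur between the games in this log)."""
    errors, last_end = [], {}
    for r in sorted(records, key=lambda x: (x.player, x.started)):
        prev = last_end.get(r.player)
        if prev is not None and r.balance_start != prev:
            errors.append(f"{r.game_id}: opening balance {r.balance_start} != previous closing {prev}")
        last_end[r.player] = r.balance_end
    return errors


def audit(records):
    """All problems found in the log; an empty list means the records reconcile."""
    errors = []
    for r in records:
        errors += check_record(r)
    return errors + check_chain(records)


def gross_gaming_revenue(records):
    """Stakes minus winnings: the figure the financial report must agree with."""
    return sum((r.stake - r.won for r in records), Decimal("0"))


def large_wins(records, threshold):
    """Significant events (xi)(a): wins at or above the notification threshold."""
    return [r.game_id for r in records if r.won >= threshold]


if __name__ == "__main__":
    for problem in audit(RECORDS):
        print("AUDIT:", problem)
    print("GGR from game log:", gross_gaming_revenue(RECORDS))
    print("large wins over EUR 20:", large_wins(RECORDS, D("20")))
```

Running the audit before each monthly statement is generated is what makes (viii) checkable rather than asserted: if the gross gaming revenue derived from the game log does not match the figure in the financial report, one of the two has been altered or is incomplete.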
Online Text / Content
The terms and conditions must be posted on the applicant's homepage and must include the following:
a. Operator details;
Details of the Maltese registered company (name, company registration number, registered address, operating address etc;)
b. Jurisdiction and Regulation;
The governing law must be the Laws of Malta;
c. Languages Displayed;
d. Player Terms & Conditions;
Kindly note that any changes thereto must be pre-approved by the LGA.
e. Bonus Scheme Conditions;
f. Rules & Regulations of the Games (text)
g. Player Registration Process in screen shots;
h. Data Protection Statement;
This may have to be amended to comply with the provisions of the Data Protection Act – Chapter 440 of the Laws of Malta
i. Contact details;
Hyperlinks to the e-mail addresses of the call centre, complaints officer, etc.
j. Provision for self-protection / self-exclusion;
The operator must display at all times a warning about the addictive potential of gaming, together with hyperlinks to organisations that assist compulsive gamblers.
Furthermore, a registered player must have the option of:
(i) Setting a limit on the amounts wagered within a specific period of time;
(ii) Setting a limit on the losses the player may incur within a specific period of time;
(iii) Setting a limit on the amount of time the player may play in one session;
(iv) Excluding himself from playing for a definite period of time or indefinitely.
The operator may not accept a wager contrary to the limits so set.
Moreover, the operator must make available an automatic reality check which:
(i) Shows how long the player has been playing;
(ii) Displays the player's winnings and losses during that period;
(iii) Requires the player to confirm that he has read the message;
(iv) Gives the player the option to end the session or return to the game.
Kindly note that the operator's homepage must contain the following:
(i) The registered name of the licensee's company;
(ii) The address of the company's registered office;
(iii) The official number and date of issue of the licence (post-licence);
(iv) A statement that the licensee's operations are regulated by the LGA;
(v) Hyperlinks to organisations specialising in curbing gaming addiction;
(vi) Hyperlinks to the rules of the games;
(vii) The kite-mark of the LGA's website (post-licence).
Contracts with Business Partners
The applicant must submit originals or certified true copies of the following agreements:
a. Payment systems / gateways;
b. Contracts with software providers;
c. Contracts with a Class 4 platform, if applicable;
d. Other contracts with parent, group or affiliate companies.
Full disclosure is required by the LGA.
It is very important that the actual contracts are concluded by the Maltese registered company and not by any parent or subsidiary thereof.
Contact one of our officers to initiate the licensing process for a Maltese registered gaming company and start reaping the full benefits of an onshore, low-tax, reputable EU jurisdiction. Contact us by e-mail at firstname.lastname@example.org or by calling +356 2338 1500.
We are committed to providing you with a swift solution best suited to your needs.