MGA's 2025 Regulatory Overhaul: What It Actually Means
The Malta Gaming Authority published its updated regulatory framework in September, and the iGaming press has been doing its usual thing — breathless headlines followed by surface-level analysis. Having spent five years in Malta working directly with MGA-licensed operators, I think most of the commentary is missing the point. Let me try to do better.
Quick Background for the Uninitiated
Malta has been the hub of European online gambling since the mid-2000s. The MGA (Malta Gaming Authority) licenses and regulates a massive chunk of the operators you've probably used. When I moved to Sliema in 2016, there were already hundreds of licensed operators on the island. The MGA licence was considered the gold standard for non-UK markets — not as strict as the UKGC, but vastly more credible than Curaçao or Anjouan.
The 2018 Gaming Act was the last major overhaul. It consolidated the old class system into a single licence type and introduced the "critical gaming supply" framework. It was generally well-received, if a bit vague in places. The 2025 update is building on that foundation.
The Key Changes
Enhanced player verification timelines. Operators now have 72 hours from account creation to complete full KYC verification, down from what was effectively "before first withdrawal" under the previous rules. In practice, most decent operators were already doing this. The ones who weren't were typically running thin margins and relying on high-volume, low-friction sign-ups. Those operators are going to feel this.
Source of funds checks below €2,000. This is the big one. Previously, enhanced due diligence on source of funds was only required at higher thresholds (€10,000+ in cumulative deposits was the informal industry standard). The new rules bring this down significantly. A player depositing €2,000 over, say, a month will now trigger SOF requirements.
I have mixed feelings about this. On one hand, it's obviously sensible from an AML perspective. On the other hand, €2,000 isn't exactly high-roller territory. A regular recreational player betting on football could easily hit that in a few weeks without doing anything unusual. The admin burden on operators — and the friction for players — is going to be substantial.
When I was consulting in Malta, source of funds checks were already the number one reason for player complaints. People don't enjoy being asked where their money comes from when they're trying to withdraw €500 in winnings. Pushing that threshold lower is going to increase those complaints significantly.
Mandatory loss limits and reality checks. All MGA-licensed operators must now offer mandatory loss limit tools (not just optional ones buried in the settings) and reality check notifications at intervals no longer than 60 minutes. The reality checks must include total time played, total wagered, and net position.
Honestly, this is overdue. The UK's been doing something similar since 2020 and the evidence suggests reality checks do reduce session length for a subset of players. They don't solve problem gambling — nothing that simple does — but they're a low-cost measure that helps at the margins.
Advertising restrictions. This is where it gets interesting and where most coverage has been weak. The new rules don't ban gambling advertising (that would require Maltese parliamentary legislation, not just MGA directives). But they do impose stricter requirements on targeting. Operators can't use behavioural data to target lapsed players with re-engagement campaigns for 90 days after a player self-excludes or sets a cooling-off period.
This sounds obvious but it's been a massive grey area. I personally witnessed an operator in 2019 running "we miss you" email campaigns to players who had set deposit limits — the logic being that a deposit limit wasn't the same as self-exclusion. It was technically compliant under the old rules. Under the new framework, it wouldn't be.
What the Press Is Getting Wrong
Most of the coverage I've read frames this as "MGA gets tougher." That's partially true but it misses the strategic context. The MGA isn't tightening up out of pure altruism — they're doing it because they have to stay competitive.
The European regulatory landscape has shifted dramatically. Countries that used to rely on the Maltese licence as a passporting mechanism are increasingly developing their own national licensing regimes. Germany, the Netherlands, Ontario in Canada — these are major markets that now require local licences. The MGA licence is worth less as a market access tool than it was five years ago.
So the MGA is repositioning. They're saying: "Our licence means real consumer protection, not just a rubber stamp." It's a credibility play. They want to maintain the gap between an MGA licence and a Curaçao licence by raising standards, because if operators and players start viewing them as equivalent, Malta's entire iGaming economy is in trouble.
And Malta's iGaming economy is substantial. The sector accounts for roughly 12% of the country's GDP and employs about 9,000 people on an island of 500,000. I lived through the early concerns about Brexit and its impact on the Malta hub — this is an economy that takes its gambling industry seriously because it has to.
Impact on Operators
Small to mid-tier operators are going to struggle. The compliance costs of implementing the new KYC timelines and SOF thresholds are significant. You need more compliance staff, better automated verification systems, and faster document processing. Big operators like Entain, Flutter, and Kindred can absorb this. A 50-person operation running three casino brands? That's a different story.
I'd expect some consolidation. Smaller operators either get acquired, move to lighter-touch jurisdictions (hello, Curaçao), or shut down. The MGA probably views this as a feature, not a bug — fewer, better-capitalised licensees are easier to regulate than hundreds of small ones.
Impact on Players
If you play at MGA-licensed casinos, expect more verification requests. Expect to be asked for documents earlier in your relationship with the site. Expect reality check pop-ups during sessions. None of this is catastrophic — it's mildly annoying at worst.
The upside is genuine. Better-regulated operators are less likely to stiff you on withdrawals, more likely to handle disputes fairly, and less likely to use predatory retention tactics. If you've ever had a large withdrawal "under review" for two weeks while the operator's compliance team decided whether they felt like paying you, you'll appreciate the direction of travel.
For those playing at crypto casinos with Curaçao licences, none of this applies to you. Which is partly the point — the gap between MGA and Curaçao is now even wider.
My Take
The MGA is moving in the right direction. Not every change is perfectly calibrated — the €2,000 SOF threshold feels too low and will create pointless friction for ordinary players — but the intent is sound and the execution is better than most regulatory overhauls I've seen in this industry.
The real question is enforcement. The MGA has historically been criticised for being slow to act against operators who violate the rules. They've improved — the fines and licence revocations in 2023-2024 showed more teeth than previous years — but the test of any regulatory framework is whether it's consistently enforced, not just whether it's well-written.
I'll be watching this closely. If you work in the industry and have a different perspective, I'd genuinely like to hear it — drop me a line.