
Malta iGaming Compliance: One Onboarding Record or Two Parallel Trails?


TL;DR

  • The MGA checks player protection while the FIAU checks CDD methodology under the PMLFTR.
  • Both regulators inspect the same player file and ask different questions of it.
  • The most common FIAU gap is a record showing the outcome but not the method.
  • CDD triggers at the first transaction or €150, and EDD at €2,000 or the first withdrawal.
  • The FIAU ran 187 supervisory interventions in 2024 across subject persons.
  • One record that logs both method and outcome satisfies both the MGA and the FIAU.

An operator passes MGA’s quarterly review in Q1. In Q3, the FIAU issues a finding on the same player cohort. The onboarding system ran a liveness check on every player. The CDD records show the results: all passed. But the FIAU inspector asks a different question. Which liveness method ran? Was it active 3D liveness, passive liveness, or a static image comparison? The CDD record does not say. The inspection outcome is there. The evidential basis, the method behind that outcome, is absent.

This is not an edge case. The FIAU conducted 187 supervisory interventions in 2024, with remote gaming operators among the leading sectors for suspicious transaction report (STR) submissions, according to the FIAU 2024 Annual Report. The record deficiency above (correct conclusion, missing methodology) is the most common gap the FIAU finds in iGaming CDD files.

This guide gives Malta-licensed compliance officers and MLROs a three-question diagnostic to run on their current setup before the next supervisory visit, and explains exactly where MGA and FIAU inspection scopes diverge so one onboarding record can satisfy both.

Malta’s Two-Regulator Structure

The Malta Gaming Authority (MGA) governs gaming conduct, licence obligations, and player protection under the Gaming Act and the Player Protection Directive. The Financial Intelligence Analysis Unit (FIAU) governs AML/CFT obligations under the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR).

Same player. Same onboarding event. Different inspection scope, different evidentiary standards. When MGA and FIAU inspect the same operator, they each pull records for the same players and ask different questions of the same file. The file must answer both.

The Self-Diagnostic: One Record or Two Parallel Trails?

Before the next supervisory visit, pull a sample of ten player CDD records and run these three checks.

| Check | What to Look for in the Record | A “No” Means |
| --- | --- | --- |
| 1. Outcome or method? | Verify that the file records the liveness category, document type, and AML data source, not merely a “passed” status. | The record shows the outcome but not the evidence or process that produced it. |
| 2. Risk-reasoning chain present? | Confirm that enhanced due diligence (EDD) decisions include documented reasoning, not just an EDD designation. | An EDD flag appears in the file without any explanation of why it was applied. |
| 3. Dual-query ready? | Check whether a single data source can satisfy both an MGA and an FIAU information request. | Staff would need to reconstruct separate files from multiple systems to respond to regulators. |

Where MGA and FIAU Inspection Scopes Stop Overlapping

Both regulators require identity verification at onboarding. That is where the overlap begins and, for many operators, where their mental model of the overlap ends.

The MGA’s Player Protection Directive focuses on player protection outcomes: was the player’s identity confirmed before the account was activated? Were virtual currency wallet holders verified within 30 days of account opening? Were responsible gaming intervention thresholds applied correctly?

The FIAU’s PMLFTR inspection reaches further into the risk file. Customer due diligence (CDD) triggers at the first transaction or at €150 for remote gaming operators. The FIAU wants to see not only that CDD ran, but also: what risk category was assigned, why, what source-of-funds evidence was collected, and what justified the EDD decision when the €2,000 threshold or first-withdrawal trigger applied.

The divergence point is methodology. The MGA needs evidence that a player protection step happened. The FIAU needs evidence that the underlying risk decision was reasoned and documented. A verification outcome satisfies the first question. Only the documented method and risk logic satisfy the second.

A Worked Example: The Same Check, Two Different Outcomes

A Malta-licensed operator onboards a player in Q4 2023. Document verification runs, a liveness check runs, and AML screening runs. All pass. The onboarding system logs: “KYC, passed. Liveness, passed. AML screening, clear.”

MGA inspection, Q1 2025. The inspector examines the player protection file. Identity verified, yes. Liveness completed, yes. The file passes.

FIAU supervisory visit, Q3 2025. The FIAU visits the same operator following a spike in STR volumes from the remote gaming sector. The FIAU received 9,430 STRs in 2024 across all subject persons, with remote gaming operators among the top contributing sectors (FIAU 2024 Annual Report). The inspector pulls the same player cohort. The question is not “did liveness pass?” but “what liveness method was used, and is it adequate for the risk category this player was assigned?”

The record says: liveness, passed. It does not say: active 3D liveness, iBeta-certified, method logged at [timestamp], risk basis: low-risk self-declaration plus document match.

FIAU finding: CDD record incomplete. The outcome is present. The evidentiary basis for the risk classification is not.

Same operator. Same player. Same underlying check. Two inspections, one pass, one finding. The gap is not in what the system did. It is in what the system recorded.

How Does Shufti Close the Diagnostic Loop?

Shufti’s KYC and AML Screening capture both the result and the method in a single, structured record. Every verification event is logged with the method used (document classification, liveness type, AML data sources queried) alongside the outcome, timestamp, and risk signals detected.

That means Check 1 is answered: method and outcome are both in the file. Check 2 is answered: EDD decisions log the risk-reasoning chain, not just the flag. Check 3 is answered: the same record that satisfies an MGA player protection query can produce the CDD file a FIAU inspector needs, from one API call, without manual reconstruction, without a second parallel trail.

One onboarding record. One source of truth. Both regulators served.

Three Actions Before Your Next Supervisory Visit

First, audit your CDD record template. Does every field the FIAU may ask about (verification method, risk-category basis, EDD trigger, source-of-funds evidence) exist as a structured data field, not a free-text note that gets lost on export?

Second, run a dual-export test. Pull one player’s record in the format you would hand to the MGA and then again in the format you would hand to the FIAU. If the content differs, you have two trails. If it is the same file, you have one source of truth.

Third, review your EDD documentation for the €2,000 threshold cohort specifically. EDD flags present without a documented reasoning chain represent the highest-risk gap going into any FIAU visit. This is the cohort the FIAU focuses on when STR volumes in remote gaming are elevated.

Frequently Asked Questions

What is the difference between MGA and FIAU inspection scope in Malta iGaming?

The MGA inspects player protection compliance: whether identity steps were completed and thresholds applied. The FIAU inspects CDD and AML/CFT obligations under PMLFTR, including risk methodology, EDD reasoning, and STR reporting. Both regulators review the same players. Neither asks exactly the same questions of the file.

What records does the FIAU require for CDD under PMLFTR?

PMLFTR requires remote gaming operators to document the customer's identity, assigned risk category, basis for any EDD decision, source-of-funds evidence for higher-risk players, and AML screening results. CDD triggers at the first transaction or €150. EDD triggers at a €2,000 deposit or first withdrawal.

How often does the FIAU conduct supervisory interventions on Malta's iGaming operators?

The FIAU 2024 Annual Report recorded 187 supervisory interventions across all subject persons and issued more than 70 enforcement and administrative actions. Remote gaming has consistently been among the leading sectors for both STR submissions and supervisory activity.

What triggers enhanced due diligence for Malta remote gaming operators?

Under PMLFTR, EDD is mandatory when a customer's deposit reaches €2,000 or at the point of their first withdrawal, whichever comes first. EDD is also required for any customer assigned a high-risk profile, politically exposed persons (PEPs), and customers from higher-risk jurisdictions identified in the FIAU's risk assessments.
