Malta iGaming KYC and AML compliance, rebuilt for the post-Stanleybet FIAU standard
After the Stanleybet penalty, the FIAU treats iGaming KYC as an architecture question, not a document check. This is the control framework an examination will assess.
On 23 March 2026 the FIAU imposed an administrative penalty of EUR 225,730 on Stanleybet Malta Limited, plus a periodic penalty of EUR 2,000 per day until remediation. The grounds were failures to identify customers, conduct CDD, carry out customer risk assessments, monitor relationships, and link cumulative transactions across the betting network. Stanleybet has filed an appeal, and the decision remains subject to that process.
01 · What changed after Stanleybet
What changed for Malta iGaming KYC after the Stanleybet penalty
A clean MGA licence record no longer tells you whether you would pass an FIAU examination. The case turns KYC from an onboarding document check into a question about whether your data architecture can link one customer across every product and channel.
Many operators share the same blind spot. Systems track deposits per outlet or per transaction rather than per customer across every product, brand, and channel. An operator whose platform stores casino, sportsbook, and retail data in separate databases carries the same structural vulnerability the FIAU identified in Stanleybet's network. After this action, operators should be able to evidence who the customer is, when the EUR 2,000 CDD threshold was reached, which controls fired, what documentation was collected, and how suspicious activity was escalated to the MLRO and the FIAU.
02 · Malta's Regulatory Stack
Who regulates AML compliance for Malta iGaming operators
Two regulators do, and their powers overlap. The Malta Gaming Authority handles licensing and gaming compliance under the Gaming Act, Chapter 583. The FIAU supervises AML and CFT under the PMLFTR, S.L. 373.01. A single KYC or AML failure can trigger enforcement by both.
AMLR 2027
Direct application, no transposition
The EU Anti-Money Laundering Regulation (Regulation 2024/1624) applies directly to gaming operators from 10 July 2027. Operators offering cross-border services fall within scope. Malta was removed from the FATF list of jurisdictions under increased monitoring (the grey list) in June 2022.
MGA Directive 3 of 2020
The PMLFT Function Holder requirement
Every licensed operator must designate at least one PMLFT Function Holder. The MLRO must be registered with the FIAU, meet qualification standards, and complete ten hours of CPD annually.
03 · The Stanleybet Failure Matrix
Why the Stanleybet failures were architectural, not procedural
The FIAU described five separate failures, but all five trace back to one missing thing: a customer-level view that spans every product and channel. Fix the architecture and the five failures close together.
| Failure mode | Control required | Evidence to produce |
|---|---|---|
| Deposits not linked across outlets | Customer-level transaction spine across all outlets and products | Cumulative 180-day deposit ledger per customer |
| Customer not known at the control point | Identity verification at onboarding, verified before the threshold | Verification timestamp, document check result, liveness result |
| No customer risk assessment | Risk scoring at the CDD trigger across geography, game type, velocity, VIP | Risk tier assignment, scoring criteria, date of assessment |
| Monitoring not possible | Ongoing monitoring tied to a unified customer identity | Monitoring log per customer, alert history, risk-score changes |
| Inadequate STR workflow | MLRO escalation workflow with same-day filing capability | MLRO decision log, escalation record, goAML filing timestamps |
Stanleybet ran retail shops, but the exposure is identical online; the channel is irrelevant. The question is whether you can produce a single ledger showing every deposit a customer made, across every product and channel, over the preceding 180 days. If the answer is no, the structural gap is the same.
04 · The Player Journey Compliance Map
Where compliance obligations fire in the Malta player journey
Obligations fire at six specific points in the lifecycle, not once at registration. The architecture question is whether your systems hold the data they need at the moment each trigger fires.
STEP 1
Registration
Name, date of birth, address, government ID, age 18+, initial PEP screening.
STEP 2
Deposit stage
Customer-level deposits aggregated over a 180-day rolling window across all products.
No withdrawal is permitted until the required CDD information is obtained.
STEP 5
Ongoing monitoring
Markers of Harm detection active. STR workflow on alert.
STEP 6
STR escalation
MLRO review, goAML same-day filing when suspicion exists.
Basic KYC at registration is the foundation for CDD, not CDD itself. The CDD obligation triggers later, based on customer activity. The deposit stage is where the Stanleybet failure originated, because the system must aggregate deposits per customer, not per transaction, per day, or per product silo.
05 · The EUR 2,000 CDD Threshold
How the EUR 2,000 CDD threshold actually works
FIAU Implementing Procedures Part II require CDD and a Customer Risk Assessment by the first withdrawal, or when cumulative deposits over any 180-day rolling period reach EUR 2,000, whichever comes first. Tracking is customer-level, the window rolls, and the relationship must end if documentation is not provided within 30 days.
Customer-level
Tracking is per customer, never per transaction or per outlet. Every product, brand, channel, and outlet rolls into one cumulative total.
180-day rolling
The window is a 180-day rolling period, not a calendar month and not a fixed period from account creation.
30-day deadline
If CDD information is not provided within 30 days of the threshold being reached, the customer relationship must be terminated.
| Date | Deposit | Product / outlet | 180-day total | Action required |
|---|---|---|---|---|
| Day 1 | EUR 500 | Retail sportsbook | EUR 500 | Monitor |
| Day 32 | EUR 700 | Online casino | EUR 1,200 | Monitor |
| Day 74 | EUR 400 | Online sportsbook | EUR 1,600 | Monitor |
| Day 91 | EUR 300 | Retail shop | EUR 1,900 | Monitor |
| Day 103 | EUR 200 | Live gaming | EUR 2,100 | CDD trigger fires |
| Day 181 | Any | Any | Recalculate (EUR 1,600 once Day 1 drops out) | Day 1 exits window |
If a withdrawal is requested before CDD is complete, it must be held. CDD has to be complete by the first withdrawal or by Day 133, the 30-day mark after the threshold, whichever is earlier. An examiner can ask for the customer-level deposit ledger, the date the threshold was reached, the date CDD was initiated and completed, and the Customer Risk Assessment result with the criteria applied.
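The ledger above is simple enough to check by hand, but the control the FIAU is describing is a computation your platform has to get right for every customer, every day. The following Python is an added worked example, not code from the page or from any vendor: it keys aggregation on the customer rather than the outlet, rolls the 180-day window, derives the CDD trigger date from either the threshold or the first withdrawal, applies the 30-day deadline, and shows the per-outlet view that never fires. The base date, the inclusive window convention, the customer identifier and the channel labels are assumptions for the example; the deposit amounts and days are the page's own table.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional

CDD_THRESHOLD_EUR = 2000.0   # cumulative-deposit CDD trigger, FIAU IP Part II
WINDOW_DAYS = 180            # rolling window; assumed inclusive of the day assessed
CDD_DEADLINE_DAYS = 30       # CDD not completed within this period -> terminate


@dataclass(frozen=True)
class Deposit:
    customer_id: str
    day: date
    amount_eur: float
    channel: str   # product / brand / outlet label: recorded, never a grouping key


def _in_window(d: Deposit, customer_id: str, as_of: date) -> bool:
    start = as_of - timedelta(days=WINDOW_DAYS - 1)
    return d.customer_id == customer_id and start <= d.day <= as_of


def rolling_total(deposits: Iterable[Deposit], customer_id: str, as_of: date) -> float:
    """Customer-level total over the 180 days ending on as_of, across every channel."""
    return sum(d.amount_eur for d in deposits if _in_window(d, customer_id, as_of))


def siloed_totals(deposits: Iterable[Deposit], customer_id: str, as_of: date) -> Dict[str, float]:
    """The Stanleybet blind spot: the same deposits keyed per outlet or product."""
    totals: Dict[str, float] = {}
    for d in deposits:
        if _in_window(d, customer_id, as_of):
            totals[d.channel] = totals.get(d.channel, 0.0) + d.amount_eur
    return totals


def cdd_trigger(deposits: List[Deposit], customer_id: str,
                first_withdrawal: Optional[date] = None) -> Optional[date]:
    """Date CDD fell due: first day the rolling total reaches the threshold or the
    first withdrawal request, whichever is earlier; None if neither has happened."""
    own = sorted((d for d in deposits if d.customer_id == customer_id), key=lambda d: d.day)
    threshold_day = next((d.day for d in own
                          if rolling_total(deposits, customer_id, d.day) >= CDD_THRESHOLD_EUR), None)
    due = [x for x in (threshold_day, first_withdrawal) if x is not None]
    return min(due) if due else None


def cdd_status(deposits: List[Deposit], customer_id: str, as_of: date,
               cdd_completed: Optional[date] = None,
               first_withdrawal: Optional[date] = None) -> str:
    """Control outcome on as_of: MONITOR, CDD_DUE, HOLD_WITHDRAWAL, CDD_COMPLETE or TERMINATE."""
    trigger = cdd_trigger(deposits, customer_id, first_withdrawal)
    if trigger is None or as_of < trigger:
        return "MONITOR"
    if cdd_completed is not None and cdd_completed <= as_of:
        return "CDD_COMPLETE"
    if as_of > trigger + timedelta(days=CDD_DEADLINE_DAYS):
        return "TERMINATE"              # 30 days elapsed without the CDD information
    if first_withdrawal is not None and first_withdrawal <= as_of:
        return "HOLD_WITHDRAWAL"        # no withdrawal until CDD is complete
    return "CDD_DUE"


# Constructed ledger reproducing the page's worked table. DAY1 is an assumed base
# date; "Day n" in the table is DAY1 + (n - 1) days.
DAY1 = date(2026, 1, 1)


def day(n: int) -> date:
    return DAY1 + timedelta(days=n - 1)


LEDGER = [
    Deposit("cust-001", day(1),   500.0, "retail sportsbook"),
    Deposit("cust-001", day(32),  700.0, "online casino"),
    Deposit("cust-001", day(74),  400.0, "online sportsbook"),
    Deposit("cust-001", day(91),  300.0, "retail shop"),
    Deposit("cust-001", day(103), 200.0, "live gaming"),
]

if __name__ == "__main__":
    for d in LEDGER:
        n = (d.day - DAY1).days + 1
        total = rolling_total(LEDGER, "cust-001", d.day)
        print(f"Day {n:>3}  EUR {d.amount_eur:>5.0f}  {d.channel:<18} 180-day total EUR {total:>5.0f}  "
              f"{cdd_status(LEDGER, 'cust-001', d.day)}")
    trigger = cdd_trigger(LEDGER, "cust-001")
    print("CDD due from Day", (trigger - DAY1).days + 1, "- deadline Day",
          (trigger + timedelta(days=CDD_DEADLINE_DAYS) - DAY1).days + 1)
    print("Day 181 recalculated (Day 1 has left the window): EUR",
          rolling_total(LEDGER, "cust-001", day(181)))
    print("Per-outlet view never reaches the threshold:", siloed_totals(LEDGER, "cust-001", day(103)))
```

Two design points matter for an examination. First, the channel is stored on every deposit so the ledger can be produced per outlet if asked, but it is never the key the threshold is computed over. Second, the trigger date and the status are derived from the ledger rather than stored as flags, so the examiner's questions (when was the threshold reached, when did the 30 days expire) are answered from the same data the control ran on.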
06 · CDD vs EDD
CDD vs EDD in Malta gaming, and when each applies
Reaching EUR 2,000 triggers CDD and a Customer Risk Assessment, not Enhanced Due Diligence. EDD is a separate obligation triggered by the risk outcome. A standard-risk player completes CDD. A high-risk player, a PEP, or a suspicious case goes to EDD.
CDD (Customer Due Diligence)
• Full identity verification
• Document check
• Customer Risk Assessment
• Source confirmation if required
EDD (Enhanced Due Diligence)
• Enhanced identity and address verification
• Source of funds documentation
• Ongoing enhanced monitoring
• Mandatory for PEPs and high-risk
The PEP trigger is unconditional. If a customer is identified as a Politically Exposed Person at any point, EDD applies regardless of the Customer Risk Assessment outcome. Former PEPs remain subject to EDD for a period set by risk assessment. VIP players reach EDD thresholds faster because of deposit velocity, so operators need documented protocols for when source-of-funds evidence is required and how refusals escalate to the MLRO.
The full guide adds the five-segment player routing table, mapping standard EU players, high-volume and VIP players, PEPs, players from FATF high-risk jurisdictions, and corporate affiliates to their verification route, CDD trigger, EDD status and applicable obligation.
07 · Fraud Threats That Break KYC Controls
Which fraud threats break Malta iGaming KYC controls
Deepfakes, multi-accounting, account takeover and mule networks each defeat identity controls, and each creates AML exposure directly. When a liveness check is beaten by a deepfake, the operator has accepted a fraudulent identity, and the liability for verification adequacy stays with the operator.
Deepfake and synthetic identity
A liveness check that cannot tell a live person from a deepfake is a CDD adequacy issue with direct enforcement exposure.
Bonus abuse & multi-accounting
Multiple accounts on synthetic or stolen documents. Detection needs cross-product customer linking, the same blind spot as threshold tracking.
Account takeover
Credential stuffing exploits password reuse. A fraudster controlling a real player's account can generate suspicious transactions the MLRO may not know are tied to a compromised account.
Mule accounts & smurfing
Malta's National Risk Assessment names mule networks as a specific threat to the gaming sector. Detection needs cross-product monitoring, geographic patterns, and payment-method velocity checks.
Advanced liveness combines behavioural biometric analysis, document forensics, and presentation attack detection certified under independent standards such as iBeta PAD Level 1 and Level 2. The operator without a unified customer identity layer has the same exposure to multi-accounting as it does to missed CDD triggers.
08 · Markers of Harm Monitoring
The five Markers of Harm Malta operators must monitor
The MGA Player Protection Directive requires every B2C licensee to monitor five mandatory markers across active accounts and respond within documented procedures. Above a few thousand active players, near-real-time automated detection is the only practical way to keep up.
Markers of Harm sit at the intersection of player protection and AML. A player showing Markers of Harm may also be exhibiting patterns consistent with a mule account. The MLRO and responsible-gaming teams must share information on flagged accounts, so symptoms of the same underlying issue are not treated as separate matters.
09 · Suspicious Activity and STR Workflows
How STR reporting works under Malta's same-day rule
A Suspicious Transaction Report must be filed on the same day the MLRO determines that knowledge or suspicion exists. Staff must escalate to the MLRO no later than the next working day from detection. The deadline tightened from five working days in September 2020.
Red flags that should trigger STR consideration
Rapid deposit and withdrawal cycles with minimal or no gaming activity
Deposits clustering just below EUR 2,000, a structuring indicator
Multiple payment methods on one account in a short period
Geographic inconsistency between declared residence and transaction IP
Sudden large deposits inconsistent with prior history
Withdrawal reversal patterns consistent with Markers of Harm
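The red flags above only become evidence when they are rules that run over customer activity and leave a record of what fired. The following Python is an added example, not the page's or any vendor's code, that implements four of them (structuring just below EUR 2,000, rapid deposit-and-withdraw cycles with little play, several payment methods in a short period, and IP country disagreeing with declared residence) over a constructed event log for one customer. The thresholds (a 90-100% band of the CDD figure, a 48-hour cycle window, a 10% wagering ratio, three methods in seven days) are assumptions a real operator would calibrate; the event format and the customer activity are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

CDD_THRESHOLD_EUR = 2000.0


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str                         # "deposit" | "wager" | "withdrawal"
    amount_eur: float
    method: Optional[str] = None      # payment method, deposits and withdrawals only
    ip_country: Optional[str] = None  # geolocated transaction IP


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


def structuring(events: List[Event], band: float = 0.90, min_hits: int = 2,
                window: timedelta = timedelta(days=30)) -> List[Alert]:
    """Repeated deposits parked just under the CDD threshold (assumed band 90-100%)."""
    lo = band * CDD_THRESHOLD_EUR
    hits = [e for e in events if e.kind == "deposit" and lo <= e.amount_eur < CDD_THRESHOLD_EUR]
    for i, first in enumerate(hits):
        cluster = [h for h in hits[i:] if h.ts - first.ts <= window]
        if len(cluster) >= min_hits:
            return [Alert("structuring",
                          f"{len(cluster)} deposits in EUR {lo:.0f}-{CDD_THRESHOLD_EUR:.0f} within {window.days} days")]
    return []


def rapid_cycle(events: List[Event], max_gap: timedelta = timedelta(hours=48),
                max_play_ratio: float = 0.10) -> List[Alert]:
    """Deposit followed by a withdrawal with little or no gaming in between."""
    alerts = []
    for d in (e for e in events if e.kind == "deposit"):
        later = [e for e in events if d.ts < e.ts <= d.ts + max_gap]
        wagered = sum(e.amount_eur for e in later if e.kind == "wager")
        if any(e.kind == "withdrawal" for e in later) and wagered < max_play_ratio * d.amount_eur:
            alerts.append(Alert("rapid_cycle",
                                f"EUR {d.amount_eur:.0f} deposited {d.ts:%Y-%m-%d}, withdrawn within "
                                f"{max_gap.total_seconds() / 3600:.0f}h after EUR {wagered:.0f} wagered"))
    return alerts


def payment_method_churn(events: List[Event], min_methods: int = 3,
                         window: timedelta = timedelta(days=7)) -> List[Alert]:
    """Several distinct funding methods on one account in a short period."""
    funded = [e for e in events if e.kind == "deposit" and e.method]
    for i, first in enumerate(funded):
        methods = {e.method for e in funded[i:] if e.ts - first.ts <= window}
        if len(methods) >= min_methods:
            return [Alert("payment_method_churn", f"{sorted(methods)} used within {window.days} days")]
    return []


def geo_mismatch(events: List[Event], declared_country: str) -> List[Alert]:
    """Transaction IP country disagrees with the declared country of residence."""
    foreign = sorted({e.ip_country for e in events if e.ip_country and e.ip_country != declared_country})
    return [Alert("geo_mismatch", f"declared {declared_country}, transactions from {foreign}")] if foreign else []


def evaluate(events: List[Event], declared_country: str) -> List[Alert]:
    """Run every rule over one customer's events in time order; output feeds the MLRO queue."""
    events = sorted(events, key=lambda e: e.ts)
    return (structuring(events) + rapid_cycle(events)
            + payment_method_churn(events) + geo_mismatch(events, declared_country))


def at(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed activity for a customer who declared residence in MT.
SUSPECT = [
    Event(at("2026-02-01 10:00"), "deposit", 1900.0, "card", "MT"),
    Event(at("2026-02-01 12:00"), "wager", 50.0),
    Event(at("2026-02-02 09:00"), "withdrawal", 1850.0, "card", "MT"),
    Event(at("2026-02-10 10:00"), "deposit", 1950.0, "ewallet", "TR"),
    Event(at("2026-02-12 11:00"), "deposit", 300.0, "crypto", "MT"),
    Event(at("2026-02-14 18:00"), "deposit", 150.0, "card", "MT"),
]
# Constructed ordinary activity: one small deposit, then play, no withdrawal.
CLEAN = [
    Event(at("2026-02-01 10:00"), "deposit", 200.0, "card", "MT"),
    Event(at("2026-02-01 20:00"), "wager", 120.0),
    Event(at("2026-02-05 20:00"), "wager", 60.0),
]

if __name__ == "__main__":
    for a in evaluate(SUSPECT, "MT"):
        print(f"{a.rule:<22} {a.detail}")
    print("clean customer alerts:", evaluate(CLEAN, "MT"))
```

Each alert carries the rule name and the facts that fired it, which is the material the MLRO's decision log needs whether the outcome is a filing or a documented dismissal. The rules are deliberately independent so that a change to one threshold can be evidenced without re-deriving the others.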
The MLRO must document every decision. Automated monitoring scores and queues suspicious activity; the MLRO records the reasoning behind every decision to file or dismiss. A dismissed suspicion that is not documented is as much an audit risk as a missed filing.
Tipping-off is prohibited: Operators cannot notify a customer that an STR has been filed, and the prohibition extends to all staff with knowledge of the filing.
10 · Evidence to Prepare for an FIAU Examination
What evidence an FIAU examination requires
An examiner asks for records, not narrative. Across eight control areas you need timestamps, ledgers, screening logs, decision logs and retention proof. This is the minimum set, and operators who cannot produce it face greater enforcement exposure.
Customer identity
Document check result, liveness result, timestamp, and audit trail for every customer at the CDD stage
EUR 2,000 threshold
Customer-level deposit ledger across products and outlets, calculation log, date reached, date CDD initiated
CDD completion
Documents requested and received, date of completion, Customer Risk Assessment result and criteria applied
PEP and sanctions screening
Screening date and method, match logic, false-positive resolution reasoning, re-screening schedule
EDD where applicable
Source-of-funds documentation, risk-based rationale, senior management approval for PEPs
Ongoing monitoring
Alert rule configuration, risk-score change history, Markers of Harm trigger log, player interaction records
STR workflow
MLRO decision log, escalation record, goAML filing timestamps
Record retention
Retention schedule, documented basis, evidence records held for the required minimum period under PMLFTR
Source: MGA Annual Report 2024, AML/CFT examination statistics. In 2024, 43 new examinations were opened and 60 examination reports were completed.
11 · Vendor Evaluation Scorecard
How to evaluate a Malta iGaming KYC vendor
Score each vendor 0 to 5 against criteria drawn from Malta's actual requirements, and rule out any vendor that scores below 3 on a mandatory row. The full guide carries all 18 criteria. The first five are below.
| # | Evaluation criterion | Score 0–5 |
|---|---|---|
| 1 | Customer-level deposit aggregation across all products, brands, and outlets | |
| 2 | Automated CDD trigger at the EUR 2,000 threshold with a configurable 180-day window | |
| 3 | Document verification covering every accepted jurisdiction with authenticity checks per document type | |
| 4 | Liveness and PAD conformant with ISO/IEC 30107-3, iBeta Level 1 minimum, Level 2 for high-risk | |
| 5 | Synthetic identity document detection | |
13 additional criteria in the full guide
AML watchlist coverage, PEP re-screening, Markers of Harm alerting, MLRO STR workflow, device fingerprinting, audit-trail logging, GDPR cross-border handling, deployment options, ISO 27001, AMLR 2027 readiness, and examination-support SLAs.
Red flag: A vendor that confirms AML screening but cannot show PEP re-screening logs, alert timestamps, and MLRO decision workflow evidence may not have sufficient monitoring evidence for Malta gaming. Confirm capability with evidence, not with sales claims.
12 · Implementation Blueprint
A 30/60/90-day Malta compliance remediation plan
Remediation is a structured programme, not a single purchase. Close the highest-enforcement-risk gap first (the cross-product customer data architecture), then work outward to vendor selection and operational readiness.
The full guide expands each phase into a week-by-week plan, from the two-week self-audit to the cutover KPI baseline.
13 · How Shufti Maps to Malta Gaming Controls
How Shufti supports Malta iGaming compliance
Shufti is a global identity verification and AML screening platform serving 2,000+ enterprise customers in 240+ countries and territories. It combines document verification, face verification, AML screening, device intelligence and risk assessment in one system, and produces the timestamps, logs and audit trails an FIAU examination asks for.
| Malta control | Evidence produced | Shufti capability |
|---|---|---|
| Customer Risk Assessment | Risk tier assignment, scoring criteria, date of assessment | User Risk Assessment, configurable rules engine, real-time scoring |
| MLRO workflow and STR support | Decision log, queue timestamp, escalation record | MLRO dashboard with configurable alert queues and routing |
| Data residency and GDPR | DPA documentation, transfer-mechanism records | SaaS, Private Cloud and On-Premise deployment, ISO 27001, GDPR-compliant processing |
Deposit aggregation, Markers of Harm workflows, STR routing, and cross-product audit trails depend on integration with operator transaction, player-activity, and case-management systems. Shufti supports these workflows when the relevant operator data is connected and configured. Shufti is a technology provider and does not offer legal or regulatory advice.
Frequently Asked Questions
What penalty did the FIAU impose on Stanleybet Malta?
On 23 March 2026 the FIAU imposed an administrative penalty of EUR 225,730 on Stanleybet Malta Limited, plus a periodic penalty of EUR 2,000 per day until remediation. The grounds were failures to identify customers, conduct CDD, carry out customer risk assessments, monitor relationships, and link cumulative transactions across the betting network. The decision is subject to an operator appeal.
When does the EUR 2,000 CDD threshold apply?
FIAU Implementing Procedures Part II require operators to complete Customer Due Diligence and a Customer Risk Assessment by the player's first withdrawal, or when cumulative deposits over any 180-day rolling period reach EUR 2,000, whichever is earlier. Tracking is customer-level across all products, brands, channels and outlets, not per transaction or per outlet.
Does reaching EUR 2,000 trigger Enhanced Due Diligence?
No. The threshold triggers CDD and a Customer Risk Assessment. EDD is a separate, higher-intensity obligation that applies when the risk assessment identifies high risk, when the customer is a PEP, or when suspicious activity is detected. A standard-risk customer who reaches EUR 2,000 completes CDD and a risk assessment, not EDD.
Who regulates AML compliance for Malta iGaming operators?
Two regulators. The Malta Gaming Authority holds the licensing and gaming-compliance mandate under the Gaming Act, Chapter 583, with penalties up to EUR 500,000 per infringement. The FIAU supervises AML/CFT obligations under the PMLFTR, S.L. 373.01, receives STRs, and issues administrative fines. A single failure can trigger action from both.
What is the STR filing deadline in Malta?
Under current FIAU procedures, a Suspicious Transaction Report must be submitted on the same day the MLRO determines that knowledge or suspicion of money laundering or terrorist financing exists. Employees must report internally to the MLRO no later than the next working day from detection. Operators cannot tip off the customer that an STR has been filed.
What evidence does an FIAU examination require?
At minimum, verification records with timestamps and audit trails, a customer-level deposit ledger and threshold calculation log, CDD completion records and the Customer Risk Assessment result, PEP and sanctions screening logs with false-positive reasoning, source-of-funds documentation for EDD cases, the MLRO decision log and goAML filing timestamps, ongoing monitoring and Markers of Harm logs, and record-retention evidence.
When does the EU AMLR apply to gaming operators?
The EU Anti-Money Laundering Regulation, Regulation 2024/1624, applies directly to gaming operators from 10 July 2027. Unlike previous directives it applies without national transposition, and gaming operators offering cross-border services fall within scope.
How does Shufti support Malta iGaming compliance?
Shufti combines document verification across 10,000+ document types and 240+ countries, iBeta PAD Level 1 and Level 2 certified face verification, AML screening across 1,700+ watchlist sources, device intelligence, and configurable risk assessment in one platform deployable via API, SDK or no-code editor. It produces verification timestamps, screening logs, risk scores and audit trails operators can present in an FIAU examination.