The Malta Gaming Authority (MGA) has published a thematic review highlighting weaknesses in how some online gaming operators implement self-exclusion and other player protection measures, following a supervisory exercise carried out during 2025.
The review focused on B2C licensees operating online, examining how self-exclusion tools function in practice across multiple brands and platforms. It was prompted by recurring complaints from players who were able to access other brands under the same licence despite having self-excluded.
The Authority assessed 20 licensees and 58 active URLs between Q1 and Q2 2025 through a mystery-shopping exercise. Accounts were created across three brands per operator to test whether exclusions, limits and responsible gambling tools were applied consistently.
While the MGA said overall compliance levels were broadly positive, it identified several areas where controls fell short of regulatory expectations.
Key issues
Delayed self-exclusions: Two operators failed to close accounts within 24 hours of receiving a self-exclusion request via email, while another required KYC verification before applying the exclusion – a practice the MGA said is not permitted.
Cooling-off periods not respected: One licensee allowed a player to reverse a self-exclusion without applying the mandatory cooling-off period, which under current rules must be at least 24 hours for definite exclusions and seven days for indefinite ones.
Cross-brand failures: Three licensees allowed players to register, deposit and play on another brand despite using similar identity details to previously self-excluded accounts. The MGA stressed that exclusions linked to gambling harm must apply across all brands under the same licence.
Missing limit prompts: Four operators failed to prompt players to set responsible gambling limits during registration or before the first deposit – a requirement under the Player Protection Directive.
Incomplete reality checks: Six licensees were found to have reality-check pop-ups that lacked mandatory information such as time spent, money wagered, and winnings or losses during a session.
MGA expectations for operators
The Authority reiterated that self-exclusion requests must be implemented immediately – and in any case within 24 hours – without being delayed by internal processes or verification steps. It also expects operators to maintain systems capable of detecting similar or identical player details across brands to prevent circumvention.
Recommended practices include centralised exclusion databases, real-time identity matching, stronger KYC checks at registration or first deposit, and default-enabled reality-check tools.
All findings were communicated to the relevant licensees. Operators were given the opportunity to submit rectification plans, and enforcement measures were escalated where necessary.
The regulator described the review as part of a broader effort to strengthen player protection standards and encourage proactive compliance across the sector, noting that most operators assessed demonstrated practices broadly aligned with expectations.