Malta iGaming License, MiCA & Banking: Scaling to Full Compliance in 2026
How Web3 iGaming operators scale into Malta and MiCA
Anurag Sinha Roy
Back to all posts
Malta and MiCA: When Do You Need Each?
The Malta iGaming license is used by operators ready to scale, requiring €40,000–€100,000 in capital and 4–6 months to set up, while MiCA applies to crypto platforms that hold or transfer user funds, requiring €50,000–€150,000 and 3–6 months for approval.
The decision to leave an offshore license for full compliance depends on the maturity of the business. New operators need speed. However, established platforms must trade that flexibility for European legal approval, access to major banks, and strict internal audits.
Summary:
The MiCA Deadline (July 2026): By July 1, 2026, the transition period ends. If a platform interacts with EU users, a formal CASP (Crypto-Asset Service Provider) license is required to operate legally.
The Custody Rule: If a platform holds or controls player funds, the law views the entity as a custodian. This triggers MiCA’s strict rules for safeguarding user money.
Malta’s High Standard: A Malta Gaming Authority (MGA) license provides strong global credibility. Depending on game types, platforms must maintain €40,000 to €100,000 in paid-up capital, with additional ongoing compliance and operational costs.
Unlocking Bank Accounts: Access to SEPA and SWIFT banking requires compliance with FATF Travel Rule obligations. This includes collecting and transmitting sender and receiver identity data. But approval is not guaranteed as banks apply independent risk and compliance assessments.
The Dual License Reality: A CASP authorization only covers crypto activity. To handle regular fiat money, a partnership with an EMI (Electronic Money Institution) or a separate Payment Institution setup is necessary.
The most effective approach is phased. Moving from jurisdictions like Anjouan and Curaçao into Malta typically happens once revenue is stable, compliance teams are in place, and access to major fiat banks becomes necessary.
Feature:
Feature | MiCA / CASP | Malta iGaming License |
Primary Intent | Crypto asset compliance & custody | Institutional iGaming operations |
Capital Requirement | €50k – €150k | €40k – €100k |
Entry Time | 3–6 months | 4–6 months |
Banking Access | Required for approval, not guaranteed | Improves access to EMIs/banks |
Scope | EU-wide via passporting | Jurisdiction-specific |
Operational Requirement | CASP authorization + governance | Local entity, directors, compliance staff |
Navigating the 2026 European Regulatory Directives
Legislative frameworks across the continent are rapidly consolidating to eliminate gray-market operations and enforce unified consumer protection standards. At the center of this systemic shift is Regulation (EU) 2023/1114, widely recognized within financial sectors as MiCA. This comprehensive legislative package establishes a harmonized rulebook for digital asset issuance, trading, and service provision across all twenty-seven member states.
A critical threshold arrives on July 1, 2026, marking the definitive expiration of the 18-month transitional regime for legacy operators. Following this specific date, the deployment of tokenized services without formal authorization becomes a severe legal liability.
However, treating this date as a universal extension is a dangerous miscalculation. The European Securities and Markets Authority (ESMA) explicitly permits national regulators to shorten this grandfathering window. Several member states have aggressively compressed their transition periods to 12 or even 6 months, creating a highly fragmented enforcement map prior to the 2026 ceiling.
Securing official CASP status unlocks the mechanism of passporting, fundamentally altering the total addressable market for compliant entities. Operating a fully authorized infrastructure theoretically grants the legal right to serve users across the European bloc without establishing redundant local corporate entities. In reality, successful passporting still heavily depends on specific national implementation nuances and the explicit approval of the home-state regulator.
Conversely, failing to achieve this standard invites punitive enforcement actions orchestrated by supervisory authorities. Operating an unauthorized platform post-transition carries catastrophic risks, primarily heavy administrative fines, immediate suspension of operations, and the formal withdrawal of authorization.
New EU Crypto Rules (MiCA 2026)
What is MiCA and who does it apply to?
MiCA or Markets in Crypto-Assets Regulation is the EU Regulation 2023/1114 created to regulate gray markets and protect users. It requires companies that handle crypto (like wallets, exchanges, or platforms holding user funds) to get a license, follow strict compliance rules, and protect users’ money. Once approved, these companies can operate across all EU countries under one license.
Crypto-Asset Service Provider Status under MiCA
CASP under MiCA is a company that can legally offer services like holding crypto for users, running exchanges, or transferring crypto assets. To get CASP status, a company must follow three things:
1. Be authorized by a national regulator
No one can provide crypto-asset services in the EU unless authorized as a CASP.
2. Meet capital and compliance requirements
Under MiCA (Article 67 + ESMA standards), CASPs must meet capital requirements. A CASP must hold the higher of:
A fixed minimum amount:
€50,000
€125,000
€150,000
(depending on the service) OR25% of its yearly operating costs (fixed overheads)
What this means in practice
The company must always have enough financial buffer
This capital must be:
real company funds (equity, reserves)
available at all times
It is used to:
cover losses
protect users
ensure the business doesn’t collapse suddenly
3. Governance, risk, and internal systems
Governance systems
The iGaming business must have a clear structure of control and responsibility. Under MiCA, this includes:
Identifiable management (people responsible for decisions)
Clear roles and responsibilities
Oversight of operations
Someone must be in charge, accountable, and qualified to run the business properly.
Risk controls
The brand must identify, monitor, and manage risks.
Under MiCA, this includes:
Detecting financial risks
Preventing fraud or misuse
Monitoring operational failures
The company must have systems to spot problems early and prevent losses or abuse.
Internal procedures
The organisation must have written rules for how it operates.
Under MiCA, this includes:
How transactions are handled
How complaints are managed
How compliance checks are done
The company must follow clear internal rules for daily operations, not act randomly.
4. Follow rules related to safeguarding funds
What does MiCA actually require?
1. Do not use client funds for your own business
Client assets cannot be used by the company
They must only be used for the client
You cannot spend or trade with user money.
2. Keep client funds separate
Client funds must be kept separate from company funds
Must be clearly identifiable
User money and company money must never be mixed.
3. Protect ownership rights (even if the company fails)
Systems must ensure users still own their assets
Protection applies even in insolvency
If the company collapses, user funds should still belong to the users.
4. Store funds safely (bank / central bank)
Client funds must be placed in a bank
And in separate accounts
User money must be stored safely, not just kept internally.
Securing CASP status allows a company to use passporting. So it can offer services across the EU without needing to set up a company in every country. But this is not completely automatic. The company has to inform its regulator to follow all the necessary processes. Only then can they extend to other countries.
If a company does not get authorization, it cannot operate legally. After the transition period, regulators can impose fines, stop operations, and block the company from providing services.
License Cost and Wait Times
It is one thing to have a strategy, another to have a tactical approach to execute it. Getting CASP approved under MiCA is not the same for every company. The requirements change depending on the types of services provided. The country where the brand will operate first also matters.
For custodial Web3 casinos, capital requirements are intrinsically linked to risk.
MiCA establishes strict capitalization tiers:
Service Type | Capital Requirement | What it Means |
Order Execution (Class 1) | €50,000 | Basic services with lower risk exposure |
Custody (Class 2) | €125,000 | Holding and safeguarding user funds |
Trading Platform / Exchange (Class 3) | €150,000 | Highest risk, handling trading and liquidity |
How Long Does MiCA Approval Take and What Delays It?
Modern gambling platforms safeguard users' stablecoins and utility tokens. This places them in higher capital requirement tiers and requires stronger treasury planning
A CASP application typically takes 3 to 6 months of regulatory review, creating a delay between applying and becoming operational
Operating while an application is pending is only allowed during the transitional period. It depends on the jurisdiction; new operators cannot rely on 'application pending' to start operations
Delays can be reduced by choosing efficient EU entry points like Cyprus, Lithuania, or France before expanding through passporting
Rules for Handling Player Funds
Crypto iGaming platforms are moving beyond traditional black box systems toward more transparent Web3 architectures. Blockchain enables visibility through models like the Glass Vault, but many crypto casino and sportsbook platforms still operate on custodial infrastructure where the operator controls player funds.
Naturally, depositing tokens into a central vault places a platform under financial regulation. Because the business controls these assets, it is legally classified as a "digital asset custodian." This classification requires compliance with MiCA rules, including strict separation of company funds and player deposits.
It is important to remember that technological transparency does not eliminate legal liability. The blockchain provides a verifiable public ledger of transactions, but the burden of safeguarding those assets, verifying the identities of the depositors, and reporting suspicious activities rests entirely on the corporate entity. Ignoring this custodial reality and attempting to hide behind the label of "decentralized finance" is the fastest route to regulatory enforcement.
How the Malta Licensing System Works
To get a top-tier gaming license, an iGaming brand needs a strong local setup and a serious commitment. The Malta Gaming Authority is a major choice for companies moving into regulated markets. To join, a business must follow strict financial and legal rules to prove it is stable.
So, what are the steps in obtaining a Malta license? The first step is a non-refundable administrative fee of €5,000. This is the first guardrail before even due diligence starts. This is followed by strict technical and corporate auditing. Only when that is done, approved B2C platforms pay a fixed annual license fee of €25,000, payable in advance. B2B providers follow a similar structure, with a €5,000 application fee and a €25,000 annual license fee, but are not subject to the GGR-based compliance contribution.
Rules about keeping money in the business are the core of the safety system. The lowest amount of money required depends entirely on the services being provided.
So, what are the capital requirements for a Malta gaming license, Type 1 operations?
Type 1 (RNG-driven games of chance) requires a minimum statutory paid-up capital of €100,000.
What about Type 2 operations?
Type 2 (fixed-odds betting and sportsbooks) also requires a minimum statutory paid-up capital of €100,000.
What are the requirements for Type 3 operations?
Type 3 (peer-to-peer systems or betting exchanges) requires a minimum statutory paid-up capital of €40,000.
Lastly, what is needed for Type 4 operations?
Type 4 (controlled skill games) also requires a minimum statutory paid-up capital of €40,000. Platforms offering only Type 4 also benefit from a reduced fixed annual license fee of €10,000.
Do B2B providers have the same capital requirements?
Yes. Critical Gaming Supply (B2B) entities are also subject to a €40,000 minimum capital requirement.
With all that in mind, do regulators require more than the minimum capital?
Yes. Regulators may require additional financial buffers depending on the risk profile of the business.
How long does it take to get a Malta gaming license?
Getting a Malta gaming license typically takes 7 to 12 months, depending on how complete the application is and how complex the platform setup is.
Can an iGaming brand start operating while the application is pending?
No. Operators cannot offer any gaming services until the Malta Gaming Authority officially grants the license.
Do they need a Malta company to apply?
Yes. The applicant must be an eligible entity, which typically requires setting up a company registered in Malta.
What are 'Fit and Proper' checks?
The Malta Gaming Authority reviews all owners and directors, checking financial history, criminal records, and professional reputation.
Category | Definition of Service | Statutory Paid-Up Capital | Fixed Annual Levy |
Type 1 | RNG-driven games of chance (Casino, Slots) | €100,000 | €25,000 |
Type 2 | Fixed-odds betting and Sportsbooks | €100,000 | €25,000 |
Type 3 | Peer-to-peer gaming and betting exchanges | €40,000 | €25,000 |
Type 4 | Controlled skill games | €40,000 | €10,000 (if sole service) |
B2B Supply | Critical software and network provisioning | €40,000 | Variable by application |
In addition to fixed fees, the Malta system also uses a tax that is based on how much money the platform makes. For Type 1 games, the fee starts at 1.25% for the first €3 million and drops to 1.00% for the next €4.5 million. This total fee never goes above €375,000 per year.
Getting a license is only the first step. Staying legal is another ball game. Operators must follow strict rules to stop illegal money. Every year, a detailed risk form must be sent to the FIAU (Financial Intelligence Analysis Unit), Malta's anti-money laundering unit. This comprehensive self-assessment report forces operators to make sure that all safety and security systems are working as they should.
Key Points:
The Malta Gaming Authority follows a structured 5-stage process:
Fit and Proper checks on UBOs, directors, and key persons
Source of funds and financial review
Business and operational assessment
Technical system review and staging
Final independent system audit before go-live
Operators cannot legally offer services or process player funds while the application is under review.
After approval, operators are given a 60-day window to complete system integration and go live. Failure to launch within this period can result in the application being closed.
Resolving the Fiat Banking Gap and Dual Licensing
Traditional financial institutions view digital asset flows with extreme prejudice. This friction shows up continuously as de-risking. What we mean by that is a systemic practice where payment providers abruptly terminate the fiat accounts of blockchain-associated businesses. They do so to avoid theoretical legal risks.
To get past this major problem, a business must prove it follows Recommendation 16. This is a global rule known as the Travel Rule, created by the Financial Action Task Force (FATF). It requires crypto companies Virtual Asset Service Providers (VASPs) to ensure that identifying information follows digital transfers, especially for cross-border activities.
This information must include:
The sender's official legal name
Their account details
Either their home address, national ID, or date of birth
At the same time, similar information for the person receiving the money must travel with the transaction. Following these rules does not guarantee that a bank will say yes. But it is the minimum needed to avoid automatic rejection and to start a conversation with an Electronic Money Institution (EMI).
FATF Mandate Component | Required Intelligence Payload | Operational Governance Implication |
Originator Identification | Full legal name, account number, physical address, and national ID/DOB. | Requires stringent, localized KYC onboarding prior to any wallet interaction. |
Beneficiary Verification | Legal name and destination account parameters. | Automated screening of all outbound transaction destinations against sanctions lists. |
Transmission Mechanism | Immediate and secure sharing of data alongside the asset transfer. | Necessitates integrated middleware capable of bundling verified human identity with crypto execution. |
It must be remembered that 2026 also introduces the friction of Dual Licensing. Yes, holding a CASP authorization legally covers the custody and transfer of cryptographic assets. But if the platform requires seamless interaction with traditional fiat rails (SEPA/SWIFT), the CASP alone is insufficient.
Operators now need to navigate the dual requirement of partnering with, or independently acquiring, an authorized Payment Institution (PI) or EMI license to legally process fiat withdrawals.
Closing the Audit Gap with Glass Vault
While regulators still require human oversight (MLROs), the Glass Vault architecture removes the biggest headache in iGaming: the Trust Gap.
By meticulously recording every deposit, wager, and yield on-chain, the platform provides internal compliance officers with immutable, real-time evidence. This replaces traditional 'black box' reporting with a transparent ledger that regulators and banks trust. This makes the annual audit (AUP) and financial reporting significantly faster and more accurate.
Key Takeaways for Compliance
Varying Deadlines: While the final MiCA deadline is July 2026, many countries have much shorter timelines. It is necessary to check the specific rules in each country to avoid missing an early cutoff.
Budget Beyond the Minimum: The €100,000 MGA minimum and the €125,000 MiCA custody capital requirement are only the starting points. More money is required to cover local staff, taxes, and safety buffers.
Custody Responsibility: Controlling player funds removes the decentralized status. The platform must follow the strict custody laws that apply to financial institutions.
The Two-License Gap: A CASP license handles crypto, but it does not cover regular money. To keep bank accounts and cash flowing, a second license (EMI or PI) is usually required.
Human Risk Management: Blockchain transparency alone is not enough to satisfy banks. A team of real experts must manage risk and use the ledger as a tool to prove that the business is compliant.
Requirements for Growing a Business
Targeting the Right Country: Applying for a license in Cyprus, Lithuania, or France is a strategic move. These countries are efficient entry points that allow a business to use passporting rights to work across the entire European Union.
Real Presence in Malta: A Malta license requires a real office and local staff. This includes resident directors and a compliance team to handle the mandatory REQ reports for the FIAU.
Following the Travel Rule: Using technology that meets Recommendation 16 is mandatory. This software attaches verified identity data (KYC/KYB) to every digital transfer.
System for Audits: The platform must generate real-time reports on player funds. This data is used by outside accounting firms to perform official checks called Agreed-Upon Procedures (AUPs).
FAQ
How long does it take to prepare a MiCA application?
Preparation typically takes 1 to 3 months before the application is sent. This time is used to organize documents, build a compliance plan, and set up the management team.
Can a company hold both a Malta license and a CASP license?
Yes. Many businesses use a dual structure. One entity holds the Malta license for betting, while a linked entity holds the CASP authorization for crypto activities.
Do MiCA rules apply to companies outside the EU?
Yes. If a platform serves people living in the EU, MiCA laws apply. Being registered in an offshore location does not allow a business to ignore these rules if it has European users.
What happens if a CASP application is rejected?
The business must stop offering crypto services in the EU immediately. A new application is only possible after fixing the specific problems found by the regulator.
Are stablecoins treated differently under MiCA?
Yes. Stablecoins have much stricter rules. Because they are classified as ARTs or EMTs, they require more money in the bank and more frequent transparency reports.
Can a Malta operator use a third-party payment provider?
Yes. Most platforms partner with a licensed EMI (Electronic Money Institution) instead of getting their own payment license. This is a standard way to handle regular money.
Do all crypto transfers require the Travel Rule?
In the EU, yes. Under the Transfer of Funds Regulation (TFR), there is no minimum amount. Every transfer between service providers must include the verified names and IDs of both the sender and receiver.
Is a real office in Malta required after the license is granted?
Yes. Ongoing substance is mandatory. This means keeping a physical office, local directors who live in Malta, and a compliance team on the island.
How often do audits happen for Malta-licensed operators?
Financial audits happen every year. Other checks, called Agreed-Upon Procedures (AUPs), happen periodically to verify that player funds are safe and the technology is working correctly.
What is the biggest risk when moving to full EU compliance?
The biggest risk is the high ongoing cost. Paying for expert staff and monthly reports for two different legal frameworks (MGA and MiCA) is a permanent and expensive commitment.
Anjouan vs Curaçao (LOK) vs Malta (MGA)
Feature | Anjouan | Curaçao (LOK) | Malta (MGA) |
|---|---|---|---|
Primary Intent | Rapid PMF & smart contract testing | Brand standardization & B2B access | Institutional scaling & Tier 1 trust |
Target Audience | Crypto-native / Early-stage startups | Scaling Web3 & Fiat-hybrid platforms | Established global enterprises |
Base Annual Cost | €17,828 | €47,450 (B2C) / €24,490 (B2B) | €25,000 (plus variable tax) |
Application Fee | Included in base cost | €4,592 | €5,000 |
Minimum Share Capital | €0 | €0 (operational funds required) | €40,000 – €100,000 (by Type) |
Tax Rate | 0% GGR / 0% Corporate (IBC) | 2% Corporate (E-Zone) | Variable GGR tax (Max €375k/year) |
Physical Office | Not required | Required (Local entity & director) | Required (Resident staff & office) |
Setup Time | Fast (Weeks to 1 month) | 2–6 months (LOK framework) | 4–12 months |
Banking Access | Crypto-native (Wallets/Crypto EMIs) | Fiat + EMIs | Full Tier 1 SEPA/SWIFT access |
Compliance Overhead | Low (Basic AML/KYC) | Medium (LOK regulations) | High (FIAU REQ, MLRO, AUP audits) |
References:
Markets in Crypto-Assets Regulation (MiCA) – https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32023R1114
Transfer of Funds Regulation (TFR / Travel Rule) – https://eur-lex.europa.eu/eli/reg/2023/1113/oj
ESMA Crypto-Assets Policy – https://www.esma.europa.eu/policy-activities/crypto-assets
EBA Travel Rule Guidelines – https://www.eba.europa.eu/publications-and-data/final-reports/guidelines-travel-rule
Financial Action Task Force (FATF) – https://www.fatf-gafi.org/
Malta Gaming Authority (MGA) – https://www.mga.org.mt/
MGA B2C Remote Gaming Services – https://www.mga.org.mt/licensee-hub/applications/b2c-licences/remote-gaming-services/
MGA B2B Back Office – https://www.mga.org.mt/licensee-hub/applications/b2b-licences/back-office/
MGA Systems Audit – https://www.mga.org.mt/licensee-hub/compliance/systems-audit/
MGA Corporate Reporting – https://www.mga.org.mt/licensee-hub/compliance/corporate-reporting/
MGA Directive on Key Function (PMLFTR) – https://www.mga.org.mt/wp-content/uploads/Directive-on-the-Key-Function-of-the-PMLFTR.pdf
MGA Hosting and Colocation Policy – https://www.mga.org.mt/wp-content/uploads/Hosting-and-Colocation-Policy.pdf
FIAU Malta Procedures & Guidance – https://fiaumalta.org/procedures-guidance-2/
FIAU Risk Evaluation Questionnaire (REQ) – https://fiaumalta.org/what-we-do/supervision/risk-evaluation-questionnaire/
Malta Business Registry (MBR) – https://mbr.mt/
Malta Legislation Database – https://legislation.mt/
Malta Gaming Act (Cap. 583) – https://legislation.mt/eli/cap/583/eng
Gaming Authorisations Regulations (S.L. 583.05) – https://legislation.mt/eli/sl/583.05/eng
Gaming Licence Fees Regulations (S.L. 583.03) – https://legislation.mt/eli/sl/583.03/eng
Gaming Compliance and Enforcement Regulations (S.L. 583.06) – https://legislation.mt/eli/sl/583.06/eng
Gaming Player Protection Regulations (S.L. 583.08) – https://legislation.mt/eli/sl/583.08/eng
Curaçao Gaming Control Board – https://www.gamingcontrolcuracao.org/
Curaçao Gaming Control Board Portal – https://portal.gamingcontrolcuracao.org/
Curaçao Gaming Legislation – https://www.gamingcontrolcuracao.org/legislation
Curaçao LOK Transition Framework – https://www.gamingcontrolcuracao.org/lok-transition
Curaçao Gaming Authority (CGA) – https://www.cga.cw/
Anjouan Gaming Authority – https://anjouangaming.com/
Anjouan Gaming Licence Fee Schedule – https://anjouangaming.com/fee-schedule/
Anjouan Gaming Legislation – https://anjouangaming.com/legislation/
Anjouan Corporate Structuring Guidelines – https://anjouangaming.com/corporate-structuring/
Global Online Gambling Market Size, Share & Trends Analysis – https://www.grandviewresearch.com/industry-analysis/online-gambling-market
Startup Genome Global Startup Ecosystem Report – https://startupgenome.com/reports
The True Cost of Financial Crime Compliance Study (Global Report) – https://risk.lexisnexis.com/global/en/insights-resources/research/true-cost-of-financial-crime-compliance-study-global-report
Chainlink VRF Documentation – https://docs.chain.link/vrf
Ethereum Improvement Proposal 4337 (Account Abstraction) – https://eips.ethereum.org/EIPS/eip-4337