First, the headline truth: it’s not a separate licence class
Malta’s shake-up isn’t a brand-new “crypto casino licence.” In January 2023 the Malta Gaming Authority (MGA) published a Policy on the use of Distributed Ledger Technology (DLT) by Authorised Persons. It lets existing or new MGA licensees accept virtual assets and/or run DLT components—but only with prior MGA approval and under extra safeguards.
What Malta actually changed (and why it matters)
Prior approval, not a free-for-all. Any operator that wants to use DLT or accept virtual assets must apply through the MGA’s LRMS portal. Approvals cover things like accepted coins/tokens, wallet set-ups, third-party providers and whether any “innovative technology arrangements” (smart contracts, on-chain components) are used.
Classify the assets and show legal opinions. Applicants must list every DLT asset they will accept and its legal classification (e.g., “virtual financial asset” under Malta’s VFA Act) and may be asked for a legal opinion. Adding new assets later needs fresh approval.
Wallet rules and player withdrawals. If an operator uses its own wallets to hold player funds, it must demonstrate security controls, respect withdrawal requests, and follow specific procedures if a player changes the destination wallet. Refusals are exceptional and trigger reporting to the MGA.
Using custodians and processors. Third-party providers that offer custody or accept VFAs on the operator’s behalf must themselves be properly authorised under applicable law (e.g., VFA Act). Operators can accept VFAs directly via their own wallets or route via a licensed service provider.
Your platform is not an exchange. If a site accepts both fiat and VFAs, it must treat them separately—no running a de-facto exchange, except limited closed-loop virtual tokens. Fees have to be shown clearly on deposit/withdrawal pages.
Exchange-rate and reporting discipline. Operators must nominate an exchange (or a documented averaging method) and use a consistent month-end EUR rate for player-funds, fees and tax reports—changing the reference requires notice to the MGA.
Audits for DLT components and smart contracts. If games or other essential components run fully/partly on a public chain, the MGA can require an MDIA-registered systems audit. Smart-contract bugs don’t excuse liability—operators remain responsible for player losses and must still meet AML/CDD obligations.
AML/monitoring is front and centre. Policies require risk assessments, transaction monitoring/analytics and procedures that account for VFA-specific risks (custodial wallets, automated payouts, etc.).
Transition from the sandbox. Approvals previously granted under the MGA’s DLT/VFA sandbox stayed valid, but operators had three months to implement the new Policy’s extras. The MGA also updated its system documentation/audit checklists to reflect the change.
The 2025 context: EU Travel Rule and MiCA turned “nice to have” into “must have”
From 30 December 2024, the EU’s Travel Rule applies to crypto transfers. The EBA’s binding guidelines set what sender/recipient information must accompany transfers and when “self-hosted wallet” checks apply. That directly affects the payment partners and custodians many MGA operators rely on.
At the same time, the EU’s MiCA regime entered application, with ESMA rolling out Level-2/3 policy and market-abuse guidance in 2024–2025. For casinos touching EU rails, these frameworks shape token/custodian selection and incident handling.
Malta’s FIAU also echoed the EU stance with local Travel-Rule guidance (Dec 30, 2024), reinforcing that PSPs/CASPs moving crypto must carry the prescribed information.
Case study: an MGA operator adds crypto the “Malta way”
Background. A mid-market .com operator with an MGA B2C licence wants to accept USDT/USDC and BTC withdrawals. Pre-2023, it experimented under the sandbox; in 2025 it formalises via the DLT Policy route.
Step 1 — Scope and assets. The team defines the exact coin list and files an LRMS application, classifying assets and attaching a legal memo. Any future coin additions are documented as separate updates.
Step 2 — Wallet architecture. They choose a licensed custodian for deposits while keeping an internal hot-wallet for payouts, documenting key-management and access controls. They also implement per-currency gaming wallets so deposit limits work cleanly.
Step 3 — Player experience and disclosures. The cashier shows network/fees up front and warns that changing a withdrawal address can trigger verification or exceptional refusal/reporting.
Step 4 — Reporting and finance. Finance nominates a reference exchange and locks the month-end EUR rate for liabilities/fees/tax reports, notifying the MGA if the reference changes next month.
Step 5 — AML + Travel Rule. Compliance deploys blockchain analytics and counterparty screening and updates procedures so the custodian’s Travel-Rule messages reconcile with KYC files for withdrawals.
Step 6 — Tech governance. If any game logic uses smart contracts, they commission an MDIA-registered audit and build a fallback plan to compensate players if code misbehaves.
Result. Approval lands with conditions. The operator can market crypto payments—but with exchange-rate, reporting and AML obligations that make it look a lot like fiat from a governance standpoint. That’s the point.
How this “shook” the industry
It raised the compliance bar in a popular hub. Malta’s approach effectively told crypto-curious brands: you can offer it, but you’ll do it under bank-grade rules—and show your homework. That repositioned Malta versus historic “light” regimes.
It arrived as other hubs tightened too. In 2025 Curaçao extended provisional “Green Seal” licences to 24 December 2025 while it processes applications under its stricter LOK regime—ending the era of easy sub-licensing and pushing operators toward fuller compliance.
It clarified player protections in crypto contexts. Deposit limits, exchange-rate rules, and withdrawal-address handling are spelt out, reducing grey areas that used to create disputes at cash-out.
It aligned iGaming plumbing with EU finance law. With the Travel Rule and MiCA now live, Malta’s DLT policy fits neatly into the EU compliance stack—making it easier for regulated PSPs/custodians to service MGA-licensed brands.
What players actually notice on MGA-licensed crypto sites
Clearer fees and rates. Cashiers must show network fees and use a consistent reference rate in monthly reporting; no “surprise spreads” mid-month.
Withdrawal address friction. Changing destination wallets may require extra checks and, in rare cases, refusal plus reporting to the MGA.
No in-platform swapping. You won’t find a built-in exchange between fiat and coins; assets are treated separately except for limited closed-loop tokens.
Operator checklist for a smooth MGA crypto approval
- Map your coins, networks and providers; classify assets and plan legal opinions.
- Decide wallet custody (own vs licensed third-party) and document security controls.
- Lock an exchange-rate policy and build month-end reporting routines.
- Wire up Travel-Rule messaging with your custodian and AML analytics for on-chain risk.
- If using smart contracts/on-chain game logic, budget for MDIA audits and recovery plans.
- File via LRMS and be ready for conditions/extra safeguards.
FAQs
Is there a special “crypto casino licence” in Malta?
No. Crypto use sits under the MGA DLT Policy as an approval on top of your MGA licence, not a separate licence class.
Can an MGA operator accept crypto without a custodian?
Yes, with approval—either via its own wallet structure or via an authorised third-party provider. Each path has documentation and control requirements.
Why is 2025 different from the old sandbox era?
The sandbox ended with a three-month transition; today the policy integrates EU-level obligations (Travel Rule/MiCA), so partners and auditors expect tighter controls.
How does this compare to Curaçao now?
Curaçao’s 2024-25 LOK reform also raised standards and extended provisional licences to December 24, 2025 while the new authority processes applications. Both hubs are converging on stricter AML and consumer-protection norms.
