iGaming and Blockchain

The convergence of two dynamic industries

Main features of the sandbox environment

The sandbox environment started on 1 January 2019 and will last for a period of ten months. It is a living document, and necessary changes may be introduced throughout the period. This will help the MGA stay up to date with technological and regulatory developments in the industry.

By adopting a ‘one size fits all’ approach, the MGA has managed to create flexibility in dealing with the various risks. Such risks include, amongst others, the involvement of the authority in formalizing the law and monitoring the gaming operators; resistance from operators; ongoing costs involved in implementing the framework; and the perceived risk that each application will present. By addressing such risks, the authority is in a position to protect players and the reputation of the Maltese jurisdiction gaming license whilst catering for anti-money laundering (AML) and/or counter-terrorist financing (CTF) safeguards. Additionally, gaming operators may choose to experiment with the use of cryptocurrency on a small scale, for a limited duration and with a specific audience.

A gaming operator that wishes to use a DLT asset, prior to seeking the required approval from the MGA, must first conduct a financial instrument test. This test, which must be part of the operator’s application process, shall determine from a financial perspective the essence of the DLT asset. If proven to be a Virtual Financial Asset (VFA), the operator will be subject to the regulatory requirements set out in the VFA Act.

Gaming operators must adhere to two primary conditions in order to comply with the sandbox environment:

  1. Player identification and verification procedures for customer due diligence (CDD) purposes must be completed within 30 days of deposit;
  2. The CDD obligations carried out by the operator are triggered once the €150 threshold for withdrawals is met and/or surpassed.

When a player makes a deposit in a VFA, the operator must follow a set procedure. The player must first complete the aforementioned mandatory verification process within 30 days of the initial deposit. If the player fails to do so, the operator is obliged to block the account with the associated funds. Additionally, the operator will use the registered address derived from the player’s VFA wallet for identification purposes. However, if a player deposits from a new VFA wallet, the registered address of that wallet will also be included in the registration details. Once a wallet is identified as belonging to a particular player, withdrawals will be remitted to that address or any other verified wallet address. Matters become more complicated if the player asks to withdraw to a previously unidentified wallet address, as the player will have to go through a rigorous CDD process, regardless of meeting the €150 withdrawal threshold.

Early signs in the sandbox period indicate that gaming operators will accept payments in both fiat and VFA. In such circumstances, the fiat currencies and each individual VFA shall be considered as separate mediums of currency, and both operators and players alike are prohibited from exchanging one for another within the gaming ecosystem. Therefore, if a player deposits fiat currency, any bets placed and withdrawals effected shall continue to be channeled in fiat currency. Likewise, if a player deposits in a VFA currency, bets placed and withdrawals effected shall be made in the same VFA currency.

Despite this restriction on interchangeability, gaming operators could limit their operations to fiat currencies by using third-party service providers who exchange VFAs from players on their behalf. The only requirement according to the VFA Act is that such service providers hold a VFAA license. However, during this transitory period of the framework, providers may make use of such a function even without the necessary license issued by the MFSA (or an equivalent EU/EEA or recognised jurisdiction license).

Player protection, particularly when it comes to authorisation of player funds, has been given considerable attention. To address AML and CTF obligations, a wallet verification system has been established: verification procedures include the minimum requirement of players depositing the equivalent VFA value of €1 in their respective wallets or, alternatively, requiring players to sign their wallets with a private encrypted key.

Dealing with the volatility risk

Given the volatility risk of VFAs, financial limits throughout the sandbox period are to be considered in Euro terms, irrespective of whether the deposit was made in a VFA or not. Without prejudice to any limits outlined in the Player Protection Directive, gaming operators shall not accept deposits in VFA in excess of the equivalent maximum deposit amount set at €1,000 per player per month. It is important to highlight that this restriction is not applied at a brand level but at an operator level. In addition, as from 1 January 2019, operators are mandated to make it possible for players to set a maximum ceiling on their own personal deposit limits, separately for fiat and VFA currencies.

Therefore, if a player places a VFA deposit into their account, the operator must first confirm that the maximum deposit limit of €1,000 has not been exceeded by aggregating the player’s cumulative deposits for the month with the current deposit. Subsequently, the operator will make sure that the cumulative deposits for that month do not exceed any deposit limit specified by the player. Due to the high volatility surrounding VFAs, the value of the deposited amount may, at any point in time, be abnormally higher or lower. That is why the Euro value of the VFA is taken as converted at the point of deposit.

As per the Innovative Technology Arrangements and Services (ITAS) Act, ITAs such as smart contracts and DLT platforms require mandatory certification from a registered system auditor approved by the Malta Digital Innovation Authority (MDIA). ITAs may be accepted by the MGA only if a positive audit opinion is obtained from the registered system auditor and they comply with regulatory requirements. It is important to highlight that specified criteria defined by the MGA must be satisfied to allow the use of smart contracts.

The technical infrastructure of the DLT components must be located in Malta, in any EU or EEA member state, or in any third-party jurisdiction applying the same principles as the MGA. This will help the operator control the nodes in the ledger, as well as the location of the hosting architecture.

To conclude, the MGA had two options during the consultation process: either to block the use of cryptocurrencies, or to adopt a phased-in approach with such financial assets. The sandbox regulatory environment offers operators some freedom of action in their dealings, while at the same time allowing the authority to build a track record, monitor risks and ultimately take strides in developing the industry further.

Author: Deborah Gatt, Senior Manager
