Most platform decisions made under an MGA licence aren’t technology decisions at all. They’re constraint decisions. The provider you select determines your compliance ceiling, your integration flexibility, your ability to respond to regulatory change within weeks rather than quarters, and ultimately, your margin structure for the next three to five years. This piece lays out the specific technical, regulatory, and commercial criteria we use when evaluating MGA platform providers, and the framework we apply when advising operators on whether to buy, build, or migrate.

Why Your MGA Platform Choice is a Core Architectural Decision

The platform layer in a regulated iGaming operation isn’t middleware. It’s the regulatory surface area. Every player interaction, every transaction, every responsible gaming intervention, every AML check passes through or originates from your platform. When the MGA issues a directive or updates its technical standards, your platform is the thing that has to absorb it.

This is where white-label solutions start to hurt. The initial pitch is compelling: fast time to market, pre-built compliance, turnkey integrations. What’s rarely discussed upfront is the cost structure over time. Revenue share models that seemed reasonable at launch compound as GGR grows. Roadmap dependency means you’re waiting on your provider’s priorities, not yours. And the technical debt accumulates silently. When the MGA tightened its AML reporting requirements, operators on certain white-label platforms discovered their wallet architectures couldn’t support real-time transaction monitoring without a full re-integration. That’s not a feature request. That’s a structural problem.

For operators generating north of €5M in annual GGR, the total cost of ownership calculation almost always favours more architectural control. Not necessarily a ground-up custom build, but at minimum a platform strategy where you own the compliance-critical components: the wallet, the PAM layer, the data pipeline feeding your AML and responsible gaming systems.

The decision isn’t “which MGA platform provider should we pick?” It’s “what level of architectural control do we need, given our regulatory exposure, our market ambitions, and our three-year cost model?”

Deconstructing MGA Licensing: B2B vs. B2C Frameworks

The MGA operates a two-tier licensing model, and the distinction matters more than most technical teams realise.

A B2C licence (Type 1 through Type 4, now consolidated under the Gaming Act 2018) authorises an operator to offer gaming services directly to players. This is your operating licence. It covers casino, sports betting, poker, and other verticals depending on the specific authorisation.

A B2B Critical Gaming Supply Licence authorises a company to supply or manage a component of the gaming supply chain that the MGA deems critical. Platform providers, game developers, and RNG suppliers typically fall here. The MGA’s definition of “critical” centres on whether the supplier’s technology directly affects the outcome, fairness, or integrity of the gaming service, or whether it processes player funds.

Here’s why this matters to you as a platform buyer: if your provider holds a B2B Critical Gaming Supply Licence, the MGA has already assessed their technical infrastructure, their key personnel, and their operational processes. That’s a layer of due diligence the regulator has done on your behalf. If your provider doesn’t hold one (and some aggregators and white-label resellers operate in grey areas here), you may be carrying regulatory risk you haven’t priced in.

When evaluating providers, ask specifically: do they hold a Critical Gaming Supply Licence, or are they operating under a sub-licence or partnership arrangement with an entity that does? The compliance chain matters. If the MGA audits your operation and finds your critical supply chain isn’t properly licensed, the enforcement action lands on you.

The MGA Gauntlet: Core Criteria for Platform Providers

Obtaining and maintaining a B2B Critical Gaming Supply Licence isn’t a checkbox exercise. The MGA’s requirements are substantive, and understanding them helps you evaluate whether your potential provider is genuinely compliant or just licensed on paper.

The Fit and Proper Test

The MGA assesses the integrity, competence, and financial standing of all beneficial owners, directors, and key personnel. This includes criminal background checks, source of funds verification, and an assessment of prior industry conduct. For platform providers, this extends to the individuals responsible for the technical architecture and compliance functions.

What this means in practice: if your provider has high turnover in their compliance or technical leadership, that’s a flag. Each change in key personnel triggers a notification obligation to the MGA, and potentially a reassessment. Stability in the compliance and engineering leadership of your platform provider isn’t just nice to have. It’s a regulatory indicator.

Technical Standards

The MGA’s technical requirements cover several areas that directly affect platform architecture:

Information security. ISO 27001 certification or equivalent. The MGA expects documented security policies, regular penetration testing, and incident response procedures. Your provider should be able to produce their latest pentest results and their ISO certification without hesitation. If they can’t, or if their certification has lapsed, walk away.

RNG and game fairness. For providers whose platform includes game logic (as opposed to pure aggregation), RNG certification from an accredited testing lab is mandatory. eCOGRA, BMM, iTech Labs. The certification must be current.

Data retention and access. The MGA requires that all player data and transaction records be accessible for a minimum period (currently seven years for some categories of data). Your platform provider’s data architecture needs to support this without degradation or prohibitive retrieval costs. This is where some cloud-native platforms actually shine compared to legacy on-premise deployments, but only if the data lifecycle management is properly designed.

System availability and business continuity. The MGA expects documented disaster recovery and business continuity plans, with tested failover procedures. Ask for RTOs and RPOs, and ask when they were last tested under realistic conditions.

AML and Responsible Gaming

Your platform provider’s technology must support your AML obligations under Maltese law (which implements EU AMLD directives). At minimum, this means:

• Real-time transaction monitoring with configurable thresholds
• KYC workflow integration (document verification, PEP/sanctions screening)
• Suspicious transaction reporting capabilities aligned with FIAU requirements
• Player activity audit trails that are immutable and query-able

For responsible gaming, the MGA requires that platforms enable deposit limits, session limits, self-exclusion mechanisms, and reality checks. These can’t be bolt-on afterthoughts. They need to be integrated into the core player journey. If your provider treats responsible gaming features as a separate module that can be toggled on or off, that tells you something about how they view compliance.

Evaluating MGA Platform Providers: An Architectural Review

Broadly, you’re choosing between three categories. Each carries distinct trade-offs.

Full-service white labels give you the fastest path to market. You get a pre-integrated platform with games, payments, CRM, and compliance tooling. The trade-off is control. You’re typically on a revenue share (15-40% of GGR is common), your frontend customisation is limited to skinning, and your backend is shared infrastructure. When you need a custom integration or a non-standard wallet flow, you’re submitting feature requests, not writing code. For operators in their first year targeting a single jurisdiction, this can make sense. Beyond that, the economics and the constraints rarely hold up.

API-first or headless platforms offer a middle ground. You get the compliance and back-office infrastructure (PAM, wallet, game aggregation) as a service, exposed via APIs, while you own the frontend and can build custom integrations. Pricing is typically a combination of setup fees (€100K-€500K depending on scope), monthly platform fees, and per-transaction or per-player charges rather than pure revenue share. The total cost of ownership over three years is usually lower than white-label once GGR exceeds a certain threshold. The risk here is API quality. A well-documented, versioned, and stable API set is one thing. A nominally “API-first” platform where half the endpoints are undocumented and breaking changes ship without notice is another.

Custom-built platforms offer maximum control. You own every layer, from wallet to frontend. At Jadex Consulting, this is where we spend most of our time: working with operators who’ve outgrown their current platform’s compliance or commercial ceiling and need architecture that’s genuinely theirs. The trade-off is time and upfront investment. A full platform build takes 9-18 months depending on scope. The upfront cost is typically €500K-€2M+. But you own the IP, you control the roadmap, and your per-player marginal cost drops dramatically at scale. For operators running multi-brand or multi-jurisdiction portfolios, the ROI calculation usually tips in favour of custom within 18-24 months of launch.

The question isn’t which model is “best.” It’s which model matches your current scale, your regulatory exposure, and where you need to be in three years.

Key Services and Technologies Offered by MGA Platforms

Regardless of the delivery model, an MGA-compliant platform needs to cover specific functional domains. Here’s what to evaluate, and where we see the most variance in quality.

Player Account Management (PAM). This is the core. Registration flows, identity verification, account lifecycle management, player segmentation, and session management all live here. The PAM layer is also where most responsible gaming controls are enforced. Evaluate the granularity of configuration. Can you set jurisdiction-specific deposit limits without code changes? Can you trigger automated interventions based on behavioural markers? Most PAM systems claim this. Fewer deliver it without custom development.

Wallet and payment processing. The wallet architecture is the single most consequential technical decision in your platform. A monolithic wallet that processes deposits, withdrawals, bonus funds, and game transactions in a single synchronous flow will eventually become your bottleneck for everything: fraud detection, AML monitoring, real-time personalisation, and reporting. What you want is a wallet that separates the accounting ledger from the transaction processing layer, supports event-driven architectures (so downstream systems can react to transactions in real-time), and can handle multiple currencies and payment methods without spaghetti integration code.

Game aggregation. Most operators don’t integrate directly with game providers anymore. The aggregation layer (GIG, EveryMatrix, SoftSwiss, and others offer this) normalises the integration interface so you can add or remove game providers without platform changes. Evaluate the breadth of the provider catalogue, the commercial terms (some aggregators take a margin on top of the provider’s fee), and the technical quality of the integration. Specifically: how are free rounds handled? How is bonus wagering tracked across providers? These edge cases reveal the maturity of the aggregation layer.

Back-office and reporting. Real-time dashboards are table stakes. What matters more is the underlying data architecture. Can you run ad-hoc queries against your transactional data without impacting production performance? Can you export data in formats that your BI tooling (Looker, Tableau, Power BI) can consume without transformation? Is the data model documented? If the answer to any of these is no, you’re going to struggle with regulatory reporting and commercial analytics alike.

Data pipelines for AI/ML. This is where vendor promises frequently outstrip reality. A platform that claims to support “AI-powered personalisation” but stores player event data in a relational database with batch ETL processes running overnight isn’t actually ready for real-time ML inference. You need event streaming (Kafka, Kinesis, or equivalent), a feature store or real-time data layer, and clean, well-schemaed event taxonomies. Without this infrastructure, any ML capabilities are either pre-canned models with limited customisation or vapourware.

The Strategic Benefits of a Compliant MGA Partnership

An MGA licence carries weight with players, with payment providers, and with other regulators.

For operators targeting EEA markets, the MGA’s mutual recognition agreements and its standing as one of the most established iGaming regulators simplify market entry discussions. Payment providers and banks are more willing to onboard operators (and their platform providers) with MGA credentials. The due diligence process is faster because the MGA’s standards are well understood.

Player trust is harder to quantify but real. In markets where players have a choice between licensed and unlicensed operators, the MGA badge converts. This is particularly true in markets with educated player bases (Nordics, UK crossover traffic, Germany).

From a risk perspective, operating on an MGA-compliant platform reduces your exposure to regulatory enforcement, which in turn reduces your insurance costs and your vulnerability during any M&A due diligence process. PE firms acquiring iGaming operators scrutinise the platform layer specifically because platform-level compliance failures can trigger licence conditions or, worse, suspension.

A Due Diligence Checklist for Selecting Your Platform Partner

We use a structured evaluation when advising operators on platform selection. Here are the categories and specific questions.

Technical Architecture
– Is the platform monolithic or microservices-based? What’s the deployment model (multi-tenant SaaS, single-tenant, on-premise)?
– What’s the API coverage? Can every back-office function be performed via API, or are some operations UI-only?
– What’s the wallet architecture? Event-driven or synchronous? Can it support real-time downstream consumers?
– What’s the documented uptime over the past 12 months? Not the SLA target. The actual measured uptime.

Compliance and Security
– Confirm the specific MGA licence type and number. Verify it on the MGA’s public registry.
– Request the latest ISO 27001 certificate and penetration test summary.
– Confirm AML transaction monitoring capabilities: real-time or batch? Configurable thresholds per jurisdiction?
– Verify responsible gaming feature set against MGA requirements and, if applicable, UKGC LCCP conditions.

Commercial and Partnership Model
– Full cost breakdown: setup, monthly platform fees, per-player/per-transaction charges, revenue share (if any), game aggregation margins.
– Contract term and exit provisions. What happens to your player data and transaction history if you leave?
– Roadmap visibility. How are feature priorities determined? Do operators have input?
– Integration support. What’s the typical timeline and resource requirement for a new game provider or payment method integration?

Scalability and Performance
– Peak concurrent user capacity tested, not theoretical.
– Geographic latency data for your target markets.
– Auto-scaling capabilities and associated cost implications.

Treat any reluctance to answer these questions directly as a disqualifying signal.

Beyond Licensing: Future-Proofing Your Platform in Malta’s Hub

The MGA has signalled continued tightening of technical standards, particularly around AI-assisted player monitoring and real-time data access for regulatory audits. Operators whose platforms can’t support real-time event streaming and granular audit trails will face growing friction with the regulator.

Malta’s role as an iGaming hub isn’t diminishing, but the bar for operating there is rising. The operators who will benefit most are those whose platform architecture can absorb regulatory change as configuration rather than re-engineering. That means well-defined domain boundaries in your platform services, clean event schemas, and a compliance layer that’s decoupled from your game and payment integrations.

AI and ML in iGaming are real, but the prerequisites are unglamorous. Before you can do meaningful real-time personalisation or predictive responsible gaming interventions, you need clean data, consistent event taxonomies, and a platform that emits events at the right granularity. Most operators we work with need 6-12 months of data infrastructure work before they can realistically deploy production ML models. Any vendor telling you otherwise is either selling you pre-built models of limited value or hasn’t looked at your actual data layer.

Building Your Next-Generation MGA Platform with Jadex

At Jadex Consulting, we work with operators who’ve hit the ceiling of their current platform, whether that’s a white-label arrangement where the revenue share no longer makes sense, a legacy platform where regulatory changes require disproportionate engineering effort, or a multi-brand operation where the monolithic backend can’t support the jurisdictional complexity.

We don’t sell a platform product. We build platform architecture. That means working with your engineering and compliance teams to design and implement the specific components you need: wallet services, PAM layers, data pipelines, game aggregation interfaces, and the compliance infrastructure that ties them together. We’ve done this work for operators Managing MGA, UKGC, and GGC requirements simultaneously, and we understand the differences in what each regulator expects at the engineering layer.

If you’re evaluating a platform migration, scoping an RFP, or trying to determine whether your current architecture can absorb the next round of MGA technical requirements, we’d welcome the conversation. Not a sales pitch. A technical consultation on the specific trade-offs you’re facing, with honest numbers and realistic timelines.