FIAU Malta REQ 2026: iGaming AML Compliance Guide for Operators

In 2026, Malta-licensed iGaming operators are required to prepare and file a Malta AML REQ 2026, a self-assessment report on anti-money laundering and counter-terrorist financing (AML/CFT) risks.

The Risk Evaluation Questionnaire Malta (REQ) is issued every year by the Financial Intelligence Analysis Unit (FIAU) and must be submitted digitally through the FIAU’s CASPAR portal. For gaming operators, the REQ 2026 submission deadline is 9 April 2026.

This article discusses the requirements of REQ 2026, the parties that need to comply, the key submission schedule, and how iGaming operators should prepare to ensure AML compliance.

What Is the Risk Evaluation Questionnaire (REQ)?

Risk Evaluation Questionnaire (REQ) is an annual compliance report that the FIAU requires subject persons, including iGaming operators, to submit as part of Malta’s AML/CFT supervisory framework. It is used as a means through which the FIAU is able to gather standardized AML risk data of licensed entities. The 2026 REQ covers the full reporting period of 1 January to 31 December 2025. All figures, controls, and risk data must reflect activity conducted during that calendar year. Operators are required to share information that represents their:

• Current AML risk profile
• Monitoring and internal AML CFT controls.
• Governance structure, including the roles of MLROs, compliance officers, and senior management.
• Business model and risk exposure of their operations.

FIAU uses the information provided as part of the risk-based supervision framework when determining priorities and continued supervision. Compared to 2025, it has confirmed that only a few changes have been made to the REQ template 2026.

Who is Required to Submit the REQ in Malta?

Under Malta’s AML/CFT legislation, the FIAU requires subject persons across regulated industries to complete the REQ within prescribed deadlines. For the case of the 2026 REQ cycle relating to the gaming sector, it includes:

• Malta licensed remote gaming operators (online casinos and sportsbooks licensed by the Malta Gaming Authority).
• Land-based casinos operating under a license from the Malta Gaming Authority.
• Other gaming service providers within the regulated ecosystem.

Operators that were not a part of any relevant financial business or activity are not exempt from the obligation of submitting the REQ. They must contact the FIAU by email before the applicable REQ deadline to explain the situation and formally request an exemption. Written approval from the FIAU is required before any submission is skipped.

All in-scope operators are required to meet the REQ 2026 deadline by submitting through the CASPAR portal. Those not  yet registered on CASPAR should complete their registration promptly to be able to access the interface for submitting the REQ.

Malta REQ 2026 Timeline of Deadline and Submission

In 2026, the following are the REQ submission deadlines by the FIAU:

• 9 April 2026 – Crypto-assets sector (VFA service providers and crypto asset service providers), real estate agents, notaries, and gaming operators (remote and land-based).
• 16 April 2026 – Trustees and fiduciaries, company service providers (noting that limited/ registered CSPs are excluded as per FIAU’s September 2025 guidance note), accountants, tax advisors, and advocates.
• 23 April 2026 – Insurance and pensions, financial institutions, credit institutions, investment services, and securities markets.

Note for crypto-asset operators: Subject persons that transitioned from a VFA licence to a MiCA licence during 2025 are required to report figures for the full 2025 reporting period, regardless of when the MiCA licence was obtained. The REQ on CASPAR will correspond to the operator’s current designation, VFA Service Provider or Crypto-Asset Service Provider, as reflected in the portal.

Missing the REQ deadline carries actual legal consequences; it puts the operator in direct breach of Regulation 19 of the Prevention of Money Laundering and Funding of Terrorism Regulations (PMLFTR) and Section 5.12 of the Implementing Procedures. Subject persons found in breach are liable to administrative penalties under Regulation 21, including measures that can escalate based on the severity and frequency of the violation.

The Requirement of the REQ 2026 iGaming Questionnaire

The Malta AML REQ 2026 addresses various areas of AML risks that the FIAU employs to assess the exposure of an operator and the controls.

The exact individual questions in the questionnaires will depend on the industry, but the most important areas in the eyes of the iGaming operators would be:

• Business Risk Assessment (BRA)

The operators’ Business Risk Assessment must be current and rely upon documented internal methodology. This must be a reflection of the inherent risks that the operator has and the way to mitigate them with the proper controls.

• Customer Risk Profile

This covers how the operator risk-assesses and classifies its customer base, including the identification of high-risk individuals, such as Politically Exposed Persons (PEPs), and enhanced due diligence (EDD) procedures applied to them.

• Geographic Risk

The operators are required to disclose the geographic location of their customers and any exposure to high-risk jurisdictions with regard to AML/CFT.

• Supervision and control system.

This covers the transaction monitoring systems in place, the rules configured to trigger alerts, and escalation procedures the operator follows when a potential AML risk is identified.

• Governance and Oversight

Information about the MLRO duties, board or senior management supervisory role of AML practices, employee training, and independent reviews is mandatory.

How To Prepare for FIAU REQ 2026

Preparing for the Malta AML REQ 2026 is primarily an internal exercise, one that demands careful coordination across compliance, senior management, and operations. Here are the practical steps operators should take before the 9 April deadline:

• Revise and Test the Business Risk Assessment (BRA)

The business risk assessment must contain the operator’s current operating model, type of customers, and the risk environment, and must be approved at the senior level.

• Reconcile AML Data

Ensure that internal compliance records (e.g., transaction monitoring alerts, suspicious activity reports (SARS), and customer risk scores) are consistent and can be audited.

• Review Monitoring Systems

Monitoring tools should be assessed for their ability to record relevant triggers, produce manageable quantities of alerts, and support investigators in closing out alerts efficiently.

• Review Governance Documentation

Certify that the appointment and responsibilities of MLROs are current and that governance structures are well documented and internalized.

• Update Profile Information CASPAR

Prior to handing over a REQ, ensure that all details within the Subject Person Profile on CASPAR, such as:

• Ownership structure
• Group membership (if applicable)
• Shareholders, beneficial owners, and directors
• Turnover and net asset values
• Target markets
• External auditor details (if applicable)
• Business Risk Assessment

are fully updated before submitting the REQ. Incomplete or outdated profile information is one of the most common reasons submissions attract further FIAU scrutiny.

• Enable Two-Factor Authentication on CASPAR

The FIAU now requires 2FA to access the CASPAR portal. This should be activated well before the submission window opens, not on the day of. The FIAU published a step-by-step 2FA guide in November 2025, available on the CASPAR resources page.

Common Pitfalls to Avoid When Submitting the REQ

When preparing the REQ 2026 iGaming submission, avoid these common issues:

• Inaccurate or unstable risk documentation.
• Differences between reported measures and internal compliance records.
• Incomplete or missing CASPAR Subject Person Profile information.
• Reporting controls/processes that are not operationally put in place.

The FIAU’s review process is evidence-led. If the reported controls cannot be demonstrated through internal records, the submission becomes a liability rather than a compliance exercise.

The REQ is Important to the Malta iGaming Operators

Risk Evaluation Questionnaire (REQ) in Malta is not just a compliance form. It allows the FIAU to:

• Compare AML risk profiles in sectors.
• Direct supervisory resources toward higher-risk operators.
• Update the risk-based supervisory plans for the next year.

In the case of iGaming operators, where the onboarding, digital payments, and cross-border customer exposures are remote, such structured reporting can provide the regulator with insight into the weak points in operations and controls.

How AML Watcher Simplifies Malta REQ 2026 Reporting For iGaming Operators

The gaming operators licensed in Malta using fragmented AML information and manual reporting frameworks are exposed to irregularities in their submission of the Risk Evaluation Questionnaire Malta, that put them at more risk of regulatory review before the Malta REQ 2026 deadline.

AML Watcher consolidates customer risk profiling,  transaction monitoring metrics, and the STR reporting in a single, organized system that assists operators to align their REQ responses with documented controls and ensure compliance by audit throughout the Malta AML compliance timeline.