A crypto deposit can land in a regulated operator’s account in seconds, from a wallet that names no one. When a Malta examiner asks an operator to prove end-to-end compliance across its crypto-funded accounts, that evidence has to already exist in the record.
For most licensed operators, that proof used to be treated as a hypothetical. In March 2026, the MGA published its 2026 supervisory priorities, naming a thematic review of crypto-asset control frameworks alongside a parallel review of cash and cash equivalents.
Shufti, a global identity verification and AML screening platform, has confirmed that its control framework for MGA-licensed operators is ready to support the Malta Gaming Authority’s 2026 thematic review of crypto-asset internal controls.
The framework delivers the identity records, source-of-funds documentation, and audit trails that the review is designed to test, captured at onboarding and kept current throughout the player relationship.
The Authority’s stated concerns are the anonymity of pseudonymous wallets, the speed of cross-border settlement, and the difficulty of establishing who is transacting and where funds originate. Its supervision is risk-based, evidence-led, and outcomes-focused. The review does not ask whether a crypto AML policy exists. It asks whether an operator can show, with evidence, that it knows who is transacting and has checked the money involved.
This is an Identity Problem, Not a Blockchain One
Shufti position is direct. The MGA’s crypto review is a question of customer due diligence, not blockchain forensics. A pseudonymous wallet traced across the chain tells an operator little without a verified identity attached to the account it funded. The control that is under examination is knowing who is behind the deposit, and being able to show that the evidence was captured, documented, and retrievable on demand.
Crypto raises the stakes in four ways:
- Pseudonymous wallets that say nothing about who is transacting.
- Instant, cross-border settlement that outruns manual review.
- Deposits that carry no source-of-funds context unless an operator collects it.
- Player identities are verified once at signup and never checked again.
What the Platform Delivers for Crypto-Accepting Operators
For MGA-licensed operators handling identity verification in Malta, Shufti’s framework covers the full evidence chain an examiner expects to see:
- Identity verification at onboarding, with document checks and biometric liveness across 10,000+ actively processed document types and 240+ countries and territories, backed by iBeta Level 3 certified face verification.
- Sanctions, PEP, and adverse-media screening at onboarding and on an ongoing basis.
- Crypto deposit and withdrawal monitoring with counterparty screening and examination-ready audit records per account.
- A full evidence trail per player, covering verification timestamps, screening logs, risk-score history, and documentation retrievable in a single pass without reconstruction.
- Flexible deployment via SaaS, Private Cloud, or On-Premise, with ISO 27001 certification and GDPR-compliant processing.
The platform does not perform blockchain tracing, and its argument is that operators rarely need it. What a Malta examiner asks for is concrete: a verified identity attached to the account, source-of-funds evidence for the deposit, and a screening log showing the player was checked and monitored. Shufti builds and retains that record from the moment the account opens.
“The instinct in crypto compliance is to follow the coin. Malta’s review is a reminder that the coin is not the question. The question is who is behind the account and whether the operator can prove it. That evidence either exists at onboarding or it has to be rebuilt. Rebuilding it under a remediation order is a much harder way to find out it was missing,” said Shahid Hanif, Founder and CEO of Shufti.
The Cost of Reconstructing Evidence After a Review Begins
Most operators who struggle in a thematic review already have policies in place. What they lack is the ability to produce one account’s complete compliance history, the identity, the source of funds, the screening log, and the monitoring record, in a single pass, on the day an examiner requests it.
When that evidence does not exist at the point of request, the operator reconstructs it under a remediation order. That means back-filled checks across live accounts, extended examination timelines, and compliance resources pulled from forward operations. The operators who clear the review cleanly share one characteristic. The evidence was already there.
Shufti’s framework makes that the default for every account. Verification becomes a record that the regulator can reopen at any point, rather than a gate that closes after signup.
The thematic review is set for 2026. The operators treating onboarding as a living evidence trail are the ones who can answer it without reconstructing anything.
Operators preparing their crypto-asset controls ahead of the MGA’s 2026 review can find further information on Shufti’s compliance support in Malta.
About Shufti
Founded in 2017, Shufti builds and owns its full identity verification stack end to end, from document and biometric capture to AML screening and deepfake detection. Its technology verifies people across 240+ countries and territories and 10,000+ document types, with proprietary OCR trained natively on 150+ languages. Shufti holds iBeta Level 3 certification under ISO/IEC 30107-3 for liveness attack detection and serves 2,000+ clients worldwide. Shufti is a technology provider and does not offer legal or regulatory advice.
SOURCE SHUFTI