High-Risk Merchant Account Underwriting: The Fatal Flaws That Get Your iGaming Application Rejected in Malta and Curacao

The iGaming industry’s growth across Malta and Curaçao has created unprecedented demand for merchant accounts that can handle high-volume, multi-currency card payments. Yet, for every operator that succeeds in opening an account, dozens face rejection, sometimes after months of preparation. These rejections are not random; they stem from specific underwriting flaws that experienced risk teams see as fatal.

At its core, underwriting in high-risk payments is a hybrid of data analysis and human risk perception. While regulations in both Malta and Curaçao formally permit iGaming operations, the decision to grant a merchant account lies with the acquirer’s risk committee, not the gaming regulator. And those committees think like bankers, not licensors.

The goal of this guide is to show iGaming operators, CFOs, and compliance leads exactly how to pre-empt those rejection points, by understanding how banks interpret risk, how MGA and Curaçao licensing requirements map to payment onboarding, and how to present a file that communicates both control and credibility.

Underwriting 101 for iGaming

Before a single transaction is approved, your payment processor performs what’s known as merchant underwriting, a rigorous due-diligence process to determine whether your iGaming business represents a manageable level of financial and regulatory risk.

For high-risk sectors like online casinos, sports betting, or e-sports wagering, underwriting is not just a compliance exercise; it’s a liability assessment. The processor is effectively extending you an unsecured line of credit every time they settle funds before the chargeback window closes.

That means if your business collapses, is fined, or triggers excessive disputes, the acquiring bank pays the cost. Hence, underwriters don’t just ask, “Is this merchant licensed?” They ask, Can this merchant survive a worst-case scenario without exposing us?

Why iGaming Is Classified as High Risk

The iGaming vertical is universally tagged as high risk under Merchant Category Code (MCC 7995), a category closely monitored by Visa, Mastercard, and European acquirers. Several risk elements define this status:

1. High Chargeback Exposure:
   Players can dispute transactions weeks or even months after gameplay, particularly when bonuses, delayed payouts, or self-exclusion issues arise. Average chargeback ratios for online gaming exceed 0.9%, compared to the Visa compliance threshold of 0.65%.
   
2. Regulatory Fragmentation:
   Every jurisdiction interprets AML, player protection, and data privacy differently. For example:
   
   • Malta requires Key Function approvals and RG (Responsible Gaming) integration.
   • Curaçao’s new LOK framework (2024) demands full AML/CFT policy submission and UBO transparency.
   • UKGC expects proof of affordability checks and anti-money-laundering audits.
     A single gap in one region can make the entire group structure non-uniform, a red flag for acquirers.
     
3. Delayed Service Fulfilment:
   Gaming transactions don’t always settle immediately; deposits and withdrawals can remain open for weeks. To a bank, this is similar to future delivery, a common risk indicator in sectors like travel and ticketing.
   
4. Cross-Border Payment Risk:
   Most iGaming operators process funds in multiple currencies (EUR, USD, GBP, and crypto-to-fiat channels). Each adds conversion risk, potential for fraud, and compliance obligations under PSD2 and FATF travel rules.
   
5. Reputational and Regulatory Pressure:
   Acquirers themselves face audits from Visa’s Global Acquirer Risk Standards (GARS) and the European Banking Authority (EBA). Any link to problematic gaming operators can trigger scheme penalties or licence suspensions.

In short: Even if your platform is fully licensed, underwriters treat every iGaming applicant as a potential liability until proven otherwise.

What Underwriters Actually Score

Contrary to what many merchants believe, underwriting isn’t about a single approval form,  it’s about risk scoring across multiple domains. Below is what risk teams evaluate before approving or rejecting a file:

Risk Domain	What Underwriters Look For	Why It Matters
Corporate Structure & Ownership	Certificate of incorporation, share registry, UBO chart, board resolutions.	Unclear UBOs or offshore layers suggest AML risk.
Licensing & Compliance	Active MGA licence or Curaçao LOK transitional proof; AML/CFT & RG policies.	Confirms legal legitimacy; missing AML/RG documents trigger instant rejection.
Processing History	6-12 months of bank or acquirer statements showing chargeback ratio <1%, refund trend, average ticket size.	Predicts financial discipline and dispute exposure.
Website & Product Presentation	Working links for T&Cs, refunds, complaints, and RG; no misleading bonuses or unverifiable claims.	Non-compliant websites indicate operational immaturity or deception.
AML/KYC Controls	Proof of customer verification, source of funds checks, MLRO appointment letter.	Core regulatory compliance requirement; lack thereof leads to fatal decline.
Technical Security	PCI DSS v4.0 certification or SAQ, 3DS2 authentication readiness, encryption standards.	Protects acquirer from card data breach liability.
Market Geography	Country list of accepted players, geo-blocking for restricted regions, proof of IP filtering.	Serves FATF & sanctions compliance; exposure to grey markets = automatic fail.
Banking & Settlement Setup	Settlement account jurisdiction, matching entity name, transaction routing clarity.	Cross-border mismatch or nested banking raises AML/ML concerns.

An underwriter’s job is to combine all these inputs into a Risk Rating (Low, Medium, High, or Severe). In practice, most iGaming operators fall between Medium-High, which means approval is possible, but only if the documentation is flawless and the risk narrative is credible.

Why Having a Licence Isn’t Enough

A gaming licence may allow you to operate legally, but it does not guarantee a payment account. Licensing authorities focus on player fairness and local compliance; acquiring banks focus on liability, liquidity, and loss recovery.

Here’s how underwriters interpret licences:

• MGA Licence: High credibility in the EU, but still requires evidence of player fund segregation, RG compliance, and AML integration. Missing Key Function approvals or weak AML systems = decline.
• Curaçao Licence (post-LOK): Now more credible, but underwriters check if you’ve transitioned from the old sub-licence regime. Legacy setups or shell entities are red flags.
• UKGC Licence: The most respected globally, but its requirements (like affordability and source-of-funds checks) must still be operationally enforced, not just declared.

In short: a licence grants you the legal right to trade, but underwriting approval gives you the financial ability to transact.

The Cost of Poor Preparation

Applications that are rushed, inconsistent, or incomplete can lead to a MATCH listing (Terminated Merchant File) or blacklisting by multiple acquirers. Once flagged, it becomes significantly harder to get future approvals, even in other jurisdictions.

This is why experienced operators treat underwriting as part of their compliance architecture, not an afterthought. A well-prepared file signals maturity and can even reduce rolling reserve percentages or improve settlement cycles.

Underwriting isn’t a mystery, it’s a mirror. Your financial data, documentation, and tone all reflect how much risk your operation carries. The cleaner and more consistent that reflection, the faster and cheaper your approval.

(Source: Malta Gaming Authority – Compliance & Key Function Guidelines, Curaçao Gaming Control Board – LOK Transition Framework 2024, Visa – Global Acquirer Risk Standards (GARS) 2024, European Banking Authority – Risk Factor Guidelines, 2023 Update, PCI Security Standards Council – PCI DSS v4.0 Overview)

The Human Factor: Why Good Files Still Get Rejected

In theory, a clean application, full documentation, valid licence, low chargeback ratio, should pass underwriting easily. In practice, more than 60% of iGaming merchant account applications are rejected despite technical compliance. The reason is deceptively simple: underwriters are human.

While algorithms handle risk scoring, the final decision almost always lies with a human risk officer who evaluates tone, credibility, and behavioural cues. Understanding how they think, and what subconsciously triggers a decline, is essential if you want your file to land in the approved stack.

The Psychology of Underwriting

Unlike licensing authorities, bank underwriters are not assessing your business to encourage innovation. They are assessing it to avoid liability.

Their mindset can be summed up in one question:

If this merchant fails, will I be blamed for approving it?
That single concern drives a deeply conservative, defensive approach. Even a hint of uncertainty, in documentation, communication, or presentation, can lead to rejection.

In Europe, risk officers face both internal accountability and scheme audits from Visa, Mastercard, or the European Banking Authority (EBA). A single merchant linked to fraud, AML breaches, or player complaints can cause an acquirer to lose its BIN sponsorship or be fined hundreds of thousands of euros.
It’s safer for an underwriter to decline a potentially good merchant than to approve one that later fails.

Common Cognitive Biases in Underwriting Decisions

Underwriting teams are composed of humans, and humans rely on heuristics, mental shortcuts, when making decisions under time pressure.

Three major biases repeatedly appear in high-risk payment reviews:

1. Availability Heuristic
   If an underwriter has recently dealt with a failed Curaçao operator or an MGA audit on chargebacks, your application will be viewed through that lens, even if your numbers are spotless.
   Mitigation: Provide hard data to counter assumptions, e.g., player retention statistics, refund response times, and proof of dedicated chargeback management.
   
2. Anchoring Bias
   The first impression of your website, business description, or tone of email sets the anchor.
   If your site looks outdated, lacks compliance disclosures, or contains aggressive bonus messaging, every subsequent document will be judged harshly.
   Mitigation: Treat your onboarding like an investor pitch. Clean, branded documentation and consistent UX reduce subconscious friction.
   
3. Confirmation Bias
   Once an underwriter suspects something is off, e.g., conflicting bank details or unclear UBO structure, they unconsciously look for evidence that confirms their suspicion rather than disproves it.
   Mitigation: Pre-empt concerns. Include a cover note explaining your corporate structure, compliance controls, and future growth projections.

The Behavioural Red Flags That Kill Applications

Beyond documents and data, certain behavioural signals automatically downgrade your credibility during onboarding.

These are small but deadly errors:

Red Flag	How It’s Interpreted by Underwriters
Multiple simultaneous applications to several acquirers	Suggests desperation or history of terminations; triggers cross-checking via MATCH or informal ISO channels.
Inconsistent business descriptions (different products listed on website vs. application)	Indicates lack of transparency or possible laundering of activity.
Fragmented entity setup (e.g., Curaçao licence, Cyprus account, Hong Kong company, UK phone number)	Creates jurisdictional confusion and perceived AML risk.
Aggressive communication (frequent calls, demanding updates, we process huge volumes claims)	Signals poor risk awareness and emotional volatility, both red flags for financial institutions.
Missing or generic policies on refunds, RG, or AML	Suggests template compliance without operational depth.

Mitigation:
Approach onboarding like due diligence for investment. Be calm, factual, and transparent, even when asked difficult questions. Risk officers reward professionalism.

Portfolio Pressure: When It’s Not About You

Sometimes, rejection isn’t personal at all. It’s portfolio-driven.

Acquirers operate under internal limits known as:

• BIN concentration caps (maximum number of iGaming merchants allowed under one BIN)
• Vertical quotas (e.g., only 10 active gaming MIDs per quarter)
• Audit freezes (temporary pauses during Visa/Mastercard or regulator review)

If your file lands during a quota freeze, you may be declined simply due to timing. Smart operators reapply 30-60 days later with updated data or through a different acquiring partner.

The Malta-Curaçao Bias Differential

There’s also a psychological hierarchy among underwriters:

• MGA Malta: Seen as structured, regulated, and lower AML risk.
• Curaçao (pre-2024): Historically viewed as loose, opaque, and over-represented in chargeback statistics.

Although Curaçao’s 2024 LOK reforms have improved credibility, many acquirers still apply a 6-12 month watch period before fully trusting new licensees. Merchants from Curaçao therefore need extra documentation, financial audits, AML reports, and independent supplier due diligence, to match the perception of a Maltese operator.

How to Make Underwriters Feel Safe

The ultimate objective isn’t just to look compliant, it’s to make the underwriter feel safe.

To achieve that:

• Provide context: If your chargebacks spiked last quarter, explain the cause and corrective actions.
• Demonstrate accountability: Include bios of compliance and finance officers with LinkedIn profiles or certificates.
• Offer predictability: Show stable monthly processing forecasts instead of exaggerated revenue claims.
• Use local alignment: Mention your MGA or GCB relationships, AML audits, and local banking partners to show regulatory grounding.

When you address risk perception, you transform underwriting from confrontation into collaboration.

Most iGaming merchants lose approvals not because they are non-compliant, but because they appear unpredictable. Underwriting is 50% documentation and 50% psychology, and the operators who master both consistently win approvals even in red-flag jurisdictions.

Malta Underwriting Deep Dive: How MGA Rules Shape Approval Odds

Malta remains the gold standard in European iGaming licensing, yet even MGA-certified operators frequently find their merchant account applications delayed or declined.

Why? Because while the Malta Gaming Authority (MGA) certifies gaming compliance, banks and acquirers perform an entirely separate risk evaluation based on financial exposure, AML traceability, and EU-level compliance alignment.

In Malta, payment institutions, electronic money issuers, and acquirers are regulated by the Malta Financial Services Authority (MFSA) and bound by both EU 5AMLD/6AMLD and EBA Risk Factors Guidelines.

So, while your MGA licence allows you to operate, the underwriter’s question remains:
Can this operator safely move player funds through the banking system without regulatory blowback?

The MGA Licensing Structure and Why It Matters

The MGA’s framework divides licensees into B2C Gaming Service Licences (operators) and B2B Critical Supply Licences (software/platform providers). From an underwriting perspective, this structure matters because it defines who holds player funds and therefore who carries AML liability.

Licence Type	Underwriting Implication
B2C (Gaming Service Licence)	The operator holds player funds, triggering full AML/KYC obligations. Must show proof of segregated player balances, AML officer appointment, and quarterly reports to the FIAU.
B2B (Critical Supply Licence)	Acts as a technology provider only. Often exempt from reserve requirements, but must still provide PCI DSS compliance and contractual proof that it doesn’t touch player funds.

For underwriters, confusion between these roles is a red flag. Applications that list a B2B licence but show direct customer deposits on their website are typically rejected, this indicates licence misuse or payment misrepresentation.

The Documentation Underwriters Expect from MGA Operators

Malta’s mature licensing ecosystem means acquirers expect institutional-grade documentation.

A complete submission file typically includes:

1. Corporate Formation Package
   • Certificate of Incorporation (MFSA-issued)
   • Memorandum & Articles of Association
   • Shareholder Registry & Ultimate Beneficial Owner (UBO) chart
   • Local registered address & director identification
     
2. MGA Licence Documentation
   • Copy of active licence and Key Function approvals (MLRO, Compliance Officer, Risk Manager)
   • Recent FIAU AML Audit report or Self-Assessment Questionnaire (SAQ)
   • Player Protection & Responsible Gaming (RG) framework
     
3. Operational Evidence
   • Bank statements from the last six months
   • Processing history (chargebacks, refunds, net settlements)
   • Live screenshots of website compliance pages (T&Cs, refund, complaint, RG links)
     
4. Technical Compliance
   
   • PCI DSS v4.0 Attestation of Compliance (AOC)
   • 3DS2 readiness certificate from payment gateway provider
   • Secure hosting certification or penetration-test summary

Missing or incomplete documentation here immediately triggers a KYC fail and often a decline without review.

Common MGA-Linked Rejection Reasons

Even among licensed operators, underwriters flag recurring issues that cause automatic rejections:

Rejection Reason	Why It’s Fatal
Outdated AML Manual or no MLRO signature	Indicates non-compliance with 5AMLD, banks can be fined for onboarding you.
Player fund segregation unclear	Breach of MGA licence condition 2.2; acquirer can’t confirm capital adequacy.
Inconsistent UBO declarations vs MFSA registry	Suggests nominee structures or hidden ownership, AML trigger.
Responsible Gaming policy absent or inactive link	Seen as non-compliance; acquirers equate it with reputational risk.
Mismatch between declared jurisdiction and website domain (.com instead of .mt)	Perceived attempt to bypass geo-blocking and AML monitoring obligations.

The irony is that these are often minor administrative oversights, but to an underwriter, they imply governance failure, which equals financial risk.

Optimising Your MGA Application for Payment Approval

To increase your success rate with acquirers, implement the following:

• Prepare an Underwriting-Ready Dossier: Consolidate all documents in one indexed PDF with a cover summary explaining your licence scope, compliance controls, and financial projections.
• Show Proof of Player Fund Segregation: Maintain a Maltese-registered player account with monthly reconciliation reports certified by your auditor.
• Include an MLRO Statement: A signed letter from your MLRO confirming AML/CFT controls, risk assessments, and use of third-party transaction monitoring tools (such as ComplyAdvantage or SumSub).
• Demonstrate PCI DSS & RG Integration: Link your KYC tools and responsible-gaming modules directly on your website. Underwriters verify these URLs manually.
• Maintain a Clean Chargeback Record: Keep ratios below 0.7% and document your dispute management process (chargeback alerts, representments, etc.).

If your operation shows control, traceability, and accountability, you’re not just licensed, you’re bankable.

Why Malta Is Still Favoured Despite Strictness

Underwriters often approve MGA merchants faster than those from Curaçao or other jurisdictions, for three reasons:

1. EU Alignment: Malta’s financial and gaming regulators adhere to EU AML directives and EBA oversight.
2. Reputation: The MGA’s disciplinary framework (suspensions, fines, and licence audits) builds long-term trust in compliance culture.
3. Transparency: Public licence registers, open company data (MFSA), and FIAU audit reports enable faster verification.

In underwriting terms, Malta represents structured risk, high-risk business, but within a transparent and enforceable legal environment. That transparency is precisely what banks need to justify approval.

Curaçao Underwriting Deep Dive: The Post-Reform Reality and New Risk Filters (2024-2026)

For years, Curaçao was a byword in high-risk gaming, easy to license, hard to bank.
That changed dramatically after the introduction of the National Ordinance on Games of Chance (LOK), which replaced the outdated sub-licensing regime.

Now, the island’s regulator, the Curaçao Gaming Control Board (GCB), demands a level of transparency, AML enforcement, and financial accountability that brings it closer to Malta’s standards.

But despite these reforms, acquirers remain cautious. To them, Curaçao still triggers enhanced due diligence (EDD). Understanding why, and how to offset that perception, is key to approval.

From Sub-Licensing to Full Regulation

Under the old regime, master licence holders (e.g., Cyberluck, Antillephone, Curaçao eGaming) issued sub-licences to operators. These sub-licences offered little supervision beyond annual renewals. Underwriters viewed this as a paper licence, legal enough to operate, but not robust enough to rely on for AML or player-fund protection.

The new LOK framework (effective 2024) ends that system. Now, every operator must:

• Apply directly to the GCB for a full licence.
• Submit a detailed AML/CFT policy aligned with FATF standards.
• Disclose full UBO ownership and related entities.
• Undergo annual audits of financials and gaming operations.
• Appoint a local compliance officer in Curaçao.

These measures have already improved credibility, but in underwriting, reputation recovery takes time.

(Source: Curaçao Gaming Control Board)

How Underwriters Now Evaluate Curaçao Entities

Banks and processors no longer reject Curaçao merchants outright, but they apply stricter filters than for Malta or the UK.

A 2025 risk review typically covers:

Underwriting Category	Malta Baseline Expectation	Curaçao Requirement (Post-LOK)	Common Pitfalls
Licence Verification	Public MGA Register	Proof of full GCB licence (not sub-licence)	Sub-licence masquerading as full licence
AML/Compliance Docs	FIAU/5AMLD Audit	FATF-aligned AML Manual & Officer CV	Outdated “template” AML document
Corporate Transparency	MFSA public data	Certified UBO list & notarised ID	Offshore nominee UBOs
Financial Statements	Annual audit filed	Audited accounts or CPA-verified balance sheet	Missing or unsigned reports
Banking Location	EU-based	Local or regional (Caribbean/EU)	Mismatch between entity and settlement account
Technical Controls	PCI DSS + 3DS2	Same, plus confirmation of geo-blocking for restricted markets	No evidence of geo-restriction tools

Each deviation raises a risk score. Curaçao entities can still be approved, but only if they demonstrate operational maturity equivalent to EU-licensed peers.

The New Grey Market Problem

Even post-LOK, many Curaçao operators continue accepting players from restricted jurisdictions such as the Netherlands, the US, or Germany. Visa and Mastercard treat this as cross-border compliance leakage, a violation that can lead to heavy fines for acquirers.

Underwriters now use geo-analysis tools to cross-check traffic and IP origins. If your site shows player logins from sanctioned or excluded countries, your file will be immediately declined.

Mitigation Steps:

• Implement geo-fencing and IP-based blocking for all restricted markets.
• Include traffic reports showing region breakdowns in your underwriting dossier.
• Document your player KYC policy demonstrating enforcement of these limits.

Transparency beats silence; attempting to hide grey-market exposure nearly always results in long-term blacklisting.

How to Improve Curaçao Approval Odds

To overcome bias and prove credibility to EU acquirers:

• Show Evidence of Full LOK Compliance: Attach the official licence, AML policy approval letter, and local compliance officer details.
• Provide an Independent Legal Opinion: A short legal confirmation (from a Curaçao-based firm) that your entity meets all LOK and FATF requirements builds trust.
• Align with EU Standards: Adopt PCI DSS v4.0 and ISO/IEC 27001 cybersecurity frameworks, even if not mandatory.
• Display Operational Controls: Include screenshots of player-fund segregation, responsible-gaming tools, and dispute-resolution portals.
• Use EU-linked Settlement Partners: Where possible, maintain a secondary EU bank account (e.g., Lithuania or Malta) for settlement transparency.

Smart positioning tip: Label yourself Curaçao-licensed under LOK 2024 – AML/FATF Compliant in correspondence. It signals awareness and maturity.

Why Curaçao Still Matters for iGaming Expansion

Despite stricter scrutiny, Curaçao remains strategically vital for global operators because:

1. Speed & Cost: Licensing takes 60-90 days versus 6-12 months in Malta.
2. Tax Incentives: Corporate tax capped around 2% for qualifying operators.
3. Market Access: Suitable for emerging LATAM, African, and Asian markets.
4. Crypto-Friendly Environment: Compatible with digital-asset payment rails under AML oversight.

For payment acquirers, the risk profile of Curaçao is evolving, from unregulated offshore to emerging compliant hub. Merchants who embrace transparency and international standards are now seeing approvals that were impossible five years ago.

The Underwriter’s Checklist: How to Prepare a Winning Application

In high-risk payments, success is not about persuasion, it’s about presentation. Underwriters rarely “decline” a good business; they decline incomplete, inconsistent, or unverified applications.

This section gives you a comprehensive, step-by-step underwriting checklist, based on real-world feedback from EU acquirers, PSPs, and risk officers specialising in iGaming verticals.

The 3 Core Principles of a Successful Application

Before diving into the paperwork, understand the mindset of a professional underwriter.

Every merchant application is assessed using three primary filters:

Filter	Key Question	Merchant Objective
Transparency	Can I clearly understand what this company does and who runs it?	Present an unambiguous, well-documented business model.
Traceability	Can we verify every transaction trail, owner, and flow of funds?	Provide clear ownership charts, AML policy, and banking details.
Control	Does this operator have systems in place to prevent risk?	Demonstrate operational discipline, KYC, refunds, chargebacks, RG tools.

Your task as an applicant is to remove friction and answer these three questions before the underwriter even asks.

Core Documentation Set (Must-Have)

A high-risk application can fail if even one of these items is missing or unclear.

Ensure you have the following documents ready, signed, and verified:

Corporate & Legal

• Certificate of Incorporation
• Memorandum & Articles of Association
• Company extract (from MFSA or Curaçao Chamber of Commerce)
• UBO (Ultimate Beneficial Owner) declaration with ownership %
• Passport and proof of address for all directors and UBOs
• Local registered address certificate (utility bill or lease)

Licensing & Compliance

• Active gaming licence (MGA, GCB, or sub-licence transition letter)
• AML/CFT manual, signed by the MLRO
• Appointment letters for key functions (Compliance Officer, MLRO, Risk Manager)
• Proof of player fund segregation (separate account statement)
• Latest compliance audit report (FIAU or GCB-approved auditor)

Operational

• Six months of processing statements (showing chargebacks, refunds, settlements)
• Bank statements for the same period
• Screenshot of website homepage, T&Cs, refund policy, and RG policy
• Screenshot of payment page (PCI DSS compliant)
• Description of fraud and chargeback management tools (e.g., Ethoca, Verifi, Sift)

Financial

• Last year’s audited financial statements
• Management accounts (if less than 12 months old)
• Forecast of expected processing volume (monthly)
• Average ticket size and geographic distribution of players
• Capital adequacy statement or balance confirmation from bank

Tip: Consolidate everything into a single indexed PDF (with a clear naming convention). It reduces friction and accelerates risk scoring.

Compliance-Driven Attachments (Highly Recommended)

These aren’t mandatory but dramatically increase approval odds:

• Transaction Flow Diagram: Visual showing how player deposits flow from the website → payment gateway → acquiring bank → merchant account → settlement account.
• KYC/AML Process Flow: Visual mapping your verification steps, from player onboarding to withdrawal.
• Risk Policy Statement: 2-3 pages summarising internal chargeback mitigation, fraud screening, and dispute handling.
• Data Security Certification: Copy of PCI DSS v4.0 Attestation or ISO/IEC 27001 certificate.
• Independent Legal Opinion (where applicable): Especially important for Curaçao entities to prove LOK compliance.

Website & UX Compliance Checklist

Most underwriters start by visiting your website before reviewing your file. A non-compliant or incomplete website can cause an immediate rejection.

Your website must visibly include:

Requirement	Purpose
Clear refund & cancellation policy	Reduces risk of chargebacks
Terms & Conditions + Privacy Policy	GDPR & consumer protection compliance
AML, KYC, and Responsible Gaming sections	Demonstrates regulatory integrity
Company details in footer (legal entity, licence number, address)	Confirms transparency
Secure checkout (https:// + PCI-compliant gateway logos)	Validates payment security
Age restriction notice (18+) and jurisdiction disclaimer	Ensures regulatory compliance
Customer support details (email, phone, chat)	Reinforces legitimacy and accessibility

Pro Tip: Make sure your WHOIS registration, domain, and licence jurisdiction all match.
Underwriters often cross-check domain ownership as part of KYC.

Underwriter’s Internal Notes (What They Actually Record)

Few merchants realise that every underwriter creates an internal log that follows your file between PSPs.

Here’s what they often write (and score):

Internal Note Field	What It Means
File quality	Structure, readability, and document consistency
Merchant responsiveness	How quickly and professionally you reply
Operational maturity	Perceived stability based on policies and setup
KYC confidence level	Risk of UBO mismatch or unclear ownership
Reputational exposure	Mentions of merchant online, reviews, complaints
Portfolio fit	Whether your profile matches the acquirer’s risk appetite

Maintaining professionalism and clarity ensures that your file travels with positive legacy notes, essential if you ever reapply elsewhere.

The Final 24-Hour Pre-Submission Audit

Before submitting your package:

1. Recheck all signatures and dates.
2. Verify website links and policies are live and accurate.
3. Ensure all names and company details match across documents.
4. Run a quick Google and LinkedIn search on your business and key officers, underwriters will too.
5. Include a one-page executive summary: Why we are a low-risk high-risk merchant.

That single page, combining humility with clarity, can transform your approval odds.

The High-Risk Red Flags: What Triggers Immediate Rejection

Underwriters rarely give second chances. A single inconsistency, missing document, or risk signal can trigger an automatic decline. This section lists the most common red flags that kill high-risk merchant account applications, and what to do to avoid them.

The Four Categories of Fatal Red Flags

Every rejection stems from one of four categories:

Category	What It Means	Typical Result
Regulatory Non-Compliance	Missing, expired, or mismatched licences and AML documentation.	Automatic fail (KYC).
Operational Mismatch	Website, business description, or product type doesn’t match declared activity.	Decline (potential laundering or misrepresentation).
Financial Instability	Poor bank history, large unexplained refunds, or unstable settlements.	Decline or additional rolling reserve.
Behavioural or Reputational Risk	Aggressive communication, multiple simultaneous applications, or bad online reputation.	Decline for merchant conduct / reputational exposure.

Psychological & Behavioural Red Flags (the Hidden Ones)

Not all red flags are technical. Some are perceptual, and these are the hardest to fix.

Behavioural Cue	Underwriter Interpretation
Rushed or defensive tone in emails	Merchant is under stress / hiding risk
Unrealistic projections (We’ll process £2M/mo in 3 weeks)	Inflated or fabricated data
Over-emphasis on licence equals approval	Merchant doesn’t understand banking compliance
No clear CFO or finance contact	Weak internal structure
Lack of proof of address for directors	KYC gaps likely

To avoid these perceptions, treat your application like a professional funding pitch, calm, data-driven, and verifiable.

Technical Red Flags in iGaming Sites

Underwriters run live tests on your website, they check deposits, data security, and responsible gaming tools.

Common Technical Fails:

• Payment pages without SSL encryption (no HTTPS).
• Third-party payment widgets without PCI DSS mention.
• Player verification (KYC) triggered only at withdrawal, not registration.
• No geolocation controls for restricted markets.
• Bonus abuse loops or unclear wager conditions (seen as fraud vectors).

Pro Tip: Before submission, perform a mock audit using Visa’s Merchant Risk Data Standards (MRDS) checklist or PCI DSS self-assessment.

How Red Flags Escalate (The Underwriter’s Internal Escalation Ladder)

When a potential issue appears, underwriters escalate files internally as follows:

1. Tier 1: Simple clarification (email query).
2. Tier 2: Enhanced Due Diligence (EDD) triggered, requires full AML file and MLRO call.
3. Tier 3: Group Compliance Review, portfolio-wide risk check.
4. Tier 4: Decline / Blacklist entry in internal CRM shared across partner acquirers.

Avoid Tier 2 triggers whenever possible, once EDD begins, even a small compliance gap can lead to rejection.

The Golden Rule: No Surprises

Banks can manage risk, but they hate uncertainty. If something could surface later, declare it early.

Whether it’s a pending MGA audit, a delayed tax return, or prior reserve account, honesty builds credit.
A transparent merchant with minor issues will almost always outscore a secretive one with perfect numbers.

Processing History Analysis: How Underwriters Read Your Bank Statements and MID Reports

Your processing history is the most powerful evidence of your reliability. For high-risk iGaming operators, it acts as both your credit score and your reputation report.

Underwriters study your statements and reports like forensic analysts, not just for the numbers, but for the patterns they reveal. This section breaks down exactly how they interpret those data points, what they flag, and how to present them in a way that increases your approval odds.

Why Processing History Matters

Even the best compliance file can’t override weak processing behaviour.

A strong, transparent, and consistent payment history tells underwriters:

• You have a sustainable business model (not a high-turnover, high-refund scheme).
• You manage chargebacks and refunds effectively.
• You maintain healthy settlement relationships with prior processors.
• You demonstrate predictable liquidity, lowering financial exposure.

In high-risk verticals like iGaming, this data can outweigh even geographic bias, a Curaçao entity with clean, verified processing reports will often be approved faster than an MGA licensee with patchy statements.

The 5 Key Metrics Every Underwriter Examines

Metric	Why It Matters	Ideal Range / Standard
Chargeback Ratio	Indicates customer satisfaction and fraud exposure.	Below 0.9% for Visa / Mastercard compliance.
Refund Ratio	Measures refund policy abuse or poor product quality.	Below 3% of total monthly volume.
Average Ticket Size (ATS)	Large fluctuations suggest transaction manipulation or arbitrage.	Consistent ±10% monthly variance.
Settlement Timeliness	Shows whether acquirer payouts are stable or delayed due to risk.	Regular 7-10 day settlement cycle.
Volume Consistency	Sharp increases (>50% MoM) can trigger EDD.	Predictable growth trend preferred.

Underwriters don’t just look at these metrics in isolation, they compare them to industry benchmarks and peer data across similar MCC codes (e.g., 7995 for gaming).

What Your Bank Statements Reveal

Bank statements are a mirror of operational health. Underwriters scan them line by line for inconsistencies.

They check for:

• Name Consistency: The account holder name must match the corporate applicant (no third-party settlements).
• Payment Source Diversity: Healthy inflow from multiple sources signals real player activity; single large deposits can indicate artificial funding.
• Return or Refund Codes: Frequent returns marked as chargeback reversal or merchant dispute suggest instability.
• Negative Balances or Delays: Repeated overdrafts imply poor liquidity management.
• Geographic Mismatch: Bank domiciled outside your licence jurisdiction = AML trigger.

How Underwriters Correlate Data Between Reports

Underwriters perform cross-referencing, they match your bank statements, processing reports, and financial forecasts for internal consistency.

Cross-Check Example	What It Reveals
Merchant sales in MID report = £250,000 / month vs. bank deposits = £180,000	Missing settlement or parallel processor, red flag
Processing report shows 0.5% chargebacks / bank shows heavy refund entries	Likely hiding real dispute volume
Declared average ticket £50 / bank credits suggest £120+	Possible misclassification of product type
Forecast volume £1M/month / no supporting traffic data	Inflated projection to bypass rolling reserve

A mismatch greater than 20% variance between documents triggers EDD or rejection.

Always ensure your application tells one coherent financial story.

How to Present Processing Data the Underwriter’s Way

Organise your processing data like this:

1. 6-Month Processor Statement (CSV or PDF): Highlight total processed, refunds, chargebacks, settlements.
2. Monthly Summary Sheet (Your Own Table):
   • Gross volume
   • Refunds
   • Chargebacks
   • Net settlement
   • Notes on any spikes (promo campaigns, migration, seasonality).
     
3. 1-Page Processing Overview: Include the acquirer’s name, MID, start date, and termination reason (if applicable).
4. Attach Screenshots: From your PSP dashboard showing real-time risk data (Ethoca, Verifi, or Visa Resolve Online).
5. Include Merchant Reference Letters: A short statement from a previous PSP confirming clean processing behaviour is gold in underwriting.

How Bad History Can Still Be Salvaged

If you’ve had chargeback issues or a terminated account, it’s not the end.
What underwriters value most is accountability and trend improvement.

To repair credibility:

• Show evidence of reduced chargebacks over the past 3 months.
• Document any new fraud tools or customer service changes.
• Provide a written explanation of past issues (e.g., spike due to COVID cancellations).
• Attach a corrective-action timeline, underwriters respect operational maturity.

Processing Behaviour Patterns That Signal Merchant Laundering

Acquirers are increasingly using AI-based pattern recognition to detect hidden laundering or risk signals.
Here’s what their algorithms look for, and what you should avoid:

Pattern	Why It Raises Red Flags
Sudden 300% increase in volume after approval	Suggests aggregation or hidden sub-merchants.
Large number of small identical transactions	Looks like card testing or synthetic identity fraud.
High ratio of cross-border transactions vs. declared market	Indicates geo-block evasion.
Disproportionate refunds after weekend spikes	Could signal player manipulation or bonus abuse.
Irregular payment methods (crypto inflow, e-wallet outflow)	AML inconsistency in transaction flow.

Underwriters cross-verify this using tools like SAS AML Analytics and Visa Merchant Monitoring Service (VMMS).

How to Forecast Credibly (and Impress Underwriters)

Your volume forecast should never be a sales pitch, it’s a data-driven projection.

Use this model:

• Base forecast on past 3-month average volume, not theoretical revenue.
• Include traffic source data (SEO, paid, affiliate %).
• Correlate forecasts with seasonality (e.g., football tournaments, holiday spikes).
• Mention mitigation plans for volume growth (staffing, payment routing, support).

A detailed forecast shows that you operate like a financially literate merchant, the kind underwriters trust.

The Green Flag Signals That Lead to Faster Approvals

Want to stand out? Make sure your file displays these:

Consistent processing statements from reputable acquirers (e.g., Nuvei, Worldline, Emerchantpay).

• Chargeback ratio under 0.8%.
• Refund ratio under 3%.
• Transparent transaction trail (matching bank inflows).
• Signed CPA or financial report verifying liquidity.
• Executive summary with risk commentary and forecast.

These signals make an underwriter’s decision simple, and simple decisions get approved.

License Vetting: Why a Current License Doesn’t Guarantee Approval (MGA vs. Curaçao vs. UKGC)

For many iGaming operators, the first shock in the onboarding process is discovering that a valid gaming licence, even one issued by a respected regulator like the Malta Gaming Authority (MGA) or UK Gambling Commission (UKGC), is not enough to secure merchant approval.

Underwriters view licences as necessary but not sufficient. They verify what lies behind the licence: financial control, corporate substance, AML integrity, and transaction monitoring systems.

This section explores how payment acquirers actually vet licences, what differences exist between the major jurisdictions, and how to present your file in a way that builds trust across regulatory lines.

The Reality: A Licence Is a Regulatory Permission, Not a Banking Guarantee

Gaming authorities assess whether you’re fit to operate legally. Banks assess whether you’re fit to handle financial risk safely.

These are two different worlds.

Aspect	Regulators (MGA/UKGC/GCB)	Underwriters / Acquirers
Objective	Protect players and ensure fair gaming	Protect payment networks from loss & AML exposure
Focus	Game fairness, player funds, responsible gambling	Transaction flow, chargeback exposure, financial reporting
Review Period	Annual compliance audits	Real-time ongoing monitoring
Decision Criteria	Licensing conditions and capital adequacy	Risk scoring, portfolio exposure, and KYC integrity

So, while a licence gives you legal legitimacy, it does not reduce your payment risk score unless accompanied by a robust operational and financial compliance package.

How Underwriters Vet Licence Authenticity

Every reputable underwriter conducts independent verification of your licence before approval.

Here’s what that process involves:

1. Regulatory Cross-Check:
   • Underwriters visit the regulator’s online register (MGA, UKGC, or Curaçao GCB).
   • They confirm the exact licence number, scope (B2C/B2B), and expiry date.
2. Document Validation:
   • They require the original licence certificate and renewal confirmation letter.
   • Some acquirers even request a direct verification email from the licensing body.
3. Activity Match:
   • The domain and product offering must match the activity approved by the licence.
   • Example: An MGA Type 1 licence covers casino RNG games, not sports betting or binary options.
4. AML & RG Policy Alignment:
   • Your internal AML and Responsible Gaming policies must mirror the regulator’s framework
   • A mismatch here can suggest non-compliance or incomplete implementation.

Comparing the Big Three Jurisdictions

Let’s break down how underwriters perceive each licensing region from a risk and compliance perspective.

Jurisdiction	Strengths	Underwriter Concerns	Documentation Expected
Malta Gaming Authority (MGA)	Strong EU AML alignment, high audit frequency, transparent registry.	Complex ownership structures, slow response times from local banks.	Licence certificate, MFSA company extract, AML manual, compliance audit letter.
Curaçao Gaming Control Board (GCB)	Cost-efficient and flexible for startups; renewed credibility post-2023 reform (LOK system).	Transition from sub-licences is still unclear for many; inconsistent AML enforcement across service providers.	GCB-issued direct licence, MLRO appointment letter, Curaçao CoC extract, local address verification.
UK Gambling Commission (UKGC)	Gold standard of compliance; strict player fund segregation.	Costly and over-regulated; UK entities must prove affordability checks & safer gambling integration.	Full UKGC licence, proof of bank trust account, AML training logs, safer gambling policies.

Why MGA and Curaçao Operators Face Rejections

Despite both being legitimate jurisdictions, MGA and Curaçao operators are frequently rejected by EU acquirers.

Here’s why:

1. Licence Mismatch vs. Business Model

If your licence covers B2C casino but your site runs affiliate links or crypto deposits, it’s flagged as activity outside licence scope, a compliance breach.

2. AML Policy Inconsistency

Underwriters review your AML manual against FATF and EBA guidelines.
If your internal document lacks risk scoring matrices, transaction monitoring workflow, or PEP screening, they assume it’s decorative, not functional.

3. Lack of Local Substance

PO Box or shared office addresses in Malta or Curaçao are immediate risk signals.
Underwriters expect at least one locally registered director or MLRO to validate operational presence.

4. Sub-Licence Confusion (Curaçao Legacy Model)

Merchants still operating under the old Curaçao sub-licensing framework without transition proof to the GCB’s direct licence structure are rejected on legal grounds.

5. Banking Alignment Issues

Malta-licensed operators often use offshore settlement banks. If your acquiring bank can’t verify your settlement partner (e.g., in Mauritius or Georgia), the risk matrix triggers an automatic decline for AML opacity.

Documentation You Must Prepare for Licence Vetting

To strengthen your underwriting file, attach the following:

• Copy of valid licence certificate (MGA, GCB, or UKGC).
• Screenshot from regulator’s public registry showing active status.
• Official audit confirmation (from an MGA-approved or GCB-registered auditor).
• AML/CFT Manual aligned with FATF Recommendation 10 & EU Directive (EU) 2015/849.
• Local representative appointment letters (Compliance Officer, MLRO).
• Proof of responsible gaming features (self-exclusion, deposit limits, RG icons).
• Legal opinion confirming the licence covers all offered gaming types (optional but powerful).

Underwriters are trained to detect when documentation is regulatory window dressing. Every file must demonstrate operational enforcement, not just compliance paperwork.

Multi-Jurisdiction Operators: Dual-Licence Strategy

If your business operates under both MGA and Curaçao (or MGA + UKGC), explain the jurisdictional flow clearly.

Include a Licence Mapping Table:

Brand / URL	Jurisdiction	Licence Number	Processing Entity	Settlement Bank
playwin.bet	Malta	MGA/B2C/123/2024	Playwin Limited	Bank of Valletta
luckystream.io	Curaçao	GCB/2025/098	LStream N.V.	Novo Banco (PT)

This transparency prevents cross-licence confusion, one of the leading causes of dual-brand rejections.

When a Licence Works Against You

Ironically, having a licence can sometimes increase scrutiny.

Here’s why:

• A regulated entity implies higher AML obligations, so underwriters will expect your transaction monitoring logs, SAR filings, and player KYC records to be well-documented.
• A dormant or under-audited licence (no transaction reports submitted to MGA/GCB) signals operational inactivity, which can suggest shell operations.
• If your licence is pending renewal, processors may freeze onboarding until the updated status is confirmed.

The Licence Strength Index (LSI): How Acquirers Score Jurisdictions

Internally, acquirers often apply a Licence Strength Index (LSI) score, an internal numeric measure (1-5) used to grade jurisdictional risk. While not public, here’s a reconstructed average based on 2025 EU acquirer standards:

Licence Type	LSI Score (1-5)	Perceived Risk Level
UKGC	5	Very Low
MGA	4	Low
GCB (Curaçao, post-2023 reform)	3	Medium
Isle of Man	4	Low
Kahnawake	2	High
Unregulated Offshore	1	Extreme

If your licence jurisdiction scores below 3, expect tighter reserve terms (10-15%) or limited acquiring partners.

How to Turn Licence Vetting into an Advantage

• Provide a compliance summary: a one-page document mapping each regulator’s condition to your internal controls (e.g., FIAU AML – §4.2 matched by Company Policy §3.1).
• Include an independent legal opinion confirming licence validity for online betting.
• Maintain cross-border transaction logs for each licensed brand.
• Attach ongoing audit results (RG checks, KYC sample reports).
• Be transparent about any pending renewal or jurisdiction migration.

Remember: Banks don’t decline licences, they decline unclear governance.

Source: Malta Gaming Authority – Licensing & Compliance Manual (2025), Curaçao Gaming Control Board – LOK Framework 2024, UK Gambling Commission – Licence Conditions and Codes of Practice (LCCP), Financial Action Task Force (FATF) Recommendation 10 – Due Diligence on Virtual Asset Operators, European Banking Authority – Payment Risk Guidelines for Gaming Sector (2024)

Structuring for Approval: Entity Setup and Banking Architecture That Builds Trust

If the previous sections explained what not to do, this one is about building your foundation the right way, so that underwriters, compliance officers, and acquirers all see your business as low-risk, even within a high-risk vertical.

Your corporate structure and banking setup are the two cornerstones of that perception. Most rejections can be traced back to one of these two things being wrong, unclear, or misaligned.

Why Entity Structure Matters More Than Branding

To an underwriter, your flashy gaming brand is irrelevant. What matters is the legal spine, the entity that processes funds and holds liabilities.

A well-structured entity answers three questions clearly:

1. Who controls the business (UBO clarity)
2. Where risk is located (jurisdiction alignment)
3. How liabilities are managed (banking & reserves)

If these answers aren’t evident within two minutes of file review, you’ll lose credibility.

The Ideal Entity Structure for iGaming Operators

A clean, transparent hierarchy typically looks like this:

Parent HoldCo (EU or UK) 
↓
Licensed Operating Entity (Malta / Curaçao)
↓
Processing Subsidiary / Payment Entity
↓
Local Bank Account + PSP Settlement Account
↓
Player Wallet / Gaming Platform

The Golden Triangle of Approval Readiness

Underwriters look for harmony between three components:

Component	Purpose	What Underwriters Expect
Legal Entity	Holds licence and contractual responsibility	Clear UBOs, audited financials, real office presence
Banking Partner	Handles settlements, KYC, and chargeback exposure	EU or EEA bank preferred; no anonymous or offshore IBANs
Payment Flow	Defines how funds move between players, merchants, and acquirers	Transparent settlement path, AML reporting, PCI compliance

The tighter your alignment, the shorter your underwriting timeline.

The Final Takeaway: 

If you want your iGaming application approved, stop thinking like a merchant.
Think like a risk analyst.

Ask yourself:

• Can my payment flow be audited in one traceable path?
• Does every entity in my structure serve a real purpose?
• Is there anything in my file I’d hesitate to explain to a regulator?

If your answer is no surprises, you’re approval-ready.

FAQs

1. Why do iGaming operators in Malta or Curaçao often get rejected for merchant accounts?

Rejections typically occur due to incomplete documentation, unclear UBO structure, or AML/website non-compliance.Underwriters are highly sensitive to regulatory misalignment (e.g., holding a Curaçao licence but processing through a non-registered EU entity). Failing to present a coherent financial history or using offshore settlement accounts without clarity also leads to immediate rejection.

2. Does having an MGA or Curaçao licence guarantee approval from a payment processor?

No. A gaming licence confirms legal legitimacy, not financial reliability. Underwriters still assess your chargeback history, AML controls, local presence, and bank relationships. Many licensed operators are declined because they lack audited financials or have mismatched entity names between their licence and merchant application.

3. What documents do underwriters require for iGaming merchant onboarding?

A complete underwriting file should include:

• Certificate of incorporation & shareholder register
• Gaming licence and AML manual
• Six months of processing statements and bank statements
• Organogram (ownership chart)
• Proof of local substance (lease, director appointment, utility bill)
• Website screenshots showing responsible gaming and refund policies

Missing any of these slows approval or triggers enhanced due diligence (EDD).

4. How can I reduce the chances of rejection when applying for a merchant account?

Being transparent about your operations is the best way to build trust with underwriters.

• Keep your chargeback ratio below 1%.
• Maintain consistent processing history with stable volume.
• Ensure your website and licence jurisdiction match.
• Include a cover letter explaining your business model and risk controls.
• Use an EEA-based settlement bank.

5. Why do underwriters dislike Curaçao sub-licences?

Legacy sub-licences (pre-2023) lacked regulatory oversight and AML uniformity.
Post-reform, the Curaçao Gaming Control Board (GCB) now issues direct licences under the LOK framework. If you still operate under a sub-licence without transition proof, most EU acquirers will decline your application.

6. Can I apply for multiple merchant accounts at once to increase my chances?

Applying to several acquirers simultaneously can hurt your credibility. Underwriters share information through MATCH and risk consortiums. It’s better to apply sequentially with tailored applications, and disclose previous declines honestly.

7. How long does the underwriting process usually take for a gaming merchant?

For complete applications, approvals typically take 2-4 weeks. If your file triggers EDD (due to high chargebacks, offshore banking, or unclear ownership), expect 6-8 weeks. MGA-licensed entities with clean records are usually faster than new Curaçao licensees.

8. What are fatal flaws that automatically get an application rejected?

• Unverified UBOs or offshore nominees
• Unlicensed brands under a regulated entity
• Missing refund/responsible gaming pages on website
• Contradictory KYC data (different entity names)
• Bank statements with crypto inflows without a VASP licence

Fixing these before applying can save weeks of review time.

9. Can I operate under one licence and process payments for multiple brands?

Only if each brand is explicitly listed under your licence and regulator approval is documented. Otherwise, underwriters treat it as merchant aggregation, a major compliance violation that can lead to blacklisting.

10. How can Payment Mentors help me secure approval?

Payment Mentors specialises in high-risk merchant onboarding for regulated gaming operators.

We assist in:

• Preparing compliant underwriting packs
• Liaising with acquirers for risk reviews
• Optimising chargeback prevention strategies
• Aligning corporate and banking structure for approval readiness

By working with Payment Mentors, operators increase their approval rate while maintaining full AML and regulatory compliance.