The State of High-Risk Payments 2026

Table of Contents

SECTION 01 · EXECUTIVE SUMMARY

Six findings that define high-risk payments in 2026

The high-risk acquiring market in 2026 is not a tougher version of 2025 — it is structurally different. Visa's Acquirer Monitoring Programme has rewritten chargeback economics, MiCA and the FCA's cryptoasset regime have redrawn the crypto perimeter, iGaming is fragmenting along licence lines, and reserves have moved from rolling to hybrid. The merchants winning placements and pricing in 2026 are not chasing the lowest rate. They are industrialising compliance, diversifying acquirers, and treating processing infrastructure as a multi-year strategic asset. This summary captures the six findings that the rest of the report develops in detail.

The high-risk acquiring market entered 2026 structurally different from the one that existed twelve months earlier. Three forces converged: scheme-led monitoring programmes that punish chargebacks and fraud with hard financial consequences rather than soft warnings; a wave of regulatory perimeter expansion across crypto, gambling and consumer credit that has redrawn which acquirers can legally board which merchants; and a contraction in offshore capacity as correspondent banking relationships tightened. The result is a market where the merchants who win are not the ones who hunt the cheapest rate, but the ones who industrialise compliance, diversify processing, and treat acquirer relationships as a multi-year asset class. This report distils six months of partner interviews, scheme circulars, regulatory filings and live placement data into the findings below.

The six findings that define 2026

1. VAMP has rewritten the chargeback economics of high-risk merchant accounts. Visa's Acquirer Monitoring Programme, which replaced VDMP and VFMP in April 2025, now combines fraud and disputes into a single ratio measured at the acquirer level. The 'above standard' threshold of 1.5% (dropping to 0.9% on 1 January 2026 and to the planned 'excessive' tier of 1.5% being enforced more aggressively) means acquirers are pricing risk earlier in the funnel — merchants are seeing reserve requirements and rolling holdbacks attached to onboarding terms rather than triggered after incidents. Section 02 details the operational changes merchants must make before Q3 2026 to stay placeable.

2. The UK and EU crypto perimeters have closed in opposite directions, and acquirer appetite has followed. MiCA came into full application on 30 December 2024, and the FCA's cryptoasset authorisation regime under the FSMA 2000 (Regulated Activities) order is moving from the financial promotions phase into full conduct supervision through 2026. EU credit institutions with cryptoasset programmes are now the dominant on-ramp for regulated exchanges and stablecoin issuers; meanwhile, unregulated or grey-market crypto merchants have lost roughly half their acquiring options since 2024, with capacity concentrating in specialist Tier-3 offshore acquirers operating under non-EU licences. Section 03 maps the surviving routes.

3. iGaming acquiring is fragmenting along licence lines, not vertical lines. The UK Gambling Act review white paper measures — affordability checks, stake limits on online slots, statutory levy from April 2025 — have made UK-licensed operators more expensive but more bankable, while .com operators targeting grey markets face a shrinking pool of acquirers willing to underwrite reputational risk. Operators holding MGA, Isle of Man, or Gibraltar licences alongside a UK licence are commanding materially better commercial terms than single-licence competitors. Section 04 explains why a multi-licence structure is now table stakes for any operator processing above EUR 50m annually.

4. Reserve structures have shifted from rolling to hybrid. The historic 10% rolling reserve held for 180 days remains the published standard for high-risk merchants, but in practice acquirers are now layering an upfront reserve (typically 5-15% of projected monthly volume, posted at boarding) on top of a reduced rolling component. This protects the acquirer's VAMP exposure during the first 90 days when chargeback data is thin, and it shifts working-capital pressure onto the merchant. Section 05 models the cash-flow impact across vertical-typical volumes and proposes three structures that reduce upfront drag without spooking underwriters.

5. Decline-rate optimisation has overtaken approval-rate optimisation as the highest-leverage merchant metric. With 3DS2 now the universal SCA standard across the EEA and UK, and with issuer-side AI fraud models increasingly opaque, the gap between best-in-class and median authorisation rates in high-risk verticals has widened to 8-14 percentage points depending on geography. Merchants achieving the upper band share three characteristics: intelligent BIN-level routing across at least three acquirers, locally-acquired processing in their top three issuing markets, and a structured retry strategy aligned to scheme soft-decline reason codes. Section 06 publishes our benchmark data by vertical.

6. The high-risk PSP landscape is consolidating, and merchant leverage is shifting accordingly. Three of the last eighteen months' largest deals in the payments stack have involved high-risk specialists being absorbed into broader platforms, and a further wave of consolidation is widely anticipated through 2026 as smaller PSPs struggle with the cost of VAMP, MiCA, and PSD3 readiness simultaneously. Merchants on month-to-month commercial terms with a single PSP face genuine continuity risk; merchants with multi-acquirer redundancy and signed back-up boarding agreements do not. Section 07 sets out the diversification playbook.

How to use this report

The remaining sections are designed to be read independently. Operators should start with their primary vertical (Sections 03-08), then read Section 02 (scheme rules) and Section 05 (reserves and underwriting) as cross-cutting context. CFOs and treasury teams will find Section 05 and the consolidation analysis in Section 07 most directly actionable. Founders preparing for first-time high-risk placement should begin with Section 09, our underwriting readiness checklist.

SECTION 02 · REGULATION

The 2026 Regulatory Turning Point

2026 is the year four years of consultation became four years of consequence. The UK cryptoasset perimeter, MiCA's transitional cut-off, Dubai's VARA rulebook refresh, Visa's tightened VAMP threshold, the Online Safety Act's Part 5 duty, the FCA-adjacent affordability stack and the Digital Services Act's adult-platform enforcement now all sit live, in transition, or imminent within a single twelve-month window. The combined effect is not regulatory adjustment. It is a structural recalibration of who is permitted to acquire high-risk volume, on what terms, and at what cost.

Nothing about 2026 looks accidental in retrospect. Four years of consultation papers, draft statutory instruments, scheme circulars and Ofcom code drops have converged into a single window in which crypto, adult content, gambling and the cards rails themselves all change their operating rules at once. For high-risk merchants and their acquirers, the consequence is not a regulatory event — it is a regulatory phase change. Pre-2026 frameworks were largely voluntary, advisory or transitional. The frameworks coming into force this year carry licensing perimeters, hard scheme thresholds, age-assurance duties and platform liability. By the end of 2027, the universe of firms permitted to acquire high-risk volume in the UK and EU will be measurably smaller, and the cost of remaining inside that universe will be measurably higher.

The UK cryptoasset regime: policy to perimeter

The Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026 were made by Parliament on 4 February 2026, formally extending the FSMA regulatory perimeter to cover a defined set of cryptoasset activities — issuing fiat-backed stablecoins, operating a cryptoasset trading platform, dealing in cryptoassets as principal or agent, arranging deals, safeguarding (custody), and staking. This is the legislation that ends the long period in which UK crypto firms operated under the AML-only Money Laundering Regulations 2017 supervisory regime. From the moment the new perimeter is in force, the activity itself becomes a regulated activity under section 22 of FSMA, with all the Senior Managers and Certification Regime, prudential, consumer duty and financial promotions consequences that flow from that classification. The implementation timeline is unusually long by FCA standards, which tells you how concerned the regulator is about a cliff edge. The Cryptoasset Gateway application window is scheduled to open on 30 September 2026 and close on 28 February 2027. Firms that submit during that window enter a transitional permissions arrangement; firms that miss it must either stop conducting the regulated activity to UK customers or wait for the standard authorisation queue. The substantive rules — the Conduct of Business Sourcebook chapter for cryptoassets, the Prudential Sourcebook treatment, the financial promotions overlay — go live on 25 October 2027. For acquirers, the practical implication is that the boarding question for a UK crypto exchange or on-ramp changes between Q4 2026 and Q4 2027. A merchant boarded in early 2026 with an MLR registration may, by October 2027, either hold a full FSMA Part 4A permission, hold transitional permissions, or have exited the UK market. Acquirer credit and compliance committees are already inserting a Gateway-status warranty into their merchant agreements with a right to terminate if the merchant fails to submit by 28 February 2027 or fails the substantive review. The Gateway is not a light-touch registration: the FCA has signalled that firms holding an MLR registration since 2020 without material issues will not be auto-passported in. Each firm will be assessed against the full Threshold Conditions, including business model viability, capital adequacy and the appropriateness of senior management.

MiCA closes, VARA hardens

The Markets in Crypto-Assets Regulation became fully applicable to crypto-asset service providers on 30 December 2024, but the 18-month transitional period under Article 143 means the EU-wide cut-off does not arrive until 1 July 2026. After that date, any entity providing crypto-asset services to EU clients without a MiCA authorisation — or without the benefit of a national grandfathering arrangement that extends beyond the EU-wide deadline — is in breach of EU law and must cease offering services. Several member states deliberately chose a shorter window: Germany, Ireland, Greece, Spain and Liechtenstein closed transitional access at 12 months; Finland, Latvia, Lithuania, Hungary, the Netherlands, Poland and Slovenia closed at six months. The market has not yet absorbed that 1 July 2026 is a hard date for the long tail of unlicensed offshore exchanges that have historically served EU residents through reverse-solicitation arguments. The acquiring consequence is direct: EU credit institutions and electronic money institutions with cryptoasset programmes are now refusing to board any merchant that cannot evidence a MiCA Crypto-Asset Service Provider (CASP) licence or a credible application in flight. Specialist Tier-3 offshore acquirers that previously absorbed unlicensed EU-facing volume are repricing accordingly — reserves on EU-facing crypto exchange volume have widened materially through Q2 2026, and several have pulled out of the segment entirely. Dubai's Virtual Assets Regulatory Authority spent 2022–2024 building a reputation as the pragmatic alternative to MiCA — a real licensing regime, but a faster path. That positioning has changed. The Exchange Services Rulebook Version 2.1, effective 31 March 2026, formalises the regime for exchange-traded virtual asset derivatives (futures, options, contracts for difference, perpetuals), introduces leverage, suitability and disclosure requirements for retail access, and prohibits proprietary trading by the venue or its affiliates. VARA has issued parallel updates across the Advisory, Broker-Dealer, Custody, Lending and Borrowing, Investment Services, Transfer and Settlement, and Issuance rulebooks, each tightening supervisory mechanisms and raising the threshold for product approval. Read together with the DFSA's expansion in the DIFC and the FSRA's activity in ADGM, the UAE picture in 2026 is one of three regulators raising market-entry costs in lockstep. The era in which a UK or EU founder could relocate a crypto business to Dubai to escape MiCA-equivalent obligations is functionally over.

Visa VAMP: a 32% tightening in one step

On 1 April 2026, Visa's Acquirer Monitoring Programme (VAMP) tightened the merchant Excessive threshold from 2.2% to 1.5%. VAMP replaced the legacy Visa Dispute Monitoring Programme (VDMP) and Visa Fraud Monitoring Programme (VFMP) on 1 April 2025, combining TC40 fraud reports and TC15 chargebacks into a single ratio against total settled transactions. The acquirer-level bands did not move in April 2026 — Above Standard remains 0.5% and Excessive 0.7% — but the merchant ratio tightening flows downstream as acquirers manage their portfolio totals. There is no warning tier, and the assessment regime applies an $8 fine per transaction once a merchant is classified as Excessive. A 32% headline tightening in a single step is not, in scheme-rule history, a small move. It is the most aggressive recalibration of a Visa risk programme since the original VFMP refresh in 2018, and it lands on a merchant population whose dispute baseline has been drifting upward for three years under the pressure of friendly fraud, subscription-trap chargebacks, and crypto-related first-party misuse. The high-risk verticals most exposed — adult subscription, nutra continuity, forex/CFD, and crypto on-ramp — are precisely the verticals where the legacy 2.2% threshold was already being approached in normal months. Acquirers have responded by lowering their internal monitoring trigger to ~1.0% against the 1.5% scheme line to preserve headroom, which in practice means many high-risk merchants are now being placed on remediation plans, 3DS-mandation, or chargeback-management vendor mandates at ratios that would not have triggered any action twelve months ago.

OSA Part 5, gambling and DSA: the content perimeter

The duty under Part 5 of the Online Safety Act 2023 — covering services that publish their own provider pornographic content — came into force on 17 January 2025. From that date, Part 5 services have been required to deploy "highly effective" age assurance to prevent children from normally encountering regulated content. Ofcom's published guidance recognises photo-ID matching, facial age estimation, open-banking-based confirmation, mobile-network-operator age signals, credit-card checks and digital-identity-wallet attestations as capable of meeting the standard. Self-declaration does not. The user-to-user limb of the Act — covering platforms that host third-party pornographic content — followed on 25 July 2025. For high-risk acquirers, the Part 5 duty changes the boarding diligence on every UK-facing adult merchant: the KYC pack now must include evidence of the merchant's Ofcom-aligned age-assurance vendor, the deployment scope, and an attestation of independent testing. On the gambling side, the Gambling Commission's financial vulnerability checks moved into force in stages from August 2024, with the lower £150 net-deposit threshold taking effect in February 2025 and the enhanced affordability assessments rolling forward through 2025 and 2026. The 2026 layer is the tightening interaction between Gambling Commission rules, the FCA's Consumer Duty as it applies to firms in the gambling value chain that hold FCA permissions, and the joint FCA/ICO statement of March 2026 confirming that UK data protection law does not prevent firms from identifying vulnerability, sharing relevant data across distribution chains, or monitoring outcomes — provided they do so lawfully and proportionately. That statement removes the data-protection objection several PSPs and acquirers had used to resist sharing player-risk signals upstream. The FCA is separately consulting on revised advertising rules for consumer credit in Q1 2026 with read-across to gambling-adjacent BNPL and player-funding products. In parallel, the European Commission designated Pornhub, Stripchat and XVideos as Very Large Online Platforms (VLOPs) under the Digital Services Act in December 2023, with XNXX added in July 2024 once its EU monthly-active-user figures crossed the 45 million threshold. Formal proceedings opened against all four platforms focus on age-assurance failings and minor-protection duties under Articles 28 and 35 DSA. Stripchat was de-designated in 2025 after a sustained decline in EU user numbers below the threshold — a useful data point for the wider adult market, which has seen measurable migration to smaller platforms specifically to stay below the VLOP line. The DSA does not directly regulate payments, but its enforcement consequences ripple into acquiring: both Visa's and Mastercard's brand-protection programmes treat unresolved regulatory proceedings against a host platform as a material risk factor. Read together, the regimes shrink the legitimate crypto-acquiring universe in Europe (Gateway plus MiCA), close the soft-landing alternative (VARA), squeeze the operational headroom for fraud and disputes (VAMP at 1.5%), and add three new categories of liability — age-assurance failure, platform-designation enforcement, and affordability-check enforcement — that did not exist as boardable line items two years ago. The events that close out this cycle are the 28 February 2027 close of the UK Cryptoasset Gateway, the 25 October 2027 commencement of substantive UK cryptoasset rules, and the first full enforcement cycle of VAMP at 1.5% landing in the Q3 2026 acquirer review. Any merchant operating in crypto, adult or iGaming that does not have a Q1 2027 board-paper-ready position on all three is operating without a plan.

“The duty requires the use of age verification or age estimation (or both) to secure that children are not normally able to encounter regulated provider pornographic content; and that the age verification or age estimation is highly effective at correctly determining whether or not a particular user is a child.”

Online Safety Act 2023, Part 5, section 81 (UK Public General Acts)

SECTION 03 · CRYPTO

Crypto: Acquiring in the Authorised Era

Crypto card acquiring in 2026 is no longer a question of risk appetite — it is a question of regulatory permission. The convergence of MiCA going fully live across the EU, the FCA's transition from MLR registration to full FSMA authorisation, and the schemes' hardening of MCC 6051 and CCM rules under VAMP has turned acquirer underwriting into a function of which licence a merchant holds, in which jurisdiction, and how long it will remain valid. The bifurcation between authorised and unauthorised firms is now visible in pricing, reserves, and addressable acquirer rosters — and it is widening every quarter.

For most of the last decade, crypto card acquiring in the UK and EU operated on a simple premise: if you could get an MCC 6051 BIN, you could process. That premise is dying. The combination of the FCA's transition from the Money Laundering Regulations registration regime to full FSMA authorisation, MiCA going fully live across the 27 EU Member States in late 2024 and bedding in through 2025, and the schemes' tightening of Crypto Currency Merchant rules under VIRP and the equivalent Mastercard programmes, has turned acquiring into a function of regulatory permission rather than risk appetite. Acquirers no longer ask whether they can underwrite a crypto exchange; they ask which licence it holds, in which jurisdiction, and whether that licence will still be valid in 18 months.

MCC 6051, CCM registration, and the scheme overlay

MCC 6051 — "Quasi Cash – Merchant" — remains the mandatory coding for any merchant whose primary purpose is the sale of cryptocurrency, stablecoins, or wallet top-ups funded by card. The MCC itself has not changed. What has changed since Visa's CCM (Crypto Currency Merchant) framework and Mastercard's parallel Crypto Asset Programme registration is the depth of reporting required around it. Acquirers must register crypto merchants with the schemes ahead of boarding, attesting to the licence the merchant holds, the asset universe being sold, and the geographic scope of activity. Visa's CCM registration sits alongside the Visa Integrity Risk Program (VIRP), and chargeback ratio drift now pulls the merchant into Visa's Acquirer Monitoring Programme (VAMP), which replaced VFMP and VDMP at the start of Q2 2025. The practical consequence is that MCC 6051 boarding is no longer a sales-desk decision: it is a compliance gate involving the acquirer's MLRO, the scheme registration team, and — for European acquirers — a documented MiCA licence reference or a written carve-out for non-EU activity. Mis-coding under MCC 5967 or 7995 is now treated by both schemes as a Tier-1 acquirer compliance failure rather than a merchant-side issue.

FCA registration versus FSMA authorisation

Inside the UK, the most consequential change shaping 2026 acquiring decisions is the move from the MLRs cryptoasset registration regime — applicable since 10 January 2020 — to the full authorisation perimeter under the Financial Services and Markets Act. HM Treasury published its draft statutory instrument bringing cryptoassets into FSMA in late 2024, with the FCA setting out its approach across DP24/4 and the CP25 consultation series covering the new regulated activities: operating a cryptoasset trading platform, dealing in cryptoassets as principal or agent, arranging deals, custody, and stablecoin issuance. The authorisation gateway opens in tranches through 2026 with the perimeter expected to apply in full from the early-to-mid 2027 cutover, after which the existing MLR register closes. This matters at the acquiring layer because UK acquirers are already pre-positioning. The merchant question is no longer "are you on the FCA register?" but "have you submitted, or do you have a credible plan to submit, a Variation of Permission or full Part 4A application for the new perimeter?" Firms holding MLR registration but showing no engagement with the FSMA gateway are being repriced or sunset by Tier-1 UK acquirers, on the basis that an unauthorised firm in 2027 is an unboardable firm and a wind-down case for any acquirer carrying the relationship. The MLR register has always been a financial-crime registration, not a prudential one — it says nothing about a firm's capital, governance, or conduct standards. The FSMA gateway is the first time UK crypto firms face threshold conditions, SM&CR, consumer duty, and prudential capital requirements, and the first time UK acquirers can rely on a regulator-attested baseline rather than running the full conduct file themselves at underwriting.

MiCA passporting and the EU acquiring map

MiCA's stablecoin provisions (Titles III and IV) took effect on 30 June 2024 and the CASP regime (Title V) on 30 December 2024, with a transitional grandfathering window that varies by Member State — France set 18 months, Germany set 12, the Netherlands offered no grandfathering, and several jurisdictions including Italy and Spain landed in the middle. By the time this report goes to press, that window is closing. A meaningful subset of CASPs that operated under national registrations through 2024 and early 2025 have either secured MiCA authorisation, withdrawn from the EU, or are processing on borrowed time under acquirer relationships that will be terminated at the grandfathering cliff edge. For acquirers, the MiCA licence is now the single most reliable underwriting artefact in European crypto. A CASP authorisation from a credible National Competent Authority — BaFin, AMF, CNMV, CySEC under its tightened MiCA-aligned framework, Banca d'Italia, or the Central Bank of Ireland — gives acquirers a passportable basis to onboard EU-wide. Acquirers based in EU credit institutions and EMIs are openly pricing MiCA-authorised firms 80-150 bps cheaper than equivalent non-EU firms with comparable volume, and offering rolling reserves at the lower end of the spectrum. The flipside is that NCAs are not equivalent: a CySEC-issued CASP authorisation, while legally passportable, is treated by some German and Dutch acquirers with the caution that CySEC CIF licences received in CFD acquiring — accepted, but with additional file review.

VARA Dubai, reserves, and corridor segmentation

VARA — Dubai's Virtual Assets Regulatory Authority, established under Law No. 4 of 2022 — has become the most consequential destination for firms that either cannot meet MiCA's organisational and capital thresholds or that want to retain a derivatives and margin-trading product set that MiCA constrains. VARA's full Market Product (MP) licence covers VA Exchange Services, Broker-Dealer Services, Custody, Lending and Borrowing, VA Management and Investment Services, and Advisory Services. The Compliance and Risk Management Rulebook and the Market Conduct Rulebook updated through 2024 and 2025 give acquirers a documented basis to underwrite the firm. VARA is not, however, a substitute for MiCA in EU acquiring: EU credit-institution acquirers will not passport a VARA-licensed firm into the EU consumer market on the basis of the VARA licence alone. What VARA does is unlock a second tier of acquiring relationships — specialist non-EU acquirers (frequently routed through Mauritius, Georgia, or selected EU EMIs operating under reverse-solicitation interpretations) that will board VARA firms for a defined non-EU customer base. Reserves typically sit in the 15-25% range on rolling 180-365 day terms, settlement is weekly rather than daily, and KYB requires UBO attestation down to the 10% threshold rather than 25%. More broadly, the 2021-2022 acquiring environment of T+2 settlement on 5% rolling reserves has not returned in the post-FTX climate. For MiCA- or FSMA-authorised firms with audited segregation of customer funds and a documented wind-down plan, rolling reserves of 5-10% over 90-180 days are achievable from EU credit-institution acquirers; for MLR-registered UK firms in the FSMA transition window, 10-15% over 180 days is the standard ask, explicitly contingent on hitting authorisation milestones. Acquirers also now treat crypto as three distinct underwriting categories: fiat-to-crypto on-ramp (highest volume, tightly bound to MCC 6051 and CCM rules); crypto-to-fiat off-ramp (which triggers the FCA's financial promotions regime for cryptoassets that came into effect on 8 October 2023); and OTC above retail thresholds, which has largely migrated to bank wire and stablecoin settlement, with cards retained only for smaller retail-sized fills.

The FATF Travel Rule — Recommendation 16, requiring originator and beneficiary information to travel with virtual asset transfers above defined thresholds — has been a stated standard since 2019 but only became a meaningful acquiring underwriting factor as enforcement caught up. In the UK, the Money Laundering and Terrorist Financing (Amendment) Regulations 2022 brought the Travel Rule into UK law from 1 September 2023. In the EU, the recast Transfer of Funds Regulation, Regulation (EU) 2023/1113, came into effect for crypto-asset transfers on 30 December 2024, eliminating the de minimis threshold that previously existed for traditional fiat transfers and applying full originator and beneficiary information requirements to every CASP-to-CASP transfer regardless of size. Acquirers underwriting crypto firms in 2026 now treat Travel Rule compliance as a binary gate, not a soft factor. The diligence is not whether the firm has a Travel Rule policy — every credible firm does — but which protocol provider it uses (TRP, Sumsub Travel Rule, Notabene, VerifyVASP, and competing protocols all have different counterparty coverage), what its policy is for the sunrise problem (transfers to or from VASPs that have not yet implemented Travel Rule), and what its policy is for unhosted wallet transfers. A firm with an unworkable unhosted wallet policy — blanket acceptance with no risk-based controls — is being declined or repriced by EU credit-institution acquirers on the basis that it will not survive its next NCA inspection. UK rules retain a GBP 1,000 threshold under the 2022 amendment regulations, but EU-facing UK firms have generally adopted the EU zero-threshold approach for operational simplicity, and acquirers expect to see this in policy documentation. The net effect is that the crypto acquiring market in 2026 is bifurcating along licence lines more sharply than at any point since card acquiring became available to the sector. Authorised firms — MiCA CASPs and FSMA-permissioned UK firms once the gateway is operational — are seeing real acquirer competition, sub-2% effective MDR on Tier-1 EU corridors, and reserve terms approaching parity with traditional e-money businesses. Unauthorised firms, including UK MLR-only firms without a credible FSMA plan, are being progressively offboarded by Tier-1 acquirers as the regulatory clock runs down. The offshore-pivot cohort — VARA, BVI, Seychelles — is finding acquiring available but at a cost structure that requires meaningful per-transaction margin to absorb. For merchants weighing acquiring strategy this year, the single most consequential decision is the licensing posture, not the acquiring choice: the acquiring market will price the licence. A merchant that secures MiCA authorisation in a credible NCA jurisdiction or completes the FSMA gateway in the UK will have its choice of competitive acquirers; a merchant that delays will find the addressable acquirer roster shrinking quarter by quarter through 2026 and 2027.

SECTION 04 · FOREX & CFD

Forex / CFD: The Two-Tier Market

Retail forex and CFD acquiring entered 2026 as the most structurally bifurcated vertical in high-risk payments. The Tier-1 perimeter — FCA, CySEC, BaFin, ASIC — operates under tight leverage caps, mandatory negative balance protection, and standardised loss disclosure. The offshore tail — Mauritius, Vanuatu, Anjouan, what remains of SVG — operates without any of those constraints, at materially different pricing, with a materially different acquirer pool. The comfortable middle ground that defined 2018-2023 has been squeezed out by CySEC reporting intensity, SVG strike-offs, VAMP enforcement, and the prop-firm reckoning that followed My Forex Funds.

Forex and CFD acquiring entered 2026 as the most bifurcated vertical in high-risk payments. On one side sit the Tier-1 jurisdictions — FCA in the UK, CySEC in Cyprus, BaFin in Germany, ASIC in Australia, MAS in Singapore — where leverage caps, negative balance protection, and standardised risk warnings have created a tightly bounded retail product. On the other sits the offshore tail: St. Vincent and the Grenadines, Vanuatu, Mauritius, Comoros, Seychelles, Anjouan, and a thinning roster of Caribbean shells, where 1:500 to 1:2000 leverage, opaque execution models, and aggressive affiliate funnels continue to drive volume. The card schemes treat these two worlds as one MCC — 6211 — but acquirers underwrite them as if they were entirely separate verticals. They are. What changed between 2024 and 2026 is not the structural divide, which has been visible since ESMA's 2018 product intervention measures. What changed is the squeeze on the middle: CySEC's reporting tightening, MetaQuotes' platform-licence enforcement, the prop-trading reckoning that followed My Forex Funds, and the SVG FSA's struck-off notices have all conspired to remove the comfortable grey zone where Cyprus-light brokers booked aggressive volume through SVG entities and waved at compliance from a distance.

The Tier-1 Perimeter: ESMA's Long Shadow

The regulatory architecture for retail CFDs in Europe and the UK has not fundamentally shifted since ESMA's product intervention measures were converted into permanent national rules. Leverage is capped at 30:1 for major currency pairs, 20:1 for non-major pairs, gold and major indices, 10:1 for other commodities and minor indices, 5:1 for individual equities, and 2:1 for cryptoassets. Margin close-out at 50% of required initial margin is mandatory. Negative balance protection on a per-account basis is mandatory. Monetary and non-monetary inducements to trade are prohibited. A standardised risk warning disclosing the firm's loss-making retail account percentage must appear on all communications. The FCA implemented these measures permanently under PS19/18 with effect from 1 August 2019 for CFDs and 1 September 2019 for CFD-like options. In February 2026 ESMA issued a public statement (ESMA35-243228190-8024) reminding firms that derivatives marketed as 'perpetual futures' or 'perpetual contracts' — increasingly offered against crypto underlyings — fall within the CFD product intervention scope where they meet the economic definition of a CFD. That single statement closed the most active product-engineering loophole of 2024-2025, where brokers attempted to relabel leveraged crypto exposure as a non-CFD instrument to escape the 2:1 cap. For acquirers, the Tier-1 perimeter is the easy part of the underwriting conversation. An FCA-authorised CFD broker with full investment-firm permissions, audited financials, segregated client money under CASS 7, and an acceptable retail-loss-disclosure percentage is a normal merchant. Pricing tends to land between 1.4% and 2.2% blended MDR, with rolling reserves of 5-10% over six months for established firms and 10-15% for newer ones. Cyprus remains the operational centre of gravity for European retail CFD distribution, but the regulatory cost of operating a CIF has risen sharply. In 2025 CySEC migrated from Excel-based reporting toward structured submissions through its Transaction Reporting System, with a hard deadline of 8 May 2026 for 2025 prudential and conduct data. Missed filings now trigger administrative penalties without prior reminder. ESMA's Common Supervisory Action for 2026 has directed CySEC to focus on-site inspections on staff compensation structures, digital platform design (specifically, whether UX nudges retail clients toward higher-risk products), and conflicts between firm revenue targets and client outcomes.

The Offshore Tail: SVG's Forced Exit and the Anjouan Wave

For a decade, St. Vincent and the Grenadines was the default offshore jurisdiction for retail forex. The FSA explicitly disclaimed jurisdiction over forex brokerage activity, allowing firms to register a BC or LLC and operate without any local supervisory regime — a fact often misrepresented to retail clients as 'SVG regulation'. That arrangement ended on 10 March 2023, when the SVG FSA, responding to fraud complaints, required all registered companies engaged in forex trading or brokerage to produce a notarised, apostilled licence from the jurisdiction where they actually carry out business. Companies that failed to comply were struck off under Article 1, Section 37(1) of the FSA Act and the IBC Act 2018 Amendment. The strike-off list grew through 2023-2025 and by Q1 2026 had materially thinned the population of SVG-shell forex entities. The practical consequence is a migration to Mauritius (under an FSC Investment Dealer licence), Vanuatu (under VFSC Principal's Licence), Comoros and Anjouan (under the Offshore Finance Authority's brokerage licence) and, increasingly, South Africa's FSCA Over-the-Counter Derivatives Provider regime. None of these jurisdictions impose ESMA-style leverage caps. None require negative balance protection. None mandate a retail loss disclosure. They function, for retail card acquiring purposes, as the same category: a corporate registration in a jurisdiction the card schemes recognise but Tier-1 acquirers will not touch. Anjouan (Comoros) brokerage licences proliferated through 2024-2025 as the cheapest route to nominal 'regulation' after SVG closed; several scheme-side risk officers have privately flagged Anjouan in line for elevated scrutiny under Visa's Global Brand Protection Programme and Mastercard's Business Risk Assessment and Mitigation programme, and acquirers writing Anjouan-domiciled forex risk in 2026 are typically building in 18-month rolling reserves of 15-25% in anticipation.

Acquiring Economics and the Prop-Firm Reckoning

The pricing divergence between Tier-1 and offshore forex acquiring widened materially over 2024-2026, driven primarily by Visa's consolidation of VDMP and VFMP into the Visa Acquirer Monitoring Programme (VAMP) effective 1 April 2025, with enforcement live from 1 October 2025 and the stricter Above Standard thresholds taking effect 1 January 2026. VAMP measures combined fraud-plus-dispute basis points at the acquirer portfolio level. An acquirer flagged Above Standard at ≥50 bps incurs $4 per dispute across its entire forex book; Excessive at ≥70 bps incurs $8. That economic exposure flows directly into merchant pricing. Tier-1 CFD merchants — FCA/CySEC authorised, with mature dispute defence and clean fraud profiles — typically clear at 1.4-2.2% blended MDR with 5-10% rolling reserves over 180 days. Offshore forex merchants on Mauritius, Vanuatu, or Anjouan licences typically see 4.5-7.5% MDR, with rolling reserves of 10-20% over 180-365 days, plus annual MATCH-risk monitoring fees. On the rails side, Tier-1 books increasingly route through EU credit institutions and licensed e-money institutions that can hold the merchant settlement account directly. Offshore books route through a narrowing pool of specialist Tier-3 acquirers — typically Eastern European banks with high-risk programmes, a small number of Asian acquirers willing to write Vanuatu and Mauritius paper, and a residual set of niche Caribbean acquirers. APMs — open banking pay-ins in Europe, PIX in Brazil, UPI in India, and crypto on-ramps — have moved from supplementary to dominant in the offshore book, with card volume often below 40% of total deposit mix by 2026. Proprietary trading firms — the 'challenge fee' prop-firm model popularised by FTMO, The5ers, MyForexFunds, FundedNext and the wave of imitators that followed — have separated from the forex broker underwriting category entirely. The 2023 CFTC enforcement action against My Forex Funds, alleging roughly $310m in fees collected from approximately 135,000 traders against a backdrop of opaque virtual-versus-live execution, established the regulatory frame. MetaQuotes' February 2024 revocation of MT4 and MT5 platform licences from prop firms serving US clients without licensed broker partnerships triggered the operational reckoning; industry estimates suggest 80-100 firms exited the market across 2023-2024. The prop merchant is not selling FX execution; it is selling an evaluation product with a contingent payout obligation if the trader passes the challenge and meets profit thresholds on a funded account. That creates a future-delivery liability profile, a 'service not as described' dispute pattern, and an outsized affiliate marketing footprint — none of which fit a conventional broker underwriting template.

• Card acquirer appetite for prop-firm merchants in 2026 is concentrated in a small number of Tier-3 specialists; most Tier-1 acquirers carry explicit prop-firm exclusions in their high-risk underwriting policy.
• Typical pricing for prop-firm merchants ranges from 5.5-9% blended MDR, with reserves of 15-25% held for 12-18 months to cover contingent payout liability.
• MID structure increasingly requires segregated MIDs for challenge fees versus payouts, with payouts routed through alternative rails (bank transfer, crypto, e-wallet) rather than card refunds.
• Strategic partnerships between prop firms and licensed brokers — FTMO's December 2025 acquisition of OANDA being the most prominent — are reshaping the underwriting conversation by bringing regulated entities into the prop-firm corporate group.
• The Prop Trading Association's certification regime, launched as a self-regulatory response in 2024-2025, is beginning to feature in acquirer questionnaires as a soft signal but is not yet a substitute for licensed broker affiliation.

“Those derivatives that meet the definition of a CFD would be subject to measures including leverage limits, a mandatory risk warning, a margin close-out and negative balance protection, and the prohibition of monetary and non-monetary benefits.”

ESMA Public Statement ESMA35-243228190-8024, 24 February 2026, on derivatives in scope of the CFD product intervention measures

The two-tier market is now a strategic decision, not a tactical one. A forex or CFD operator choosing FCA, CySEC, BaFin or ASIC authorisation accepts a defined product economics envelope — 30:1 maximum on majors, negative balance protection, no inducements, mandatory risk disclosure — in exchange for Tier-1 acquirer access, sub-2.5% MDR, and a viable institutional growth path. An operator choosing Mauritius, Vanuatu, or Anjouan accepts a Tier-3 acquiring stack, materially higher pricing, longer reserve periods, and a permanent ceiling on which markets and which payment partners will write their volume. The historical strategy of using a CySEC entity for EU distribution and an SVG shell for everything else has been compressed by FCA enforcement on UK-resident routing, CySEC inspection intensity, SVG strike-offs, and scheme-level monitoring under VAMP. For acquirers, the underwriting question has become more about which tier the merchant credibly belongs to than about whether forex is acceptable risk. A licence document alone no longer settles the question. Underwriters now triangulate the licence with the firm's retail loss disclosure percentage, dispute and fraud ratios under VAMP, the affiliate marketing surface, the trader demographic mix by IP and KYC, and — increasingly — whether the same group is operating an offshore mirror that bleeds the regulated entity's risk profile. The two tiers can coexist commercially, but they no longer share an acquirer.

SECTION 05 · IGAMING

iGaming: Multi-Jurisdictional Pressure

The single biggest change to high-risk gaming acquiring in a decade arrived not from a card scheme but from a Caribbean parliament. Curaçao's LOK transition, the Gibraltar Gambling Act 2025, MGA's enforcement-driven 2026 plan and the UKGC's deposit-limit deadlines have collapsed the licence file and the merchant-account file into one document. Acquirers are not just pricing chargeback risk on MCC 7995 — they are pricing regulator risk, scheme-programme risk and responsible-gambling integration risk simultaneously.

Of the six high-risk verticals IceTree places, iGaming is the one where the licence file and the merchant-account file have become almost the same document. A card-acquiring decision in 2026 is no longer 'can we underwrite gambling?' — it's a multi-jurisdictional read on which regulator stands behind the deposit flow, which markets the licence actually covers, and whether the responsible-gambling stack will survive a card-scheme audit. The Curaçao LOK transition, the Gibraltar Gambling Act 2025, the MGA's 2026 supervisory plan and the UKGC's deposit-limit deadlines have collectively rewritten the underwriting checklist. Acquirers are not just pricing risk — they are pricing regulator risk, and they are pricing it merchant by merchant.

The four-tier licensing reality

There is no longer a single 'iGaming acquirer market.' There are four, and they barely overlap. Tier 1 is UK-facing volume under a UKGC operating licence, processed by UK or EU credit institutions with dedicated gambling programmes — heavily regulated, low margin, fully on-shore. Tier 2 is the .com EU/EEA business under MGA, Gibraltar or Isle of Man licences, processed through EU acquirers with gambling registrations and dual-MID structures separating regulated from unregulated geographies. Tier 3 is the post-LOK Curaçao estate — operators newly licensed by the Curaçao Gaming Authority (CGA) after the National Ordinance on Games of Chance came into force on 24 December 2024 — served by specialist offshore acquirers, EMI rails and a growing share of APMs. Tier 4 is the grey-market residual: legacy sub-licensees whose master-licence rights lapsed in early 2025, operators on Anjouan or Tobique credentials, and brands running under no recognised licence at all. Card acquiring at Tier 4 has effectively closed; what remains is crypto on/off-ramp, voucher rails and informal banking.

Curaçao after 24 December 2024

The Landsverordening op de Kansspelen (LOK) is the single biggest structural change to high-risk gaming acquiring in a decade. The old master-licence/sub-licence model — under which four master licensors issued thousands of effectively unsupervised sub-licences — has been wound down. The CGA is now the sole issuing authority. To hold a B2C or B2B licence, the operator must be incorporated in Curaçao with a registered office on-island and at least one resident managing director; the previous practice of running a Curaçao-incorporated entity under a foreign sub-licence (Anjouan, Kahnawake, Tobique, Comoros) is explicitly prohibited. For acquirers, this matters because the regulatory paper trail is finally legible. A CGA licensee has named beneficial owners, a fit-and-proper test on file, AML and responsible-gambling policies submitted to a regulator that can actually revoke, and a published licence reference an underwriter can verify. EU specialist acquirers that previously refused all Curaçao paper are now opening selective programmes for CGA-licensed groups — typically at 4.5–6.5% MDR with 10% rolling reserve held 180 days, dual-MID separation by geography, and no traffic from FATF grey-list jurisdictions or US states. The friction sits in the transition itself: the last valid sub-licences expired in early 2025, but CGA application throughput has been slower than the regulator forecast, and a material share of formerly sub-licensed brands have spent 2025–26 in a regulatory grey zone while applications sit pending. Acquirers are increasingly asking for the CGA application reference plus a legal opinion on transitional standing — a 'licence pending' letter no longer underwrites.

MGA, Gibraltar and the UKGC stack

The MGA's 2026 supervisory plan is explicit about a 'firmer, enforcement-driven posture.' The H1 2025 thematic review across 20 licensees and 58 active URLs — focused on self-exclusion implementation and responsible-gambling safeguards — has fed directly into 2026 priorities: crypto payments oversight, athlete-betting risk, esports markets, and tightened player-protection auditing. The underwriting-relevant change is the 2025 Minimum Capital Requirements Policy: licensees in negative equity must restore positive equity, which has pushed several thinly capitalised .com operators into either recapitalisation or licence surrender. Acquirers reading MGA licences in 2026 are reading the financial statements as carefully as the licence number. Gibraltar's Gambling Act 2025, in force from 1 October 2025, replaced the 2005 Act after twenty years — introducing six licence categories, a £10,000 per-licence application fee and annual fees that can total £200,000 for a B2C operator running casino plus sportsbook. With roughly 54 licensed remote operators as of late 2025, Gibraltar remains the closest thing to a quality kitemark in offshore-facing gaming: small population, intentionally tight roster, no walk-in licensees. The UK is where the merchant account and the regulatory file converge most tightly. The 2023 white paper's implementation has now reached the deposit layer: light-touch financial vulnerability checks went live on 28 February 2025, triggered at £150 net deposits per 30 days; direct-marketing opt-in rules took effect on 1 May 2025; the Remote Technical Standards update of October 2025 introduced standardised self-exclusion procedures and the new deposit-limit architecture. From 30 June 2026, all online operators must offer customers a true 'deposit limit' — a cap on amounts paid into the account over a defined period — and only this construct may be marketed as a 'deposit limit.' The Commission extended the second-phase compliance deadline by three months to 30 September 2026, but the substantive rule did not move. The card-present deposit, the 3DS challenge, the BIN-level affordability metadata and the post-deposit responsible-gambling prompt are all now part of a single scheme-reportable chain the acquirer is expected to reconstruct on demand. A merchant who cannot wire responsible-gambling signals into the authorisation message is, in 2026, increasingly unboardable at Tier 1.

MCC 7995 and the scheme programmes

Every iGaming transaction routes under MCC 7995 (Betting, including Lottery Tickets, Casino Gaming Chips, Off-Track Betting, Wagers at Race Tracks). The classification is not optional and not negotiable: routing gambling volume under a non-gambling MCC is a registration breach that ends acquirer relationships and triggers scheme fines. What has changed in 2026 is what 7995 attracts on top — a layered enforcement stack that lands directly on the merchant's chargeback ratio.

• VAMP enforcement (live since 1 October 2025) applies a single count-based ratio combining TC40 fraud and TC15 disputes against settled CNP transactions. The merchant 'Excessive' band sits at 2.2% through Q1 2026 and drops to 1.5% from April 2026 across North America and the EU — directly inside the historical iGaming chargeback range of 2–4%.
• Mastercard's dispute programmes continue to treat gambling as enhanced-monitoring volume with mandatory acquirer registration and dedicated MID structures.
• UK and EU retail issuers apply blanket declines on 7995 by default unless the cardholder has affirmatively enabled gambling spend — an interaction layer that did not exist five years ago.
• Visa gambling-merchant registration carries six-figure initial and annual programme costs that the acquirer recovers in MDR or reserve.
• Even a perfectly licensed UKGC operator can enter VAMP early-warning on a single bad quarter, typically driven by friendly-fraud disputes (industry data continues to put these at 60–70% of iGaming chargeback volume).

SECTION 06 · NUTRACEUTICALS

Nutraceuticals: Subscription, Free-Trial, Continuity

Nutra is the vertical the schemes built their subscription rulebooks around. The category that gave the world the "free trial that wasn't free" — collagen peptides, nootropic blends, weight-loss capsules, hair-growth gummies — has spent a decade triggering chargeback dispute spikes that pulled Visa and Mastercard into prescriptive billing law. By 2026 the bifurcation is complete: single-purchase, compliant-label DTC nutra now clears at mid-risk pricing through generalist acquirers, while continuity, rebill and free-trial models sit inside a separate, named scheme programme with its own registration, monitoring and reserves. They are no longer the same business.

The schism inside MCC 5122 and 5499

Acquirers used to treat 'nutra' as a single risk bucket. The label covered everything from a clean-label protein powder sold once on Shopify to an aggressive free-trial weight-loss capsule funnelled through Facebook ads with a six-cycle rebill behind a pre-checked consent box. By 2026 that bucket has been broken in two — and the split is now codified in scheme rules, acquirer underwriting templates, and PSP placement criteria. The driver is not regulatory pressure on the supplement itself (DSHEA in the US, the UK Food Supplements (England) Regulations 2003 as amended, and EU Directive 2002/46/EC have been stable for years), but rather on the billing model wrapped around it. Schemes have decoupled the product question (is this supplement legal to sell?) from the billing question (is this subscription compliant?), and acquirers price each independently. The result is a market where a single-SKU, single-charge DTC vitamin brand can now obtain card acquiring at effective rates inside 2.0%, with no rolling reserve, from generalist EU and UK acquirers that would not have quoted nutra at all in 2021. The same acquirer will decline a free-trial joint-supplement merchant outright — not because of the ingredient, but because the merchant cannot evidence Mastercard Negative Option Billing registration or pass the Visa Trial Subscription disclosure test.

Mastercard NOB and Visa Trial Subscription

Mastercard's revised standards for subscription and negative option billing merchants, first announced under AN 4934 and progressively tightened through subsequent Acquirer Notification bulletins, now function as a de facto licensing regime. Any merchant offering a free or reduced-price introductory period that automatically converts into a recurring charge must be registered by their acquirer in Mastercard's Subscription Billing Merchant programme before processing begins. Registration is not free, is not automatic, and is the gating event that determines whether a merchant gets a live MID at all. The programme imposes pre-transaction disclosure of trial price, trial length, the price and frequency of the post-trial recurring charge, and an express, separate cardholder consent capture. For digital-goods trials longer than seven days, a reminder notice must be sent no less than three and no more than seven days before trial expiry, restating subscription terms and the cancellation method. An electronic receipt must follow every billing event with cancellation instructions, and an online cancellation mechanism must be provided. Visa's parallel framework — communicated through the Trial Subscription Updates bulletins and incorporated into the Visa Core Rules and Visa Product and Service Rules — covers the same territory. Visa requires express consent through a dedicated click-to-accept that is separate from acceptance of general terms and conditions, full disclosure of trial and recurring amounts on the receipt, and a pre-billing reminder sent at least seven days before the first recurring charge if a trial, introductory offer or promotional period is about to convert. Underwriting now routinely includes a checkout walkthrough by a human reviewer, a screen capture of the consent flow, and a live test purchase where the analyst attempts to cancel and times the friction. Merchants whose cancellation path runs longer than ninety seconds, or that involves a phone tree, are routinely refused by Tier-1 EU acquirers regardless of chargeback ratio. The 2025 consolidation of the legacy Visa Dispute Monitoring Programme, Visa Fraud Monitoring Programme, and the original VAMP into a single Visa Acquirer Monitoring Programme has further changed how nutra portfolios are surveilled. The single count-based VAMP ratio — fraud (TC40) plus disputes (TC15) over settled CNP transactions — replaces the historic separate dispute and fraud ratios. With the Above Standard threshold sitting at 50bps and the Excessive threshold at 70bps for acquirer portfolios from 1 June 2025, and merchant-level enforcement from 1 October 2025, continuity nutra has become the most-watched single sub-vertical inside the programme. Acquirers carrying material continuity exposure now actively portfolio-balance: blending high-volume low-risk merchants alongside continuity books to keep the aggregate ratio inside the Standard band. The arithmetic is unforgiving — a continuity book running at 90bps will pull an entire acquirer portfolio toward the Excessive threshold without diluting volume, which is why specialist subscription acquirers now price the underlying book separately from their generalist activity and reserve aggressively against tail risk.

The acquirer landscape in 2026

The middle cohort — the specialist subscription acquirers — is the most strategically interesting layer. These are typically EEA credit institutions or UK-authorised acquirers with dedicated subscription billing teams, often partnered with a billing-platform provider that handles the consent capture, pre-billing notification, and cancellation infrastructure on the merchant's behalf. The acquirer takes the registration and ongoing monitoring; the billing platform takes the compliance plumbing; the merchant pays a premium that, by 2026, has stabilised around 90–180 basis points above generalist DTC pricing. For a continuity nutra brand doing eight-figure annual volumes, the spread is material but bearable. The third cohort — Tier-3 offshore and aggregator MID arrangements — is shrinking as a share of total continuity volume, but remains the placement of last resort for merchants whose creative, claims, or cancellation friction cannot survive Tier-1 underwriting. Separately, the US regulatory architecture for supplements — the Dietary Supplement Health and Education Act of 1994 and its structure/function claims regime — shapes acquirer attitudes more than it shapes the FDA's docket. Because DSHEA places the burden of substantiation on the manufacturer rather than requiring pre-market approval, the FDA's enforcement footprint on supplement marketing claims is narrow. Acquirers fill the gap. Underwriting teams now treat structure/function claim review as a first-pass filter: any product whose marketing language crosses from supporting a normal physiological function ('supports joint comfort') into disease-treatment territory ('relieves arthritis pain') will be refused regardless of MCC, billing model, or chargeback history. The mandatory FDA disclaimer — 'This statement has not been evaluated by the Food and Drug Administration. This product is not intended to diagnose, treat, cure, or prevent any disease' — is now a routinely-checked underwriting item, including on landing pages, upsell flows, and email creative. Aggressive direct-response nutra creative — the long-form video sales letter, the 'one weird trick' ad copy, the doctor-endorsement testimonial — has become structurally incompatible with Tier-1 acquiring, and the acquiring market has, in effect, priced the creative risk.

UK CBD: from Public List to authorisation

CBD ingestibles — gummies, oils, capsules, drinks — sit at the awkward intersection of nutra acquiring and the UK Novel Foods regime. The Food Standards Agency's CBD Public List, maintained under retained EU Regulation 2015/2283 (the Novel Foods Regulation), remains the legal gating mechanism: only products linked to a validated novel-food application can be lawfully sold in Great Britain. After the FSA's August 2025 public consultation on authorising three named CBD-containing foods — closing 20 November 2025, and feeding into a Q1 2026 review of authorisation opinions with first authorisations expected to take effect through Q2–Q3 2026 — the market is moving from a transitional 'on the list' position toward genuine product-by-product authorisation. For acquirers this matters because the transitional Public List was always a soft compliance signal — a SKU's presence on the list told the underwriter that an application had been validated, not that the product was definitively legal. Once formal authorisations begin to land in 2026, UK acquirers — particularly the small group of UK-PRA-authorised institutions willing to write CBD MIDs — are expected to migrate from list-presence checks to authorisation-reference checks at SKU level. Merchants whose product range did not pass safety assessment, or whose 102-product list-removal cohort earlier in 2025 included material revenue lines, face the prospect of MID restriction or termination at the moment authorisations take effect. The acquirer conversation around CBD nutra in 2026 is no longer 'is it on the list?' but 'is the specific SKU authorised, and at what ADI?'. Three forces will shape nutra acquiring through 2026 into 2027: continuing convergence of Mastercard and Visa disclosure standards; the institutionalisation of the specialist subscription acquirer cohort, narrowing the pricing gap with generalist acquirers; and the first UK CBD authorisations, giving acquirers a clean documentary basis to write CBD MIDs at standard high-risk pricing rather than the punitive pricing of the Public List era. The era of treating nutra acquiring as a single problem with a single solution is over. A single-purchase DTC brand should not be paying continuity pricing; a continuity brand should not be looking for a generalist acquirer. The acquirer market has bifurcated faster than most merchants have noticed, and those who close the information gap first will spend the next two years paying meaningfully less in scheme fees, programme charges and reserves than peers who continue to shop the market as if nutra were one thing.

SECTION 07 · ADULT

Adult Content: Age-Verification as Underwriting Gate

Adult acquiring in 2026 is not a content-risk story. It is a controls-evidencing story, in which the merchant's age-assurance flow, performer-consent documentation, and moderation pipeline are inspected by acquirers with the same intensity that a banking regulator inspects a payments licence. The Online Safety Act's Part 5 regime, live since 17 January 2025, and the EU Commission's July 2025 Article 28(1) Guidelines have pushed the underwriting question upstream of payments entirely: if the access gate and the upload pipeline cannot be evidenced, no Tier-1 VIRP acquirer will board the file regardless of chargeback history.

Adult acquiring in 2026 is no longer a content-risk vertical. It is an underwriting vertical defined almost entirely by upstream controls: age verification of viewers, age and identity verification of performers, consent documentation, and takedown SLAs. The merchant's content library is now treated by acquirers and the schemes as a regulated dataset. The card networks spent four years rebuilding their adult programmes around this premise, and 2025 added two regulatory layers that hardwire it into national law: Part 5 of the UK's Online Safety Act, live for pornography providers since 17 January 2025, and the European Commission's Guidelines on the Protection of Minors under Article 28(1) of the Digital Services Act, published 14 July 2025. The combined effect is that an adult merchant's acquiring file now contains more compliance evidence than a Tier-2 EMI's onboarding pack.

How the schemes redefined the category

The 2021 Mastercard programme, formalised in the Specialty Merchant Registration (SMR) requirements that took effect on 15 October 2021, set the template every other actor now follows. Adult merchants must enter a written agreement with each content provider; each provider must verify the identity and age of every person depicted; documented, unambiguous consent must be retained; pre-publication content review is required; and the merchant must operate a complaints process that resolves illegal or non-consensual material within seven business days, alongside an appeals process that lets any depicted person request takedown. Acquirers must certify these controls, not merely tick a box. Failure to evidence them is treated as an acquirer-side breach, not just a merchant-side one — which is why several Tier-1 acquirers exited the vertical between 2022 and 2024 rather than maintain the certification infrastructure. Visa's parallel rebuild landed under the Visa Integrity Risk Program (VIRP), which replaced the legacy Global Brand Protection Program in April 2023. VIRP classifies adult content (MCCs 5967, 7273 and certain 5816 use cases) at Tier 1 — the highest-scrutiny band, sharing the tier with non-face-to-face gambling and pharmaceuticals. Tier-1 registration carries a $950 annual fee per MCC per acquirer and obliges the acquirer to perform a full assessment for each merchant in the category, including independent content review, age-assurance testing of the viewer flow, and ongoing transaction monitoring under the Visa Acquirer Monitoring Programme. Adult merchants without VIRP Tier-1 registration cannot be boarded onto Visa; acquirers without an active Tier-1 programme cannot acquire them.

UK Part 5 and EU Article 28 as underwriting checkpoints

The Online Safety Act 2023 carves out a distinct regime for "Part 5 services" — providers that publish or display their own pornographic content, as opposed to user-to-user services that fall under Part 3. From 17 January 2025, Part 5 providers were required to have "highly effective age assurance" in place at the point of access. Ofcom's statutory guidance interprets that phrase against four cumulative criteria: technical accuracy, robustness, reliability, and fairness. Self-declaration, click-through, and unverified payment-card checks are explicitly excluded. Acceptable methods include facial age estimation, photo-ID matching against a liveness check, open-banking-derived identity confirmation, mobile network operator checks, and digital identity wallet attestations. UK-acquired adult merchants — and in practice any merchant accepting UK-cardholder transactions — must demonstrate the age-assurance flow during underwriting and on every periodic content review. Ofcom's enforcement programme, opened in January 2025, had by early 2026 produced more than 90 active investigations and a published seven-figure penalty against an adult-site operator, with maximum exposure of £18 million or 10% of global qualifying revenue. From an acquirer's perspective, an Ofcom enforcement notice is a hard underwriting event: it triggers reserve increases, MCC review, and in several documented 2025 cases mid-contract termination, even where chargeback ratios remained inside Visa and Mastercard thresholds. The risk being priced is no longer fraud; it is regulatory contagion to the acquirer's licence. The European framework arrives through a different door. Article 28(1) of the Digital Services Act requires providers of online platforms accessible to minors to put in place "appropriate and proportionate measures" to ensure a high level of privacy, safety and security. The 14 July 2025 Commission Guidelines operationalised that obligation and recommended age verification (not estimation) as the proportionate response for platforms whose terms restrict access to adults — which captures all pornographic platforms regardless of size or VLOP designation. The Commission's reference implementation is the EU Digital Identity Wallet age-verification mini-app, with national rollouts staged through 2026. The European Board for Digital Services opened a coordinated enforcement action against the four pornography platforms designated as VLOPs in May 2025; non-VLOP adult platforms remain subject to national-level enforcement under the same standard. For acquirers, the DSA layer matters less for what it prohibits than for what it harmonises. Through 2023 and 2024 adult merchants navigated a fractured patchwork — France's ARCOM regime, Germany's KJM standards, Spain's Cartera Digital Beta pilot, Italy's AGCOM decree. By H2 2026 the wallet-anchored blueprint is converging these into a single technical baseline, which means acquirers can finally underwrite a single age-assurance flow across the EU rather than vetting twenty-seven. The cost of running country-specific bypass flows now exceeds the cost of a single conformant integration.

Creator subscriptions vs hosted UGC

The category split that defines 2026 placement economics is between creator-subscription platforms (the OnlyFans/Fansly model) and hosted user-generated content platforms (the tube-site model). They share an MCC but almost nothing else from an acquiring perspective. Creator-subscription platforms have, on balance, become bankable. The 1:1 performer relationship maps cleanly onto SMR consent requirements, age verification of depicted persons is a solved onboarding flow, and the recurring-billing economics align with how acquirers underwrite subscription risk generally. The vertical's residual challenge is friendly fraud and dispute management under the Mastercard Dispute Resolution and Visa Compelling Evidence 3.0 regimes — solvable with the right MATCH-aware processor and a tight refund policy. Hosted UGC remains the hard end of the market. The legacy library problem — content uploaded under earlier consent standards — has been mostly resolved by surviving platforms through library purges in 2021-2023, but the acquirer underwriting question now centres on the ongoing moderation pipeline: pre-publication review latency, takedown SLA evidence, hash-matching against NCMEC and IWF databases, and the per-upload identity verification stack. Acquirers in this sub-vertical typically require monthly compliance attestations rather than annual ones, and several have moved to a co-managed moderation model where the acquirer's risk team has read-access to the moderation queue.

Reserves, escrows, and the placeable file

Reserve structures in 2026 reflect the underwriting reality that long-tail risk is regulatory, not financial. Standard rolling reserves of 10% over 180 days remain the baseline for hosted platforms, with creator-subscription platforms generally placing in the 5-8% range. The newer instrument is the content-compliance escrow: a separately ringfenced sum (typically 1-3% of gross processed volume) released against quarterly third-party audits of the moderation pipeline. The acquirer is not pricing chargebacks here — it is pricing the cost of unwinding the relationship if Ofcom, ARCOM, or the Commission lands an enforcement notice mid-contract. A placeable file in 2026 contains five things: a live, tested highly-effective age-assurance flow at the access gate (UK) and an Article 28-aligned verification flow for EU traffic, with a third-party assurance report dated within the last six months; a documented SMR pack covering written content-provider agreements, performer ID-and-age verification records, unambiguous consent documentation, pre-publication review evidence, and a seven-business-day takedown SLA with audit log; a VIRP Tier-1 narrative covering MCC justification, transaction-level monitoring, and chargeback ratios held inside Visa Acquirer Monitoring Programme thresholds for the trailing 12 months; a moderation pipeline description that names the hash-matching partners (NCMEC, IWF, StopNCII), the human-review headcount, and queue SLAs — with read-access offered to the acquirer's risk team for hosted-UGC files; and clean regulator correspondence, with no open Ofcom enforcement notice, Commission Article 28 proceeding, or national-regulator order under the French, German, or Spanish regimes. Files that hit all five are placeable today, generally inside four to six weeks, with EU credit institutions running specialty programmes and a small set of US and APAC acquirers maintaining active Tier-1 VIRP registrations. Files that miss two or more typically need remediation before placement is realistic; we have stopped attempting to place files missing the age-assurance evidence at all, because the acquirer rejection rate during 2025 ran above 95% on that single dimension. The vertical has become bankable for operators who treat it as a regulated content business and unbankable for operators who treat it as a content-only business with a payments problem bolted on.

SECTION 08 · CROSS-CUTTING TRENDS

Cross-Cutting Trends: Reserves, Settlement, Geography

Read the six vertical chapters of this report in sequence and the same machinery shows up under different labels. Reserves are being priced more granularly, settlement cycles are compressing, MCC enforcement has tightened, and scheme-side monitoring has consolidated into a single dominant programme per network. Underneath all of it, the geographic centre of gravity for high-risk acquiring has moved — the UK is effectively closed for new crypto and CFD onboarding, the EU has stabilised under MiCA, Cyprus has tightened, and Dubai has emerged as the fastest-growing alternative. This section pulls the cross-vertical threads together.

Read sections 02 through 07 in sequence and the same machinery shows up under different vertical labels. A crypto on-ramp negotiating a 12% rolling reserve in Vilnius and a nutra subscription merchant negotiating a 10% reserve in Sofia are not, structurally, having different conversations. They are both renting balance-sheet against the same scheme-level risk signal, on terms set by the same handful of card-scheme programmes, in jurisdictions that are converging faster than the trade press suggests. This section pulls those threads together: how rolling reserves have evolved from 2023 to today, why settlement cycles are compressing toward T+7, how scheme-side enforcement has matured into a single dominant programme per network, and where the geographic centre of gravity for high-risk acquiring has shifted.

Rolling reserves: from blunt instrument to priced product

In 2023, the rolling reserve was still treated by most high-risk acquirers as a binary risk control. A merchant either had one (typically 5%–10% held for 180 days) or did not, and the number was negotiated on gut feel. The reserve was opaque, rarely reviewed after onboarding, and almost never tied to live performance. By mid-2026 that has changed materially. Three years of scheme enforcement, two years of merchant insolvencies (most visibly in CFD and crypto), and one round of EU Payment Services Regulation drafting have pushed reserves into something closer to a priced, performance-linked instrument. The first shift is range. Across IceTree's PSP and acquirer panel, the dispersion of opening reserve terms for high-risk MCCs has widened substantially. Genuinely clean nutra and CBD merchants with mature dispute infrastructure now place at 3%–5% / 90-day on Tier-2 EU acquirers, terms that did not exist in 2023. At the other end, freshly-incorporated crypto on-ramps and unlicensed gaming skins routinely see 15%–20% / 180-day, sometimes layered with a separate fixed cash deposit. The middle of the market — the 8%–10% / 180-day default that dominated 2023 — has hollowed out. Underwriting now sorts merchants into a clean bucket and a punitive bucket, with fewer placements in between. The second shift is review cadence. Two years ago, reserves were set at onboarding and effectively forgotten unless something went wrong. Today, performance-linked step-downs are standard at any acquirer worth working with. A typical clause now reads: reserve reduces by two percentage points after six months below a 0.65% Visa dispute ratio and 0.50% Mastercard dispute ratio, with a further step-down at twelve months conditional on chargeback-to-fraud ratio staying below scheme advisory thresholds. Merchants who do not negotiate these clauses at onboarding are leaving 40–80 basis points of working capital on the table per year. Equally, acquirers now reserve the right to step reserves up on a 30-day notice if scheme metrics breach — a clause that did not appear in most 2023 high-risk MSAs but is now near-universal.

Settlement compression and the funding-cost question

Standard settlement on high-risk MIDs in 2023 was T+7 to T+14, with T+14 the more common offer for fresh merchants and any vertical the acquirer considered watch-list. Over the last eighteen months that median has compressed. Tier-1 EU acquirers writing crypto and regulated gaming are now offering T+3 to T+5 on established accounts. Specialist Tier-3 offshore acquirers have moved their default from T+14 to T+10. T+21 — once a default offer for high-risk forex — is now flagged by most merchant-side advisors as a placement to walk away from. The compression is not driven by acquirer generosity. Three forces are at work. First, scheme-side enforcement has made early-warning data — fraud ratios, dispute ratios, decline curves — visible to acquirers in near-real-time, which reduces the information asymmetry that long settlement cycles were partly designed to cover. Second, the cost of capital embedded in delayed settlement is now explicit to merchants in a way it was not three years ago: with policy rates having peaked and the yield curve normalising through 2025–26, the implicit financing rate inside a T+14 cycle is being benchmarked against treasury yields and called out in RFPs. Third, fintech-banked acquirers (those settling via EMI or credit-institution rails rather than correspondent banking) have a structural T+1 advantage they are willing to share to win merchants off legacy Tier-1s. The practical implication: settlement cycle is now the single most negotiable lever on a high-risk MID. Reserves are constrained by scheme programmes and acquirer policy; pricing is constrained by interchange-plus-plus; settlement cycle is the discretionary lever where acquirers can win business without changing committee-approved underwriting. Any merchant accepting a T+14 in 2026 without explicit performance-linked step-downs to T+7 is overpaying for capital.

MCC re-coding and scheme-side enforcement

Less visible than reserves and settlement, but materially more dangerous, is the cycle of MCC re-coding that has run through every vertical in this report. The pattern is consistent: a vertical operates on a generic or adjacent MCC, scheme transaction-laundering surveillance flags concentration in a specific BIN range, the scheme issues guidance, acquirers re-code, and merchants lose either the placement or 200–400 basis points of decline performance overnight. Crypto on-ramp legacy 6051 (quasi-cash) holdouts have been progressively migrated to 6051 with specific identifier flags throughout 2024–25. Nutra subscription has cycled from 5499 / 5912 toward 5122 and explicit health-and-beauty codes, combined with Mastercard's Negative Option Billing rules. iGaming MCC 7995 enforcement has tightened so consistently that running gaming volume on adjacent retail MCCs is no longer survivable on any acquirer of scale. CBD remains the most fragmented, split across 5912, 5499, and 5992 depending on acquirer policy — expect a scheme-led consolidation push in the next 18 months. MCC is not a clerical detail; it is the single most consequential field on a placement, because it determines which scheme programmes the merchant falls under, which interchange categories apply, and which issuer-side decline rules trigger. The most important governance change of the last 24 months is the consolidation, on both networks, of what was previously a patchwork of overlapping monitoring programmes into a single dominant framework per scheme. On Visa, the Visa Acquirer Monitoring Programme (VAMP) replaced the Visa Dispute Monitoring Programme (VDMP) and Visa Fraud Monitoring Programme (VFMP) effective 1 April 2025, consolidating five previous fraud and dispute programmes into a single acquirer-level metric, as described in Visa's Acquirer Monitoring Program Fact Sheet 2025. The VAMP ratio is a single count-based ratio combining fraud and disputes on card-not-present VisaNet transactions, calculated at the acquirer level and cascaded to merchants. Crucially, it excludes Rapid Dispute Resolution, Cardholder Dispute Resolution Network, and confirmed Compelling Evidence 3.0 cases — meaning the days of using RDR and CE3.0 as a synthetic ratio-suppression tool are over. An initial advisory period ran from 1 April 2025 through 30 September 2025; enforcement thresholds are tightening in further iterations through 2026. On Mastercard, the Excessive Chargeback Programme framework — ECM (Excessive Chargeback Merchant) and HECM (High Excessive Chargeback Merchant), alongside the parallel Excessive Fraud Merchant (EFM) programme — remains the dominant lever. ECM triggers at 100–299 chargebacks in a single month combined with a 1.5% or higher chargeback ratio; HECM at 300 or more chargebacks combined with a 3% or higher ratio. Fines escalate from USD 1,000 in months two and three to USD 5,000 in months four through six, with Issuer Recovery Assessments of USD 5 per chargeback above the 300 threshold and total exposure capped at USD 100k for ECM and USD 200k for HECM. The previous architecture allowed sophisticated merchants to optimise one ratio at the expense of another and to use intervention tools as ratio-management instruments rather than genuine dispute prevention. The consolidated regime makes both tactics harder. Merchants and PSPs have had to rebuild dispute infrastructure around prevention — 3DS2 step-up policies, descriptor hygiene, subscription cancellation flows, refund timing — rather than around scheme-side dispute mechanics.

Geography: where high-risk volume is actually being written

The geographic story of high-risk acquiring in 2026 is one of accelerated divergence. The United Kingdom, historically the most important Western jurisdiction for high-risk placement, has effectively exited the market for new merchant onboarding in crypto and most CFD verticals. The Financial Services and Markets Act 2000 (Cryptoassets) Regulations 2026, made by Parliament on 4 February 2026, brings cryptoassets within the regulatory perimeter, with the substantive new cryptoasset regime expected to come into force on 25 October 2027. Combined with the FCA's existing financial-promotions regime for cryptoassets and the CP25/40 and CP25/41 consultations, the UK is now a high-friction jurisdiction for any high-risk merchant without a clear authorisation pathway. The EU has, somewhat counter-intuitively, stabilised. The Markets in Crypto-Assets Regulation (MiCA) provided a single rulebook that, while restrictive, is predictable, and acquirers in Lithuania, Estonia, Ireland, and Germany have built underwriting capacity around it. Cyprus has tightened materially: CySEC capped notional exposure on CFDs to 10% of value for certain commodities and stock indices, implemented new European Banking Authority guidelines on group capital tests under the Investment Firms Regulation from early 2025, and brought a new sanctions framework into force on 1 August 2025. The 46% rise in complaints against Cyprus-based brokers in 2024 has pushed CySEC to shed its lenient-watchdog reputation, with on-site inspections and ESMA's 2026 Common Supervisory Action focused on staff compensation and conflicts between revenue targets and client interests. Dubai is the clear winner of the last 24 months. VARA-licensed and DMCC-coordinated placements for crypto, and DFSA-aligned placements for regulated trading, have grown substantially, and acquirer settlement infrastructure has caught up with the licensing momentum. Singapore remains open but selective — MAS is unwilling to be a substitute jurisdiction for merchants that could not get UK or EU approval, and acquirer pricing reflects that. The offshore Tier-3 pool (Caribbean, Mauritius, Seychelles) is surviving but the pool of acquirers willing to write meaningful volume there is thinning, and placement costs have widened materially against EU equivalents. The four trends in this section are not independent: tighter scheme programmes generate more granular performance data, which lets acquirers price reserves and settlement cycles more accurately, which forces merchants to compete on operational quality rather than on regulatory arbitrage. The market in 2026 is more efficient than it was in 2023, but efficiency cuts both ways: clean merchants are getting materially better terms, and everyone else is paying for the regime that polices them.

SECTION 09 · OUTLOOK

2027 Outlook and Recommendations

If 2026 was the year high-risk merchants learned to live with permanent supervision, 2027 is the year supervision becomes consolidated, automated and unavoidable. MiCA's transitional reliefs expire, the FCA's FSMA cryptoasset regime moves from consultation into authorisation gating, VARA's tiered VASP framework matures, and the schemes complete their migration from event-based fines to continuous ratio-driven monitoring. The merchants who treat H2 2026 as a strategic preparation window — not tactical breathing space — enter 2027 with optionality. The ones who don't will spend Q1 firefighting deadlines, reserve recalibrations and programme placements they could have avoided.

If 2026 was the year high-risk merchants learned to live with permanent supervision, 2027 will be the year that supervision becomes consolidated, automated and unavoidable. The transitional reliefs that softened MiCA's first eighteen months expire. The FCA's bespoke cryptoasset regime under the Financial Services and Markets Act moves from consultation into authorisation gating. VARA's tiered VASP framework matures into a more granular capital and conduct stack. And the schemes — Visa under VAMP, Mastercard under its consolidated acquirer risk framework that absorbs the legacy ECM, EFM and BRAM programmes — finish migrating from event-based fines to continuous, ratio-driven monitoring. The merchants who treat H2 2026 as a strategic preparation window, rather than a tactical breathing space, will enter 2027 with optionality. The ones who don't will spend Q1 firefighting authorisation deadlines, reserve recalibrations and scheme programme placements they could have avoided.

The regulatory calendar that shapes 2027

FSMA, MiCA, VARA: the perimeter consolidates

The UK has moved from a position of regulatory ambiguity — cryptoassets covered partially by the MLR 2017 registration regime and partially by the FPO financial promotions perimeter — to a fully scoped FSMA authorisation regime. Any firm carrying on a designated cryptoasset activity in or from the UK in 2027 will need Part 4A permission, not just AML registration. The FCA's Cryptoasset Authorisations team has signalled the application bar will resemble e-money and payment institution authorisation rather than the lighter-touch MLR process — meaning capital adequacy, governance, safeguarding, wind-down planning and a Threshold Conditions assessment. For acquirers servicing UK-facing crypto flow, this changes the counterparty risk calculus. A UK CEX, OTC desk or fiat on-ramp without an in-flight FSMA application by Q3 2026 is a counterparty that may not exist in its current form by Q4 2027. Merchants who can demonstrate either a credible FSMA application, a documented withdrawal from the UK market, or a partnership with an authorised firm, will receive materially different commercial terms than those waiting to see what happens. MiCA's CASP regime has been in force since 30 December 2024, but most EU member states elected to use the full 18-month transitional window permitted under Article 143(3). That window closes for the majority of jurisdictions during 2026. By Q1 2027 the reality is binary: a firm is either an authorised CASP, or it is operating without lawful authority in the EEA. Passporting becomes the strategic choice it was always meant to be — one CASP authorisation in (for example) Ireland or the Netherlands, passported across the EEA, versus the legacy model of multiple national VASP registrations. Stablecoin issuance under MiCA Titles III and IV faces its first full reporting cycles, with EBA technical standards on own funds, liquidity and recovery plans bedding in. Market-abuse provisions under Title VI generate their first enforcement test cases. EU credit institutions and EMIs with cryptoasset programmes will narrow their CASP counterparty lists to the authorised cohort. Specialist Tier-3 offshore acquirers will continue to serve the longer tail, but at materially higher reserve requirements (commonly 10-20% rolling for crypto-adjacent flow, rising with chargeback exposure) and shorter settlement cycles. Dubai meanwhile remains viable but is no longer a regulatory arbitrage shortcut — VARA's Compliance and Risk Management Rulebook and Market Conduct Rulebook set out expectations that in substance sit closer to MiCA than to legacy offshore regimes.

Scheme rules at steady state

By 2027 both networks will have completed multi-year migrations to consolidated risk frameworks. Visa's Acquirer Monitoring Programme (VAMP) operates as the unified lens, replacing the historic split between dispute monitoring and fraud monitoring and combining fraud and dispute signals into a single enumeration-aware ratio. Mastercard's Excessive Chargeback Merchant and Excessive Fraud Merchant programmes will be running under refreshed thresholds, with the Negative Option Billing programme still expanding in scope to capture more subscription and free-trial patterns common in nutra and adult verticals. The most common cause of unexpected programme placement we see at IceTree is a merchant tracking 'chargeback rate' on their internal PSP dashboard, finding it comfortably under 0.9%, and being placed into VAMP because the scheme's enumeration-aware fraud-plus-dispute ratio tells a different story. The numerator and denominator definitions matter; the lookback window matters; the inclusion of pre-authorisation fraud signals matters. By 2027 the merchants succeeding under these programmes are the ones who have rebuilt their internal reporting around scheme definitions — not the legacy PSP-defined chargeback rate that has anchored high-risk operational thinking for a decade.

“VAMP introduces a more comprehensive approach to monitoring acquirer performance by combining fraud and dispute activity into a single ratio.”

Visa, VAMP programme documentation

Seven recommendations for H2 2026

• 1. Decide your authorisation posture by end of Q3 2026. For UK-facing crypto activity, that means either an FSMA Part 4A application in flight, a documented market exit, or a partnership with an authorised firm. For EU-facing crypto activity, it means CASP authorisation submitted in a chosen home state with passporting rights mapped. Acquirers will start pricing this in during Q4 2026 underwriting reviews.
• 2. Run a scheme-definition reconciliation now. Pull six months of transaction, fraud and dispute data. Recompute your ratios using VAMP's enumeration-aware methodology and Mastercard's current ECM/EFM definitions — not your PSP's dashboard. If you're inside 50% of a programme threshold on either, you have a chargeback strategy problem to fix before year-end, not after placement.
• 3. Restructure billing descriptors and refund policy disclosure ahead of expanded Negative Option Billing scope. Subscription, free-trial and continuity merchants in nutra, adult and CBD should assume Mastercard's NOB controls will continue widening. Plain-language renewal disclosure, pre-renewal notification cadence, and frictionless cancellation are no longer differentiators — they're table stakes that prevent programme entry.
• 4. Diversify acquiring before you need to. The pattern we see repeatedly is merchants on a single Tier-3 acquirer discovering at renewal that reserves have moved from 10% to 18% and settlement has gone weekly to fortnightly. Building a secondary or tertiary acquiring relationship — even at lower volume splits — costs nothing in H2 2026 and buys negotiating leverage in 2027.
• 5. Get your safeguarding and segregation evidence ready in audit-grade form. Whether the regime is MiCA's CASP requirements, FSMA cryptoasset safeguarding, or scheme-side merchant funds-handling expectations, the documentary standard has moved up. Annual auditor sign-off on segregated accounts, daily reconciliation logs, and a written safeguarding policy approved at board level should be in place by Q4 2026.
• 6. Map your stablecoin exposure on the payments perimeter, not the crypto perimeter. If stablecoins are part of your settlement, treasury or payout stack, treat them as payment instruments subject to payments-side regulation. That means EMI-equivalent capital planning, wind-down logic, and reserve attestation — not a continuation of the lighter-touch crypto operational posture.
• 7. Build a 12-month chargeback ratio runway model. Take your current trailing-12-month chargeback rate and project it under three scenarios (flat, +20%, +50%), showing at what month each scenario crosses programme thresholds under current scheme definitions. This converts compliance from reactive to schedulable — the conversation we'd rather have with your acquirer in October than in February.