iGaming Acquirer Underwriting 2026: Files That Win, What Kills It

License approval is the floor, not the ceiling. An iGaming operator with a clean MGA license can still see an acquirer reject the merchant application on inputs the operator never saw coming: a chargeback ratio in the processing statements, a five-year MATCH listing on a director, or the simple fact that the license-acquirer combination has no commercial path in 2026. The article below walks through what an iGaming acquirer actually reads, the dispute math that kills the application, the MATCH mechanics that follow the principals not the company, and which licenses commercially pair with which acquirer pool in May 2026.

The kit an iGaming acquirer actually reads

The "underwriting kit" is the package an operator submits with the merchant application. For an iGaming operator, the acquirer asks for a specific shape of kit and reads it in a specific order. Generic high-risk advice gets the document list partly right and the priority order completely wrong.

These are the files an acquirer asks for, ordered by the weight each carries on the underwriting decision:

1. Six months of merchant processing statements from the current processor, full pages, every month. Three months is the floor any reputable acquirer accepts; six is the threshold that removes the SMMP early-merchant flag for new merchants under six months of Mastercard acceptance history. New books with no processing history are not the same risk profile as established books with clean six-month statements, and the underwriter prices it differently from the first read.
2. Three to six months of operating bank statements with full account and routing numbers, business and personal. Cash-flow stability and reserve-coverage math come from these.
3. The gambling license document itself, plus the original Memorandum and Articles of Association, certificate of incorporation, and the shareholder register.
4. KYC/KYB programme documentation including UBO identification, source-of-funds escalation rules, sanctions and PEP screening configuration, transaction monitoring thresholds, and SAR escalation flow. The acquirer is reading this to confirm the operator is not the AML weak link in the rail.
5. Traffic source and affiliate disclosure. Acquirers in 2026 want explicit visibility into acquisition channels because affiliate-driven traffic patterns are a reliable predictor of dispute volume.
6. Website compliance: terms and conditions, privacy policy, refund and payout policy, AML and responsible-gambling policy, complaints handling. Working URLs, not draft PDFs.
7. Financial statements and projections (cash flow, balance sheet, income statement) plus working-capital evidence sufficient to cover rolling reserves for at least the first six months.
8. Refund and chargeback handling SOPs, with the customer service flow that backs them.

Most of these eight categories pass or fail on a yes/no basis. One file is read in detail, and it decides whether a human underwriter ever opens the rest of the kit.

What the processing-statement file actually says

The acquirer reads four numbers from the processing-statement file: the trailing chargeback ratio, the volume trend, the issuer-level decline rate, and the refund-to-deposit ratio. Each number is computed against a specific denominator and read against a specific threshold; together they decide whether the application moves from the queue to a human underwriter or terminates on the file alone.

The chargeback ratio is the ratio that ends most conversations. The numerator combines TC40 fraud reports and TC15 chargeback transactions; the denominator is the count of settled card-not-present transactions in the same monitoring window. Authorization declines do not enter the denominator. The trailing six-month ratio is read first, then each individual month within the trailing six is read for spike risk, because Visa enforcement under VAMP is monthly and a single bad month can trigger flags even when the trailing average reads clean.

The volume trend tells the underwriter whether the operator is growing into the application or out of it. A declining trailing volume is read as the prior acquirer tightening risk on the merchant before termination. A spiking volume is read as the operator outgrowing the prior relationship and needing capacity, which is a different conversation entirely.

The issuer-level decline rate maps to the approval-rate uplift the new acquirer can offer. A high decline concentration on specific BINs hints at issuer-side flags that follow the merchant rather than the acquirer, which constrains what the new acquirer can fix and prices into the offer.

The refund-to-deposit ratio is read as a chargeback-prevention proxy. High refund volume can suppress chargeback ratios artificially because some operators refund disputes pre-emptively to keep the chargeback count low; the underwriter cross-checks this against the dispute count to see whether the merchant is operating at a real low chargeback rate or just absorbing dispute risk through refund spend.

The dispute-ratio cutoff that ends the conversation

The publicly published Visa and Mastercard thresholds set the floor, not the cutoff acquirers actually use for iGaming books.

Visa's Acquirer Monitoring Program tightened the merchant excessive ratio from 2.2 percent to 1.5 percent on April 1, 2026, with $8 per disputed transaction and no warning tier, per the Visa fact sheet and Cside's 2026 playbook. The acquirer-level Above Standard threshold sits at 0.5 percent and Excessive at 0.7 percent, both unchanged in April 2026. Mastercard's parallel ECM has run at 1.5 percent with a 100-chargeback-per-month floor for years.

For an MCC 7995 application specifically, the published 1.5 percent is not the cutoff. The mechanical levers that drive the ratio down (cascade, code-keyed retry, network tokens) are in the card approval and soft-decline playbook. Acquirer-side risk teams price iGaming portfolios against their own 0.5-to-0.7 percent acquirer ceiling, and an operator carrying any portion of a portfolio above the published merchant threshold consumes disproportionate acquirer-level allowance. Industry references put production-tier rejection well below the published 1.5 percent, in the sub-1 percent band, with the exact cutoff depending on portfolio composition, the acquirer's existing iGaming exposure, and the operator's six-month monthly variance.

The conversation ends at three places. First, six-month rolling chargeback ratio above the acquirer's internal cutoff: the file is declined on the processing-statement read alone. Second, ratio above 1.5 percent in any single month within the trailing six: the underwriter flags it even if the trailing average reads clean, because Visa enforcement is monthly. Third, a director or UBO already on a current MATCH listing: the application terminates without the chargeback math being read at all.

MATCH list mechanics for an iGaming application

The Member Alert to Control High-Risk Merchants list (still called MATCH, or TMF for Terminated Merchant File, depending on whom you ask) is the Mastercard-maintained database of merchants whose accounts an acquirer terminated for cause, per Chargebacks911's reference. Every reasonable acquirer reads it during underwriting. A current listing on the operator entity or any director listed in the kit is, in practice, an automatic decline at all but the most explicitly high-risk acquirers, and the listing duration is five years from the date of termination.

Fourteen reason codes exist. Three are the ones that hit iGaming applications most often:

• Code 04, Excessive Chargebacks. The most common iGaming-relevant code by a wide margin. Triggered when the prior acquirer terminated the merchant for breaching chargeback thresholds. An iGaming book that ran 2.5 percent for a season under the old VAMP regime, was terminated, and is now reapplying under a new entity is exactly the case Code 04 was written to flag.
• Code 12, PCI-DSS Noncompliance. Triggered by a documented PCI failure. Less common in iGaming than retail e-commerce, but appears when a sub-licensed operator inherited a non-compliant cashier from the licensing intermediary.
• Code 13, Illegal Transactions. Triggered when the prior acquirer determined the merchant processed transactions illegal in the cardholder jurisdiction. The high-incidence iGaming case is processing US deposits from a non-US license without Geo-IP enforcement, which made Code 13 the dominant reason for offshore-licensed terminations during 2023 to 2024.

Two operational details matter for the underwriter's read. First, the listing follows the principals, not just the company entity. An operator who closed Curaçao Co. A after a termination and applied as Curaçao Co. B with the same UBO will surface in the MATCH search. Second, removal before five years happens only on documented error correction or PCI compliance achievement (the PCI-only carve-out). Excessive Chargebacks listings serve the full five years.

Why your license decides the acquirer pool: MGA, UKGC, Curaçao, Anjouan

The license-acquirer pairing decides which production acquirers will entertain the application before any of the document or ratio analysis matters. The four jurisdictions below each have a distinct underwriting reality in May 2026.

MGA (Malta). Tier-1 acquirers underwrite MGA-licensed books at production volume. Worldpay, Nuvei, Paysafe, Adyen, and orchestrators IXOPAY and Solidgate route MGA traffic without jurisdictional caveats. The MGA's player-funds-account requirement, where operators hold customer funds in a segregated payment-acquirer account or equivalent structure per the MGA's own guidance, lines up with the segregation that European acquirers want to see anyway, which is part of why MGA underwriting is straightforward. The friction point is the operator's KYB/KYC programme matching MGA AML standards, which exceed most jurisdictions and which acquirers cross-check against the FIAU's published guidance.

UKGC (United Kingdom). Tier-1 acquirer access exists, but the practical PSP roster is narrower than MGA's because UKGC licence condition 4.1.1 on segregation of customer funds, plus the FCA-regulated payment chain, rules out PSPs that cannot evidence ring-fenced player-fund handling end-to-end. Worldpay is the long-standing UKGC default; Nuvei and Paysafe both underwrite UKGC books at production volume. The FCA segregation requirement and the LCCP fund-protection-tier disclosure (operators must classify fund protection as either "not protected", "medium protection", or "high protection" and disclose to players) layer an audit obligation on the acquirer that smaller PSPs cannot service. The October 31, 2025 LCCP update on six-month protection-status reminders to players added a documentation step that the acquirer's compliance team reads.

Curaçao (post-LOK 2026). The full Curaçao and Anjouan payment-access map is the sister analysis. The licensing reality changed materially. The Curaçao Gaming Authority replaced the master-license sub-licensing system in January 2025 under the LOK ordinance, and as of April 2026 the CGA has processed roughly 140 direct license applications, approving 87 and rejecting or shelving the rest at a rejection rate close to 38 percent. The acquirer underwriting effect is mixed. A direct CGA license is meaningfully better than a legacy sub-license for acquirer perception because the CGA's fit-and-proper, AML, and responsible-gambling controls are now closer to MGA in shape. But operators carrying over a sub-license book hit two MATCH-adjacent risks: terminations from the master-license era still surface against the directors, and the acquirers that pulled out of Curaçao volume in 2023 to 2024 have not all returned. The tier-1 acquirer roster has been quiet on Curaçao re-entry beyond Paysafe's documented post-reform underwriting, and CGA-direct volume routes through orchestrators or crypto-native rails. CoinsPaid, NOWPayments, and CoinGate serve the bulk of CGA volume in 2026.

Anjouan. The license is registrable; the merchant account is not commercially available from international acquirers. The structural reason sits upstream of the acquirer's risk decision: the AOFA's licensing authority is not recognized by Comoros' central bank, which means third-party screening tools used in acquirer KYB pipelines surface AOFA paperwork as non-regulatory, and most acquirers' onboarding workflows escalate or auto-decline at that point. The few PSPs that do route Anjouan volume are crypto-native gateways CoinsPaid, NOWPayments, CoinPayments and orchestrators that abstract the underlying acquirer relationship through merchant-of-record structures. Operators carrying both an Anjouan license and a tier-1 license (Curaçao CGA, MGA dual-licensed) can apply with the tier-1 license; an Anjouan-only book has no card-acquiring path with any published acquirer roster.

The four inputs that decide an iGaming acquirer application are the kit's completeness, the chargeback ratio in the processing statements, the MATCH list state of the principals, and the license's commercial viability with the acquirer pool. Three of those are unrecoverable in the short term: a current MATCH listing runs five years, a six-month chargeback history needs six months to fix, and an Anjouan-only license cannot be paired with a tier-1 acquirer at all. The fourth, the kit, is the only input the operator controls in the week before submission. An iGaming operator who treats the kit as a generic checklist exercise and submits the same package a retail e-commerce merchant would submit is the operator whose application gets declined on the first underwriter read, on the basis of inputs that were inside the file the whole time.