iGaming Payment Solutions
The published its post-pilot update on financial risk assessments on April 16, 2026. The headline number is 97 percent frictionless completion across roughly 1.7 million Stage 2 assessments. The number every operator's payments and compliance lead has to sit with is the other 3 percent: deposits that do not clear a frictionless check inside whatever budget the cashier allocates. This article is about what that budget looks like when the call sits inside a 1.5 second end-to-end window with an Experian, Equifax, or TransUnion lookup inside it, and what the fallback does when the budget is blown.
The legal floor is not new. Light-touch financial vulnerability checks under LCCP Condition 3.4.4 went live August 30, 2024 and tightened to a £150 net-deposit threshold on February 28, 2025. What the post-pilot update changes is the trajectory. Stage 1 frictionless checks rooted in credit-reference-agency data must be operating at every UKGC-licensed remote site by the end of Q3 2026. Stage 2 enhanced checks become the next operator deliverable across Q1 2027.
That sets the planning question. Operators that wired the LCCP 3.4.4 check as a cheap public-records lookup at the desktop have a cashier flow that already roughly works. The parallel build landing on 30 June 2026 is RTS 12B gross deposit limits, and Stage 2 affordability sits inside the same data-pipeline real estate. Operators about to retrofit a real CRA API call into the deposit path on a 1.5 second budget have a different problem.
The three tiers and what each one pulls from the CRA
The data the operator pulls and the trigger that fires it differ at each tier. Conflating them is a common operator-side planning mistake.
Stage 1 under LCCP 3.4.4 is a public-records check, not a credit-score check. The minimum required signals are county court judgments, individual voluntary arrangements, and bankruptcy markers from publicly available registers. Each of the 's three pilot CRAs (Experian, Equifax, TransUnion) sells that bundle as a thin product separate from full bureau scoring. The trigger is £150 net deposits over a rolling 30-day window, per Poppleston Allen's note on the February 2025 threshold reduction. The check has 12-month validity per LCCP 3.4.4: a player whose first deposit of the calendar quarter crossed the threshold is checked once and not re-checked at every subsequent deposit. The cashier-experience burden is low because the data set is light and the pass rate is close to 100 percent.
Stage 2 is the new tier coming out of the financial risk assessments pilot. The trigger is materially different. Where Stage 1 asks "is there a public-record red flag," Stage 2 asks "what is this player's broader financial-risk picture per CRA-held data," and the trigger threshold runs higher. Per the consultation proposals the tested, the Stage 2 trigger sits around £1,000 net loss in a single 24-hour window or £2,000 net loss across 90 days. The data set is the CRA's full credit-reference profile (defaults, arrears, credit-utilisation patterns, and the CRA's own RAG rating or proprietary score). Per the Gambling Commission's Stage two update, 97 percent of Stage 2 cases in the pilot cleared frictionlessly across the three CRAs.
Stage 3 is what the industry calls the residual escalation tier. When a Stage 2 query returns inconclusive (the player is not matched in the CRA file, or the CRA returns a flag the operator's policy treats as needing further review), the operator escalates to documentary affordability evidence. Open Banking AIS data, bank statements, payslips, and P60s land in that tier. The pilot's tightest figure is 0.1 percent of active accounts, per Harris Hagan's reading of the April 2026 update: roughly one player in a thousand will need full-document affordability across the remote sector. The cashier latency budget at Stage 3 is no longer a 1.5 second pre-auth question. It is hours-to-days back-office work.
| Tier | Trigger | Data | Latency profile | 12-month validity |
|---|---|---|---|---|
| Stage 1 (LCCP 3.4.4) | £150 net deposits / 30-day rolling | Public records: CCJs, IVAs, bankruptcies | Sub-second; light bundle | Yes, per 3.4.4 |
| Stage 2 (Financial Risk Assessment) | Around £1,000 net loss / 24h or £2,000 / 90d | Full CRA file: score, RAG rating, arrears, defaults | 200 to 800ms typical | Per pilot scope; final rules pending |
| Stage 3 (escalation) | Stage 2 inconclusive or higher-spend trigger | Open banking AIS + documents + manual review | Hours to days | Case-by-case |
The engineering implication is that "frictionless affordability" means three different things in three different parts of the cashier. Stage 1 fits cleanly inside any deposit path because the data and the trigger are both light. Stage 3 sits outside the cashier entirely. Stage 2 is the integration that is hard to get right, because it has to feel like Stage 1 to the player while running the data weight of Stage 3 inside a sub-second window.
Where the CRA call sits: pre-auth gate or asynchronous side-channel
There are two architectural patterns for slotting the CRA call into the deposit flow. The choice has consequences for cashier conversion, regulatory defensibility, and infrastructure cost.
The pre-auth gate runs the CRA call synchronously, before the deposit goes to the card acquirer or to the open-banking initiator. The cashier holds the deposit while the CRA returns. The PSP receives the deposit-authorization request only after the CRA has cleared the player. If the CRA times out or returns a hard flag, the deposit fails or routes to a soft-block path. This is the conservative posture. It is also the latency-tightest one, because the CRA call sits inside the same window as the auth call.
The asynchronous side-channel runs the CRA call in parallel with the deposit auth. The PSP authorizes the deposit on a normal cashier timeline. The CRA call writes its result to the player record on its own clock. The result then gates the next deposit attempt that crosses a relevant threshold, not the deposit that just completed. This pattern is defensible at Stage 1, where the trigger is a 30-day rolling window and the operator has weeks to evaluate the result before the next threshold-crossing deposit. It is not defensible at Stage 2, where a single deposit can cross the £1,000 / 24-hour trigger by itself.
The pragmatic split the pilot data points operators toward: Stage 1 runs side-channel because the LCCP 3.4.4 trigger is rolling, the data is light, and the cost of pre-auth is unrecovered cashier conversion on every deposit. Stage 2 runs pre-auth because a single big deposit can cross the threshold and the operator has no second chance to evaluate before crediting. The Stage 2 path is where the 1.5 second budget bites.
The PSP layer is downstream of this decision. Cashier orchestrators sitting in front of Worldpay, Nuvei, Adyen, or Paysafe build the CRA-call leg into the operator's own backend, then pass an affordability_pass boolean (or a tier code) into the PSP's auth request as merchant metadata. The PSP itself does not run the CRA call. What changes for the PSP is that a pre-auth-gated transaction arriving with affordability_pass=false should not authorize at all, so the orchestrator either suppresses the auth or sends it with a known-decline-policy flag. The vendor-coordination work is contractual, not technical: every PSP doing UK gambling volume in 2026 has had to update its merchant-API contract to accept the affordability tag.
Decomposing the 1.5 second budget, leg by leg
A 1.5 second pre-auth window is achievable on a clean stack and cramped on a noisy one. The legs that matter and their realistic budgets:
| Leg | Typical | p95 ceiling | Notes |
|---|---|---|---|
| Cashier UI to operator backend | 50ms | 100ms | Same-region datacenter; HTTP/2 |
| Trigger evaluator (rolling-sum read, threshold check) | 10ms | 50ms | Player-history DB hit; cache on hot path |
| Cache lookup (existing 12-month-valid result) | 5ms | 20ms | Player-id keyed; Redis or equivalent |
| CRA HTTPS request out (warm TLS) | 80ms | 200ms | Persistent connection; datacenter peering helps |
| CRA processing | 200ms | 600ms | Bureau-side; varies by CRA and product tier |
| CRA response parse + decision | 30ms | 100ms | Operator-side rules engine |
| PSP authorization call | 300ms | 700ms | Card network or open-banking initiator |
| Network jitter / retry-once buffer | 100ms | 200ms | Reserved; eats other budget if used |
| Total p95 | 775ms | 1,970ms | 1.5s realistic only if every leg behaves at typical |
Two things fall out of that table. First, on a clean run with cache hits, the deposit clears comfortably under a second. Second, when the cache misses and the CRA does a full lookup, the p95 stack lands at or above 2 seconds. A hard 1.5 second SLA in that scenario fails a non-trivial share of threshold-crossing deposits.
The lever that compresses p95 most is cache. The 12-month validity rule under LCCP 3.4.4 means a depositing player who has already been checked once in the rolling year already has a fresh CRA result on file. A well-instrumented cashier hits cache on a sizeable share of threshold-crossing deposit attempts and only pays the full CRA bill on the remainder. The next lever is connection state: a warm TLS pool to the CRA, with persistent connections, takes 100ms or more off the request leg. The third lever is the CRA product tier itself: Experian's basic public-record bundle responds faster than the full-bureau profile, and operators running Stage 1 against that bundle stay at the fast end.
97%
Stage 2 frictionless completion rate, UKGC pilot
Across approximately 1.7 million Stage 2 financial risk assessments in the pilot, 97 percent cleared without the player needing to provide documents. Stage 1 ran at 95 percent. The remaining 3 percent of Stage 2 cases need a Stage 3 escalation path, which is where documentary affordability and Open Banking AIS data sit. Source: UKGC blog, Stage two update, July 2025.
Experian, Equifax, TransUnion at the API layer
The three CRAs that ran the pilot all sell affordability products to gambling operators in 2026. The product surfaces, the data backbones, and the integration patterns differ enough that the choice matters.
| Experian | Equifax | TransUnion | |
|---|---|---|---|
| UK gaming product | Affordability for Gaming, packaged via CrossCore decisioning | RiskScan + Open Banking Insights | Affordability Solution for Gaming |
| Data backbone | UK credit file + bureau scoring + Aggregated Income | UK credit file + Open Banking AIS | Income model + sociodemographic + property + credit |
| Open banking | Available via partner integration | Native (Open Banking Insights as a separate product) | Available via partner |
| API model | REST/JSON over CrossCore; sub-second target | REST/JSON; sub-second target marketed | REST/JSON; sub-second target marketed |
| UKGC pilot participant | Yes | Yes | Yes |
Source pages: Experian's gaming-vulnerability blog, Equifax's RiskScan page, and TransUnion's Affordability Solution for Gaming page.
The pilot exposed one issue that vendor brochures do not. The same player can return materially different findings across CRAs. Two of the three may clear a player frictionlessly while the third returns a flag, per the Racing Post's read of the post-pilot brief, because the underlying credit files are not synchronized and each CRA's risk model weights signals differently.
The implication for the operator is a vendor-strategy question, not a technical one. Single-CRA integration is faster to ship, simpler to cache, and gives a consistent decision per player. It also accepts the loss when a player has a thin file with the chosen CRA. Multi-CRA integration costs more and requires reconciliation logic when CRAs disagree, but improves match coverage on thin-file segments (under-25 players, recent immigrants, players who have never held UK credit). The operator's mix of player demographics is what tips the choice. A book skewed to under-25s with thin files probably cascades; a book on a mature audience does not.
Timeout fallback that does not break the cashier
The hard problem is what the cashier does when the CRA does not return inside the budget. The honest framing is that there is no perfect answer, only a tradeoff between regulatory defensibility and player conversion. The operator has to pick a posture.
Four patterns are in production at operators in May 2026.
Cache-first. Every CRA result is cached against the player-id with a 12-month TTL. A deposit attempt checks the cache before issuing a CRA call. If a fresh result exists, the cashier proceeds without an outbound call. This is the non-negotiable foundation under LCCP 3.4.4's 12-month rule, and operators that did not build it have been re-running checks on the same player at every threshold-crossing deposit at unnecessary data spend.
Cascade on timeout. The cashier issues the primary CRA call with an aggressive timeout, often 600 to 800 milliseconds. If the primary times out, the cashier issues a secondary CRA call (typically to a different bureau on a different network path). The cashier accepts the first response back. This buys reliability against a single CRA having a regional outage, at the cost of doubling the per-deposit data spend on the misses.
Soft-block to next deposit. If both the cache and the synchronous CRA call fail, the cashier authorizes the current deposit but flags the player for a mandatory synchronous check on the next deposit attempt. This is defensible at Stage 1, where the rolling-30-day trigger gives the operator runway. It is not defensible at Stage 2, where the player has just crossed the £1,000 threshold and a check has to land before the funds settle.
Hard hold and operator-message UX. When the deposit alone crosses Stage 2 threshold and no CRA result is available, the cashier holds the deposit, surfaces a "we are checking your account, this usually takes a minute" message to the player, and continues retrying the CRA in the background. The hold lasts up to a few minutes. If the CRA never returns, the deposit is declined and the player is redirected to a Stage 3 documentary path. This is the conservative regulatory posture. It is also the one where cashier abandonment runs highest.
LCCP versus cashier conversion: the soft-block decision
LCCP 3.4.4 requires the operator to undertake a financial vulnerability check at the trigger, not later. A literal reading is that authorizing a deposit at the trigger without the check is a license breach. The pragmatic reading at Stage 1 is that the 30-day rolling trigger gives the operator a window to complete the check before the next threshold-crossing deposit, so a soft-block to the next attempt does not violate the rule in spirit. The Stage 2 trigger is single-deposit, not rolling, so the same soft-block logic does not survive. Operators with conservative compliance counsel run hard-hold at Stage 2 even when conversion bleeds; operators with appetite for the conversion lift soft-block and document the policy.
The operator-side posture is therefore tier-specific: cache-first at every tier, cascade-on-timeout at Stage 1 and Stage 2, soft-block at Stage 1 only, hard hold at Stage 2 with a UX that does not feel broken. Operators that hard-block at Stage 1 lose conversion they did not need to lose. Operators that soft-block at Stage 2 are running on legal risk the post-pilot rulemaking is likely to remove the wiggle room from.
The 12-month cache and the multi-CRA divergence problem
Cache architecture is where the 12-month rule lives in production. The cache key is the player-id. The cache value carries: the CRA reference of the result, the timestamp, the tier of the original check (Stage 1 vs Stage 2), the raw decision (pass / flag / unmatched), and the operator's downstream classification of the decision. Five fields, indexed on player-id, with a 12-month TTL keyed off check timestamp.
The detail that bites operators retrofitting the cache is the CRA-divergence problem. The Racing Post note on the post-pilot brief is explicit: different CRAs return different findings for the same player. If the operator runs cascade-on-timeout, the cache will accumulate results from the secondary CRA on the misses where primary timed out. Six months later, when the same player crosses a threshold again, the cache returns the secondary's result. If the secondary returned "pass" while the primary would return "flag" for the same player today, the cached pass is now load-bearing for a deposit decision the operator's policy would have flagged.
The fix is a cache-policy choice, not a code change. Two clean options.
- Pin the cache to one canonical CRA per player. On a cascade, the cache stores the primary's result if it returns, the secondary's result only when the primary returns no-match, and never overwrites a primary result with a secondary one inside the 12-month window. The next deposit may re-query the primary if the cached entry came from the fallback, to refresh the canonical signal.
- Cache per-CRA findings independently, with a reconciliation rule that rejects on the strictest finding when CRAs disagree. This keeps the underlying disagreements visible but adds reconciliation logic to every cache read.
The first option is simpler to ship and cheaper to operate. The second option is more defensible to a regulator who asks why an operator's cached pass diverges from a current flag. Operators with thin compliance teams ship option one. Operators expecting scrutiny ship option two.
The April 2026 post-pilot update is silent on which the regulator prefers. The technical-standards drafting that follows the Commission's next-steps decision is where that question lands. Operators building the cache today on the simpler model should keep the per-CRA-finding option in their roadmap, because the rulemaking that lands across late 2026 and early 2027 may force it.
What clears in May 2026 is the legal floor. LCCP 3.4.4 light-touch checks at the £150 / 30-day trigger with public-records data, cached for 12 months, are the work the operator has to be doing right now whether the post-pilot rulemaking accelerates or slips. The Stage 2 build is the work the operator has to be doing in parallel to land it before Q1 2027. The 1.5 second pre-auth window is the constraint the cashier orchestrator runs against on the Stage 2 path, and the cache plus cascade plus tier-specific fallback are what make the constraint hold up under traffic.
Sources (12)
- 01UKGC: LCCP Condition 3.4.4 Financial vulnerability check
- 02UKGC blog: Financial risk assessments pilot, post-pilot analysis (April 2026)
- 03UKGC blog: Financial risk assessments pilot, update on Stage two
- 04Harris Hagan: Gambling Commission post-Pilot update on financial risk assessments
- 05Racing Post: Frictionless affordability checks pilot shows potential for confusion
- 06SBC News: UKGC says 97% of financial checks completed frictionlessly
- 07SBC News: UKGC nets 95% of frictionless checks at Stage-1 of pilot
- 08Experian UK: What gaming operators need to know about basic financial vulnerability checks
- 09Equifax UK: RiskScan product page
- 10TransUnion UK: Affordability Solution for Gaming
- 11iGaming Business: Financial risk checks, what we know about the affordability rebrand
- 12Poppleston Allen: Light-touch financial vulnerability checks threshold reduced