High-Risk Merchant Account in 2026: How to Pass Underwriting on the First Try

--

Press enter or click to view image in full size

What underwriters actually check, why first applications get declined, and the exact file that gets approved.

“High-risk” is a classification, not a verdict on your business. Card networks assign it at the level of your Merchant Category Code (MCC) and your chargeback exposure — not your honesty. Crypto, gambling, forex, CBD, nutra, adult, and travel all sit here by default.

What changed is the underwriting standard. In 2026, it is tighter than in 2024 — by rule, not by mood. Acquirers underwrite defensively because, under the current card-network monitoring programs, they are the ones fined when a merchant misbehaves. To pass on the first try, you have to answer their real question before they ask it. Will this merchant push our portfolio over a network threshold?

If you are reading this because an application was declined or a processor just put you on notice, the rest of this is the checklist we run before filing.

What “high-risk” actually means

A high-risk merchant account is a payment-processing account for a business that card networks and acquiring banks consider more likely to generate chargebacks, fraud, or regulatory friction. The categories that are high-risk by default:

• Crypto / digital assets (MCC 6051) — irreversible settlement, fraud vectors, evolving regulation
• Gambling / iGaming (7995) — licensing complexity, jurisdictional bans, high dispute rates
• Forex / CFD (6211, 6051) — leverage losses become disputes; regional bans
• CBD / hemp / nutra (5993, 5122) — claims scrutiny, recurring-billing disputes
• Adult/dating (5967, 7273) — elevated chargebacks, friendly fraud
• Travel/ticketing (4722, 7991) — delivery delay, cancellation, large tickets

Being high-risk is not the obstacle. The obstacle is that the standard for these MCCs is higher, and acquirers apply it defensively.

The rules that drive underwriting in 2026: VAMP and ECP

When an underwriter reviews your file, they are not asking, “Isthis a good business?” They are modeling your future against two specific programs.

Visa Acquirer Monitoring Program (VAMP). Effective 1 April 2025, VAMP consolidated five legacy fraud and dispute programs (including VDMP and VFMP) into one acquirer-level program. Enforcement began 1 October 2025; acquirer-level fines started in January 2026. The metric is a single count-based ratio:

Fraud (TC40) + non-fraud disputes (TC15) ÷ settled transactions

The thresholds:

• Acquirer portfolio — 0.50% “above standard”, 0.70% “excessive”
• Merchant, non-CEMEA — 1.5% “excessive”, in effect since 1 April 2026 (down from 2.2%)
• Merchant, CEMEA — 2.2%

Two consequences for you. First, 1.5% is the cliff — roughly 15 disputes per 1,000 transactions, and on high-ticket crypto or forex, you can cross it with a surprisingly small count. Monitoring starts at 1,500 combined fraud-plus-dispute events; penalties are $4 per event for “above standard” portfolios and $8 per event for“excessive,” with no warning tier. Second, pre-dispute resolution now counts. Disputes resolved through RDR, Order Insight, CDRN, or Compelling Evidence 3.0 are excluded from the VAMP calculation. Having those tools in place is a green flag that underwriters look for.

Mastercard Excessive Chargeback Program (ECP). A parallel two-tier program where the ratio is this month’s chargebacks ÷ last month’s sales. The Excessive Chargeback Merchant (ECM) tier is 100–299 chargebacks per month at a 1.5%–2.99% ratio; the High Excessive (HECM) tier is 300+ chargebacks at 3% or higher — both the count and the ratio must be met. Fines escalate the longer you stay in: nothing in month one, four-figure assessments through months 2–6, climbing into six figures for chronic offenders. Exit requires three consecutive months below the threshold.

Walk in with a chargeback-control story that maps to these numbers, and you are speaking the underwriter’s language. Walk in without one, and you are an unpriced risk.

What underwriters actually check and how to be ready

A high-risk file is a substantive review, not a form. Six areas decide it.

1. Corporate and ownership. Certificate of incorporation, license, registration number, proof of good standing, plus director and shareholder KYC. Critically, a UBO chain is traced to natural persons. UBO opacity — shell layers or nominees the underwriter cannot see through — is one of the fastest declines.

2. Processing and financial history. Three to six months of processing statements and bank statements that reconcile to each other. The most common failure is processing volume that does not match the bank — if money flowed through a route the underwriter cannot see, they assume the worst. New businesses substitute a credible plan with realistic projections.

3. Website and checkout. The acquirer will open your site and click through checkout. They want a clear product description; visible refund, cancellation, terms, and privacy pages; 3-D Secure 2/SCA; a billing descriptor a cardholder will recognize; and working support contacts. Missing policies or a vague product read as a transaction-laundering risk.

4. Chargeback and fraud controls. Your current ratio with an explanation of any spike, a documented fraud stack (3DS2, AVS/CVV, velocity rules, device fingerprinting), and pre-dispute tooling. A spike with no narrative reads as an unmanaged operation.

5. AML / KYC. A real AML/CFT policy with a named compliance officer, customer due diligence, transaction monitoring, sanctions and PEP screening, and Travel Rule readiness for crypto. A downloaded template with no officer behind it does not pass.

6. The license. For regulated verticals, the question is blunt: are you allowed to do this? A MiCA-CASP authorization, an EMI or PSP license, a CySEC or Mauritius forex license, a gaming license — each moves you from “unknown risk” to “someone a regulator already examined.” For crypto, gambling, and forex, it is increasingly mandatory under the acquirer’s own rules; even where optional, it is the single strongest signal you can send.

Why are first applications declined

Most first-try declines are not “your business is unacceptable.” They are “your file did not answer the question.” The recurring causes: thin or inconsistent documentation; an untraceable ownership structure; a website that fails the click-test; a chargeback history with no narrative; volume projections detached from the bank statements; AML as a template with no substance; operating a regulated activity unlicensed; or simply applying to an acquirer that does not serve your MCC or geography.

The asymmetry matters: a decline is not free. Reapplications are visible, and a pattern of them — especially a placement on MATCH (Mastercard’s Member Alert to Control High-Risk Merchants, which typically lasts five years) — makes the next application harder. The first try is the cheapest try, which is the entire argument for preparing properly before you file.

Reserves, fees, and timeline

A high-risk approval rarely comes unconditioned. Expect a rolling reserve — the standard in 2026 holds 5–10% of daily revenue for 90–180 days, rising to as much as 15% for the hardest verticals. Reserves are a risk buffer, not a penalty, and they are negotiable downward over time on clean performance. Do not try to negotiate the reserve away at application; accept it cleanly, perform, then renegotiate from data. Pricing runs above standard retail — higher discount rate, monthly and per-transaction fees, and chargeback fees of around $25–$50 per dispute. Volume caps start low and rise with history.

On timing, expect 3–7 business days to approval for a clean, straightforward file — and two to six weeks for the hardest cases (new crypto, multi-jurisdiction gaming, recovery from a prior closure). The bottleneck is almost always file quality, not acquirer speed.

The licence-and-bank connection

The fastest way to pass underwriting is to remove the underwriter’s biggest unknown: whether this operator is allowed to do this, and whether anyone competent has already checked. A relevant license answers both — the acquirer inherits the regulator’s diligence on your ownership, AML, and model. Licensed applications move faster, attract lower reserves, and unlock acquirers that will not touch unlicensed operators in the same MCC.

This is why treating “the license” and “the bank” as two separate projects six months apart is the most expensive mistake in this space. A granted license with no working payment account is a paperweight. The two should be solved in parallel, under one plan: the license structured to satisfy the acquirer, banking, and processing lined up to go live the moment authorization lands.

What Incluence does

We are a legal consultancy headquartered in London, with offices in Hong Kong and the UAE. Since 2014, we have handled licensing and high-risk banking for fintech, crypto, forex, and gambling businesses across the EU, UK, Asia, and offshore jurisdictions — including more than 200 high-risk merchant and banking accounts for clients in segments most consultancies refer out.

For high-risk payment acceptance, we audit your underwriting readiness against the exact criteria above, build the file — corporate, UBO, financial, AML, website to a standard that minimises request-for-information loops, match you to acquirers and PSP that actually serve your MCC and geography, secure the licence in parallel where one helps (MiCA-CASP, EMI, forex, gaming) so licensing and banking go live together, and handle recovery when a processor or bank has closed an account.

If your situation is urgent — an application declined, a processor on notice, or a bank that just closed your account — we can typically respond within 24 hours.

At Incluence, we work with crypto and fintech companies on the full path — licensing, structure, and banking access — across 30+ jurisdictions in the EU, UK, Switzerland, the UAE, and APAC. If you’ve been rejected and want a second-attempt diagnostic, you can reach Yuliia directly on Telegram at Incluence or visit incluence.com.