High-risk payment processing: What UK and EEA merchants need to know
March 19, 2026
Banks and payment processors don’t treat all merchants equally. Businesses in certain industries face account rejections, higher fees, and stricter contract terms because providers consider them disproportionately exposed to chargebacks, fraud, or regulatory risk. High-risk payment processing is the term the industry uses for the specialised merchant services that serve these businesses.
This article explains which industries face that classification, how UK and EEA bank regulations apply, and what to look for when choosing a specialist payment provider. It covers everything from how processors assess risk to chargeback thresholds and compliance requirements.
What makes a merchant account high-risk
Banks and payment processors classify merchant accounts as high-risk based on three structural characteristics:
- The industry the business operates in.
- Its business model.
- Its transaction profile.
Industry is the most immediate factor. Sectors like CBD, online dating, and cryptocurrency trading carry elevated risk classifications because of regulatory complexity, reputational exposure, or historically high dispute rates. A business in one of these sectors inherits that classification regardless of its own track record.
The business model amplifies the risk profile. Subscription-based billing, high average order values, and cross-border transactions all increase a processor’s exposure. A CBD merchant selling low-value one-off products presents a different risk profile to one running a recurring billing model with an international customer base.
Transaction profile is the third factor. Businesses with no prior processing history, inconsistent monthly volumes, or a high ratio of card-not-present transactions face additional classification pressure, particularly during initial underwriting.
How payment processors assess risk
Once a business applies for a merchant account, processors run a formal risk assessment before approving or declining. This goes beyond industry classification. Five factors drive the decision.
- Merchant Category Code (MCC). Processors assign an MCC to every business. It determines which card scheme rules apply, what chargeback thresholds are enforced, and in some cases whether a processor will accept the application at all.
- Volume and ticket analysis. Processors examine whether projected monthly volume and average transaction value are consistent with the business’s financials. Large discrepancies between stated and actual volumes are a common trigger for account termination after approval.
- Business model evaluation. Subscription billing, high average order values, and card-not-present transactions all increase processor exposure. These factors are assessed alongside industry classification, not separately.
- Chargeback history. Processors review any prior processing records to assess dispute rates. A history that pushes the combined fraud and dispute ratio above card scheme thresholds raises immediate flags and can result in reserve requirements or outright rejection.
For Visa, the excessive merchant threshold in the EU region is 220bps under the Visa Acquirer Monitoring Program (VAMP). Mastercard’s equivalent thresholds under the Excessive Chargeback Program are communicated through acquiring banks and aren’t publicly disclosed.
Industries classified as high-risk
Payment processors apply elevated classification to a defined set of industries. The reasons vary, but the common thread is some combination of regulatory complexity, elevated chargeback exposure, or reputational risk that standard processors are unwilling to absorb.
CBD and cannabis
CBD merchants face restricted access to payment processing primarily because of regulatory ambiguity. CBD’s legal status varies across EEA markets, and card schemes have historically applied inconsistent rules to transactions in this category. This section covers the classification factors; the full picture on CBD and online trading payment processing is addressed in a dedicated section below.
Cryptocurrency/trading
Cryptocurrency exchanges and online trading platforms face classification pressure because of market volatility, cross-border transaction complexity, and AML exposure. Processors apply additional scrutiny to businesses in this category because transaction patterns can be difficult to distinguish from money laundering activity without robust KYC infrastructure in place.
Bank regulations for high-risk merchants
Banks don’t de-risk entire sectors arbitrarily. They do it because the regulatory cost of serving merchants in certain industries, combined with the liability exposure from non-compliance, outweighs the commercial benefit. For high-risk merchants, this has a direct consequence: fewer processor options, stricter onboarding requirements, and ongoing compliance obligations that standard merchants don’t face.
Chargeback thresholds are the most immediate regulatory pressure point. Visa and Mastercard both operate formal monitoring programmes that trigger penalties and ultimately account termination if dispute ratios breach defined limits. The table below sets out what merchants operating in the UK and EEA need to know.
| Factors | Visa Acquirer Monitoring Program (VAMP) | Mastercard Excessive Chargeback Program (ECP) |
| --- | --- | --- |
| Programme metric | Combined fraud and dispute count ratio (VAMP ratio) on card-not-present transactions. | Chargeback ratio monitored at merchant level. |
| Excessive merchant threshold (EU) | 220bps VAMP ratio and 1,500 combined fraud and dispute count per month. | Thresholds published in Mastercard’s Data Integrity Monitoring Program documentation, accessible through your acquiring bank or Mastercard Connect. |
| Monitoring period | Monthly | Monthly |
| Financial penalties | Penalty structure communicated through acquiring banks; not publicly disclosed by Visa. | Penalty structure communicated through acquiring banks; see Mastercard’s Data Integrity Monitoring Program documentation. |
| Ultimate consequence | Account termination and potential MATCH list placement. | Account termination and potential MATCH list placement. |
| Remediation requirement | Acquirer must implement risk mitigation control measures. | Merchant must submit and execute a dispute reduction plan. |
Beyond chargeback thresholds, four regulatory frameworks directly affect how high-risk merchants access and maintain payment processing in the UK and EEA.
- FCA authorisation. Any payment service provider operating in the UK must hold FCA authorisation as a Payment Institution or Electronic Money Institution. For merchants, this matters because it determines whether your processor can legally hold client funds, issue refunds, and operate across UK and EEA markets post-Brexit. Working with an unauthorised provider exposes your business to serious regulatory risk.
- PSD2 and Strong Customer Authentication (SCA). PSD2 mandates SCA for online transactions across the EEA, requiring two-factor authentication at the point of payment. High-risk merchants with above-average cart abandonment rates need processors that implement 3D Secure 2 correctly, since a poorly configured SCA flow compounds existing conversion challenges.
- KYC and AML. Know Your Customer and Anti-Money Laundering obligations require merchants to verify customer identities and monitor transactions for suspicious activity. For high-risk industries, regulators apply a higher standard of due diligence. Processors will request extensive KYC documentation during onboarding and may conduct ongoing transaction monitoring as a condition of the account.
- PCI DSS. The Payment Card Industry Data Security Standard applies to any business that stores, processes, or transmits card data. Non-compliance exposes the merchant to fines imposed by card schemes on their acquiring bank, which are typically passed through to the merchant, and shifts liability for fraud losses directly onto the business. The acquiring bank may also terminate the merchant account.
Non-compliance in any of these areas can result in account termination, financial penalties, and in serious cases, MATCH list placement, which makes future merchant account approval significantly harder to obtain.
How to choose a high-risk payment gateway
The terms a specialist gateway offers differ substantially from a standard processor. The table below covers the practical differences merchants should expect.
| Factor | High-risk payment gateway | Standard payment gateway |
| --- | --- | --- |
| Typical fee ranges | Higher transaction fees reflecting elevated risk and specialist underwriting. | Lower flat-rate fees for standard e-commerce merchants. |
| Approval timelines | Longer due to manual underwriting and compliance checks. | Fast or instant for aggregators. |
| Reserve requirements | Rolling reserves are common, held as security against chargebacks and disputes. | Rarely required. |
| Chargeback thresholds | Monitored against Visa VAMP and Mastercard ECP programme thresholds. | Standard card scheme thresholds apply. |
| Contract terms | Longer commitments with early termination fees are typical. | Month-to-month common with major aggregators. |
| Support models | Dedicated account manager with industry-specific knowledge. | Ticket-based or automated support. |
Beyond the structural differences, six criteria should drive the selection decision.
- Industry experience. A processor’s familiarity with your specific vertical determines whether they understand your chargeback patterns, compliance obligations, and volume profile, or whether they’re applying generic risk rules that will create problems at renewal.
- Regulatory credentials. For UK and EEA merchants, FCA authorisation is non-negotiable. Verify the processor’s status directly on the FCA register before onboarding.
- Chargeback management. Ask whether the provider offers access to Verifi and Ethoca alert networks, which allow disputes to be resolved before they escalate to formal chargebacks. This is a meaningful differentiator for merchants already operating close to scheme thresholds.
- Payment method coverage. Ensure the gateway supports the payment methods your customer base expects, including local EEA payment methods if you operate across multiple markets.
- Transparent pricing. Request a full fee schedule in writing before signing, including monthly fees, chargeback fees, reserve terms, and any PCI compliance charges. Surprises in month three are a common complaint with processors in this space.
- Scalability. Confirm that the processor can support your projected volume growth without requiring renegotiation or account review at an arbitrary threshold.
CBD and online trading
CBD merchants and online trading platforms share a common challenge: both operate in sectors where regulatory ambiguity gives mainstream processors a reason to decline, regardless of how compliantly the business operates.
The regulatory picture for CBD payments in the UK and EEA
In the UK, CBD products sold for consumption must comply with FSA novel food authorisation requirements. Payment processors operating in the UK must hold FCA authorisation, and many apply their own internal policies on top of regulatory requirements, making bank access inconsistent even for compliant merchants.
Across the EEA, no ingestible CBD product has received EU-wide Novel Food authorisation under Regulation (EU) 2015/2283. The EFSA published an updated safety assessment in December 2025 establishing a provisional safe intake level of 0.0275 mg/kg body weight per day—roughly 2 mg daily for a 70 kg adult—and concluded that safety can’t be established for those under 25, pregnant or breastfeeding women, or people on medication.
How CBD and online trading merchants can process payments
Both sectors are processable with the right provider. The key steps are the same regardless of vertical.
- First, ensure your business documentation is complete before approaching a processor: company registration, compliance certifications, processing history if available, and evidence of regulatory authorisation where applicable.
- Second, work with an FCA-regulated processor that has demonstrable experience in your specific sector. Generic high-risk processors apply rules designed for other industries that may not reflect your actual risk profile.
- Third, implement chargeback prevention infrastructure from the outset. Access to Verifi and Ethoca alert networks, clear billing descriptors, and a robust refund policy materially reduce dispute rates before they become a scheme monitoring issue.
What to do next
Securing stable payment processing in a restricted industry comes down to three actions.
- Audit your compliance position before approaching processors. Incomplete documentation, unresolved chargeback issues, or gaps in KYC/AML infrastructure will slow down or derail onboarding. Address these first, and you will move through underwriting faster with better terms.
- Verify your processor’s regulatory credentials independently. FCA authorisation status is publicly verifiable on the FCA register. Any processor serving UK and EEA merchants that cannot provide a valid Firm Reference Number (FRN) should be disqualified immediately, regardless of the rates they quote.
- Choose a processor with documented experience in your specific vertical. Generic high-risk processors apply rules designed for other industries. A processor that understands your chargeback patterns, compliance obligations, and volume profile will structure your account appropriately from the outset, rather than revisiting terms at the first sign of friction.
Fibonatix is an FCA-regulated payment service provider specialising in merchant accounts for restricted-category businesses across the UK and EEA.
If you want a processor with direct experience in your sector, contact our team to discuss your requirements.
Disclaimer: Fibonatix is a UK-based, FCA-regulated payment service provider (FRN 768776) specialising in merchant accounts for B2C businesses globally, and for B2B businesses exclusively in the UK and EEA. Verify our regulatory status on the FCA Financial Services Register.
FAQs
What is a high-risk payment gateway and how does it differ from a standard gateway?
A high-risk payment gateway is a specialised merchant account and processing service built for businesses in industries that standard processors decline to serve. Unlike standard gateways, they include specialist underwriting, chargeback management tools, and higher fee structures that reflect the elevated risk profile of the merchant.
Why are certain industries classified as high-risk by payment processors?
Industries are classified as high-risk because of elevated chargeback exposure, regulatory complexity, or reputational factors that standard processors are unwilling to absorb. Common examples include CBD, online dating, and cryptocurrency trading.
How does a high-risk merchant account differ from a standard merchant account?
A high-risk merchant account is tailored for businesses with greater risk exposure. It typically involves higher fees, more stringent contract terms, and specialised services like chargeback management and enhanced fraud protection.
What compliance requirements apply to high-risk merchants in the UK and EEA?
High-risk merchants must adhere to several compliance requirements, including PCI DSS for payment security, KYC and AML regulations to prevent fraud, and industry-specific regulations such as PSD2 in the EEA.
How can high-risk businesses reduce chargebacks below card scheme thresholds?
The most effective measures are clear billing descriptors, a straightforward refund policy that resolves disputes before they escalate, and access to Verifi and Ethoca chargeback alert networks. Visa’s VAMP programme monitors merchants against a 220bps threshold, so intervention needs to happen well before that level is reached.
How do bank regulations affect payment processing for high-risk merchants?
Banks apply FCA authorisation requirements, PSD2 compliance obligations, and internal de-risking policies that together restrict which merchants they will serve. For high-risk merchants, this means fewer processor options, more stringent onboarding requirements, and higher fees that reflect the compliance burden processors absorb on their behalf.
What should high-risk businesses consider when choosing a payment gateway?
When choosing a payment gateway, high-risk businesses should consider factors such as the gateway’s ability to handle high transaction volumes, support for multiple payment methods, compliance with industry regulations, and the level of customer support provided.