Geolocks and payment policies
1) Why do you need it
Compliance with licenses and sanctions regimes.
Reduction of payment and penalty risks (chargeback, scheme penalties).
Operational predictability: controlled deposit/disbursement corridors.
Honest monetization: transparent rules for users and partners.
2) Basic concepts and levels of control
Geoblock (geolock) - prohibition/restriction of access or payment transactions based on geography.
Payment policy - a set of rules for receiving/paying by country/method/currency/license.
Implementation levels
1. DNS/CDN/Edge: country block, geo-redirection, geo-fencing API.
2. Application/Backend: feature flags, allow/deny rules, step-up KYC/SoF.
3. Payment gateway/Router: PSP/method selection, 3DS strategies, limits.
4. PSP/Bank: contractual geo-restrictions, BIN/issuer country filters.
5. Anti-fraud: anti-VPN/proxy, device graph, velocity and behavioral signals.
3) Legal grounds and risk areas
License restrictions by market (allowed/prohibited/gray).
Sanctions (OFAC/EU/UK and secondary): bans on admission/payment, FX and correspondent-bank restrictions.
Local payment laws: prohibitions on iGaming operations for cards/banks/methods.
Consumer protection: mandatory KYC, limits, self-exclusion.
Policies must have a version, an effective window (effective_from/to), a change log, and a legal basis.
4) Geolocation signals and bypass detection
IP/ASN/GeoIP (country, region, ASN risk).
VPN/Proxy/Tor detection: commercial lists, latency patterns, TTL anomalies.
GPS/Location Services (mobile).
SIM/MCC/MNC, carrier country.
BIN/IIN cards and issuer country.
Billing country and KYC documents (passport/ID).
Payee address/bank.
The decision is multi-signal: at least 2 independent country signals must agree; on conflict → step-up KYC/SoF.
5) Policy matrix (example)
6) Acceptance and payment policies
Method whitelists/blacklists by ISO country, currency, MCC, provider.
BIN-routing: reject/route cards by issuer's country and 3DS requirements.
Same-method & return-to-source: returns of deposit funds according to the same method and up to the net deposit amount.
Corridor health: monitoring of payment corridors (success rate, returns, SLA).
FX rules: currency of acceptance/payouts; prohibition of PSP-side conversions where required.
Limits and velocity: caps by country and exposure (day/week/month).
7) Anti-VPN/anti-proxy strategy
VPN/hosting provider lists (ASN), Tor Exit, proxy pools.
Mismatch detection: IP country vs GPS/SIM/BIN/KYC.
Behavioral features: serial logins from the same subnets, frequent change of IP/trusted devices.
Reactions: step-up KYC, temporary payment block, bonus ban, manual payment check.
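The multi-signal rule from section 4 together with the reactions listed above, as an added Python example (not code from the original page): two agreeing signals allow, any disagreement or anonymizer flag steps up, a missing second signal falls into safe mode. The `prohibited` set and the reason codes are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

@dataclass
class GeoEvidence:
    """One snapshot of risk.geo_evidence (page schema); None means the signal is unavailable."""
    ip_country: Optional[str] = None
    gps_country: Optional[str] = None
    sim_country: Optional[str] = None
    bin_country: Optional[str] = None
    billing_country: Optional[str] = None
    vpn_flag: bool = False
    proxy_flag: bool = False

SIGNALS = ("ip_country", "gps_country", "sim_country", "bin_country", "billing_country")

def conflict_score(e: GeoEvidence) -> int:
    """Available signals that disagree with the IP country (same meaning as template 10.1)."""
    if e.ip_country is None:
        return 0
    others = (getattr(e, s) for s in SIGNALS[1:])
    return sum(1 for c in others if c is not None and c != e.ip_country)

def decide(e: GeoEvidence, prohibited: FrozenSet[str]) -> Tuple[str, str]:
    """Return (decision, reason_code): ALLOW, STEP_UP (KYC/SoF) or DENY.

    `prohibited` is an assumed set of ISO2 codes the licence/sanctions list forbids.
    """
    values = [getattr(e, s) for s in SIGNALS if getattr(e, s) is not None]
    countries = set(values)
    # Fail-safe (best practice 5): fewer than two independent signals -> safe mode, not allow
    if len(values) < 2:
        return "STEP_UP", "insufficient_signals"
    # A signal pointing at a prohibited market is a legal hit, not something step-up can cure
    if countries & prohibited:
        return "DENY", "prohibited_market"
    # Section 7 reaction to anonymizers: hold payments until KYC/SoF clears the session
    if e.vpn_flag or e.proxy_flag:
        return "STEP_UP", "vpn_or_proxy"
    # Section 4 rule: two or more signals that all agree -> allow; any disagreement -> step-up
    if len(countries) == 1:
        return "ALLOW", "consistent"
    return "STEP_UP", "signal_conflict"
```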
8) Data architecture (minimal model)
ref.geo_policies (
  policy_id PK, version, iso2, class, legal_basis,
  deposit_methods_whitelist, withdraw_methods_whitelist,
  kyc_level, sof_required, bonus_mode,
  fx_rules, t_plus_withdrawal, enabled, effective_from, effective_to, meta
)
risk.geo_evidence (
  user_id, snapshot_at,
  ip_country, gps_country, sim_country, bin_country,
  billing_country, issuer_country, payout_bank_country,
  vpn_flag, proxy_flag, conflict_score
)
payments.routing_rules (
  rule_id PK, iso2, bin_country, method, provider,
  require_3ds, max_amount_daily, decline_codes_map, priority, enabled
)
payout.corridors (
  corridor_id PK, from_iso2, to_iso2, method, provider,
  success_rate_7d, return_rate_7d, avg_eta_hours, status, updated_at
)
9) Processes (ETL/orchestration)
1. Daily import of legal updates → update `ref.geo_policies` (versioning).
2. Enrichment of events (login, deposit, withdrawal) with geo-evidence → write to `risk.geo_evidence`.
3. Rule-engine → step-up/deny.
4. Routing deposits by `payments.routing_rules`.
5. Monitoring `payout.corridors` and auto-switch to backup PSP.
10) SQL templates
10.1. Geo-signal conflict
```sql
-- COALESCE keeps a missing signal (NULL) from turning the whole score into NULL
SELECT user_id, snapshot_at,
       COALESCE((ip_country <> gps_country)::int, 0)
     + COALESCE((ip_country <> sim_country)::int, 0)
     + COALESCE((ip_country <> bin_country)::int, 0)
     + COALESCE((ip_country <> billing_country)::int, 0)
       AS conflict_score
FROM risk.geo_evidence
WHERE snapshot_at BETWEEN :from AND :to
  AND (vpn_flag OR proxy_flag OR ip_country IS DISTINCT FROM gps_country);
```
10.2. Policy application by country
```sql
-- Join on the country itself: geo_policies has no user_id to join on
SELECT p.*
FROM ref.geo_policies p
JOIN risk.geo_evidence e
  ON p.iso2 = COALESCE(e.gps_country, e.ip_country)
WHERE e.user_id = :user_id
  AND now() BETWEEN p.effective_from AND COALESCE(p.effective_to, 'infinity')
  AND p.enabled = TRUE
ORDER BY e.snapshot_at DESC, p.version DESC   -- latest evidence first, then newest policy version
LIMIT 1;
```
10.3. BIN/Country/PSP Routing
```sql
SELECT provider, require_3ds, priority
FROM payments.routing_rules
WHERE enabled = TRUE
  AND (iso2 = :country OR iso2 IS NULL)
  AND (bin_country = :bin_country OR bin_country IS NULL)
  AND method = :method
-- lowest priority value first; on a tie an exact country/BIN match beats a NULL wildcard
ORDER BY priority ASC, iso2 IS NULL, bin_country IS NULL
LIMIT 1;
```
10.4. Payment corridor monitoring
```sql
SELECT provider, method, to_iso2,
       success_rate_7d, return_rate_7d, avg_eta_hours, status
FROM payout.corridors
WHERE updated_at > now() - INTERVAL '1 day'
  AND (status <> 'OK' OR success_rate_7d < 0.95 OR return_rate_7d > 0.05);
```
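Templates 10.3 and 10.4 combined into one routing decision, as an added Python example (not the page's own code): candidates come from `payments.routing_rules` with the same wildcard and priority semantics, the 10.4 thresholds gate each candidate's corridor in `payout.corridors`, and the next candidate is the backup PSP from step 5 of section 9. Applying the corridor gate at routing time and the sample rules are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class RoutingRule:
    """Row of payments.routing_rules (page schema); None iso2/bin_country acts as a wildcard."""
    rule_id: int
    iso2: Optional[str]
    bin_country: Optional[str]
    method: str
    provider: str
    require_3ds: bool
    priority: int
    enabled: bool = True

@dataclass
class Corridor:
    """Row of payout.corridors (page schema), reduced to the fields the health check uses."""
    provider: str
    method: str
    to_iso2: str
    success_rate_7d: float
    return_rate_7d: float
    status: str

def corridor_healthy(c: Corridor) -> bool:
    # Same thresholds as SQL template 10.4; anything else is flagged and skipped
    return c.status == "OK" and c.success_rate_7d >= 0.95 and c.return_rate_7d <= 0.05

def candidate_rules(rules: List[RoutingRule], country: str, bin_country: str,
                    method: str) -> List[RoutingRule]:
    """Matching rules, best first: priority, then exact country/BIN match before wildcard."""
    hits = [r for r in rules if r.enabled and r.method == method
            and r.iso2 in (country, None) and r.bin_country in (bin_country, None)]
    return sorted(hits, key=lambda r: (r.priority, r.iso2 is None, r.bin_country is None))

def route(rules: List[RoutingRule], corridors: List[Corridor], country: str,
          bin_country: str, method: str) -> Optional[RoutingRule]:
    """First candidate whose corridor to `country` is healthy (auto-switch to the backup PSP)."""
    health: Dict[Tuple[str, str, str], bool] = {
        (c.provider, c.method, c.to_iso2): corridor_healthy(c) for c in corridors}
    for r in candidate_rules(rules, country, bin_country, method):
        if health.get((r.provider, method, country), False):
            return r
    # Fail-safe: no healthy provider -> hold and raise "Payout Corridor Down", never route blind
    return None
```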
11) Dashboards and KPIs
Geo Compliance Heatmap: Traffic share by A/B/C/D class, blocks and step-up.
VPN/Proxy Incidents: number/percentage of sessions, average conflict_score.
Deposit Routing: authorization rate by PSP/country/BIN, share of enforced 3DS.
Payout Corridors Health: success/returns/ETA, switching to backup.
Loss & Liability: chargeback ratio and scheme penalties by geo/methods.
Policy Coverage: % of sessions with a current policy (version), update log.
12) Alerts and thresholds
Sanctions/Legal Update: new country on the list - auto-switch classes, freeze.
VPN Surge: share of VPN sessions > X% in a country/channel.
Routing Degradation: authorization rate (AR) at the selected PSP drops by > Y bps within 1 hour.
Payout Corridor Down: success_rate < threshold or SLA breach.
Policy Drift: events in a country without an active policy/expired version.
Same-method Violation: attempted cross-method return without reason.
13) UX and Communications
Clear rejection texts with reason codes and reference to rules.
Service Availability page (whitelist/blacklist countries and methods).
Mild escalation: Offer to pass KYC/SoF instead of instant ban on signal conflict.
Localization of warnings and alternative payment methods.
14) Best practices (short)
1. Two-factor or higher geo-determination: IP + GPS/SIM/BIN.
2. Versioning and legal tracing (legal basis, owner, change log).
3. Routing at the BIN/issuer country level + forced 3DS in risk geo.
4. Same-method and return to source as default; exceptions - by request with audit.
5. Fail-safe design: when the signal is unavailable - safe mode (step-up/deny).
6. Separation of layers: policy engine ≠ antifraud ≠ payment router, but common directories.
7. Regular tabletop exercises: sanctions update, falling payment corridor, mass VPN assault.
15) Implementation checklist
- Directory `ref.geo_policies` with versions and legal basis.
- GeoIP, VPN/Proxy, BIN-lookup, GPS/SIM integration.
- Routing rules in `payments.routing_rules` and a backup PSP.
- Monitor payout corridors and auto-switch.
- Public service availability page (countries/methods).
- Step-up/deny logs and the cause of each decision (explainability).
- Emergency "freeze" procedure for sanctions/regulatory updates.
Summary
Geoblocks and payment policies are not an "IP ban," but a holistic system: legal grounds, multi-signal geo-determination, smart routing, strict return-to-source rules and constant monitoring of payment corridors. With versioned policies, transparent data and automatic alerts, you reduce regulatory and payment risks while maintaining the predictability of monetization.