GH GambleHub

Legal limitations of payment methods

TL;DR

The legal framework depends on the jurisdiction, the role of the merchant (MoR/agent), the method (cards/A2A/RTP/wallet/voucher/crypto) and where the player and your legal entity are located. Basic approach: maintain a tolerance matrix (country × method × use-case), enforced controls at the cashier and on withdrawals, centralized sanctions screening, and a refund/source-of-funds policy. Any "gray" workarounds (cross-border acceptance without authorization, proxy providers) create risks: blocks by providers, fines, license revocation, frozen funds.

1) Restriction taxonomy

1. Licensing: whether a local MoR/gambling license is needed to accept/pay out via a specific method.
2. Method-specific: rules of networks/schemes (cards, RTP, e-wallets, vouchers, crypto).
3. Regulatory by player: age, residency, prohibited GEO, self-excluded/excluded players.
4. Sanctions/AML: PEP/sanctions, SoF/SoW, reporting limits and triggers.
5. Consumer protection: refunds, chargeback/dispute procedure, cooling-off, auto-subscriptions.
6. Privacy/data: data residency, personal data (PD) export, retention periods.
7. Taxes/currency: VAT/GST, currency control, FX/repatriation restrictions.
8. Terms and advertising: offer, responsible gaming, marketing prohibitions by method.

2) Cards (Visa/Mastercard/local schemes)

MoR and MCC: gambling activity often requires a local MoR and a permitted MCC, otherwise acquiring may fail.
SCA/3DS: for EEA/UK - mandatory SCA requirements (PSD2). You cannot systematically bypass the challenge for high-risk segments.
Chargeback/disputes: duty to store evidence; clear SLAs on submission of materials.
Geo and age: block on banned countries/territories; in some countries, cards for iGaming are limited or require additional permissions.
Recurring charges: explicit opt-in, understandable descriptor, reminders; "silent" renewals carry the risk of a regulatory fine.

Responsible payments: refunds on cards strictly "to the source" (refund-to-source), a ban on "withdrawal to someone else's card."

Policies at the cashier:
  • Geo-check ≠ GEO-IP (only) - KYC/address required.
  • Auto-block cards from prohibited BINs/issuers; a clear descriptor preview.
  • 3DS ladder: low-risk → frictionless, high-risk → challenge.

3) A2A/Open Banking/local pull/push schemes

Local permissions: many A2A methods require a local entity/account and prohibit cross-border acceptance.
Consent & SCA: explicit consent/initiation by the player, immutability of the amount/recipient.
Refunds: differ by scheme; sometimes there is no symmetrical "refund" and you need a reverse payment (with the corresponding terms in the offer).
Chargeback analogue: in some schemes, a return for error/fraud goes through the bank; terms and grounds are fixed.
Marketing/UX: do not mislead the player with claims of "instant" payment unless the scheme guarantees instant settlement.

Policies:
  • Verify that the legal entity and bank are in the permitted country for the method.
  • Separate reverse payment policy in the offer.
  • Limits of amounts and frequency, SoF controls for abnormal volumes.

4) RTP/Instant (SCT Inst, Faster Payments, RTP US, etc.)

Use-case: payouts are more often allowed; acceptance of deposits at the cashier is limited.
KYC/SoF: enhanced source of funds checks for large or frequent payouts.
Cut-off and window restrictions: you must not mislead players about the timing of crediting.
Recall/returns: a process for handling erroneous details/mule accounts is required.

Policies:
  • Payments - only to verified accounts in the name of the player (name match).
  • Prefund and limits on merchant wallets/accounts; Send/credit confirmation log.

5) Wallets/Super Apps (e-wallets)

Local merchant and MoR registration are often mandatory; separate categories for gambling.
Limits: daily/monthly, user KYC levels; bans on P2P loops.
Chargeback mechanics: the wallet's internal dispute system; a communication channel is required.
Ads/bonuses: some wallets prohibit incentivizing deposits with bonuses in wallet ads.

Policies:
  • Owner match check (wallet ↔ player KYC).
  • In the offer - the terms of charges/refunds, wallet fees (if passed on to the player).

6) Vouchers/cash → digital

Retail restrictions: denomination limits, age, ban on cross-border redemption.
AML/Velocity: high syndicate/mule risks; frequent prohibitions on direct withdrawals via voucher.
Refund: as a rule, there is no symmetrical refund to the voucher; a compensation policy is required.

Policies:
  • Bind a voucher to a device/account at redemption; cooldown and turnover conditions before withdrawal.
  • Prohibition of cross-geo use (purchased in country A, redeemed in B - if prohibited).

7) Crypto on/off-ramp

Licenses: in a number of countries, registrations/notifications are required to accept/pay out through crypto custodians/exchanges.
AML/sanctions: sanctions screening of addresses/exchanges, risk score analysis, SoF/SoW.

Volatility/FX: fixing the rate, disclosures in the offer, prohibitions on the "promise of profitability."

Withdrawal: payout only to addresses verified by the player; mixer/TOR ban.

Policies:
  • Limits and whitelists of exchanges/custodians, self-custody prohibition without KYC binding.
  • Disclosure: moment of rate fixing, network fees, blocking risks.

8) Sanctions, AML/KYC/KYB, SoF/SoW

Centralized sanctions and PEP screening for deposits and withdrawals is required.
KYC levels: method limits are tied to the verification level.
SoF/SoW: thresholds and checks for high-risk: large deposits, frequent withdrawals, RTP/crypto.
Transaction monitoring: velocity scenarios, geo-anomalies, account chains.

Policies:
  • Escalation to the MLRO on list hits/abnormal patterns.
  • Storage of screening evidence and audit decisions.

9) Data residency and privacy

PD/financial data storage may be required in a specific country/region.
Data export - SCC/similar mechanisms; DPIA for high-risk processing.
PCI DSS: PAN-safe, tokenization, prohibition of logging sensitive data.
Retention periods: separate for CCM/transactions/disputes.

Policies:
  • Data map: where personal data resides and who has access; masking in reports/logs.
  • DSAR and breach notification procedures within the prescribed time frames.

10) Taxes, currency controls, repatriation

VAT/GST for player services (if applicable), registration at the place of consumption.
Corporate taxes and Permanent Establishment risk in active local activities without LocalCo.
Repatriation: restrictions on withdrawing funds from the country, FX notices/licences.
Withholding on royalties/services between HQ and LocalCo - check DTT.

11) Tolerance matrix (example structure)

Create a table/data view in the wiki:

country, method_group (card/a2a/rtp/wallet/voucher/crypto),
merchant_role (MoR/agent/xb),
allowed (Y/N/Restricted),
local_entity_required (Y/N),
local_account_required (Y/N),
user_age_min,
user_residency_required (Y/N),
SCA_required (Y/N/partial),
refund_rules (to_source/credit_note/manual_return),
chargeback_model (card-like/local/arbitration/none),
sanctions_lists (local+global),
data_residency (Y/N/special),
notes (citations to internal policy)

This matrix is the source of truth for the deposit/withdrawal orchestrator and for compliance.

12) Control policies in the product

Gate at the checkout: 'country × method' matrix check; if Restricted - show alternatives.
Default refund-to-source (for cards/many wallets).
Name match on payouts (RTP/SEPA/ACH/crypto).
Age/Geo: hard block on minors/banned GEO (KYC > IP).
Descriptor preview and subscription policy (reminders/cancel-flow).
Disclosure of FX/instant promises/network fees.
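The checkout gate described in this section, driven by the matrix from section 11, as an added example that is not code from the original page. The column names come from the matrix; the function names, the country codes "AA"/"BB" and every row value are constructed placeholders, and offering alternatives on any block (not only on Restricted) is an assumption.

```python
from dataclasses import dataclass

# Constructed sample rows; keys follow the section 11 columns. Country codes
# and values are placeholders, not statements about any real jurisdiction.
MATRIX = {
    ("AA", "card"):   {"allowed": "Y", "local_entity_required": "Y", "user_age_min": 18},
    ("AA", "a2a"):    {"allowed": "Restricted", "local_entity_required": "Y", "user_age_min": 18},
    ("AA", "wallet"): {"allowed": "Y", "local_entity_required": "N", "user_age_min": 21},
    ("AA", "crypto"): {"allowed": "N", "local_entity_required": "N", "user_age_min": 18},
}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    alternatives: tuple = ()

def _row_blocks(row, age, has_local_entity):
    """Return the reason a matrix row blocks this attempt, or None if it passes."""
    if row["allowed"] != "Y":
        return "method_" + row["allowed"].lower()   # method_n / method_restricted
    if row["local_entity_required"] == "Y" and not has_local_entity:
        return "local_entity_required"
    if age < row["user_age_min"]:
        return "under_min_age"
    return None

def gate(kyc_country, method_group, age, has_local_entity, matrix=MATRIX):
    """Default-deny gate. kyc_country is the KYC-verified country, never a
    GEO-IP guess; a missing matrix row is a block, not a pass."""
    row = matrix.get((kyc_country, method_group))
    reason = "no_matrix_row" if row is None else _row_blocks(row, age, has_local_entity)
    if reason is None:
        return Decision(True, "ok")
    # Offer only methods that would pass for this same player.
    alts = tuple(sorted(
        m for (c, m), r in matrix.items()
        if c == kyc_country and m != method_group
        and _row_blocks(r, age, has_local_entity) is None))
    return Decision(False, reason, alts)
```

The returned `reason` maps directly onto the `allowed_flag` and `action` columns of the audit model in section 16, so blocked attempts can be logged with the rule that fired.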

13) Provider/bank onboarding: checklist

  • KYB package: charter/UBO/address/substance, AML/KYC policies/sanctions.
  • Use-case letter: description of the gambling service, MCC/methods, geo.
  • Target Market Licenses/Notifications.
  • Data & Security: PCI/SOC/ISO, data-map, DPA.
  • Refund/Chargeback procedures and contact matrix.
  • SLA: SCA/Webhook/Settlement/Reports, credits.
  • Testing/UAT: negative scenarios, idempotency, polling backup.

14) Operational playbooks

Regulator request: freeze on risky methods, export of the tolerance matrix, screening logs, offer/UX screenshots.
Sanctioned hit: block, MLRO escalation, report, evidence retention.
Disallowed method use: auto-refund/refusal, letter with alternatives, incident in the registry.
Data residency breach: source isolation, notifications, storage migration.

15) Compliance KPIs in the payment loop

Share of compliant methods at the cashier (by country).
Blocked attempts (policy)/turnover - not higher than the agreed range (signal to UX/localization).
Refund-to-source % (target ~ 100% where required).
Disallowed payout attempts (name mismatch/geo) - tends to 0.
Sanctions false positives - within the acceptable range; time-to-clear.
Regulatory incidents/quarter and penalties = 0.

16) Data and validation model (minimum)


tx_id, user_id, user_country, kyc_level, method_group, provider,
is_mor_local, is_local_account, allowed_flag,
sca_applied, refund_policy, chargeback_model,
sanctions_check_id, sanctions_result, pep_flag,
payout_name_match, data_residency_zone, storage_location,
created_ts, action (attempt/blocked/approved/refunded/paid_out)

SQL: block and violation monitor

```sql
SELECT
  DATE_TRUNC('day', created_ts) AS d, user_country, method_group,
  COUNT(*) FILTER (WHERE action='attempt' AND allowed_flag=false) AS blocked_attempts,
  COUNT(*) FILTER (WHERE action='approved' AND payout_name_match=false) AS name_mismatch_approved -- must be 0
FROM compliance_payments_audit
GROUP BY 1,2,3
ORDER BY d DESC;
```

17) Governance and policy updates

Single owner: Head of Compliance (with Payments).
Matrix versioning: each edit has a ticket, justification and effective date.
Change-notice: updates to counterparties/product, UX migration.
Quarterly review: selective audits of countries/methods, incident drills.

18) Frequent errors

Open method without local MoR/account when required.
Promise "instant" where the method is legally T + N or with windows.
Ignore refund-to-source and make "cross-method" returns.
Accept deposits from prohibited GEOs through proxies/wallets.
Store PD outside the permitted zone, log PAN/email without masking.
Do not have a name match policy and SoF/SoW cascades for large payouts.

Summary

The legal limits of payment methods are the rules of the game, not an option. Build a tolerance matrix, wire it into the deposit/withdrawal orchestrator, provide a sanctions/AML loop, refund-to-source, SCA/age/geo-controls and data governance. Then the portfolio of methods will expand legally, monetization metrics will grow, and the risk of blocks, fines and frozen funds will remain minimal.
