Gambling's payment stack has been repriced. Most operator reporting hasn't caught up.

Across eleven listed gambling operators, every one now discloses payment processor risk, but the depth varies widely enough that disclosure quality has become a useful, if imperfect, proxy for treasury maturity, counterparty exposure and underwriting friction. For payment companies pricing the next round of gambling acquiring relationships, that spread reads as more useful external intelligence than the average risk factor on its own.

Disclosure depth as a proxy signal

The most useful thing an investor, acquirer or counterparty can currently read about a gambling operator's payment risk is how the operator chooses to disclose it. This is an external-read signal, not a definitive measure of internal capability. Disclosure depth may indicate treasury and counterparty-management maturity; it may equally reflect counsel, audit treatment, listing venue (UK and EU issuers tend to disclose more granular risk language than US 10-K filers, regardless of the substance underneath), or board appetite for granular risk language. The signal measures what an operator will write down, not what it does in treasury. With those caveats stated, the spread across the sample is wide enough to be analytically useful, and it sorts the sector into recognisable tiers.

Across the eleven operators reviewed, every one discloses payment processor exposure in some form, though not always through a dedicated PSP risk factor distinct from broader operational, cybersecurity or external-services language. The presence of the risk factor is not the differentiator. The depth is: whether processor concentration is named, whether settlement and reserve mechanics are described, and whether a real loss is disclosed rather than a generic exposure. That depth has begun to function as an underwriting input, because acquirers pricing gambling merchants read these filings, and operators whose disclosure documents concentration and reserve mechanics give underwriters more to work with than those that leave it to inference.

Ceiling: explicit dependency-limitation policies

evoke anchors the ceiling. Its accounts categorise PSPs as intermediaries whose credit risk is that a processor "would fail to discharge its obligation with regard to the balance owed to the Group," and set out three concrete mitigations: the "shortest possible cash settlement intervals," "replacing rolling reserve requirements … with a Letter of Credit," and policies "to reduce dependency on any specific PSP and limit any concentration of risk." (evoke plc, FY2025 results.) Entain sits alongside it, the other operator with an explicit dependency-limitation policy and creditworthiness checks on critical suppliers; its FY2025 accounts disclose £120.3m held with payment service providers as part of "Other debt related items" in the net debt reconciliation, down from £136.8m at year-end 2024, and the PSP receivable is significant enough to feature as a key audit matter in PwC's audit report. (Entain plc, Annual Report 2025.)

Explicit concentration in plain terms

DraftKings, Bally's and Rush Street Interactive disclose concentration directly. DraftKings' FY2025 10-K opens its risk factor by stating it relies on "a limited number of third-party payment processors," discloses termination and non-renewal risk, and discloses that it has agreed to reimburse processors for card-network fines. (DraftKings Inc., Form 10-K FY2025, filed 13 February 2026.) Bally's states it will be "reliant on effective payment processing services from a limited number of providers in each of the markets in which we operate." (Bally's Corporation, Form 10-K/A FY2025.) RSI carries a dedicated PSP risk factor warning that if a payment processor "refuses to renew its agreement with us on commercially reasonable terms" the company may not be able to secure similar terms in a reasonable time frame. It also discloses a distinctive structural exposure in its related-party note: certain affiliated land-based casinos maintain the bank accounts that process customer cash deposits and withdrawals, with receivables from those affiliates of $19.9m at year-end 2025. RSI also discloses $31.3m in surety bonds securing customer cash, a $6.2m letter of credit for its Colombia operations, and a further $6.4m in surety bonds for jurisdictional regulatory requirements. (Rush Street Interactive, Inc., Form 10-K FY2025.) Penn Entertainment's audited financial statements add a hard number from a different angle: $80.1m in year-end 2025 receivables from "payment processors, credit card, and other advances to customers," down from $86.1m at year-end 2024. Penn is the only operator in the sample to put a balance-sheet figure on its PSP exposure that an external reader can use directly. (Penn Entertainment, Inc., Form 10-K FY2025, filed 26 February 2026.)

Middle: risk factor present, concentration unquantified

Super Group's FY2025 20-F is the most developed of the middle band: a detailed processor risk factor, the same card-network fine-reimbursement disclosure DraftKings makes, two further payment-access risk factors, and, unusually, a line naming payment processing as a cost lever, observing that regulation brings "increased taxation and compliance costs, offset by improvements in other costs of doing business such as payment processing." (Super Group (SGHC) Limited, Form 20-F FY2025.) Flutter and Betsson each disclose the dependency in real terms without quantifying it, with Flutter warning of "limited availability of alternative systems, particularly in light of recent consolidation in the financial services industry." (Flutter Entertainment plc, Form 10-K FY2025.) Penn and Zeal sit slightly below, with payment processor risk bundled into a broader external-services risk factor rather than carried as a dedicated PSP disclosure: Penn groups it with geolocation, identity verification and sports data; Zeal lists "IT infrastructure, cloud services, payment processing, communication services, platform access and interfaces to state lottery companies" together, warning that "cooperation will be restricted or terminated" only as a generic external-services scenario. (Zeal Network SE, Annual Report 2025.) The absence of a dedicated PSP risk factor is the giveaway in both cases, though Penn's $80.1m receivables figure noted above gives an external reader a balance-sheet anchor that Zeal's filing does not provide.

Thinner end

Boyd sits at the thinner end, addressing processors largely inside its cybersecurity and CCPA framing, with no concentration, settlement, reserve or loss disclosure. (Boyd Gaming Corporation, Form 10-K FY2025, filed 20 February 2026.) This is a lighter treatment of the same risk, and partly a function of US 10-K convention rather than a demonstrable management gap, but for a counterparty comparing across the sector, the operator that discloses less is the operator harder to assess from the outside.

Commercial consequence. Where disclosure runs deep, underwriting friction may be lower because the counterparty has more public evidence to work from. Where it is thin, the external reader must work harder, and the cost of that uncertainty can feed into pricing, reserves and due diligence.

The disclosed event: Bally's settlement-failure write-off

The most precisely quantified instance of payment counterparty risk on the public record sits in Bally's FY2024 accounts. In Q3 2024 Bally's recorded a $6.3m charge to reduce amounts due from a payment service provider after, in its own words, "the payment processer [sic] for certain online sports wagering deposits failed to capture and settle funds with patrons of the Company." It could not recover the full amount and wrote the receivable down. The charge appears as a discrete line, "Payment Service Provider write-off," $6,333 thousand, first in the Q3 2024 10-Q and the 6 November 2024 8-K, and carried into the FY2024 10-K. (Bally's Corporation, Form 8-K dated 6 November 2024; Q3 2024 Form 10-Q; Form 10-K FY2024.) In the same disclosure, Bally's recorded a $5.1m signing bonus from that same processor for agreeing to extend the relationship.

This is treated here as an operational and treasury-risk disclosure event, not a misconduct allegation. Nothing in the record suggests impropriety by either party, and none is implied. Bally's disclosed an operational loss and continued the commercial relationship; both are ordinary outcomes for a regulated operator absorbing a payment-stack failure. The analytical value lies in the precision of the disclosure: a discrete, audited line on the public record that quantifies the materiality of in-flight processor exposure for an operator at scale.

The wider operational backdrop is worth setting out, because it shapes how processor relationships look across the sector. Replacing a processor in a tier-one cashier stack is not a quarter's procurement; it is typically six to nine months of tokenisation mapping, fraud-rule recalibration, settlement-file alignment, chargeback and reconciliation integration, KYC handover, reserve negotiation and PCI re-scoping, competing for engineering resource against the product roadmap. For any operator that has absorbed a settlement failure, the switching cost is real and visible while the cost of staying is invisible until it isn't. Extension and renewal in such cases are commercial outcomes shaped by integration economics, not statements of confidence.

Commercial consequence. The disclosure also moves the floor for peers. Once one US-listed operator has booked a processor settlement failure as a discrete line item, auditors and the SEC have a reference point for reviewing comparable disclosures elsewhere. Operators with similar histories but lighter disclosure become more exposed to the question of why over time.

Concentration is structural, not chosen

The "limited number of processors" language several operators use reads like a reversible commercial choice. In a multi-jurisdictional licensed business it is closer to a constraint. Each licensed market specifies who may handle player funds: Banco Central-authorised institutions in Brazil, ADM-registered methods in Italy, the DGOJ list in Spain, AGCO-registered processors in Ontario. Every market entered adds a processor relationship that cannot be consolidated away. The "limited number" is the residue of licensed-market fragmentation, not a procurement preference.

There is also a concentration layer the filings miss. Operators may run eight to thirty PSPs in the cashier, but those PSPs route through a far smaller set of underlying acquirers and processors, which can share back-end infrastructure. An operator that believes it has diversified across a dozen PSPs may, at the processor layer, be materially more concentrated than its risk factor implies. The question a treasury function should ask is not how many PSPs, but how many processors, and what share of daily deposit flow each ultimately controls. No audited filing in the sample answers it.

Commercial consequence. Single-processor exposure measured at the underlying acquirer layer is the metric an audit committee should be asking for, and one that few operators are currently equipped to produce on demand.

Four pressures repricing the stack

Four developments in twelve months have raised the cost of carrying a poorly designed payment stack. Each is individually familiar; the analytical point is their combination, and where the official framing understates the operational reality.

Scheme monitoring, repriced

Visa's Acquirer Monitoring Programme consolidated the former fraud and dispute monitoring programmes into a single regime, with updated thresholds effective 1 June 2025 after an advisory period to 30 September 2025. Its ratio combines fraud and disputes over settled card-not-present transactions; portfolios are flagged "Above Standard" at 50 basis points and "Excessive" at 70, and the developed-market merchant threshold was cut from 220 to 150 basis points on 1 April 2026. (Visa, VAMP Fact Sheet 2025.) The commercial point is less the precise assessment schedule, which depends on scheme and acquirer documentation, than the architecture: a merchant’s fraud and dispute profile now feeds directly into the acquirer’s monitored portfolio position.

The architecture is what matters, and the "fraud reduction" framing understates it. Enforcement attaches to the acquirer, but the acquirer can only manage its ratio by managing the merchants in its book. The behavioural response, visible in acquirer commentary, is that acquirers servicing gambling re-tier their portfolios and ease marginal merchants toward the exit before the scheme intervenes, quietly, ahead of any rate-card change. The April 2026 threshold cut narrows the band a gambling merchant can occupy before it becomes its acquirer's problem.

UK notice reform, and its reporting tail

The Payment Services and Payment Accounts (Contract Termination) (Amendment) Regulations 2025 come into force on 28 April 2026. They amend the UK framework for payment-contract termination by extending minimum notice requirements and requiring more specific reasons for termination, subject to exceptions. The consumer-protection framing is accurate but partial.

For a UK remote gambling licensee, a change to the payment processors through which it accepts customer payments is also a key event reportable to the Gambling Commission under LCCP 15.2.1(8). The reporting obligation sits on the operator, not the PSP.

Localised payment perimeters

Brazil is the clearest current example. Its betting framework confines player deposits to authorised electronic rails, including Pix, TED, debit cards and prepaid cards, while barring cash, boletos, cryptoassets and other alternative deposit methods. The direction of travel is clear: payment architecture is becoming part of the licensing perimeter, not merely a cashier preference. Brazil is one instance of a pattern. Several regulated markets are moving toward payment perimeters the regulator specifies, so rail redundancy becomes a compliance requirement rather than a commercial preference, and cross-border flows are increasingly closed by architecture rather than choice.

Worldline, read precisely

Europe's largest payments group has reduced exposure to the high-brand-risk segment in which gambling sits. Its 2025 Universal Registration Document states that "since 2023, in connection with BaFin's investigation and decision, Worldline terminated a significant number of merchants in its HBR portfolio," affecting "merchants representing €130 million run rate revenue in 2024." (Worldline 2025 URD, Section D.)

On Worldline's own description, the underlying driver is an AML and financial-crime-controls matter, not a generic risk-appetite trim. The €130m followed Worldline's reinforcement of its risk-appetite policy in connection with the BaFin matter. Worldline describes the BaFin matter as resulting in a decision; the cited record does not establish findings of wrongdoing, and a separate Belgian investigation Worldline has referred to as concerning possible historic AML matters remains, on the available record, in progress with no published findings. Worldline frames the move as a strategic refocus on Europe. The most recent corporate-development signal is the completed divestment of the PaymentIQ orchestration platform to Incore Invest on 2 March 2026, together with Worldline’s broader disposal programme. The Pacific disposals are explicable on distance and scale alone and are weak evidence of a vertical retreat; the high-brand-risk offboarding, the gambling-relevant part, is not unique to Worldline. It fits a broader repricing of acquirer risk appetite that includes the post-Wirecard tightening across EU e-money and continuing supervisory scrutiny of e-money institutions in Europe. Worldline is the most-disclosed example of the pattern, not a singular one.

Commercial consequence. The four pressures reprice the stack from above, below, the geographic edge and the supplier level simultaneously. The combined effect raises the cost of a concentration the operator often cannot see, and was not previously priced to carry.

Why the rare-event argument misreads the risk

The counter-argument is that processor failures are rare enough to stay peripheral. It does not hold, on three grounds.

The supplier-side retreat is structural. Worldline's €130m offboarding was regulator-influenced, not a commercial dispute, and VAMP extends the same logic to every gambling merchant on an acquirer's book.

The largest operators already manage payment economics openly. On Flutter's Q2 2025 earnings call, CFO Rob Coldrake confirmed 90 basis points of US gross-margin benefit from "payment processing fees," attributed to deposit-to-handle improvement and "renegotiation of payment costs more broadly." (Flutter Entertainment, Q2 2025 earnings call, 7 August 2025.) The deposit-to-handle ratio is itself a friction measure (how much of an intended deposit completes), and on gambling card deposits, strong-customer-authentication challenge rates and MCC blocking make that conversion materially harder than in general e-commerce. The upside is a quantified management lever; the audited risk factor does not present it as evidence of a corresponding downside.

Changing the stack is genuinely hard. RSI's CEO Richard Schwartz described pioneering payment methods as "extraordinarily complicated," requiring engineering, compliance, operations "and every sort of partner" to align (RSI, Q3 2025 earnings call, 29 October 2025); a description of the multi-quarter integration programme that explains why operators carry concentration they would prefer not to.

Super Group attaches numbers to the cost. CEO Neal Menashe put African processing at "anything from 3% to 6%" of deposits, with the cost driven by a churn cycle in which customers "deposit, they cash out … redeposit … cash out," so the operator pays on the same money repeatedly. Its response is to build rather than renegotiate: a ZAR-pegged stablecoin, Super Coin, and a wallet due in South Africa around end-Q1 2026 to keep balances inside its ecosystem. (Super Group, Q3 2025 earnings call, 4 November 2025.) That an operator will build its own rails confirms processing cost is a managed variable, not a fixed input; the execution path runs through South African exchange control, FSCA oversight and FATF Travel Rule obligations simultaneously.

Commercial consequence. The largest operators treat payment economics as a P&L lever and have the data infrastructure to do so. The middle and lower tiers tend to treat it as a fixed input because they lack that infrastructure, and the asymmetry shows up in disclosure depth.

An exposure framework, and the infrastructure gap

The right analytical frame is exposure, not event: in-flight exposure × termination probability × recovery profile.

In-flight exposure is the value a processor holds at any moment: deposits, withdrawals, pending settlements, reserves, chargeback collateral. For an operator running daily volumes in the tens of millions, peak single-processor exposure can exceed audit materiality without appearing in any risk factor. Termination probability is no longer a tail event: acquirer category exits, VAMP monitoring, AML interventions and CDD-driven terminations all operate concurrently. Recovery profile is the question for the audit committee. The Bally's $6.3m is the disclosed event, the $5.1m bonus the disclosed offset. Whether that represents the floor of plausible or merely disclosed loss is operator-specific, and the answer should come from an operator's own chargeback and reserve history, not a sector average; there is no credible public baseline, and any number presented as one should be treated sceptically.

Many operators outside the largest tier may struggle to produce the single-processor deposit-share figure their boards should be asking for. The treasury and reconciliation infrastructure to measure in-flight exposure at peak, by processor, by market, in near real time is concentrated among the largest operators; the rest rely on processor-supplied reporting for visibility into their own flow. Asking the question is easy. Answering it requires infrastructure many have not built, which is itself a procurement brief, and a vendor opportunity in treasury, reconciliation and payment-data aggregation. The regulatory obligation is unambiguous even where the capability is not: UK gambling compliance advisers have repeatedly stressed that source-of-funds and CDD duties cannot be outsourced to payment partners. The test is whether an operator can demonstrate, not merely describe, that the question has been worked.

Commercial consequence. The capability gap is itself the supplier intelligence. Operators that cannot answer the in-flight exposure question are buyers of treasury, reconciliation and payment-data aggregation capability, whether they have issued the RFP yet or not.

What this means for each stakeholder

PSPs and specialist acquirers. The €130m Worldline has offboarded is, by definition, addressable, and one of the larger discrete redistribution opportunities on the public record. Incentive structure decides who pursues it. Generalist PSPs treat gambling as a portfolio-risk question, since it raises scheme-side reserve requirements across the whole book, the calculus that makes a Worldline-style retreat rational. Specialists with concentrated books treat it as core. Revenue flows toward specialists and toward generalists with the appetite to underwrite it, and the operators absorbing it fastest will be those whose disclosure already documents concentration and reserve mechanics, because their acquirers face less underwriting friction. The winning pitch leads on acceptance-rate uplift, settlement and reserve terms, not headline rate.

Payment orchestrators. The PaymentIQ divestment to Incore Invest, completed 2 March 2026, opens a contract-renegotiation and roadmap-review moment for operators with PaymentIQ in their stack. New ownership brings a new strategic thesis, and the gambling-vertical roadmap is among the first things any change of control is likely to prompt a review of. Operators are well advised to reopen the agreements this quarter, covering roadmap and integration-support commitments, API change-control notice, change-of-control protections and exit assistance. The broader category signal is positive for orchestration: orchestration value rises when operator stacks face higher counterparty turnover.

PAM and platform vendors. In many stacks the PAM and cashier are tightly integrated. Super Group's reliance on Apricot, the platform partner whose technology underpins its sportsbook product, is one visible case. A processor or orchestration change can therefore require PAM-level work, and a single platform-vendor decision can move a large volume of deposit flow. Orchestration does not sit cleanly between operator and processor; the PAM is in the way, and that is procurement intelligence platform vendors can use, both defensively in retention conversations and offensively in displacement opportunities created by acquirer churn.

Reconciliation and treasury infrastructure suppliers. The capability gap is the opportunity. Operators outside the largest tier typically cannot produce a single-processor deposit-share figure at peak, by processor, by market, in near real time, because they have not built the underlying reconciliation and aggregation infrastructure. Audit committees are beginning to ask for it; treasury and reconciliation vendors should be positioning against that demand now, not in twelve months.

Fraud and chargeback vendors. VAMP has converted dispute-rate management from a chargeback question into an acquirer-relationship question. Every basis point of disputed-transaction ratio is now an input into the acquirer's portfolio VAMP position, which feeds back into the operator's reserve terms and acquirer renewal economics. Vendors that can quantifiably reduce chargeback ratios have a sharper commercial story to tell than a year ago, and a more receptive operator audience.

Compliance teams. The consequence is concrete and recurring. Each processor change is a key-event filing under LCCP 15.2.1(8), an AML reassessment, a control-framework update and an audit-committee paper. Under the 90-day rule effective 28 April 2026, these arrive in clusters when an acquirer exits a category, and the Commission sees an earlier and more predictable flow of operator key-event notifications. The trajectory raises the burden further: the EU’s new AML framework brings a more harmonised rulebook for obliged entities from 2027, while PCI DSS 4.0 has changed the cost of being a compliant gambling processor. None of it dilutes operator accountability; "the processor handles it" is not a defence.

Operator CFOs and audit committees. At the next acquirer round the questions are no longer only about rate. They are the acquirer's own portfolio VAMP position, its appetite to hold the operator through a threshold breach, reserve and settlement terms, and dynamic-routing rights. Multi-year exclusivity and minimum-volume commitments in primary-acquirer contracts often penalise the diversification this analysis argues for, and should be examined at renewal against the cost of single-processor concentration. The 90-day rule lengthens contractual runway, but realistic tier-one migration still runs six to nine months and should be planned as such. An operator that cannot measure single-processor in-flight exposure should treat that as a capability to acquire: it is the precondition for answering the questions the risk environment now demands.

Questions for boards

Three questions follow from the documentary evidence for audit-committee chairs, group CFOs and heads of payments.

Can the operator measure its single-counterparty share of daily deposit flow, by processor rather than PSP, on a peak day, and if not, what would building that visibility cost? Has the finance function modelled a Bally's-style settlement failure on its own volumes, and what do the resulting exposure and recovery profile look like? And does the operator have genuine rail redundancy in markets that have consolidated to a regulatory perimeter, such as Brazil, or where the acquirer market has tightened, such as the post-SI 2025/688 UK, bearing in mind redundancy is a multi-quarter programme, not a procurement line?

The operators that can answer are likely the ones already disclosing the most. That is the analytical value of the disclosure gap: not a reporting curiosity but an external read on which operators have built the treasury visibility, priced the counterparty risk, and earned the underwriting confidence that the next phase of acquirer discipline is likely to reward, and which may discover their exposure only when a processor, a scheme or a regulator forces the question for them.

Methodology. This article reviews FY2025 public filings of eleven listed gambling operators (Bally's, Boyd Gaming, Betsson, DraftKings, Entain, evoke, Flutter, Penn Entertainment, Rush Street Interactive, Super Group and Zeal Network), together with the Worldline 2025 Universal Registration Document and selected earnings calls. Disclosure depth is treated here as an analytical signal that may indicate treasury and counterparty-management maturity, not as definitive proof of internal capability. Variation across the sample partly reflects jurisdiction, listing venue, counsel, audit treatment and reporting convention. The article focuses on what an external reader can infer from public documents, and acknowledges the limits of that exercise.

Disclosures. Document-based factual claims in this article are drawn from primary public sources cited inline, including annual reports, 10-K, 10-K/A and 20F filings, earnings call transcripts, regulatory publications and statutory instruments. Quotations have been checked against the relevant filings. Where the article discusses underwriting behaviour, procurement timelines, acquirer incentives or supplier opportunity, those passages should be read as author analysis based on the cited public record and sector context.

References to ongoing regulatory or prosecutorial matters, including the BaFin proceedings concerning Worldline's HBR portfolio and the Belgian investigation referenced in the article, describe matters in progress with no published findings. No wrongdoing is alleged against Worldline or any other named entity, and nothing in this article should be read as such an allegation.

The article distinguishes verified disclosure from author interpretation. Where the text characterises a disclosure as thinner, deeper, bundled or dedicated, those are editorial judgements based on the public record as at the draft date. Forward-looking observations, including those concerning regulator behaviour, acquirer conduct and scheme enforcement, reflect the author's analysis and not the views of any operator, processor, regulator or scheme.

Gaming Eminence has no commercial relationship with any of the entities named in this article that would influence the editorial assessment.

This article is analytical content intended for sophisticated industry readers. It is not investment, legal or commercial advice, and should not be relied upon as such. Readers are responsible for their own assessments and for taking their own professional advice. Comments and corrections to editor@gamingeminence.com.