Papaya Ltd and Blackcatcard Compliance Under Scrutiny

Papaya Ltd and Blackcatcard: When compliance explanations raise more questions than they answer!

Papaya Ltd presents itself as a tightly regulated Electronic Money Institution, operating in a complex payments environment that includes iGaming operators, crypto on-ramps and non-card payment rails. On paper, the company stresses robust governance, layered compliance controls and strong oversight at board level.

Yet when the company recently responded on the record to detailed questions from Malta Media, the answers themselves became part of the story.

This article does not allege wrongdoing. It sets out what Papaya has stated, examines whether those explanations are internally coherent and considers why regulators, counterparties and consumers may reasonably ask further questions.

Why this article has not been written lightly

Before addressing substance, context matters. Papaya Ltd has previously taken legal steps to suppress reporting, including actions directed at Times of Malta. That history alone imposes a higher standard of care on any publication examining the company. It also explains why this article has not been rushed, sensationalised or framed as an accusation.

No article was drafted before Papaya provided detailed answers. Those answers are incorporated throughout this piece, sometimes at length, because a company’s own words deserve to be seen and tested in context.

This article is therefore built around one central question: when a regulated entity offers comprehensive compliance explanations, do those explanations resolve the issues raised or do they invite closer scrutiny?

The LinkedIn messages and the hacking explanation

The trigger for this exchange was a series of LinkedIn messages promoting Papaya and Blackcatcard services to operators. The messages referenced topics such as bypassing friction, reducing chargebacks, faster withdrawals and crypto to fiat flows.

Papaya’s response was clear. The messages, the company says, did not originate from an authorised campaign. According to the Chief Compliance Officer, a colleague’s personal LinkedIn account was subject to unauthorised access. The account was then used to send messages without the employee’s knowledge or approval. Access was secured and internal controls were tightened.

On a purely factual level, this explanation exists on the record and must be taken as such. No external evidence has been presented that directly contradicts it.

At the same time, it is not unreasonable to ask whether this explanation aligns with how account compromises typically manifest in practice. A hostile actor seeking to harm a company would normally publish content that damages reputation, exposes wrongdoing or causes disruption. Promotional outreach that advances the company’s commercial interests is an unusual choice of weapon if the objective is sabotage.

That observation does not imply fabrication. It simply highlights why regulators often look beyond explanations and assess plausibility alongside process and outcome.

Marketing controls versus messaging outcomes

Papaya underlines that it does not alter, mask or reroute merchant category codes. It states that all external communications are subject to compliance sign-off and that prohibited claims are tracked through internal lexicons, sampling, takedown procedures and disciplinary escalation.

If those structures are as robust as described, a reasonable follow-up question arises. How did multiple messages containing high-risk phrasing circulate to third parties in the first place, even through a personal account?

Again, this is not a conclusion of breach. It is a question of coherence between controls described and outcomes observed. Regulators tend to examine precisely that gap. Controls are judged not by their existence, but by whether they prevent foreseeable risks from materialising.

Non-card rails and consumer understanding

A substantial portion of Papaya’s response focuses on account-to-account and open-banking payments. The company explains, correctly, that such payments do not involve card chargebacks, but that PSD2 protections still apply. It describes recall procedures, SEPA frameworks, liability allocation and timelines for complaint resolution.

What remains less clear is how prominently these distinctions are conveyed to users at the point of transaction. For consumers and small operators, the difference between a card payment and a push payment is not merely technical. It determines whether funds can be clawed back quickly or are effectively final.

From a consumer-protection perspective, transparency around that distinction is not a minor issue. It is central to informed consent. Whether Papaya’s disclosures are sufficient is a question that sits squarely within regulatory scrutiny rather than journalistic judgment.

Crypto adjacency without crypto responsibility

Papaya repeatedly stresses that it is not a crypto-asset service provider. Crypto functionality, it says, is delivered exclusively by licensed third-party CASPs. Papaya’s role begins only once fiat proceeds are credited as e-money.

This structure may be formally correct. It is also structurally common.

However, from an AML and consumer-risk perspective, separation on paper does not always mean separation in perception. Users experience a single branded ecosystem. When crypto is converted to fiat and quickly moved through e-money accounts, questions naturally arise about traceability, return-to-source discipline and layering risk.

Papaya states that its default policy is return-to-source and that divergences are risk-assessed and restricted. That statement is important. It is also precisely the sort of claim that regulators typically validate through transaction testing rather than accepting at face value.

Complaints, Arbiter decisions and performance claims

Papaya’s response highlights improvements following past decisions by the Office of the Arbiter for Financial Services. The company cites a 92 percent reduction in complaint volumes and notes that most published cases have been decided in its favour.

These statements may be accurate. They may also be incomplete without context.

Complaint volumes can fall for many reasons, including changes in onboarding, account closures or stricter controls that reduce transaction activity. Positive outcomes in individual Arbiter cases do not negate the relevance of systemic issues that led to complaints in the first place.

The key issue is not whether Papaya has improved. The issue is how such improvements are measured, verified and communicated, particularly when legal or supervisory processes remain unresolved elsewhere.

Governance, filings and structural visibility

Public records show interconnected entities, overlapping directors and offshore elements within the wider Papaya structure. None of this is inherently improper. It is common in international fintech.

At the same time, delayed financial filings, absence of an appointed auditor at registry level and concentration of ownership inevitably invite questions. This is especially true when the operating entity holds a financial licence and deals with customer funds.

These are matters of governance and transparency, not allegations of misconduct. They are also matters that regulators exist to assess more thoroughly than any publication can.

The broader question of regulatory confidence

Taken individually, each explanation offered by Papaya can be read as plausible. Taken together, they paint a picture of a company operating at the edge of multiple risk frameworks, relying heavily on internal controls, third-party relationships and post-incident remediation.

That does not make Papaya unique. It does, however, make the company an obvious candidate for continued regulatory attention.

This article does not seek to resolve those questions. It documents why they exist.

Our Final Thoughts and Conclusion

Papaya Ltd has engaged with Malta Media. It provided comprehensive answers through its Chief Compliance Officer. That willingness to respond is positive and should be recognised.

At the same time, effective compliance is not judged by the length or sophistication of explanations. It is judged by outcomes, internal coherence and whether reasonable third parties remain confident after those explanations are given.

The LinkedIn incident, the structure of marketing controls, the interface between crypto and e-money, the handling of consumer redress and the visibility of governance structures all remain areas where further clarification would benefit not only journalists, but regulators and counterparties as well.

This article has deliberately avoided conclusions of wrongdoing. It does not accuse. It does not speculate. It sets out why scrutiny continues and why dialogue matters.

Malta Media remains open to meeting Papaya’s leadership in person. Constructive engagement is still possible. It may also be preferable to litigation and silence. Sometimes the most responsible form of investigative journalism is not to shout, but to ask whether the answers given truly settle the questions raised.

FAQs

What is Papaya Ltd and what services does it offer?
Papaya Ltd is a regulated Electronic Money Institution providing payment solutions, including account-to-account transfers, open banking and services for iGaming operators.

Did Papaya Ltd face issues with LinkedIn messages promoting its services?
Yes, unauthorised LinkedIn messages promoting Papaya and Blackcatcard services were sent via a compromised employee account, which the company later secured.

Does Papaya Ltd provide crypto services directly?
No, Papaya Ltd is not a crypto-asset service provider. Crypto transactions are handled by licensed third-party CASPs, with Papaya processing fiat proceeds as e-money.

How does Papaya handle consumer complaints and disputes?
The company reports improvements following decisions by the Office of the Arbiter for Financial Services, including a 92% reduction in complaint volumes, alongside clear processes for complaint resolution.

What controls are in place for Papaya’s marketing and messaging?
Papaya states all communications undergo compliance sign-off, with internal lexicons, sampling, takedown procedures and disciplinary escalation for prohibited claims.

How transparent is Papaya about non-card payment risks?
Papaya explains account-to-account and open-banking payment protections under PSD2, but the visibility of these distinctions to users at transaction points may require additional clarity.

Are there concerns about Papaya’s governance structure?
Public records show interconnected entities, overlapping directors and offshore elements, which are legal but can raise questions about transparency and delayed filings.

Has Papaya engaged constructively with media and regulators?
Yes, Papaya has provided detailed on-the-record responses through its Chief Compliance Officer and is open to further dialogue to clarify compliance questions.

Does Papaya’s explanation resolve all regulatory and consumer concerns?
While explanations are plausible, questions about internal coherence, risk management and consumer transparency suggest continued scrutiny may be required.

What is the key takeaway about Papaya and Blackcatcard compliance?
The company demonstrates a structured compliance framework, but real-world outcomes, internal coherence and transparency ultimately determine regulatory confidence.

 

Legal disclaimer

This article is published by Malta Media for journalistic and public interest purposes concerning regulatory, governance and consumer protection issues within the financial services sector.

All statements of fact are derived from publicly available records, company filings or on-the-record correspondence provided directly by the companies or individuals referenced. Any interpretation, commentary or opinion expressed is clearly identified as such and is based solely on those disclosed materials.

Nothing in this article alleges or asserts criminal conduct, regulatory breach, fraud, dishonesty or unlawful activity by any individual or corporate entity. References to regulatory actions, administrative measures, complaints or proceedings are included for contextual reporting only and do not imply liability, fault or outcome.

All parties mentioned were offered an opportunity to respond prior to publication and responses received have been reflected fairly. This article is published in good faith and is not intended to defame, misrepresent or harm the reputation of any person or organisation.

With nearly 30 years in corporate services and investigative journalism, I head TRIDER.UK, specializing in deep-dive research into gaming and finance. As Editor of Malta Media, I deliver sharp investigative coverage of iGaming and financial services. My experience also includes leading corporate formations and navigating complex international business structures.