Mastercard AN 5196 / SPME Manual §9.4.1
Published April 13, 2021; effective October 15, 2021. Now codified in Mastercard SPME Manual §9.4.1 (current edition: February 3, 2026). The February 2026 update extends coverage to AI-generated and synthetic adult imagery.
What AN 5196 requires
- Written agreements with all third-party uploaders, including provisions on written consent and identity/age verification of every depicted person
- Only permit uploads from verified content providers, functionally requires a creator KYC platform with government-ID verification (this is AN 5196's unique requirement vs. VIRP)
- Review all uploaded content prior to publication, hard pre-publication mandate, not after-the-fact moderation
- Full control over live streaming with real-time monitoring and an immediate kill-switch
- Any depicted person may appeal for content removal
- Complaint resolution within seven business days
- Monthly compliance reports to your acquirer, nil reports required even with no incidents
- Effective anti-trafficking policies (18 U.S.C. §§ 1591, 2421A)
- Acquirer may provide Mastercard with temporary credentials to view paywalled content on request
- Marketing and search terms must not suggest CSAM or non-consensual content
Penalties and mitigation
BRAM (Business Risk Assessment and Mitigation) non-compliance: up to $200,000 per violation. Fine mitigation of 75-100% is available when the merchant uses an approved Merchant Monitoring Solutions Provider (LegitScript, Austreme, G2 Web Services), Visa offers no equivalent mitigation program.
VIRP vs. AN 5196, what overlaps, what differs
Both require: Pre-publication moderation, performer verification, written consent, 7-day complaint resolution, monthly acquirer reports, appeal rights, anti-trafficking policies.
AN 5196 uniquely requires: "Only verified content providers", which mandates a creator KYC platform.
VIRP uniquely requires: Named consumer-facing age-verification vendor; banned-uploader identity persistence across re-registration attempts.
Build your compliance program to the more stringent element of each requirement. A single program can satisfy both if structured correctly.






