Last updated: October 2025

Selling CBD, vape, supplements, peptides, or alcohol on Shopify UK? PayPal restricts or bans many legal product categories through automated systems that don't distinguish between compliant and non-compliant merchants. Here's what's allowed, what triggers holds, and where Pay by Bank via Fena provides a stable alternative.

PayPal's restrictions aren't about UK legality — they're about its own risk classification

The most important thing to understand about PayPal's treatment of high-risk product categories in the UK is that legality under UK law and acceptability under PayPal's policies are not the same thing. A business can be fully compliant with MHRA guidance, FSA novel food requirements, Trading Standards requirements, and every relevant UK regulatory framework — and still have its PayPal account frozen or permanently limited because its products fall within PayPal's internal risk classification.

This distinction matters because it changes what can actually be done about it. If the problem were UK regulatory non-compliance, the solution would be compliance. But the problem is often PayPal's automated risk scoring — which uses keyword detection, product imagery analysis, and category heuristics to flag accounts based on patterns associated with higher-risk sellers, regardless of whether an individual merchant's operation is well-run and compliant.

This guide explains how PayPal classifies high-risk products in the UK, which categories are allowed, restricted, or prohibited under its policies, why false positives are common, how to reduce the risk of account action, and where Pay by Bank via Fena provides a structurally more stable payment infrastructure for merchants in these categories.

Quick summary

• PayPal's risk classification operates at two levels: product category risk (elevated scrutiny on specific categories regardless of individual merchant compliance) and merchant-level risk (based on fulfilment patterns, documentation quality, dispute rates, and catalogue changes)

• Many legal UK products — CBD with compliant THC levels, research peptides, vape products, alcohol, supplements with specific claims — are classified as restricted or monitored, meaning they require additional documentation and compliance controls to avoid account action

• Some products are outright prohibited — controlled substances, high-THC cannabis, prescription drugs, and certain items associated with regulated pharmaceutical activity — and accounts selling these face immediate and typically irreversible limitations

• False positives are common: legal products get flagged through keyword scanning and imagery analysis, creating account holds for compliant merchants

• The most effective mitigations are clean, compliant product labelling, published certificates of analysis, age verification, and stable fulfilment patterns

• Pay by Bank via Fena is available to UK merchants in categories that PayPal restricts or prohibits, because it uses open banking infrastructure rather than PayPal's card-network-based risk classification

How PayPal's risk classification works

PayPal evaluates merchant risk on two levels simultaneously.

Product-level risk.

Certain product categories carry elevated regulatory exposure, historically higher chargeback rates, or ambiguous intended use — and PayPal applies category-level scrutiny regardless of individual merchant compliance. A merchant selling research peptides in full compliance with UK food supplement regulations is in the same category as a non-compliant one from PayPal's automated perspective. The automated system doesn't perform the compliance assessment a human reviewer would.

Merchant-level risk.

On top of category risk, PayPal's systems also monitor individual merchant behaviour: fulfilment consistency and dispute patterns, quality and completeness of KYB documentation, changes in catalogue composition or order volume, and the alignment between product descriptions and what's actually delivered. Merchants who perform well on all of these dimensions reduce their risk exposure, but they don't eliminate the category-level scrutiny that comes with the product type.

The result is that even well-run, fully compliant merchants in high-scrutiny categories are operating with a structurally elevated risk of account action that wouldn't apply to merchants in lower-scrutiny categories.

PayPal's product classification for UK merchants: allowed, restricted, prohibited

Allowed but monitored.

These are product categories PayPal permits but flags for elevated review. Basic vitamins, minerals, protein powders, creatine, and standard food supplements without specific health claims fall in this category. The risk of account action is lower than for more scrutinised categories, but it increases significantly if product descriptions include medical-style claims, experimental ingredients, or pharmaceutical packaging and presentation.

Restricted — allowed with conditions.

These categories are legal to sell through PayPal but subject to compliance controls and documentation requirements. The specific conditions vary by category:

CBD products with compliant THC levels are permitted in principle, but require certificates of analysis demonstrating compliance, absence of therapeutic claims, and in practice are frequently flagged despite meeting these requirements because CBD-adjacent keywords trigger automated review. Missing COAs or any language implying medicinal benefit creates immediate hold risk.

Alcohol is permitted with age verification. Inadequate age-gating — including checkout-level controls that PayPal considers insufficient — creates restriction risk. The age verification standard required isn't always clearly communicated.

Vape and nicotine products are restricted due to age restriction requirements and elevated dispute rates. Complete age verification implementation, TPD-compliant product specifications, and absence of health claims reduce risk but don't eliminate it.

Research peptides occupy a genuinely difficult position within PayPal's classification. They are legal in the UK when sold for research purposes with appropriate intended use statements. However, PayPal's automated systems frequently misclassify them as prescription pharmaceuticals or controlled substances — particularly when product descriptions include compound names that appear in pharmaceutical contexts, or when product presentation resembles pharmaceutical packaging.

Prohibited — automatic holds and bans.

These categories trigger immediate limitations that are typically irreversible. Controlled substances, prescription drugs, products containing THC above legal limits, SARMs or peptides marketed explicitly for human consumption with dosing instructions, tobacco leaf, weapons, and any product that violates PayPal's Acceptable Use Policy are in this category. Appeals for prohibited category limitations rarely succeed because they fall within PayPal's core policy boundaries rather than being misclassifications.

Why false positives happen — and why they're common

The majority of account holds for compliant high-risk merchants are false positives — accounts correctly operating within UK law that are flagged by automated systems that don't perform legal assessment.

PayPal's automated risk systems scan product names, descriptions, ingredient lists, and product imagery using keyword detection and pattern matching. The systems look for associations with higher-risk patterns — phrases common in pharmaceutical contexts, terminology associated with controlled substances, packaging that resembles medical products, or ingredient names that appear in both legal supplements and controlled substances.

The problem is that these associations are not the same as violations. A legal peptide has a compound name that also appears in pharmaceutical literature. A compliant CBD product uses terminology adjacent to cannabis. A legal vape product uses language associated with nicotine and tobacco. The automated system can't distinguish between the compliant and non-compliant use of these terms, so it flags both.

Examples of common false positives reported by UK merchants:

Legal research peptides flagged as prescription pharmaceuticals because compound names match pharmaceutical drug names. Compliant CBD products flagged as cannabis derivatives with excessive THC because CBD and THC terminology appears together in product information. Vitamin and mineral supplements flagged as steroids or performance-enhancing drugs because of phrases like "supports muscle function" or "enhances physical performance." Vape products flagged due to terminology overlap with cannabis vaping. Legal alcohol held because checkout age verification was present but not implemented in the specific format PayPal's systems recognise.

In each case, the merchant was operating legally. The flag was an automated error, not a compliance violation.

Early warning signs before a PayPal account action

PayPal account limitations rarely appear entirely without warning. Merchants who are alert to the following signals have time to respond before a full freeze:

An elevated proportion of transactions marked as pending without clear reason. Requests from PayPal for updated KYB or KYC documents, supplier invoices, or product documentation. Notifications referencing acceptable use policy concerns without specifics on what triggered them. Rolling reserves being increased without a clear explanation tied to specific account activity. Conversion drops on orders being routed through PayPal, which can indicate internal transaction reviews causing payment failures before the merchant is explicitly notified.

Each of these signals is an opportunity to respond proactively — completing documentation, reviewing product descriptions for automated flag risks, and ensuring compliance evidence is current and accessible.

What actually reduces PayPal account risk for high-risk merchants

Product labelling and description hygiene.

The single most effective mitigation for false positives is ensuring product descriptions avoid the specific language patterns that trigger automated flagging, while remaining accurate and compliant. This means: avoiding medical claims unless specifically authorised, keeping intended use statements prominent and unambiguous ("for research use only," "food supplement — not intended to diagnose, treat, cure, or prevent any disease"), and not using pharmaceutical-style dosing instructions for products not intended for human therapeutic use. For peptides specifically, intended use framing is particularly important.

Complete and current documentation.

Certificates of Analysis should be available and current for CBD, supplement, and peptide products — ideally linked directly from product pages or accessible to anyone reviewing the account. Supplier verification documentation, business registration evidence, and any relevant compliance certificates should be maintained and current.

Implemented age verification.

For alcohol and vape products, age verification is a documented requirement. For supplements and other categories, age verification reduces the risk of claims involving minors and strengthens the overall compliance posture of the account.

Stable catalogue and volume management.

Sudden additions of new high-scrutiny products, rapid category expansion, or significant volume spikes all increase the probability of automated review triggers. Adding new products gradually and monitoring account status closely during volume increases reduces this risk.

Fulfilment reliability.

High-risk merchants face a disproportionate consequence from delivery issues — a dispute for an ordinary merchant is a dispute; for a high-risk merchant it's a data point that moves the account-level risk score. Using tracked shipping on all orders, dispatching promptly, and maintaining complete fulfilment records provides evidence for dispute resolution and demonstrates the operational reliability that reduces automated risk scoring.

When to reduce PayPal dependency — and when to remove it entirely

For merchants in the restricted and monitored categories, the question isn't whether to use PayPal but how much of their payment volume to route through it.

Signs that PayPal dependency has become operationally risky: any documentation request or policy notification has been received; a rolling reserve has been applied; new high-scrutiny products have been added to the catalogue; dispute or refund rates have risen recently; PayPal accounts for more than 30% of total revenue. At these signals, reducing PayPal's share of payment volume is the prudent step.

For merchants who have received a formal account limitation, who operate in categories that PayPal has restricted repeatedly despite compliance, or whose business model requires reliable same-day settlement that rolling reserves prevent, removing PayPal as a primary method and replacing it with alternative payment infrastructure is the more stable long-term position.

Where Pay by Bank via Fena provides a stable alternative

Pay by Bank via Fena is available to UK merchants in product categories that PayPal restricts or prohibits, because it operates on a fundamentally different infrastructure.

Pay by Bank uses UK open banking payment rails — FCA-regulated, bank-to-bank, without card network intermediaries. Because PayPal's category restrictions flow from PayPal's own risk policies and card network acceptable use policies, they don't apply to the open banking payment model. Fena's eligibility criteria are based on whether the merchant operates legally in the UK and meets Fena's compliance requirements — not on categorical equivalents of PayPal's restricted product list.

For merchants in CBD, vape, supplements, alcohol, research peptides, and adult products who have experienced PayPal account action or who want to reduce their exposure before it occurs, Pay by Bank via Fena provides:

Same-day or instant settlement with no rolling reserves — the reserve model exists to buffer against chargebacks, which don't exist in Pay by Bank. No chargebacks — because Pay by Bank doesn't go through card networks, the card dispute mechanism doesn't apply. No false positive category flags from automated keyword detection — Fena's compliance assessment is based on legal UK operation, not pattern matching against pharmaceutical terminology. FCA-authorised infrastructure — the payment system operates under UK financial regulation rather than PayPal's internal policies.

Fena's integration adds Pay by Bank as a Shopify checkout option alongside any existing payment methods, allowing merchants to retain PayPal for the customer segments where it converts well while routing the balance of volume — particularly UK bank account customers — through a more stable, lower-cost payment infrastructure.

Frequently asked questions

Why does PayPal restrict legal UK products like CBD or peptides?

PayPal's restrictions are driven by its own Acceptable Use Policy and internal risk models, not by UK law. Legal products fall within these restrictions when they match automated risk patterns associated with higher chargeback rates, regulatory ambiguity, or misuse potential — regardless of individual merchant compliance.

Are research peptides allowed on PayPal in the UK?

With significant qualification. PayPal permits research peptides when sold with compliant intended use statements ("for research use only") and without dosing instructions or language implying human therapeutic use. In practice, many compliant peptide merchants experience account holds because automated systems flag compound names or product presentation as resembling pharmaceutical products.

Does PayPal allow CBD products in the UK?

Yes, under specific conditions: compliant THC levels, published certificates of analysis, and absence of therapeutic claims. Missing any of these — or including language that implies medicinal benefit — commonly triggers review or holds.

Why do vape and alcohol merchants experience frequent PayPal freezes?

These categories require robust age verification and carry elevated dispute rates due to the nature of the products. Any gap in the age verification implementation, or any documentation issue, can trigger automated flagging that leads to account action.

Can a PayPal limitation for high-risk products be appealed?

Appeals succeed most often when the limitation is a genuine misclassification — where the product doesn't actually fall within PayPal's restricted categories and the automated system made an error. For merchants whose products sit within the restricted category definition, PayPal's Acceptable Use Policy applies and appeals are less likely to succeed.

Does Pay by Bank via Fena accept product categories that PayPal restricts?

Yes, for products that are legal in the UK. Pay by Bank via Fena is available to merchants selling supplements, CBD, vape products, alcohol, research peptides, and adult products, provided they operate legally and meet Fena's compliance requirements. The card network category restrictions and PayPal's Acceptable Use Policy don't apply to open banking payment infrastructure.

What's the most effective way to reduce PayPal account risk for high-risk merchants?

Clean product labelling without medical claims, published COAs and supplier documentation, implemented age verification, stable catalogue growth rather than sudden SKU expansion, and reliable fulfilment with tracked shipping. These measures reduce the probability of automated flags, but don't eliminate the underlying category risk — which is why payment diversification to include Pay by Bank is the recommended long-term strategy.