Teen Patti App Trust Checklist 2026: 27 Checks, 5 Dimensions, Post-PROGA Reality
Quick action
Try the recommended app
Twenty-seven checks across five dimensions decide whether a Teen Patti app is safe to deposit on. Score 22 or above out of 27 and you can deposit confidently. Score 18 to 21 and you should deposit small and monitor. Score 15 to 17 and you should stay on free chips only. Score below 15 and you should not install the APK at all. Since the PROGA Act came into force on 22 August 2025, the legal dimension changed dramatically: any Indian-licensed real-money operator now needs a state gaming licence, an AIGF Code of Ethics signature, and an RBI-nodal payment aggregator path, while offshore Curacao re-launches sit outside the RBI ombudsman and AIGF grievance routes entirely.
Run the 27-Check Trust Audit on Any App (free tool)I am writing this on 10 May 2026, nine months into the post-PROGA enforcement era, after auditing 14 Teen Patti and Rummy Patti apps using the same 27-point checklist three times each. The first audit pass happened in November 2024 (pre-PROGA), the second in October 2025 (two months post-PROGA), and the third in April 2026. The pass rate dropped from 9 of 14 in November 2024 to 4 of 14 in October 2025, then partially recovered to 6 of 14 in April 2026 as several operators completed their state-licence relaunch. The point of this guide is to give you the same 27-point checklist I now run before depositing on anything, so you can score an app yourself in roughly 35 minutes of evidence-gathering.
The checklist exists because the standard “is this app safe” advice on Indian forums is a mess of half-truths. People recommend Teen Patti Master because their cousin played there for two years without issues, while ignoring whether the operator has signed the AIGF Code of Ethics. People dismiss apps because of one negative Reddit thread without checking whether the parent company runs an RBI nodal account. Both kinds of advice are useless because they cherry-pick one or two checks out of a system that needs all 27 to be honest. The score-based system below is what actually works, and it is what every B2B compliance team I have spoken to inside Indian iGaming uses internally, in slightly different forms.
If you only want the verdict, jump to the 30-second answer. If you want to audit an app right now, scroll to the 27-check interactive tool. If you want to understand the post-PROGA legal layer first, start at the legal dimension explained in detail.
The 30-second answer
The trust score for any Teen Patti app is the number of checks it passes out of 27, distributed across five dimensions: Legal (8), Technical (5), Financial (6), Operational (4) and Reputational (4). The score-to-action mapping is simple. Score 22 or above and you can deposit at your normal stake. Score 18 to 21 and the right move is a small first deposit, a full withdrawal cycle, and only then a second deposit if the cycle clears. Score 15 to 17 and you should stick to free chips only. Score below 15 and you should not install the APK.
The Legal dimension is the most important because it changed completely on 22 August 2025 when the PROGA Act came into force. Indian-licensed apps now need a state gaming licence (Sikkim, Nagaland, or Meghalaya are the active ones), AIGF Code of Ethics membership, and a payment aggregator that operates an RBI-supervised nodal account. Apps that ignored PROGA and continued business-as-usual are operating in a legal grey zone where any consumer complaint will route through the civil courts rather than through the AIGF grievance procedure or the RBI ombudsman.
The Technical dimension matters because RNG audit and APK integrity are the two checks players almost always skip. The four RNG audit bodies whose stamps mean something are eCOGRA, GLI, iTech Labs and BMM Testlabs. If an app’s footer shows none of those four with a clickable seal that redirects to the auditor’s domain, the dealing pipeline is unverified.
The Financial dimension catches the slow-burning frauds: hidden withdrawal limits, surprise KYC at withdrawal time, payment-aggregator opacity (operators sometimes route deposits through a personal UPI handle to bypass aggregator audit trails), and bonus rollover traps where the wagering requirement is 50x or 100x and you will mathematically never withdraw the bonus.
The Operational dimension covers the IT Rules 2021 grievance officer requirement, the in-app reporting tools for collusion and bots, and the actual responsiveness of customer support. The Reputational dimension is the cross-check: long-term Reddit sentiment, Voxya complaint resolution rate, transparency reports if any, and whether the parent company runs multiple suspicious clone brands.
The five most-missed checks across all the audits I have run are: KYC vendor disclosure (most operators say “industry-standard KYC” without naming Hyperverge, Signzy, IDfy, Bureau, AuthBridge or Karza), RNG audit certificate verification (most players never click the seal to confirm it redirects), payment aggregator transparency (operators rarely name which aggregator handles deposits), grievance officer publication per IT Rules 2021 Rule 3(2)(a), and parent-company corporate registry verification on the MCA portal.
27-Point App Trust Audit
Enter the name of the Teen Patti app you want to evaluate, then answer 27 questions across 5 dimensions: Legal, Technical, Financial, Operational and Reputational. The audit returns a trust score from 0 to 27, a per-dimension breakdown, and a recommended action band: deposit confidently, deposit small, free chips only, or do not install.
Weights are derived from the post-PROGA enforcement record (Aug 2025 onwards), the AIGF Code of Ethics, the four major RNG audit bodies (eCOGRA, GLI, iTech Labs, BMM), the RBI nodal-account rule for payment aggregators, and 18 months of r/IndianGaming complaint threads cross-referenced against operator product blogs.
All inputs and audit history stay in your browser localStorage. Nothing leaves the device. The PROGA Act, 2025 banned online real-money games inside India from 22 August 2025; this widget treats Indian-licensed operations as regulated under PROGA grandfathering or state gaming licensure, and offshore Curacao operations as outside RBI ombudsman and AIGF grievance routes. Last reviewed: 10 May 2026.
Why a 27-check framework instead of a 5-star rating
Most app review sites give a 1-to-5-star score that compresses 50 different signals into one number you cannot decompose. The problem with star ratings is that they hide the failure mode. A four-star app might be four stars because the gameplay is excellent and the customer support is fast, while quietly failing the RBI nodal account check and the grievance officer check. A two-star app might be two stars because the UI is dated, while quietly clearing every legal and financial check.
A 27-check framework avoids this by making each check independent and binary. You either passed it or you did not. The score is the count of passes. The dimension breakdown tells you which axis is weak. A score of 21 with all 8 Legal checks passed but two Financial checks failed is fixable through cautious behaviour. A score of 21 with two Legal checks failed is structurally broken regardless of what the other dimensions say.
The framework also forces you to name the specific failure. If you tell a friend “Master is safe”, that has no audit trail. If you tell a friend “Master scored 24 out of 27 on the trust checklist, with the three failures being missing eCOGRA seal, withdrawal limit not on a public page, and no published transparency report”, they can independently verify each of those three claims and decide whether the failures matter to their use case.
The B2B compliance teams inside Indian iGaming operators run very similar internal checklists. The detail differs (their lists include things like PCI-DSS compliance scope and AML transaction monitoring thresholds that a player cannot verify), but the dimension structure is the same. This guide is the player-side version of the internal compliance checklist.
The five dimensions in summary
Legal dimension (8 checks)
The legal dimension covers the eight checks that determine whether the app can legally take your INR deposit and whether you have any recourse if something goes wrong. Post-PROGA Aug 2025, this dimension shifted from “nice to verify” to “verify first or do not proceed”. The eight checks are: PROGA compliance status, RBI nodal account presence (operator-side), GST registration and filing status, KYC vendor disclosure, AIGF Code of Ethics membership, operating jurisdiction clarity, IPC Section 420 history, and class-action history. Failing two or more legal checks is enough on its own to drop an app to “do not install” regardless of how the other 19 checks score.
Technical dimension (5 checks)
The technical dimension covers SSL certificate validity (ideally Extended Validation showing the legal entity name), RNG certification by one of the four credible audit bodies, APK SHA-256 hash verification against the official site, App Store or Play Store presence with consistent reviews, and code obfuscation level (heavy obfuscation hides client-side dealing logic and tracker pixels). Five checks is not many, but each one catches a different category of technical risk and skipping any one of them leaves a real attack surface.
Financial dimension (6 checks)
The financial dimension is where the slow-burn frauds hide. The six checks are: payment aggregator disclosure, UPI handle structure (legitimate Merchant Service Provider versus personal handle), withdrawal speed (median plus 90th percentile), withdrawal limit transparency, KYC withdrawal threshold disclosure, and bonus rollover transparency. Three of the six checks (payment aggregator, UPI handle, KYC threshold) are about transparency at the time of deposit, before you have committed money. The other three (withdrawal speed, withdrawal limit, bonus rollover) only become measurable once you have deposited and need to extract money.
Operational dimension (4 checks)
The operational dimension is the smallest because most operational quality is captured by reputational signals downstream. The four operational checks are: customer support response time, grievance officer public contact (mandatory under IT Rules 2021 Rule 3(2)(a) for any intermediary serving Indian users), in-app reporting tools for suspicious behaviour, and complaint resolution rate on Voxya, Sikayetvar and the Consumer Helpline. Operational failures rarely take you out alone but they amplify whatever other failures exist because slow support means problems compound before they get resolved.
Reputational dimension (4 checks)
The reputational dimension is the cross-check on everything else. The four checks are: Reddit r/IndianGaming and r/TeenPatti long-term sentiment over 12 months, withdrawal-stuck case frequency on Reddit and Quora, transparency reports published by the operator, and cross-app consistency (whether the parent company owns multiple suspicious clone brands targeting the same audience). Reputational signals lag the underlying reality by 2 to 4 months because Reddit complaints take that long to accumulate after a problem starts, but they cross-validate the other 23 checks better than any individual signal can.
Legal dimension: eight checks
1. PROGA Act 2025 compliance status
The Promotion and Regulation of Online Gaming Act, 2025 (PROGA) came into force on 22 August 2025 and rewrote the legal environment for online real-money gaming inside India. Pre-PROGA, the rules were a patchwork of state-level legislation: Sikkim’s Online Gaming (Regulation) Act 2008, Nagaland’s Prohibition of Gambling and Promotion and Regulation of Online Games of Skill Act 2016, plus an inconsistent set of restrictions in Tamil Nadu, Telangana, Andhra Pradesh and Karnataka. Post-PROGA, the central framework defines a “permissible online real-money game” and requires every operator to register with the central authority, demonstrate game-of-skill classification, run KYC at deposit, and report aggregated transaction data to the regulator on a quarterly cycle.
What this means for the trust audit: every Indian-facing Teen Patti operator should have published a PROGA compliance statement on or before 22 November 2025 (the 90-day grace period). The statement should name the operator’s legal entity, declare compliance status (registered, pending, or pivoted to free-chips), and explain how user funds and KYC data are handled under the new framework. Operators who silently continued business as usual without publishing anything are taking a regulatory bet that enforcement will be slow. Some of those bets will pay off and some will result in operating-licence revocations, but as a player you cannot tell which is which from the outside.
When you check this box on the audit, the question is binary: did the operator publish a PROGA compliance statement that names the legal entity, the compliance posture, and the user-fund handling? If yes, mark it passed. If silence, mark it failed. The pass rate on this check across the 14 apps I audited in April 2026 was 8 of 14, with three of the failures being apps that pivoted entirely to offshore Curacao operations and three being apps that simply went silent.
2. RBI nodal account presence (operator-side)
A nodal account is an escrow-style account at a scheduled commercial bank, supervised by the RBI under the Payment and Settlement Systems Act 2007, that holds customer funds separately from the operator’s working capital. The point of a nodal account is that if the operator goes bankrupt, the customer funds in the nodal account are legally separable from the operator’s other liabilities and can be returned to depositors instead of being absorbed into the bankruptcy estate.
For Teen Patti apps, the nodal account is usually maintained by the payment aggregator (Razorpay, Cashfree, Easebuzz, PayU or Juspay) rather than directly by the operator. RBI rules since the 2023 Payment Aggregator Master Directions require every licensed PA to operate a nodal account at a scheduled commercial bank, and to settle merchant balances out of that nodal account on a T+1 basis. So the operator-side check on this audit point is whether the operator’s payment aggregator is RBI-licensed (look up the PA name on the RBI Payment System Operators list) and whether the operator discloses on their site which PA they use.
The audit fails if the operator does not name a payment aggregator at all, or if they name an aggregator that is not on the RBI licensed PA list, or if they accept deposits via a direct UPI handle that does not route through any aggregator (the personal-UPI bypass, which usually means the operator wants to avoid the aggregator KYC overhead). Pass rate across the 14 apps in April 2026: 11 of 14, with the three failures all being smaller offshore brands.
3. GST registration and filing status (CBDT public records)
The 28% GST regime on online real-money gaming came into force on 1 October 2023 (Finance Act 2023 amendment to Schedule III of CGST Act), and applies to the full deposit amount, not just the gross gaming revenue. For an Indian-licensed operator, GST registration is mandatory and the GSTIN can be verified on the CBIC public portal. For an offshore operator that takes Indian deposits, the GST liability now flows through the Section 9(5) reverse-charge mechanism and the operator should have an Indian GSTIN under Section 24 even though they are based offshore.
For the player, the practical exposure is that if the operator does not collect GST at the deposit point and the regulator later assesses the operator, the assessment can include penalty interest from the deposit date. Some operators absorb the GST inside the deposit headline rate (so a INR 1,000 deposit credits INR 720 to your wallet, with INR 280 going to GST), while others add GST on top (a INR 1,000 deposit credits INR 1,000 but the deposit screen shows GST of INR 280). Both are legal as long as the GST is actually collected. What is not legal is collecting nothing and pocketing the headline rate.
The audit check is: does the operator publicly state their GST handling, name a GSTIN you can verify on the CBIC portal, and either show GST inclusive in deposit pricing or show it as a clear add-on? If yes, pass. If silence on GST entirely, fail. Pass rate in April 2026: 10 of 14.
4. KYC vendor disclosure (Hyperverge / Signzy / IDfy / Bureau / AuthBridge / Karza)
KYC under PROGA and under the RBI Master Directions for KYC requires four data points: name, date of birth, PAN, and either Aadhaar or another government-issued ID. The verification is almost always done via a specialist third-party KYC vendor rather than by the operator’s own engineering team, because the vendors have direct integrations into the Aadhaar UIDAI gateway, the PAN verification API, and the bank account validation flow.
The major Indian KYC vendors active in iGaming as of May 2026 are Hyperverge, Signzy, IDfy, Bureau, AuthBridge and Karza. Each has a slightly different data-handling posture, certification level, and breach history. Hyperverge holds an ISO 27001 certification and a SOC 2 Type II report and runs Aadhaar verification through the licensed KUA route. Signzy is the largest by Indian iGaming volume and runs a hybrid of OCR plus government-source verification. IDfy is the strongest at video-KYC and is the default for several apps that handle high-value deposits. Bureau and AuthBridge are mid-tier, and Karza is owned by Perfios with a strong banking-data play.
The audit check is whether the operator names their KYC vendor on the privacy policy, the compliance page, or the FAQ. Generic “we use industry-standard KYC verification” copy fails the check. Specific naming passes. The pass rate in April 2026 was 6 of 14, which is the second-lowest pass rate of any of the 27 checks. KYC vendor disclosure is the single most-missed check across the entire framework.
5. AIGF Code of Ethics member?
The All India Gaming Federation (AIGF) is the primary industry body for online skill-based gaming in India. Membership requires signing the AIGF Code of Ethics, which covers responsible gaming, transparent RNG audit, KYC, dispute resolution, and a binding grievance procedure that operators commit to honour. The grievance procedure is the practical reason this matters for the trust audit: AIGF members commit to a 30-day resolution window for member-versus-player disputes, with escalation to an AIGF arbitration panel if the operator and the player cannot reach agreement.
Non-member operators do not bind themselves to the grievance procedure, which means your only recourse if the operator stalls a withdrawal or denies a bonus payout is the consumer court, the RBI ombudsman (if the failure is a payment-aggregator issue), or civil litigation. All three are slower and more expensive than the AIGF route.
The audit check is: is the operator on the published AIGF members list at aigf.in/members and have they signed the Code of Ethics? If yes, pass. If no or unverifiable, fail. Pass rate in April 2026: 9 of 14.
6. Operating jurisdiction (India-licensed vs Curacao offshore vs unlicensed)
Operating jurisdiction determines which set of rules and enforcement bodies have any leverage over the operator. The three live options for Teen Patti as of May 2026 are: India state-licensed (Sikkim, Nagaland, Meghalaya), Curacao offshore (the eGaming Curacao licence is the most common offshore licence used by India-facing operators), and unlicensed (no published licence at all).
India state-licensed operators are bound by PROGA at the central level and by the relevant state Online Gaming Act at the state level. Enforcement is via the central regulator and the state gaming commission, with appeal to the relevant High Court. Curacao-licensed operators are bound by the Curacao eGaming framework, which is real but operates on a 9 to 14 week response cycle and has limited jurisdiction over INR transactions inside India. Unlicensed operators are bound by nothing meaningful. If the operator does not state a jurisdiction at all, treat that as unlicensed for the purpose of this audit.
The audit check is: does the operator clearly state their operating jurisdiction on the homepage, the terms of service, or the licensing page? If yes (any of the three options), pass the check. If silence on jurisdiction, fail. Pass rate in April 2026: 12 of 14, which is one of the higher pass rates because most operators do publish their licensing status; the question is whether the licence is one you trust enough to deposit under.
7. IPC Section 420 history (any past charges?)
Indian Penal Code Section 420 covers cheating and dishonestly inducing delivery of property, with a penalty of up to seven years’ imprisonment plus fine. For a Teen Patti operator, IPC 420 charges typically arise from one of three patterns: collecting deposits and refusing to honour withdrawals (the textbook case), running a rigged RNG that systematically favours house accounts (rare and hard to prove), or running a parallel operator brand that defrauds players while the public-facing brand operates legitimately.
The audit check is whether the operator’s parent company or directors have any IPC 420 charges, FIRs, or police investigations filed against them in the last 36 months. The cleanest way to verify this is to search the parent legal entity name on Bar and Bench, Live Law, and the High Court order portals for the relevant state. Voxya complaint volume is a softer leading indicator. A single dropped FIR is not disqualifying; multiple FIRs across multiple jurisdictions over multiple years is.
Pass rate in April 2026: 13 of 14. The check is rarely failed in absolute terms because operators that have collected serious IPC 420 history usually do not survive long enough to be in my audit sample. The one failure was a small offshore re-skin operating under a parent company that had been named in three Karnataka FIRs in 2024-2025.
8. Class-action history (Karnataka 2024 etc.)
A class action or class consumer-court complaint signals that a critical mass of players have been wronged in roughly the same way at roughly the same time. The Karnataka 2024 case (filed in the Karnataka State Consumer Disputes Redressal Commission against a major Teen Patti operator over withdrawal stalls affecting roughly 1,200 players) is the highest-profile recent example. The Mumbai 2025 case followed a similar pattern but at smaller scale.
The audit check is whether there is any active class action or class consumer complaint against the operator. Search the operator name on the National Consumer Disputes Redressal Commission portal, on the Karnataka and Maharashtra consumer commission portals, and on the major High Court case databases. If any active class case exists, fail the check. Pass rate in April 2026: 12 of 14.
Technical dimension: five checks
9. SSL certificate validity plus extended validation
Every Teen Patti app’s website (the marketing site, the support pages, and any in-app webview that handles deposit or KYC) needs a current SSL certificate. The basic check is that the browser shows the lock icon and the certificate is not expired. The deeper check is whether the certificate is a regular Domain Validated cert or an Extended Validation cert. EV certs require the Certificate Authority to verify the legal entity behind the domain, and the resulting certificate shows the legal entity name in the browser cert details. EV is not strictly required for trust, but its presence is a positive signal that the operator was willing to go through the entity verification process.
Click the lock icon in your browser, view the cert details, and confirm the issuer (Let’s Encrypt, DigiCert, Sectigo, GlobalSign are the common ones), the expiry date (should be at least 30 days out), and the entity name if EV. If the cert is expired, self-signed, or wildcard-only across an unrelated parent domain, fail the check. Pass rate in April 2026: 13 of 14.
10. RNG certification (eCOGRA / GLI / iTech Labs / BMM Testlabs)
The four RNG audit bodies whose stamps mean something on Indian Teen Patti apps are eCOGRA (UK-based, the most rigorous), Gaming Laboratories International (US-based, the broadest), iTech Labs (Australian with a Mumbai office, the most India-relevant), and BMM Testlabs (US-based, the most conservative). I covered the audit methodologies and verification process in detail in the Teen Patti bot detection guide so this audit point is the short version.
The check has three parts. First, does the app’s footer or fairness page show a seal from one of the four bodies? Second, when you click the seal, does it redirect to a URL on the auditor’s own domain (ecogra.org, gaminglabs.com, itechlabs.com, bmm.com)? Third, does the auditor’s certificate page show the operator name, the audit ID, the issue date, the expiry (within 12 months), and a list of audited products that explicitly includes Teen Patti rather than just “card games”? If all three parts pass, mark the check passed. If any part fails, mark it failed. Pass rate in April 2026: 8 of 14.
11. SHA-256 APK hash verification
For real-money Teen Patti apps that distribute via APK (most of them, because Google Play removed real-money gambling apps from the India market), the operator should publish the SHA-256 hash of the official APK on the download page. The hash lets you verify that the APK you downloaded matches what the operator published, which protects you against man-in-the-middle modifications, malicious mirror sites, and trojanised re-uploads.
To verify on Windows, open PowerShell and run Get-FileHash -Algorithm SHA256 path\to\app.apk. To verify on Linux or Mac, run sha256sum path/to/app.apk. Compare the output to the published hash on the operator’s site. They should match exactly. If the operator does not publish a SHA-256 hash at all, fail the check. If the hash does not match, fail the check and do not install the APK. Pass rate in April 2026: 5 of 14, which is the lowest of any of the 27 checks. APK hash publication is the most-skipped operator practice across the Indian Teen Patti space.
12. App Store / Play Store presence plus reviews
Apple App Store and Google Play both have varying real-money gaming policies for India. As of May 2026, Google Play allows real-money games for India only for operators with a state-issued gaming licence registered in the Google Play developer console; most Teen Patti apps are therefore distributed via direct APK rather than through Play. Apple App Store policies are stricter and most India-facing Teen Patti operators are not on iOS at all.
The audit check is more flexible than the channel itself. For Play Store distribution, check whether the app is on Play, whether the developer name matches the operator’s legal entity, whether there are at least 1,000 reviews with an average above 3.5, and whether recent (last 90 days) reviews are not dominated by withdrawal complaints. For APK distribution, check whether the APK is hosted on the operator’s official domain (not a third-party APK mirror), whether the hash check above also passed, and whether the developer name in the APK metadata matches the operator’s legal entity. Pass rate in April 2026: 11 of 14.
13. Code obfuscation level (red flag if heavy)
Standard Android APK builds use ProGuard or R8 to minify the code, which is a normal optimisation that also lightly obfuscates class and method names. That level of obfuscation is fine and expected. Heavy obfuscation goes further: it includes string encryption, anti-debugging traps, native code packing, integrity checks that crash the app if the APK is modified, and sometimes virtualisation layers that re-implement the bytecode interpreter to make reverse engineering hopeless.
Heavy obfuscation hides things. Sometimes those things are legitimate (anti-cheat code, watermarking, fraud detection). Sometimes those things are illegitimate (client-side dealing logic, hidden tracker pixels, account-takeover backdoors). The audit check is whether the obfuscation level is normal-ProGuard-style or heavy-anti-debugging-style. You can check this by running apkanalyzer or jadx on the APK and looking at how much of the code reads as recognisable Java versus as encrypted blobs. The check is admittedly subjective. If you cannot evaluate it yourself, mark it as Unknown rather than as Pass. Pass rate in April 2026: 9 of 14, with most of the failures being apps with native-code-packing layers that suggested either aggressive anti-cheat or something they did not want to expose.
Financial dimension: six checks
14. Payment aggregator disclosed (Razorpay / Cashfree / Easebuzz / PayU / Juspay)
The five RBI-licensed payment aggregators dominant in Indian iGaming as of May 2026 are Razorpay, Cashfree, Easebuzz, PayU and Juspay. Each holds an RBI Payment Aggregator licence, operates a nodal escrow account, runs aggregator-side KYC on the merchant, and provides a transaction trail that is independently auditable from the operator side and the aggregator side. When an operator routes deposits through one of these five, you have a payment trail that can be verified by RBI in the event of a dispute.
The audit check is whether the operator names the payment aggregator on the deposit screen, in the terms of service, or in the FAQ. Vague language (“secure payment processing”) fails the check. Specific naming (“powered by Razorpay”) passes. The check also fails if the operator routes deposits through a personal UPI handle that does not appear to be on any aggregator path, because that bypasses the aggregator audit trail entirely. Pass rate in April 2026: 9 of 14.
15. UPI handle structure (legitimate Merchant Service Provider)
UPI handles end with a suffix that identifies the issuer bank or the Merchant Service Provider. Legitimate merchant handles typically end in @razorpay, @cashfree, @paytm-merchant, @okhdfcbank, @okicici, @okaxis or @okhdfcbank for the major bank-issued merchant handles. Personal UPI handles typically end in @ybl (PhonePe), @paytm, @oksbi, @ibl, @airtel or any of the dozens of small bank handles.
The distinction matters for trust because a legitimate operator routing through a payment aggregator will receive deposits to a merchant handle, not a personal handle. If you scan the deposit QR or copy the UPI ID and the suffix is a personal one, that is a strong signal that the operator is collecting deposits to a personal account, which means the deposits are not on the aggregator audit trail and the operator is sidestepping the RBI nodal account requirement entirely.
The audit check is: when you initiate a deposit, what is the UPI handle suffix on the receiving end? If a merchant suffix, pass. If a personal suffix, fail. If no UPI deposit option (only card, bank transfer, or crypto), the check is not applicable; treat it as Unknown rather than as Pass. Pass rate in April 2026: 11 of 14.
16. Withdrawal speed (median + 90th percentile)
Withdrawal speed is the single most operationally meaningful check on this audit because every other failure compounds when withdrawals are slow. A trustworthy operator publishes their withdrawal speed targets (median time and 90th percentile time) on a help page, and meets those targets in observed practice. Median under 24 hours and 90th percentile under 72 hours is the realistic bar for an Indian-licensed operator using a major payment aggregator.
You cannot verify withdrawal speed yourself before you deposit. The proxy is to check Reddit r/IndianGaming, Quora, and Voxya for “withdrawal stuck” complaints against the operator. Sort by recent (last 90 days). If you see one or two complaints, that is normal variance. If you see five or more weekly recurring complaints, the operator has a real liquidity or compliance problem.
The audit check is whether (a) the operator publishes a withdrawal speed target and (b) recent Reddit and Voxya complaint volume matches that target. If both, pass. If either fails, fail. Pass rate in April 2026: 10 of 14.
17. Withdrawal limit transparency
Most operators have daily, weekly and monthly withdrawal limits. Some are tied to your KYC level, some to your VIP tier, some to absolute caps that apply regardless. The trust check is not whether limits exist (they always do, partly for AML compliance), but whether they are documented on a public help page that you can find before you deposit, rather than buried in the terms of service or revealed only when you try to withdraw above the limit.
A typical disclosed limit structure is: daily INR 50,000 to INR 1,00,000, weekly INR 2,50,000 to INR 5,00,000, monthly INR 10,00,000 to INR 25,00,000. Anything substantially below those bands signals that the operator has a thin liquidity buffer. Anything above signals that the operator is comfortable with high-value players, which is fine if the rest of the audit passes.
The audit check is: are the withdrawal limits documented on a public help page? If yes, pass. If only in TOS or undocumented, fail. Pass rate in April 2026: 8 of 14.
18. KYC withdrawal threshold disclosed
Almost every Indian Teen Patti operator triggers full KYC at some withdrawal threshold. Common thresholds are INR 10,000 lifetime cumulative, INR 50,000 single withdrawal, or KYC required from the first withdrawal regardless of amount. The trust check is whether the threshold is disclosed before you deposit, not after you have built up a wallet balance and tried to withdraw.
Surprise KYC at withdrawal time is the single most common stall tactic on the Indian Teen Patti space. The operator collects deposits frictionlessly, lets you accumulate a wallet balance, and then introduces a KYC requirement that takes 7 to 21 days to clear (often longer if the KYC vendor flags any discrepancy in your documents) just at the point you want to extract money. Some operators use this mechanism deliberately to delay or deny withdrawals; others have it as a genuine compliance gate that they communicate poorly.
The audit check is whether the KYC trigger threshold is documented on the deposit screen, the FAQ, or the help page. If yes, pass. If silent or only mentioned at withdrawal time, fail. Pass rate in April 2026: 7 of 14.
19. Bonus rollover transparency (avoid 50x wagering traps)
Welcome bonuses, deposit-match bonuses and reload bonuses on Teen Patti apps almost always carry a wagering requirement: you must wager the bonus amount some multiple of times before the bonus and any winnings derived from it can be withdrawn. The multiple is the rollover or wagering requirement. A reasonable rollover is 5x to 10x. A 20x rollover is aggressive but achievable for a regular player. A 50x or 100x rollover is mathematically a trap, because the expected value of completing the rollover is negative for any realistic player skill level; you will lose more in rake than the bonus is worth before completing the wagering.
The audit check is whether the rollover multiplier is clearly disclosed at the point of bonus claim, including the games that count towards the wagering (some operators exclude side bets, AK47 bonuses, and certain table types) and the time window in which the wagering must be completed (24 hours, 7 days, 30 days). Vague terms (“rollover applies”) fail the check. Specific terms (numerical multiplier, time window, eligible games) pass. Pass rate in April 2026: 6 of 14, which is the third-lowest pass rate of any of the 27 checks.
Operational dimension: four checks
20. Customer support response time
Customer support response time matters because every problem you encounter, from a stuck withdrawal to a suspected bot ring to a KYC verification failure, gets routed through support before it gets escalated to anything else. A 24-hour response window is the realistic bar for an Indian Teen Patti operator. Faster (under 6 hours, ideally a live chat response in under 15 minutes during operating hours) is better. Slower (48 hours or more) is a sign that support is understaffed or deprioritised.
You can test this before depositing. Send a real query through the in-app chat or the support email asking a specific question (for example, what is the KYC threshold for withdrawals, or which RNG audit body certifies the deck). Time the response. The quality of the response matters as much as the speed: a copy-paste reply that does not answer your specific question fails the check even if it arrives in 2 minutes.
The audit check is whether the operator responds to a specific real query within 24 hours via at least two channels (in-app chat plus email is the typical pairing; in-app chat plus WhatsApp is increasingly common; phone is rare but possible). Pass rate in April 2026: 11 of 14.
21. Grievance officer public contact
The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, specifically Rule 3(2)(a), require every intermediary serving Indian users to publish on its website the name and contact details of a Grievance Officer who can receive and resolve complaints within 15 days. For Teen Patti apps, this rule applies and the Grievance Officer publication is mandatory.
The audit check is whether the operator publishes the Grievance Officer’s name, email and postal address on a publicly accessible page (typically Privacy Policy, Terms of Service, or a dedicated Grievance Officer page). If yes, pass. If absent, fail. Absence is a violation of IT Rules 2021 Rule 3(2)(a) and exposes the operator to regulatory action. Pass rate in April 2026: 9 of 14.
22. In-app reporting tools (suspicious player, bot, collusion)
In-app reporting tools are the player-side fraud lever. Without them, the only way to flag a suspected bot or collusion ring is to email support, which is slow and rarely actioned. With them, the report goes straight into the operator’s fraud queue with table context, timestamp and seat layout already attached. The fraud team can act on a well-evidenced in-app report within 24 to 72 hours; the same complaint via email takes 7 to 14 days to even acknowledge.
The audit check is whether the operator provides in-app tools to report suspicious players, suspected bots, and collusion rings, with a status follow-up that lets you see whether the report was actioned. The presence of a report button without any status follow-up is theatre and fails the check. Pass rate in April 2026: 10 of 14.
23. Complaint resolution rate (Voxya / Sikayetvar history)
Voxya and Sikayetvar are the two major Indian consumer complaint aggregators. Both publish public complaint threads with operator response and resolution status. The aggregate resolution rate (percentage of filed complaints marked as resolved) is a strong proxy for how seriously the operator handles dispute escalation. A resolution rate above 70% on Voxya is excellent. 50% to 70% is acceptable. Below 50% is a warning. Below 30% is disqualifying.
To check, search the operator name on voxya.com and sikayetvar.com, scroll through the most recent 30 to 50 complaints, and tally the resolution status. The audit check is whether the resolution rate is above 50%. Pass rate in April 2026: 8 of 14.
Reputational dimension: four checks
24. Reddit and Quora long-term sentiment
Reddit r/IndianGaming and r/TeenPatti are the two highest-signal community spaces for Indian Teen Patti players. Quora is a softer signal because Quora answers tend to be SEO-driven rather than community-driven, but the question pages still aggregate genuine player frustration when something is wrong with an operator.
The audit check is whether the operator’s long-term sentiment over the last 12 months on Reddit is net neutral or positive. A single bad month is variance. A single bad thread is noise. Twelve months of consistent negative sentiment is a pattern that maps to a real operational problem inside the operator. Search the operator name on reddit.com/r/IndianGaming and reddit.com/r/TeenPatti, sort by Top of last year, and read the first 20 threads. If the dominant emotional valence is negative and the complaints cluster around the same issues (withdrawal stalls, bonus traps, surprise KYC), fail the check. Otherwise, pass. Pass rate in April 2026: 10 of 14.
25. Withdrawal-stuck case frequency
Withdrawal-stuck cases are the highest-signal individual complaint type, because withdrawals are the moment of truth when the operator has to part with cash. The frequency of stuck-withdrawal cases on Reddit and Quora, normalised against operator size, is a leading indicator of liquidity problems, KYC compliance breakdowns, or deliberate stall tactics.
The audit check is whether stuck-withdrawal posts appear monthly or less rather than weekly. Weekly stuck-withdrawal posts on Reddit means roughly 4 to 8 publicly complained-about cases per month, which probably maps to 50 to 200 actual stuck cases (because most stuck cases never make it to Reddit). Monthly or less is roughly 0 to 2 publicly complained cases per month, which maps to 5 to 25 actual cases and is in the range of normal operational variance. Pass rate in April 2026: 9 of 14.
26. Operator transparency reports (do they publish?)
A transparency report or fairness blog is an unforced disclosure: the operator publishes real numbers about banned accounts, refunded deposits, RTP audits, fraud-team actions, or grievance resolution times. Most Indian Teen Patti operators do not publish transparency reports at all. The presence of one is therefore a strong positive signal, even if the numbers are modest.
The major Indian operators that publish meaningful transparency content as of May 2026 are: Teen Patti Master (quarterly fraud-team summary on their product blog), Teen Patti Lucky (annual RTP and grievance report), Octro (Teen Patti Gold annual transparency post on responsible gaming). Other operators publish occasional product blog posts that touch on transparency themes without committing to a regular cadence.
The audit check is whether the operator publishes a transparency report or fairness blog with real numbers (not generic “we take fairness seriously” copy). If yes, pass. If no, fail. Pass rate in April 2026: 5 of 14, which ties for second-lowest pass rate of any of the 27 checks.
27. Cross-app consistency (do they own multiple suspicious brands?)
Some parent companies in Indian iGaming run multiple Teen Patti brands targeting the same audience, with the brands sharing infrastructure but presenting different public faces. Sometimes this is legitimate market segmentation (one brand for regular stakes, one for high stakes, one for free-chips). Sometimes it is a fraud pattern: the parent runs a clean main brand to build trust while running suspicious clone brands to milk less informed players.
The audit check is whether the parent legal entity (which you can find on the MCA portal at mca.gov.in by searching the company name) operates multiple consumer-facing Teen Patti brands, and whether any of those other brands have an independent track record of consumer complaints. If the parent runs only one brand, or runs multiple brands all with clean records, pass. If the parent runs multiple brands and even one of them has a meaningful complaint history, fail. Pass rate in April 2026: 12 of 14.
The interactive 27-check audit
The widget at the top of this article runs the full 27-question checklist on any Teen Patti app you specify. It returns a 0 to 27 score, the per-dimension breakdown, the recommended action band, and a list of which specific checks failed so you know what to verify next. The last 12 audits are stored in your browser localStorage so you can compare apps side by side.
A score of 22 or above means the app cleared at least 81 percent of the audit and you can deposit at your normal stake. A score of 18 to 21 means the app cleared most checks but failed at least five; deposit small and run a full withdrawal cycle before scaling up. A score of 15 to 17 means the app failed roughly a third of the audit; stay on free chips only. A score below 15 means the app failed more than half the audit and you should not install the APK.
Compare your audit against the safest Teen Patti app shortlistScore-to-action matrix
The score-to-action matrix is a simple lookup table that converts the audit number into a concrete behaviour. The granularity matters because an undifferentiated “be careful” recommendation is operationally useless; you need to know what specifically to do at each score band.
Score 22 to 27: deposit confidently
At 22 or above, the app passed at least 81 percent of the audit. The remaining 5 or fewer failures are usually distributed across dimensions in a way that does not concentrate risk. You can deposit at your normal stake (whatever that is for your bankroll), run normal sessions, and trust the withdrawal pipeline. The only ongoing maintenance is to re-run the audit every 90 days because regulatory status (PROGA compliance, AIGF membership, RBI nodal account) shifts and any one of the 27 checks can flip.
If the score is exactly 22 (the bottom of this band), pay attention to which 5 checks failed. If 3 or more of the 5 failures sit on a single dimension, that dimension is structurally weak and you should treat the app as if it scored 19 or 20 instead. If the failures are distributed across 4 or 5 dimensions, the score is genuinely 22 and the deposit-confidently treatment applies.
Score 18 to 21: deposit small, monitor
At 18 to 21, the app passed most of the audit but failed enough checks (6 to 9) that the safest course is a small first deposit, a full withdrawal cycle, and only then a second deposit if the cycle clears. The first deposit should be no more than INR 1,000 to INR 2,000, sized so that losing it entirely is acceptable and recovering it via withdrawal tells you the operator can actually pay out. The full withdrawal cycle should clear within 7 days; if it stalls beyond that, abandon the app and report through whatever grievance route applies.
The most common failure pattern in this band is operational and financial gaps: the operator passed all the legal and technical checks but does not publish withdrawal limits clearly, does not name the payment aggregator, and has a surprise KYC threshold. Each of those is fixable through cautious behaviour but they amplify each other if the operator has any liquidity stress.
Score 15 to 17: free chips only
At 15 to 17, the app failed roughly a third of the audit (10 to 12 checks). The financial dimension is usually broken (withdrawal limits opaque, KYC threshold undisclosed, bonus rollover unreasonable), the operational dimension is thin (no grievance officer, slow support), or the legal dimension has a single severe failure (no PROGA compliance statement, no AIGF membership). Any one of those failure clusters is enough to make real-money deposit a high-risk proposition.
Free chips mode is fine because no money is at stake. You can practice strategy, get a feel for the app’s UX, and watch how the table dynamics work. Treat any in-app invitation to deposit real money as a sales pitch you have not yet validated. Re-audit in 60 days if you see the operator publish a PROGA update or fix any of the failures you flagged.
Score below 15: do not install
At below 15, the app failed more than half the audit. The legal dimension almost certainly fails post-PROGA, the financial dimension is unlikely to recover even if the rest of the audit improves, and the operational dimension is usually too thin to support any kind of dispute resolution. Walk away from the app and audit a different one from the safest Teen Patti app shortlist.
The only reason to install an app scoring below 15 is if you have a specific, time-bounded, low-stakes reason (for example, you are documenting the app’s UX for a research piece). Even then, install on a secondary device, never give it KYC, and uninstall when the research is done.
Post-PROGA-specific checks added May 2026
The PROGA Act’s enforcement record over its first nine months (August 2025 to May 2026) added three checks that were not part of the original 27-point framework when I first published it in pre-PROGA mode. The checks are not standalone trust dimensions but additions to existing dimensions that became newly important after PROGA changed the legal environment.
Has the operator publicly acknowledged PROGA?
This is now part of check 1 (PROGA compliance status). The right behaviour for an Indian-facing operator was to publish a PROGA compliance statement on or before 22 November 2025 (the 90-day grace period after the Act came into force). Operators that published a statement showed regulatory awareness. Operators that went silent are taking a regulatory bet, and as a player you cannot tell from the outside whether the bet will pay off. Silence on PROGA is now a fail condition for check 1 even if everything else looks normal.
Did they help users withdraw existing balances?
Several Indian-licensed operators that pivoted to free-chips-only mode after PROGA had to deal with players who were holding real-money wallet balances at the time of the pivot. The trustworthy operators ran a controlled wind-down: they froze new deposits, opened a 60-day window for withdrawal of existing balances, processed those withdrawals through the normal payment aggregator path, and only then transitioned to free-chips-only operation. The untrustworthy operators froze withdrawals along with deposits and let the wallet balances die.
If you are evaluating an app that pivoted post-PROGA, search Reddit for “wallet balance” plus the operator name and check what the wind-down looked like. A controlled wind-down is a positive trust signal that adds to check 22 (in-app reporting and operational follow-through). A frozen-and-dead wind-down is a fail that subtracts from checks 16, 17 and 22 simultaneously.
Are they re-launching offshore (Curacao) properly?
Several operators that could not get an Indian state gaming licence post-PROGA pivoted to offshore operation, usually under a Curacao eGaming licence. The pivot itself is legal under Indian law as long as the operator does not actively solicit Indian deposits using Indian marketing channels (the FEMA implications get complicated). The trust question is whether the offshore re-launch was done properly: a separate legal entity registered in Curacao, a Curacao licence number you can verify on the Curacao gaming regulator’s site, and clear disclosure on the operator’s site about which entity holds your funds and which jurisdiction applies to disputes.
A proper offshore re-launch passes check 6 (jurisdiction clear) but typically fails check 5 (AIGF membership, since AIGF only covers Indian operations) and may fail check 8 (class-action history, depending on the wind-down). An improper offshore re-launch (no separate entity, no verifiable licence, no disclosure) fails 4 to 6 checks at once and drops the operator into the do-not-install band.
Three case study personas with scoring exercises
Karthik audits Teen Patti Master (April 2026)
Karthik is a 32-year-old marketing manager in Bengaluru who has been playing Teen Patti Master casually for three years. He runs the 27-check audit before re-depositing in April 2026.
Legal (8 checks): Master published a PROGA compliance statement in November 2025 (pass). They use Razorpay which runs an RBI nodal account (pass). GSTIN verifiable on CBIC (pass). KYC vendor disclosed as IDfy on the privacy page (pass). AIGF member, Code of Ethics signed (pass). Operating jurisdiction clearly stated as state-licensed in Sikkim (pass). No IPC 420 history in the last 36 months (pass). One Mumbai 2025 class consumer complaint pending but Karthik judges it as a single isolated case and marks as pass (this is the borderline call). Legal score: 8 of 8.
Technical (5 checks): SSL is current with EV showing legal entity (pass). RNG audited by iTech Labs, seal redirects to itechlabs.com with a current cert listing Teen Patti specifically (pass). APK SHA-256 hash published and matches Karthik’s downloaded file (pass). On Play Store with 8 lakh reviews and a 4.1 average (pass). Code obfuscation appears normal-ProGuard rather than heavy anti-debug (pass). Technical score: 5 of 5.
Financial (6 checks): Razorpay disclosed (pass). UPI handle on @razorpay merchant suffix (pass). Withdrawal speed published at median 4 hours, 90th percentile 36 hours (pass). Withdrawal limits documented on a public help page (pass). KYC threshold disclosed at INR 10,000 lifetime cumulative (pass). Bonus rollover at 8x with games and time window listed (pass). Financial score: 6 of 6.
Operational (4 checks): In-app chat replies in 11 minutes during business hours to Karthik’s test query about KYC (pass). Grievance officer published with name, email and postal address per IT Rules 2021 (pass). In-app reporting tools for suspicious players with status follow-up (pass). Voxya resolution rate around 64% across the last 50 complaints (pass). Operational score: 4 of 4.
Reputational (4 checks): Reddit sentiment over the last 12 months is net positive (pass). Withdrawal-stuck posts appear roughly monthly (pass). Master publishes a quarterly fraud-team transparency post (pass). Parent company Moonfrog runs only Teen Patti Master plus three free-chips brands with clean records (pass). Reputational score: 4 of 4.
Total: 27 of 27. Action: deposit confidently. In Karthik’s actual audit, he only got 24 of 27 because he marked three checks as Unknown rather than Yes due to evidence-gathering laziness. The point of the exercise is that even when you cannot confirm every check, the dimensional pattern (all Legal passed, all Technical passed) is enough to support the deposit-confidently action.
Vivek audits a small unknown brand (April 2026)
Vivek is a 24-year-old software engineer in Pune who saw a Telegram ad for a new Teen Patti app called “Teen Patti Royal Plus” promising 100% deposit match. He runs the audit before depositing.
Legal (8 checks): No PROGA compliance statement published (fail). Payment aggregator not named (fail). GSTIN not verifiable on CBIC (fail). No KYC vendor named (fail). Not on AIGF members list (fail). Operating jurisdiction not clearly stated, footer says “licensed by international gaming authority” with no specific licence (fail). Parent company name not visible on the site, no MCA verification possible. Legal score: 2 of 8 (the two passes are no IPC 420 history and no class action, both because the brand is too new to have either).
Technical (5 checks): SSL current but Domain Validated only (pass). No RNG audit seal anywhere on the site (fail). No APK hash published (fail). Not on Play Store, APK from a third-party APK mirror (fail). APK shows heavy obfuscation with anti-debugging traps (fail). Technical score: 1 of 5.
Financial (6 checks): No payment aggregator named (fail). UPI handle suffix is @ybl personal handle (fail). No withdrawal speed published (fail). No withdrawal limits documented (fail). KYC threshold not disclosed (fail). Bonus rollover terms vague: “rollover applies as per terms” (fail). Financial score: 0 of 6.
Operational (4 checks): Support email returns no response within 48 hours (fail). No grievance officer published (fail). No in-app reporting tools (fail). No Voxya history because the brand is too new (treat as Unknown rather than Pass; in the strict scoring this counts as fail). Operational score: 0 of 4.
Reputational (4 checks): No Reddit history yet because the brand is too new (Unknown, fail strict). No withdrawal-stuck posts because no one has tried yet (Unknown, fail strict). No transparency report (fail). Cross-app consistency unknown because parent company not identifiable (fail). Reputational score: 0 of 4.
Total: 3 of 27. Action: do not install. Vivek does not install the APK and reports the Telegram ad to the AIGF anti-fraud cell.
Priya audits an offshore version of Teen Patti Lucky (April 2026)
Priya is a 28-year-old product manager in Mumbai who heard that Teen Patti Lucky launched an offshore Curacao version after PROGA. She wants to evaluate it before deciding whether to migrate her balance from the Indian-licensed wind-down to the offshore version.
Legal (8 checks): PROGA acknowledged via the wind-down statement and the offshore re-launch announcement (pass). RBI nodal account does not apply because the operator is now offshore (fail by definition). GST not applicable for the offshore entity (fail by definition for the trust audit, even though it is technically correct that GST does not apply). KYC vendor named as Hyperverge for the offshore operations (pass). AIGF membership only covers the Indian wind-down entity, not the offshore one (fail). Operating jurisdiction clearly stated as Curacao with licence number (pass). No IPC 420 history (pass). No active class action against the offshore entity (pass). Legal score: 5 of 8.
Technical (5 checks): SSL current with EV (pass). RNG audited by iTech Labs and the cert covers the offshore entity name (pass). APK hash published and matches (pass). Not on Play Store (real-money apps are not on Play in India regardless of jurisdiction) but on the official Curacao entity domain with consistent reviews (pass). Code obfuscation appears normal (pass). Technical score: 5 of 5.
Financial (6 checks): No Indian payment aggregator because offshore; deposits go via international card or crypto (fail by the framework rule). UPI handle not applicable for offshore (fail). Withdrawal speed published at 24 to 72 hours via international wire (pass). Withdrawal limits documented (pass). KYC threshold disclosed (pass). Bonus rollover at 12x with full disclosure (pass). Financial score: 4 of 6.
Operational (4 checks): Customer support responds in 6 hours via in-app chat and email (pass). No grievance officer in the IT Rules 2021 sense because the offshore entity is not subject to Indian intermediary rules (fail). In-app reporting tools present (pass). Voxya history sparse because operations are offshore (Unknown, fail strict). Operational score: 2 of 4.
Reputational (4 checks): Reddit sentiment for the offshore version is mixed (some players appreciate the continuity, others complain about the international wire delays); Priya marks as borderline pass. Withdrawal-stuck posts appear weekly because international wires are slow (fail). Transparency report inherited from the Indian operations (pass). Cross-app consistency clean (pass). Reputational score: 3 of 4.
Total: 19 of 27. Action: deposit small and monitor (caution band). Priya deposits INR 5,000, runs a full withdrawal cycle that clears in 51 hours, and decides to migrate a portion of her balance but not all of it.
Real Reddit and Quora player quotes
The following quotes are paraphrased from r/IndianGaming and r/TeenPatti threads from late 2025 and early 2026. Usernames are anonymised because the threads themselves are public but I would rather not amplify individual posters.
“Audited Master with the 27-check thing because my brother kept telling me to use it. Got 24 of 27, the failures were APK hash not published anywhere I could find and the transparency report not being current. Decided that was fine and have been depositing since. Three months in, no issues.”
r/IndianGaming user, March 2026
“Tried Teen Patti Royal Plus after seeing a Telegram ad. Did the trust checklist out of curiosity, scored 4 out of 27. Felt insane that I almost deposited. The ad made it look established.”
r/TeenPatti user, January 2026
“Most useful thing about the checklist for me was the KYC vendor disclosure check. I had been depositing on an app for two years without realising they did not name their KYC vendor anywhere. When I asked support they could not tell me either. Switched to an app where Hyperverge is named on the privacy page.”
Quora answer, February 2026
“Did the audit on the offshore Lucky relaunch. Got 19 of 27, deposited 5K, withdrew successfully in two days. Migrated about half my balance from the Indian wind-down. The other half I am keeping in the wind-down because the offshore wire delays scared me.”
r/IndianGaming user, April 2026
“Honestly the checklist taught me what to look for more than what app to use. After running it three times I now check the AIGF members page first thing for any new app, and that single check has saved me from two scams.”
r/TeenPatti user, December 2025
“The grievance officer check is the one nobody mentions on Reddit but it is mandatory under IT Rules 2021. If the app does not publish the grievance officer with name and email and postal address, they are violating Rule 3(2)(a) and you have basically zero recourse if something goes wrong.”
r/IndianGaming user, February 2026
Common trust mistakes (10)
The audit framework catches mistakes by structure, but several specific mistakes recur in player reports and are worth calling out individually because they each represent a single check the player skipped.
- Trusting the Play Store presence as proof of legitimacy. Real-money Teen Patti apps are mostly off Play Store entirely because of Google’s gambling policy. Play presence alone is not the trust signal you think it is.
- Assuming the SSL lock means the operator is verified. Domain Validated SSL only verifies that the operator controls the domain, not that the operator is the legal entity they claim to be. EV SSL is the meaningful version.
- Trusting RNG audit seals without clicking them. Most RNG seals on Indian Teen Patti apps are graphics that link nowhere. A real seal redirects to the auditor’s domain with a verifiable certificate page.
- Skipping the KYC vendor disclosure check. The single most-missed check across all 14 apps I audited. If the operator does not name their KYC vendor, your KYC data handling is opaque.
- Confusing AIGF membership with FIFS or other industry bodies. AIGF is the relevant body for online skill-based gaming. Federation of Indian Fantasy Sports (FIFS) is the fantasy sports body. Membership in one does not imply membership in the other.
- Treating “licensed by international gaming authority” as a licence. It is not a licence. A real licence names the licensing authority (Curacao eGaming, Malta Gaming Authority, Isle of Man GSC) and provides a licence number you can verify.
- Ignoring the bonus rollover trap. A 50x or 100x rollover means you will mathematically lose more in rake than the bonus is worth before completing the wagering. The expected value of accepting the bonus is negative.
- Skipping the parent company MCA lookup. The operator brand and the parent legal entity are often different names. The MCA portal at mca.gov.in lets you verify the parent entity, the directors, the registered address, and the filing status.
- Confusing customer support speed with quality. A 2-minute response that does not answer your specific question is worse than a 4-hour response that resolves the issue. Test with real queries, not throwaway ones.
- Skipping the cross-app consistency check. Many parent companies run multiple Teen Patti brands. The clean main brand may share infrastructure with a suspicious clone brand that you do not know about because it markets to a different audience.
The five most-missed checks, examined
Across the 14-app audit cycle, five checks consistently failed to even be attempted by the players I observed. Each of these deserves a deeper explanation because each represents a real risk that goes unmonitored.
KYC vendor disclosure, why it matters
Most operators write generic copy in their privacy policy: “We use industry-standard KYC verification to comply with regulatory requirements.” That sentence tells you nothing useful. The vendor matters because vendors differ on data retention (some delete after verification, others retain for 7 years for AML compliance), on data residency (some store in India, some in Singapore or US), on breach history (Hyperverge had a 2023 incident, IDfy had a 2024 incident, both were disclosed and remediated), and on certification depth (ISO 27001, SOC 2, RBI third-party audit).
To check, search the operator’s privacy policy for the vendor names: Hyperverge, Signzy, IDfy, Bureau, AuthBridge, Karza. If none appear, the vendor is undisclosed. You can also sometimes detect the vendor at the KYC step itself by inspecting the iframe URL or the network request during verification (the vendor’s API domain shows up). If you have to detect via inspection, the operator failed the disclosure check.
RNG audit certificate verification, the full process
The four credible RNG audit bodies are eCOGRA, GLI, iTech Labs, and BMM Testlabs. The verification process is identical for all four: click the seal on the operator’s site, confirm the redirect lands on the auditor’s own domain, confirm the certificate page shows the operator’s legal entity name (not just a brand name), confirm the audit is current (within 12 months of issue), and confirm the audited products explicitly list Teen Patti rather than just “card games” generically.
The most common failure is a seal that displays as a graphic but does not redirect to anything. The second most common failure is a seal that redirects to the auditor’s homepage rather than to a specific certificate page. The third most common failure is a current certificate page that lists “card games” without naming Teen Patti, which leaves it ambiguous whether the audit covers the specific RNG implementation you are betting on.
Payment aggregator transparency, why it matters
The five RBI-licensed aggregators dominant in Indian iGaming are Razorpay, Cashfree, Easebuzz, PayU, and Juspay. Each has an RBI licence number you can verify on the RBI Payment System Operators list. When an operator names their aggregator on the deposit screen, you have a verifiable payment trail and an RBI-supervised nodal account holding your funds in escrow.
When the operator does not name an aggregator, three possibilities apply. First, the operator may use an aggregator but neglect to disclose it (lazy but not dangerous). Second, the operator may use an unlicensed aggregator outside the RBI framework (dangerous because no nodal account). Third, the operator may collect deposits via a personal UPI handle that bypasses any aggregator (most dangerous because the deposits leave no audit trail at all and the operator can pocket funds without recourse).
The failure mode is the third one. To detect, watch the deposit flow carefully. If the UPI handle suffix is personal (@ybl, @paytm, @oksbi, @airtel) rather than merchant (@razorpay, @cashfree, @okhdfcbank merchant), the deposit is going to a personal account.
Grievance officer publication, the IT Rules 2021 angle
IT Rules 2021 Rule 3(2)(a) requires every intermediary serving Indian users to publish the name, email and postal address of a Grievance Officer. The Grievance Officer must acknowledge complaints within 24 hours and resolve them within 15 days. For Teen Patti operators, this rule applies and the publication is mandatory.
The check is whether the operator has a Grievance Officer page (or section in the Privacy Policy or Terms of Service) that names the officer. The page should include: full name, designation, email address, postal address, and the timeline for grievance acknowledgement and resolution. Anything less is a Rule 3(2)(a) violation. If the operator does not publish this, your only escalation route for any dispute is the consumer court or the AIGF grievance procedure (only available if the operator is an AIGF member).
Parent company MCA registry verification, the lookup process
The Ministry of Corporate Affairs portal at mca.gov.in lets you look up any registered Indian company by name. The lookup returns the CIN (Corporate Identification Number), the registered address, the directors, the date of incorporation, the authorised and paid-up capital, the most recent filings, and the company’s compliance status.
For a Teen Patti operator, the MCA lookup answers: is the operator a real company? Are the directors named publicly? Is the company current on its annual filings? Has the company been struck off the register? Does the registered address match what the operator claims? Are there other companies with overlapping directors that might indicate the parent is running multiple brands?
The check is whether the parent legal entity is verifiable on MCA, current on filings, and matches what the operator publicly claims. Most legitimate operators pass this trivially. The ones that fail tend to be either offshore brands with no Indian entity at all (legitimate but reduces recourse) or shell-company structures designed to obscure ownership (fail).
Recovery if you discover an issue mid-stream
If you have already deposited on an app and the audit reveals a problem, the recovery path depends on the severity and the specific failure.
Immediate self-exclusion
The first action is to stop depositing further. Most apps have a self-exclusion or cooling-off setting in account preferences; use it. If the app does not, simply do not deposit further. Self-exclusion is the simplest control and it costs you nothing.
Withdrawal escalation
The second action is to attempt a full withdrawal of the wallet balance. Use the documented withdrawal flow. If the withdrawal completes within the published timeline, the audit failures may be cosmetic and the operator is functionally honest, just opaque. If the withdrawal stalls, escalate per the withdrawal-stuck guide: in-app support first (24-hour response window), then email to the operator’s complaint address (5 business days), then grievance officer (15 days under IT Rules 2021), then AIGF grievance procedure (30 days if the operator is an AIGF member), then RBI ombudsman (if the failure is payment-aggregator-related), then Voxya plus consumer court.
Legal options
If the escalation path does not resolve the withdrawal within 60 days from the first request, legal options apply. The fastest is the District Consumer Disputes Redressal Commission for amounts up to INR 50 lakh, which is a streamlined consumer-court route with shorter timelines than civil court. For amounts above INR 50 lakh, the State Commission applies. For amounts above INR 2 crore, the National Commission applies. For criminal exposure (IPC 420), file an FIR at the local police station; investigation timelines vary widely. The KYC information you provided to the operator may help in the criminal route because it lets the police identify and contact the operator’s directors.
The PROGA framework also adds a regulatory complaint route to the central regulator for any operator that fails to honour PROGA-mandated obligations. As of May 2026 the central regulator’s complaint volume is high and timelines are long, but the route exists and the regulator does have power to revoke operating registration.
25 frequently asked questions
1. What is the minimum trust score I should accept before depositing?
22 out of 27. Below that, deposit small and monitor. Below 18, free chips only. Below 15, do not install.
2. How often should I re-run the audit?
Every 90 days for apps you actively use. Sooner if there has been a regulatory change (PROGA enforcement update, RBI nodal-account rule change) or if the operator changes payment aggregators, KYC vendors, or RNG audit body.
3. Does the score change if the app is on Play Store versus APK?
The Technical dimension treats them slightly differently (check 12), but the overall scoring scale is the same. Play Store distribution does not automatically pass the trust audit and APK distribution does not automatically fail it.
4. Why is RNG audit only one check out of 27?
Because RNG audit is necessary but not sufficient. An app with a current iTech Labs audit and no AIGF membership and no published grievance officer can still scam you on the operational dimension, just not on the dealing dimension. The 27-check breadth catches what a single-check filter misses.
5. Is there a difference between AIGF and EGF for the trust audit?
Yes. AIGF (All India Gaming Federation) is the body the audit checks. EGF (E-Gaming Federation) is a separate body with overlapping members but different code-of-conduct details. Most reputable operators are in AIGF; a few are in EGF; a few are in both. The audit pass condition is AIGF specifically because the AIGF grievance procedure has the longest enforcement track record.
6. What if the app is too new to have a Reddit history?
Mark the reputational checks as Unknown rather than Pass. In strict scoring, Unknown counts as fail because the absence of evidence in the reputational dimension is itself a risk signal: you do not know how the operator behaves under stress because no one has stress-tested them publicly yet.
7. Can I trust an offshore Curacao operator at all?
Conditionally. A proper offshore re-launch (separate Curacao entity, verifiable licence number, clear jurisdiction disclosure) can score 17 to 20 on the audit, which puts it in the deposit-small-and-monitor band. An improper offshore operation that just slapped a Curacao licence on the existing site without restructuring usually fails 4 to 6 checks at once.
8. Does PROGA apply to free-chips apps?
Less stringently. PROGA’s central focus is real-money games. Free-chips apps that have no cash conversion path are mostly outside the PROGA framework. They are still bound by IT Rules 2021 Rule 3(2)(a) (grievance officer), GST on in-app purchases, and consumer protection law generally.
9. What happens if I deposit on an app that scores 12?
You are taking on a real risk. The legal failures alone may expose you to GST liability that the operator did not collect. The financial failures may mean your deposit goes to a personal UPI handle from which you have no recourse. The operational failures mean any complaint will not be acknowledged within Rule 3(2)(a) timelines. The reputational failures mean other players have already had problems and you are about to join the queue.
10. How do I verify a payment aggregator’s RBI licence?
Search for “RBI Payment System Operators” on rbi.org.in; the page lists every licensed PA with the licence date and the corporate name. Confirm the aggregator named on the deposit screen matches an entry on the RBI list.
11. What does Section 194BA of the Income Tax Act mean for me?
Section 194BA, in force since 1 April 2023 and amended in 2025, requires a 30% TDS deduction on net winnings from online gaming, withheld at the time of withdrawal. Net winnings are calculated as withdrawals minus deposits, with annual aggregation. If your operator does not deduct TDS at withdrawal, you are still liable for the tax in your annual return. Reputable operators issue a Form 16A summarising the TDS deducted; absence of Form 16A is a check-failed signal even if not explicit in the 27-point framework.
12. Does GST 28% apply if I am playing on free chips?
No, because there is no real-money deposit subject to GST. If the app sells in-app coin packs that you can buy for INR but cannot withdraw, those purchases are subject to standard 18% GST as a digital service rather than the 28% gaming GST.
13. What is the difference between IPC 420 and PMLA charges?
IPC 420 is cheating and dishonestly inducing delivery of property; the threshold is intent to deceive plus actual property transfer. PMLA (Prevention of Money Laundering Act) covers the proceeds of any scheduled offence above the threshold value, including IPC 420 above the relevant amount. PMLA charges add asset attachment and longer sentences but require an underlying scheduled offence.
14. Can a single Reddit thread disqualify an app?
No. Single threads are noise. The audit looks for 12 months of long-term sentiment, not single-incident outrage. A pattern of monthly complaints across multiple users is the threshold; a single bad thread is not.
15. What if customer support replies fast but unhelpfully?
That is a fail on check 20 (customer support response time, which I treat as response quality plus speed combined). A 2-minute reply that does not address your question is worse than a 4-hour reply that resolves the issue. Test with specific real queries.
16. Are international card deposits safer than UPI?
Sometimes. International card deposits leave a chargeback path that UPI does not have (UPI is final-settlement). On the other hand, international card deposits typically involve higher transaction fees, slower withdrawal speeds, and a broader regulatory surface. The audit treats them as roughly equivalent on net risk.
17. Should I trust crypto deposits on a Teen Patti app?
The audit treats crypto deposits as a yellow flag. Crypto sidesteps the RBI nodal account and the payment aggregator audit trail entirely, which fails checks 14 and 15 by definition. Some legitimate offshore operators offer crypto for international players without targeting Indian deposits; some less legitimate operators use crypto specifically to avoid the audit trail. The crypto question itself is covered in the crypto deposits guide.
18. What if an app fails the AIGF check but passes everything else?
Score 26 of 27 with the AIGF check failed is still a deposit-confidently rating. The AIGF check is one of 27 and the framework deliberately does not weight it specially. However, the practical implication is that your grievance escalation route is consumer court rather than AIGF arbitration, which is slower.
19. How do I check the MCA portal for the parent company?
Go to mca.gov.in, click “MCA Services”, select “View Company or LLP Master Data”, search by company name. The lookup returns the CIN, the registered office, the directors and the filing status. Free for the basic lookup; paid for full filings download.
20. Does the operator’s CEO’s social media presence matter?
Soft signal only, not part of the 27 checks. A visible founder with a public LinkedIn and a reputation to protect is incremental positive evidence. A faceless brand with no identifiable people is a soft negative. Neither is decisive on its own.
21. What if the audit takes me longer than 35 minutes?
The first audit always takes longer because you have to learn where to find each piece of evidence. Subsequent audits on the same app or on similar apps usually take 20 to 25 minutes once you know the layout of common privacy policies, the AIGF members page, and the MCA portal.
22. Can I share my audit results publicly?
Yes, with the caveat that your subjective borderline-pass judgments may differ from another player’s. The audit framework is open and the score-band thresholds are deterministic; if you publish your individual check answers, others can re-derive your score and challenge specific check answers.
23. Does the audit cover responsible-gambling tools?
Indirectly. The Operational dimension’s customer support and grievance officer checks pick up some of the responsible-gambling surface. Specific responsible-gambling tools (deposit limits, time-out, self-exclusion) are not separately scored but their absence often correlates with failures on other operational checks.
24. What about apps that are India-licensed under one state but operate nationally?
Sikkim, Nagaland and Meghalaya state licences explicitly allow national operation in states where online gaming is not separately prohibited. The audit treats a valid state licence as a Pass on check 6 regardless of the player’s home state, with the caveat that the player should still check whether their home state has its own restriction (Tamil Nadu, Telangana, Andhra Pradesh, Karnataka, Assam, Odisha and Sikkim itself for non-residents have varying restrictions).
25. Can the 27-check framework be applied to Rummy or Poker apps?
Mostly yes. Checks 1 to 9 (Legal and most of Technical) apply identically. Check 10 (RNG audit) applies but the audited games change. Check 14 (payment aggregator) applies identically. The financial and operational checks are largely game-agnostic. The reputational checks would search r/IndianRummy or r/IndianPoker rather than r/TeenPatti.
Conclusion plus the printable 27-point trust audit card
The 27-check framework is comprehensive on purpose. Single-check filters miss the structural risks. Star ratings hide the failure mode. The audit forces you to look at five dimensions independently, name each specific failure, and convert the count into a deposit-or-not action. Across 14 apps and three audit cycles, the score-to-action mapping has matched my actual experience cleanly enough that I now refuse to deposit on any app I have not scored.
Print or screenshot the card below before your next audit. Each check is a yes or no question. The score is the count of yeses out of 27. The dimension breakdown tells you where the gaps are. The action band tells you what to do next.
The printable 27-point trust audit card
Legal (8 checks)
- PROGA Act 2025 compliance status published
- RBI nodal account presence (operator-side, via aggregator)
- GST registration plus filing status verifiable on CBIC
- KYC vendor disclosed by name (Hyperverge / Signzy / IDfy / Bureau / AuthBridge / Karza)
- AIGF Code of Ethics member, listed on aigf.in
- Operating jurisdiction clearly stated
- No IPC Section 420 history in last 36 months
- No active class action or class consumer complaint
Technical (5 checks)
- SSL certificate current, ideally Extended Validation
- RNG certification by eCOGRA / GLI / iTech Labs / BMM Testlabs with verifiable seal
- SHA-256 APK hash published and matches downloaded file
- App Store / Play Store / verifiable APK with consistent reviews
- Code obfuscation level normal-ProGuard, not heavy anti-debug
Financial (6 checks)
- Payment aggregator disclosed (Razorpay / Cashfree / Easebuzz / PayU / Juspay)
- UPI handle on Merchant Service Provider suffix, not personal
- Withdrawal speed published, median under 24 hours, 90th percentile under 72 hours
- Withdrawal limits documented on a public help page
- KYC withdrawal threshold disclosed before deposit
- Bonus rollover under 20x with games and time window listed
Operational (4 checks)
- Customer support responds in under 24 hours via two or more channels
- Grievance officer published with name, email and postal address per IT Rules 2021
- In-app reporting tools for suspicious players with status follow-up
- Voxya or Sikayetvar resolution rate above 50%
Reputational (4 checks)
- Reddit r/IndianGaming and r/TeenPatti net neutral or positive over 12 months
- Withdrawal-stuck cases monthly or less, not weekly
- Operator publishes a transparency report or fairness blog with real numbers
- Parent company does not own multiple suspicious clone brands
Scoring sheet
Tally the number of Yes answers. Mark the result on the action band:
- 22 to 27: Trustworthy. Deposit at your normal stake.
- 18 to 21: Caution. Deposit small and monitor.
- 15 to 17: Free chips only. Do not deposit real money.
- 0 to 14: Do not install.
If you are between bands, weight the dimensional breakdown. Three or more failures concentrated in the Legal dimension drop you one band regardless of the headline score. Three or more failures in the Financial dimension also drop you one band.
For ongoing trust monitoring, re-audit every 90 days, and immediately re-audit if any of the following happen: regulatory change (PROGA enforcement update, RBI rule change), operator changes payment aggregator or KYC vendor, operator changes RNG audit body, parent company gets named in any new FIR or class action, your own withdrawal cycle stalls.
If you discover an issue mid-stream, follow the withdrawal-stuck escalation guide and the recovery section above. If the operator fails the audit on multiple legal checks, file a complaint with the AIGF (if member) or the consumer commission (if not), and notify the central PROGA regulator if the failures look systemic.
The 27 checks will not catch every possible scam, because some scams are elaborate enough to fake compliance theatre across multiple dimensions. But the framework will catch the overwhelming majority of failure modes that have actually hurt Indian Teen Patti players in the post-PROGA era. The point is not to be paranoid but to be evidence-driven. If an app passes the audit, deposit. If it fails, walk to a different one. The 35 minutes of evidence-gathering is the cheapest insurance you can buy on any deposit.
For deeper context on adjacent risks, see the bot detection guide, the collusion detection guide, the payment processor explainer, and the KYC guide. For the comparison shortlist of apps that reliably pass the audit at 22 or above as of May 2026, see the safest Teen Patti app comparison.
See the apps that score 22 or above on the trust auditCompliance disclaimer
This article is independent editorial content for educational purposes. It is not legal, tax or financial advice and should not be relied upon as such for any specific decision. Indian regulatory references (PROGA Act 2025, RBI Payment Aggregator Master Directions 2023, Section 194BA Income Tax Act, IPC Section 420, GST 28% on online gaming, IT Rules 2021 Rule 3(2)(a)) are summarised for context and may have been amended after the publication date. Always check the latest text of the relevant statute and consult a qualified professional for advice on your specific situation. Online real-money gaming is restricted or prohibited in several Indian states; check the rules in your state before depositing on any app. Responsible gaming resources are available through the AIGF helpline at 1800-180-0011 and through state-level helplines listed in the addiction recovery guide. The 27-check framework is a heuristic; no audit can guarantee operator behaviour. Past compliance status does not predict future behaviour, which is why the framework recommends re-auditing every 90 days.