PAYzz (“the “Company”) does not permit the Company or its Customers to be used to facilitate money laundering, nor any other illicit activities and the financing of terrorist activities.
It is the policy of the Company to prohibit and actively prevent money laundering and any activity that facilitates money laundering or the funding of terrorist or criminal activities by complying with all applicable requirements under the Bank Secrecy Act (“BSA”) and its implementing regulations.
Money laundering is generally defined as engaging in acts designed to conceal or disguise the true origins of criminally derived proceeds so that the proceeds appear to have derived from legitimate origins or constitute legitimate assets. Generally, money laundering occurs in three stages. Cash first enters the financial system at the "placement" stage, where the cash generated from criminal activities is converted into monetary instruments, such as money orders or traveler's checks, or deposited into accounts at financial institutions. At the "layering" stage, the funds are transferred or moved into other accounts or other financial institutions to further separate the money from its criminal origin. At the "integration" stage, the funds are reintroduced into the economy and used to purchase legitimate assets or to fund other criminal activities or legitimate businesses.
Although cash is rarely deposited into securities accounts, the securities industry is unique in that it can be used to launder funds obtained elsewhere, and to generate illicit funds within the industry itself through fraudulent activities. Examples of types of fraudulent activities include insider trading, market manipulation, ponzi schemes, cybercrime and other investment-related fraudulent activity.
Terrorist financing may not involve the proceeds of criminal conduct, but rather an attempt to conceal either the origin of the funds or their intended use, which could be for criminal purposes. Legitimate sources of funds are a key difference between terrorist financiers and traditional criminal organizations. In addition to charitable donations, legitimate sources include foreign government sponsors, business ownership and personal employment. Although the motivation differs between traditional money launderers and terrorist financiers, the actual methods used to fund terrorist operations can be the same as or similar to methods used by other criminals to launder funds. Funding for terrorist attacks does not always require large sums of money and the associated transactions may not be complex.
Our AML policies, procedures and internal controls are designed to ensure compliance with all applicable BSA regulations and FINRA rules and will be reviewed and updated on a regular basis to ensure appropriate policies, procedures and internal controls are in place to account for both changes in regulations and changes in our business.
Rules: 31 C.F.R. § 1023.210; FINRA Rule 3310.
Compliance Program Background & Purpose
The Bank Secrecy Act (“BSA”) establishes the basic framework under which financial institutions are responsible for adherence to various anti-money laundering (AML) regulations. It authorizes the United States Secretary of the Treasury to issue regulations requiring financial institutions to keep records and file reports on financial transactions that may be useful in investigating and prosecuting money laundering and other financial crimes.
The Federal Financial Institutions Examination Council (FFIEC) recommends that financial institutions implement effective due diligence, monitoring, and reporting systems. In connection with its role as a registered Payment Facilitator, the Company is performing such obligations on behalf of its sponsor financial institution.
The Company has therefore developed this Policy and implemented the Compliance Program described in this Policy in accordance with the requirements of the Bank Secrecy Act (BSA) as a risk-based program to identify and prevent fraud, identify and report the suspicious transaction, to ensure adequate identification, investigation, and monitoring of Customers, and to comply with other applicable laws and industry requirements.
Scope AML
The actions and conduct of the Company’s directors and employees, (collectively, “personnel”), as well as others
acting on the Company’s behalf, are essential to maintaining these standards. To that end, personnel involved in the Company’s business activities must read, become familiar and comply with this Policy on Anti-Money Laundering (AML Policy), as well as future updates to this Policy and other similar Policy materials issued from time to time.
The Compliance Program is designed to, at a minimum:
To effectively address the company’s risk profile, the Company has adopted a risk-based approach to the application of internal controls and monitoring systems. This risk-based approach encompasses the following:
You likely need to reiterate a person responsible:
AS noted below, the Company has designated Abhishek Bhosale as its Anti-Money Laundering Program Compliance Person (Director of Compliance), with full responsibility for the firm’s AML program. The duties of the AML
Compliance Person will include monitoring the firm’s compliance with AML obligations, overseeing communication and training for employees, and ensuring the AML policy is updated time to time. The AML Compliance Person will also ensure that the firm keeps and maintains all of the required AML records and will ensure that Suspicious Activity Reports (SARs) are filed with the Financial Crimes Enforcement Network (FinCEN) when appropriate. The AML Compliance Person is vested with full responsibility and authority to enforce the firm’s AML program.
The Director of Compliance will ensure risk is appropriately assessed and will conduct a comprehensive risk assessment of the AML program on at least an annual basis. This assessment must include the identification and analysis of areas of legal and compliance risk to the Company, including the type, impact and likelihood of the risk. The Director of Compliance may delegate such risk analysis, but in all cases, he or she must review all such analyses for accuracy and adequacy.
The risk assessment will be performed through:
2.Dynamic Nature of Compliance Program and AML Policy
As with the underwriting of Customer accounts, the Company’s approach to Compliance is dynamic. As new fraud trends and high-risk activity related to credit card processing are identified across the industry, and technology evolves to provide new solutions, our policies and procedures, exception criteria, and periodic monitoring are evaluated and adjusted accordingly.
Designation of the AML Compliance Officer
The Director of Compliance oversees the AML Policy and is the AML Compliance Officer. The Director of Compliance is vested with full responsibility and authority to implement and enforce this, Policy. The Director of Compliance may establish a team of the Company’s personnel (Compliance Team) to assist with compliance to this Policy. The Director of Compliance is responsible for:
A.Customer Identification Program Policy
It is the policy of the Company to ensure proper adherence to the provisions and intent of the USA Patriot Act regarding the identity verification of any person seeking to open an account or otherwise use the Company’s services. The Company will, as part of its due diligence process:
The Company will implement and maintain identification, documentation, verification, and recordkeeping procedures to:
1. Know Your Customer Procedures and Processes
The Company uses Experian to conduct collection and verification of Know Your Customer (“KYC”) required data.
Adequate identification information must be obtained for each actual and beneficial owner of a customer. The Company will review the Customer’s corporate documents to verify that those individuals specified by the Customer constitute all actual and beneficial owners of such Customer.
Prior to opening an account for a customer, at minimum the following information will be obtained and evaluated in accordance with this Policy:
The Company will NOT open an account for:
If a customer refuses to provide the information requested by the Company in connection with its due diligence or ongoing risk evaluation, or appears to have provided misleading information, the Company will NOT open the account (or close the existing account), evaluate any associated risks, and will escalate the matter to the Director of Compliance for a determination as to the necessity of filing a SAR (as described later in this Policy).
2. Beneficial Ownership Rule Standards
The Company uses Experian verification tools to verify Beneficial Owners, Controlling Managers, and their identities.
a.Beneficial Ownership
The collection and identity verification of all individuals who directly or indirectly own 25% or greater equity interest in the Customer business (legal entity) establishing the Customer processing account, or the largest percentage owner(s) is there is no individual with a 25% or greater equity interest. The required information must be collected and verified at the time of account opening.
b.Controlling Manager
The collection and identity verification of a single individual with significant responsibility to control, manage, or direct the Customer business (legal entity). For example, an executive officer or senior manager.
c.Collection and Verification
The collection and verification of the following information for controlling individuals and beneficial owners:
The Office of Foreign Assets Control (OFAC) is an office of the U.S. Treasury that administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against entities such as targeted foreign countries, terrorists, international narcotics traffickers, and those engaged in activities related to the proliferation of weapons of mass destruction.
All U.S. persons must comply with OFAC’s regulations. In general, the regulations require:
It is the policy of the Company to ensure proper adherence to OFAC-related laws and regulations.
The Company reviews all accounts and transactions for potential OFAC violations utilizing Experian, automatically reviewing at the time of onboarding and monthly OFAC check tools. In addition, the Company will be performing a manual check every quarter to audit the continuous check tool.
Experian provides continuous monitoring of OFAC lists to the Company.
OFAC publishes the Specially Designated Nationals and Blocked Persons List (SDN), a list of individuals and entities, which are owned or controlled by, or acting for, or on behalf of, the governments of targeted countries or one associated with international narcotics trafficking or terrorism. This SDN list is updated and republished from time to time, and the Company utilizes this list to identify persons subject to the OFAC regulations.
In addition to the individuals and entities included on the SDN list, OFAC regulations impose prohibitions on transactions with sanctioned countries, governmental units of the sanctioned countries (including officials), in some cases on citizens of sanctioned countries (wherever located), and on individuals residing or traveling in a sanctioned country.
For US:
For Canada:
The Compliance Team will complete screening at the following intervals and through ongoing monitoring:
Through the course of monitoring, the Compliance Team will screen the following fields:
5.Identification of High-Risk Business Areas
The Company conducts a periodic risk assessment of its specific product lines, Customers, and the nature of transactions to identify potential high-risk areas for OFAC transactions. The initial identification of high-risk or prohibited Customers for purposes of OFAC is performed as part of the Company’s due diligence procedures completed regarding each Customer application. It is the responsibility of the Director of Compliance to consider all types of transactions, products, and services when conducting the company’s risk assessment process. The Director of Compliance may establish additional policies, procedures, and processes, especially those established for high- risk Customers located in high-risk geographic locations if any. All such policies, procedures, and processes will be written and documented in an update or amendment to this Policy or as a separate policy. The principals and/or owners of each Customer will be evaluated in connection with the review of each Customer.
6.Implementation and Support of Internal Controls Methods
The Company maintains a system of internal controls that help identify suspect accounts and report such instances to OFAC. This system includes evaluating each Customer, principal of each Customer at the time the foregoing is on-boarded to the Company’s system and thereafter on a monthly basis comparing the most recent OFAC lists to the Company’s databases to identify any overlap, providing proper training to the Company’s personnel to assist in timely and accurately identifying any OFAC risks or violations, and having a properly trained manager or supervisor review the findings of each of the foregoing as well as a random sample of the Company’s Customer and customer databases. In addition to Experian’s OFAC check tools, the Company will be performing a manual check every month to audit the continuous check tool.
The Compliance Team conducts internal audits on the effectiveness of its OFAC Compliance Program on an annual basis. Audit personnel is instructed to conduct a comprehensive evaluation of this Policy and its related procedures and processes to ensure that the Company has:
It is the policy of the Company to promptly correct and reports any detected violations discovered during the audit process to both OFAC and its executives. The team will develop a comprehensive report that summarizes the audit activities, analyzes the results, and offers an implementation plan for any changes or updates to the AML program.
All personnel receive adequate training on OFAC compliance, consistent with its OFAC risk profile, and how OFAC compliance relates to an employee’s specific responsibilities in connection with their initial hire training, and periodically thereafter as appropriate to ensure employees remain up to date on OFAC requirements and related
policies and procedures.
OFAC requires the company to implement a system of internal controls designed to screen all individuals and entities with which the Company may conduct business and confirm whether or not the entity or individual is subject to OFAC regulations. OFAC checks are done prior to onboarding new Customers and monthly as stated in Section B.4 OFAC Screening Timing.
a.Onboarding New Accounts
The Company will provide notice to each Customer on the application form or in a document agreed to by such person or entity (which may be, without limitation, the terms and conditions, privacy policy, or Customer agreement) notice that the information provided by such Customer and its owners will be used to verify their identities as required by federal law. The Company has instituted and follows due diligence protocols designed to ensure all new accounts and Customers are verified against the SDN list or other applicable OFAC lists, as published on the official OFAC web site at www.treas.gov/ofac. In no case will the Company board any Customer without performing a check of such individual, or such entity and its principals, against the appropriate OFAC lists. If there is a potential match, the Compliance Team will appropriately document the findings, escalate the findings to the Director of Compliance, consult with the Company’s legal counsel for appropriate next steps, request additional information if appropriate, and file necessary documents with OFAC if appropriate.
b.Monthly Monitoring
The Company’s use of Experian will provide the Compliance Team with the list of potential match transactions via an immediate report or by electronic mail delivered no later than the next morning. This email will be reviewed the day it is received with each identified potential match investigated and evaluated by a member of the Compliance Team (as set forth below).
c.False Positive Matches
It is the responsibility of the Company’s Compliance Team and other personnel to immediately contact the Director of Compliance if it is suspected that a potential OFAC match is found. The impacted Customer account will be immediately frozen until a final determination about OFAC requirements is made by the Director of Compliance. It is the responsibility of the Director of Compliance to make a final determination if the suspect match is a true match with the applicable OFAC list and document the issue as applicable. In general, this is accomplished by reviewing the Customer’s file, gathering or obtaining any additional information as appropriate, and contacting OFAC’s hotline for further verification assistance. The Compliance Team maintains a separate file for all true, positive matches identified by Experian. False Positive decisions will be recorded as part of the Company internal account management system.
If it is determined that it is not a match, the Director of Compliance is to notify the reporting employee of the decision in writing and document the finding to the Customer’s file so business between such Customer and the Company may begin or resume.
a. True Matches
If it is determined that the user is a positive match to the OFAC List, the Director of Compliance is to notify the reporting employee in writing of the decision, place an appropriate hold on the Customer’s transaction or account, document the issue within the Customer’s file and the company’s OFAC Reporting File, notify the sponsor bank, notify the Acquiring Bank, notify OFAC of the positive match, and file a Suspicious Activity Report (SAR) or cause the sponsor bank to file a SAR, as warranted. For each identified positive OFAC match, the Director of Compliance will consult with internal legal counsel regarding the identified OFAC violation to determine further actions which should be taken, if any. All Customers with True Matches are terminated or declined and funds are blocked.
The Compliance Team will immediately decline/terminate true matches and report the incident to OFAC. The Company will also notify the Acquiring Bank of any true matches for existing customers.
d. OFAC Reporting Requirement
The Compliance Team is responsible for completing OFAC reporting requirements, including the following activities:
e. OFAC Process Responsibilities Summary The Compliance Team:
Customer’s participation in the Company’s programs. All accounts identified as a match and funds received in connection therewith are immediately frozen and placed in a locked account until a legal opinion is obtained. All transaction and account details must be recorded.
10. Response to Government Agencies
Upon the Company’s receipt of any request concerning a Customer account or transaction from any government agency, including FinCEN, or the Company’s sponsor bank, the Compliance Team will work with counsel to immediately search the Company’s records to determine if it maintains or has maintained any account for, has engaged in any transaction with, or processed any transaction on behalf of the individual, entity, or organization named in such request.
C.AML Policy Administration 1.Compliance Activities
The Company documents its compliance with the foregoing processes with respect to each Customer and third-party service provider and maintains such documentation in accordance with applicable laws and the card brand rules. If any risk is identified, it will be reviewed and evaluated, and if appropriate the relevant Customer will be contacted to obtain additional information.
The risk assessment program is not static but reviewed and adjusted periodically: every year, or when a change in the business activities occurs, and when new risk factors are identified. The following aspects of a risk-based approach are considered during monitoring and review of the program:
All employees must receive AML training upon hire and annually thereafter.
The Compliance Team provides the Company’s workforce with Compliance Program training that is appropriate and proportional with regard to their responsibilities. This effort provides general information on laws, regulations and internal policies that is:
Such training includes, as applicable based on the employee’s role and responsibility: how to identify red flags and signs of money laundering that arise during the employee’s duties, what to do once the risk is identified (including appropriate escalation procedures), the Company’s record retention policy, the disciplinary consequences for the employee and the Company for noncompliance.
This training may be conducted through educational pamphlets, videos, emails, in-person lectures, conference calls, explanatory memos, webinars, or other events as deemed appropriate by the Director of Compliance.
Each employee at the Company is instructed to report any identified deficiencies or actual or suspected fraud, suspicious activities, money laundering, terrorist activities, or other unusually risky transactions to the Director of Compliance. Such reports are confidential, and the employee will suffer no retaliation for making them.
In addition to training, the Company’s Compliance Team has regularly scheduled meetings to identify trends, support ongoing and earlier detection and mitigation of potential issues, and perform joint postmortem exercises on large losses or repeat loss patterns. These meetings include personnel performing underwriting, risk, compliance, dispute management, and collections.
Each Customer’s private records held by the Company are updated based on flags relating to risk and underwriting and additional information received from or related to such Customer (including but not limited to information from any periodic review or investigation). The Compliance Team calculates expected performance and activity for each Customer, compare actual numbers to expected numbers, and prepare variance reports to identify any unusual or unexpected activity or performance.
The Compliance Team conducts an independent test of its procedures and adherence to this Policy on an annual basis, or more frequently as deemed appropriate by the Director of Compliance. Such independent testing, at a minimum, includes:
The Compliance Team provides remediation training on issues raised from the testing and remediation if a failing grade occurs.
4.Annual Review of Suspicious Activity
A least once a year, the institution’s internal auditor or an independent third party will review the Compliance Officer’s suspicious activity file. The auditor ensures that all identified suspicious activity was reviewed and appropriately handled.
To the extent any exception is made to the policies, procedures, or requirements set forth in this Policy, such exception shall only be made if: (a) it has been completely and adequately documented in a writing setting forth the reason for the exception and the name and title of the senior executive of the Company authorizing the exception;
(b) the exception has been approved in writing by the Company’s legal department; (c) if applicable, the exception has been reported to and approved by the Company’s sponsor institution; (d) the funds released or other actions taken have been clearly documented; (e) an expiration or review date for the exception has been set; and (f) the Director of Compliance maintains such records and tracks such exception as appropriate under the circumstances.
The Director of Compliance shall maintain records and track all exceptions granted, including related documentation and approvals for a minimum of five (5) years post account closure. Records are to be stored in a safe place not susceptible to destruction.
Suspicious Activities Monitoring & Reporting
The objective of the Suspicious Activities Reporting (SAR) requirement is to identify, as part of the Company’s larger Policy and Compliance Program, the Company’s obligations with respect to filing Suspicious Activity
Reports with appropriate governmental entities. This operates in conjunction with the Company’s other anti-money laundering obligations set forth in this Policy.
2.Suspicious Activity Detection
The awareness of what constitutes suspicious activity, and when appropriate filing an SAR directly or through its acquirer, is a cornerstone in the Company compliance reporting responsibilities. The Company consults with its acquirer for any identified activities which warrant the filing of an SAR, and based on such consultation, the Company will file the appropriate SAR.
a.Responsibility
The Director of Compliance or their designee is responsible for monitoring suspicious activity on an ongoing basis, whether it is reviewing activity as detected by their team, or through any other notification channel.
b.Training
In addition to using the system, all employees receive training once a year on how to identify money laundering operations. New employees that have direct contact with customers receive initial training within the first four weeks of employment.
c.Specific Monitoring
monitoring are available in the Company’s URL Monitoring Policy.
The Company reports suspicious transactions to its acquirer promptly and will file (or allow the acquirer to file) a SAR no later than 15 calendar days after the date of the initial detection of the facts that constitute a basis for filing such report. A review must be initiated promptly upon identification of unusual activity that warrants investigation. Any activity identified as illegal activity should be made known directly to law enforcement, as well as to appropriate state and federal regulatory agencies. In accordance with regulatory guidelines, the Director of Compliance or his