
BSA/AML Policy

PAYzz (the “Company”) does not permit the Company or its Customers to be used to facilitate money laundering, any other illicit activities, or the financing of terrorist activities.


It is the policy of the Company to prohibit and actively prevent money laundering and any activity that facilitates money laundering or the funding of terrorist or criminal activities by complying with all applicable requirements under the Bank Secrecy Act (“BSA”) and its implementing regulations.


Money laundering is generally defined as engaging in acts designed to conceal or disguise the true origins of criminally derived proceeds so that the proceeds appear to have derived from legitimate origins or constitute legitimate assets. Generally, money laundering occurs in three stages. Cash first enters the financial system at the "placement" stage, where the cash generated from criminal activities is converted into monetary instruments, such as money orders or traveler's checks, or deposited into accounts at financial institutions. At the "layering" stage, the funds are transferred or moved into other accounts or other financial institutions to further separate the money from its criminal origin. At the "integration" stage, the funds are reintroduced into the economy and used to purchase legitimate assets or to fund other criminal activities or legitimate businesses.


Although cash is rarely deposited into securities accounts, the securities industry is unique in that it can be used to launder funds obtained elsewhere, and to generate illicit funds within the industry itself through fraudulent activities. Examples of fraudulent activities include insider trading, market manipulation, Ponzi schemes, cybercrime and other investment-related fraudulent activity.


Terrorist financing may not involve the proceeds of criminal conduct, but rather an attempt to conceal either the origin of the funds or their intended use, which could be for criminal purposes. Legitimate sources of funds are a key difference between terrorist financiers and traditional criminal organizations. In addition to charitable donations, legitimate sources include foreign government sponsors, business ownership and personal employment. Although the motivation differs between traditional money launderers and terrorist financiers, the actual methods used to fund terrorist operations can be the same as or similar to methods used by other criminals to launder funds. Funding for terrorist attacks does not always require large sums of money and the associated transactions may not be complex.


Our AML policies, procedures and internal controls are designed to ensure compliance with all applicable BSA regulations and FINRA rules and will be reviewed and updated on a regular basis to ensure appropriate policies, procedures and internal controls are in place to account for both changes in regulations and changes in our business.


Rules: 31 C.F.R. § 1023.210; FINRA Rule 3310.



Compliance Program Background & Purpose


The Bank Secrecy Act (“BSA”) establishes the basic framework under which financial institutions are responsible for adherence to various anti-money laundering (AML) regulations. It authorizes the United States Secretary of the Treasury to issue regulations requiring financial institutions to keep records and file reports on financial transactions that may be useful in investigating and prosecuting money laundering and other financial crimes.


The Federal Financial Institutions Examination Council (FFIEC) recommends that financial institutions implement effective due diligence, monitoring, and reporting systems. In connection with its role as a registered Payment Facilitator, the Company is performing such obligations on behalf of its sponsor financial institution.


The Company has therefore developed this Policy and implemented the Compliance Program described in this Policy in accordance with the requirements of the Bank Secrecy Act (BSA) as a risk-based program to identify and prevent fraud, to identify and report suspicious transactions, to ensure adequate identification, investigation, and monitoring of Customers, and to comply with other applicable laws and industry requirements.


Scope AML


The actions and conduct of the Company’s directors and employees (collectively, “personnel”), as well as others acting on the Company’s behalf, are essential to maintaining these standards. To that end, personnel involved in the Company’s business activities must read, become familiar with and comply with this Policy on Anti-Money Laundering (AML Policy), as well as future updates to this Policy and other similar Policy materials issued from time to time.


Program Requirements


The Compliance Program is designed to, at a minimum:


  1. Incorporate policies, procedures, and internal controls (each designed based upon the company’s assessment of the money laundering and fraud risks associated with its products and services) to identify and minimize or, to the extent reasonably possible, prevent money laundering and fraud and comply with applicable laws regarding the foregoing.
  2. Provide for customer due diligence procedures with regard to Customers with whom business relationships are established and to ensure that appropriate information has been obtained before a decision is made to enter into a business relationship.
  3. Designate a Director of Compliance who has ultimate responsibility for oversight and implementation of the AML Policy and is responsible for ensuring:
    1. The Compliance Program is implemented effectively.
    2. The Compliance Program is updated as necessary.
    3. All appropriate employees are educated and trained.
  4. Provide for testing to monitor and maintain an adequate Compliance Program. The scope and frequency of the testing is commensurate with the risks posed by each Customer and the Company’s products and services, but such testing occurs at least once per calendar year. Such testing will be performed by an independent party, which may be a third party or an officer or employee of the Company, other than the designated compliance or operations officer or any other person on the Compliance Team.


D. Risk-Based Approach


To effectively address the company’s risk profile, the Company has adopted a risk-based approach to the application of internal controls and monitoring systems. This risk-based approach encompasses the following:


  1. A risk assessment of the Company’s and each Customer’s business activities.
  2. Implementation of controls to manage and minimize identified risks.
  3. Keeping Customer identification, beneficial ownership and business relationship information up-to-date for each Customer. This includes, but is not limited to, investigating the ownership structure of each Customer, obtaining supporting documentation for such ownership, identifying any beneficial owners, and obtaining copies of sufficient identification information (such as passports, licenses, social security numbers, and other relevant information) for all such actual and beneficial owners.
  4. The ongoing monitoring of the Company’s and each Customer’s office locations, activities and business relationships; and performing due diligence, or if applicable enhanced due diligence, on each Customer prior to facilitating any transactions on behalf of such Customer.
  5. Appropriate limitations on anonymous activity including:


  1. Anonymous or numbered accounts, cards, and transactions must all be documented
  2. Enhanced Due Diligence (EDD) is conducted when appropriate


  • Beneficial ownership identification and verification - Location of the business, occupation or nature of business is checked if EDD is required
  • Purpose of the business transactions
  • Expected pattern of activity in terms of transaction types, dollar volume and frequency
  • Expected origination of payments and method of payment
  • Articles of incorporation, partnership agreements and business certificates
  • Understanding the customer’s customers


  • Identification of beneficial owners of an account or customer
  • Details of other personal and business relationships the customer maintains
  • Approximate salary or annual sales
  • Local market reputation through review of media sources
  • Clients who are politically exposed persons (PEPs), in other words people with high-profile political roles or who perform prominent public functions
  • Clients who are special interest persons (SIPs), in other words those who have a known history of involvement with financial crimes. A person doesn’t have to have been convicted to be considered an SIP. They could have been previously accused of financial crimes, or be currently facing court proceedings.
  • Clients who have sanctions against them
  • Clients who feature in a high volume of adverse media, in other words negative media coverage about them
  • Adverse information checks are usually part of our Customer Due Diligence and KYC procedures. This kind of information includes news of involvement in fraud, money laundering, terrorism financing, human rights abuse, narcotics dealing, and tax evasion etc.
  • Clients who have a high net worth
  • Clients who are involved in unusual, complex, or seemingly purposeless transactions


  1. No activity to be conducted with shell banks or any activities with payable through accounts at a shell bank





As noted below, the Company has designated Abhishek Bhosale as its Anti-Money Laundering Program Compliance Person (Director of Compliance), with full responsibility for the firm’s AML program. The duties of the AML Compliance Person will include monitoring the firm’s compliance with AML obligations, overseeing communication and training for employees, and ensuring the AML policy is updated from time to time. The AML Compliance Person will also ensure that the firm keeps and maintains all of the required AML records and will ensure that Suspicious Activity Reports (SARs) are filed with the Financial Crimes Enforcement Network (FinCEN) when appropriate. The AML Compliance Person is vested with full responsibility and authority to enforce the firm’s AML program.



1. Annual AML Risk Assessment


The Director of Compliance will ensure risk is appropriately assessed and will conduct a comprehensive risk assessment of the AML program on at least an annual basis. This assessment must include the identification and analysis of areas of legal and compliance risk to the Company, including the type, impact and likelihood of the risk. The Director of Compliance may delegate such risk analysis, but in all cases, he or she must review all such analyses for accuracy and adequacy.


The risk assessment will be performed through:


  1. Compliance reviews designed or approved by the Director of Compliance in accordance with the Compliance Program.
  2. Investigations.
  3. Due diligence and screening of boarded Customers.
  4. Ongoing monitoring of transactions and Customer activity.
  5. National trends and publicity regarding areas of industry exposure, government enforcement programs, and priorities, and changes in laws and regulations.
  6. The policies and procedures set forth in this Policy.


2. Dynamic Nature of Compliance Program and AML Policy


As with the underwriting of Customer accounts, the Company’s approach to Compliance is dynamic. As new fraud trends and high-risk activity related to credit card processing are identified across the industry, and technology evolves to provide new solutions, our policies and procedures, exception criteria, and periodic monitoring are evaluated and adjusted accordingly.


Designation of the AML Compliance Officer


The Director of Compliance oversees the AML Policy and is the AML Compliance Officer. The Director of Compliance is vested with full responsibility and authority to implement and enforce this Policy. The Director of Compliance may establish a team of the Company’s personnel (Compliance Team) to assist with compliance with this Policy. The Director of Compliance is responsible for:


  1. Maintaining a broad view of compliance and ethics issues affecting the Company and a demonstrated personal commitment to the goals of the AML Policy and Compliance Program.
  2. Communicating compliance and ethics goals, standards, and procedures throughout the Company.
  3. Investigating or overseeing the investigation of suspected cases of illegal or improper activity within the Company and ensuring corrective action is taken.
  4. Performing a risk assessment to determine all areas of the Company’s risk exposure related to money laundering, anti-fraud, and collection risk and providing a report about the risk assessment and its conclusions to senior management.
  5. Ensuring that adequate controls are in place to address and mitigate risk before products or services are offered or provided to any third party.
  6. Informing the Company’s senior management of ongoing and planned compliance initiatives, identified compliance deficiencies, corrective action taken, and suspicious activity reports (SARs) filed (as provided in this Policy).
  7. Providing for program continuity despite changes in management or employee composition or structure.
  8. Implementing and maintaining a comprehensive and risk-based Customer onboarding program, which includes appropriate due diligence and enhanced due diligence policies, procedures and processes, including without limitation the accurate identification of each Customer and its principals.
  9. Maintaining all regulatory recordkeeping and fulfilling all applicable reporting requirements, recommendations for compliance policies and procedures, and providing timely updates in response to changes in regulations.
  10. Providing adequate controls for higher risk Customers, transactions, and products, as necessary, such as transaction limits or management approvals.
  11. Enabling the timely identification of reportable Customers and transactions and ensuring accurate filing of required reports.
  12. Monitoring Customers and their transaction activity on an ongoing basis to identify any unusual or fraudulent transactions, violations of the Company’s agreement with such Customer, or violations of applicable laws or card brand rules.
  13. Preparing and presenting regular updates to the Company’s Board of Directors regarding compliance activity undertaken and plans for future activities, including assessments of the effectiveness of the Compliance Program.


Anti-Money Laundering Policy


A. Customer Identification Program Policy


It is the policy of the Company to ensure proper adherence to the provisions and intent of the USA Patriot Act regarding the identity verification of any person seeking to open an account or otherwise use the Company’s services. The Company will, as part of its due diligence process:


  1. Determine if the prospective Customer is opening an account or participating in the program only for purposes that are reasonable and practical.
  2. Maintain records of the information used to verify each Customer’s identity, including name, address, and other identifying information, for those timeframes required by applicable.


  1. Evaluate supporting documentation received from the prospective Customer (government-issued identification documents can generally be relied upon absent some form of fraud).
  2. Verify the identity through a comparison of information received from the Customer with information obtained from a consumer reporting agency, public database, or another source.
  3. Check references with other financial institutions.
  4. Obtain a financial statement (or a bank’s statement, on bank letterhead, that the prospective Customer’s bank account is in good standing).
  5. Determine whether the person appears on any lists of known or suspected terrorists or terrorist organizations provided by any government agency.
  6. Supplement the identification procedures in this section with non-documentary methods of verification as appropriate.


The Company will implement and maintain identification, documentation, verification, and recordkeeping procedures to:


  1. Comply with state and federal regulations applicable to the Company’s sponsor.
  2. Adhere to Card Brand rules, applicable laws, program standards as required by the Acquirer and best practices and guidelines as given by the payments industry.
  3. Decrease the risk that the Company will become a victim of illegal activities undertaken by a Customer.
  4. Protect the reputation and strategic position of the Company.


1. Know Your Customer Procedures and Processes


The Company uses Experian to conduct collection and verification of Know Your Customer (“KYC”) required data.


Adequate identification information must be obtained for each actual and beneficial owner of a customer. The Company will review the Customer’s corporate documents to verify that those individuals specified by the Customer constitute all actual and beneficial owners of such Customer.


Prior to opening an account for a customer, at minimum the following information will be obtained and evaluated in accordance with this Policy:


  1. For principals and beneficial owners (25%) of the Customer, collect and verify:
    1. Name
    2. Physical address (no P.O. Box)
    3. Date of birth
    4. Social security card number (or other forms of government-issued documents evidencing nationality or residence and bearing a photograph or similar safeguard such as a passport)
  2. For Customers, businesses collect and verify:
    1. Legal name
    2. Doing Business As name
    3. Physical address (P.O. Box is not acceptable)
    4. Employee identification number/taxpayer identification number (EIN/TIN)
    5. Date of formation or incorporation


1. Internal Controls


The Company will NOT open an account for:


  1. a foreign business;
  2. any individual or entity that does not have a tax identification number;
  3. any individual or entity for whom the Company is not able to form a reasonable belief that it knows the true identity of such Customer and each of its owners; or
  4. any entity where verification of controlling individuals could not be conducted.


If a customer refuses to provide the information requested by the Company in connection with its due diligence or ongoing risk evaluation, or appears to have provided misleading information, the Company will NOT open the account (or close the existing account), evaluate any associated risks, and will escalate the matter to the Director of Compliance for a determination as to the necessity of filing a SAR (as described later in this Policy).


2. Beneficial Ownership Rule Standards


The Company uses Experian verification tools to verify Beneficial Owners, Controlling Managers, and their identities.


a. Beneficial Ownership


The collection and identity verification of all individuals who directly or indirectly own 25% or greater equity interest in the Customer business (legal entity) establishing the Customer processing account, or the largest percentage owner(s) if there is no individual with a 25% or greater equity interest. The required information must be collected and verified at the time of account opening.


b. Controlling Manager


The collection and identity verification of a single individual with significant responsibility to control, manage, or direct the Customer business (legal entity). For example, an executive officer or senior manager.


c. Collection and Verification


The collection and verification of the following information for controlling individuals and beneficial owners:


  • Legal Name
  • Date of Birth
  • Physical Residential or Business Address (P.O. Box not acceptable)
  • Social Security Number (SSN) [For non-U.S. persons without an SSN, their Foreign Passport Number and Country of Issuance or similar identification]
  • Percent of Ownership


B. OFAC Compliance


1. OFAC Background


The Office of Foreign Assets Control (OFAC) is an office of the U.S. Treasury that administers and enforces economic and trade sanctions based on U.S. foreign policy and national security goals against entities such as targeted foreign countries, terrorists, international narcotics traffickers, and those engaged in activities related to the proliferation of weapons of mass destruction.


All U.S. persons must comply with OFAC’s regulations. In general, the regulations require:

  1. Blocking of accounts and other property of specified countries, entities, and individuals.
  2. Prohibition or rejection of unlicensed trade and financial transactions with specified countries, entities, and individuals.

It is the policy of the Company to ensure proper adherence to OFAC-related laws and regulations.


2. OFAC Screening Tools


The Company reviews all accounts and transactions for potential OFAC violations utilizing Experian’s OFAC check tools, which review automatically at the time of onboarding and monthly. In addition, the Company will be performing a manual check every quarter to audit the continuous check tool.


3. OFAC Screening Lists


Experian provides continuous monitoring of OFAC lists to the Company.

OFAC publishes the Specially Designated Nationals and Blocked Persons List (SDN), a list of individuals and entities that are owned or controlled by, or acting for or on behalf of, the governments of targeted countries, or that are associated with international narcotics trafficking or terrorism. This SDN list is updated and republished from time to time, and the Company utilizes this list to identify persons subject to the OFAC regulations.


In addition to the individuals and entities included on the SDN list, OFAC regulations impose prohibitions on transactions with sanctioned countries, governmental units of the sanctioned countries (including officials), in some cases on citizens of sanctioned countries (wherever located), and on individuals residing or traveling in a sanctioned country.


For US:


  1. OFAC List of Specially Designated Nationals (SDN)
  2. OFAC List of Sanctioned Programs
  3. OFAC List of Sanctioned Countries
  4. OFAC Consolidated List of Non-SDN sanctions
  5. Palestinian Legislative Council (NS-PLC) List
  6. The List of Foreign Financial Institutions Subject to Part 561 (the Part 561 List)
  7. OFAC Foreign Sanctions Evaders (FSE) List
  8. OFAC Sectoral Sanctions Identifications (SSI) List
  9. Non-SDN Iranian Sanctions Act (NS-ISA) List
  10. FinCEN – Financial Crimes Enforcement Network Section 314a Compliance List
  11. FinCEN - PATRIOT ACT - Section 311 List
  12. Bureau of Industry and Security Consolidated Screening List, including Denied Persons List (DPL), Unverified List, The Entity List, and the Directorate of Defense Trade Controls List of Debarred Parties and others
  13. FBI Most Wanted Terrorists and Top 10 Most Wanted
  14. PEP screening is a process to identify and conduct customer due diligence on any politically exposed person as part of a robust Anti-Money Laundering and Know Your Customer (AML/KYC) program
  15. CIA World Leaders List (Chiefs of State & Cabinet Members of Foreign Governments), also known as PEP (Politically Exposed Persons) List, including US White House


For Canada:


  1. OSFI List of Names Subject to Terrorist Suppression Regulations
  2. OSFI List of Organizations Subject to Terrorist Suppression Regulations
  3. OSFI List of Names subject to sanctions under the Regulations Implementing the United Nations Resolution on Iran
  4. OSFI List of Organizations subject to sanctions under the Regulations Implementing the United Nations Resolution on Iran
  5. OSFI List of Names subject to sanctions under the Regulations Implementing the United Nations Resolution on the Democratic People's Republic of Korea
  6. Politically Exposed Foreign Persons (PEFP) Lists for Tunisia and Egypt


For UK / EU / UN:


  1. HM Treasury Sanctions Lists (formerly maintained by the Bank of England)
  2. Consolidated list of asset freeze targets, designated by the UN, EU and UK
  3. Ukraine: list of persons subject to restrictive measures


For France:


  1. FATF List of Non-Cooperative Countries (Money Laundering)


3. Screening Timing


The Compliance Team will complete screening at the following intervals and through ongoing monitoring:

  • Boarding
  • Monthly thereafter

4. OFAC Screening Fields


Through the course of monitoring, the Compliance Team will screen the following fields:

  • Legal Name
  • Doing Business as Name (DBA)
  • Names of (a) owners, (b) principals, and (c) beneficial owners


5. Identification of High-Risk Business Areas


The Company conducts a periodic risk assessment of its specific product lines, Customers, and the nature of transactions to identify potential high-risk areas for OFAC transactions. The initial identification of high-risk or prohibited Customers for purposes of OFAC is performed as part of the Company’s due diligence procedures completed regarding each Customer application. It is the responsibility of the Director of Compliance to consider all types of transactions, products, and services when conducting the company’s risk assessment process. The Director of Compliance may establish additional policies, procedures, and processes, especially those established for high-risk Customers located in high-risk geographic locations, if any. All such policies, procedures, and processes will be written and documented in an update or amendment to this Policy or as a separate policy. The principals and/or owners of each Customer will be evaluated in connection with the review of each Customer.


6. Implementation and Support of Internal Controls Methods


The Company maintains a system of internal controls that help identify suspect accounts and report such instances to OFAC. This system includes evaluating each Customer and principal of each Customer at the time the foregoing is on-boarded to the Company’s system and thereafter on a monthly basis comparing the most recent OFAC lists to the Company’s databases to identify any overlap, providing proper training to the Company’s personnel to assist in timely and accurately identifying any OFAC risks or violations, and having a properly trained manager or supervisor review the findings of each of the foregoing as well as a random sample of the Company’s Customer and customer databases. In addition to Experian’s OFAC check tools, the Company will be performing a manual check every month to audit the continuous check tool.


7. Independent Testing Review


The Compliance Team conducts internal audits on the effectiveness of its OFAC Compliance Program on an annual basis. Audit personnel are instructed to conduct a comprehensive evaluation of this Policy and its related procedures and processes to ensure that the Company has:


  1. adopted all processes and procedures necessary to comply with each OFAC requirement
  2. properly and fully implemented such processes and procedures
  3. followed each process and procedure
  4. selected processes and procedures which, individually or in aggregate, effectively identify and flag all OFAC-related concerns
  5. escalated identified issues to the Director of Compliance and, if appropriate, other executives of the Company
  6. properly assessed and responded to all identified OFAC concerns and issues.


It is the policy of the Company to promptly correct and report any detected violations discovered during the audit process to both OFAC and its executives. The team will develop a comprehensive report that summarizes the audit activities, analyzes the results, and offers an implementation plan for any changes or updates to the AML program.


8. Staff Training


All personnel receive adequate training on OFAC compliance, consistent with its OFAC risk profile, and how OFAC compliance relates to an employee’s specific responsibilities in connection with their initial hire training, and periodically thereafter as appropriate to ensure employees remain up to date on OFAC requirements and related policies and procedures.


9. OFAC Screening Process


OFAC requires the company to implement a system of internal controls designed to screen all individuals and entities with which the Company may conduct business and confirm whether or not the entity or individual is subject to OFAC regulations. OFAC checks are done prior to onboarding new Customers and monthly as stated in Section B.4 OFAC Screening Timing.


a. Onboarding New Accounts


The Company will provide notice to each Customer, on the application form or in a document agreed to by such person or entity (which may be, without limitation, the terms and conditions, privacy policy, or Customer agreement), that the information provided by such Customer and its owners will be used to verify their identities as required by federal law. The Company has instituted and follows due diligence protocols designed to ensure all new accounts and Customers are verified against the SDN list or other applicable OFAC lists, as published on the official OFAC web site. In no case will the Company board any Customer without performing a check of such individual, or such entity and its principals, against the appropriate OFAC lists. If there is a potential match, the Compliance Team will appropriately document the findings, escalate the findings to the Director of Compliance, consult with the Company’s legal counsel for appropriate next steps, request additional information if appropriate, and file necessary documents with OFAC if appropriate.


b. Monthly Monitoring


The Company’s use of Experian will provide the Compliance Team with the list of potential match transactions via an immediate report or by electronic mail delivered no later than the next morning. This email will be reviewed the day it is received with each identified potential match investigated and evaluated by a member of the Compliance Team (as set forth below).


c. False Positive Matches


It is the responsibility of the Company’s Compliance Team and other personnel to immediately contact the Director of Compliance if it is suspected that a potential OFAC match is found. The impacted Customer account will be immediately frozen until a final determination about OFAC requirements is made by the Director of Compliance. It is the responsibility of the Director of Compliance to make a final determination if the suspect match is a true match with the applicable OFAC list and document the issue as applicable. In general, this is accomplished by reviewing the Customer’s file, gathering or obtaining any additional information as appropriate, and contacting OFAC’s hotline for further verification assistance. The Compliance Team maintains a separate file for all true, positive matches identified by Experian. False Positive decisions will be recorded as part of the Company internal account management system.


If it is determined that it is not a match, the Director of Compliance is to notify the reporting employee of the decision in writing and document the finding to the Customer’s file so business between such Customer and the Company may begin or resume.


a. True Matches


If it is determined that the user is a positive match to the OFAC List, the Director of Compliance is to notify the reporting employee in writing of the decision, place an appropriate hold on the Customer’s transaction or account, document the issue within the Customer’s file and the company’s OFAC Reporting File, notify the sponsor bank, notify the Acquiring Bank, notify OFAC of the positive match, and file a Suspicious Activity Report (SAR) or cause the sponsor bank to file a SAR, as warranted. For each identified positive OFAC match, the Director of Compliance will consult with internal legal counsel regarding the identified OFAC violation to determine further actions which should be taken, if any. All Customers with True Matches are terminated or declined and funds are blocked.


The Compliance Team will immediately decline/terminate true matches and report the incident to OFAC. The Company will also notify the Acquiring Bank of any true matches for existing customers.


d. OFAC Reporting Requirement


The Compliance Team is responsible for completing OFAC reporting requirements, including the following activities:


  1. Reporting any transaction that has been blocked or rejected to OFAC within 10 business days from the date the property became blocked.
  2. Submitting an annual report of all property blocked as of June 30 by September 30 of each year.
  3. Ensuring the retention of all reports and blocked or rejected transactions records for at least 5 years.


e. OFAC Process Responsibilities Summary


The Compliance Team:


  1. Reviews the list of potential match transactions to identify the reason for the potential match.
  2. Initiates an investigation, as necessary or appropriate, to determine the validity of the potential match.
  3. Categorizes each Customer or transaction as either “False Positive” or “Pending.” All “Pending” cases that are initiated must include the relevant account and transaction identifying information.
  4. Reviews and monitors pending cases as necessary or appropriate to ensure the investigation is diligently conducted, determine the validity of the potential match, and appropriately resolve or escalate as a match to the Company’s legal department.
  5. Places holds as appropriate to prevent any potential violations while conducting investigations.
  6. Reviews all false transactions and clears them out to an approved queue.
  7. Escalates matches and potential matches to legal counsel, senior management, and the company’s sponsor financial institution as appropriate.
  8. Reviews and investigates escalated “Pending” cases and responds appropriately.
  9. In the event that a case is determined to be a match, the Compliance Team and the Company’s legal department will work together to submit the required report to OFAC (or cause the Company’s sponsor bank to submit to OFAC) within ten (10) business days (or such shorter timeframe designated by OFAC).
  10. For all matched accounts, the Company’s legal counsel blocks or rejects the transaction, and terminates the Customer’s participation in the Company’s programs. All accounts identified as a match and funds received in connection therewith are immediately frozen and placed in a locked account until a legal opinion is obtained. All transaction and account details must be recorded.


10. Response to Government Agencies


Upon the Company’s receipt of any request concerning a Customer account or transaction from any government agency, including FinCEN, or the Company’s sponsor bank, the Compliance Team will work with counsel to immediately search the Company’s records to determine if it maintains or has maintained any account for, has engaged in any transaction with, or processed any transaction on behalf of the individual, entity, or organization named in such request.


  • The Compliance Team will verify the validity of the request (contact the requesting agency using contact information obtained from an independent source, such as the official webpage of the agency, and verify that the agency issued the request).
  • The search and response shall be completed within fourteen (14) days from the transmission of the request to the Company unless such other timeframe is specified in the notice received.
  • The Compliance Team will document that it has performed the required search by listing the steps and actions taken, the databases and number of accounts that have been searched, the name of the individual who performed the search, and the signature of the Director of Compliance certifying that all such steps were properly performed.
  • The Compliance Team will also maintain a log of all such requests, including the request date and the response date.
  • The Director of Compliance is the Company’s point of contact for all such correspondence.


  • The Company will not disclose the fact that such information was requested except to the extent necessary to comply with the request or as required by applicable law. The Director of Compliance will review, maintain and implement procedures to protect the security and confidentiality of such requests.


C. AML Policy Administration


1. Compliance Activities

The Company documents its compliance with the foregoing processes with respect to each Customer and third-party service provider and maintains such documentation in accordance with applicable laws and the card brand rules. If any risk is identified, it will be reviewed and evaluated, and if appropriate the relevant Customer will be contacted to obtain additional information.


The risk assessment program is not static but reviewed and adjusted periodically: every year, or when a change in the business activities occurs, and when new risk factors are identified. The following aspects of a risk-based approach are considered during monitoring and review of the program:


  1. Procedures to identify changes in Customer’s operations.
  2. Procedures to identify unusual transaction activity by a Customer or change in business or product mix.
  3. The ways in which products and services may be abused for the furtherance of money laundering or other illicit purposes, including recognition of how these ways can be changed, with reference to the information and typologies supplied by regulatory agencies and other relevant authorities.
  4. The adequacy of staff training and awareness for the customer service team and the Compliance Team, and effectiveness of internal communication processes to ensure accurate reporting and escalation of all relevant issues.
  5. Compliance monitoring system efficiency, which shall be regularly tested either through internal or external audit.
  6. The balance between technology-based and human-based internal controls.
  7. Capturing appropriate management information.
  8. Upward reporting and accountability.
  9. Effectiveness of the liaison with regulatory and law enforcement agencies when applicable.


2. Training & Awareness


All employees must receive AML training upon hire and annually thereafter.

The Compliance Team provides the Company’s workforce with Compliance Program training that is appropriate and proportional with regard to their responsibilities. This effort provides general information on laws, regulations and internal policies that is:


  1. Tailored to the appropriate staff responsibility (e.g. customer contact or operations).
  2. At the appropriate level of detail (e.g. front-line personnel, complicated products or customer managed products).
  3. At a frequency related to the risk level of the business line involved.
  4. Tested to assess knowledge commensurate with the details of information provided.


Such training includes, as applicable based on the employee’s role and responsibility: how to identify red flags and signs of money laundering that arise during the employee’s duties, what to do once the risk is identified (including appropriate escalation procedures), the Company’s record retention policy, and the disciplinary consequences for the employee and the Company for noncompliance.


This training may be conducted through educational pamphlets, videos, emails, in-person lectures, conference calls, explanatory memos, webinars, or other events as deemed appropriate by the Director of Compliance.


Each employee at the Company is instructed to report any identified deficiencies or actual or suspected fraud, suspicious activities, money laundering, terrorist activities, or other unusually risky transactions to the Director of Compliance. Such reports are confidential, and the employee will suffer no retaliation for making them.


In addition to training, the Company’s Compliance Team has regularly scheduled meetings to identify trends, support ongoing and earlier detection and mitigation of potential issues, and perform joint postmortem exercises on large losses or repeat loss patterns. These meetings include personnel performing underwriting, risk, compliance, dispute management, and collections.


Each Customer’s private records held by the Company are updated based on flags relating to risk and underwriting and additional information received from or related to such Customer (including but not limited to information from any periodic review or investigation). The Compliance Team calculates expected performance and activity for each Customer, compares actual numbers to expected numbers, and prepares variance reports to identify any unusual or unexpected activity or performance.


3. Annual and Periodic Testing


The Compliance Team conducts an independent test of its procedures and adherence to this Policy on an annual basis, or more frequently as deemed appropriate by the Director of Compliance. Such independent testing, at a minimum, includes:


  1. An evaluation of the overall integrity and effectiveness of this Policy in compliance with AML and BSA requirements.
  2. Evaluating the Company’s procedures for reporting (including without limitation OFAC and BSA reporting) and recordkeeping requirements.
  3. Evaluating the implementation and maintenance of the Customer identification procedures and processes.
  4. Evaluating the Company’s due diligence requirements and procedures.
  5. Evaluating AML compliance controls.
  6. Evaluating the Company’s transaction monitoring and risk processes, with an emphasis on high-risk areas.
  7. Evaluating the adequacy of the Company’s training programs.
  8. Evaluating the Company’s systems for identifying suspicious activity.
  9. Evaluating suspicious activity monitoring tools, including data source integrity and tool parameter settings.
  10. Evaluating the Company’s systems for reporting suspicious activity.
  11. Evaluating the Company’s review of accounts that generate SAR filings or are otherwise considered high risk accounts.
  12. Evaluating the Company’s response to any deficiencies identified in this Policy or its program.


The Compliance Team provides remediation training on issues raised from the testing and remediation if a failing grade occurs.


4. Annual Review of Suspicious Activity


At least once a year, the institution’s internal auditor or an independent third party will review the Compliance Officer’s suspicious activity file. The auditor ensures that all identified suspicious activity was reviewed and appropriately handled.




To the extent any exception is made to the policies, procedures, or requirements set forth in this Policy, such exception shall only be made if: (a) it has been completely and adequately documented in a writing setting forth the reason for the exception and the name and title of the senior executive of the Company authorizing the exception; (b) the exception has been approved in writing by the Company’s legal department; (c) if applicable, the exception has been reported to and approved by the Company’s sponsor institution; (d) the funds released or other actions taken have been clearly documented; (e) an expiration or review date for the exception has been set; and (f) the Director of Compliance maintains such records and tracks such exception as appropriate under the circumstances.


6. Record Keeping Obligations


The Director of Compliance shall maintain records and track all exceptions granted, including related documentation and approvals for a minimum of five (5) years post account closure. Records are to be stored in a safe place not susceptible to destruction.


Suspicious Activities Monitoring & Reporting


  1. Objective


The objective of the Suspicious Activities Reporting (SAR) requirement is to identify, as part of the Company’s larger Policy and Compliance Program, the Company’s obligations with respect to filing Suspicious Activity Reports with appropriate governmental entities. This operates in conjunction with the Company’s other anti-money laundering obligations set forth in this Policy.


2. Suspicious Activity Detection


Awareness of what constitutes suspicious activity, and, when appropriate, filing an SAR directly or through its acquirer, is a cornerstone of the Company’s compliance reporting responsibilities. The Company consults with its acquirer for any identified activities which warrant the filing of an SAR, and based on such consultation, the Company will file the appropriate SAR.




The Director of Compliance or their designee is responsible for monitoring suspicious activity on an ongoing basis, whether it is reviewing activity as detected by their team, or through any other notification channel.



In addition to using the system, all employees receive training once a year on how to identify money laundering operations. New employees that have direct contact with customers receive initial training within the first four weeks of employment.


c. Specific Monitoring


  1. Sanctions/watch list filtering should be used to detect suspicious activity. In situations that may require immediate attention, such as terrorist financing or ongoing money laundering schemes, the Director of Compliance will immediately call the appropriate law enforcement authority. If a Consumer appears on OFAC’s SDN list, the Director of Compliance will consult with the legal department and call the OFAC Hotline at (800) 540-6322.
  2. URL monitoring is an essential element of Customer monitoring for suspicious activities. The Company has contracted with Experian to provide URL monitoring for suspicious activities reporting. Details of this monitoring are available in the Company’s URL Monitoring Policy.


3. SAR Filing Timelines


The Company reports suspicious transactions to its acquirer promptly and will file (or allow the acquirer to file) a SAR no later than 15 calendar days after the date of the initial detection of the facts that constitute a basis for filing such report. A review must be initiated promptly upon identification of unusual activity that warrants investigation. Any activity identified as illegal activity should be made known directly to law enforcement, as well as to appropriate state and federal regulatory agencies. In accordance with regulatory guidelines, the Director of Compliance or his