Send

SettleySend
KYC/AML Policy · v0.1 draft

Settley KYC/AML Policy

Document owner: Compliance / Legal
Version: 0.1 draft
Effective date: [Insert date]
Review cadence: At least annually and after any material product, jurisdiction, banking, crypto, or payout-provider change
Status: Draft for partner onboarding and legal review

1. Purpose

Settley provides a claim-code remittance product that allows a sender to fund an escrow with supported digital assets and allows a recipient to claim value through supported payout methods, including bank transfer, wallet transfer, airtime, data, gift card, or virtual card where available.

This KYC/AML Policy sets out Settley's baseline controls for:

Identifying and verifying customers and recipients.
Preventing money laundering, terrorist financing, sanctions evasion, fraud, scams, and other prohibited activity.
Monitoring payments, claims, and payouts.
Escalating and reporting suspicious activity where required.
Maintaining records for partner, audit, and regulatory review.

This policy is designed to support a risk-based compliance program. It must be reviewed by qualified counsel before production use in any regulated market.

2. Scope

This policy applies to:

Settley employees, founders, contractors, agents, and service providers who operate or support the product.
Senders who fund transfers.
Recipients who claim transfers.
Business partners, payout providers, off-ramp providers, card providers, gift-card providers, infrastructure providers, and other third parties involved in the transfer lifecycle.
All supported chains, assets, wallets, payment methods, claim codes, and payout methods.

3. Regulatory Orientation

Settley will operate its compliance program according to generally accepted AML/CFT principles, including:

Risk-based customer identification and verification.
Customer due diligence and enhanced due diligence for higher-risk users or activity.
Sanctions, politically exposed person, and adverse media screening where appropriate.
Transaction monitoring and suspicious activity escalation.
Recordkeeping and auditability.
Third-party provider diligence and oversight.

Settley will also align its controls with applicable requirements in the jurisdictions where it operates, including partner-specific requirements imposed by off-ramp, card, gift-card, banking, and virtual-asset service providers.

4. Product Risk Statement

Settley involves digital assets, cross-border transfers, claim codes, and third-party payout rails. These features create specific financial crime risks, including:

Use of stolen or sanctioned funds to fund escrow.
Use of claim codes to obscure the relationship between sender and recipient.
Structuring transfers to avoid limits or review.
Fraud, romance scams, mule activity, account takeover, or coercion.
Sanctions evasion through wallet transfers or indirect beneficiaries.
Abuse of gift cards, airtime, or virtual cards for resale or laundering.
Mismatch between stated transfer purpose and actual behavior.
Payout to false identities, compromised accounts, or unauthorized recipients.

Settley will mitigate these risks through identity controls, transfer limits, wallet screening, payout provider controls, monitoring rules, manual review, and audit records.

5. Roles and Responsibilities

5.1 Founder / Executive Management

Executive management is responsible for:

Approving this policy and material changes.
Ensuring adequate resources for compliance operations.
Setting risk appetite, transfer limits, and supported corridors.
Suspending product features or markets when compliance risk is unacceptable.

5.2 Head of Legal / Compliance Lead

The Head of Legal or designated Compliance Lead is responsible for:

Maintaining this policy.
Reviewing partner requirements and regulatory obligations.
Approving KYC/KYB standards and escalation procedures.
Reviewing high-risk cases and suspicious activity escalations.
Coordinating with outside counsel and regulated partners.
Ensuring recordkeeping, audit readiness, and staff training.

5.3 Operations and Product Team

Operations and Product are responsible for:

Implementing this policy in workflows, product screens, APIs, and back-office tooling.
Ensuring payout status is based on provider confirmation, not user assertion.
Ensuring claim and payout records are durable, auditable, and protected.
Maintaining controls against duplicate payouts and unauthorized claims.

6. Customer Identification and Verification

Settley will apply a tiered, risk-based KYC model. The minimum required information depends on the role, value, jurisdiction, payout method, and partner requirements.

6.1 Sender Information

For senders, Settley may collect:

Full name.
Email address and/or Telegram handle.
Phone number.
Wallet address.
Country of residence.
Date of birth where required.
Government identification where required.
Source of funds or purpose of transfer where required.
Device, IP, and session metadata.

For lower-risk, low-value transfers, Settley may apply simplified due diligence if permitted by applicable law and partner requirements. Higher-risk activity requires enhanced due diligence.

6.2 Recipient Information

For recipients, Settley may collect:

Full name.
Email address, Telegram handle, and/or phone number.
Country of residence.
Payout method selected.
Bank name and account number for bank payout.
Wallet address for wallet payout.
Cardholder information for virtual card issuance.
Gift-card or airtime delivery information.
Government identification, BVN, NIN, or other local identity fields where required by provider or law.

Settley will not promise bank, OPay, card, or gift-card payout unless the relevant provider confirms the payout method is supported and the recipient passes required checks.

6.3 Business Customers and Partners

For business customers, partners, and vendors, Settley may collect:

Legal entity name.
Registration number.
Registered address.
Tax identification number where applicable.
Beneficial ownership information.
Director or controller information.
Proof of authorization.
Business activity and expected volumes.
Licenses or regulatory registrations where applicable.
Sanctions, PEP, adverse media, and watchlist screening results.

7. Sanctions and Watchlist Screening

Settley will screen, directly or through vendors and partners where applicable:

Senders.
Recipients.
Business customers.
Beneficial owners and controllers.
Wallet addresses.
Payout accounts.
High-risk counterparties.

Screening may include sanctions lists, PEP lists, adverse media, law enforcement lists, blockchain risk scores, and provider-specific watchlists.

Settley will not process a transfer, claim, or payout where it knows or has reason to believe that a party is sanctioned, blocked, prohibited, or otherwise ineligible.

8. Wallet and Blockchain Risk Controls

For on-chain deposits and wallet payouts, Settley will apply controls appropriate to the asset, chain, value, and jurisdiction, which may include:

Screening sender and recipient wallet addresses.
Detecting exposure to sanctioned addresses, mixers, darknet markets, scams, stolen funds, ransomware, or high-risk services.
Requiring additional review for indirect high-risk exposure.
Rejecting or holding transfers linked to prohibited activity.
Preserving transaction hashes, chain IDs, token addresses, timestamps, and confirmation records.

Supported chains and tokens must be approved before production support. New chains or assets require a compliance and operational review.

9. Risk Rating

Settley will assign risk ratings to users, transfers, claims, and payouts. Risk factors may include:

Country of sender or recipient.
Transfer amount and frequency.
Payout method.
Chain and asset used.
Wallet risk score.
Use of privacy tools, mixers, bridges, or high-risk exchanges.
Inconsistent identity or account information.
Multiple claims to the same payout account.
Multiple accounts controlled by the same device, IP, phone number, wallet, or beneficiary.
Scam indicators or user reports.
Provider alerts, failed checks, or manual review outcomes.

Risk ratings may be low, medium, high, or prohibited. High-risk activity requires enhanced review before payout.

10. Enhanced Due Diligence

Enhanced due diligence may be required when:

Transfer value exceeds internal or provider thresholds.
Activity is unusual for the user's profile.
User, wallet, corridor, or payout method is high risk.
Recipient requests a high-risk payout method.
There is adverse media, sanctions proximity, PEP exposure, or law enforcement concern.
A partner or provider requests additional information.

Enhanced due diligence may include:

Government ID verification.
Selfie or liveness verification.
Proof of address.
Source of funds or source of wealth.
Relationship between sender and recipient.
Purpose of transfer.
Additional wallet or transaction history review.
Manual compliance approval.

11. Transfer and Payout Limits

Settley will maintain configurable transfer limits by:

User verification tier.
Country.
Chain and token.
Payout method.
Provider limit.
Daily, weekly, monthly, and lifetime volume.
Risk score.

Initial production limits should be conservative until provider reliability, fraud controls, and compliance workflows are validated.

Suggested draft limits for legal review:

Tier	Requirements	Single transfer	Monthly volume
Tier 0	Contact-only, wallet screened	USD 50	USD 100
Tier 1	Basic KYC, contact verified	USD 250	USD 1,000
Tier 2	Government ID and enhanced checks	USD 1,000	USD 5,000
Tier 3	Manual approval / business review	Case-by-case	Case-by-case

These draft limits are placeholders and must be confirmed by legal counsel and payout providers.

12. Transaction Monitoring

Settley will monitor the full transfer lifecycle:

Payment intent created.
Stablecoin deposit detected.
Deposit verified.
Claim code issued.
Recipient claim initiated.
Payout method selected.
Recipient and payout details validated.
Payout created with provider.
Provider webhook confirms success, failure, or reversal.

Monitoring rules may include:

Multiple failed claim attempts.
Repeated transfers below review thresholds.
Rapid claim-and-payout behavior.
Multiple recipients using the same payout account.
Multiple senders funding one recipient.
Multiple recipients linked to one wallet, IP, device, email, or phone.
Wallet exposure to high-risk services.
Attempts to claim from sanctioned or unsupported jurisdictions.
Gift-card or virtual-card abuse patterns.
Mismatches between sender instructions and recipient details.

Alerts will be reviewed by the Compliance Lead or designated operations staff.

13. Claim Code Controls

Claim codes are sensitive financial instruments. Settley will:

Generate unique, high-entropy claim codes.
Store claim codes securely.
Associate each claim code with one funded payment intent.
Prevent reuse after successful payout.
Expire unclaimed codes after a defined period.
Allow sender cancellation or refund where permitted and safe.
Lock claim codes after excessive failed attempts.
Require additional verification when claim behavior is suspicious.

Claim codes must not be considered paid until the payout provider confirms successful delivery or settlement.

14. Payout Provider Controls

Settley may use third-party providers for bank payout, off-ramp, gift cards, airtime, data, virtual cards, or wallet infrastructure.

Before production use, each provider must be reviewed for:

Supported countries and payout methods.
Licensing, regulatory posture, and terms of service.
KYB and KYC requirements.
Sanctions and AML controls.
Data protection and privacy practices.
Fees, limits, and settlement timelines.
API reliability and incident process.
Webhook signing and status reconciliation.
Refund, reversal, dispute, and failed payout handling.

Provider integrations must use:

Unique idempotency keys.
Internal payout references.
Provider payout references.
Webhook signature verification where available.
Status reconciliation and retry logic.
Manual review for ambiguous or delayed payout states.

15. Prohibited Activity

Settley prohibits use of the product for:

Money laundering or terrorist financing.
Sanctions evasion.
Fraud, scams, extortion, blackmail, ransomware, or stolen funds.
Human trafficking, child exploitation, or illegal goods and services.
Illegal gambling or unlicensed financial activity.
Structuring or evasion of limits.
Use by sanctioned persons or persons in prohibited jurisdictions.
Use of another person's identity or payout account without authorization.
Resale or abuse of gift cards, cards, or airtime in violation of provider rules.

Settley may suspend, reject, hold, refund, or report activity that appears prohibited or suspicious.

16. Suspicious Activity Escalation

When activity is suspicious, Settley will:

Pause the transfer, claim, or payout where operationally possible.
Preserve all relevant records.
Conduct internal review.
Request additional information where appropriate.
Escalate to the Head of Legal or Compliance Lead.
Notify or report to regulated partners or authorities where legally required.
Avoid tipping off users where prohibited.

Suspicious activity decisions and rationale must be documented.

17. Recordkeeping

Settley will maintain records of:

Customer and recipient identity information.
KYC/KYB checks and verification results.
Sanctions, PEP, adverse media, and wallet screening results.
Payment intents, deposits, claims, payouts, refunds, reversals, and failures.
On-chain transaction hashes and confirmations.
Provider references and webhook payloads.
Manual reviews and escalation decisions.
Policy versions and approvals.
Staff training records.

Records should be retained for at least five years unless a longer period is required by law, partner agreement, or internal policy.

18. Data Protection

Settley will collect only the information reasonably required for product operation, compliance, fraud prevention, and partner obligations.

Sensitive data must be:

Stored securely.
Access-controlled.
Encrypted where appropriate.
Shared only with providers, partners, and authorities where necessary and permitted.
Retained according to legal and operational requirements.
Deleted or anonymized when retention is no longer required.

19. Training

Settley personnel involved in product, operations, support, engineering, compliance, or partner management must receive AML/KYC training appropriate to their role.

Training should cover:

Product-specific financial crime risks.
Red flags and escalation procedures.
Sanctions and prohibited activity.
Data handling.
Claim-code and payout controls.
Incident and suspicious activity handling.

20. Independent Review

Settley will periodically review the effectiveness of this policy and related controls. Reviews may be conducted internally or by external counsel, auditors, or compliance consultants.

Reviews should consider:

Changes in product functionality.
New payout providers or corridors.
Regulatory changes.
Fraud or suspicious activity trends.
Partner feedback.
Incident reports.
Monitoring rule performance.

21. Current Implementation Gaps to Resolve Before Production

Before Settley launches live fiat, card, or gift-card payouts, the following must be completed:

Durable database for payments, claims, recipients, payouts, and audit logs.
KYC/KYB vendor or provider-led KYC flow.
Wallet screening provider or documented manual wallet review process.
Provider-specific payout integration and signed webhook handling.
Idempotent payout creation and retry controls.
Clear refund and failed-payout process.
Transfer limits approved by legal and providers.
Terms of service, privacy policy, and user disclosures.
Jurisdiction and licensing review.
Incident response process.

22. Approval

By signing below, the undersigned acknowledge that they have reviewed this KYC/AML Policy and approve it for use as Settley's baseline compliance policy, subject to legal review and updates required by applicable law, provider requirements, and product changes.

Head of Legal

Name: ________________________________________________

Title: Head of Legal

Signature: ___________________________________________

Date: ________________________________________________

Founder

Name: Naro Omo-Osagie

Title: Founder

Signature: ___________________________________________

Date: ________________________________________________

Founder

Name: Temisan Gerrrard Agbajoh

Title: Founder

Signature: ___________________________________________

Date: ________________________________________________