Compliance Topic
KYC / AML Standards
Due-diligence controls, disclosure expectations, and review cadence.
Core Objective
Method v1.2 · Reviewed 2026-02-10
Define the minimum identity and transaction controls required before a brand is presented as operationally reliable.
Why it matters: KYC/AML gaps are one of the fastest ways a platform accumulates payment abuse, account takeovers, and regulatory escalation.
Control Checklist
| Control | Evidence | Cadence |
|---|---|---|
| Identity verification before first withdrawal | KYC flow screenshots and completion event logs | Each release touching onboarding |
| Sanctions and PEP screening in onboarding | Screening provider report + blocked cases sample | Weekly sample review |
| Transaction monitoring for structured deposits | Rule set export + alert handling outcomes | Daily automated, weekly human review |
| Escalation path for high-risk profiles | Case management workflow and SLA definition | Quarterly tabletop review |
| Retention and data minimization boundaries | Data retention matrix with deletion policy | Quarterly legal + security check |
Operating Sequence
1. Collect identity data with explicit purpose labels and consent language.
2. Run automated checks (document integrity, sanctions lists, velocity flags).
3. Escalate medium/high-risk profiles to manual analysts with a defined SLA.
4. Apply account restrictions while risk remains unresolved.
5. Log decisions with reason codes for auditability.
Topic Summary
Identity checks must happen before sensitive actions such as first withdrawal, account recovery, or high-value deposits.
Risk scoring should combine identity confidence, payment behavior, geolocation mismatch, and velocity anomalies.
Manual review must have a documented handoff path, not an ad-hoc inbox process.
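The operating sequence and the risk-scoring signals described above, combined into one decision function, as an added example (not part of this page's method or any vendor's product): the signal weights, the reporting threshold, the tier cut-offs, the SLA values and the profile fields are constructed assumptions, and the returned record with reason codes is the kind of entry step 5 asks to be logged.

```python
from dataclasses import dataclass

# Constructed assumptions: the reporting threshold, signal weights and tier
# cut-offs below are illustrative, not values from the page.
REPORTING_THRESHOLD = 10_000      # deposits just under this look "structured"
MIN_STRUCTURED_DEPOSITS = 3

@dataclass
class Profile:
    identity_confidence: float    # 0.0-1.0 from document integrity checks
    sanctions_hit: bool           # sanctions list screening result
    pep_hit: bool                 # politically exposed person screening result
    geo_mismatch: bool            # KYC country differs from session geolocation
    deposits_24h: list            # deposit amounts in the last 24 hours
    logins_1h: int                # login attempts in the last hour (velocity)

def structured_deposits(deposits, threshold=REPORTING_THRESHOLD,
                        min_count=MIN_STRUCTURED_DEPOSITS):
    """Flag repeated deposits sitting just below the reporting threshold."""
    near_limit = [d for d in deposits if 0.8 * threshold <= d < threshold]
    return len(near_limit) >= min_count and sum(near_limit) >= threshold

def score_profile(p):
    """Step 2: automated checks. Returns (score, reason codes) for the audit log."""
    score, reasons = 0, []
    checks = [
        (p.sanctions_hit, 100, "SANCTIONS_MATCH"),
        (p.pep_hit, 40, "PEP_MATCH"),
        (p.identity_confidence < 0.6, 30, "LOW_ID_CONFIDENCE"),
        (p.geo_mismatch, 15, "GEO_MISMATCH"),
        (structured_deposits(p.deposits_24h), 35, "STRUCTURED_DEPOSITS"),
        (p.logins_1h > 10, 10, "LOGIN_VELOCITY"),
    ]
    for triggered, weight, code in checks:
        if triggered:
            score += weight
            reasons.append(code)
    return score, reasons

def decide(p):
    """Steps 3-5: map the score to a tier, restriction and escalation SLA."""
    score, reasons = score_profile(p)
    if score >= 70:
        tier, action, sla_hours = "high", "restrict_withdrawals", 4
    elif score >= 30:
        tier, action, sla_hours = "medium", "manual_review", 24
    else:
        tier, action, sla_hours = "low", "allow", None
    return {"tier": tier, "action": action, "sla_hours": sla_hours,
            "score": score, "reason_codes": reasons}
```

Because every weight and code is declared in one table, a reviewer can reconcile an alert's reason codes against the rule-set export named in the checklist without reading the scoring logic.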
Evidence Pack
KYC/AML policy version with change history
Risk scoring model documentation
Alert triage runbook and escalation contacts
Audit log sample with redacted user identifiers
Common Gaps
Relying on a single KYC vendor score without manual exception handling.
Keeping broad permissions after a failed identity check.
No clear expiry or revalidation trigger for stale identity records.