
AML / KYC policy

VEREID's anti-money-laundering and KYC program.

VEREID AML / KYC Policy (Public Summary)

Effective Date: May 20, 2026
Version: 1.0
Provider: VEREID, a product of AIARCO Pty Ltd, ABN [TBD: counsel review], NSW, Australia.
Owner: Money Laundering Reporting Officer (MLRO) / Head of Compliance — compliance@vereid.com.
Scope: VEREID Social, VEREID Auth, VEREID ID, and AIARCO ID (collectively, the "Services").

This Policy is a public summary. The full internal Programme covers internal procedures, screening thresholds, escalation matrices and SAR templates that are not published for security reasons.


1. Programme summary

VEREID operates a risk-based Anti-Money Laundering / Counter-Terrorism Financing ("AML/CTF") and sanctions programme designed to comply with:

  • Australia — Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) and AUSTRAC Rules.
  • EU — Directives 2015/849 (4AMLD), 2018/843 (5AMLD), 2018/1673 and the forthcoming AML Regulation / AMLA where applicable to a regulated digital identity provider.
  • UK — Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended).
  • US — Bank Secrecy Act / FinCEN where the provision of identity-verification services to US regulated entities draws us into a supervised role; OFAC sanctions for all dealings.
  • FATF — 40 Recommendations, applied as a baseline.

We are not a financial institution in our own right and we do not custody customer funds beyond Stripe-processed subscription fees. Our AML obligation arises primarily because (i) we provide identity-verification services to obliged entities who rely on our output for their own CDD, and (ii) we transact with B2B customers globally for whom sanctions screening is required.


2. Roles and governance

  • MLRO (Money Laundering Reporting Officer / Head of Compliance). Accountable for the Programme. Independent of revenue.
  • Compliance team. Triages alerts, performs Enhanced Due Diligence (EDD), files Suspicious Matter Reports (SMRs in AU) / Suspicious Activity Reports (SARs in US/UK) / equivalent in other jurisdictions.
  • Engineering — Identity squad. Owns the verification pipeline, sanctions-screening service, and the audit-log immutability guarantee.
  • Board. Annual review of risk assessment and Programme effectiveness. Approves Programme updates.

Whistleblowing: compliance-whistle@vereid.com. Protections per AU Treasury Laws Amendment (Enhancing Whistleblower Protections) Act 2019 and equivalent regimes.


3. Customer Due Diligence (CDD)

We perform CDD on:

  1. B2B Customers (subscribers of VEREID Auth and VEREID ID) and their beneficial owners holding ≥ 25%.
  2. End-users being verified through VEREID ID — at the tier requested by the relying B2B Customer.
  3. VEREID Social users — at the tier requested for the activity they intend (T4 minimum for posting / commenting / messaging).

3.1 B2B Customer onboarding

  • Legal name, registration number, country of incorporation, registered address, principal place of business.
  • Beneficial-owner identification (≥ 25% threshold; reduced where law requires).
  • Director list and authorised signatory.
  • Source of business / use-case description.
  • Sanctions and adverse-media screening on the company, owners and directors.
  • Excluded-use attestation (see TERMS_OF_SERVICE.md Schedule 1).

3.2 End-user CDD tier ladder (per PRIVACY_POLICY.md Section 11)

Tier | Method                                | When required
T1   | Email                                 | Always
T2   | Phone                                 | Always for VEREID Social
T3   | Document OCR                          | When the relying party requires document-level assurance
T4   | T3 + liveness face-match              | Default for VEREID Social posting; default for most B2B verifications
T5   | T4 + NFC chip Passive Authentication  | When the relying party explicitly requires chip-auth
T6   | T5 + issuing-authority lookup         | Disabled until counsel sign-off

3.3 Enhanced Due Diligence (EDD) triggers

  • Politically Exposed Person (PEP) hit on any list.
  • Sanctions or adverse-media hit not cleared on first pass.
  • B2B Customer in a higher-risk jurisdiction per FATF grey/black list.
  • Customer use-case overlapping any of the EU AI Act prohibited practices.
  • Repeated failed verifications from the same device/IP cluster.
  • Document flagged by tamper-detection (template mismatch, MRZ checksum failure, font-substitution flag).
  • Anomalous geo/device signals (e.g. IP geolocation differs from claimed residence country by > 5,000 km with no travel history on file).
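The MRZ checksum failure named above is a concrete, specification-defined check. The following is an added illustration, not VEREID's tamper-detection code: it implements the public ICAO 9303 check-digit rule (character values 0-9, A-Z = 10-35, filler '<' = 0; repeating weights 7, 3, 1; sum modulo 10) over the lower line of a TD3 passport MRZ and reports which fields fail. The sample line is the ICAO 9303 fictional "Utopia" specimen; the tampered variant is constructed here.

```python
"""ICAO 9303 MRZ check-digit validation for a TD3 (passport) lower line.

Added example, not VEREID's own tamper-detection pipeline. Implements the
public ICAO 9303 rule: characters map to values (0-9 -> 0-9, A-Z -> 10-35,
'<' -> 0), are weighted 7, 3, 1 repeating, and the sum mod 10 is the check digit.
"""

WEIGHTS = (7, 3, 1)

# ICAO 9303 public specimen (fictional "Utopia" passport), lower MRZ line.
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
# Constructed tampered copy: one digit of the document number altered.
TAMPERED_LINE2 = "L998902C36UTO7408122F1204159ZE184226B<<<<<10"


def char_value(c: str) -> int:
    """Map one MRZ character to its numeric value per ICAO 9303."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(field: str) -> int:
    """Weighted sum (7,3,1 repeating) modulo 10."""
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def validate_td3_line2(line: str) -> dict:
    """Return {field_name: bool} for every check digit on a 44-char TD3 line 2.

    Layout (0-indexed slices) per ICAO 9303 Part 4:
      0-8 document number, 9 its check digit; 10-12 nationality;
      13-18 birth date, 19 check; 20 sex; 21-26 expiry, 27 check;
      28-41 optional data, 42 check; 43 composite check over
      positions 0-9, 13-19 and 21-42.
    """
    if len(line) != 44:
        raise ValueError("TD3 line 2 must be exactly 44 characters")
    fields = {
        "document_number": (line[0:9], line[9]),
        "birth_date": (line[13:19], line[19]),
        "expiry_date": (line[21:27], line[27]),
        "optional_data": (line[28:42], line[42]),
        "composite": (line[0:10] + line[13:20] + line[21:43], line[43]),
    }
    results = {}
    for name, (data, expected) in fields.items():
        # An unused optional-data field may carry '<' instead of a digit.
        if name == "optional_data" and expected == "<" and set(data) == {"<"}:
            results[name] = True
            continue
        results[name] = expected.isdigit() and check_digit(data) == int(expected)
    return results


def mrz_checksum_failures(line: str) -> list:
    """Names of the fields whose check digit does not verify (empty = clean)."""
    return [name for name, ok in validate_td3_line2(line).items() if not ok]


if __name__ == "__main__":
    print("specimen:", mrz_checksum_failures(SPECIMEN_LINE2))   # []
    print("tampered:", mrz_checksum_failures(TAMPERED_LINE2))   # ['document_number', 'composite']
```

A single altered character breaks both the field check digit and the composite check digit, which is why a checksum failure is a useful first-pass tamper signal; a check digit that verifies does not prove authenticity, since a forger can recompute it, so it belongs alongside, not instead of, template and chip-based checks.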

EDD output is approved by a second-line reviewer and logged to the immutable audit_events table.

3.4 Simplified Due Diligence (SDD)

Available for the AIARCO ID free tier in jurisdictions that permit SDD for low-value, low-risk digital-identity services with no monetary value transfer. Not available where local law requires full CDD.


4. Sanctions screening

4.1 Lists screened

We screen against the consolidated set:

  • US — OFAC SDN, Consolidated Sanctions, Foreign Sanctions Evaders, Sectoral Sanctions, Non-SDN Iran Sanctions.
  • EU — Consolidated Financial Sanctions List.
  • UK — HMT/OFSI Consolidated List.
  • UN — Security Council Consolidated List.
  • AU — DFAT Consolidated List.
  • Additional adverse-media list (commercial provider — vendor [TBD: counsel + vendor due diligence]).

4.2 When we screen

  • Onboarding for every B2B Customer, beneficial owner, director, authorised signatory.
  • Onboarding for every end-user verified through VEREID ID where the relying party requests sanctions screening (add-on, +$0.20).
  • Ongoing — daily refresh; any update to a screened list triggers a re-screen of the affected population within 24 hours.
  • Real-time at login for B2B Customer principals.

4.3 Match handling

  • Confirmed true match → account frozen; assets in scope (e.g. paid invoices) frozen; SMR/SAR filed within statutory deadline; no tipping-off to the customer; legal escalation.
  • Possible / fuzzy match → manual review within 24 hours by Compliance; result and rationale recorded.
  • False positive → cleared with a documented reason; written to audit_events; no notification to the customer.

4.4 Geographic blocks

We will not knowingly provide any Service to a person ordinarily resident in, or a B2B Customer principally operating from: Cuba, Iran, North Korea, Syria, the so-called "Crimea / DNR / LNR" regions of Ukraine, or any other comprehensively sanctioned jurisdiction. The block is enforced at Cloudflare edge for api.vereid.com/v1/verify and at signup for B2B and end-user accounts.


5. Risk assessment and tiering

We maintain a written Risk Assessment, refreshed at least annually and on material change (new product, new geography, regulatory update, material incident). Risk factors include customer type, product, geography, channel, and transaction patterns.

Each B2B Customer is assigned a risk tier (Low / Medium / High):

Tier   | Onboarding                                                                   | Ongoing reviews
Low    | Standard CDD                                                                 | Annual
Medium | Standard CDD + use-case attestation                                          | Semi-annual
High   | EDD + source-of-funds for prepayments ≥ $25,000 + senior-management sign-off | Quarterly

Risk tier is recomputed on each ongoing review and on any new alert.


6. Ongoing monitoring

  • Sanctions list deltas — daily re-screen of all active principals.
  • PEP list deltas — daily re-screen.
  • Usage anomalies — automated rules detect: sudden spike in T4/T5 verifications from a single B2B Customer (potential synthetic-identity farm); high failure rates; high reverse-image-search hits on selfies (potential reuse); device-fingerprint clustering.
  • Adverse media — weekly batch on B2B Customer principals.
  • B2B Customer behavioural alerts — first chargeback, first refund request, first material change in IP geolocation of admin logins.

7. Suspicious Activity reporting

7.1 Triggers

  • Confirmed sanctions match.
  • Reasonable grounds to suspect money laundering, terrorism financing, proliferation financing, or tax evasion in our service usage.
  • Identification of synthetic-identity or impersonation patterns (sustained automated submission of altered documents).
  • Bribery or corruption indicators in B2B Customer interactions.

7.2 Process

  1. Analyst raises internal STR with evidence package.
  2. MLRO reviews within 48 hours.
  3. If filed: SMR to AUSTRAC (Australia), SAR to FinCEN (US, if in scope), SAR to UK NCA, equivalent to FIU of jurisdiction.
  4. No tipping-off — neither the customer nor any unauthorised internal party is informed.
  5. Record retained 7 years on S3 Object Lock WORM.

7.3 Law-enforcement requests

  • Validated through legal-process portal (legal@vereid.com).
  • Disclosed only on lawful instrument (warrant, MLAT, court order, or comparable statutory production notice).
  • Logged; transparency report published annually (counts only, redacted).
  • Customer notified of the request unless law prohibits.

8. Record retention

Record                                  | Period                                  | Storage
KYC evidence (B2B + end-user)           | 7 years after relationship end          | S3 PII-VAULT bucket, KMS CMK pii-vault-and-audit
Sanctions-screening result snapshots    | 7 years                                 | Same
SMR / SAR filings and evidence packages | 7 years (or longer where law requires)  | S3 Object Lock WORM, restricted-IAM role
Training records                        | 7 years                                 | Internal HRIS
Risk assessment versions                | 10 years                                | Confluence + S3 archive

9. Training

  • All new joiners — AML/CTF + sanctions module within 30 days; pass quiz ≥ 80%.
  • All staff — annual refresher.
  • Compliance staff — annual external CPD (ACAMS, ACSS, AUSTRAC, ICA or equivalent), minimum 20 hours/year.
  • Engineering staff working on identity flow — annual session on biometric law (BIPA, GDPR Art. 9, EU AI Act).

10. Independent review

  • Annual independent review of the AML/CTF Programme by external counsel or audit firm (per AML/CTF Act 2006 s. 165).
  • Reports presented to the Board; remediation tracked to closure.

11. Vendor and sub-processor due diligence

Sub-processors handling identity or screening data undergo annual review: SOC 2 / ISO 27001 evidence, sub-processor list, breach history, data-residency commitment, DPA + SCC posture. See SUB_PROCESSORS.md.


12. Customer obligations

B2B Customers using VEREID ID for their own regulated CDD remain primarily responsible for compliance with their home AML regime. VEREID provides:

  • Honest tier labels (so the Customer can map our output to their internal risk model).
  • Sanctions add-on at +$0.20 per verification.
  • Webhook signatures, so a Customer cannot accept a forged "verified" event.
  • A "deny on policy" flag rather than a silent allow, so a Customer cannot inadvertently treat an inconclusive verification as a pass.
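The last two bullets describe what a relying Customer's receiver has to do: prove the event came from the provider before trusting it, and never turn an inconclusive or policy-denied result into a pass. The block below is an added example of such a receiver, not VEREID's SDK or its actual wire format; the header names (X-Timestamp, X-Signature), the signature construction (HMAC-SHA256 over "<timestamp>.<raw body>" with a shared secret), the replay window, and the JSON field names (status, policy_deny) are all assumptions made for illustration.

```python
"""Receiving a signed verification webhook and honouring a deny-on-policy flag.

Added example, not VEREID's SDK. Assumed scheme: the sender puts a Unix
timestamp in X-Timestamp and hex(HMAC-SHA256(secret, "<timestamp>.<raw body>"))
in X-Signature; the JSON body carries "status" and an optional "policy_deny".
"""
import hashlib
import hmac
import json
import time

MAX_SKEW_SECONDS = 300  # assumed replay window for the timestamp


def compute_signature(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """HMAC over timestamp and the raw (unparsed) body so re-serialisation cannot break it."""
    msg = timestamp.encode() + b"." + raw_body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, headers: dict, raw_body: bytes, now=None) -> bool:
    """True only if the timestamp is fresh and the signature matches the raw body."""
    ts = headers.get("X-Timestamp", "")
    sig = headers.get("X-Signature", "")
    if not ts.isdigit():
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_SKEW_SECONDS:
        return False  # stale or replayed event
    expected = compute_signature(secret, ts, raw_body)
    return hmac.compare_digest(expected, sig)  # constant-time comparison


def decide(secret: bytes, headers: dict, raw_body: bytes, now=None) -> str:
    """Map an incoming event to 'accept', 'deny' or 'reject'.

    reject: signature invalid, so the event is not trusted at all (log and drop).
    deny:   authentic, but policy_deny is set or status is not a clear pass;
            inconclusive / pending / failed must never be treated as verified.
    accept: authentic, status == "verified" and no policy deny.
    """
    if not verify_signature(secret, headers, raw_body, now):
        return "reject"
    event = json.loads(raw_body)
    if event.get("policy_deny") is True:
        return "deny"
    if event.get("status") != "verified":
        return "deny"
    return "accept"


# Constructed sample data: a shared secret and a helper that signs an event
# the way the assumed sender would, so the receiver can be exercised offline.
SECRET = b"constructed-shared-secret-not-real"


def make_signed_event(event: dict, ts: int, secret: bytes = SECRET):
    body = json.dumps(event, separators=(",", ":")).encode()
    headers = {
        "X-Timestamp": str(ts),
        "X-Signature": compute_signature(secret, str(ts), body),
    }
    return headers, body


if __name__ == "__main__":
    h, b = make_signed_event({"status": "verified", "tier": "T4"}, 1000)
    print(decide(SECRET, h, b, now=1000))                          # accept
    h, b = make_signed_event({"status": "inconclusive", "tier": "T4"}, 1000)
    print(decide(SECRET, h, b, now=1000))                          # deny
    h, b = make_signed_event({"status": "verified"}, 1000, secret=b"wrong")
    print(decide(SECRET, h, b, now=1000))                          # reject
```

Two design points matter regardless of the real wire format: the HMAC is computed over the raw request bytes, never over a re-serialised object, and the three outcomes are kept distinct so that a forged event and a genuine "not verified" event are handled and logged differently.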

A Customer that misrepresents our output to its own regulator (e.g. marketing T5 as "issuing-state verified") is in material breach.


13. Contact

[TBD: counsel review — AUSTRAC enrolment number, US MSB analysis, UK supervisor, choice of adverse-media vendor, formal Risk Assessment v1.0 sign-off, Board approval.]