
Compliance Framework

Effective 2026-05-15

OpenSettle's product architecture is designed to remain outside the scope of money transmission and custody regulation. This document summarizes our reasoning; it is not legal advice.

In the United States, the Bank Secrecy Act defines money transmitters as entities that "receive funds for transmission to another person." OpenSettle never receives customer funds. Customer payments transfer directly from the customer's wallet to the merchant's wallet on-chain. OpenSettle's platform fee is computed at payment confirmation time, recorded against each payment row, and aggregated into a monthly fee statement payable from the merchant's own balance — not netted from a pool of customer funds we control.

In the EU, MiCA classifies Crypto-Asset Service Providers (CASPs) around custody, exchange, and transfer services. OpenSettle does not provide custody, does not operate an exchange, and does not initiate or execute transfers on behalf of third parties.

Merchant onboarding is blocked at signup from comprehensively sanctioned jurisdictions (Iran, North Korea, Syria, Cuba, and the occupied Crimea, Donetsk, and Luhansk regions of Ukraine) and from the State of New York pending state-specific legal review. The current list and the legal basis for each entry are published at /legal/restricted-jurisdictions and enforced in code at workspace creation. On-chain payer-address screening against the OFAC SDN crypto subset is shipped today — in-house, no vendor. The list is maintained in source at apps/api/src/services/screening/ofac-list.ts and refreshed by the OpenSettle team from Treasury OFAC publications. Coverage is limited to direct-address SDN matches; we explicitly do NOT integrate indirect-exposure heuristics (Chainalysis / TRM-style "received from a mixer 3 hops ago") because the sub-1% margin does not fund vendor per-check fees. Merchants who require indirect-exposure scoring can build it on top of our raw payment events.

OpenSettle has not yet completed an external SOC 2 audit. Our internal platform security audits (most recent: April 2026 and May 2026) are available on request — email security@opensettle.io. SOC 2 Type I observation is targeted for late 2026; the schedule will be updated on this page once the auditor is engaged.

This document is the current published version of the policy. Outside-counsel review is in progress and revisions will be announced on this page. For operational questions, contact support@opensettle.io.