Compliance Framework

Updated 2026-05-18

This page describes what OpenSettle has actually shipped to meet merchant compliance expectations, and what is on the roadmap. We publish this distinction explicitly because the diligence memo of 2026-05-16 flagged that conflating shipped controls with roadmap items is a fundraising-disclosure risk and a procurement-killer.

Sanctions screening (shipped, in-house). Every inbound payer wallet is screened at settlement-confirmation time against the OFAC SDN crypto-address list that OpenSettle maintains in source (apps/api/src/services/screening/ofac-list.ts). The verdict is persisted on the payment row (screening_verdict, screening_provider='ofac_local', screening_provider_ref='ofac:<list-version>', screening_screened_at) and exposed to the merchant via the audit-pack export; the list version carried in screening_provider_ref records which publication a given payment was screened against. When the HALT_ON_FLAGGED_PAYER environment flag is enabled, the platform refuses to credit settlements from flagged payer wallets pending operator review; when it is not enabled, the verdict is still recorded but the settlement is credited. Coverage is exact matching against addresses that appear directly on the SDN list. It explicitly does NOT include vendor-style indirect-exposure heuristics (counterparty or hops-away analysis), so a payer wallet that is funded from a listed address but is not itself listed will screen clear. The list is refreshed by the OpenSettle team from Treasury OFAC publications; we do not pay per-check fees to a screening vendor.
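As an added example that is not OpenSettle's code, the following TypeScript sketches the three pieces of the control described above: exact-match screening against a locally held SDN address list, the verdict shape persisted on the payment row, and the HALT_ON_FLAGGED_PAYER gate. The list entries, the version string, the chain tags and every function name are constructed for illustration; the only identifiers taken from this page are the column names and the flag name.

```typescript
// Added example, not OpenSettle's code. Exact-match screening of a payer wallet
// against a locally maintained SDN address list, the persisted verdict shape
// described on the page, and the HALT_ON_FLAGGED_PAYER gate.
// List entries, version string, chain tags and function names are constructed.

type Chain = "evm" | "btc";

interface SdnList {
  version: string;        // Treasury publication identifier; stamped into screening_provider_ref
  addresses: Set<string>; // normalized "<chain>:<address>" keys
}

interface ScreeningVerdict {
  screening_verdict: "clear" | "flagged";
  screening_provider: "ofac_local";
  screening_provider_ref: string; // "ofac:<list-version>"
  screening_screened_at: string;  // ISO-8601
}

type SettlementDecision = "credit" | "hold_for_operator_review";

// Exact matching is only as good as normalization. EVM addresses are hex and
// case-insensitive (an EIP-55 checksum only varies letter case), so fold them to
// lowercase. Legacy Bitcoin base58 addresses are case-sensitive, so leave their
// case alone. Uppercase bech32 is not handled here (a simplification).
function normalizeAddress(chain: Chain, raw: string): string {
  const trimmed = raw.trim();
  const addr = chain === "evm" ? trimmed.toLowerCase() : trimmed;
  return `${chain}:${addr}`;
}

function buildSdnList(version: string, entries: Array<[Chain, string]>): SdnList {
  // Fail closed: an unversioned or empty list would silently clear every payer.
  if (!version || entries.length === 0) {
    throw new Error("refusing to build an empty or unversioned SDN list");
  }
  const addresses = new Set(entries.map(([chain, addr]) => normalizeAddress(chain, addr)));
  return { version, addresses };
}

function screenPayer(list: SdnList, chain: Chain, payer: string, screenedAt: Date): ScreeningVerdict {
  const hit = list.addresses.has(normalizeAddress(chain, payer));
  return {
    screening_verdict: hit ? "flagged" : "clear",
    screening_provider: "ofac_local",
    screening_provider_ref: `ofac:${list.version}`,
    screening_screened_at: screenedAt.toISOString(),
  };
}

// The verdict is always persisted; the flag only decides whether a flagged
// settlement is credited. Only an explicit "true" or "1" enables the halt, so an
// unset or mistyped variable leaves the gate off rather than guessing.
function settlementDecision(
  verdict: ScreeningVerdict,
  env: Record<string, string | undefined>,
): SettlementDecision {
  const raw = (env.HALT_ON_FLAGGED_PAYER ?? "").trim().toLowerCase();
  const halt = raw === "true" || raw === "1";
  return verdict.screening_verdict === "flagged" && halt ? "hold_for_operator_review" : "credit";
}

// Constructed list for the example: these are NOT real SDN entries.
const SAMPLE_LIST = buildSdnList("2026-05-01", [
  ["evm", "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd"],
  ["btc", "1FakeSdnBtcAddressForTestsOnly"],
]);

const SCREENED_AT = new Date("2026-05-18T12:00:00Z");

// A checksummed (mixed-case) form of a listed EVM address still matches, and the
// resulting row is held only because the flag is on.
const exampleVerdict = screenPayer(SAMPLE_LIST, "evm", "0xAbCdEfAbCdEfAbCdEfAbCdEfAbCdEfAbCdEfAbCd", SCREENED_AT);
const exampleDecision = settlementDecision(exampleVerdict, { HALT_ON_FLAGGED_PAYER: "true" });
```

Two points the code makes that the paragraph does not: the verdict row is written whether or not the halt flag is set, so with the flag off a flagged payer is credited and the only trace is the persisted row in the audit pack; and a case-folding mistake in either direction (lowercasing a base58 address, or not lowercasing an EVM one) turns an exact-match screen into a silent miss.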

Merchant KYB (in-house, no vendor). When the KYB_REQUIRED_FOR_LIVE environment flag is enabled, live-mode payment routes are blocked for any workspace whose KYB status is not 'approved'. The compliance status endpoint exposes per-workspace KYB state. KYB review is an operator step: the merchant submits via the dashboard's Verification tab, and the founder approves or rejects via the admin queue at /app/admin/kyb-queue. We do NOT integrate identity-verification vendors (Veriff, Sumsub, Persona, Onfido, Yoti); the sub-1% margin does not fund per-verification fees, and we don't want the vendor lock-in. Documented at /legal/terms clause 16.

Audit-pack export (shipped). Per-merchant CSV and JSON export of every settlement, with on-chain transaction hash, payer wallet, screening verdict, KYB reference, fair-market value (FMV) at confirmation, and constructive-receipt timestamp. Designed to be the artefact a regulator-driven licensing review actually accepts. Path: /v1/workspaces/{id}/audit-pack.

Non-custodial architecture (load-bearing). Funds settle directly from payer wallet to merchant wallet on-chain. OpenSettle is never in the signing path and at no point holds, routes, or controls funds. Technical exhibit at /legal/non-custodial-architecture. This is the most important compliance claim on the platform and the one we hold ourselves to most strictly.

SOC 2 (roadmap). Type I scoping is in progress, with target issuance at D+120 from vendor selection; the Type II observation window begins immediately on Type I issuance, with a target report at D+365.

Money-transmitter opinion (roadmap, gated by funding). Self-prepared MSB / 31 CFR 1010.100(ff) analysis is on file in our source repository. Outside-counsel opinion (target firms: Cooley, Davis Polk, Anderson Kill, DLx Law) is sized at USD 50–80K.

MiCA position (roadmap). EU counsel position memo on CASP scope, France / Malta grandfathering, and geofencing defensibility is on the roadmap. June 2026 is the hard deadline for the FR / MT grandfathering windows.

Right to challenge. Merchants, regulators, and counterparties who believe this page misrepresents what is shipped versus on the roadmap are invited to email legal@opensettle.io. We will revise this page within 5 business days or explain why we believe the description is accurate.

This document is the current published version of the policy. Outside-counsel review is in progress and revisions will be announced on this page. For operational questions, contact support@opensettle.io.