the_order/docs/governance/kyc-aml-sop.md
defiQUG 2633de4d33 feat(eresidency): Complete eResidency service implementation
- Implement credential revocation endpoint with proper database integration
- Fix database row mapping (snake_case to camelCase) for eResidency applications
- Add missing imports (getRiskAssessmentEngine, VeriffKYCProvider, ComplyAdvantageSanctionsProvider)
- Fix environment variable type checking for Veriff and ComplyAdvantage providers
- Add required 'message' field to notification service calls
- Fix risk assessment type mismatches
- Update audit logging to use 'verified' action type (supported by schema)
- Resolve all TypeScript errors and unused variable warnings
- Add TypeScript ignore comments for placeholder implementations
- Temporarily disable security/detect-non-literal-regexp rule due to ESLint 9 compatibility
- Service now builds successfully with no linter errors

All core functionality implemented:
- Application submission and management
- KYC integration (Veriff placeholder)
- Sanctions screening (ComplyAdvantage placeholder)
- Risk assessment engine
- Credential issuance and revocation
- Reviewer console
- Status endpoints
- Auto-issuance service
2025-11-10 19:43:02 -08:00

241 lines
4.1 KiB
Markdown
# KYC/AML Standard Operating Procedures (SOP)
**Version:** 1.0
**Date:** November 10, 2025
**Status:** Draft
---
## Overview
This document defines the Standard Operating Procedures (SOPs) for Know Your Customer (KYC), Anti-Money Laundering (AML), and sanctions screening for eResidency and eCitizenship applications.
## Screening Lists
### Sanctions Lists
**Primary Sources:**
* UN Security Council Sanctions
* EU Sanctions
* OFAC (US Treasury)
* UK HM Treasury
* Other relevant jurisdictions
**Update Frequency:**
* Daily automated updates
* Manual review for high-priority updates
* Real-time screening for new applications
### PEP Lists
**Sources:**
* World-Check
* Dow Jones Risk & Compliance
* ComplyAdvantage
* Other commercial providers
**Categories:**
* Heads of State
* Senior government officials
* Senior political party officials
* Senior judicial officials
* Senior military officials
* State-owned enterprise executives
* Close associates and family members
## Risk Scoring
### Risk Factors
**Low Risk:**
* Clear identity verification
* No sanctions matches
* No PEP matches
* Low-risk geography
* Established history
**Medium Risk:**
* Partial identity verification
* Potential PEP match (distant)
* Medium-risk geography
* Limited history
**High Risk:**
* Failed identity verification
* Sanctions match
* Direct PEP match
* High-risk geography
* Suspicious patterns
### Risk Score Calculation
**Formula:**
```
Risk Score = (KYC Risk × 0.4) + (Sanctions Risk × 0.4) + (Geographic Risk × 0.2)
```
**Thresholds:**
* Auto-approve: < 0.3
* Manual review: 0.3 - 0.8
* Auto-reject: > 0.8
## Enhanced Due Diligence (EDD)
### Triggers
**Automatic EDD:**
* PEP match
* High-risk geography
* Risk score > 0.7
* Suspicious patterns
* Large transactions (if applicable)
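As an added example (not code from the SOP or from the eResidency service), the following TypeScript applies the risk formula and thresholds above and derives the automatic EDD triggers listed in this section. It assumes each component risk is expressed in [0, 1], treats the 0.3 - 0.8 manual-review band as inclusive at both ends, and rounds to six decimals to keep floating-point drift off the thresholds; the field names are assumptions.

```typescript
// Added example, not part of the SOP or the eResidency service: applies the SOP's
// risk formula and thresholds and derives the automatic EDD triggers.
// Assumption: every component risk is expressed in [0, 1], so the weighted
// score lies in [0, 1], the scale the SOP thresholds use.
type Band = "auto-approve" | "manual-review" | "auto-reject";

interface RiskInputs {
  kycRisk: number;        // identity verification: 0 (clear) .. 1 (failed)
  sanctionsRisk: number;  // 0 (no match) .. 1 (confirmed match)
  geographicRisk: number; // 0 (low-risk geography) .. 1 (high-risk geography)
  pepMatch: boolean;          // any PEP list match, direct or indirect
  directPep: boolean;         // direct PEP per "PEP Classification"
  highRiskGeography: boolean; // geography flagged high-risk by screening
  suspiciousPatterns: boolean;
}

interface RiskDecision {
  score: number;
  band: Band;
  eddRequired: boolean;
  manualReviewRequired: boolean;
}

// Reject non-numeric input outright and clamp out-of-range provider values.
function clamp01(x: number): number {
  if (!Number.isFinite(x)) throw new RangeError(`risk component must be finite, got ${x}`);
  return Math.min(1, Math.max(0, x));
}

// Risk Score = (KYC Risk × 0.4) + (Sanctions Risk × 0.4) + (Geographic Risk × 0.2)
function riskScore(i: RiskInputs): number {
  const raw =
    clamp01(i.kycRisk) * 0.4 + clamp01(i.sanctionsRisk) * 0.4 + clamp01(i.geographicRisk) * 0.2;
  // Assumption: round to 6 decimals so floating-point drift cannot push a score
  // across a threshold (0.75 * 0.4 evaluates to 0.30000000000000004 in JS).
  return Math.round(raw * 1e6) / 1e6;
}

function assess(i: RiskInputs): RiskDecision {
  const score = riskScore(i);
  // Thresholds: auto-approve < 0.3, manual review 0.3 - 0.8 (both ends inclusive), auto-reject > 0.8
  const band: Band = score < 0.3 ? "auto-approve" : score > 0.8 ? "auto-reject" : "manual-review";
  // Automatic EDD triggers; a score in (0.7, 0.8] stays in manual review but now with EDD
  const eddRequired = i.pepMatch || i.highRiskGeography || i.suspiciousPatterns || score > 0.7;
  // Direct PEP: manual review is required regardless of score ("PEP Process")
  const manualReviewRequired = band === "manual-review" || i.directPep;
  return { score, band, eddRequired, manualReviewRequired };
}
```

Note that a score of exactly 0.8 lands in manual review, not auto-reject, and that a direct PEP with a near-zero score is still routed to a reviewer with EDD.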
### EDD Requirements
**Additional Checks:**
* Source of funds verification
* Additional identity documents
* References or attestations
* Background checks
* Enhanced monitoring
### EDD Process
1. Identify EDD trigger
2. Request additional information
3. Verify sources
4. Conduct enhanced screening
5. Risk assessment
6. Decision
## PEP Handling
### PEP Classification
**Direct PEP:**
* Current or former PEP
* Immediate family member
* Close associate
**Indirect PEP:**
* Distant relative
* Former associate
* Historical connection
### PEP Process
**Direct PEP:**
1. Automatic EDD
2. Enhanced screening
3. Manual review required
4. Risk assessment
5. Decision with justification
**Indirect PEP:**
1. Standard EDD
2. Risk assessment
3. Decision based on risk
## Source of Funds
### Requirements
**If Applicable:**
* Fee payments
* Donations
* Service contributions
* Other financial transactions
### Verification
**Methods:**
* Bank statements
* Payment receipts
* Transaction history
* Attestations
* Third-party verification
## Audit Trail
### Requirements
**Documentation:**
* All screening results
* Risk assessments
* Decisions and justifications
* EDD materials
* Audit logs
### Retention
**Periods:**
* KYC artifacts: 365 days (regulatory)
* Application metadata: 6 years
* Audit logs: 7 years
* Credential status: Indefinite
### Access
**Controls:**
* Role-based access
* Audit logging
* Data minimization
* Encryption at rest
* Secure transmission
## Compliance
### Regulatory Requirements
**Jurisdictions:**
* GDPR (EU)
* CCPA (California)
* Other applicable laws
### Reporting
**Obligations:**
* Suspicious activity reports (if applicable)
* Regulatory reporting
* Internal reporting
* Audit reporting
## Testing
### Mock Audit
**Scope:**
* End-to-end process testing
* Risk assessment validation
* EDD trigger testing
* Audit trail verification
* Compliance checks
### Success Criteria
**Requirements:**
* All processes documented
* All decisions justified
* All audit trails complete
* All compliance checks passed
* No critical findings
---
## Revision History
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | 2025-11-10 | CISO | Initial draft |
---
## Approval
**CISO:** _________________ Date: _________
**Chancellor:** _________________ Date: _________
**External Counsel:** _________________ Date: _________