Compliance & Trust
What this covers / who it's for. The platform's compliance machinery framed as product guarantees: what a client, an operator, a regulator, or an auditor can rely on the system to do — case handling, account freezes, regulatory filings, the tamper-evident audit trail, and the encrypted document vault. Enforcement is in code, not policy documents.
Compliance cases — nothing waits forever
Compliance work items (sanctions hits, transaction alerts, held deposits, onboarding reviews…)
become cases with a lifecycle of open → in_review → escalated → closed
(compliance module).
The guarantee: a case cannot silently rot. An SLA engine scans every minute; a case that breaches its deadline is escalated automatically, one rung at a time, and re-scans of an already-escalated case are no-ops (idempotent — no notification storms). Deadlines are severity- tuned per case type: sanctions/watchlist hits get 1 hour, RFIs 4 hours, re-KYC and crypto travel-rule 24 hours, transaction alerts 48 hours. Closing a case requires a recorded disposition with a written rationale.
Account freeze & closure — precise levers, precise effects
| Intervention | What the user experiences | Reversible? |
|---|---|---|
| Freeze | Login still works; every action — including reads on the money surfaces — is refused with ACCOUNT_FROZEN (403). Incoming items park as held items. | Yes — unfreeze releases held items. |
| Closure | Terminal. Login itself is refused. | No. |
Honest scope statement: V1 freezes the whole account only. Narrower scopes (a single asset,
a single address) are designed for but deliberately rejected today
(FREEZE_SCOPE_UNSUPPORTED) rather than half-enforced. The freeze gate is wired into the command
bus itself — every money-moving command checks it — with a route-level backstop, so there is no
code path around it. Freeze, unfreeze, and close are operator actions behind step-up MFA.
Regulatory filings — separation of duties in code
- SAR (suspicious activity reports). A three-officer ladder:
draft→in_review→submitted, where the drafter, reviewer, and submitter must be three distinct people. Reviewing your own draft is refused (SELF_REVIEW_FORBIDDEN); submitting a report you drafted or reviewed is refused (SELF_SUBMIT_FORBIDDEN) — and an unattributable submission is refused outright rather than waved through. - CTR (currency transaction reports). Candidates are surfaced on demand — the system
aggregates a customer's completed incoming volume per day, converts to USD, and flags anyone
above the configured $10,000/day threshold; operators then record the filing
(
candidate→recorded). - Travel-rule records. Opened automatically when a deposit is held for missing sender
information (Money movement); an operator attaches the encrypted
originator/beneficiary detail to move it from
pending_originator_infotorecorded. The encrypted detail is never surfaced back through any API or export. - Filing is a handoff in V1. Stables prepares the evidence and durably records the filing; the actual submission to regulators is performed by the finance rail (Conduit). The seam for direct filing exists; the current implementation records the handoff reference.
The audit trail — every attempt, tamper-evident
The strongest guarantee on the platform (audit module):
- Every command attempt becomes an audit record — including the ones that failed, were denied permission, or were rejected by a business rule. A denied action leaves the same durable trace as a successful one; the denial record survives even though the action itself was rolled back. ("Show me everything this user tried to do" is answerable.)
- Records are immutable and hash-chained. The database refuses updates and deletes on the audit table outright, and each record is linked to the previous one by a cryptographic hash — altering or removing any record breaks the chain visibly. Signed checkpoints anchor the chain, and a verification job re-checks it hourly (enabled by default).
- Daily export to write-once storage (WORM — storage that physically refuses modification) exists and is verified after export, but ships disabled until the storage target is provisioned — a deploy-time gate, called out per the wiki's ship-state honesty rule.
The document vault — our copy first, controlled exits
Sensitive documents (KYB/KYC evidence and the like) live in an encrypted vault (documents module):
- Store-before-forward. Our own encrypted copy exists and is committed before anything is forwarded to the provider. A provider outage can delay forwarding — never lose the document. Forwarding failures that exhaust retries land on an operator triage register (transient ones are re-driven automatically, hourly).
- Per-document encryption. Each document has its own encryption key (envelope encryption) — which is what makes per-document crypto-shred possible.
- Downloads only via ~90-second signed URLs, and every access is logged — who fetched which document, when. There is no unauthenticated or permanent link to document bytes.
- Malware-scan quarantine is built (uploaded bytes are quarantined until scanned
clean;rejectedbytes are never served) but config-gated and ships disabled until a scanner is deployed. With scanning off, documents are admitted as clean. - Right to be forgotten = crypto-shred: the document's key is destroyed, leaving an
unreadable tombstone. Shredding is refused inside the regulatory retention window
(
SHRED_BLOCKED_BY_RETENTION) — by default the 7-year compliance floor — so an erasure request can never delete evidence the law requires keeping.
Where the trust lives, in one line each
| Guarantee | Enforced by |
|---|---|
| No case rots | Per-minute SLA scan, idempotent escalation |
| No unilateral money movement | Maker/checker + co-sign (Money movement) |
| No self-approved filings | Three-officer SAR ladder, refused in code |
| Frozen means frozen | The command-bus freeze gate + route backstop |
| Every attempt is on the record | Hash-chained, append-only audit trail, hourly verification |
| Documents can't leak quietly | Signed-URL-only downloads, per-access logging |
| Erasure vs retention resolved honestly | Crypto-shred blocked inside the retention floor |