QairoPay is a FinCEN-registered Money Services Business. Identity verification is performed by Persona; sanctions screening covers OFAC and major global lists. Card-program data is handled inside a PCI DSS 4.0 scope. We hand off the USDC on-ramp to Bridge (by Stripe) under Principle XIV of our internal architecture contract — we do not custody fiat directly.
Regulatory status
QairoPay operates as a Money Services Business (MSB) registered with the U.S. Department of the Treasury's Financial Crimes Enforcement Network (FinCEN). State money-transmission licensure is maintained or pursued as required by program scope and the residency of payors and payees.
- Federal registration: FinCEN MSB — registration number on file with our compliance team.
- State MTLs: held directly or covered via partner agreements where appropriate; the live list is provided to customers as part of contract due diligence.
- Card issuance: delivered via a sponsor-bank arrangement; bank identity is disclosed to enterprise customers under NDA.
QairoPay does not provide investment advice, brokerage services, or fiduciary custody.
KYC and KYB
All customers (tenants) complete Know Your Business (KYB) onboarding before being granted production credentials. Where end-user accounts hold balances, those end-users complete Know Your Customer (KYC) verification before funds can move.
- KYB: entity formation documents, beneficial ownership disclosure to the 25 percent / control threshold, sanctions and adverse-media screening on the entity and on each UBO and controller.
- KYC: identity-document verification, liveness, address and date-of-birth match, and ongoing screening. Performed by Persona under a Direct Verification Agreement; QairoPay receives a verification result and audit trail, not raw documents.
- Enhanced due diligence: triggered by jurisdictional risk, structural complexity, high-value flows, or adverse-media hits. EDD outcomes are reviewed by a human analyst before approval.
- Continuous monitoring: sanctions and PEP screening are re-run on a rolling basis; material changes (sanction listing, adverse media) generate a case in the compliance queue.
End-user IDs are encrypted, segregated by tenant, and retained for the period required by the Bank Secrecy Act (five years after account closure) or longer where contracts or regulations require.
BSA / AML and sanctions
QairoPay maintains a written Anti-Money-Laundering Program that meets the Bank Secrecy Act, USA PATRIOT Act, and FinCEN rule requirements for MSBs.
- A designated BSA Officer reporting to the CEO is responsible for the program; the role is filled and disclosed on request.
- Transaction monitoring runs continuously across pass top-ups, card transactions, and settlement legs; rules cover structuring, velocity, geographic risk, sanctioned counterparties, and on-chain heuristics for the USDC leg.
- Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs) are filed within statutory windows where applicable.
- Sanctions screening covers OFAC SDN and consolidated lists, EU consolidated list, UK OFSI list, and UN sanctions; the screening dataset is refreshed daily.
- Annual independent AML program review and annual employee training.
Card program (PCI DSS)
The QairoPay Spend Card is issued via a sponsor-bank partnership through a regulated issuer-processor. The cardholder-data environment (CDE) is scoped narrowly and validated against PCI DSS 4.0 by a Qualified Security Assessor (QSA) annually.
- QairoPay scope: Service Provider Level 1, validated by an external QSA. The Report on Compliance and current Attestation of Compliance are available to customers under NDA.
- Primary Account Numbers (PANs) are never stored on QairoPay-owned systems. Tokens issued by the processor are stored in their place.
- Customer scope: integrators who handle a PAN on their own systems are responsible for their own PCI scope. Integrators using QairoPay's hosted card fields or wallet provisioning flows do not bring a PAN into their environment.
Stablecoin and on-chain compliance
QairoPay settles eligible flows in USD Coin (USDC) on Aptos. Compliance is anchored to two principles: customers never touch unregulated crypto rails directly, and on-chain activity is subject to the same monitoring as the off-chain leg.
- On-ramp: fiat-to-USDC conversion runs through Bridge (by Stripe) under a typed OnRampAdapter contract. Bridge holds the relevant licensing and performs its own KYC; QairoPay does not directly custody fiat in connection with the on-ramp.
- On-chain monitoring: counterparty address risk is screened against blocklists from Chainalysis-class providers. Sanctioned and high-risk counterparties are blocked at the application layer before broadcast.
- Travel Rule: where transmittals to external wallets exceed the FinCEN Travel Rule threshold, originator and beneficiary information is collected and transmitted using the relevant industry protocol.
- Treasury operations: USDC treasury balances are managed by QairoPay or by a qualified custody partner; reserves backing customer-held balances are segregated and reconciled daily.
Privacy regulation
QairoPay complies with the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA, and analogous laws in covered jurisdictions. See the Privacy Policy for full detail, including the lawful bases on which we process personal data and the rights available to data subjects.
- A Data Protection Addendum (DPA) is offered to all customers and is executed automatically upon contract acceptance for customers in the EEA, UK, or California.
- Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum govern cross-border transfers.
- A designated EU representative and a Data Protection Officer are appointed; contact information is on the Privacy Policy.
Consumer protection
Where the QairoPay Spend Card is issued to consumers, the program operates under Regulation E (electronic fund transfers), Regulation Z (where credit features apply), and applicable state-law analogs. Cardholder agreements, error-resolution procedures, and disclosure schedules are delivered by the issuing bank and surfaced through customer-facing flows that QairoPay does not modify.
Regional coverage
The Phase 1 launch market is the United States. QairoPay is currently expanding coverage in the following sequence; precise availability is committed in the order form.
- United States — live; all 50 states plus DC, subject to state MTL coverage and program eligibility.
- European Economic Area and United Kingdom — under licensing in partnership with a regulated e-money institution; GA targeted by end of Phase 2.
- Asia-Pacific — country-by-country rollout; coverage decisions are driven by sponsor-bank partnerships and stablecoin licensure clarity.
Audit and assurance
QairoPay's control environment is independently examined annually. Reports are shared with customers and qualified prospects under NDA via our Trust Center.
- SOC 2 Type II — annual examination by a Big Four firm; bridge letters issued between report periods.
- ISO/IEC 27001 — annual surveillance audit; full re-certification every three years.
- PCI DSS 4.0 — annual QSA assessment of the cardholder data environment.
- AML program review — annual independent review by an external compliance firm.
- Penetration testing — at least annually, supplemented by continuous internal red-teaming; sanitized executive summaries are available on request.
Contacting compliance
For diligence requests, regulatory inquiries, or compliance documentation, email [email protected]. Trust Center access (SOC 2, ISO 27001, AoC, AML policies, BCP, sub-processor list) is granted through [email protected] under a standard mutual NDA.
Law-enforcement requests are handled at [email protected] in accordance with our published Law Enforcement Guidelines and applicable customer notice obligations.
This page summarizes the QairoPay compliance program at a point in time. It is not legal advice and does not create rights beyond those granted in your executed contract. Where this page conflicts with executed contract language, the contract governs.