Introduction
Straddle provides account-to-account payment processing services for qualified businesses. Through Straddle, Users can accept bank payments from their customers, or they can send payments to their customers, vendors, or employees through a combination of A2A payment rails.
In order to facilitate payments between two parties, Straddle assumes the role of a third party in the payment process. This means that the funds for every payment must first be cleared into a Straddle account at a sponsor bank before being routed to the intended party.
There are federal laws, state laws, Nacha rules, and other forms of banking regulations that govern how payment service and initiation activities are conducted. These laws and regulations establish structure for the A2A payment process and they help to protect both the consumer and the originator from fraudulent and unethical behavior by the other party in the transaction.
By assuming, on behalf of the User, the position of a third-party in a transaction, Straddle exposes itself to significant legal and financial risks because it is now responsible, along with the originator, for the legal obligations of the originator and for the penalties that apply to the originator for their misconduct.
Each user must, therefore, be carefully examined, evaluated, and approved before Straddle will process payments on behalf of that entity. It is the job of the Onboarding and Compliance Department to properly assess the level of risk each originator represents and make decisions accordingly.
The purpose of this document is to discuss the specific financial and legal risks involved in third-party processing, to lay out a comprehensive set of procedures for properly assessing the level of risk represented by each originator, and to establish the criteria by which an analyst determines whether or not an originator will be approved to process A2A payments through Straddle.
Risk exposure
For the purposes of this document, the word “risk” means any exposure of Straddle to financial loss, regulatory compliance actions, audits and penalties, criminal investigations, lawsuits, criminal and civil penalties, or negative publicity due to actions of any originator or third-party partner, regardless of whether such actions were deliberate or unintentional.
There are several ways that Straddle is exposed to risk via its relationships and external factors. These risks can be segmented into those that Straddle mitigates through customer due diligence and those that are inherent due to third-party relationships and external factors.
Risks Mitigated Through Customer Due Diligence
These are risks that Straddle can proactively manage and mitigate by performing thorough due diligence on its customers (users) before and during the business relationship.
Credit Risk
Credit risk is the risk that a user or other third party is unable to meet the terms of its contractual arrangements with Straddle or to perform as otherwise financially agreed. The basic form of credit risk involves the financial condition of the user itself. Appropriate review of the user prior to activation, monitoring of its activity after activation, and periodic review of the user's financial condition are necessary to ensure that credit risk is understood and remains within company-approved limits.
Compliance Risk
Compliance risk arises from violations of laws, rules, or regulations; noncompliance with internal policies, procedures, or with Straddle's or its Sponsor Bank/ODFI(s) business standards. This risk exists when the products or activities of users are not consistent with governing laws, rules, regulations, policies, or ethical standards. For example, some originators may engage in deceptive product marketing practices violating Unfair, Deceptive, or Abusive Acts or Practices (UDAAP), or engage in collection practices that violate the Fair Debt Collection Practices Act. Ensuring that users maintain the privacy of customer records and implement appropriate information security and disclosure programs is another compliance concern. Compliance liability could potentially extend to Straddle for actions of its customers and their end-users.
Legal Risk
Legal risk is the risk of legal action being taken against Straddle as a result of activities of its users. This risk could relate to any of the parties in the relationship: Straddle, the user, or the user's customers. The complexity of these relationships and increased intervention of law enforcement in the financial services sector at both federal and state levels, as well as class action lawsuits, heighten Straddle's legal risk. Through comprehensive due diligence and contractual agreements, Straddle can mitigate legal risks associated with its users.
Reputational Risk
Reputational risk arises from negative public opinion. Third-party relationships that result in dissatisfied customers, interactions not consistent with Straddle policies, inappropriate recommendations, security breaches resulting in the disclosure of customer information, and violations of law and regulation can harm the reputation and standing of Straddle. Negative publicity involving Straddle's users can also result in reputational risk to Straddle and its bank partners. By carefully selecting and monitoring users through due diligence, Straddle can mitigate reputational risks.
Risks Inherent with Third-Party Relationships and External Factors
These are risks that are inherent due to Straddle's reliance on third-party partners and external systems, which require ongoing oversight and risk management strategies.
Third-Party Risk
Third-party risk is associated with relying on external service providers or partners, such as Originating Depository Financial Institutions (ODFIs), payment networks, or vendors. These risks stem from the possibility that these third parties may fail to meet their obligations or may expose Straddle to additional risks through their actions or inactions. For example, if an ODFI fails to comply with regulatory requirements, Straddle may be held accountable or experience disruptions in service. Regular due diligence, strong contractual agreements, and ongoing monitoring of third-party performance are critical components in managing third-party risk.
Operational Risk
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events that directly affect Straddle's operations. This includes internal errors, system failures, fraud, or any event that disrupts Straddle's normal business activities due to internal factors or external events not related to third parties. Effective mitigation strategies include implementing strong internal controls, regular employee training, maintaining robust IT systems, and developing comprehensive disaster recovery and business continuity plans.
Systemic Risk
Systemic risk is the risk that the failure or disruption of one participant in the financial system could lead to widespread financial instability or failure across the entire system. As a payment processor, Straddle is connected to various financial institutions and payment networks. Disruptions or failures at any point in the payment system—including those of ODFIs, clearinghouses, or other critical infrastructure—can have cascading effects on Straddle's operations. Systemic risks are often beyond the control of any single entity but can be mitigated through participation in industry-wide risk management initiatives, adherence to regulatory standards designed to enhance the resilience of the financial system, and developing contingency plans to respond to systemic events.
Data and technology
In order for the Straddle Onboarding Department to perform proper due diligence when underwriting each potential originator, the following information MUST be provided by each originator prior to Straddle commencing due diligence:
Data
Type of Business / Service (description)
Type of Ownership Structure
Primary Phone Number, Customer Service Phone Number
Customer Service Email Address
Owner/Officer Personal Information
Payment Processing Information
Dollars Processed / month
Transactions Processed / month
Max Single Transaction Amount
Max Daily Total Transaction Amount
Customer Types (individuals / businesses)
Transaction Types (debits / credits)
Payment Consent Methodology (SEC code)
Use of services (payroll, sale of goods, etc.)
Settlement Bank Account Information
Consent to Straddle Payment Services Agreement
The underwriting process does not begin until all required information has been collected. Failure to provide the required information within a reasonable time period will result in rejection of the originator application.
Technology
Businesses are increasingly accessing financial services online, and to satisfy market demands and expectations Straddle must provide a seamless customer experience starting with simplifying account opening. The struggle that many fintechs and payment providers face is the trade-off between speed and thoroughness during customer onboarding. At Straddle, we understand there is no substitute for a proper due diligence process - and the existing “onboarding automation” products on the market weren’t quite good enough. To fix this, we built Weave: a proprietary business and identity decisioning platform.
We’ve partnered with the best data providers in the industry to connect with Weave and built the infrastructure on a highly customized Salesforce platform.
Weave is powered by custom objects called Threads that connect seemingly disparate sets of data into actionable insights for a holistic view of customer risk.
Weave decision engine
What does it do?
KYC: Verify Identity of Owner/Officer
Reason
A fraudulent person can obtain a tremendous amount of information about a company and its officers from the Internet alone. This person could then falsely represent themselves as the owner of a company and submit an application that is accurate in every area except for details such as the settlement bank account. The fraudulent individual could then use the Straddle originator account to collect payments and defraud the public under the name of this business.
Source data
Owner/Officer Personal Information
Assessment Guidelines
The only real protection from identity theft is to have the owner of an “identity” provide a preponderance of information that should only be known by the real owner of the identity and that can be verified independently of the owner.
Straddle’s Identity+ module combines KYC, identity fraud and synthetic identity detection into an actionable decision with included reason codes. Use the credit report as a secondary source for validating the name, residential address, and place of employment as provided on the application. The listed “Owner” on all new originator applications is automatically sent a link to validate the provided settlement account via open-banking connectivity. Straddle uses a credential-based open-banking API service to verify the name(s) of the individuals authorized to transact on a given bank account. People Data Labs provides supplemental information on the individual in the form of social profiles and background data.
If the prospective merchant is unable to validate with credentials, Straddle will use its internal connection to the EWS verification service to match the account owner’s name to the name on the Straddle application. If the individual’s identity still cannot be authenticated via credential-based identity solutions, they will be required to complete Socure biometric or document authentication by uploading a picture of a valid government ID along with a ‘selfie’ picture.
Straddle, via Middesk, then confirms business ownership or executive authority through state government business registration listings. This service is automated and retrieves the business formation documents from any state that makes them available. Additional ownership confirmation is received via an automated web crawl that matches the “Owner Name” to information on . If the above methodology does not succeed in determining whether an individual is who they say they are and is authorized to transact on behalf of the business applying for Straddle services, the Straddle onboarding team will reject the application for Straddle services.
KYC: Evaluate Legal, Business, & Financial History of Owner
Source data
Owner/Officer Personal Information
Reason
If the owner or primary officer of a company has a proven track-record of legal problems, involvement, or ownership in fraudulent or failed businesses, or has demonstrated a consistent pattern of mismanaging personal finances, then it may be safe and reasonable to conclude that a significant risk exists for the same character issues to affect the management and practices of the current business applying for payment services.
Assessment Guidelines
Start by reviewing the credit report. A history of debt write-offs or liens or a recent bankruptcy would demonstrate the owner’s attitude toward paying his/her debts and could be an indicator of the current financial stability of the company. Excessive unsecured debt and/or credit scores of <650 should be reviewed with enhanced due diligence. If the owner demonstrates a commitment to honoring debt, then late payments on a credit report should be noted but not given the same weight as write-offs, liens, or bankruptcies.
In addition to a personal credit report, the primary officer and any other listed contacts are screened against no fewer than 14 international watchlists:
Office of Foreign Assets Control (OFAC), U.S. Department of the Treasury
Specially Designated Nationals (SDN)
Foreign Sanctions Evaders (FSE)
Palestinian Legislative Council (PLC)
Sectoral Sanctions Identifications (SSI)
Non-SDN Menu-Based Sanctions (NS-MBS)
Non-SDN Iranian Sanctions (NS-ISA)
Non-SDN Chinese Military-Industrial Complex Companies (NS-CMIC)
Bureau of Industry and Security (BIS), U.S. Department of Commerce
Directorate of Defense Trade Controls (DDTC), U.S. Department of State
Bureau of International Security and Non-Proliferation (ISN), U.S. Department of State
Nonproliferation Sanctions
Socure provides additional watchlist coverage coupled with adverse media detection and ongoing monitoring for beneficial owners and companies (detailed below).
If any information is surfaced that is incongruous with the Straddle enrollment form, such as the primary officer “home address” being a UPS store, the data is highlighted in red and triggers an enhanced due diligence investigation by the Straddle onboarding analyst.
The other search tools can be used to find lawsuits, bad press, FTC investigations, FTC judgments, criminal investigations, prosecutions, customer complaints and other negative information tied to the owner’s name, address, or other personal information. A complete background check may be performed for those individuals or entities where enhanced due diligence is required.
If the owner/officer of an originator shows a proven history or a significant incidence of personal legal, business, or financial problems, without proof of remedy, Straddle should decline the application for processing services.
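Watchlist screening only works if it tolerates the spelling, ordering and transliteration differences between an application and a listed name, otherwise "Pyotr Ivanov" never matches "Ivanov, Pyotr Sergeyevich". The following is an added example written for this page, not Straddle's, Socure's or any list publisher's code. The three list entries are constructed, fictional records; the 0.8 threshold and the scoring formula are illustrative assumptions, not Straddle policy.

```python
"""Fuzzy name screening of an applicant against a constructed watchlist.

Editor's added example, not Straddle's or any vendor's code. The list entries
below are fictional and constructed for the example; real screening runs
against the current OFAC/BIS/DDTC/ISN lists and the vendor feeds named in the
text. The threshold and scoring are illustrative assumptions.
"""
import re
import unicodedata
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class ListEntry:
    list_name: str          # e.g. "SDN"
    name: str               # primary listed name, often in "Last, First" form
    aliases: tuple = ()     # a.k.a. names as the lists publish them


# Constructed sample entries (fictional names, not real list records).
WATCHLIST = (
    ListEntry("SDN", "Ivanov, Pyotr Sergeyevich", ("Petr Ivanov", "Pyotr Ivanoff")),
    ListEntry("FSE", "Al-Rashid, Mahmoud", ("Mahmud Alrashid",)),
    ListEntry("NS-CMIC", "Example Heavy Industries Co., Ltd.", ("Example Heavy Ind",)),
)

# Entity-type words carry no identifying signal and would inflate scores.
STOPWORDS = {"co", "ltd", "llc", "inc", "corp", "company", "limited", "the"}


def normalize(name):
    """Fold diacritics, lower-case and tokenize so that 'Ivanov, Pyotr' and
    'Pyotr Ivanov' yield the same token set. Non-Latin scripts are dropped by
    the ASCII fold, so names in those scripts must be transliterated first."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    tokens = re.findall(r"[a-z0-9]+", ascii_name.lower())
    return [t for t in tokens if t not in STOPWORDS] or tokens


def similarity(query, candidate):
    """Score in [0, 1]: the mean of each query token's best match against the
    candidate's tokens, or the whole-string ratio over sorted tokens, whichever
    is higher. Token matching absorbs transliteration variants (Petr/Pyotr);
    the sorted whole-string ratio absorbs word-order differences."""
    q, c = normalize(query), normalize(candidate)
    if not q or not c:
        return 0.0
    per_token = [max(SequenceMatcher(None, t, u).ratio() for u in c) for t in q]
    token_score = sum(per_token) / len(per_token)
    whole = SequenceMatcher(None, " ".join(sorted(q)), " ".join(sorted(c))).ratio()
    return max(token_score, whole)


def screen(applicant_name, watchlist=WATCHLIST, threshold=0.8):
    """Return (list_name, listed_name, score) for every entry whose primary
    name or any alias scores at or above the threshold, best first.
    An empty list means 'no hit', not 'cleared': near-misses below the
    threshold still belong in the analyst's enhanced due diligence queue."""
    hits = []
    for entry in watchlist:
        best = max(similarity(applicant_name, n) for n in (entry.name, *entry.aliases))
        if best >= threshold:
            hits.append((entry.list_name, entry.name, round(best, 3)))
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for name in ("Pyotr Ivanov", "John Ivanov", "Mahmud Al-Rashid", "Example Heavy Industries LLC"):
        print(name, "->", screen(name))
```

A shared surname alone ("John Ivanov") scores well under the threshold because every query token is weighted equally, while a transliteration variant of the full name ("Mahmud Al-Rashid") still scores above 0.9. Production screening would add date-of-birth and nationality fields to cut false positives, and would log every score, not only the hits.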
KYB: Verify legitimacy of the business
Is the business legitimate and is the sign-up data valid/correlated to the business?
Reason
Know Your Business has the same objective as KYC in the sense that it is a way for Straddle to assess and understand the various risks that new business relationships pose. The KYB process should enable Straddle to examine the entities it is dealing with and help it determine whether they are authentic or are being used to conceal the identities of owners for illegitimate purposes.
A business may apply for Straddle services using the name of a business that does not really exist, the name of a business that does exist but is not located at the address provided, or a name that deliberately infringes all or part of the registered or trademarked name of an existing business. In each case, the goal of submitting such an application would usually be to defraud unsuspecting customers and use Straddle to collect fraudulent payments.
Source data
Type of Business / Service (description)
Type of Ownership Structure
Primary Phone Number, Customer Service Phone Number
Email Address, Customer Service Email Address
Owner/Officer Personal Information
Assessment Guidelines
Rather than have our compliance analysts scour the internet for disparate data sources relating to the business, the proprietary Straddle onboarding platform aggregates various data sources into a human-readable format and alerts the analyst when the package is ready for review.
Initially, the system prompts the analyst to review “Industry Type” – if the potential business customer falls under a prohibited industry the application for payment services is to be immediately declined. Subsequently, the business website is confirmed to be active and to correlate with the email domain used by the individual submitting the application.
Inconsistencies in merchant name, industry, email address, address, phone numbers and other data should be treated as significant problems and, if not resolved, should result in the rejection of the merchant application.
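Two of the correlation checks described above (the sign-up email domain against the business website, and an officer "home address" that is really a mail drop, as in the UPS store case in the KYC section) are mechanical enough to run before an analyst ever sees the package. The following is an added example written for this page, not Straddle's onboarding platform code. The public-mailbox domain set and the two-label public suffixes are constructed, non-exhaustive lists; a production check would use the Public Suffix List and a USPS or vendor address-type lookup, which this offline example assumes are unavailable.

```python
"""Applicant consistency checks: email domain vs. website, and mail-drop addresses.

Editor's added example, not Straddle's code. Lists below are constructed and
non-exhaustive (assumption); production would use the Public Suffix List and a
CMRA/address-type lookup instead of the heuristics here.
"""
import re
from urllib.parse import urlsplit

# Consumer mailbox providers: an application from one cannot be tied to the
# business's own domain (constructed, non-exhaustive).
PUBLIC_MAIL_DOMAINS = {
    "gmail.com", "yahoo.com", "outlook.com", "hotmail.com",
    "icloud.com", "aol.com", "proton.me", "protonmail.com",
}

# Two-label public suffixes where the registrable domain is three labels deep
# (constructed subset; the real list is the Public Suffix List).
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# "PMB" is the USPS Publication 28 designator for a private mailbox at a
# commercial mail receiving agency; PO boxes are likewise not residences.
MAIL_DROP_PATTERNS = (r"\bPMB\b", r"\bP\.?O\.? BOX\b", r"\bPRIVATE MAILBOX\b")


def registrable_domain(host):
    """Reduce a hostname to its registrable domain: mail.acme.com -> acme.com,
    shop.acme.co.uk -> acme.co.uk. Labels are compared case-insensitively."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def website_host(url):
    """Hostname of the stated website, tolerating a bare domain and a www prefix."""
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def email_domain_check(email, website_url):
    """MATCH if the email's registrable domain equals the website's;
    PUBLIC_MAILBOX if it is a consumer provider; MISMATCH otherwise
    (including lookalikes such as acme-payroll.co vs acme-payroll.com)."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+\.[^@\s]+)", email.strip())
    if not m:
        return "INVALID_EMAIL"
    mail_dom = registrable_domain(m.group(1))
    if mail_dom in PUBLIC_MAIL_DOMAINS:
        return "PUBLIC_MAILBOX"
    site_dom = registrable_domain(website_host(website_url))
    return "MATCH" if mail_dom == site_dom else "MISMATCH"


def looks_like_mail_drop(address):
    """Heuristic flag for a 'home address' that is a PMB or PO box. A True
    result routes the file to enhanced due diligence; it is not proof."""
    upper = address.upper()
    return any(re.search(p, upper) for p in MAIL_DROP_PATTERNS)


def consistency_flags(email, website_url, home_address):
    """Collect the findings an analyst should see highlighted on the package."""
    flags = []
    email_result = email_domain_check(email, website_url)
    if email_result != "MATCH":
        flags.append(f"email_domain:{email_result}")
    if looks_like_mail_drop(home_address):
        flags.append("home_address:MAIL_DROP")
    return flags
```

A MISMATCH is not automatically disqualifying (a holding company may legitimately apply from a parent's domain), but it is exactly the kind of discrepancy the text says must be resolved before approval, and the lookalike case is where an impersonator of a real business is most likely to show up.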
A “business report” is compiled validating the following:
Taxpayer Identification Number (TIN)
A Taxpayer Identification Number (TIN) is a unique identification number used by the Internal Revenue Service (IRS) in the administration of tax laws. While there are various types of TINs, all businesses will have some form of TIN, which will act as a unique identifier of a business entity.
The list of TIN types are the following:
Social Security Number (SSN)
Employer Identification Number (EIN)
Individual Taxpayer Identification Number (ITIN)
Taxpayer Identification Number for Pending U.S. Adoptions (ATIN)
Preparer Taxpayer Identification Number (PTIN)
Today, Straddle only offers payment services to customers that have EINs, also known as Federal Employer Identification Numbers (FEINs), which are assigned to business entities as well as to estates and trusts.
All valid business entities will have an EIN issued by the IRS. The Federal government requires a legal entity have an EIN in order to pay employees and to file business tax returns. To be considered a Partnership, LLC, Corporation, S Corporation, Non-profit, etc., a business must obtain an EIN when incorporating.
EIN vs SSN
Businesses that are registered as sole proprietorships use the Owner / Operator's SSN in the place of the EIN.
EINs do not expire. Once an EIN has been issued to an entity, it will not be reissued. As such, each EIN is unique to a business and persists over time.
Verifying the EIN of a business is a crucial part of business verification. When creating a Business through Straddle with a TIN, Straddle will verify that the EIN is valid and that it matches the name passed to Straddle. If the EIN is unable to be verified or does not match the name provided, Straddle via its Middesk integration will perform a series of lookups to identify alternate names that may be associated with that EIN.
Verifying a TIN and Business Name match is important for a couple of reasons:
All state and legal filings associated with a business are typically traced through the business's legal name. Without the correct legal name of the entity, Straddle is unable to conduct accurate screenings of that business for reports such as Registration Records, which may subsequently delay onboarding.
If Straddle onboards clients that will process over $20,000 and more than 200 payments in a calendar year, Straddle must file Form 1099-K with the IRS. The 1099-K requires the merchant’s Tax ID, legal name, address, and total number of transactions for the calendar year. If the company files inaccurate, incomplete, or late returns, it may be fined hundreds of dollars per erroneous filing, with no maximum penalty.
When a TIN is passed for verification, Straddle will receive one of the following responses:
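The EIN and legal-name checks described in this section are cheap to pre-screen before the Middesk/IRS lookup is spent, and the reason a name "mismatch" needs an alternate-name lookup rather than an immediate decline is usually punctuation or entity-suffix spelling. The following is an added example written for this page, not Straddle's or Middesk's code, and it cannot replace the IRS TIN match itself. The set of EIN prefixes the IRS does not issue is stated as the editor's understanding of the IRS valid-prefix list and should be verified against the current IRS page; the SSN structural rules follow the SSA's allocation scheme (area 000, 666 and 900-999, group 00 and serial 0000 are never issued).

```python
"""Structural TIN checks and legal-name normalization ahead of the IRS TIN-match lookup.

Editor's added example, not Straddle's or Middesk's code. It catches input that
would fail or mismatch before a lookup is spent; the authoritative answer still
comes from the IRS match.
"""
import re

# EIN prefixes the IRS does not issue, per the editor's reading of the IRS
# valid-EIN-prefix list (assumption: verify against the current IRS page).
INVALID_EIN_PREFIXES = {
    "00", "07", "08", "09", "17", "18", "19", "28", "29",
    "49", "69", "70", "78", "79", "89", "96", "97",
}

# Entity-type words stripped from the end of a legal name before comparison.
ENTITY_SUFFIXES = {
    "llc", "inc", "incorporated", "corp", "corporation", "co", "company",
    "ltd", "limited", "lp", "llp", "plc", "pc", "pllc",
}


def normalize_tin(raw):
    """Return the bare 9 digits ('12-3456789' and '123-45-6789' both qualify) or None."""
    digits = re.sub(r"\D", "", raw or "")
    return digits if len(digits) == 9 else None


def tin_type(raw, ownership_structure):
    """Classify the supplied TIN against the declared ownership structure.

    A sole proprietorship supplies the owner's SSN (see 'EIN vs SSN' above);
    every other structure must supply an EIN. The SSN rules are the SSA's
    structural ones: area 000, 666 or 900-999, group 00 and serial 0000 are
    never issued, so such a value cannot be a real SSN.
    """
    digits = normalize_tin(raw)
    if digits is None:
        return "INVALID_FORMAT"
    structure = ownership_structure.strip().lower().replace("-", " ")
    if structure == "sole proprietorship":
        area, group, serial = digits[:3], digits[3:5], digits[5:]
        if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
            return "INVALID_SSN"
        return "SSN"
    if digits[:2] in INVALID_EIN_PREFIXES:
        return "INVALID_EIN"
    return "EIN"


def normalize_legal_name(name):
    """Canonical form for comparing a legal name with the IRS name of record:
    '&' -> 'and', punctuation dropped, leading 'the' and trailing entity
    suffixes removed, so 'The Acme Co., Inc.' and 'ACME COMPANY INC' agree."""
    text = name.replace("&", " and ").replace(".", "").lower()
    tokens = re.findall(r"[a-z0-9]+", text)
    while tokens and tokens[-1] in ENTITY_SUFFIXES:
        tokens.pop()
    if tokens and tokens[0] == "the":
        tokens.pop(0)
    return " ".join(tokens)


def name_match_result(applicant_name, name_of_record):
    """EXACT_MATCH, NORMALIZED_MATCH (same entity, different punctuation or
    suffix spelling) or NO_MATCH (send to the alternate-name lookup)."""
    if applicant_name.strip().lower() == name_of_record.strip().lower():
        return "EXACT_MATCH"
    if normalize_legal_name(applicant_name) == normalize_legal_name(name_of_record):
        return "NORMALIZED_MATCH"
    return "NO_MATCH"


def tin_precheck(raw_tin, ownership_structure, applicant_name, name_of_record=None):
    """Combine both checks; name_of_record is the name an IRS lookup returned, if any."""
    result = {"tin": tin_type(raw_tin, ownership_structure)}
    if name_of_record is not None:
        result["name"] = name_match_result(applicant_name, name_of_record)
    return result
```

The suffix stripping is deliberately aggressive (a trailing "Company" is dropped as well as "Co."), which is the right trade-off here: the goal is to decide whether the alternate-name lookup is needed, not to prove the two strings are the same filing. A NO_MATCH after normalization is the case that goes to Middesk for alternate names.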
Business Formation
Businesses are formed or incorporated at the beginning of their existence. This happens through an act called "incorporation" or "formation," which is typically handled through a state's Secretary of State. A business owner files the required paperwork with this government body, and the Secretary of State issues a set of Articles of Incorporation or Organization to commemorate the act of creating the entity. That state of incorporation is referred to as the entity's domestic jurisdiction.
At the time of formation, the entity owner also decides the formation type of the entity. The formation type determines the personal liability of the founders, how taxes are paid, and other important details.
The main formation structures are:
Limited Liability Company (LLC)
A business must also decide in which states to establish itself. While a business forms in a domestic jurisdiction, it is not required to operate only in that market. For example, more than 65% of Fortune 500 firms incorporate their business in Delaware, despite residing elsewhere.
Understanding the formation of an entity is key to evaluating the risk profile of a business. When creating a Business review in Middesk, we evaluate the Business in all U.S. markets to determine the entity's footprint, including its domestic and all foreign jurisdictions.
Determining the actual formation of a business is important to answer questions like:
How long has this entity been in business?
Where did this business establish itself?
What type of entity is this business?
Secretary of State Filing
As mentioned in Formation, while a business can be formed and established in one jurisdiction, a business can operate in many other states. When filing to conduct operations in another jurisdiction with a state's Secretary of State, a business entity files a registration with that government body. This new state is referred to as one of the entity's foreign jurisdictions.
An entity is considered as conducting business in a state when: