Compliance overview
Soren Pay is a technology platform, not a bank or money services business. Every regulated function is delegated to a partner who holds the appropriate license or accreditation.
Provider responsibility split
| Function | Provider | Their cert/license |
|---|---|---|
| FBO bank accounts + ACH/FedNow/wire | Our partner bank | OCC-chartered national bank |
| Business KYB + KYC of owners | Our banking partner | BSA/AML CIP compliance |
| Card issuing + Visa membership | Visa issuing partner | Visa Principal Member |
| PCI-DSS (card data) | Issuing partner | PCI-DSS Level 1 |
| Cardholder verification | Issuing partner | Issuing partner KYC |
| Consumer KYC (standalone) | Persona | SOC 2 Type II, GDPR, CCPA |
| Travel Rule for crypto >$3k | Issuing partner | FATF-aligned per their MSB filings |
| OFAC / sanctions screening | Banking + issuing partners + Persona (continuous) | OFAC SDN list integration |
What Soren Pay owns
We never custody money or hold the bank charter. We're responsible for:
- Ledger (double-entry, hash-chained audit trail)
- Authorization policy (MCC, merchant, velocity, balance — server-side enforcement)
- Webhook signing both directions (HMAC-SHA256, ±5min replay window)
- Idempotency (24h replay protection on every POST/PATCH)
- Row-Level Security (workspace-scoped, role-gated writes)
- Customer onboarding UX (forms route to the right provider)
- Compliance program documentation (this section)
- Runbooks for incident response and reconciliation breaks
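The two controls above that most often go wrong in practice are the webhook signature check (accepting a valid MAC on a stale message) and idempotency (scoping the key too loosely or forgetting the TTL). The block below is an added, constructed illustration of both, not Soren Pay's own code: it assumes a `t=<unix_seconds>,v1=<hex>` signature header over `"<t>.<body>"`, a ±300s window as stated on the page, and a 24h in-memory idempotency cache keyed by workspace plus `Idempotency-Key`. The secret, body and timestamps are constructed sample values.

```python
import hashlib
import hmac

# Page's stated windows: ±5 min for webhook replay, 24h for POST/PATCH idempotency.
REPLAY_WINDOW_SECONDS = 300
IDEMPOTENCY_TTL_SECONDS = 86_400


def sign_webhook(secret: bytes, body: bytes, timestamp: int) -> str:
    """Outbound side: MAC over "<timestamp>.<raw body>" (header format is an assumption)."""
    digest = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify_webhook(secret: bytes, body: bytes, header: str, now: int) -> bool:
    """Inbound side: parse header, enforce the time window, then constant-time compare the MAC."""
    try:
        parts = dict(kv.split("=", 1) for kv in header.split(","))
        ts = int(parts["t"])
        provided = parts["v1"]
    except (ValueError, KeyError):
        return False  # malformed header is rejected, never "best-effort" parsed
    # Window check first: a stale or future-dated message fails even with a correct MAC.
    if abs(now - ts) > REPLAY_WINDOW_SECONDS:
        return False
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading hex chars matched.
    return hmac.compare_digest(expected, provided)


class IdempotencyStore:
    """Constructed in-memory cache of (workspace, key) -> (stored_at, response) with a TTL.
    Scoping by workspace keeps one tenant's key from replaying another's stored response."""

    def __init__(self, ttl_seconds: int = IDEMPOTENCY_TTL_SECONDS):
        self.ttl = ttl_seconds
        self._seen: dict[tuple[str, str], tuple[int, dict]] = {}

    def lookup(self, workspace: str, key: str, now: int):
        entry = self._seen.get((workspace, key))
        if entry is None:
            return None
        stored_at, response = entry
        if now - stored_at > self.ttl:
            del self._seen[(workspace, key)]  # expired: treat as never seen
            return None
        return response

    def record(self, workspace: str, key: str, response: dict, now: int) -> None:
        self._seen[(workspace, key)] = (now, response)


def process_payment(payload: dict) -> dict:
    """Stand-in for the real side-effecting handler (hypothetical)."""
    return {"status": "posted", "amount_cents": payload["amount_cents"]}


def handle_post(store: IdempotencyStore, workspace: str, idem_key: str, payload: dict, now: int):
    """Return (response, replayed). A replay returns the saved response and runs no side effects."""
    cached = store.lookup(workspace, idem_key, now)
    if cached is not None:
        return cached, True
    response = process_payment(payload)
    store.record(workspace, idem_key, response, now)
    return response, False


def demo_webhook() -> dict:
    secret = b"constructed-shared-secret"
    body = b'{"event":"card.authorization","amount_cents":1250}'
    ts = 1_700_000_000
    header = sign_webhook(secret, body, ts)
    return {
        "fresh": verify_webhook(secret, body, header, now=ts + 30),
        "stale": verify_webhook(secret, body, header, now=ts + 301),
        "future": verify_webhook(secret, body, header, now=ts - 301),
        "tampered": verify_webhook(secret, body.replace(b"1250", b"125000"), header, now=ts),
        "malformed": verify_webhook(secret, body, "garbage", now=ts),
    }


def demo_idempotency() -> list:
    store = IdempotencyStore()
    t0 = 1_700_000_000
    payload = {"amount_cents": 1250}
    flags = []
    flags.append(handle_post(store, "ws_a", "key-1", payload, t0)[1])          # first call: processed
    flags.append(handle_post(store, "ws_a", "key-1", payload, t0 + 60)[1])     # same key: replayed
    flags.append(handle_post(store, "ws_b", "key-1", payload, t0 + 60)[1])     # other workspace: processed
    flags.append(handle_post(store, "ws_a", "key-1", payload, t0 + 86_401)[1]) # past 24h: processed
    return flags


if __name__ == "__main__":
    print(demo_webhook())
    print(demo_idempotency())
```

The ordering inside `verify_webhook` matters: checking the window before the MAC means an attacker who captures a signed message cannot replay it after five minutes, and checking the MAC with `compare_digest` rather than `==` removes the timing side channel on the comparison itself.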
Subpages
- Identity verification matrix — who verifies whom and when