Compliance

Identity verification

The USA PATRIOT Act requires various financial institutions to implement a Customer Identification Program (CIP) to verify the identities of persons with whom it does business. As an extension of our issuing bank, Apto, and therefore your card program, are required to abide by these verification regulations.

Consumer verification (KYC)

In the Instant Issuance program, Apto will handle all aspects of your program’s KYC verification.

You’ll use our mobile SDK to collect the following information from card customers:

  • Cardholder phone number
  • Cardholder full name
  • Cardholder physical address
  • Cardholder date of birth
  • Government tax identification number

We process this information in real time to verify the cardholder’s identity. In other words, if there are no issues then cardholders get approved instantly. If we are unable to verify the customer’s eligibility from the information provided, we may ask for supporting documentation, which includes (but is not limited to) copies of:

  • Social Security card
  • Government issued ID
  • Proof of address, such as a utility bill; applicants must submit a residential address

Apto requests this information by emailing the prospective cardholder on your behalf. We send a secure site for them to upload additional documents.

Each Cardholder object includes a kyc_status, which represents the current state of their identity verification process. The KYC keys and their possible values are:

KYC keyPossible values
kyc_statusRESUBMIT_DETAILS, UPLOAD_FILE, UNDER_REVIEW, PASSED, REJECTED, TEMPORARY_ERROR
kyc_identity_reasonnull, WATCHLIST_MATCH, SSN_MISMATCH, SSN_INVALID
kyc_address_reasonnull, ADDRESS_COMMERCIAL, ADDRESS_PO_BOX, ADDRESS_RISKY
kyc_file_reasonnull, UNRELATED_FILE, WRONG_FILE, BLURRY

If a user changes email address, phone number, or mailing address, you are not required to re-run KYC. Instead, the user should contact Apto support and ask us to change the relevant details in our database. There is an SOP around this with various verification steps—give us your DOB, address, last 4 of the card, last 4 of the SSN, and so on.

If a user changes their email on your side, Enterprise customers can send a POST request to the Core API /cardholders endpoint to update the Apto database.

If you have already completed KYC on your users, or if you are intending to do so, Apto can work with our issuing bank to honor your Customer Identification Program through an Enterprise card program.

In order to comply with CIP standards and record retention laws, Apto will maintain records of all customer identity related information for five years after account closure.

Business verification (KYB)

In corporate card programs, Apto is required to conduct a Know Your Business (KYB) process to verify information about the business being issued cards. The individual cardholders— employees who will ultimately use the cards—act on behalf of this KYB verification without having to submit their own KYC documentation for review.

We will define the KYB requirements of your card program during implementation.

Sanctions compliance screening

In addition to customer identity verification, Apto screens customers against watch lists (including OFAC) and sanctions lists at account opening and daily thereafter. Apto utilizes multiple verification providers to conduct the screening and leverages their automated list updates to ensure ongoing screening is always conducted against the most up-to-date lists.