Compliance posture

Sanctions screening (Plan-5) and merchant KYB (Plan-8) — what's live, what's pending, what flips at mainnet.

Arcora has two compliance layers. Both are off-chain by design — on-chain blocklists are gas-expensive, slow, and bypass the merchant relationship. Card processors work the same way.

Sanctions screening (Plan-5)

Live in shadow mode on testnet. Two checkpoints:

  1. POST /api/invoices — when a merchant creates an invoice, Arcora screens the merchant's payout address (flow=merchant_payout).
  2. POST /api/checkout/authorize — when a customer connects their wallet at the hosted checkout, Arcora screens the customer's address (flow=customer_pay) before the Pay button is enabled.

Provider adapters

Three implementations behind one interface:

  • NoopProvider — always low. Default on testnet; nothing is blocked.
  • EllipticProvider — Elliptic Lens API.
  • TRMLabsProvider — TRM Labs Forensics API.

Selection via env (COMPLIANCE_PROVIDER=noop|elliptic|trmlabs). At mainnet T-0, flip to a real adapter and provide the API key — no code change.

Decision matrix

  Risk        Decision   UI
  low         allow      Pay button enabled
  medium      review     Disabled; review banner with ticketId, merchant gets a compliance.review_queued webhook
  high        reject     Disabled; neutral "this wallet can't be used" copy
  sanctions   reject     Same. Internal log records the OFAC/EU list match.

Cache + retention

  • Read-through cache by (address, flow). TTL 24h on stable risk, 1h on customer_pay flows in Phase 2+.
  • compliance_screenings audit table retains every screen. Sanctions hits 7 years; non-flagged 13 months.
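The provider selection, decision matrix and read-through cache described above, as an added TypeScript example (not Arcora's own code). NoopProvider, the COMPLIANCE_PROVIDER values, the flows and the TTLs come from the page; stubListProvider, screeningService, COMPLIANCE_API_KEY and the sample addresses are assumptions.

```typescript
// Added example, not Arcora's code: provider interface, env selection,
// read-through cache keyed by (address, flow), decision matrix. Names assumed.
type Risk = "low" | "medium" | "high" | "sanctions";
type Decision = "allow" | "review" | "reject";
type Flow = "merchant_payout" | "customer_pay";
interface ScreeningProvider { screen(address: string, flow: Flow): Risk; }
type ScreenResult = { risk: Risk; decision: Decision; payEnabled: boolean; cached: boolean };

// NoopProvider: always low, so nothing is blocked (the testnet default).
const NoopProvider: ScreeningProvider = { screen: () => "low" };

// Constructed sample addresses for the stub below; not real indicators.
const CONSTRUCTED_HITS: Record<string, Risk> = {
  "0xaaaa0000000000000000000000000000000000a1": "sanctions",
  "0xbbbb0000000000000000000000000000000000b2": "medium",
};
// Stand-in for a real adapter (Elliptic / TRM Labs): a local hit list replaces the vendor API.
const stubListProvider = (hits: Record<string, Risk>): ScreeningProvider =>
  ({ screen: (address) => hits[address.toLowerCase()] ?? "low" });

// COMPLIANCE_PROVIDER=noop|elliptic|trmlabs is from the page;
// COMPLIANCE_API_KEY is a hypothetical name for the key a real adapter needs.
function providerFromEnv(env: Record<string, string | undefined>): ScreeningProvider {
  const name = env.COMPLIANCE_PROVIDER ?? "noop";
  if (name === "noop") return NoopProvider;
  if (name !== "elliptic" && name !== "trmlabs") throw new Error(`unknown COMPLIANCE_PROVIDER: ${name}`);
  if (!env.COMPLIANCE_API_KEY) throw new Error(`${name} selected but COMPLIANCE_API_KEY is unset`);
  return stubListProvider(CONSTRUCTED_HITS); // the real vendor client would be built here
}

// Decision matrix: medium goes to review; high and sanctions are rejected.
const DECISION: Record<Risk, Decision> = { low: "allow", medium: "review", high: "reject", sanctions: "reject" };
// Cache TTL: 24h by default, 1h on customer_pay.
const ttlMs = (flow: Flow): number => (flow === "customer_pay" ? 3_600_000 : 86_400_000);

// Read-through cache in front of the provider; `now` is injectable for tests.
function screeningService(provider: ScreeningProvider, now: () => number = Date.now) {
  const cache = new Map<string, { risk: Risk; expiresAt: number }>();
  return {
    screen(address: string, flow: Flow): ScreenResult {
      const key = `${flow}:${address.toLowerCase()}`;
      const hit = cache.get(key);
      let risk: Risk, cached = false;
      if (hit && hit.expiresAt > now()) { risk = hit.risk; cached = true; }
      else { risk = provider.screen(address, flow); cache.set(key, { risk, expiresAt: now() + ttlMs(flow) }); }
      return { risk, decision: DECISION[risk], payEnabled: DECISION[risk] === "allow", cached }; // Pay only on allow
    },
  };
}
```

Selecting a real adapter without a key fails at startup rather than silently falling back to noop, which is the property to check before the mainnet flip.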

Merchant KYB (Plan-8)

Spec'd, not yet built. Two-track strategy:

  • ManualKybProvider (today, $0) — daily cron pulls free OFAC SDN + EU Consolidated lists into Postgres; entity + UBO names checked via pg_trgm; doc upload to Vercel Blob; ops manual review on /m/admin/kyb.
  • PersonaProvider (post-revenue) — Persona's Cases API, automated UBO + sanctions, HMAC-signed webhooks. Free unlimited sandbox, production billing per verification.

Adapter swap is env-flip, no code change.

Workflow

entity form → vendor session → green / yellow / red
  green → Plan-5 payout screen → ToS sign → on-chain registerMerchant → active
  yellow / red → /m/admin/kyb queue → ops decision → approved or rejected

Jurisdictions

  • OFAC + EU sanctions lists day-one. UN/UK optional via vendor flag.
  • TR-incorporated merchants rejected at the policy layer — domestic crypto-payment ban as of 2026. TR-resident UBOs of non-TR entities still get screened normally.

Reporting a suspected issue

compliance@arcorapay.xyz. We aim to respond within 24 hours. See SECURITY.md for security disclosures.