
Customer Identification Program

How PayServices Bank verifies the identity of every person who opens an account, in accordance with section 326 of the USA PATRIOT Act, 31 CFR § 1020.220, and applicable Idaho law.

Last updated: May 5, 2026
This document is provided in English. Translations of other parts of the site are for convenience only; the English version governs.

1. Overview

This Notice explains PayServices Bank's Customer Identification Program ("CIP"), established and maintained in accordance with section 326 of the USA PATRIOT Act, 31 U.S.C. § 5318(l), and its implementing regulations at 31 CFR § 1020.220 (for banks) and Idaho law. The CIP is a foundational element of PayServices Bank's anti-money-laundering and counter-terrorist-financing compliance program.

2. Required federal notice

IMPORTANT INFORMATION ABOUT PROCEDURES FOR OPENING A NEW ACCOUNT. To help the government fight the funding of terrorism and money laundering activities, federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account.

What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver's license or other identifying documents.

This notice is the form prescribed by the regulators for use by U.S. banks under 31 CFR § 1020.220(a)(5). It is provided to you in connection with the opening of every new account at PayServices Bank.

3. Information we collect

For each customer who opens an account, we collect, at minimum:

  • Name — full legal name;
  • Date of birth — for individuals;
  • Address — residential or business street address (or, where appropriate, a U.S. Army Post Office or Fleet Post Office address; an Indian reservation address; or, for non-U.S. persons, a residential or business street address in their country of residence);
  • Identification number — for U.S. persons, a Taxpayer Identification Number ("TIN") (Social Security Number, Individual Taxpayer Identification Number, or Employer Identification Number); for non-U.S. persons, a passport number and country of issuance, or other government-issued identification number bearing a photograph or similar safeguard.

For accounts opened by legal entities, we collect additional information about the entity and its beneficial owners, as described in the Beneficial Ownership Disclosure.

4. How we verify your identity

We use a risk-based combination of documentary and non-documentary methods to verify your identity, as required by 31 CFR § 1020.220(a)(2)(ii):

  • Documentary verification — review of unexpired government-issued identification bearing a photograph or similar safeguard, such as a driver's license, passport, or national identity card. For business accounts, we additionally review formation documents, certificates of good standing, or equivalent. We may use trusted third-party identity-verification providers to capture and authenticate identification documents (including by document-image authentication and biometric face-match).
  • Video identity declaration — as part of account opening, you are required to record a short video in which you verbally declare your identity. The declaration is prompted by a script displayed in the ITAM application and must be made in real time; pre-recorded videos are not accepted. The video is analyzed using facial recognition to confirm that the person speaking matches the identity document provided, and to detect whether the same face has been used to open other accounts. This step confirms your identity through real-time biometric and behavioral verification and forms part of our records under 31 CFR § 1020.220.
  • Non-documentary verification — comparison of the information you provide with information obtained from consumer reporting agencies, public databases, or other reputable sources; checks for the logical consistency of identifying information; and other procedures appropriate to the level of risk.
  • Additional procedures for higher-risk circumstances, including politically exposed persons, customers in higher-risk jurisdictions, and accounts where the customer cannot be physically present.

5. Monitoring tiers and what moves an account between them

PayServices Bank's written BSA/AML program, required under 31 U.S.C. § 5318(h) and 31 CFR § 1020.201, organizes accounts into three monitoring tiers. The tiers describe the intensity of ongoing transaction monitoring applied to an account — they are not a judgment about the Member. Every account opens at Tier 1. Tier assignment changes only when transaction activity on the account itself meets one or more of the statutory triggers described below.

We do not use declared account purpose as a factor. A Member's stated intention at account opening is not a meaningful compliance input because it can change at any time without notice. Under our program, every transaction is evaluated on its own facts, as required by 31 CFR § 1020.320(a)(2)(iii), which asks whether a transaction "has no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage." That evaluation is transactional, not declaratory.

Tier 1 — Standard monitoring

All accounts open at Tier 1. Standard monitoring applies automated transaction screening against the three SAR triggers in 31 CFR § 1020.320(a)(2) and Currency Transaction Report (CTR) requirements under 31 CFR § 1010.311 for cash transactions exceeding $10,000. No additional documentation is requested at opening or during normal account operation at this tier.

What moves an account to Tier 2

An account is elevated to Tier 2 — enhanced monitoring — when automated or manual review detects either a SAR trigger under 31 CFR § 1020.320(a)(2) or a sanctions-match event under 31 U.S.C. § 5318(l) and applicable OFAC regulations.

SAR triggers (31 CFR § 1020.320(a)(2)):

  • Illegal-activity indicator (§ 1020.320(a)(2)(i)): the transaction involves funds that appear to be derived from illegal activities, or appears intended to hide or disguise funds or assets derived from illegal activities — including concealing their ownership, nature, source, location, or control — as part of a plan to violate or evade any federal law or regulation or to avoid any transaction reporting requirement;
  • BSA-evasion indicator (§ 1020.320(a)(2)(ii)): the transaction appears designed to evade any requirement under 31 CFR Chapter X or any other regulation promulgated under the Bank Secrecy Act, including structuring under 31 CFR § 1010.314; or
  • No-apparent-lawful-purpose indicator (§ 1020.320(a)(2)(iii)): the transaction has no business or apparent lawful purpose or is not the sort in which the particular customer would normally be expected to engage, and we know of no reasonable explanation for the transaction after examining the available facts, including the background and possible purpose of the transaction.

Elevation via a SAR trigger activates enhanced monitoring and a mandatory SAR evaluation. Under 31 CFR § 1020.320(b)(3), a SAR must be filed within 30 calendar days of detection. We may contact the Member in-app to obtain facts needed to resolve the evaluation. We are prohibited by 31 U.S.C. § 5318(g)(2) from disclosing to the Member whether a SAR has been filed.

Sanctions-match trigger (31 U.S.C. § 5318(l); OFAC regulations):

A transaction or the account holder themselves matches a designation on a sanctions list administered by OFAC or another authority to which we are subject. Because sanctions programs are jurisdiction-specific, a match does not automatically block every transaction on the account — it blocks only transactions within the scope of the program under which the designation was made. Every transaction is evaluated on its own facts: the parties, the corridor, the currency, and the applicable sanctions program. OFAC blocking or rejection reports are filed as required. The transaction-by-transaction evaluation standard is described in Terms of Service, Section 3.

Elevation via a sanctions match activates enhanced monitoring of transactions involving the same parties or corridors, and triggers any mandatory OFAC reporting. We may be legally prohibited from disclosing the reason a specific transaction was blocked if doing so would reveal the existence of a regulatory filing.

What moves an account to Tier 3

An account is elevated to Tier 3 — intensive monitoring and senior review — when the pattern of activity presents ongoing or repeated SAR or sanctions triggers that cannot be resolved through a single evaluation cycle, or when the volume and frequency of indicators require sustained monitoring beyond what the standard Tier 2 process provides. Tier 3 involves periodic re-review by senior compliance staff and, where necessary, direct engagement with the Member. If the pattern cannot be resolved, we may limit account functionality or close the account in accordance with Section 18 of the Terms of Service.

Moving back down — how tier elevation ends

Tier elevation is not permanent. Under 31 CFR § 1020.201(b)(1)(v)(B), customer information must be maintained and updated "on a risk basis," which means tier assignments are reviewed and revised when the underlying basis changes. An account returns to a lower tier when the condition that caused elevation is resolved:

  • SAR trigger resolved: the evaluation completes — a SAR is filed and no continuing pattern is detected, or a reasonable explanation is confirmed and no SAR is required. Monitoring returns to Tier 1.
  • Sanctions match resolved: the specific transaction was blocked and reported as required, subsequent transactions involving the same parties or corridors show no further matches, and no ongoing pattern is detected. The account returns to Tier 1 for transactions outside the scope of the applicable sanctions program.
  • Tier 3 pattern resolved: a sustained period without new triggers passes and senior compliance review confirms the pattern is no longer active. The account steps down to Tier 2 first, then to Tier 1 if the Tier 2 evaluation also closes cleanly.

If your account has been elevated and you believe the underlying basis no longer exists, contact us through the in-app compliance channel (Account → Help → Compliance question). We will review the account and explain, to the extent permitted by law, what information we need to close the evaluation.

What this means for you. Tier assignment is driven entirely by what happens on your account — not by who you are. The overwhelming majority of Members remain at Tier 1 throughout their relationship with ITAM. If your account is elevated, you will receive a clear in-app explanation of what we need and why. Tier elevation is reviewable and reversible.

6. How account profiles are built

31 CFR § 1020.201(b)(1)(v)(A) requires our AML program to include procedures for "understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile." This is a mandatory element of a written BSA/AML program — not examiner preference. The profile is also the operational prerequisite for applying the third SAR trigger correctly: 31 CFR § 1020.320(a)(2)(iii) requires us to assess whether a transaction is "not the sort in which the particular customer would normally be expected to engage." Without an account-level baseline, that assessment cannot be made accurately.

What the profile consists of

We do not ask Members to declare how they intend to use their account. A stated intention at opening can change at any time and is not a reliable compliance input. Instead, every account profile is built from two sources that are grounded in verifiable facts:

  • CIP data collected at opening — the customer's full legal name, date of birth, address, and identification number collected under 31 CFR § 1020.220, together with the account type (personal or business) and the Member's country of residence as established during identity verification. These facts establish the account category and inform what transaction patterns are plausible for that category.
  • Observed transaction history — the actual pattern of transactions that develops on the account over time: amounts, frequency, counterparties, corridors, and transaction types. This is the primary source. It is built from what the Member actually does, not from what they said they would do.

How the profile feeds the monitoring system

The profile is the baseline used by our transaction-monitoring system to evaluate each new transaction against the third SAR trigger. A transaction is flagged for SAR evaluation when it deviates materially from the established pattern for that specific account in a way that produces no apparent lawful explanation from the available facts. The profile is therefore never static — it updates continuously as transaction history accumulates, and it is account-specific rather than derived from a generic peer-group average.

This approach satisfies the 31 CFR § 1020.201(b)(1)(v)(A) profile requirement without requiring a declared-purpose questionnaire, and it produces a more reliable baseline for the third SAR trigger than a declaration would, because it reflects what actually happens on the account rather than what a Member anticipated at opening.

No profile data is shared. The account profile is an internal compliance tool. It is not shared with other Members, third parties, or the PayServices Network. It is accessible only to authorized PayServices Bank compliance staff and to competent authorities on lawful request.

7. Watchlist screening

For each customer, we screen the customer's identifying information against the lists of known or suspected terrorists, sanctioned persons, and other restricted parties maintained by the U.S. Treasury Office of Foreign Assets Control ("OFAC"), the United Nations, and other competent authorities. Screening is performed at account opening and on an ongoing basis as required by 31 U.S.C. § 5318(l). Where a screening match is identified, we follow the applicable regulatory procedure, which may include freezing of property, blocking of transactions, or reporting to FinCEN, OFAC, or another competent authority.

Inclusion on a sanctions list does not in itself prohibit use of ITAM. Sanctions regimes are jurisdiction-specific: a person may be designated under one OFAC program but not another, and each program defines precisely which transactions it covers. The compliance status of each transaction is evaluated on its specific facts — the identity of the parties, the counterparty jurisdiction, the currency corridor, and the applicable sanctions program. Access to specific transaction types is limited only where required by an applicable sanctions regime. This transaction-by-transaction standard is described in Terms of Service, Section 3.

A sanctions match on a transaction is a trigger for Tier 2 elevation as described in Section 5. Tier elevation resulting from a sanctions match is reversible when the specific transaction is resolved and no continuing pattern is detected — the conditions for returning to Tier 1 are set out in Section 5.

8. Recordkeeping

We maintain records of the identifying information you provide and the methods we used to verify it, for the period required by law (generally five years after an account is closed). These records are protected by appropriate security measures and are accessible only to authorized PayServices Bank personnel and competent authorities.

9. If we cannot verify your identity

If we cannot reasonably verify your identity through the methods described above, we will not open the account, will close any account that has been opened, or will limit the account's functionality until verification can be completed, in accordance with our written CIP. We will provide you with a clear explanation in such cases, and where possible, an opportunity to provide additional information or documentation.

10. What federal law requires — individual, business, and government accounts

The following is a precise statement of what U.S. federal law mandates for each account type. It is grounded in the Bank Secrecy Act (31 U.S.C. §§ 5311–5336), its implementing regulations in 31 CFR Chapter X, and the 2016 FinCEN Customer Due Diligence Rule (81 FR 29397). Nothing beyond what the law requires is stated here as a legal obligation.

Individual accounts (natural persons)

For a natural person opening an account on their own behalf, four requirements apply under federal law:

  1. Identity verification (31 CFR § 1020.220 — CIP). We must collect, at minimum, the customer's full legal name, date of birth, address, and identification number, and verify that information through documentary or non-documentary methods, as described in Section 3 and Section 4 of this notice.
  2. Watchlist screening (31 U.S.C. § 5318(l); OFAC regulations). We must screen the customer's identity against applicable sanctions lists before opening the account and on an ongoing basis.
  3. Developing a customer risk profile (31 CFR § 1020.201(b)(1)(v)(A)). Our AML program must include procedures for understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile. FinCEN's 2016 CDD Rule preamble makes clear this does not require a declared-purpose questionnaire; the profile may be inferred from the customer type, the account type, and observed transaction activity.
  4. Ongoing transaction monitoring and SAR filing (31 CFR §§ 1020.201(b)(1)(v)(B) and 1020.320). We must maintain ongoing monitoring sufficient to identify and report suspicious transactions. A SAR is mandatory whenever a transaction of $5,000 or more meets any of the three triggers in 31 CFR § 1020.320(a)(2): involvement of funds from illegal activity, design to evade BSA requirements, or no apparent lawful purpose with no reasonable explanation available after examining the facts. The SAR must be filed within 30 calendar days of detection (31 CFR § 1020.320(b)(3)).

There is no requirement in U.S. federal law for source-of-funds documentation at onboarding for individual accounts, no requirement for a declared account purpose, and no statutory definition of or mandatory screening obligation for politically exposed persons on domestic individual accounts. Any such steps, if taken, are bank-policy decisions, not legal mandates.

Business accounts (legal entity customers)

For a corporation, limited liability company, general partnership, or other entity created by the filing of a public document with a Secretary of State or equivalent office — defined as a "legal entity customer" under 31 CFR § 1010.230(e)(1) — the four individual-account requirements above all apply, plus one additional requirement:

  5. Beneficial ownership identification and verification (31 CFR § 1010.230). We must identify and verify, at the time a new account is opened: (a) under the ownership prong, each individual who directly or indirectly owns 25% or more of the equity interests of the entity (up to four individuals); and (b) under the control prong, a single individual with significant responsibility to control, manage, or direct the entity — such as a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, or President, or any individual who regularly performs equivalent functions. We may rely on a certification from the person opening the account, provided we have no knowledge of facts that would call its reliability into question. Records of beneficial ownership information must be retained for five years after account closure (31 CFR § 1010.230(i)).

The following entities are excluded from the legal entity customer definition and therefore exempt from the beneficial ownership requirement under 31 CFR § 1010.230(e)(2): federally regulated financial institutions; SEC-registered entities; publicly listed companies on U.S. exchanges; state-regulated insurance companies; registered investment advisers; nonprofit corporations or similar entities that have filed organizational documents with the appropriate state authority; and certain other enumerated entities. Sole proprietorships, unincorporated associations, and trusts (other than statutory trusts) are also excluded per FinCEN FAQ guidance.

Government accounts

U.S. federal, state, local, tribal, and territorial government departments, agencies, and political subdivisions that open accounts in their governmental (non-commercial) capacity are excluded from the definition of "legal entity customer" under 31 CFR § 1010.230(e)(2)(i) and (xv). Accordingly, the beneficial ownership identification requirement (item 5 above) does not apply to such accounts.

The four individual-account requirements (CIP identity verification, watchlist screening, customer risk profile development, and ongoing SAR-threshold monitoring) continue to apply to government accounts to the extent required by 31 CFR § 1020.220 and § 1020.320 and our AML program under 31 CFR § 1020.201. Government accounts are not automatically exempt from SAR filing obligations; a transaction on a government account that meets the triggers in 31 CFR § 1020.320(a)(2) must still be reported.

Non-U.S. government departments, agencies, or political subdivisions that engage only in governmental rather than commercial activities are similarly excluded from the beneficial ownership requirement under 31 CFR § 1010.230(e)(2)(xv). Non-U.S. government entities that engage in commercial activities are treated as legal entity customers and are subject to the full beneficial ownership requirement.

Reporting and information sharing

Where ongoing monitoring identifies activity meeting the SAR triggers, we file a Suspicious Activity Report with FinCEN in accordance with 31 CFR § 1020.320 and 12 CFR Part 353. Federal law (31 U.S.C. § 5318(g)(2)) prohibits us from notifying any person involved in a reported transaction of the existence or contents of a SAR. Where suspicious activity continues after an initial SAR is filed, we file continuing SARs at 90-day intervals for as long as the activity continues, in accordance with FinCEN guidance. We also participate in voluntary information sharing under Section 314(b) of the USA PATRIOT Act (31 CFR § 1010.540) and respond to FinCEN information requests under Section 314(a). Currency transactions exceeding $10,000 are reported on a Currency Transaction Report (CTR) under 31 CFR § 1010.311. The legal consequences for your account of these reporting obligations are described in Terms of Service, Section 14 and Section 18.

11. Additional information for international correspondent banking

Where PayServices Bank establishes or maintains a correspondent account for a foreign financial institution, additional procedures apply under sections 312 and 313 of the USA PATRIOT Act (31 U.S.C. §§ 5318(i), 5318(j)) and 31 CFR § 1010.610. Counterparties on the PayServices Network are required to provide enhanced due-diligence information, including beneficial-ownership information and certifications regarding shell-bank prohibitions.

12. Contact us

PayServices Bank — Compliance
950 W Bannock Street, Suite 1100
Boise, Idaho 83702-6140
United States

info@payservices.com


What the profile consists of

We do not ask Members to declare how they intend to use their account. A stated intention at opening can change at any time and is not a reliable compliance input. Instead, every account profile is built from two sources that are grounded in verifiable facts:

  • CIP data collected at opening — the customer's full legal name, date of birth, address, and identification number collected under 31 CFR § 1020.220, together with the account type (personal or business) and the Member's country of residence as established during identity verification. These facts establish the account category and inform what transaction patterns are plausible for that category.
  • Observed transaction history — the actual pattern of transactions that develops on the account over time: amounts, frequency, counterparties, corridors, and transaction types. This is the primary source. It is built from what the Member actually does, not from what they said they would do.

How the profile feeds the monitoring system

The profile is the baseline used by our transaction-monitoring system to evaluate each new transaction against the third SAR trigger. A transaction is flagged for SAR evaluation when it deviates materially from the established pattern for that specific account in a way that produces no apparent lawful explanation from the available facts. The profile is therefore never static — it updates continuously as transaction history accumulates, and it is account-specific rather than derived from a generic peer-group average.

This approach satisfies the 31 CFR § 1020.201(b)(1)(v)(A) profile requirement without requiring a declared-purpose questionnaire, and it produces a more reliable baseline for the third SAR trigger than a declaration would, because it reflects what actually happens on the account rather than what a Member anticipated at opening.

No profile data is shared. The account profile is an internal compliance tool. It is not shared with other Members, third parties, or the PayServices Network. It is accessible only to authorized PayServices Bank compliance staff and to competent authorities on lawful request.

7. Watchlist screening

For each customer, we screen the customer's identifying information against the lists of known or suspected terrorists, sanctioned persons, and other restricted parties maintained by the U.S. Treasury Office of Foreign Assets Control ("OFAC"), the United Nations, and other competent authorities. Screening is performed at account opening and on an ongoing basis as required by 31 U.S.C. § 5318(l). Where a screening match is identified, we follow the applicable regulatory procedure, which may include freezing of property, blocking of transactions, or reporting to FinCEN, OFAC, or another competent authority.

Inclusion on a sanctions list does not in itself prohibit use of ITAM. Sanctions regimes are jurisdiction-specific: a person may be designated under one OFAC program but not another, and each program defines precisely which transactions it covers. The compliance status of each transaction is evaluated on its specific facts — the identity of the parties, the counterparty jurisdiction, the currency corridor, and the applicable sanctions program. Access to specific transaction types is limited only where required by an applicable sanctions regime. This transaction-by-transaction standard is described in Terms of Service, Section 3.

A sanctions match on a transaction is a trigger for Tier 2 elevation as described in Section 5. Tier elevation resulting from a sanctions match is reversible when the specific transaction is resolved and no continuing pattern is detected — the conditions for returning to Tier 1 are set out in Section 5.

8. Recordkeeping

We maintain records of the identifying information you provide and the methods we used to verify it, for the period required by law (generally five years after an account is closed). These records are protected by appropriate security measures and are accessible only to authorized PayServices Bank personnel and competent authorities.

9. If we cannot verify your identity

If we cannot reasonably verify your identity through the methods described above, we will not open the account, will close any account that has been opened, or will limit the account's functionality until verification can be completed, in accordance with our written CIP. We will provide you with a clear explanation in such cases, and where possible, an opportunity to provide additional information or documentation.

10. What federal law requires — individual, business, and government accounts

The following is a precise statement of what U.S. federal law mandates for each account type. It is grounded in the Bank Secrecy Act (31 U.S.C. §§ 5311–5336), its implementing regulations in 31 CFR Chapter X, and the 2016 FinCEN Customer Due Diligence Rule (81 FR 29397). Nothing beyond what the law requires is stated here as a legal obligation.

Individual accounts (natural persons)

For a natural person opening an account on their own behalf, four requirements apply under federal law:

  1. Identity verification (31 CFR § 1020.220 — CIP). We must collect, at minimum, the customer's full legal name, date of birth, address, and identification number, and verify that information through documentary or non-documentary methods, as described in Section 3 and Section 4 of this notice.
  2. Watchlist screening (31 U.S.C. § 5318(l); OFAC regulations). We must screen the customer's identity against applicable sanctions lists before opening the account and on an ongoing basis.
  3. Developing a customer risk profile (31 CFR § 1020.201(b)(1)(v)(A)). Our AML program must include procedures for understanding the nature and purpose of customer relationships for the purpose of developing a customer risk profile. FinCEN's 2016 CDD Rule preamble makes clear this does not require a declared-purpose questionnaire; the profile may be inferred from the customer type, the account type, and observed transaction activity.
  4. Ongoing transaction monitoring and SAR filing (31 CFR §§ 1020.201(b)(1)(v)(B) and 1020.320). We must maintain ongoing monitoring sufficient to identify and report suspicious transactions. A SAR is mandatory whenever a transaction of $5,000 or more meets any of the three triggers in 31 CFR § 1020.320(a)(2): involvement of funds from illegal activity, design to evade BSA requirements, or no apparent lawful purpose with no reasonable explanation available after examining the facts. The SAR must be filed within 30 calendar days of detection (31 CFR § 1020.320(b)(3)).

There is no requirement in U.S. federal law for source-of-funds documentation at onboarding for individual accounts, no requirement for a declared account purpose, and no statutory definition of or mandatory screening obligation for politically exposed persons on domestic individual accounts. Any such steps, if taken, are bank-policy decisions, not legal mandates.

Business accounts (legal entity customers)

For a corporation, limited liability company, general partnership, or other entity created by the filing of a public document with a Secretary of State or equivalent office — defined as a "legal entity customer" under 31 CFR § 1010.230(e)(1) — the four individual-account requirements above all apply, plus one additional requirement:

  5. Beneficial ownership identification and verification (31 CFR § 1010.230). We must identify and verify, at the time a new account is opened: (a) under the ownership prong, each individual who directly or indirectly owns 25% or more of the equity interests of the entity (up to four individuals); and (b) under the control prong, a single individual with significant responsibility to control, manage, or direct the entity — such as a Chief Executive Officer, Chief Financial Officer, Chief Operating Officer, or President, or any individual who regularly performs equivalent functions. We may rely on a certification from the person opening the account, provided we have no knowledge of facts that would call its reliability into question. Records of beneficial ownership information must be retained for five years after account closure (31 CFR § 1010.230(i)).

The following entities are excluded from the legal entity customer definition and therefore exempt from the beneficial ownership requirement under 31 CFR § 1010.230(e)(2): federally regulated financial institutions; SEC-registered entities; publicly listed companies on U.S. exchanges; state-regulated insurance companies; registered investment advisers; nonprofit corporations or similar entities that have filed organizational documents with the appropriate state authority; and certain other enumerated entities. Sole proprietorships, unincorporated associations, and trusts (other than statutory trusts) are also excluded per FinCEN FAQ guidance.

Government accounts

U.S. federal, state, local, tribal, and territorial government departments, agencies, and political subdivisions that open accounts in their governmental (non-commercial) capacity are excluded from the definition of "legal entity customer" under 31 CFR § 1010.230(e)(2)(i) and (xv). Accordingly, the beneficial ownership identification requirement (item 5 above) does not apply to such accounts.

The four individual-account requirements (CIP identity verification, watchlist screening, customer risk profile development, and ongoing SAR-threshold monitoring) continue to apply to government accounts to the extent required by 31 CFR § 1020.220 and § 1020.320 and our AML program under 31 CFR § 1020.201. Government accounts are not automatically exempt from SAR filing obligations; a transaction on a government account that meets the triggers in 31 CFR § 1020.320(a)(2) must still be reported.

Non-U.S. government departments, agencies, or political subdivisions that engage only in governmental rather than commercial activities are similarly excluded from the beneficial ownership requirement under 31 CFR § 1010.230(e)(2)(xv). Non-U.S. government entities that engage in commercial activities are treated as legal entity customers and are subject to the full beneficial ownership requirement.

Reporting and information sharing

Where ongoing monitoring identifies activity meeting the SAR triggers, we file a Suspicious Activity Report with FinCEN in accordance with 31 CFR § 1020.320 and 12 CFR Part 353. Federal law (31 U.S.C. § 5318(g)(2)) prohibits us from notifying any person involved in a reported transaction of the existence or contents of a SAR. Where suspicious activity continues after an initial SAR is filed, we file continuing SARs at 90-day intervals for as long as the activity continues, in accordance with FinCEN guidance. We also participate in voluntary information sharing under Section 314(b) of the USA PATRIOT Act (31 CFR § 1010.540) and respond to FinCEN information requests under Section 314(a). Currency transactions exceeding $10,000 are reported on a Currency Transaction Report (CTR) under 31 CFR § 1010.311. The legal consequences for your account of these reporting obligations are described in Terms of Service, Section 14 and Section 18.

11. Additional information for international correspondent banking

Where PayServices Bank establishes or maintains a correspondent account for a foreign financial institution, additional procedures apply under sections 312 and 313 of the USA PATRIOT Act (31 U.S.C. §§ 5318(i), 5318(j)) and 31 CFR § 1010.610. Counterparties on the PayServices Network are required to provide enhanced due-diligence information, including beneficial-ownership information and certifications regarding shell-bank prohibitions.

12. Contact us

PayServices Bank — Compliance
950 W Bannock Street, Suite 1100
Boise, Idaho 83702-6140
United States

info@payservices.com