Compliance Configuration

Applies to: PayPlus Enterprise v3.2
Last updated: March 2026

Mandatory Compliance Controls: OFAC screening and BSA Travel Rule compliance are mandatory for all US financial institutions processing payments. You cannot disable these controls in a production environment. All changes to compliance rules require your BSA/Compliance Officer's approval — log each change in your change management system.

OFAC Sanctions Screening

PayPlus Enterprise performs mandatory OFAC screening on every outgoing payment before submission to the payment network. Screening checks the payment against the OFAC Specially Designated Nationals (SDN) List and applicable country-level sanctions programs. For instant payment rails (RTP, FedNow), screening must complete within seconds — PayPlus uses an in-memory screening engine to meet real-time processing requirements.

Screening Engine Configuration

Navigate to Administration > Compliance > OFAC Screening.

| Parameter | Description | Recommended Value |
| --- | --- | --- |
| ofac.screening.enabled | Master switch for OFAC screening. Cannot be set to false in production environments — the system will refuse to start with screening disabled. | true (mandatory) |
| ofac.list.update.mode | How OFAC lists are updated: AUTOMATIC (PayPlus polls OFAC SDN API daily) or MANUAL (administrator uploads updated list file). | AUTOMATIC |
| ofac.list.update.time | Time of day (UTC) for automatic SDN list update. OFAC updates lists weekdays; schedule during low-traffic hours. | 02:00 |
| ofac.match.threshold | Fuzzy match score (0–100) above which a name match is treated as a Possible Match and routed to compliance hold. Lower values reduce false negatives but increase false positive hold volume. | 85 |
| ofac.exact.match.action | Action when an exact SDN match is found: HOLD (route to compliance hold for officer review) or BLOCK (automatically reject payment). | HOLD (recommended — exact blocking without human review creates legal risk) |
| ofac.possible.match.action | Action for fuzzy possible matches above the match threshold. | HOLD |
| ofac.screen.fields | Payment fields screened against OFAC lists. Comma-separated list. Always include originator name, beneficiary name, and intermediary bank. | originator.name,originator.address,beneficiary.name,beneficiary.address,intermediary.name |
| ofac.timeout.action | Action if the screening engine does not respond within the timeout window. HOLD (route to compliance hold) is required for instant payments; BLOCK is not recommended (would block all payments during outage). | HOLD |
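
One way to check exported settings against the table above, as an added example that is not PayPlus code. It assumes the ofac.* parameters can be exported as key=value text, which this page does not document; the FAIL/WARN severities are this example's own labels.

```python
# Added example, not PayPlus code. Assumption: the ofac.* settings can be
# exported as key=value text; the page does not document an export format.
REQUIRED_FIELDS = {"originator.name", "beneficiary.name", "intermediary.name"}

# Constructed sample with four deliberate deviations from the table above.
SAMPLE = """\
ofac.screening.enabled=true
ofac.list.update.mode=AUTOMATIC
ofac.match.threshold=92
ofac.exact.match.action=BLOCK
ofac.possible.match.action=HOLD
ofac.screen.fields=originator.name,beneficiary.name,beneficiary.address
ofac.timeout.action=BLOCK
"""

def parse_settings(text):
    """Parse key=value lines, skipping blanks and # comments."""
    pairs = (ln.split("=", 1) for ln in text.splitlines()
             if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit_ofac(cfg):
    """Return (severity, key, message) findings; an empty list means no deviation."""
    out = []
    if cfg.get("ofac.screening.enabled", "").lower() != "true":
        out.append(("FAIL", "ofac.screening.enabled", "must be true in production"))
    if cfg.get("ofac.timeout.action") != "HOLD":
        out.append(("FAIL", "ofac.timeout.action", "HOLD is required for instant payments"))
    fields = {f.strip() for f in cfg.get("ofac.screen.fields", "").split(",")}
    missing = sorted(REQUIRED_FIELDS - fields)
    if missing:
        out.append(("FAIL", "ofac.screen.fields", "missing " + ",".join(missing)))
    try:
        threshold = float(cfg.get("ofac.match.threshold", ""))
    except ValueError:
        threshold = -1.0  # forces the range check below to fail
    if not 0 <= threshold <= 100:
        out.append(("FAIL", "ofac.match.threshold", "must be a number from 0 to 100"))
    elif threshold > 85:
        out.append(("WARN", "ofac.match.threshold", "above recommended 85: more false negatives"))
    exact = cfg.get("ofac.exact.match.action")
    if exact == "BLOCK":
        out.append(("WARN", "ofac.exact.match.action", "BLOCK skips officer review"))
    elif exact != "HOLD":
        out.append(("FAIL", "ofac.exact.match.action", "must be HOLD or BLOCK"))
    if cfg.get("ofac.possible.match.action") != "HOLD":
        out.append(("WARN", "ofac.possible.match.action", "recommended value is HOLD"))
    return out
```

Calling audit_ofac(parse_settings(SAMPLE)) reports the timeout action and the missing intermediary.name field as failures, and the raised threshold and automatic blocking as warnings.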

Sanctions List Management

PayPlus screens against the following OFAC-maintained lists (updated automatically when ofac.list.update.mode = AUTOMATIC):

To manually upload an updated OFAC list (if using MANUAL update mode): Navigate to Administration > Compliance > List Management > Upload OFAC List. Upload the OFAC-provided XML file. PayPlus validates the file format, imports the list, and logs the update in the audit trail.

List Currency Requirement: OFAC sanctions lists must be updated at minimum daily. If automatic updates are configured, verify that the last successful update timestamp (shown in Administration > Compliance > List Status) is within the past 24 hours. Stale list alerts are generated if no update has occurred within 48 hours.

Hold Queue Management

Payments routed to compliance hold appear in the OFAC Hold Queue, accessible to Compliance Officers at Compliance > Hold Queue. Each held payment displays: payment details, screening match information (matched field, matched name, SDN entry, match score), and the hold timestamp.

Compliance Officer Actions

| Action | Condition | Result |
| --- | --- | --- |
| Release — Clear | Officer determines the match is a false positive (e.g., common name, different individual). Must document the basis for the clear decision. | Payment proceeds to the next workflow step (approval or submission). Compliance decision logged in audit trail. |
| Release — Escalate to BSA | Match is possible but requires senior BSA review before a release decision can be made. | Payment remains in hold. BSA manager is notified. Payment flagged for senior review in the hold queue. |
| Reject | Officer determines the payment involves a sanctioned party. Payment must not be processed. | Payment is rejected. Originator is notified per compliance procedure. SAR filing evaluation is triggered. Blocked funds procedures apply (OFAC report may be required). |

OFAC Blocked Funds Reporting: If a payment is rejected because the funds are blocked (matched against a sanctioned party), the institution is required to file an OFAC Blocked Property Report within 10 business days. PayPlus generates a draft report in PDF format from the compliance hold record. The BSA Officer must review, complete, and submit the report to OFAC.

AML Integration

PayPlus Enterprise integrates with external AML platforms (NICE Actimize, Oracle FCCM, and others) via the PayPlus Compliance API. AML integration is optional — institutions that perform AML transaction monitoring outside of PayPlus (e.g., in the core banking system) do not need to configure this integration.

Configure AML integration at Administration > Compliance > AML Integration.

| Parameter | Description |
| --- | --- |
| aml.integration.enabled | Enable the AML integration adapter. Default: false. |
| aml.provider | AML platform type: ACTIMIZE, ORACLE_FCCM, or GENERIC_REST. |
| aml.endpoint.url | REST API endpoint of the AML platform for real-time transaction event submission. |
| aml.event.mode | SYNCHRONOUS — PayPlus waits for AML response before proceeding (adds latency; not suitable for instant payments). ASYNCHRONOUS — PayPlus submits the event and continues processing; AML response triggers a compliance hold if flagged. |
| aml.event.types | Payment events forwarded to AML: PAYMENT_INITIATED, PAYMENT_SETTLED, PAYMENT_RETURNED. For AML transaction monitoring, at minimum submit PAYMENT_SETTLED. |

Travel Rule (31 CFR 103.33 / FinCEN)

The BSA Travel Rule requires financial institutions to pass certain identifying information about the originator and beneficiary with wire transfers and certain electronic funds transfers of $3,000 or more. PayPlus automatically includes required Travel Rule fields in applicable payment messages.

| Rail | Threshold | Required Fields | PayPlus Implementation |
| --- | --- | --- | --- |
| Fedwire (pacs.008) | $3,000+ | Originator name, address, account number; Beneficiary name, address, account number | Included in pacs.008 Debtor/Creditor fields. PayPlus validates these fields are populated before submission for amounts ≥ $3,000. |
| SWIFT (MT 103 / pacs.008) | $3,000+ | Ordering customer full details (Field 50K); Beneficiary customer full details (Field 59) | Field 50K and Field 59 are mandatory for MT 103 above threshold. PayPlus blocks submission if these fields are incomplete. |
| ACH | $3,000+ (IAT SEC code) | Required for International ACH Transactions (IAT): originator and beneficiary name, address, identification number | IAT addenda records automatically populated from payment instruction data. CCD/PPD domestic ACH follows separate FinCEN requirements. |
| RTP / FedNow | No current threshold — FinCEN rulemaking pending | Originator/beneficiary information passed in ISO 20022 pacs.008 structured fields | PayPlus populates structured debtor/creditor fields in all RTP and FedNow pacs.008 messages regardless of amount. |
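
The pre-submission check described in the Fedwire and ACH rows, as an added example rather than PayPlus's implementation. The payment dictionary layout and its key names are hypothetical, and only the two rails whose required fields the table enumerates are modelled; any other rail raises an error instead of passing silently.

```python
from decimal import Decimal

# Added example, not PayPlus code. Dict keys (rail, sec_code, amount, party
# field names) are hypothetical; only the rules come from the table above.
THRESHOLD = Decimal("3000")  # "$3,000 or more", so the boundary is inclusive
REQUIRED = {
    "FEDWIRE": ("name", "address", "account_number"),
    "ACH_IAT": ("name", "address", "identification_number"),
}

def travel_rule_gaps(payment):
    """Return None if the rule does not apply, else the missing party.field names."""
    rail = payment["rail"]
    if rail == "ACH":
        if payment.get("sec_code") != "IAT":
            return None  # domestic CCD/PPD: separate requirements, out of scope
        rail = "ACH_IAT"
    if rail not in REQUIRED:
        raise ValueError(f"rail not modelled in this example: {rail}")
    # Decimal avoids float rounding at the 3000.00 boundary.
    if Decimal(payment["amount"]) < THRESHOLD:
        return None
    gaps = []
    for party in ("originator", "beneficiary"):
        details = payment.get(party) or {}
        for field in REQUIRED[rail]:
            # Whitespace-only values count as unpopulated.
            if not str(details.get(field) or "").strip():
                gaps.append(f"{party}.{field}")
    return gaps

# Constructed sample payments.
FULL = {"name": "Example Co", "address": "1 Main St", "account_number": "000123",
        "identification_number": "ID-1"}
AT_THRESHOLD = {"rail": "FEDWIRE", "amount": "3000.00",
                "originator": FULL, "beneficiary": {**FULL, "address": "  "}}
BELOW = {"rail": "FEDWIRE", "amount": "2999.99", "originator": {}, "beneficiary": {}}
DOMESTIC_ACH = {"rail": "ACH", "sec_code": "PPD", "amount": "9000", "originator": {}}
IAT = {"rail": "ACH", "sec_code": "IAT", "amount": "5000",
       "originator": {**FULL, "identification_number": None}, "beneficiary": FULL}
```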

Travel Rule Validation Settings

Navigate to Administration > Compliance > Travel Rule:

Compliance Audit Trail

All compliance actions are logged in the PayPlus Compliance Audit Trail — a dedicated audit record separate from the general system audit log. The compliance audit trail captures:

Access the compliance audit trail at Compliance > Audit Trail. The trail is accessible to Compliance Officers and Read-Only Auditors. Export to PDF or CSV for regulatory examination support.

Regulatory Reporting

PayPlus generates the following compliance reports to support regulatory obligations:

| Report | Regulatory Basis | Generation |
| --- | --- | --- |
| OFAC Blocked Funds Report | OFAC requirement — file within 10 business days of blocking | On-demand from the compliance hold record |
| OFAC Annual Report (31 CFR 501.603) | Annual census of blocked funds | Auto-generated January 1; Compliance > Reports > OFAC Annual Report |
| CTR Support Data | BSA Currency Transaction Report (FinCEN Form 112) for cash transactions — not a direct wire report, but supporting data | On-demand; exports transaction data for CTR filing in FinCEN XML format |
| Wire Transfer Record (31 CFR 103.33) | BSA record-keeping for wire transfers of $3,000+ — 5-year retention required | Auto-generated daily; archived automatically per retention policy |

Examination Readiness: Configure Read-Only Auditor accounts for examiners (bank examiners from the OCC, Federal Reserve, FDIC, or FinCEN) before examination begins. Provide time-limited access (set account expiry date). All examiner actions in the system are audit-logged automatically.