
Compliance Guide

Overview

At Productfy we understand that navigating the world of banking regulations can be a major challenge in launching a fintech experience. This guide is meant to clearly outline some of the places Productfy clients need to pay attention to in order to ensure compliance and a smooth implementation. Financial Institutions are highly regulated and subject to regular audits and oversight. As a bank partner and service provider, it is important that you understand and follow the Compliance policies and procedures that we have established for the Program. Don’t worry, we are here to help you navigate these policies and procedures, and we will conduct training for you as part of the onboarding process. The purpose of this guide is to provide you with an overview of the Compliance requirements. If you have any questions along the way, please reach out to us through your service coordinator.

Disclosure Documents

Depending on what product(s) you're implementing, the legal documents you need to display in your app will differ. Don’t worry, Productfy will provide template legal documents for you during your implementation. While Productfy cannot provide legal advice, we can provide you with sample privacy notices for your reference. The PDF documents will be sent to you to host and display in your app, once we have received a completed Client Onboarding Information Form. Productfy will also give you a specific DisclosureID with each document for our tracking purposes (see Tracking Disclosure Data for more info).

Changes to Disclosure Documents

As you add or change functionality of your application, disclosures may need to be updated. Any disclosure changes will need to be re-presented to your customer and re-accepted. Please work with your Productfy representative to notify us of any upcoming changes to your functionality.

Tracking Disclosure Data

Bank auditors require that Productfy store a record of customers accepting disclosures in two places:

  1. At time of account opening
  2. At time of each 1-time ACH transfer

We provide a Save Disclosure Acceptance API for you to call at the time of account opening for each disclosure document presented and accepted. The API should be connected to the button your customer hits when they accept the disclosure documents presented there. Additionally, within the Initiate Fund Transfer API or Initiate ACH Transfer API there is a disclosureAcceptance object with the same fields that will need to be filled out. Please fill out the fields as indicated below:

| Field | Value |
| --- | --- |
| acceptanceTime | The current date/time (in PST) |
| disclosureId | The disclosure ID provided by Productfy or enter ‘ACH’ for the ACH authorization |
| disclosureType | The disclosure type associated with the disclosure ID |
| ipAddress | The IP address of the customer |
| organizationId or personId | The ID associated with the organization or person on Productfy |
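
The following is an added example, not Productfy's own code: a server-side helper that assembles the disclosureAcceptance fields from the table above and rejects records that would not hold up as audit evidence (no owner ID, a time without an offset, or an IP value that is not a single address). The function name, the ISO-8601 time format, the literal UTC-8 reading of "PST" and the sample IDs are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumption: "PST" is read literally as UTC-8; confirm with Productfy
# whether daylight-saving time should be applied instead.
PST = timezone(timedelta(hours=-8), "PST")


def build_disclosure_acceptance(disclosure_id, disclosure_type, ip_address,
                                accepted_at, person_id=None,
                                organization_id=None):
    """Return a dict with the five fields from the table above."""
    if not disclosure_id or not disclosure_type:
        raise ValueError("disclosureId and disclosureType are required")
    # Exactly one owner: the table says organizationId *or* personId.
    if (person_id is None) == (organization_id is None):
        raise ValueError("set exactly one of personId or organizationId")
    # A naive datetime has no offset, so converting it would silently
    # use the server's local zone and could record the wrong time.
    if accepted_at.tzinfo is None:
        raise ValueError("accepted_at must be timezone-aware")
    # Reject anything that is not a single literal IPv4/IPv6 address,
    # e.g. an unparsed X-Forwarded-For list or an empty string.
    ip = ipaddress.ip_address(ip_address.strip())
    record = {
        # Assumed wire format: ISO-8601 with an explicit offset.
        "acceptanceTime": accepted_at.astimezone(PST).isoformat(timespec="seconds"),
        "disclosureId": disclosure_id,
        "disclosureType": disclosure_type,
        "ipAddress": str(ip),
    }
    if person_id is not None:
        record["personId"] = person_id
    else:
        record["organizationId"] = organization_id
    return record


if __name__ == "__main__":
    # Constructed sample values; real IDs and types come from Productfy.
    print(build_disclosure_acceptance(
        "ACH", "ACH_AUTHORIZATION", "203.0.113.7",
        datetime(2023, 3, 6, 20, 15, tzinfo=timezone.utc),
        person_id="person-123"))
```

Take the IP address from the connection your server observed (or from a proxy header set only by infrastructure you control), since a value sent by the client's own request body can be forged.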

Dealing With Changes To Customer Information

Some data fields stored on Productfy are considered Personally Identifiable Information (PII), such as Name, Date of Birth, Social Security Number, Address, Email, Phone Number, etc. When these fields get changed after they have already been entered, it may be a sign of fraud. For this reason there are greater controls around how to handle these changes. Please see the chart below for direction on how to handle changes to each PII field:

| Field that's changing | Client action needed |
| --- | --- |
| Email | Change the name via Productfy API, and follow up with emails to the old email address and new email address letting them know the email on the account has been changed |
| Phone Number | Change the name via Productfy API, and follow up with an email to the email address on file |
| Address | Change the name via Productfy API, and follow up with an email to the email address on file |
| Name | Send in a support ticket to Productfy for all name changes to be reviewed |
| Social Security Number | Send in a support ticket to Productfy for all SSN changes to be reviewed |
| Date of Birth | Send in a support ticket to Productfy for all DOB changes to be reviewed |

Marketing and Advertising

Regulatory requirements set forth certain guidelines when advertising and/or marketing banking and financial products. We will work with you to ensure the marketing and advertising for the program is consistent with regulatory guidelines. So, for example, we will review your website pages or app screens, as well as social media messages about the program. Essentially, the regulators expect marketing and advertising to be fair and balanced, easy to understand, and not misleading.

Clients are provided training regarding Marketing and Advertising Guidelines, with a copy of the presentation being found here.

The Marketing Compliance Guide provides detailed information regarding regulatory and Productfy requirements related to the development of marketing and advertising materials.

Complaint Tracking Process

Per banking regulations we must keep an official record of any concerns/complaints/issues raised by an end user regarding their account or the product. The data provided will be used by our Compliance Team to review the matter and help address the matter to find a timely resolution for the end user.

A complaint is defined as an oral or written particularized statement of dissatisfaction from a consumer or his or her representative concerning offered products or services. Routine service inquiries are not complaints, nor are generalized statements of dissatisfaction with a product or service, if the statement does not contain actionable information.

Please fill out the Complaint Handling Form here and send it to Productfy when you receive a complaint. This form needs to be provided within 24 hours of receipt of a customer complaint. You are responsible for ensuring the complaint handling form is provided to Productfy within the required timeframes.

Clients are provided training regarding Complaint Handling, with a copy of the presentation being found here.

Books and Records Guidance

By participating in a debit card program, you are acting as a service provider of our partner bank. All records of the program are required to be retained for a minimum of seven years so they can be audited by bank regulators and others. Moreover, they must be preserved in a way that retains the integrity of the record. So, they must not be susceptible to alteration. We have provided below a list of the artifacts that are considered to be records of the program. If you have any questions, please do not hesitate to reach out to the Productfy Compliance Team.

Records that must be preserved:

  • Each page of your website or App that references or pertains to the debit card program
  • Each end user customer application for a debit card
  • Evidence of acceptance of the disclosures and agreements by the end user customer
  • Evidence that you have replaced a prior version of a disclosure or agreement with a new version (for version control purposes)
  • Evidence that an end user customer has authorized each ACH transfer
  • Evidence of any change on the end user customer’s account, such as a change in name, address, email address, or phone number
  • Evidence of your confirmatory email to the customer when the end user customer changes his or her name, address, email address or phone number (this provides us with an audit trail of the changes and provides evidence that we notified the customer of the change on the account to prevent fraud)
  • Evidence of delivery of any program disclosure, notice or document, such as delivery of monthly statements to end user customers. Each end user customer must be notified of the availability of the monthly statement, so that the end user customer has the ability to review the statement for accuracy and notify us of any inaccuracies.

All clients are required to provide Productfy with information regarding vendors that are used for their specific program with Productfy, and for communication with customers.

Americans With Disabilities Act

Title III of the Americans with Disabilities Act requires certain businesses that serve as “places of public accommodation” to remove “access barriers” that inhibit a disabled person from accessing goods or services. As we understand it, businesses such as our sponsor bank, as issuer of your consumer debit cards, may be subject to Title III of the ADA. We also understand that Title III does not directly address whether places of public accommodation include websites, mobile applications, or other web-based technology, and that courts are split on this issue. We, therefore, ask that you consult with counsel regarding the applicability of the ADA to the debit card program and, specifically, what steps you should take to ensure that your website or App complies with the Web Content Accessibility Guidelines (WCAG) 2.1 or other applicable ADA standards.

Yodlee Security Standards

Clients using our account linking or data aggregation services through Yodlee must adhere to their security standards outlined here: www.productfy.io/data-source-policy.

Unusual Activity Reporting Process

Per banking regulations, Productfy must monitor for and report on unusual activity to its sponsor bank(s). Clients have direct access and interaction with their customers on a regular basis which places you and your employees in the financial services industry’s first line of defense against illicit activity such as money laundering, fraud, terrorist financing, elder abuse, tax evasion, etc. As part of the first line of defense, you and your employees are a vital part of the unusual activity monitoring and reporting process. Any time unusual or out of pattern activity is detected in association with your business, its customers, their accounts and/or their transactions, you are responsible for filling out a new row in your Unusual Activity Reporting Log (located in Box).

Please fill out the Unusual Activity Reporting log in Box and send a notification to Productfy’s Client Success team any time a triggering event is identified. This log needs to be provided within 24 hours of detecting the unusual or out of pattern event/activity. You are responsible for ensuring the unusual activity log is updated and Productfy is notified within the required timeframes.

KYC / KYB Information Security Standards

Clients using our KYC or KYB services must adhere to the Federal Reserve's guidance on information security outlined here: www.federalreserve.gov/supervisionreg/interagencyguidelines.htm.

Final_V3.0_Mkt Compliance Guidlines_2023.03.06.pdf

Account Closure

Productfy may initiate the closure of accounts based on a request from the end user customer or the client, or based on a self-identified issue or concern related to non-compliance, such as potential fraud or money laundering activity. Clients should not attempt to collect funds from end user customers after an account has been closed.

Mandatory Notice for Commercial Deposit and Debit Card Program

If you are an API client that is partnering with us on a Commercial Deposit and Debit Card program, you must post the following message on your website in a location where commercial deposit and debit card program applicants can read it. The notice warns commercial customers that they must not engage in unlawful internet gambling. For Latinum clients, this notice will be posted by Productfy in the UI.

Notice to our Commercial Deposit Customers:

Under federal banking regulations (12 CFR 233.6) commercial customers must receive notice of the prohibition of conducting unlawful internet gambling transactions through banking systems. This statement provides you with the required notice.

You agree that your account shall not be used for the payment or receipt of any gambling transactions which are unlawful under the Unlawful Internet Gambling Enforcement Act of 2006. We reserve the right to decline any transaction which we believe or suspect is prohibited under the Act.