- NACHA mandate rules
- Authorization copy meets NACHA rules for WEB, TEL, PPD and CCD SEC codes; consent language versioned per capture.
- PCI DSS Level 1 (card side)
- PCI L1 posture covers the wider platform; the ACH-side authorization form doesn't handle PAN data but shares the same audited environment.
- Evidence retention
- Mandate + consent-language version + capture metadata (timestamp, IP) retained per NACHA requirements for the life of the debit relationship plus 2 years.
- R-code handling
- R-code-aware processing per NACHA — R07 (customer revoke) and R08 (stop payment) auto-flag mandates as revoked.
- Sanctions & AML alignment
- Sanctions screening at onboarding; ACH velocity rules per merchant vertical and volume profile.
- Licensed verticals only
- Licensed gaming, regulated financial services and other compliance-bound verticals supported only where current operating licences exist. Grey and black-market verticals are out of scope.