> ## Documentation Index
> Fetch the complete documentation index at: https://docs.stablepay.global/llms.txt
> Use this file to discover all available pages before exploring further.

# Compliance & Licensing

> Regulatory framework and compliance requirements

## Licensing

StablePay is operated by **Fincrypt LLP**, a registered Virtual Digital Asset Service Provider (VDASP) with **FIU-IND** (Financial Intelligence Unit - India). This registration is mandated under the Prevention of Money Laundering Act (PMLA) for all entities facilitating virtual digital asset transactions in India.

## PMLA Requirements

All transactions processed through StablePay are subject to PMLA requirements:

* **KYC is mandatory** — no anonymous transactions are permitted. Every user must complete identity verification before transacting.
* **Transaction monitoring** — StablePay monitors all transactions for suspicious activity, including unusual patterns, rapid fiat-crypto cycles, and use of mixers or privacy-enhancing tools.
* **Record keeping** — transaction records are maintained as required by regulation.
* **Suspicious Transaction Reporting (STR)** — StablePay files reports with FIU-IND when required.

## Responsibilities

### What StablePay Handles

| Area                       | Details                                                                  |
| -------------------------- | ------------------------------------------------------------------------ |
| **KYC verification**       | Identity document verification, bank account verification, PEP screening |
| **Transaction monitoring** | AML/CFT monitoring, suspicious activity detection, STR filing            |
| **Sanctions screening**    | Screening against UNSC, OFAC, and India's designated lists               |
| **Record keeping**         | Maintaining transaction and KYC records per PMLA requirements            |
| **Regulatory reporting**   | Filing CTRs and STRs with FIU-IND                                        |
| **Data security**          | Encryption, access controls, and secure storage of user data             |

### What Partners Are Responsible For

| Area                       | Details                                                                                            |
| -------------------------- | -------------------------------------------------------------------------------------------------- |
| **End-user terms**         | Maintaining your own terms of service and privacy policy for your users                            |
| **User due diligence**     | Not knowingly onboarding sanctioned individuals or entities                                        |
| **Accurate data**          | Providing correct user information (name, phone, email) during user creation                       |
| **Compliance cooperation** | Responding to information requests from StablePay's compliance team                                |
| **Prohibited use**         | Ensuring your platform is not used for money laundering, terrorism financing, or sanctions evasion |

## AML/CFT

StablePay maintains an Anti-Money Laundering and Combating the Financing of Terrorism (AML/CFT) program that includes:

* **Risk-based approach** — users and transactions are risk-scored based on geography, volume, patterns, and product usage
* **Enhanced Due Diligence (EDD)** — triggered for high-risk customers, PEPs, non-profits, and unusual transaction patterns. See the [Limits & EDD guide](/guides/limits-and-edd) for details.
* **Sanctions screening** — all users are screened against applicable sanctions lists at onboarding and on an ongoing basis

<Warning>
  Partners must not knowingly facilitate transactions for sanctioned individuals, entities, or jurisdictions. If you become aware that a user on your platform is subject to sanctions, notify StablePay immediately at [compliance@stablepay.global](mailto:compliance@stablepay.global).
</Warning>

## Data Residency & Security

* **Storage** — all user PII is encrypted with AES-256-GCM and stored in India (AWS `ap-south-1`)
* **Access** — PII access is restricted to authorized personnel and audit-logged
* **Retention** — records are retained per PMLA requirements (minimum 5 years after account closure)
* **API security** — all API traffic is encrypted via TLS 1.2+, with Bearer token authentication and optional IP whitelisting

## Partner Agreement

By integrating the StablePay API, partners accept the [Partner Agreement](https://stablepay.global/partner-agreement) and agree to:

* Comply with applicable laws in their jurisdiction
* Maintain appropriate end-user terms and privacy policies
* Not use the API for prohibited activities
* Cooperate with StablePay's compliance team when requested

<Note>
  For questions about compliance, licensing, or regulatory requirements, contact [compliance@stablepay.global](mailto:compliance@stablepay.global).
</Note>
