The NUSDpay platform has a comprehensive built-in compliance and security framework, ensuring that every merchant transaction complies with anti-money laundering (AML) and counter-financing of terrorism (CFT) regulatory requirements.

Compliance Architecture

NUSDpay has a built-in professional compliance engine that provides automated transaction monitoring and risk assessment capabilities.
[Figure: Risk control review flow]

KYA — Know Your Address

Know Your Address (KYA) technology performs risk assessments on the blockchain addresses involved in transactions:
  • Address Profile: Identifies the type of entity to which the address belongs (exchange, mixer, darknet, sanctions list, etc.)
  • Risk Score: Generates a risk score based on the address’s historical behavior
  • Real-Time Screening: Automatically screens the target address of every Payin/Payout transaction

KYT — Know Your Transaction

Know Your Transaction (KYT) technology performs real-time monitoring of every transaction:
  • Transaction Screening: Automatically analyzes dimensions such as transaction amount, frequency, and counterparties
  • Risk Rating: Three-level classification: High Risk / Medium Risk / Low Risk
  • Post-Processing Policies: Triggers automatic approval, manual review, or interception based on the risk level

Screening Flow

Payin Screening

For every deposit by an end user, the system automatically performs:
1. On-chain transaction detection: after NUSDpay detects a deposit transaction, it extracts the sender’s address and transaction information.
2. KYA address screening: performs risk profiling on the sender’s address to check whether it is associated with sanctions lists, mixers, or other high-risk entities.
3. KYT transaction screening: analyzes dimensions such as transaction amount, frequency, and route to generate a risk rating.
4. Risk handling:
  • Low Risk: Automatically credited
  • Medium Risk: Enters the manual review queue
  • High Risk: Automatically frozen, awaiting handling by the compliance team

Payout Screening

For every payment initiated by a merchant, the system automatically performs:
  • KYA screening of the recipient address (address whitelist + risk profile)
  • KYT analysis of transaction amount and frequency
  • When risk control rules are triggered, the transaction enters review status (Webhook notification Sub-Status: PendingAML/KYCReview)

Screening Results

Status              Description
Passed              Screening passed; transaction processed normally
Pending Screening   Awaiting screening completion
Screened            Screening completed; awaiting post-processing
Manual Review       Requires manual review
Rejected            Screening failed; transaction rejected

Post-Screening Policies

NUSDpay supports configuring Post-Screening Policies that automatically perform corresponding actions based on the risk rating:
Risk Level     Default Policy   Configurable Actions
Low Risk       Auto Approve     Approve / Alert / Reject
Medium Risk    Manual Review    Approve with Alert / Manual Review / Reject
High Risk      Auto Block       Reject / Freeze
Post-Screening policies can be customized in the risk control module of the admin console.

API Security

Request Signature

All API requests use the Ed25519 signature + nonce anti-replay mechanism:
  • Each request carries a unique nonce (timestamp)
  • The request body is signed with the Ed25519 private key
  • The server verifies the signature + checks nonce validity to prevent replay attacks
For the detailed signature algorithm, see Signature Specification.
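The following Go program is an added illustration of the signature + nonce scheme described above; it is not NUSDpay's SDK or its Signature Specification. It assumes the signed message is the nonce, a dot, and the raw request body, that the nonce is a millisecond timestamp, and that the server tolerates a 5-minute clock skew (`MaxSkew`); all three are assumptions chosen for the example. The server side checks the signature first, so that a forged request never reaches the nonce store, then freshness, then replay.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"sync"
	"time"
)

// NonceStore remembers nonces the server has already accepted so that a
// captured request cannot be replayed. Entries older than MaxSkew could be
// evicted; this in-memory version simply keeps them.
type NonceStore struct {
	mu   sync.Mutex
	seen map[string]time.Time
}

func NewNonceStore() *NonceStore {
	return &NonceStore{seen: make(map[string]time.Time)}
}

// Remember returns false if the nonce was already used.
func (s *NonceStore) Remember(nonce string, now time.Time) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, dup := s.seen[nonce]; dup {
		return false
	}
	s.seen[nonce] = now
	return true
}

// MaxSkew is the assumed freshness window for the timestamp nonce.
const MaxSkew = 5 * time.Minute

// signingInput is the assumed canonical form: nonce, a dot, then the raw body.
// The real Signature Specification may concatenate the fields differently.
func signingInput(nonce string, body []byte) []byte {
	return append([]byte(nonce+"."), body...)
}

// SignRequest runs on the merchant server: it produces a millisecond timestamp
// nonce and a hex-encoded Ed25519 signature over the nonce and body.
func SignRequest(priv ed25519.PrivateKey, body []byte, now time.Time) (nonce, sigHex string) {
	nonce = strconv.FormatInt(now.UnixMilli(), 10)
	sig := ed25519.Sign(priv, signingInput(nonce, body))
	return nonce, hex.EncodeToString(sig)
}

// VerifyRequest is the platform-side check: signature, then timestamp
// freshness, then the replay check against the nonce store.
func VerifyRequest(pub ed25519.PublicKey, nonce string, body []byte, sigHex string, store *NonceStore, now time.Time) error {
	sig, err := hex.DecodeString(sigHex)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, signingInput(nonce, body), sig) {
		return errors.New("bad signature")
	}
	ms, err := strconv.ParseInt(nonce, 10, 64)
	if err != nil {
		return errors.New("malformed nonce")
	}
	skew := now.Sub(time.UnixMilli(ms))
	if skew > MaxSkew || skew < -MaxSkew {
		return errors.New("nonce outside freshness window")
	}
	if !store.Remember(nonce, now) {
		return errors.New("replayed nonce")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	store := NewNonceStore()
	body := []byte(`{"amount":"100.00","to":"0xCONSTRUCTED"}`) // constructed sample body
	now := time.Now()
	nonce, sig := SignRequest(priv, body, now)
	fmt.Println("first delivery:", VerifyRequest(pub, nonce, body, sig, store, now))
	fmt.Println("replayed copy: ", VerifyRequest(pub, nonce, body, sig, store, now))
}
```

In a real deployment the nonce store would be keyed per merchant API key and backed by shared storage, otherwise two API nodes could each accept the same replayed request; and because a bare timestamp nonce repeats if two requests are issued in the same millisecond, the merchant client should serialize its requests or the platform should scope the replay check accordingly.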

Webhook Security

The Webhook notifications pushed by NUSDpay are also protected by signatures:
  • Each Webhook carries a signature header, so merchants can verify the message source
  • We recommend responding within 2 seconds; the system automatically retries on timeout
  • Use request_id for idempotent handling to prevent duplicate consumption
For detailed information, see Webhook Configuration.
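As an added example of the receiving side (not NUSDpay's own code), the Go program below verifies a Webhook signature over the raw body before parsing it, deduplicates on `request_id` so that a retried delivery is acknowledged without being applied twice, and routes notifications whose sub-status is `PendingAML` or `KYCReview` to a hold rather than treating them as final. The header name `X-Nusdpay-Signature`, the use of an Ed25519 signature over the raw body, the JSON field names, and the `Completed` status value are assumptions made for this example; the Webhook Configuration and Transaction Status Reference pages hold the real ones.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sync"
)

// SignatureHeader is the assumed name of the header carrying the signature.
const SignatureHeader = "X-Nusdpay-Signature"

// WebhookEvent holds the fields this example assumes in a notification.
type WebhookEvent struct {
	RequestID string `json:"request_id"`
	TxID      string `json:"tx_id"`
	Status    string `json:"status"`
	SubStatus string `json:"sub_status"`
}

// Processed records request_ids already handled. Deliveries are retried on
// timeout, so duplicates are routine and must be acknowledged, not re-applied.
type Processed struct {
	mu   sync.Mutex
	done map[string]string
}

func NewProcessed() *Processed { return &Processed{done: make(map[string]string)} }

// Outcome tells the HTTP layer how to respond.
type Outcome string

const (
	Applied   Outcome = "applied"   // first delivery, business logic ran
	Duplicate Outcome = "duplicate" // already handled, acknowledge again
	Rejected  Outcome = "rejected"  // bad signature or malformed body
)

// HandleWebhook verifies the signature over the raw bytes, parses the event,
// then invokes apply at most once per request_id. The lock is held across
// apply so that concurrent retries of the same id serialize.
func HandleWebhook(pub ed25519.PublicKey, headers map[string]string, body []byte,
	store *Processed, apply func(WebhookEvent) string) (Outcome, error) {
	sig, err := hex.DecodeString(headers[SignatureHeader])
	if err != nil || !ed25519.Verify(pub, body, sig) {
		return Rejected, errors.New("webhook signature invalid")
	}
	var ev WebhookEvent
	if err := json.Unmarshal(body, &ev); err != nil || ev.RequestID == "" {
		return Rejected, errors.New("webhook body malformed")
	}
	store.mu.Lock()
	defer store.mu.Unlock()
	if _, seen := store.done[ev.RequestID]; seen {
		return Duplicate, nil
	}
	store.done[ev.RequestID] = apply(ev)
	return Applied, nil
}

// RouteByStatus is a sample apply callback: a payout parked by the compliance
// engine (Sub-Status PendingAML or KYCReview) is held, not settled.
func RouteByStatus(ev WebhookEvent) string {
	switch {
	case ev.SubStatus == "PendingAML" || ev.SubStatus == "KYCReview":
		return "hold: awaiting compliance review"
	case ev.Status == "Completed": // assumed name of the final status
		return "settle order"
	default:
		return "no-op"
	}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample notification for a payout parked by the compliance engine.
	body := []byte(`{"request_id":"req-42","tx_id":"tx-7","status":"Pending","sub_status":"PendingAML"}`)
	hdr := map[string]string{SignatureHeader: hex.EncodeToString(ed25519.Sign(priv, body))}
	store := NewProcessed()
	for i := 0; i < 2; i++ { // second iteration simulates a retried delivery
		out, err := HandleWebhook(pub, hdr, body, store, RouteByStatus)
		fmt.Println(out, err)
	}
}
```

Keeping the handler this small is what makes the 2-second response budget achievable: verify, record, enqueue, and return 200, with any slow work (database writes, downstream calls) done asynchronously after the acknowledgement.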

Security Best Practices

  • The private key should only be used on the server side; do not hardcode it in front-end code
  • Rotate API keys regularly
  • Store keys using environment variables or a secrets management service
  • All API communication must use HTTPS
  • We recommend configuring an IP allowlist to restrict API call sources
  • We recommend configuring HTTPS + signature verification on Webhook endpoints
  • Follow the principle of least privilege; assign console permissions by role
  • Sensitive operations (settlement, transfer) require secondary verification with a code
  • Audit operation logs regularly

Next Steps

Transaction Status Reference

Learn the meaning of each status and sub-status, including AML review-related statuses.

Webhook Configuration

Configure Webhooks to receive transaction and compliance review notifications.