Regulatory Coverage
TrustGate provides operational compliance tooling that maps directly to requirements under major AML, KYC, and data protection regulations. This page outlines which regulatory obligations the platform addresses and which capabilities fulfill them. It is intended for compliance directors evaluating whether TrustGate satisfies their program requirements.
TrustGate does not replace legal counsel or a compliance program. It provides the technical infrastructure to execute the verification, screening, monitoring, and record-keeping that regulations require.
Coverage Matrix
The following matrix maps specific regulatory requirements to TrustGate platform capabilities.
| Regulation | Requirement | TrustGate Capability | Feature |
|---|---|---|---|
| BSA / USA PATRIOT Act | Customer Identification Program (CIP) | Identity document collection, OCR extraction, biometric face matching | Document Verification, Biometrics API |
| BSA / USA PATRIOT Act | Customer Due Diligence (CDD) | Risk-scored applicant assessment with automated workflow rules | Risk Engine, Workflow Rules |
| BSA / USA PATRIOT Act | Enhanced Due Diligence (EDD) | Configurable escalation for high-risk applicants, PEP/sanctions screening with tiered thresholds | Workflow Rules (escalate/manual_review actions), Screening API |
| BSA / USA PATRIOT Act | Suspicious Activity Reporting | AI-assisted SAR narrative generation (5-paragraph FinCEN format) and PDF report output | SAR Service, Cases API |
| BSA / USA PATRIOT Act | Recordkeeping (5-year retention) | Status-based retention policies with configurable periods per applicant status | Data Retention Service |
| OFAC | Sanctions list screening (SDN) | Real-time screening against OFAC SDN via global sanctions database provider with configurable confidence thresholds | Screening API (us_ofac_sdn dataset) |
| OFAC | Blocked persons identification | Name, DOB, nationality, passport, and national ID matching with weighted scoring | Screening Service (field weighting) |
| OFAC | Ongoing sanctions monitoring | Batch re-screening of approved applicants with delta detection and alert generation | Ongoing Monitoring Service, Monitoring Alerts |
| FATF Recommendations | Recommendation 10: CDD | Document verification, biometric matching, risk-based assessment | Document Verification, Biometrics, Risk Engine |
| FATF Recommendations | Recommendation 12: PEP screening | Dedicated PEP screening with tier classification (Tier 1/2/3) and position tracking | Screening API (pep dataset), PEP tier detection |
| FATF Recommendations | Recommendation 15: Virtual assets | Crypto wallet screening and transaction monitoring | Wallet Screening API |
| FATF Recommendations | Recommendation 20: Suspicious transaction reporting | SAR-ready report generation with AI narrative drafting | SAR Service |
| FATF Recommendations | Recommendation 24/25: Beneficial ownership | KYB company screening with beneficial owner tracking (ownership %, roles, flags) | Company Screening, KYB Models |
| EU 4AMLD / 5AMLD / 6AMLD | CDD and identity verification | Document OCR, face comparison, liveness detection | Document Verification, Biometrics API |
| EU 4AMLD / 5AMLD / 6AMLD | PEP and sanctions screening | Screening against EU Consolidated List, UN Security Council, and PEP databases | Screening API (eu_fsf, un_sc_sanctions, pep datasets) |
| EU 4AMLD / 5AMLD / 6AMLD | Adverse media screening | Brave News Search with GPT-4o-mini analysis for negative news detection | Adverse Media Screening |
| EU 4AMLD / 5AMLD / 6AMLD | Risk-based approach | Automated risk scoring from screening results, document status, country risk, device signals, and behavioral signals | Risk Engine |
| EU 4AMLD / 5AMLD / 6AMLD | Ongoing monitoring | Scheduled batch re-screening with new-hit detection and automated case creation | Ongoing Monitoring, Monitoring Worker |
| EU 4AMLD / 5AMLD / 6AMLD | Record retention (5-year minimum) | Status-based retention: 5 years for approved/rejected, 7 years for flagged, with AML override preventing premature deletion | Data Retention Service |
| EU 4AMLD / 5AMLD / 6AMLD | Beneficial ownership transparency (5AMLD) | Company verification with UBO identification, ownership percentages, and role tracking | KYB Company Model, Beneficial Owner Model |
| GDPR | Article 6/7: Lawful basis and consent | Consent recording with timestamp, IP address, and withdrawal tracking | Consent API endpoint |
| GDPR | Article 15: Right of access | Full data export of all personal data held about an applicant in portable format | GDPR Data Export endpoint |
| GDPR | Article 17: Right to erasure | GDPR deletion endpoint with AML override checks (legal hold, SAR linkage, flagged status) | GDPR Delete endpoint |
| GDPR | Article 5(1)(e): Storage limitation | Configurable retention periods by applicant status (30 days to 7 years) | Data Retention Service |
| GDPR | Article 5(1)(f): Data security | PII encrypted at application level using Fernet (AES-128-CBC with HMAC-SHA256 authentication) before database storage | Applicant Model encryption |
| GDPR | Legal hold management | Legal hold flag prevents deletion, with reason tracking and audit logging | Legal Hold API endpoints |
| eIDAS | Electronic identity verification | Document OCR with data extraction, biometric face comparison against ID photo, liveness detection | Document Verification, Biometrics API |
| eIDAS | Biometric verification | Face comparison via biometric verification engine, passive and interactive liveness detection via face liveness service | Biometrics API (compare, liveness, sessions) |
| FinCEN | SAR filing support | AI-generated 5-paragraph narratives (Who/What/When/Where/Why), professional PDF output with case data pre-filled | SAR Service |
| FinCEN | SAR tracking | Reference number generation, filing status tracking, report count per case | Cases API (SAR endpoints) |
| FinCEN | CTR-related recordkeeping | Tamper-evident audit logs with chain hashing for all compliance-relevant actions | Audit Log Service |
Capabilities by Regulation
BSA / USA PATRIOT Act
TrustGate supports Customer Identification Program (CIP) obligations through document collection with OCR extraction (via the document extraction engine) and biometric face matching. The Risk Engine calculates composite risk scores from screening results, document verification status, country risk, and device intelligence signals. Workflow Rules let teams define automated actions -- auto-approve, manual review, auto-reject, escalate, or hold -- triggered by configurable conditions and risk thresholds, supporting the risk-based CDD and EDD requirements.
For Suspicious Activity Reporting, the SAR Service generates 5-paragraph narratives following FinCEN's Who/What/When/Where/Why format using Claude AI, pre-filled from case data including screening hits, applicant details, and analyst notes. Reports are output as professional PDF documents with reference number tracking.
OFAC Compliance
Screening integrates with a global sanctions database provider, which provides unified access to the OFAC SDN list along with EU, UN, UK, Australian, Canadian, Japanese, Swiss, Hong Kong, and Singapore sanctions lists. The platform supports 17+ configurable screening datasets. Confidence thresholds are adjustable, and field weighting allows teams to tune how heavily name, date of birth, and country matches influence scoring.
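The provider's matching algorithm is not documented here, so the following is an added illustration (not TrustGate's or the provider's code) of how per-field weights and a confidence threshold interact. The weights, the token-sort name normalization, the half-credit for a year-only date of birth and the sample records are all assumptions constructed for the example.

```python
"""Illustrative weighted field matching for sanctions/PEP screening (added example; the real
screening provider's algorithm is not documented on this page)."""
import re
import unicodedata
from difflib import SequenceMatcher

# Assumed default weights; the page only says name, DOB and country weights are tunable.
DEFAULT_WEIGHTS = {"name": 0.6, "dob": 0.3, "nationality": 0.1}


def normalize_name(name: str) -> str:
    """Strip accents and punctuation, lowercase, and token-sort so "PETROV, Ivan" == "Ivan Petrov"."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(sorted(re.findall(r"[a-z0-9]+", ascii_only.lower())))


def name_score(a: str, b: str) -> float:
    return SequenceMatcher(None, normalize_name(a), normalize_name(b)).ratio()


def dob_score(a: str, b: str) -> float:
    """ISO dates: exact match scores 1.0, same year only 0.5 (list entries often carry only a year)."""
    if a == b:
        return 1.0
    return 0.5 if a[:4] == b[:4] else 0.0


def nationality_score(a: str, b: str) -> float:
    return 1.0 if a.upper() == b.upper() else 0.0


SCORERS = {"name": name_score, "dob": dob_score, "nationality": nationality_score}


def weighted_match(applicant: dict, record: dict, weights: dict = DEFAULT_WEIGHTS) -> float:
    """Weighted average over the fields present on BOTH sides.
    Design choice to be aware of: a list entry with no DOB is scored on name and nationality alone,
    so it can reach 1.0; treating a missing field as 0 instead would suppress such hits."""
    available = {f: w for f, w in weights.items() if applicant.get(f) and record.get(f)}
    if not available:
        return 0.0
    total = sum(available.values())
    return sum(SCORERS[f](applicant[f], record[f]) * w for f, w in available.items()) / total


def screen(applicant: dict, records: list, threshold: float) -> list:
    """Return records scoring at or above the confidence threshold, best match first."""
    scored = [{"record_id": r["id"], "score": weighted_match(applicant, r)} for r in records]
    above = [s for s in scored if s["score"] >= threshold]
    return sorted(above, key=lambda s: (-s["score"], s["record_id"]))


def sample_screen() -> list:
    # Constructed applicant and list entries, not real data.
    applicant = {"name": "Ivan Petrov", "dob": "1975-03-02", "nationality": "RU"}
    records = [
        {"id": "R1", "name": "PETROV, Ivan", "dob": "1975-03-02", "nationality": "RU"},  # true match
        {"id": "R2", "name": "Ivan Petrova", "dob": "1960-11-30", "nationality": "BY"},  # near name, wrong DOB
        {"id": "R3", "name": "Ivan Petrov", "dob": "", "nationality": "RU"},             # list entry lacks DOB
    ]
    return screen(applicant, records, threshold=0.8)
```

With these weights, R2 scores about 0.57 (a near-identical name alone cannot clear a 0.8 threshold), while R3 scores 1.0 despite having no date of birth, because missing fields are dropped from the denominator. Whether an incomplete list entry should be able to reach full confidence is exactly the kind of decision the weighting configuration has to make explicit.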
Ongoing monitoring runs batch re-screening of approved applicants on a scheduled basis. The system compares current results against previous screenings and generates alerts only for new hits, reducing analyst fatigue from duplicate findings. Alerts can automatically escalate to cases for investigation.
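The delta logic described above, as an added example rather than TrustGate's own monitoring worker: hits are keyed on dataset plus the provider's entity identifier (assumed to exist and be stable), so score drift on a known hit does not re-alert, while a hit that newly crosses the threshold or a newly listed entity does. The severity mapping, alert shape and screening results are constructed for the example.

```python
"""Delta detection for scheduled re-screening (added example): raise an alert only for hits that
were not present, above threshold, in the previous run."""
from dataclasses import dataclass

# Assumed dataset names; the page lists us_ofac_sdn, eu_fsf, un_sc_sanctions and pep.
SANCTIONS_DATASETS = {"us_ofac_sdn", "eu_fsf", "un_sc_sanctions"}


@dataclass(frozen=True)
class Hit:
    dataset: str     # screening dataset the match came from
    entity_id: str   # provider's stable identifier for the listed entity (assumed to exist)
    score: float     # match confidence, 0..1


def hit_key(hit: Hit) -> tuple:
    # Key on (dataset, entity) rather than on score: a score drifting from 0.83 to 0.85 between
    # runs is the same finding, not a new one.
    return (hit.dataset, hit.entity_id)


def diff_screening(previous: list, current: list, threshold: float) -> tuple:
    """Return (new_hits, cleared_keys) relative to the prior run, using the same threshold for both."""
    prev_keys = {hit_key(h) for h in previous if h.score >= threshold}
    cur_above = {hit_key(h): h for h in current if h.score >= threshold}
    new_hits = [h for k, h in cur_above.items() if k not in prev_keys]
    cleared = sorted(prev_keys - cur_above.keys())
    return new_hits, cleared


def build_alerts(applicant_id: str, new_hits: list) -> list:
    """One alert per new hit; sanctions hits are critical and flagged for automatic case creation."""
    alerts = []
    for h in new_hits:
        if h.dataset in SANCTIONS_DATASETS:
            severity = "critical"
        elif h.dataset == "pep":
            severity = "high"
        else:
            severity = "medium"
        alerts.append({"applicant_id": applicant_id, "dataset": h.dataset, "entity_id": h.entity_id,
                       "score": h.score, "severity": severity,
                       "escalate_to_case": severity == "critical"})
    return alerts


def run_sample() -> tuple:
    # Constructed screening results for one approved applicant across two scheduled runs.
    previous = [Hit("us_ofac_sdn", "ofac-12345", 0.83),   # already alerted last run
                Hit("pep", "pep-777", 0.70),               # below threshold last run
                Hit("eu_fsf", "eu-555", 0.91)]             # delisted since
    current = [Hit("us_ofac_sdn", "ofac-12345", 0.85),    # score drift only
               Hit("pep", "pep-777", 0.90),                # now crosses threshold -> new
               Hit("un_sc_sanctions", "un-42", 0.88)]      # newly listed -> new
    new_hits, cleared = diff_screening(previous, current, threshold=0.8)
    return new_hits, cleared, build_alerts("applicant-1001", new_hits)
```

Two operational points follow from this structure: lowering the threshold between runs will surface every previously sub-threshold match as "new" in the next batch, so threshold changes should be planned for; and the cleared set (here the delisted eu_fsf entity) is worth reviewing even though it generates no alert, because a delisting can change an applicant's risk score.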
FATF Recommendations
The platform addresses FATF Recommendation 10 (CDD) through its identity verification pipeline: document upload, OCR extraction, biometric face comparison, and liveness detection. Recommendation 12 (PEP screening) is handled through dedicated PEP list screening with automatic tier classification -- Tier 1 for national/head-of-state level, Tier 2 for regional/ministry level, and Tier 3 for local-level officials.
For Recommendation 15 on virtual assets, the Wallet Screening API provides crypto wallet address screening and transaction monitoring. Recommendations 24 and 25 on beneficial ownership are addressed through the KYB (Know Your Business) module, which tracks company beneficial owners with ownership percentages, directorship roles, signatory status, and compliance flags.
EU AML Directives (4AMLD / 5AMLD / 6AMLD)
TrustGate screens against the EU Consolidated List (eu_fsf) and UN Security Council sanctions list in addition to OFAC and other regional lists. Adverse media screening uses the Brave News Search API with AI-powered analysis to detect negative news coverage, categorizing findings by type (financial crime, fraud, terrorism, trafficking, war crimes, cybercrime).
The Risk Engine implements the risk-based approach required under EU AML Directives by combining signals from AML screening, document verification, jurisdiction risk (with FATF grey/black list integration, Transparency International CPI scores), and device intelligence. Jurisdiction risk data is ingested from FATF, OFAC, EU, UN, and US state regulatory sources.
5AMLD beneficial ownership requirements are supported through the Company model with full UBO (Ultimate Beneficial Owner) tracking, including ownership percentages, multiple role types, and compliance flags.
GDPR
The platform provides four specific GDPR compliance mechanisms:
Consent management (Articles 6/7): The consent endpoint records when consent is given or withdrawn, capturing timestamp and IP address for audit purposes.
Right of access and portability (Articles 15 and 20): The GDPR data export endpoint compiles all personal data held about an applicant into a portable format.
Right to erasure (Article 17): The GDPR delete endpoint removes applicant data while respecting AML obligations. It checks for legal holds, SAR linkage, and flagged status before allowing deletion. Applicants under legal hold cannot be deleted until the hold is removed by an authorized user.
Storage limitation (Article 5(1)(e)): The Data Retention Service defines retention periods by applicant status -- 5 years for approved and rejected applicants, 7 years for flagged applicants, 90 days for pending and in-progress applications, and 30 days for withdrawn applications.
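Putting the retention periods and the erasure override checks together, as an added example (not the Data Retention Service or the GDPR delete endpoint): the precedence of the checks, the use of the last status change as the start of the retention clock, and the 365-day year are assumptions made for the illustration.

```python
"""Retention and erasure decision logic (added example) combining the status-based retention
periods on this page with the AML override checks, in the precedence order assumed here."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention periods from this page, in days (calendar-year arithmetic simplified to 365-day years).
RETENTION_DAYS = {
    "approved": 5 * 365, "rejected": 5 * 365, "flagged": 7 * 365,
    "pending": 90, "in_progress": 90, "withdrawn": 30,
}
# Statuses whose records are kept for an AML obligation, not merely for convenience.
AML_RETENTION_STATUSES = {"approved", "rejected", "flagged"}


@dataclass
class Applicant:
    id: str
    status: str
    status_changed_at: date       # retention clock starts at the last status change (assumption)
    legal_hold: bool = False
    sar_ids: list = field(default_factory=list)


def retention_expiry(a: Applicant) -> date:
    return a.status_changed_at + timedelta(days=RETENTION_DAYS[a.status])


def expiry_iso(status: str, changed_iso: str) -> str:
    """Convenience wrapper: expiry date as an ISO string for a status and its change date."""
    return retention_expiry(Applicant("tmp", status, date.fromisoformat(changed_iso))).isoformat()


def erasure_decision(a: Applicant, today: date, subject_request: bool) -> tuple:
    """Return (may_delete, reason). Overrides that stop deletion are checked before anything that
    permits it, so a GDPR request can never bypass a legal hold or a SAR-linked record."""
    if a.legal_hold:
        return False, "legal_hold"
    if a.sar_ids:
        return False, "sar_linkage"
    within_retention = today < retention_expiry(a)
    if a.status in AML_RETENTION_STATUSES and within_retention:
        # GDPR Art. 17(3)(b): erasure does not apply while a legal obligation requires the data.
        return False, "aml_retention"
    if subject_request:
        return True, "subject_request"
    if not within_retention:
        return True, "retention_expired"
    return False, "within_retention"


def sample_decisions() -> dict:
    """Constructed applicants evaluated against a fixed date so the outcomes are reproducible."""
    today = date(2025, 6, 1)
    cases = {
        "approved_request_within_5y": (Applicant("a1", "approved", date(2021, 1, 15)), True),
        "withdrawn_expired": (Applicant("a2", "withdrawn", date(2025, 4, 1)), False),
        "pending_request": (Applicant("a3", "pending", date(2025, 5, 15)), True),
        "flagged_with_sar": (Applicant("a4", "flagged", date(2020, 1, 1), sar_ids=["SAR-2020-001"]), True),
        "legal_hold": (Applicant("a5", "approved", date(2019, 1, 1), legal_hold=True), True),
        "rejected_expired": (Applicant("a6", "rejected", date(2019, 3, 1)), False),
    }
    return {name: erasure_decision(a, today, req) for name, (a, req) in cases.items()}
```

The ordering matters: legal hold and SAR linkage are checked first because they are not time-bound, while the AML retention period is checked before the subject's request is considered. A pending application that the subject asks to erase has no AML ground for retention and is deleted; an approved one inside its five-year window is refused with a reason the compliance team can cite.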
PII fields (first name, last name, date of birth, email, phone, nationality) are encrypted at the application layer using Fernet (AES-128-CBC with an HMAC-SHA256 tag, so a modified ciphertext fails to decrypt rather than yielding garbage) before storage in the database. Because Fernet is symmetric, this protection depends on the key being held outside the database, for example in a secrets manager, rather than alongside the data it protects.
eIDAS
Electronic identity verification is supported through OCR-based data extraction from identity documents (via the document extraction engine), biometric face comparison via the face comparison service to match selfies against the ID photo, and liveness detection (both passive and interactive, via the face liveness service) to prevent presentation attacks.
FinCEN (SAR Filing)
The SAR Service generates reports pre-filled from investigation case data. It uses Claude AI to draft 5-paragraph narratives following FinCEN's standard format, covering subject identification, activity description, timeline, geographic details, and suspicious indicators. The service supports both individual and business entity subjects, automatically adapting narrative language and data fields.
Generated PDFs include cover page metadata, subject information tables, filing institution details, suspicious activity summaries, the AI-drafted narrative with labeled paragraphs, supporting evidence from screening hits, and filing information with generated reference numbers.
Audit Trail
All compliance-relevant actions are recorded in a tamper-evident audit log. Each entry carries a chain hash computed over its own contents and the hash of the previous entry, so modifying, reordering, inserting, or deleting an earlier entry breaks verification of every entry after it. Removal of the most recent entries is only detectable when the current head hash is also recorded outside the log, so the head hash should be anchored periodically in a separate write-once store. The audit log supports filtering by resource type, action, actor, and date range, and can be exported as CSV.
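The hash-chain mechanism and its limits, as an added example (not the Audit Log Service's code): SHA-256 over a canonical JSON serialization of the entry plus the previous hash, a verifier that walks the chain, and an optional externally anchored head hash. The entry fields, the all-zero genesis hash and the sample entries are assumptions made for the illustration.

```python
"""Hash-chained audit log (added example): every entry's hash covers the previous entry's hash, so
editing or deleting an earlier entry breaks verification; an external anchor catches tail truncation."""
import hashlib
import json

GENESIS_HASH = "0" * 64  # assumed chain start: an all-zero SHA-256 digest


def _canonical(payload: dict) -> bytes:
    """Deterministic serialization so every verifier hashes exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, seq: int, actor: str, action: str, resource: str, ts: str) -> str:
    payload = {"prev_hash": prev_hash, "seq": seq, "actor": actor,
               "action": action, "resource": resource, "ts": ts}
    return hashlib.sha256(_canonical(payload)).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []

    def append(self, actor: str, action: str, resource: str, ts: str) -> str:
        prev = self.head()
        seq = len(self.entries) + 1
        h = entry_hash(prev, seq, actor, action, resource, ts)
        self.entries.append({"seq": seq, "actor": actor, "action": action, "resource": resource,
                             "ts": ts, "prev_hash": prev, "hash": h})
        return h

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH


def verify_chain(entries: list, expected_head: str = None) -> tuple:
    """Return (ok, first_bad_seq). Edits, reordering, insertion and deletion inside the chain are
    caught unconditionally; deletion of the newest entries only when expected_head (a copy of the
    head hash kept outside the log) is supplied."""
    prev = GENESIS_HASH
    for i, e in enumerate(entries, start=1):
        if e["seq"] != i or e["prev_hash"] != prev:
            return False, e["seq"]
        recomputed = entry_hash(prev, e["seq"], e["actor"], e["action"], e["resource"], e["ts"])
        if recomputed != e["hash"]:
            return False, e["seq"]
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries) + 1
    return True, None


def with_modified(entries: list, seq: int, **changes) -> list:
    """Copy of the log with one entry's fields rewritten in place (simulated tampering)."""
    return [dict(e, **changes) if e["seq"] == seq else dict(e) for e in entries]


def without(entries: list, seq: int) -> list:
    """Copy of the log with one entry removed (simulated deletion)."""
    return [dict(e) for e in entries if e["seq"] != seq]


def build_sample_log() -> AuditLog:
    # Constructed entries, not real audit data.
    log = AuditLog()
    log.append("analyst@example.com", "applicant.approve", "applicant:1001", "2024-05-01T10:00:00Z")
    log.append("system", "screening.rescreen", "applicant:1001", "2024-05-02T03:00:00Z")
    log.append("admin@example.com", "legal_hold.set", "applicant:1001", "2024-05-03T09:15:00Z")
    return log


def scenario_results() -> dict:
    """verify_chain() outcome for a clean log and three tampering scenarios."""
    log = build_sample_log()
    anchor = log.head()   # in practice stored in a separate write-once system
    clean = log.entries
    return {
        "clean": verify_chain(clean, anchor),
        "edited": verify_chain(with_modified(clean, seq=2, action="screening.skip")),
        "middle_deleted": verify_chain(without(clean, seq=2)),
        "tail_truncated_no_anchor": verify_chain(clean[:2]),
        "tail_truncated_with_anchor": verify_chain(clean[:2], anchor),
    }
```

The last two scenarios are the point: dropping the newest entry leaves a perfectly valid shorter chain, and only the externally stored head hash exposes it. Anyone with write access to the log's own table could also recompute the whole chain, which is why the anchor has to live somewhere that account cannot write.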
What Is Not Covered
TrustGate is operational compliance tooling. It provides the technical infrastructure for identity verification, screening, monitoring, and reporting. The following are explicitly outside the platform's scope:
- SOC 2 certification -- TrustGate does not hold SOC 2 Type I or Type II certification at this time.
- ISO 27001 certification -- The platform is not ISO 27001 certified.
- PCI DSS compliance -- TrustGate does not process or store payment card data. Payment processing is handled by Stripe.
- Direct regulatory filing -- SAR reports are generated in a ready-to-file format but are not submitted electronically to FinCEN on your behalf. Your compliance team must review and submit SARs through the BSA E-Filing System.
- Legal opinions -- The platform does not provide legal advice or regulatory interpretation. Consult qualified legal counsel for compliance program design.
- Transaction monitoring -- TrustGate monitors identity and screening data, not financial transaction flows. It does not replace a transaction monitoring system (TMS).
The platform is designed to integrate into your existing compliance program, not to replace it. Risk scoring, workflow rules, and screening thresholds should be configured by your compliance team to match your organization's risk appetite and regulatory obligations.