This is Gratipay's Risk Management Program.
Gratipay is an online payment processor for companies and organizations offering open work. We define "open work" as work that individuals can begin to perform without requiring explicit permission from the company offering it, with a clear path to further engagement and eventual compensation.
As a responsible participant in the global financial system, Gratipay manages the risk of enabling crime and consumer harm. To serve our customers without disruption, we manage business continuity risk. Serving customers as a participant in the financial system involves collecting and storing sensitive information, and so we also manage information security risk. Therefore, we organize our risk management program under these four headings:
- Anti-Money Laundering
- Consumer Protection
- Business Continuity
- Information Security
We regularly review this document as our business evolves; here is a history of changes. If you have suggestions for improving this document, you may communicate them to us privately via email, or publicly via GitHub.
Anti-money laundering (AML) is a catch-all term for policing of the global financial system against the funding of crime, particularly terrorism. As a third-party payment processor, Gratipay provides its customers with limited, indirect access to the financial system, and therefore we are at some risk of enabling the funding of crime. Since the access we provide is limited, we're not a big enough risk for FinCEN to regulate: "[payment processing] is a relatively controlled flow of money that poses little money laundering risk" (p. 43593). However, we are a bigger risk to our banking partners than most of their clients. As FFIEC's Examination Manual states:
Processors generally are not subject to BSA/AML regulatory requirements. As a result, some processors may be vulnerable to money laundering[.]
(Here is a full discussion of the AML regulatory environment within which Gratipay operates.)
To mitigate the risk of money laundering on Gratipay, we implement know-your-customer (KYC) controls, including a customer identification program (CIP) and customer due diligence (CDD), appropriate to the size and type of our business and the make-up of our customer base.
Our target clientele are low-risk businesses and organizations generally involved in open-source software and related fields. We require every company that receives payments on Gratipay to go through an underwriting process, which includes an assessment not only of their legitimacy as a business or organization offering open work, but also of their alignment with our mission and brand values. The underwriting process includes a public review period, and we provide a public listing of our current, prospective, and rejected customers. Approximately half of Gratipay's customers are outside of the United States, which, all things being equal, does heighten our AML risk. However, our target clientele and our underwriting process put us at low risk of money laundering.
We identify customers in the United States by collecting their name, address, and date of birth, which we programmatically verify. For customers outside of the United States, we require a PayPal account, and are dependent on PayPal's AML program. We perform CDD by reviewing the websites and social media accounts linked to customer profiles (all customers are required to link at least one social media account).
As we migrate to new processing infrastructure, our AML risk profile is actively changing. We are currently assessing our risk, and developing AML, CIP, and CDD capabilities sufficient to mitigate our risk, while at the same time assessing and responding to the implications for our information security risk.
As a third-party payment processor, Gratipay presents two primary risks to consumers.
The first risk Gratipay presents to consumers is the risk of confusion.
Gratipay charges generally appear on bank and credit card statements as GRATIPAY 4129254220 PA. However, if a consumer is not aware enough of the Gratipay brand when configuring a payment to a Gratipay user, then they may not remember the purpose of the transaction when reviewing their statement, especially since we charge on a recurring basis and the charge may occur significantly later than the payment was configured. We mitigate this risk by sending an email notification whenever we charge a user, informing them of the charge from Gratipay and reminding them of the purpose of their payment. When confused consumers contact us, we respond promptly according to our support procedures. We might further mitigate this risk by:
The second risk Gratipay presents to consumers is the risk of fraud: a thief might use a stolen credit card on Gratipay. We mitigate this risk chiefly by implementing a business model that is unattractive to thieves. First, because all receivers on Gratipay must pass an underwriting process, it is highly difficult for a thief to recover stolen funds. Second, because Gratipay is recurring weekly and not instant, it is not as useful for the time-sensitive process of determining whether stolen cards still have value. We further mitigate this risk by reviewing accounts of Gratipay users that attach a credit card.
The regulatory environment for consumer protection in which Gratipay operates is determined largely by the Consumer Financial Protection Bureau.
Gratipay, LLC is a sole-member LLC. We are looking at bringing on a second owner as a next step toward reducing the risks associated with a single owner. We are also considering reorganizing as a cooperative.
Gratipay operates primarily as a web application at https://gratipay.com/.
We follow industry-standard procedures for encrypting all traffic to/from our application (via SSL/TLS), and we have policies in place for accepting responsible disclosure of and handling security issues with our systems.
We provide our contractors with access to our sensitive information systems on an as-needed basis, and we regularly review permissions across our systems.
We classify our vendors into two tiers:
- Low-risk vendors providing secondary services. We manage access via 1Password.
- High-risk vendors, including production hosting systems and financial partners. We manage access manually.
We use private GitHub repositories for most private internal communications. These are encrypted when using their web interface, though not through their email interface. Email is inherently insecure.
Our policy on user support includes a section on protecting user privacy.
As we migrate to new processing infrastructure, our information security risk profile is actively changing. We are currently assessing our risk, and developing a PCI DSS-based security risk management program.