Compliance Framework

Cannabis is one of the most regulated industries in America. OmniPay is built from the ground up to exceed compliance requirements across financial, regulatory, data protection, and security domains.

SOC 2 Type II: In Progress · Q3 2026
NACHA Compliant: Active
PCI DSS SAQ-D: Self-Assessed
METRC Integrated: Active
BSA/AML: Compliant
GDPR Ready: Active
CCPA/CPRA: Compliant
HIPAA: Business Associate
BIPA Compliant: Biometric Privacy

Our Commitment: OmniPay maintains an internal Compliance Committee with quarterly reviews, annual third-party audits, and real-time monitoring of regulatory changes across all jurisdictions we operate in. Compliance is not a checkbox — it's the foundation of our platform.

Cannabis Regulatory Compliance

State Licensing

OmniPay requires all Customer dispensaries to maintain valid state cannabis licenses. We verify license status during onboarding and monitor for revocations, suspensions, or expirations. Currently operating or preparing to operate in:

New Jersey ✓
New York
Pennsylvania
Connecticut
Massachusetts
Maryland
Virginia
Illinois
Michigan
Ohio
Colorado
California

Seed-to-Sale Integration (METRC)

OmniPay's patent-pending METRC Bridge provides real-time seed-to-sale reporting integration:

  • Fire-and-forget transaction sync with automatic retry queues;
  • Circuit breakers to prevent METRC outages from blocking sales;
  • Inventory reconciliation and audit trails;
  • COA (Certificate of Analysis) hash verification from 50+ labs;
  • State-specific tax calculation and reporting.

Federal Schedule I Acknowledgment

Cannabis remains a Schedule I controlled substance under federal law. OmniPay:

  • Operates strictly within state-legal frameworks;
  • Does not process federal interstate commerce;
  • Does not offer credit card processing for cannabis;
  • Partners with cannabis-friendly financial institutions operating under FinCEN Cannabis Banking Guidance;
  • Prepared to adapt operations upon federal rescheduling (anticipated Schedule III).

Financial Services Compliance

NACHA Operating Rules

All ACH transactions comply with NACHA Operating Rules:

  • Web Debit Rule (effective March 19, 2021) — fraud detection and account validation;
  • Account Validation — bank account verification before first transaction;
  • Unauthorized Return Rate — monitored and maintained below 0.5%;
  • Return Rate — monitored and maintained below 3%;
  • Risk Assessment — annual third-party NACHA risk assessment.

BSA / AML / KYC

OmniPay complies with Bank Secrecy Act, Anti-Money Laundering, and Know Your Customer requirements:

  • FinCEN registration as a money services business (where applicable);
  • Customer Identification Program (CIP) with government ID verification;
  • Ongoing transaction monitoring with automated suspicious activity detection;
  • Suspicious Activity Reports (SARs) filed as required;
  • Currency Transaction Reports (CTRs) for transactions over $10,000;
  • OFAC sanctions screening on all customers and counterparties;
  • Annual BSA/AML training for all staff.

Money Transmission Licensing

OmniPay operates under applicable state money transmission frameworks:

  • New Jersey Money Transmitter License (in application);
  • Partnership with NMLS-registered sponsoring financial institutions;
  • State-specific licensing as business expands;
  • Surety bonding and capital reserve requirements maintained.

Regulation E (Electronic Fund Transfer Act)

Consumer protections under Regulation E are fully implemented:

  • Clear disclosure of fees and terms before transactions;
  • Receipt of transaction confirmations;
  • 60-day consumer error resolution procedures;
  • Reversal procedures for unauthorized transactions.

Data Protection & Security

SOC 2 Type II (In Progress)

OmniPay is undergoing a SOC 2 Type II audit covering all five Trust Services Criteria:

  • Security — protection against unauthorized access;
  • Availability — 99.9% uptime SLA with disaster recovery;
  • Processing Integrity — accurate and authorized processing;
  • Confidentiality — protection of confidential information;
  • Privacy — handling of personal information per commitments.

Expected Report Issuance: Q3 2026.

PCI DSS Compliance

While OmniPay does not process credit cards directly, our infrastructure exceeds PCI DSS Level 1 standards for payment data:

  • Network segmentation and firewalls;
  • Encryption of cardholder data (AES-256 at rest, TLS 1.3 in transit);
  • Access controls with MFA;
  • Quarterly vulnerability scans;
  • Annual penetration testing;
  • Incident response procedures;
  • Self-Assessment Questionnaire D completed.

Biometric Privacy Acts

Our patent-pending biometric authentication complies with the strictest biometric privacy laws:

  • Illinois BIPA — written consent, public retention schedule, no sale of biometric data;
  • Texas CUBI — reasonable security measures, consent requirements;
  • Washington Biometric Privacy Act — notice and consent for commercial use;
  • California CCPA/CPRA — sensitive personal information protections;
  • New York SHIELD Act — reasonable safeguards for biometric data.

See Privacy Policy Section 4 for detailed biometric handling.

HIPAA (Medical Cannabis)

Where medical cannabis operations trigger HIPAA requirements, OmniPay operates as a Business Associate with:

  • Signed Business Associate Agreements (BAAs);
  • HIPAA Privacy Rule safeguards;
  • HIPAA Security Rule technical safeguards;
  • Breach notification procedures (72-hour requirement);
  • Minimum necessary standard for PHI access.

Audit & Monitoring

Continuous Compliance Monitoring

  • Daily — 50,000-transaction automated stress tests at 6 AM ET;
  • Every 5 Minutes — disk, memory, and database connection monitoring;
  • Every 6 Hours — verified database backups with restoration testing;
  • Monthly — security patch reviews and vulnerability scans;
  • Quarterly — internal compliance audits and policy reviews;
  • Annually — third-party SOC 2, NACHA, and security audits.

Incident Response

OmniPay maintains documented incident response procedures:

  • 24/7 monitoring with automated alerts;
  • SMS/email escalation with SOS alerts for critical issues;
  • Documented playbooks for common incident types;
  • Breach notification within 72 hours where legally required;
  • Post-incident review and remediation.

Report a Compliance Concern

Reporting: If you believe OmniPay has violated compliance requirements or if you've identified a security concern, please contact our Chief Compliance Officer immediately.

Email: support@omnipay-solution.com
Phone: +1 (732) 558-7464
Anonymous Tip Line: Available upon request

Whistleblower protections apply. We do not retaliate against good-faith reports.

Regulatory Contacts

For regulatory inquiries, subpoenas, and law enforcement requests:

This Compliance page is updated quarterly. Last updated: April 16, 2026. Compliance programs subject to ongoing review and enhancement.