Compliance & Eligibility.
Noviuz Compliance and Eligibility Framework — Version 2.0
Clear Language Summary
The Noviuz Platform was conceived to allow structures, relations, authorities, documents, decisions, and processes to be organized with greater clarity, traceability, and accountability.
These principles also guide the approach to compliance in the Noviuz Ecosystem.
The Platform can be used in relationships involving different:
- Users;
- Organizations;
- Operators;
- Relevant Providers;
- Partners;
- Service Providers.
Each participant is responsible for the obligations related to the activities they actually control, decide, or execute.
Therefore, there is not necessarily a single, universal compliance process applicable to every relationship or to every participant in the Noviuz Ecosystem.
Depending on the service, relationship, risk, jurisdiction, and applicable obligations, the responsible participant may perform verifications, request information, establish eligibility criteria, apply additional controls, or restrict activities within the scope under their control.
This Framework describes the public principles that guide this architecture.
1. OBJECT AND SCOPE
1.1. Purpose
This Compliance and Eligibility Framework, referred to as “Framework”, describes the general principles related to:
- lawful use of the Platform;
- eligibility;
- integrity of relationships;
- risk-based approach;
- identification and representation;
- understanding of structures and relevant participants;
- prevention of fraud and abuse;
- applicable sanctions and restrictions;
- cooperation between participants;
- review of relationships when necessary.
1.2. Contextual application
The applicable compliance measures depend on the concrete activity.
Different participants may have different:
- responsibilities;
- legal obligations;
- risk policies;
- eligibility criteria;
- procedures;
- monitoring duties;
- documentary requirements.
Responsibility for a specific control must be assigned to the participant who actually:
- controls the relationship;
- provides the service;
- makes the relevant decision;
- executes the activity;
- holds the corresponding legal obligation.
1.3. Relevant Provider
When a specific Interface, feature, or service is under the responsibility of a Relevant Provider, they may apply controls and criteria within the scope they actually control.
The use of the Platform or participation in the Noviuz Ecosystem does not automatically transfer regulatory obligations from one participant to another.
1.4. Public nature
This Framework presents general principles.
It does not disclose confidential internal controls, including:
- detection rules;
- risk parameters;
- thresholds;
- scoring models;
- monitoring scenarios;
- internal lists;
- investigation procedures;
- security controls.
Preserving the confidentiality of these elements helps protect the effectiveness of the applicable controls.
2. RESPONSIBILITY MODEL
2.1. Responsibility by function
Each participant is responsible for the activities they actually control, decide, or execute, considering:
- the nature of the relationship;
- the service provided;
- the applicable contracts;
- the incident legislation;
- their own obligations.
2.2. Absence of universal compliance
Approval, verification, or acceptance carried out by one participant does not mean automatic approval by another.
Each Relevant Provider, Operator, Partner, or Service Provider may apply:
- their own legal obligations;
- their own risk criteria;
- their own eligibility requirements;
- their own documentary requirements;
- their own service limitations.
2.3. Infrastructure and regulated activity
The existence of technical integration, registration, authentication, data organization, or operational support through the Platform does not mean, by itself, that the participant responsible for the technology is also responsible for the underlying regulated activity.
Responsibility must reflect the actual activity.
2.4. Cooperation
Participants involved in the same relationship may cooperate, when necessary and legally permitted, to:
- verify information;
- investigate inconsistencies;
- respond to incidents;
- prevent fraud;
- comply with applicable obligations;
- protect the integrity of the relationship.
3. FUNDAMENTAL PRINCIPLES
3.1. Legality
The Platform and related services must not be used for illegal activity or to facilitate the deliberate violation of mandatorily applicable obligations.
3.2. Proportionality
Controls must be proportional:
- to the activity;
- to the service;
- to the relationship profile;
- to the identified risks;
- to the applicable obligations.
Not every relationship requires the same level of diligence.
3.3. Functional transparency
When necessary for the relationship or service, it must be possible to adequately understand:
- who participates;
- who represents whom;
- who controls;
- who decides;
- who can instruct;
- who can execute;
- who possesses a relevant economic benefit.
Legitimate complexity should not be automatically confused with opacity or irregularity.
3.4. Legitimate origin
The Platform and related services must not be knowingly used to organize, facilitate, or support assets, resources, or activities of illegal origin.
When necessary for the service, risk, or applicable obligations, the responsible participant may request additional information or evidence.
3.5. Understandable purpose
When relevant to the context, the purpose of a Structure, relationship, or operation must be sufficiently understandable to the participant responsible for the respective analysis.
3.6. Distributed responsibility
Compliance is a functionally distributed responsibility.
Users, Organizations, Operators, Relevant Providers, Partners, and Service Providers must comply with the obligations corresponding to the activities they actually perform.
3.7. Responsible privacy
Diligence does not mean indiscriminate exposure of information.
Data must be processed and shared:
- for a legitimate purpose;
- to the extent necessary;
- with appropriate participants;
- under appropriate controls;
- in accordance with the Privacy Policy and applicable obligations.
4. RISK-BASED APPROACH
4.1. General principle
When applicable, eligibility and risk assessments may consider the concrete characteristics of the relationship.
The objective is to allow the intensity of controls to be proportional to the risks and obligations of the responsible participant.
4.2. Relevant factors
Depending on the context, factors related to the following may be considered:
People
- activity;
- occupation;
- role;
- representation;
- relevant history;
- political exposure;
- materially relevant public information.
Organizations and Structures
- activity;
- ownership;
- control;
- relevant beneficiaries;
- jurisdictions involved;
- complexity;
- purpose;
- economic and operational coherence.
Service or relationship
- nature;
- volume;
- assets involved;
- complexity;
- speed;
- possibility of movement or transfer;
- dependence on third parties.
Geography
- residence;
- incorporation;
- operation;
- source or destination of funds;
- existence of relevant restrictions;
- availability and reliability of information.
Channel
- direct relationship;
- intermediated relationship;
- remote onboarding;
- partner involved;
- documentary availability.
4.3. Proportional measures
The analysis may result, within the scope of responsibility of the relevant participant, in:
- simplified process, when permitted;
- ordinary diligence;
- additional diligence;
- enhanced review;
- request for complementary information;
- limitation of features;
- additional monitoring;
- refusal;
- suspension;
- termination of the relationship.
5. IDENTIFICATION, AUTHORITY, AND TRANSPARENCY
5.1. Identity
When necessary, sufficient information may be requested to identify a person or organization and understand their relationship with the relevant activity.
5.2. Organizations
Depending on the context, information related to the following may be requested:
- incorporation;
- registration;
- activity;
- administrators;
- representatives;
- signatories;
- ownership;
- control;
- relevant beneficiaries.
5.3. Representation
Proof may be requested that a specific person is authorized to:
- represent;
- instruct;
- access;
- approve;
- sign;
- execute;
- act on behalf of another person or Organization.
The existence of a technical permission on the Platform does not replace the legal authority required for the underlying act.
5.4. Ownership, control, and benefit
When relevant to the relationship or required by the responsible participant, information necessary to understand the following may be requested:
- ownership;
- control;
- authority;
- economic benefit;
- relationship between participants.
The criteria and extent of the analysis depend on:
- the Structure;
- the service;
- the jurisdiction;
- the risk;
- the applicable obligations.
5.5. Complexity
Complex structures are not automatically inappropriate.
When necessary, clarification may be requested on elements such as:
- multiple layers;
- different jurisdictions;
- intermediation;
- specific powers;
- separation between formal ownership, control, and economic benefit.
6. ADDITIONAL DILIGENCE
6.1. Complementary information
Depending on the relationship, service, risk, and applicable obligations, the responsible participant may request additional information related to:
- economic activity;
- purpose of the relationship;
- wealth context;
- source of funds;
- source of wealth;
- nature of the operation;
- coherence between declared activity and observed activity;
- other materially relevant elements.
6.2. Proportionality
The nature and extent of the documentation requested must consider:
- materiality;
- risk;
- reasonable availability;
- nature of the information;
- jurisdiction;
- elapsed time;
- purpose of the verification.
It is not assumed that all participants or relationships must present identical documentation.
6.3. Update
Information may be requested again when there is, for example:
- expiration of documents;
- material change;
- change of control;
- change of activity;
- relevant inconsistency;
- change of risk;
- requirement of the service;
- applicable legal obligation.
7. SANCTIONS, RESTRICTIONS, AND RISK FACTORS
7.1. Sanctions and restrictions
When relevant to the context, people, organizations, beneficiaries, or other related parties may be checked against sanctions lists, restrictions, or other sources applicable to the relationship.
The criteria depend on:
- the jurisdiction;
- the legal obligation;
- the service;
- the Service Provider;
- the risk policy of the responsible participant.
7.2. Potential matches
The initial identification of a possible match does not mean, by itself, that the person or organization is actually subject to the identified restriction.
The following may be necessary:
- review;
- validation;
- additional information;
- investigation.
7.3. Politically exposed persons
The identification of a politically exposed person or a relevant relationship with a PEP does not automatically imply refusal.
When applicable, it may result in:
- additional diligence;
- additional approval;
- additional understanding of the source of funds or wealth;
- proportional monitoring.
7.4. Relevant public information
Legitimate and materially relevant public information may be considered in assessments related to:
- fraud;
- corruption;
- sanctions;
- financial crimes;
- other relevant illicit risks.
Isolated, unverified, or irrelevant mentions should not, by themselves, automatically determine a conclusion.
8. REVIEW, ELIGIBILITY, AND MEASURES
8.1. Dynamic nature
Eligibility and risk may be reviewed when there is a material change in circumstances.
8.2. Relevant events
A review may occur due to:
- change of ownership or control;
- new relevant beneficiary;
- material change of activity;
- change of jurisdiction;
- new material risk information;
- significant inconsistency;
- legal requirement;
- requirement of the service or the Service Provider.
8.3. Decisions within scope of control
The participant responsible for a specific relationship, Interface, feature, or service may, within the scope they control:
- request information;
- condition access;
- limit features;
- temporarily suspend;
- refuse;
- terminate the relationship.
These measures may be adopted when there is, for example:
- insufficient information;
- unresolved inconsistencies;
- unmitigatable risk;
- reasonable suspicion of fraud;
- applicable sanction or restriction;
- legal obligation;
- contractual requirement;
- inability to adequately understand the relationship.
When permitted and appropriate, clarifications may be requested before a final decision.
9. PROHIBITED ACTIVITIES, COOPERATION, AND AUTHORITIES
9.1. Illicit use
The Platform must not be used for illicit activity, including fraud, money laundering, terrorist financing, corruption, illegal evasion of sanctions, or other serious forms of illicit conduct.
The Acceptable Use rules of the Terms of Use also apply.
9.2. Necessary sharing
Information may be shared, when necessary and legally permitted, with participants legitimately involved in:
- verification;
- service provision;
- investigation;
- fraud prevention;
- security;
- risk management;
- obligation compliance.
Sharing must observe the Privacy Policy and applicable instruments.
9.3. Independence of decisions
Approval, verification, or determination of eligibility carried out by one participant does not automatically bind another participant.
Each responsible party may apply their own:
- legal obligations;
- risk policies;
- verifications;
- eligibility criteria;
- service requirements.
9.4. Communications and mandatory measures
When a participant is legally obliged or authorized to:
- report;
- communicate;
- preserve information;
- restrict activity;
- block assets;
- provide data to a competent authority;
they must act in accordance with the legislation applicable to their activity and the relevant relationship.
Nothing in this Framework requires communication to a person when such communication is prohibited by applicable law.
10. RESPONSIBILITIES OF USERS AND ORGANIZATIONS
Users and Organizations must:
- provide true and materially complete information;
- not provide false or altered documents;
- not deliberately conceal material information legitimately requested;
- report relevant changes when applicable to the relationship;
- respect legitimately imposed restrictions;
- cooperate with reasonable verifications;
- use the Platform and related services only for lawful purposes;
- respect the limits of their authority.
The obligation to cooperate does not require providing information that cannot be legitimately requested or processed.
11. CHANGES AND CONTACT
11.1. Updates
This Framework may be updated to reflect:
- evolution of the Platform;
- new services;
- operational changes;
- new risks;
- evolution of compliance standards;
- relevant legal changes.
Each version will be identified by a version number or identifier and effective date.
11.3. Legal questions
11.4. Privacy
11.5. Sensitive communications
When there is a specific channel for reports, incidents, or sensitive communications, it will be indicated on the Platform, website, or applicable relationship.
When a specific question is related to a specific Relevant Provider, Operator, or Service Provider, the person may be directed to the responsible participant.
Questions about compliance?
Our compliance team is at your disposal for institutional clarifications.