Risk Monitoring Policy


Document information and change log

Document Information

Header | Information
Next review | August 30, 2025
Status | Initial Release
Regional scope & language | Territory of USA in English
Applies to entities | GiveCorporation Inc
Overall responsibility | Loraine Stewart, CCO
Approved by | Joshua Rowley, CEO; Aaron Miller, CRTO; Michael Brinker, CBFO

Change log

Date | Version | Reason for version
Sep 30, 2023 | 1.0 | Initial Release
August 30, 2024 | 2.0 | Annual Review; separate Policy and Procedure
August 11, 2025 | 3.0 | Annual Review


Gender And Entity Neutrality

The masculine form is used solely for the sake of better readability. It always refers to persons of any gender identity (m/f/diverse). This document uses the abbreviation “Give” for all legal entities and subsidiaries.


Table of Contents

Introduction
Roles and Responsibilities
Chief Risk Officer (CRO)
Chief Compliance Officer (CCO)
Compliance Manager
Risk Manager
Risk Analyst
1. Risk Identification
Risk Categories
Operational Risk
Credit Risk
Fraud Risk
Compliance Risk
Market Risk
Liquidity Risk
Strategic Risk
2. Risk Assessment
2.1 Risk Assessment Procedure
Categorization of Risks
Quantification of Risks
Qualification of Risks
Prioritization of Risks
Documentation of Findings
Resource Allocation
Development of Risk Mitigation Strategies
Monitoring and Review
Compliance with Standards and Regulations
Reporting and Communication
Documentation Maintenance
3. Risk Monitoring
3.1 Risk Monitoring Strategy
Risk Tracking and Reporting
Response Mechanisms
Performance Evaluation
Compliance and Regulatory Alignment
Integration with Risk Assessment
Stakeholder Engagement
Advanced Analytics and Forecasting
Training and Awareness Programs
Documentation and Record Keeping
3.2. Restricted MCC Code Monitoring
3.3. Chargeback Monitoring
3.4 Account Changes
3.5 Red Flags
Potential Red Flags Payment Processors are being Used Illicitly
Mitigating Third-Party Payment Processor Risk
Red Flags Third Party Payment Processors Should Be Aware
Red Flags for Merchants
3.6 Results Indicate the Risk is Increasing
4. Risk Reporting
4.1 Key Components of Risk Reporting
Regular Reporting Schedule
Detailed Risk Information
Assessment Overview
Mitigation Strategies and Progress
Future Risk Outlook
Actionable Insights
Compliance and Regulatory Updates
Clear and Accessible Format
4.2 Targeted Risk Analysis Reports
Trailing Twelve Month (TTM) Credit and Fraud Loss
Suspicious Activity Report (SAR)
Merchant Risk Report
Complaint Handling Reporting
Incident Response Report
Exception Reporting
1. Tagging and Identification of Exceptions
2. Monthly Reporting
3. Data Archiving
4. Oversight and Compliance
5. Mitigation and Response
5.1 Key Components of Mitigation and Response
Strategy Development and Implementation
Training and Culture of Risk Awareness
Ongoing Monitoring and Strategy Adjustment
Incident Response Preparedness
Communication and Stakeholder Engagement
Regulatory Compliance and Alignment
Documentation and Continuous Improvement
Terminating a Merchant Account
6. Review and Revision
6.1 Key Components of Review and Revision
Periodic Evaluation of Risk Management Processes
Incorporation of Feedback and Lessons Learned
Adaptation to Changing Business and Risk Landscape
Alignment with Regulatory Requirements and Industry Standards
Stakeholder Engagement and Communication
Documentation and Record Keeping
7. Custodial Account and Reserves
Appendix A: Merchant Risk Monitoring System
Risk Activity
Risk Indicators
Merchant Risk System Screens
Merchant Risk Profile Screenshot
Merchant Risk Activity Screenshot
Merchant Risk Triggers Screenshot
Merchant Risk Indicators Screenshots
Merchant Risk Point System
Appendix B: Transaction Monitoring System
Transaction Risk Activity
Transaction List
Transaction List Screenshot
Blocked List Screenshot
Quarantine Transaction List Screenshot
Transaction Risk Profile
Geolocation and VPN Detection Screenshot
Transaction Activity Monitor Screenshot
Escalation Monitoring Screenshot
Transaction Risk Profile Analysis and Assessment Screenshots
Appendix C: Risk Alert Notifications System
Notification Mechanisms
Triggers for Alert Notifications
New Chargeback
Chargeback Dispute Case Updated
Chargeback Reversal
Create Merchant
Merchant Underwriting Approved
Merchant Risk Level Escalation
Negative Balance
New Bank Account
New Team Member Invited
OFAC Match
PEP Match
Blocked Transaction
Refund
Activity Exceeded Volume and Swipe Limits
Multiple Authorizations, Exceeded Settlement
No Balance Merchant Batch Total, Activity on Closed Account, No Offset
Exhibit A. MCC Restrict List


Introduction

Within Give's comprehensive risk management policy and procedure, our commitment is to effectively manage potential threats and vulnerabilities across our operations. Our structured approach involves systematically recognizing, cataloging, evaluating, and addressing risks that our organization may encounter.

Our risk management framework encompasses various dimensions, including operational, financial, fraud-related, compliance, and strategic risks. These risks may span a range of factors such as system reliability, evolving regulatory landscapes, data security, fraud prevention, market competition, lending portfolios, interest rate sensitivities, operational integrity, and strategic decisions.

To manage these risks, we utilize a combination of methodologies, including data analytics, collaborative risk workshops, input from team members and stakeholders, and ongoing external monitoring. The objective is to create a comprehensive inventory of risks, allowing us to prioritize, assess, and manage them effectively. This empowers us to develop targeted risk mitigation strategies and establish robust risk management processes, safeguarding our interests and ensuring compliance with industry standards and regulations.

Our overarching Risk Policy and Procedure provide the framework for risk-awareness and resilience, enabling us to make informed decisions, allocate resources effectively, and maintain the integrity of our operations.

Roles and Responsibilities

Identify potential risks that could impact the organization's goals and operations and establish guidelines for recognizing threats and vulnerabilities.

Chief Risk Officer (CRO)

Responsible for the overall risk of the entire company and for communicating, reporting, and strategizing risk and compliance to the CEO, Risk Board, Stakeholders, and the public.

Chief Compliance Officer (CCO)

Responsible for the overall compliance of the entire company and for communicating, reporting, and strategizing to the Chief Risk Officer, CEO, Risk Board, Stakeholders, and the public.

Compliance Manager

Responsible for managing compliance internally and communicating with external teams. This covers schedules, reporting, and communication with internal and external teams.

Risk Manager

Responsible for managing the risk team and for enforcing Merchant and Transaction Risk policy and procedures, monitoring, and reporting. The Risk Manager makes the final determination on suspension and termination of a Merchant, reports TTM Credit and Fraud Loss, and reviews and determines how to handle escalated merchant risk profiles per the Merchant Risk Response Playbook guidelines. The Risk Manager also reviews quarantined and suspicious transaction activity and determines whether to report, manually block, void or refund, or set an automated blocked transaction as a false positive.

Risk Analyst

The Risk Analyst’s role is to review merchant risk alerts and either set them to OK or escalate the merchant’s risk per the Merchant Risk Response Playbook guidelines. In reviewing risk alerts, the Risk Analyst investigates the reasons for the alerts, documents those reasons, and collects evidence for or against reducing or elevating the risk level. The Risk Analyst also reviews quarantined and blocked transactions, makes suggestions, and provides evidence of false positives, refunds, or suspicions of fraud to the Risk Manager.

1. Risk Identification

Our Risk Identification process is a foundational step in managing potential threats across Give's operations. It involves systematically recognizing and categorizing risks, covering operational, financial, compliance, and strategic areas. We use various methods, including data analysis, team input, and external monitoring, to create a comprehensive inventory of risks. This approach empowers us to prioritize and address risks effectively, develop mitigation strategies, and ensure compliance with industry standards and regulations.

Risk Categories

Operational Risk

  • Service Disruptions 

Risk of technical failures or system outages affecting payment processing.

  • Regulatory Compliance 

Risk of non-compliance with payments and applicable industry regulations and standards.

  • Data Security Risk

Risk of data breaches, hacking, or cyberattacks on customer payment data.

  • Internal Fraud Risk 

Risk of fraudulent activities by employees or insiders.

Credit Risk

  • Merchant Default

Risk of merchants failing to meet their financial obligations for processing payments.

  • Chargebacks

Risk of excessive chargebacks due to disputes or fraudulent transactions.

  • Loan Portfolio Risk

Risk of loan defaults or deteriorating credit quality within the loan portfolio.

  • Concentration Risk

Risk of a significant portion of loans being concentrated in a specific industry.

Fraud Risk

  • Payment Fraud

Risk of fraudulent transactions or fraudulent use of customer payment information.

  • Identity Theft

Risk of customer identity theft leading to unauthorized payments.

Compliance Risk

  • Regulatory Changes

Risk of changes in payment industry regulations affecting PSP operations.

  • Anti-Money Laundering (AML) Risk

Risk of facilitating money laundering through payment services.

  • Regulatory Compliance Risk

Risk of non-compliance with federal, state, or local banking regulations.

Market Risk

  • Currency Exchange Rate Risk

Risk of adverse movements in exchange rates impacting cross-border vendor payments.

  • Competitive Risk

Risk of losing market share to competitors offering better payment solutions.

  • Interest Rate Sensitivity

Risk of adverse interest rate movements affecting the bank's net interest income.

  • Reinvestment Risk

Risk of lower yields on reinvested funds from maturing investments.

Liquidity Risk

  • Funding Risk

Risk of insufficient funds to meet daily operational requirements and obligations.

  • Contingency Funding Risk

Risk of disruptions in accessing additional funding sources during stress scenarios.

Strategic Risk

  • Business Model Risk

Risk associated with the organization's strategic decisions, including expansion or diversification.

  • Competitive Risk

Risk of losing market share to competitors or disruptive financial technologies.

2. Risk Assessment

Our Risk Assessment process is a critical step in evaluating and understanding the potential impact and likelihood of identified risks across Give's operations. It enables us to make informed decisions by quantifying and qualifying risks in various areas, including operational, financial, compliance, and strategic dimensions. We employ standardized criteria and metrics, such as risk matrices and heat maps, to visualize and prioritize risks based on assessment results. All findings are thoroughly documented, facilitating the development of targeted risk mitigation strategies and resource allocation to effectively manage critical risks while ensuring compliance with industry standards and regulations.

2.1 Risk Assessment Procedure

Categorization of Risks

  • Categorize the identified risks into specific areas, including operational, financial, compliance, and strategic dimensions.

Quantification of Risks

  • Utilize standardized criteria and metrics to quantify the potential impact of each identified risk. Consider factors such as financial consequences, operational disruptions, and regulatory implications.

Qualification of Risks

  • Assess the likelihood of each identified risk materializing and its potential consequences. Use risk matrices and heat maps to visualize and qualify risks.

Prioritization of Risks

  • Prioritize identified risks based on their assessment results. Focus on risks with the highest potential impact and likelihood.

Documentation of Findings

  • Thoroughly document all risk assessment findings, including the rationale for risk levels, quantification, qualification, and prioritization. Ensure that documentation is clear, organized, and easily accessible.

Resource Allocation

  • Allocate resources effectively to address and mitigate high-priority risks. Ensure that resources are aligned with the organization's risk management strategy and objectives.

Development of Risk Mitigation Strategies

  • Based on the assessment results, develop targeted risk mitigation strategies for high-priority risks. These strategies should include specific actions, responsibilities, timelines, and performance metrics.

Monitoring and Review

  • Continuously monitor and review the effectiveness of risk mitigation strategies. Adjust strategies as needed to address changing risk landscapes.

Compliance with Standards and Regulations

  • Ensure that the risk assessment process complies with industry standards and regulatory requirements. Stay current with evolving risk management best practices and regulatory updates.

Reporting and Communication

  • Communicate risk assessment findings and progress to relevant stakeholders within the organization. Foster a culture of risk awareness and transparency.

Documentation Maintenance

  • Maintain all risk assessment documentation in a secure and organized manner, ensuring that it is readily available for internal and external audit purposes.

3. Risk Monitoring

Implement ongoing surveillance of identified risks across various areas using real-time data analysis, team feedback, and external intelligence. Leverage technology for effective risk monitoring, including automated alerts and systems.

3.1 Risk Monitoring Strategy

Risk Tracking and Reporting

  • Provide frequent updates on the status of risks and develop comprehensive reporting for internal stakeholders.
  • Highlight risk trends, emerging threats, and mitigation efforts.

Response Mechanisms

  • Establish immediate response protocols for critical risk events and outline escalation procedures for risks exceeding thresholds.

Performance Evaluation

  • Regularly assess and adjust the effectiveness of risk mitigation strategies based on performance evaluations.

Compliance and Regulatory Alignment

  • Continuously monitor and adapt to compliance with industry standards and regulations.

Integration with Risk Assessment

  • Create a dynamic feedback loop between risk monitoring and assessment processes.
  • Promote data sharing and collaboration for holistic risk management.

Stakeholder Engagement

  • Maintain communication with internal teams and inform external stakeholders about risk monitoring outcomes.

Advanced Analytics and Forecasting

  • Use predictive analytics for potential risk scenarios and proactive risk identification.

Training and Awareness Programs

  • Conduct regular training sessions to enhance risk awareness and response capabilities.
  • Foster a risk-aware culture throughout the organization.

Documentation and Record Keeping

  • Keep detailed records of all monitoring activities and ensure documentation is organized and audit-ready.

3.2. Restricted MCC Code Monitoring

Restricted MCCs will be monitored and reviewed monthly, as they require Enhanced Due Diligence prior to being onboarded. Additionally, the restricted MCC will be reviewed when the merchant’s risk level is elevated. Give will provide the Sponsor with a quarterly activity report for each Sub-Merchant. The following information will be included in the report:

  • The Sub-Merchant’s name and location as appears in clearing records;
  • The Sub-Merchant’s DBA name;
  • The Sub-Merchant’s MCCs;
  • The transaction sales count and amount for each MCC; and
  • The transaction chargeback count and amount for each MCC.

Upon request, Give is also prepared to provide the Sponsor and card network with merchant activity reporting. Give will provide the following:

  • The Sub-Merchant’s name as it appears in the merchant name field;
  • The Sub-Merchant’s DBA name;
  • The Payment Facilitator’s name;
  • Monthly transaction count and amount; and
  • Monthly dispute and fraud advice (TC40) count and amount.

The list of restricted Merchant Category Codes is detailed in Exhibit A of this document. The list can be updated at any time.

3.3. Chargeback Monitoring

The policy outlines monitoring and managing merchant chargeback activities through a series of rules that trigger based on specific thresholds of chargeback counts and ratios. These triggers are assessed daily from the time an account is created.

Give monitors for chargebacks daily. Chargebacks are included in triggers and the chargeback trigger is turned on when the account is opened. Chargeback thresholds of 0.01% and higher elevate the merchant’s risk level to “High” and require a remediation plan. The trigger points for chargeback ratios greater than 0.01% and equal to 1% will increase from 3 to 5 points. Chargeback ratios greater than 1% will be 7 trigger points.  

For a merchant experiencing their first chargeback when the count exceeds one, an alert is permanently set without the possibility of a reset. This serves as an initial warning mechanism.

Further, there are three levels of alerts for merchants based on their chargeback ratios:

  • An alert is raised if the chargeback ratio reaches or exceeds 0.1%. This alert can be reset if the ratio falls below this threshold for at least 30 days.
  • A more severe alert is triggered when the chargeback ratio hits or surpasses 1.0%, with the possibility of reset under the same conditions as the first.
  • The most critical alert is activated once the chargeback ratio climbs to 5.0% or more. This too can be reset after a 30-day period below the threshold.

These mechanisms are designed to keep track of merchant performance regarding chargebacks and adjust their risk profile as needed.

3.4 Account Changes

Account changes and account ownership will be verified using various verification methods, such as uploading bank statements, bank confirmation, and verified third-party subscription. The authenticated login credential of one signer is necessary as authorization for the changes. Senior management will review account change exceptions. Changes to the merchant will trigger a notification to verify CIP and CDD/EDD.

3.5 Red Flags

Potential Red Flags Payment Processors are being Used Illicitly

  • Fraud

High rates of consumer complaints and chargebacks involving Payment Processors and their merchant clients can indicate potential unfair or deceptive practices, or fraud. Consumer account information has also been used to create unauthorized RCCs or ACH debits.

  • Accounts at Multiple Financial Institutions

Payment Processors that are engaged in questionable activities often spread their banking across multiple financial institutions. This tactic allows them to diversify their risk and avoid detection, as they anticipate that a bank might close their accounts upon spotting suspicious behavior. This shifting and distribution strategy can also involve moving from one bank to another in short intervals. There is an increased use of "check consolidation accounts" by some Payment Processors to obscure high rates of returns or chargebacks.

  • Money Laundering

Criminals frequently exploit Payment Processors as tools to launder the proceeds of their illicit activities, including consumer fraud. These processors offer a veneer of legitimacy that can disguise illegal or suspicious transactions. Additionally, Payment Processors have been implicated in schemes where illegal funds are directly deposited into financial institutions. This is often done through ACH credit transactions that originate from foreign sources, further complicating the traceability and oversight of these funds. Such practices pose significant risks to the integrity of the financial system and require vigilant regulatory oversight.

  • Enhanced Risk

Relationships with third-party entities, especially those involving foreign-located payment processors that handle transactions for telemarketers, online businesses, and other merchants, carry significant risks. These relationships can expose financial institutions to heightened regulatory and reputational risks. Consequently, they require stringent due diligence and ongoing monitoring to ensure compliance with legal standards and to protect against potential abuses such as fraud or money laundering. Vigilant oversight is crucial to mitigate the risks associated with these complex international payment processing arrangements.

  • Solicitation for Business

Payment Processors involved in dubious activities often target financially distressed institutions, which might be more open to engaging in higher-risk transactions due to their need for revenue and capital. These processors may also offer to purchase stock in such institutions as a way to sweeten the deal, further incentivizing them to accommodate high-risk merchants. Typically, smaller community banks are the targets of such schemes. These banks often lack the robust infrastructure required to effectively manage and monitor the risks associated with a high-risk Payment Processor relationship. Additionally, it's not just the smaller banks that are involved; large financial institutions also sometimes unknowingly host accounts for fraudulent merchants through these payment processors. This highlights the pervasive risk across the banking spectrum, necessitating stringent oversight and preventive measures to safeguard against such exploitative practices.

  • Elevated rate of return of debit transactions due to unauthorized transactions

Payment processors that are engaged in or complicit in suspicious activities might exhibit unusually high rates of returned debit items due to unauthorized transactions, significantly exceeding industry averages. While some payment processors might appear to operate within normal parameters when overall return rates are considered, a deeper analysis can reveal a different story. Specifically, when return rates are assessed based on the transaction volumes of individual originators rather than the total volume of the processor, these rates can be markedly higher. This discrepancy suggests that while on the surface things may seem compliant, certain segments or transactions could be particularly problematic, indicating potential abuse or misuse by criminals. Such patterns necessitate closer scrutiny and potentially enhanced regulatory oversight to prevent and address such malpractices effectively.

Mitigating Third-Party Payment Processor Risk

  • Financial institutions should conduct comprehensive onboarding due diligence that indicates whether external investigations and/or legal actions are pending against a Payment Processor or its owners and operators.
  • Financial institutions should verify the Payment Processor has the necessary state licenses, registrations, and approvals.
  • A financial institution is required to file a SAR if it suspects that a Payment Processor is trying to disguise funds from illegal activity, evade regulations, or conduct activity that lacks a legitimate business or apparent lawful purpose.

Red Flags Third Party Payment Processors Should Be Aware

  • Large-value transactions processed through ACH often involve a TPSP used by originators who are not direct bank customers, resulting in no or inadequate due diligence.
  • TPSPs often violate ACH network rules, generate illicit transactions, or facilitate manipulated or fraudulent transactions for their customers.
  • Several layers of TPSPs that are involved in transactions with no clear purpose.
  • An unusually high number of Internet- or telephone-initiated transactions.
  • ACH transactions that originate via the Internet or telephone are at risk for manipulation and fraud.
  • Batch processing that hides the identities of the originators.
  • ACH transactions may involve parties who are subject to OFAC or other Sanctions programs.
  • Higher risk merchants tend to use third party processors.

Red Flags for Merchants

Colluding Merchants

A merchant and/or its employees knowingly process transactions on credit cards reported lost or stolen. The transactions are forced without a code. The merchants do not fight or push back on these transactions.

New Merchant Bust-Out Schemes

A merchant sets up a fake business and opens several merchant accounts at various banks at the same time to process as many transactions as possible. The transactions come from fraudulent credit cards and no goods or services are rendered. The merchant disappears after receiving the funds.

Sales Draft Laundering or Factoring

A fraudster poses as a merchant and convinces an unsuspecting financially distressed merchant to deposit sales drafts for a percentage in their account. The activity continues for a short time. The merchant usually does not have enough to cover the chargebacks.

Merchant Cash Advances

A merchant uses their own credit card for a purchase, usually a large even dollar transaction. However, no goods or services are exchanged. The activity is conducted to fund the merchant’s account because usually these merchants have financial difficulties.

Merchant Credits

Someone fraudulently makes a credit return on their credit or debit card. However, there is no return of goods to match the credit. This is similar to the fraudulent merchant cash advance scam.  The credit is either used to offset the credit card balance or withdrawn as cash from an Automated Teller Machine (“ATM”).

Telemarketing Scams

Individual customers make a purchase from a telemarketer. The price of the product is usually much lower than the price the customer is charged.  The customer is charged repeatedly either monthly, same day or within a short period of time. 

3.6 Results Indicate the Risk is Increasing

When results from an investigation indicate a merchant's risk is increasing, the following may apply: extend the period on the WatchList, update the reserve amount, temporarily suspend deposits, close the account, and/or add the merchant to MATCH. A reserve may be required to cover the potential risk of a restricted merchant.

4. Risk Reporting

Risk Reporting is a crucial aspect of our comprehensive risk management framework. This process is centered around the generation of regular, detailed reports aimed at senior management and the board of directors. These reports serve as a critical tool for decision-making and strategic planning, ensuring that leadership is fully informed about the organization's risk landscape.

4.1 Key Components of Risk Reporting

Regular Reporting Schedule

Establishing a consistent schedule for delivering risk reports to ensure timely and regular dissemination of crucial risk information.

Detailed Risk Information

Each report includes comprehensive details on identified risks. This involves outlining the nature of each risk, its potential impact, and the areas of the organization it affects.

Assessment Overview

The reports provide an overview of recent risk assessments. This includes insights into the likelihood of risk occurrence, the potential magnitude of impact, and any other relevant metrics or indicators used in the risk assessment process.

Mitigation Strategies and Progress

A critical part of these reports is the update on current mitigation strategies. This includes information on the implementation of these strategies, their effectiveness to date, and any adjustments or refinements that have been made.

Future Risk Outlook

The reports also look forward, offering an analysis of potential emerging risks and changing risk dynamics. This helps in preparing the organization for future challenges.

Actionable Insights

The aim is to provide actionable insights to senior management and the board, enabling them to make informed decisions about risk management priorities and resource allocation.

Compliance and Regulatory Updates

Including updates on compliance with relevant regulations and standards, and how these might impact risk profiles and mitigation strategies.

Clear and Accessible Format

Ensuring that the reports are clear, concise, and accessible, enabling quick understanding and facilitating informed decision-making.

4.2 Targeted Risk Analysis Reports

Trailing Twelve Month (TTM) Credit and Fraud Loss

  • Calculation of TTM Losses

Regularly calculate the trailing twelve months (TTM) credit and fraud losses by summing up the total losses incurred over the past twelve months. This calculation should encompass all relevant loss types, including chargebacks, fraud incidents, and credit defaults.

  • Regular Report Generation

Generate TTM Credit and Fraud Loss reports periodically. These reports should include actual loss figures and compare them against established thresholds. Ensure these reports are comprehensive and provide an accurate representation of the loss landscape.

  • Escalation Protocols

Establish clear protocols for escalation in cases where TTM losses exceed predefined thresholds. Promptly escalate such instances to senior management and the board of directors, accompanied by detailed explanations, analyses, and proposed remedial actions.

  • Documentation and Record Keeping

Maintain meticulous records of all TTM credit and fraud loss monitoring activities. This should include detailed documentation of analyses conducted, actions taken in response to breaches in thresholds, and outcomes of those actions. Ensure that these records are stored in a centralized repository for easy access and review by relevant stakeholders.

Suspicious Activity Report (SAR)

  • Detection and Identification: Implement systems and training for employees to detect and identify actions that qualify as suspicious activities, such as unusual transaction patterns, significant changes in account activities, or transactions that lack a legitimate business purpose.
  • Immediate Documentation: Once a suspicious activity is identified, prompt documentation should be initiated. This includes gathering all relevant information about the transaction, parties involved, and the nature of the suspicious activity.
  • Evaluation and Decision-Making: Conduct a thorough evaluation of the documented information to determine if the activity meets the criteria for filing a SAR. This decision should ideally involve the compliance team or designated officers.
  • Filing the Report: If the activity is deemed reportable, complete and file the SAR with the appropriate regulatory authority, following the prescribed format and within the stipulated time frame.
  • Confidentiality and Record-Keeping: Maintain strict confidentiality during and after the reporting process. Securely store all records related to the SAR, including the report itself, supporting documentation, and details of the decision-making process, in accordance with legal requirements and company policy.

Merchant Risk Report

  • Identification of Critical and High-Risk Merchants

Develop criteria to identify merchants who pose critical or high risks. This could include factors like transaction volumes, chargeback rates, nature of business, financial stability, or history of compliance issues.

  • Regular Monitoring and Analysis

Implement continuous monitoring mechanisms for identified high-risk merchants. Regularly analyze their transaction patterns, financial health, customer complaints, and any red flags that may arise in their dealings.

  • Escalation Triggers

Clearly define specific triggers for escalation. These might include exceeding a certain chargeback ratio, sudden spikes in transaction volumes, reports of fraudulent activities, or significant changes in business practices that increase risk.

  • Timely Response Protocols

Establish strict protocols for responding to escalated cases. Outline the maximum response times for different levels of risk, ensuring swift action is taken to mitigate potential threats or losses.

  • Reporting and Documentation

Maintain detailed reports on high-risk merchants, including their risk profiles, reasons for classification as high risk, and any incidents or escalations. Document all actions taken in response to escalated situations.

Complaint Handling Reporting

  • Categorization and Tracking

Systematically categorize and track complaints into types such as transaction disputes, service issues, fraud-related concerns, billing and fees, customer service, compliance and regulatory matters, and refunds and returns. Ensure accurate recording of each complaint's nature for reporting purposes.

  • Regular Reporting Schedule

Establish a regular schedule for generating comprehensive reports on complaints received. These reports should detail the number, type, and trends of complaints over specific periods.

  • Analysis of Complaint Data

Analyze complaint data to identify common issues, patterns, or recurring problems. Include metrics such as average resolution time, complaint frequency, and resolution success rates.

  • Resolution and Response Overview

Provide an overview of how complaints are resolved, highlighting effective strategies and areas needing improvement. Include information on the time taken to resolve different types of complaints.

  • Feedback and Continuous Improvement

Utilize the insights from complaint reports to recommend improvements in products, services, and customer interaction processes. Highlight how customer feedback is being used to drive organizational changes.

  • Compliance and Regulatory Reporting

In cases involving compliance and regulatory issues, report on how these complaints are handled in adherence to legal and regulatory standards.

Incident Response Report

  • Incident Classification and Documentation

Classify and document incidents based on their nature and severity. This includes security breaches, data leaks, system outages, or any other operational disruptions. Ensure detailed recording of the incident's specifics, including time, scope, and impact.

  • Immediate Reporting of Incidents

Establish a protocol for the immediate reporting of incidents to relevant authorities within the organization. This ensures prompt initiation of the response process and minimizes potential damage.

  • Analysis and Investigation

Conduct a thorough analysis and investigation of each incident. This should include identifying the cause, the extent of the impact, and any vulnerabilities exploited.

  • Resolution and Mitigation Measures

Document the steps taken to resolve the incident and mitigate its effects. Include details of the response actions, parties involved in the resolution, and the time taken to address the incident.

  • Post-Incident Review and Reporting

After resolving the incident, compile a comprehensive report. This report should cover the incident's timeline, the effectiveness of the response, lessons learned, and recommendations for preventing similar incidents in the future.

  • Continuous Improvement

Use insights from incident reports to refine and improve the incident response plan. Update policies, procedures, and preventive measures based on these insights.

  • Regulatory Compliance and External Reporting

Where applicable, ensure that the incident reporting complies with legal and regulatory requirements. Report incidents to external authorities as required by law or industry standards.

Exception Reporting

Overview

While Give does not currently allow force sale, force posts, or force capture, the inclusion of these in the transaction process would necessitate stringent oversight and agreement from the Risk and Compliance teams. The adoption of such practices must be paired with comprehensive exception reporting to maintain transaction integrity and ensure compliance with regulatory standards.

Procedures for Monitoring and Reporting

1. Tagging and Identification of Exceptions

  • Tagging System Implementation: A tagging system will be introduced within the transaction processing software to automatically flag any transactions identified as force sales, force posts, or force captures.
  • Transaction Flagging: Transactions categorized under these exceptions will be tagged at the point of entry. Each tag will record details such as the transaction date, type, and the specific reason for the exception.

2. Monthly Reporting

  • Monthly Exception Reports: Exception reports will be compiled monthly, providing analysis and summaries of all flagged transactions. These reports are crucial for understanding the scope and details of exceptions handled.
  • Contents of the Reports: Reports will include:
      • Total count of exception transactions.
      • Breakdown by type (force sale, force post, force capture).
      • Detailed accounts of the resolution process for each transaction.
      • Identification of any patterns or recurrent issues.

3. Data Archiving

  • Exception Reporting Archives: An archive for exception reports and related documents will be maintained. This archive will be secure, compliant with data protection standards, and accessible for audit purposes.
  • Retention Period: A specific retention period for these documents will be established, conforming to legal and regulatory requirements.

4. Oversight and Compliance

  • Regular Audits: Audits of the exception reporting system and its archives will be conducted regularly to ensure adherence to policies and regulatory standards.
  • Training and Awareness: Continuous training will be provided to all personnel involved in transaction processing and exception handling to familiarize them with the policies, procedures, and their responsibilities.

Conclusion

The establishment of exception reporting for practices such as force sales, force posts, and force captures at Give, should they be allowed, will necessitate thorough preparation, vigilant monitoring, and detailed reporting. By designing these protocols, Give prepares to maintain proactive compliance and security in its transaction processing operations, readying the organization for any potential policy changes in the future.

5. Mitigation and Response

Mitigation and Response is an integral part of our comprehensive risk management framework. This area focuses on developing and executing strategies to effectively manage and reduce the impacts of identified risks. These efforts play a pivotal role in ensuring that risks are not only recognized and evaluated but are also actively addressed and controlled, with efficient response mechanisms for any emerging incidents or issues.

5.1 Key Components of Mitigation and Response

Strategy Development and Implementation

  • Formulate specific mitigation strategies tailored to various identified risks such as operational, compliance, financial, and strategic.
  • Integrate these strategies into the organization’s overall business planning and operational processes.

Training and Culture of Risk Awareness

  • Conduct regular training for employees on risk mitigation methods and emergency response procedures.
  • Cultivate a culture within the organization that values risk awareness and proactive risk management.

Ongoing Monitoring and Strategy Adjustment

  • Continuously monitor the effectiveness of risk mitigation strategies and adjust them in response to new insights from risk monitoring and reporting.
  • Update and refine strategies based on changing risk landscapes and organizational needs.

Incident Response Preparedness

  • Develop comprehensive and updated incident response plans for potential risk events, ensuring they are practical and actionable.
  • Regularly test and revise these plans to keep them relevant and effective.

Communication and Stakeholder Engagement

  • Maintain clear communication channels for risk reporting and incident response.
  • Keep internal and external stakeholders informed about risk mitigation efforts and responses to incidents.

Regulatory Compliance and Alignment

  • Align mitigation and response activities with applicable regulations and industry standards, adapting to regulatory changes when necessary.
  • Ensure compliance is an integral part of all mitigation and response actions.

Documentation and Continuous Improvement

  • Document all actions and outcomes related to risk mitigation and incident response.
  • Use these records for ongoing learning, improvement, and evidence of compliance.

Terminating a Merchant Account

There will be instances where it will be necessary to close a merchant’s account either by Give or at the request of the Sponsor. Some of the reasons for closure include fraud or other financial crimes.

6. Review and Revision

Review and Revision is a critical component of our comprehensive risk management framework, focusing on the continuous evaluation and updating of our risk management practices. This process ensures that our risk management strategies remain effective, relevant, and aligned with the evolving business environment, regulatory changes, and emerging risks.

6.1 Key Components of Review and Revision

Periodic Evaluation of Risk Management Processes

Schedule regular reviews of the entire risk management framework, including risk identification, assessment, monitoring, reporting, mitigation, and response processes.

Assess the effectiveness of current risk management strategies and tools in addressing the identified risks.

Incorporation of Feedback and Lessons Learned

Integrate feedback from different stakeholders, including management, employees, and external parties, into the risk management process.

Analyze incidents, near-misses, and successful risk mitigations to gather lessons learned and best practices.

Adaptation to Changing Business and Risk Landscape

Update risk management processes to reflect changes in the business environment, such as new technologies, market shifts, or operational changes.

Stay abreast of emerging risks and modify risk strategies to account for these new challenges.

Alignment with Regulatory Requirements and Industry Standards

Regularly review and update risk management practices to ensure compliance with the latest regulatory requirements and industry best practices.

Adjust policies and procedures to reflect changes in legal and regulatory landscapes.

Stakeholder Engagement and Communication

Actively involve relevant stakeholders in the review and revision process to ensure a comprehensive understanding of risk perspectives.

Communicate changes and updates in the risk management framework to all relevant parties, ensuring clarity and understanding.

Documentation and Record Keeping

Maintain thorough documentation of the review and revision processes, including rationale for changes, impact assessments, and revised procedures.

Ensure that all modifications are well-documented and accessible for reference, training, and compliance purposes.

7. Custodial Account and Reserves

Funds processed for sub-merchant funds and fees are transferred into Give’s FBO account. The funds are then distributed to the sub-merchants via a daily ACH file from the FBO bank account.


Appendix A: Merchant Risk Monitoring System

The risk monitoring system oversees all merchants approved for processing. Each merchant is assigned a risk profile consisting of risk points categorized by color-coded risk levels. Whenever a risk event is detected, the corresponding risk points are added to the merchant's risk profile.

Any risk level prompts an email notification to the compliance team. Elevated risk levels may lead to automated suspension of the merchant's processing and/or money transfer capabilities.

Risk Activity

  • Sudden or unusual changes in sales volume, transaction velocity, transaction averages, etc.
  • High number of chargebacks, refunds, or prepaid cards in relation to approved transactions (per Visa’s established monitoring thresholds)
  • Sales volume or transaction spike in new or inactive merchant activity
  • Force transaction activity (too many invalid CVV attempts, incorrect card numbers, declined transactions, etc.)
  • High volume of low-value transactions in a short period of time
  • Transaction attempts with credit cards that have been determined to be lost or stolen
  • Previously blocked credit card numbers, IP/User Agents, or email addresses
  • High occurrences of transactions with rounded amounts (e.g. 1.00)
  • Customers with the same credit card number

Risk Indicators

  • Global and merchant-specific moving averages for sales volume, transaction average, and transaction count
  • Individual merchant moving averages compared against their own activity and the global mean moving averages
  • The merchant's chargeback percent and velocity compared to their own activity and the global mean
  • The merchant's refund percent and velocity compared to their own activity and the global mean
  • The merchant's prepaid credit card percent and velocity compared to their own activity and the global mean

Merchant Risk System Screens

Merchant Risk Profile Screenshot

Merchant Risk Activity Screenshot

Merchant Risk Triggers Screenshot

Merchant Risk Indicators Screenshots

Merchant Risk Point System

Appendix B: Transaction Monitoring System

Give's software solutions for transaction monitoring and fraud prevention monitor every transaction, and automatic action is taken when fraudulent behavior or activity is detected.

The transaction monitoring system creates a profile for each transaction using the IP address / User Agent. Activity is recorded and the monitor looks for unusual behavior. If fraud is detected, the profile is automatically blocked from making further transaction attempts.

Transaction Risk Activity

  • Force transaction activity (too many invalid CVV attempts, incorrect card numbers, declined transactions, etc.)
  • High volume of low-value transactions in a short period of time
  • Transaction attempts with credit cards that have been determined to be lost or stolen
  • Previously blocked credit card numbers, IP/User Agents, or email addresses
  • High occurrences of transactions with rounded amounts (e.g. 1.00)
  • Customers with the same credit card number
  • Multiple attempts with unusual or suspicious emails / name on the card

Transaction List

Transactions are monitored in real-time and can be filtered and sorted to gain insight into patterns that could indicate an attack or suspicious behavior.

Transaction List Screenshot

Blocked List Screenshot

Quarantine Transaction List Screenshot

Transaction Risk Profile

Geolocation and VPN Detection Screenshot

Transaction Activity Monitor Screenshot

Escalation Monitoring Screenshot

Transaction Risk Profile Analysis and Assessment Screenshots

Appendix C: Risk Alert Notifications System

Notification Mechanisms

Our risk management system incorporates both push and email notifications as essential tools for communication. These automated alerts are configured to inform the compliance team and any team members who have appropriate permissions and are subscribed to the alert notifications. This approach ensures timely and efficient dissemination of critical risk-related information to the relevant personnel.

Triggers for Alert Notifications

The alert notifications are activated in a range of scenarios to promptly flag various types of risk-related events. The activation of these alerts is crucial for maintaining ongoing monitoring and enabling quick response to potential threats in our operations. Below is a comprehensive list of scenarios and conditions that trigger these alert notifications:

New Chargeback

An alert is triggered whenever a new chargeback is detected.

Chargeback Dispute Case Updated

This alert is sent when a chargeback dispute case is updated, requiring a response.

Chargeback Reversal

An alert is generated when a chargeback is reversed.

Create Merchant

This alert is sent when a new merchant signs up or is added to the portfolio manager.

Merchant Underwriting Approved

Whenever a new merchant receives approval from the underwriting process, this alert is issued.

Merchant Risk Level Escalation

An alert is sent when an event triggers the escalation of a merchant's risk level.

Negative Balance

This alert is activated when a merchant's daily balance goes negative due to factors like chargebacks, refunds, or direct debits.

New Bank Account

An alert is generated whenever a new bank account is added by the merchant.

New Team Member Invited

This alert is sent when a new team member is invited to join the portfolio manager.

OFAC Match

An alert is issued when an OFAC check returns with a match.

PEP Match

This alert is sent when a business owner is identified as a politically exposed person (PEP).

Blocked Transaction

This alert is sent when a transaction is blocked either by the system or manually.

Refund

An alert is triggered whenever a refund transaction occurs.

The following triggers are required by the Sponsor:

Activity Exceeded Volume and Swipe Limits

The merchant exceeded their established authorization swiping and volume limits.

Multiple Authorizations, Exceeded Settlement

There are triggers that capture multiple authorizations on the same card number for the same amount, or exceeded settlement.

No Balance Merchant Batch Total, Activity on Closed Account, No Offset

Triggers for zero or negative batch total, deposits on a closed account, or credit with no offset.


Exhibit A. MCC Restrict List

Airlines, Air Carriers (not listed elsewhere)

Automobile and Truck Dealers (Used Only)

Bail and Bond Payments

Computer Software Stores

Counseling Service – Debt, Marriage, Personal

Court Costs, including Alimony and Child Support

Digital Goods – Applications (Exclude Games)

Discount Stores

Door-to-Door Sales

Financial Institutions – Manual Cash Disbursements

Financial Institutions – Merchandise and Services

Government Licensed On-Line Casinos (On-Line Gambling) (US Region only)

Government-Licensed Horse/Dog Racing (US Region only)

Government-Owned Lotteries (US Region only)

Lodging – Hotels, Motels, Resorts, Central Reservation Services (not elsewhere classified)

Marketplaces

Money Orders – Wire Transfer

Non-Financial Institutions – Foreign Currency, Money Orders (not wire transfer) and Travelers Cheques

Real Estate Agents and Managers – Rentals

Security Brokers/Dealers (Non High Risk)

Steamship and Cruise Lines

Theatrical Producers (Except Motion Pictures), Ticket Agencies

Timeshares (straight sales only)

Travel Agencies and Tour Operations

The information contained herein is intended to provide a general overview of the Company’s policies and procedures relating to compliance with this Policy and does not constitute legal advice or a complete description of the laws and regulations relating to this Policy. The Company has made every effort to ensure the accuracy and completeness of this Policy.  This document is intended to provide guidance to employees of Company on how to comply with applicable laws and regulations related to this Policy. Employees should consult with the Legal or Compliance Department if they have any questions about the Policy or how to comply with it. Company reserves the right to modify or update this Policy at any time without notice. Employees are responsible for reviewing the Policy on a regular basis to ensure that they are aware of any changes. This Policy applies to all employees of Company, regardless of their position or location unless stated otherwise in the Policy. Employees are responsible for complying with the Policy and for reporting any suspected violations to their respective supervisor, the Legal Department, AMLCO or respective recipient of such violation as outlined in this Policy.

Copyright © GiveCorporation Inc. etc. All Rights Reserved