Compliance Deep Dive
Risk scoring, sanctions screening, Travel Rule, wallet verification, and audit.
Risk Scoring
Every transaction is scored against 7 rules:
| Rule | Trigger | Severity | Score |
|---|---|---|---|
| THRESHOLD_10K | amount >= $10,000 | Medium | +15% |
| THRESHOLD_50K | amount >= $50,000 | High | +30% |
| VELOCITY_24H | 15+ tx in 24h | Medium | +10% |
| VELOCITY_1H | 30+ tx in 1h | High | +25% |
| NEW_WALLET | First transaction from the wallet | Low | +5% |
| ROUND_AMOUNT | Round amount in $5,000 increments | Medium | +5% |
| SELF_TRANSFER | sender == receiver | Low | +10% |
Decision engine:
- < 30% = approved (auto-execute)
- 30-50% = flagged (requires user confirmation)
- >= 50% = blocked (automatic rejection)
Fast-track: transactions under $500 skip most checks (only self-transfer check).
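The scorer below is an added example, not NautLense's own code: it implements the seven rules, the three decision bands and the sub-$500 fast track exactly as the tables above state them. The rule ids, weights and bands come from the page; the transaction shape (`{ sender, receiver, amountUsd, timestamp }`), the per-sender history lookup, and the reading that rules fire independently and their percentages are summed (so a $50,000 transfer trips both threshold rules) are assumptions.

```javascript
// Added example (not NautLense code): reference scorer for the seven-rule table.

// Prior transactions from the same sender inside the window, plus this one (assumption).
function countInWindow(tx, history, windowMs) {
  return history.filter((p) => p.sender === tx.sender
    && p.timestamp <= tx.timestamp && tx.timestamp - p.timestamp < windowMs).length + 1;
}

// Each rule fires independently; `score` is the percentage it adds.
const RULES = [
  { id: 'THRESHOLD_10K', severity: 'medium', score: 15, fires: (tx) => tx.amountUsd >= 10000 },
  { id: 'THRESHOLD_50K', severity: 'high',   score: 30, fires: (tx) => tx.amountUsd >= 50000 },
  { id: 'VELOCITY_24H',  severity: 'medium', score: 10, fires: (tx, h) => countInWindow(tx, h, 24 * 3600e3) >= 15 },
  { id: 'VELOCITY_1H',   severity: 'high',   score: 25, fires: (tx, h) => countInWindow(tx, h, 3600e3) >= 30 },
  { id: 'NEW_WALLET',    severity: 'low',    score: 5,  fires: (tx, h) => !h.some((p) => p.sender === tx.sender) },
  { id: 'ROUND_AMOUNT',  severity: 'medium', score: 5,  fires: (tx) => tx.amountUsd >= 5000 && tx.amountUsd % 5000 === 0 },
  { id: 'SELF_TRANSFER', severity: 'low',    score: 10, fires: (tx) => tx.sender === tx.receiver },
];

const FAST_TRACK_BELOW_USD = 500;

// Decision bands from the page: <30 approved, 30-50 flagged, >=50 blocked.
function decide(score) {
  if (score < 30) return 'approved'; // auto-execute
  if (score < 50) return 'flagged';  // requires user confirmation
  return 'blocked';                  // automatic rejection
}

function scoreTransaction(tx, history) {
  const fastTrack = tx.amountUsd < FAST_TRACK_BELOW_USD;
  // Fast track: only the self-transfer rule is evaluated.
  const applicable = fastTrack ? RULES.filter((r) => r.id === 'SELF_TRANSFER') : RULES;
  const triggered = applicable.filter((r) => r.fires(tx, history));
  const score = Math.min(100, triggered.reduce((sum, r) => sum + r.score, 0));
  return { score, decision: decide(score), fastTrack, triggered: triggered.map((r) => r.id) };
}

// Constructed sample history: walletA has sent 20 small transfers in the last 20 minutes.
const SAMPLE_NOW = Date.parse('2026-03-27T14:30:00Z');
const SAMPLE_HISTORY = Array.from({ length: 20 }, (_, i) => ({
  sender: 'walletA', receiver: 'walletZ', amountUsd: 250, timestamp: SAMPLE_NOW - i * 60e3,
}));

// Stand-alone run: a $10,000 round transfer from a busy wallet lands exactly on the flag band.
console.log(scoreTransaction(
  { sender: 'walletA', receiver: 'walletB', amountUsd: 10000, timestamp: SAMPLE_NOW }, SAMPLE_HISTORY));
```

The boundary cases are the ones worth keeping under test: a $10,000 round-amount transfer from a sender with 20 transfers in the last hour scores 15 + 10 + 5 = 30 and is flagged, not approved; a $50,000 self-transfer from a fresh wallet scores 65 and is blocked; and a $200 self-transfer on the fast track still picks up the +10% but is approved.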
Sanctions Screening
NautLense screens against 4 sanctions lists:
| List | Source | Entities |
|---|---|---|
| OFAC SDN | US Treasury | 16,910+ |
| SECO | Swiss SECO | Swiss sanctions |
| EU | European Union | EU consolidated list |
| UN | United Nations | UN Security Council |
Screening methods:
- Name matching with fuzzy tolerance
- Address matching (exact, for crypto addresses like Tornado Cash)
- Batch screening up to 100 entities per request
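The three screening methods above, as an added example that is not NautLense's code. It runs against a constructed, entirely fictional list; the name normalisation (case folding, diacritic stripping, token sorting), the Levenshtein similarity threshold of 0.85 and the result shape are assumptions, and the 100-entity batch cap is the page's figure.

```javascript
// Added example (not NautLense code): fuzzy name screening, exact address screening, batch cap.

// Constructed sample list. Names and the address are fictional.
const SANCTIONS_LIST = [
  { list: 'OFAC SDN', type: 'entity', name: 'Example Trading Ltd' },
  { list: 'EU', type: 'individual', name: 'Juan Pérez García' },
  { list: 'OFAC SDN', type: 'address', name: 'Example Mixer Contract',
    address: '0x1111111111111111111111111111111111111111' },
];
const NAME_SIMILARITY_THRESHOLD = 0.85; // assumption
const MAX_BATCH = 100;

// Fold case, strip diacritics and punctuation, sort tokens so word order does not matter.
function normalizeName(name) {
  return name.normalize('NFD').replace(/[\u0300-\u036f]/g, '').toLowerCase()
    .replace(/[^a-z0-9]+/g, ' ').trim().split(' ').sort().join(' ');
}

// Single-row Levenshtein edit distance.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = above;
    }
  }
  return row[b.length];
}

function similarity(a, b) {
  if (!a.length && !b.length) return 1;
  return 1 - levenshtein(a, b) / Math.max(a.length, b.length);
}

// Name matching with fuzzy tolerance.
function screenName(name) {
  const q = normalizeName(name);
  return SANCTIONS_LIST.filter((e) => e.type !== 'address')
    .map((e) => ({ list: e.list, entry: e.name, score: similarity(q, normalizeName(e.name)) }))
    .filter((m) => m.score >= NAME_SIMILARITY_THRESHOLD)
    .sort((x, y) => y.score - x.score);
}

// Crypto addresses are matched exactly; no fuzzy tolerance.
function screenAddress(address) {
  return SANCTIONS_LIST.filter((e) => e.type === 'address' && e.address === address.trim())
    .map((e) => ({ list: e.list, entry: e.name, score: 1 }));
}

// Batch screening, capped at 100 entities per request.
function screenBatch(entities) {
  if (entities.length > MAX_BATCH) throw new Error(`batch exceeds ${MAX_BATCH} entities`);
  return entities.map((ent) => {
    const matches = ent.address ? screenAddress(ent.address) : screenName(ent.name);
    return { id: ent.id, hit: matches.length > 0, matches };
  });
}

console.log(screenBatch([
  { id: 'a', name: 'Example Tradng Ltd.' },      // typo and punctuation: still a hit
  { id: 'b', name: 'Garcia Perez, Juan' },       // reordered, no accents: exact after normalisation
  { id: 'c', address: '0x1111111111111111111111111111111111111111' },
  { id: 'd', name: 'Unrelated Bakery' },
]));
```

Exact address matching is case-sensitive here, which is right for base58 Solana addresses; for EVM hex addresses both sides should be lower-cased before comparison, otherwise a checksummed spelling of a listed address slips through.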
Travel Rule (FATF Recommendation 16)
Supported Jurisdictions
| Code | Regulator | Threshold | Self-Hosted Wallet |
|---|---|---|---|
| CH | FINMA | 0 CHF (all transfers) | Verify all amounts |
| DE | BaFin | 0 EUR | Verify > 1,000 EUR |
| AT | FMA | 0 EUR | Verify > 1,000 EUR |
| EU | National FIU | 0 EUR | Verify > 1,000 EUR |
Required Originator Fields
- Switzerland (CH): name + account + one of: address / (dob+pob) / national_id / customer_id
- Germany (DE): name + dlt_address + account + one of: (address+document_number+customer_id) / (dob+pob)
- Austria (AT): name + address + dob + nationality + account (strictest — all mandatory, no alternatives)
- EU Generic: Same as Germany
Data Completeness Scoring
completeness = presentFields / totalFields
1.0 = compliant (all required fields present)
< 1.0 = missing_info (with list of missing fields)
Wallet Verification (Poco)
Cryptographic proof of wallet ownership, ported from production NautPoco system.
Signature Challenge Flow
- `POST /wallets/verify/initiate` generates a challenge with a 5-word slug, a nonce and a 30-minute expiry
- The client signs the challenge with the wallet private key (ed25519 for Solana, secp256k1 for EVM)
- `POST /wallets/verify/confirm`: NautLense verifies the cryptographic signature
- A successful verification is valid for 1 year
Challenge Message Format
```text
NautLense Wallet Verification
Wallet: 7xKXtg2CW87d97TXJSDpbD5jBkheTqA83TZRuJosgAsU
Challenge: brave-purple-dolphin-happy-sunset
Nonce: a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6
Timestamp: 2026-03-27T14:30:00.000Z
```
Solana Off-Chain Message Format
```text
Header: \xff + "solana offchain" + \x00\x00
Length: 2-byte little-endian (message UTF-8 byte length)
Body: UTF-8 encoded challenge message
```
Verified using `nacl.sign.detached.verify()` with the wallet's ed25519 public key.
Emergency Lockdown
- In-memory flag for zero-latency enforcement (no DB round-trip)
- Database persistence across server restarts
- HTTP 423 Locked response on all `/tx/capture` calls
- Blocked transaction count tracked during lockdown
- Audit trail of all lockdown events
SAR Reports
- Case numbers in `SAR-YYYY-NNNN` format
- Authority filing workflow with sign-off
- Asset freeze capability on submission
- Linked to transactions and wallet profiles
Audit Trail
SHA256 hash chain across all captured transactions:
- Each record stores `hash` (SHA256 of the record plus `prev_hash`) and `prev_hash`
- `GET /tx/verify-chain` walks the entire chain
- Any tampering breaks the chain at the modified record
- Critical notification generated on chain break