Compliance
Regulatory discipline: documented, verifiable, and up to date.
The standing posture
Osage Finance combines three regulatory dimensions under one operating relationship: the chartered‑bank dimension (SF Private Bank, full BSA / AML / KYC / sanctions programme); the on‑chain dimension (Travel Rule / IVMS 101 messaging, sanctions screening at the wallet layer, transaction monitoring on Osage Network); and the federal‑mission dimension (FinCEN, OFAC, OCC, IRS reporting capacity through SF Private Bank’s compliance team).
Bank‑side compliance (SF Private Bank)
- BSA / AML programme — tier‑1 jurisdiction, with documented policies, transaction monitoring, suspicious‑activity reporting, and annual independent testing.
- KYC & CDD — risk‑based Customer Due Diligence; Enhanced Due Diligence for PEPs, high‑risk jurisdictions, and complex structures.
- Sanctions screening — OFAC SDN, consolidated UN/EU/UK lists, and PEP / adverse‑media screening at onboarding and continuously thereafter.
- FinCEN reporting — CTR, SAR, FBAR, Form 8300, 314(a) and 314(b) participation.
- FATCA & CRS — full reporting capacity.
- Beneficial‑owner registry — CTA / FinCEN BOI compliance for entity clients.
On‑chain compliance
- Travel Rule (IVMS 101) — full VASP‑to‑VASP transfer messaging on all Osage Network outbound flows above threshold.
- Wallet screening — OFAC SDN check on every receiving and sending address.
- Transaction monitoring — behavioural rules over on‑chain flow; flagged transactions route to a human review queue with SF Private Bank’s compliance team.
- Stablecoin reserve attestation — for issued or held stablecoin balances, attestation cadence documented per token.
Securities side
Securities‑related work composes with Osage Capital, Osage Fund, and Osage Exchange under the standing register held by General Counsel and International Counsel; jurisdiction‑specific filings and exemptions are documented per offering.
Cybersecurity & data
- SOC 2 Type II — on the platform side.
- PCI DSS Level 1 — attested through our card‑processing partner.
- NIST 800‑171 — for federal‑mission work; CMMC Level 2 roadmap; see /capabilities.
- Post‑quantum cryptography — the standing PQ brief is held by the Chief Architect & Cryptographer; see osage.global/capabilities.
Data at rest — envelope encryption
Every Osage Finance application stores sensitive data under an envelope:
- Root of trust — Osage KMS (HSM‑backed; FIPS 140‑3 boundary). Key material never leaves the HSM boundary.
- Per‑client Key Encryption Key (KEK) — one per organisation, versioned, never persisted outside KMS.
- Per‑file / per‑row Content Encryption Key (CEK) — random AES‑256 per row, wrapped under the org KEK, stored alongside the ciphertext.
- AES‑256‑GCM with AAD‑bound nonces — the AAD ties each ciphertext to its org, table, and row, so it is replay‑resistant and rows cannot be moved across tables or orgs.
- Crypto‑shredding — revocation of a client’s KEK in KMS renders that client’s entire dataset unreadable, instantly. Compliance with right‑to‑erasure and data‑residency revocation is one KMS API call.
- SQLite via Osage Base — one OLTP engine across local dev, staging, production, and air‑gapped / sovereign deploys. No PostgreSQL anywhere. Backups via Litestream to S3‑compatible storage.
- Analytics — separated into a ClickHouse layer that never sees plaintext sensitive columns; sensitive columns either don’t propagate or propagate as their AAD digest, which preserves cardinality without leakage.
The full canonical specification is published at osage.tech/docs/storage and is normative for every Osage Group application.
Reporting & audit
Annual financial audits, BSA programme audits, and SOC 2 reports are available to qualifying counterparties under NDA via [email protected].
Compliance: [email protected] · Sanctions queries: [email protected].