Compliance & Regulatory Posture

Compliance built into the infrastructure layer

This page addresses the regulatory and compliance questions that every legal and finance team at a Series A SaaS company will ask before signing an embedded finance partnership agreement.

Banking infrastructure

Sponsor bank and FDIC pass-through coverage

Mainstreetspine operates through banking-as-a-service partner banks that are FDIC member institutions. Merchant sub-accounts provisioned via the Mainstreetspine API are eligible for FDIC pass-through deposit insurance coverage up to the applicable statutory limit per depositor, in the same manner as other custodial pass-through arrangements.

Platform operators are not required to hold a banking license, obtain a money transmitter license, or become a sponsored member of a payment network. Mainstreetspine and its banking partners hold the regulatory permissions required to operate the sub-account, card issuance, and ACH programs that the API exposes. Specific banking partner names are disclosed during the platform onboarding and due-diligence process and are covered by standard NDA.

FDIC Pass-Through Coverage

Sub-account deposits are held at FDIC member institutions. Pass-through coverage applies in accordance with standard custodial arrangements and current regulatory guidance. Coverage eligibility depends on end-merchant account structure.

Sponsor Bank Relationship

Banking operations are conducted through our sponsor bank partners, which hold applicable state and federal banking charters and are members of the Federal Reserve System. Partner identity is disclosed at contract stage under NDA.

Platform License Exemption

SaaS platforms using the Mainstreetspine API do not become money transmitters. Regulated activity is conducted by Mainstreetspine and its licensed bank partners. Your platform earns revenue-share on program activity without holding regulated instruments.

BIN Sponsorship & Card Programs

Virtual card issuance operates under a card program agreement with our principal member bank. BIN sponsorship, network membership, and interchange economics are managed by Mainstreetspine. Platform operators configure spend controls via the admin API.

KYC & AML

Identity verification and anti-money laundering framework

Every merchant onboarded through the Mainstreetspine API completes identity verification and watchlist screening before a sub-account is provisioned. The compliance workflow is automated and occurs synchronously with account creation — your engineering team does not write or maintain compliance logic.

Identity Verification (KYC)

Individual and business identity verification uses a combination of document verification, biometric matching, and authoritative data sources. Verification logic follows FinCEN Customer Identification Program requirements and our sponsor bank's KYC program standards.

Watchlist Screening

Every merchant entity and individual beneficial owner is screened against OFAC SDN and consolidated sanctions lists, PEP databases, and relevant adverse media sources at onboarding and on an ongoing basis per a scheduled refresh cycle.

Transaction Monitoring (AML)

Post-onboarding transaction monitoring applies rules-based and behavioral analytics to detect structuring, unusual velocity, and patterns associated with money laundering. Alerts are reviewed by our compliance operations team in coordination with our sponsor bank's BSA officer.

SAR Filing

Suspicious Activity Reports are filed by our compliance team and sponsor bank as required under the Bank Secrecy Act. Platform operators are not required to file SARs or maintain a BSA compliance program. SAR filings are managed entirely within the Mainstreetspine compliance infrastructure.

Data & privacy

Data handling and information security

Mainstreetspine processes financial transaction data, identity documents, and merchant account information on behalf of platform operators. Data handling practices are governed by our Platform Services Agreement, which includes data processing addendum provisions aligned with applicable US federal and state privacy law.

Data Residency

All transaction and identity data for US-market merchant accounts is stored and processed within United States infrastructure. No cross-border data transfer to non-US jurisdictions occurs without explicit contractual agreement. Mainstreetspine does not operate in EU markets under current product scope.

Encryption Standards

Data in transit uses TLS 1.2 or higher. Data at rest is encrypted using AES-256. API authentication uses short-lived JWT tokens and HMAC request signing. PAN and sensitive card data are handled within PCI DSS Level 1 scope boundaries maintained by our card program processor.

Third-Party Data Sharing

Mainstreetspine shares merchant identity and transaction data with our sponsor banks and regulated service providers solely as required to operate the financial product programs. We do not sell merchant data or platform operator data to third parties for advertising, analytics, or data-broker purposes.

Breach Notification

Our incident response program includes defined breach notification timelines consistent with applicable state breach notification laws. Platform operators are notified within 72 hours of confirmed security incidents that affect their merchant data. Full incident response SLAs are defined in the Platform Services Agreement.

Compliance diligence

This page provides a general overview of Mainstreetspine's regulatory posture for informational purposes. It is not a legal representation or warranty. Platform operators and their legal counsel should review the full compliance disclosure package, sponsor bank attestation letter, and data processing addendum provided during the platform onboarding process. For compliance diligence requests, contact [email protected].

Compliance questions?

We share a full diligence package at the integration stage

The compliance disclosure package includes sponsor bank attestation letters, BSA program overview, KYC procedure documentation, and data processing addendum. Request access to start the conversation.