What's in the public summary
The pack below is the public-facing summary. The full document — covering specific program managers, jurisdictions, control owners, evidence and contractual flow-down — is shared during due diligence after the first commercial discussion.
Programme operating model
- Operator ownership. Depending on the programme, operators may contract directly with the program manager or with NAS, which holds the program-manager contract. The relationship is operator-owned in either case — no reselling, no third-hand access.
- Multi-PM architecture. Program-manager calls are isolated in a dedicated adapter — switching or adding a PM later is contained.
- Custody & safeguarding. Client funds, where held, sit within the applicable programme structure — the program manager's banking partner, a regulated custodian, or NAS's own MPC-based custody infrastructure depending on the Program — segregated from operating accounts and reconciled continuously. Client funds are not held on NAS's balance sheet and any control, custody or safeguarding function operates only through the applicable programme structure and the relevant regulated or safeguarded arrangement.
- Licensing posture. Programmes operate under the licensing of the regulated back-end partners (e.g. EMI, MSB or local equivalents). Nano Advanced Services Limited is registered with U.S. FinCEN as a foreign-located money-services business; that registration is for U.S. AML / money-services purposes and is not a general or cross-jurisdictional authorisation. NAS is not a bank, deposit-taking institution, e-money institution, or scheme member, and does not hold client funds as principal.
- Economics. Operators contract directly with the program manager. Separately, NAS receives an aggregation fee from the program manager in recognition of the combined volume the NAS network delivers. NAS does not mark up, or take a share of, funds flowing to operators.
AML / KYC / KYB
- Multi-tier KYC: hosted vendor flow on mobile · in-browser OCR & MRZ extraction on web · PEP & sanctions screening · address & compliance info · provider-agnostic wire format. KYC files are prepared on the NAS platform; the regulated back-end partner makes the underlying customer-acceptance decision and owns the regulatory record.
- KYB onboarding for B2B distributors and corporate clients, with manager → team hierarchies and approval workflows. KYB files are prepared by NAS (collection, validation, packaging); the regulated back-end partner assesses and owns the decision. NAS does not make customer-acceptance or AML-onward decisions.
- Ongoing transaction monitoring under the regulated back-end partner's framework, with NAS supplying full event streams to compliance tooling.
PCI DSS scope
- NAS's own posture: SAQ-A, token-only. Sensitive card data never touches the NAS system. PAN, CVV and equivalents are tokenised by the program-manager / processor before any NAS service sees them. NAS handles tokens, not PANs.
- Back-end partners' attestations (SAQ-D, Level-1 or equivalent) are the partners' own and are made available under NDA during due diligence. NAS does not represent partners' attestations as its own.
Security controls (platform)
- All program-manager and admin calls sit behind a secure, signed, audit-logged API.
- Signed webhooks with replay protection. Per-device session tracking. OTP everywhere for sensitive actions.
- Role & privilege access control on the admin back-office. Manual ops overrides logged with operator identity.
- Log masking; complete audit trail with retention configured per jurisdiction.
- Auto-logout for sensitive mobile and web sessions. Secure storage for mobile.
Data residency & transfers
Partner-hosted Surfaces. The Consumer mobile, Consumer Web, Business Portal, Support Portal and Admin Back-office Surfaces are deployed and hosted by the Partner on the Partner's own infrastructure under the Partner's brand. Customer Personal Data captured through those Surfaces resides on Partner infrastructure (Partner is the host and the controller).
NAS-hosted central layer. The central orchestration API operated by NAS, the Partner-representative data NAS controls in its own right, and the nas.cards marketing site are hosted on a tier-one cloud provider in the European Union (primary location: Frankfurt, Germany). International transfers, where required, are covered by SCCs / UK IDTA / UK Addendum or operate under an adequacy decision.
Incident response
24/7 on-call for production. Documented playbooks for fraud, compromise and partner outage. Disclosure timelines aligned to the PM's framework and applicable law (e.g. GDPR Art. 33: 72 hours).
What you get during due diligence
- Full architecture diagrams (data, key management, custody flow).
- Named program-manager(s) and their licensing posture for your jurisdiction.
- Sub-processor list and DPA template.
- SOC / PCI attestations of partners, where applicable.
- Penetration-test summary letter.
- Business continuity & disaster recovery plan summary.
This page is a public summary. It is not a regulatory representation, nor a contractual document. Specific licensing posture is determined by the selected program manager and disclosed under NDA.