Opefin Source

Global Consumer Terms

For individuals and entities whose information is processed through the Opefin Source AML/CTF compliance platform

Version 1.0  |  Effective Date: 1 April 2026  |  Read alongside the Global General Terms

Opefin Limited (NZBN: 9429053433008)  |  hello@opefin.com

How these terms fit with Opefin's other documents

These Global Consumer Terms (“Consumer Terms”) apply specifically to Opefin Source. For consumers, the order of precedence is: (1) the applicable Country Specific Additional Consumer Terms (highest); (2) these Consumer Terms; (3) the Global General Terms (GGT). Read the GGT at opefin.com/legal/global-general-terms.

These Consumer Terms tell you: what Opefin Source is; what data is accessed; what the certificate and the Opefin Compliance Network are; how your data is held and used; and what your rights are. We have written these terms to be read and understood.

Part A

What is Opefin Source?

1. About This Product

1.1 What Opefin Source is

Opefin Source is an end-to-end AML/CTF compliance platform. It provides the tools that help businesses with legal compliance obligations verify who their clients are and where their money comes from. It connects to your bank accounts through a regulated open banking connection, verifies your identity using biometric and document verification, screens your details against global PEP and sanctions lists, and generates a cryptographically signed certificate summarising the results. The certificate is a structured, cryptographically signed document that proves where the money being used in a transaction came from.

Opefin Source also maintains a verified compliance record in the Opefin Compliance Network. This is a core feature of the product, not an optional add-on. By accepting these terms, you agree to your certificate and associated verified data being part of the Opefin Compliance Network for the duration of the applicable statutory retention period.

1.2 What the Opefin Compliance Network is

The Opefin Compliance Network is a regulated verification infrastructure that stores verified compliance records derived from Opefin Source certificates. Accredited reporting entities, including those in other jurisdictions, can query the Network to verify your identity and compliance status for future transactions in which you are involved, with notification to you each time.

The benefit to you is significant: you provide your AML/CTF information once and future reporting entities can verify you instantly, across borders, without requiring you to repeat the full AML process each time. This is the financial passport feature of Opefin Source.

1.3 Why open banking is used

Historically, source of funds checks meant collecting PDF bank statements, which AI tools can now convincingly forge. Opefin takes a different approach: instead of you providing a document, your bank provides the data directly through a secure, regulated connection. There is no document layer and therefore nothing to fake. Every certificate Opefin generates is cryptographically signed, making any forgery mathematically detectable.

1.4 What Opefin is not

Opefin is a technology company. We are not a bank, financial adviser, solicitor, compliance consultant, or regulator. We provide a data infrastructure tool. The professional who commissioned your certificate is responsible for their own compliance decisions.

2. Who These Terms Apply To

2.1 Natural persons

These Consumer Terms apply to you if you are an individual who uses Opefin Source by connecting your personal bank accounts, whether for a personal transaction or to support a business matter where your personal finances are relevant.

2.2 Business entities and sole traders

These terms also apply if you are a company, trust, partnership, or other legal entity/arrangement. When a legal entity connects its accounts, the individual who completes the authentication represents and warrants they are authorised to do so and that the entity consents to the data access.

2.3 Who initiates the process

In most cases, a professional involved in your transaction sends you a link to Opefin Source. In some cases, the professional may upload your documents directly on your behalf. In either case, before any Opefin product processes your data, you must accept these Consumer Terms and the applicable Privacy Notice. This acceptance is required before the reporting entity can use the full Opefin Source workflow.

Part B

Connecting your bank accounts

3. Your Consent

3.1 What consent means here

Connecting your bank accounts requires your active consent. Consent in this context means two things: (a) you give the open banking provider permission to access specific data from your nominated bank accounts on Opefin’s behalf; and (b) you give Opefin permission to process that data to generate a certificate and to create and maintain your Compliance Network record.

The Consumer Consent Disclosure Notice, displayed to you before you complete the bank connection, sets out in plain language exactly what data will be accessed, for what purposes (including the Compliance Network), who will receive the certificate, how long your data will be held, and your rights.

3.2 Scope of consent

Your consent covers the following purposes:

  • Generating your AML/CTF certificate for the requesting reporting entity.
  • Creating and maintaining your verified compliance record in the Opefin Compliance Network.
  • Enabling accredited reporting entities to query your Compliance Network record for future transactions in which you are involved, with notification to you.
  • Enabling the reporting entity to meet its obligations under applicable anti-money laundering and counter-terrorism financing law in connection with your transaction. Where those obligations require regulatory reporting, the reporting entity (not Opefin) is responsible for making it; Opefin does not make such reports on your behalf.
  • Improving Opefin products and services, including training our models and generating industry analytics, using derived and anonymised data generated from your certificate and transaction data. Once genuinely anonymised, this data no longer identifies you and is no longer personal information.
  • Complying with applicable legal obligations, including statutory retention requirements.

The Compliance Network is a core product feature, not a secondary optional use

By accepting these terms, you agree to your certificate and verified compliance data being part of the Opefin Compliance Network for the applicable statutory retention period. You cannot use Opefin Source while opting out of Compliance Network participation, because the Network record is part of what the certificate infrastructure creates. You can request removal from active Network queries at any time, which means no future reporting entity can query your record through the Network going forward, but the underlying certificate will still be retained for the statutory period.

3.3 Consent is voluntary

Giving consent is your choice. If you do not consent to these terms, you will not be able to use Opefin Source for that request. The professional involved in your transaction may need to use alternative methods to verify your source of funds/wealth. Your consent authorises access to your own data as well as bank data. Separately, Opefin maintains your verified compliance record and operates the Compliance Network to deliver the verification service and to support reporting entities in meeting their anti-money laundering and counter-terrorism financing obligations; where the law requires an independent basis for that processing, Opefin relies on those legal obligations and on legitimate interests rather than on bundled consent. You may ask to be removed from active Compliance Network queries at any time as described in clause 8, although records that must be kept under AML/CTF law are retained for the statutory period.

3.4 Each certificate request is separate

Your consent relates to the specific transaction and purpose described in the Consumer Consent Disclosure Notice for that request. If a professional sends you a new request for a different transaction, that is a separate consent. Review the Consent Disclosure Notice each time to confirm the purpose and the professional involved.

3.5 Consent cannot be transferred

Your consent to access your banking data is personal to you and to the specific request. The professional who received the certificate cannot pass your consent to another party to generate a new certificate.

3.6 The reliance model

Anti-money laundering laws in some jurisdictions allow one professional to rely on AML verification conducted by another professional. A single certificate, issued with your consent once, may satisfy the legal obligation of multiple professionals in your transaction. Where this reliance model applies, the Consumer Consent Disclosure Notice will list all the professionals who may rely on your certificate.

3.7 How to cancel consent

You may cancel your consent to bank access at any time through your bank’s own consent management interface, the open banking provider’s consent management tool, or by contacting privacy@opefin.com. Cancelling consent stops any further access to your bank accounts. It does not delete a certificate that has already been generated and delivered.

4. What Happens When You Connect

When you follow the link sent by the professional and complete the bank connection:

  • You are taken to the open banking provider’s interface or your bank’s own interface directly, depending on your jurisdiction and bank.
  • You select which accounts you want to include. You are not required to include every account you hold.
  • You authenticate directly with your bank using your bank’s own security process. Opefin and the open banking provider do not see your login credentials.
  • Your bank sends the requested data to the open banking provider, which passes it to Opefin.
  • Opefin processes the data, generates the certificate, applies the cryptographic signature, and delivers the certificate to the professional.
  • A verified compliance record is created and stored in the Opefin Compliance Network.
  • You receive a notification that the certificate has been delivered.

Part C

The certificate

5. What Your Certificate Contains

ComponentWhat it containsSource
Source of funds/wealth narrativeA plain-language description of where the funds for your transaction came from, generated from your actual transaction history.Derived from your data (including bank data).
Transaction-level funds traceA record of the relevant transactions tracing the funds back to their origin, with dates, amounts, and source categories.Derived from your bank data.
Identity verification and biometric confirmationYour name as confirmed by both biometric identity verification and your bank records, cross-referenced for consistency. Includes confirmation that the liveness check was passed. Raw biometric data is not retained by Opefin after the verification event.Retrieved from your bank.
Completeness declarationA statement of which banks and accounts were connected.Generated by Opefin.
Cryptographic signatureA mathematical signature proving the certificate came from Opefin and has not been altered.Applied by Opefin at generation.
Certificate reference and metadataA unique certificate reference number, the date and time generated, the data period covered, your initials, and the name of the requesting professional.Generated by Opefin.

This is important to understand

The certificate is a factual record of where your funds came from, based on the accounts you connected. It is not a credit assessment, a statement that your funds are free from legal issues, an approval of your transaction, or a decision of any kind. The professional receiving the certificate is responsible for using it alongside their own assessment. Whether your transaction proceeds is a matter for the professional and other parties, not for Opefin.

6. What Your Certificate Covers

TierWhat it includesTypical use
StandardIdentity verification, source of funds narrative, funds trace, bank-verified identity, completeness declaration, risk rating, and cryptographic signature. Core modules: IDV and CDD.Standard client onboarding and CDD for any transaction type.
With ScreeningAll Standard elements plus PEP screening, sanctions screening, and adverse media screening against global watchlists. Adds the EDD module.Higher-risk clients, PEPs, foreign nationals, and any transaction where the reporting entity requires enhanced due diligence.
Full PlatformAll With Screening elements plus ongoing monitoring with live re-verification alerts and SAR workflow support. Adds the Ongoing Monitoring and SAR Workflow modules.Full AML/CTF workflow including monitoring and suspicious activity reporting. The specific modules activated for your transaction are determined by the reporting entity.

7. Multiple Professionals, One Certificate

As explained in clause 3.6, a single certificate may be shared with and relied on by multiple professionals in the same transaction, with your consent. If you have concerns about who has accessed your certificate, contact privacy@opefin.com.

8. The Opefin Compliance Network Record

When your certificate is generated, a verified compliance record is created in the Opefin Compliance Network. This record contains the structured derived data from your certificate, including your verified identity, source of funds/wealth status, certificate date, tier, and associated compliance indicators. It does not contain your full raw bank transaction history. Holding this verified record is how Opefin reduces the friction of repeat AML checks: instead of starting over each time, your verification can be kept current and reused, and shared with another accredited reporting entity under the reliance model only with your consent at the time of each new transaction. Opefin also derives anonymised and aggregated data from your information which, once it no longer identifies you, Opefin may keep and use indefinitely to operate, improve, and build new products and services. This use of de-identified data does not require further consent and does not expose your personal information.

Accredited reporting entities involved in future transactions with you may query your Compliance Network record. You will receive a notification each time this happens. This is how the financial passport works: you verify once and future reporting entities can access your verified status instantly, without requiring you to repeat the process.

You may request removal from active Compliance Network queries at any time by contacting privacy@opefin.com. This means no future reporting entity can query your record going forward. The underlying certificate and Compliance Network record will still be retained for the statutory period.

Part D

Your banking data and privacy

9. What Data Is Accessed

The data we access from your connected bank accounts is set out in the Consumer Consent Disclosure Notice for your request. At a general level, the categories are:

  • Your name and account details as held by each connected bank, cross-referenced with your verified identity.
  • Up to 24 months of transaction history from each connected account, including dates, amounts, descriptions, and payee or payer names.
  • Account balances as at the time of the connection.
  • Biometric data including your facial image, liveness check result, and identity document scan, processed by Opefin’s IDV Provider to verify your identity. The IDV Provider processes this data under their own privacy framework. Opefin retains only the verification outcome, not your raw biometric data.
  • Where the EDD module is activated: PEP, sanctions, and adverse media screening against global watchlists.
  • For Enhanced and Premium tiers: government-verified identity data through the applicable identity verification service in your jurisdiction.

10. How Long Your Data Is Kept

Data categoryKept forWhy
Raw transaction data retrieved from your bankRetained as part of your certificate and Compliance Network record for the statutory retention period (5 years NZ, 7 years AU) once incorporated. Data retrieved but not incorporated into any certificate or Network record is deleted within 30 days.AML/CTF law for incorporated data; privacy law for non-incorporated data deleted within 30 days.
Completed certificateThe minimum statutory period required by applicable AML/CTF law in your jurisdiction. In New Zealand this is 5 years. In Australia this is 7 years.AML/CTF law in the applicable jurisdiction.
Compliance Network recordThe same period as the underlying certificate. Deleted within 30 days of expiry or your removal request after the statutory period.Statutory obligation; Compliance Network operation.
Your consent recordThe statutory period applicable in your jurisdiction, consistent with open banking regulations.Applicable AML/CTF law and open banking regulations.
Derived and anonymised dataRetained indefinitely for product development and analytics. Once anonymised this data is no longer personal information and is not subject to deletion rights.Legitimate interests in product improvement and industry analytics.
Certificate hash (mathematical fingerprint only, no personal data)Indefinite.Allows permanent verification that the certificate has not been altered.

Why you cannot ask us to delete your certificate or Compliance Network record during the statutory period

AML/CTF law requires reporting entities and their technology providers to retain source of funds records for a minimum statutory period (5 years in New Zealand, 7 years in Australia). Deleting your certificate during this period would put the reporting entity in breach of their legal obligations. Raw transaction data not incorporated into the certificate can be deleted separately at 30 days. Once the statutory period expires, data is deleted within 30 days of your request.

11. Your Privacy Rights

Your full privacy rights are set out in the Global General Terms (Part E) and the Privacy Notice for your jurisdiction. In summary:

  • You may ask us what data we hold about you and request a copy.
  • You may ask us to correct inaccurate data. Data sourced from your bank must be corrected with your bank first.
  • You may cancel your open banking consent at any time using the methods in clause 3.7.
  • You may request removal from active Compliance Network queries at any time by contacting privacy@opefin.com.
  • You may ask us to delete data we hold about you. We may need to decline where retention is required by law. Anonymised data is not subject to deletion rights.
  • You may complain to the relevant data protection authority in your jurisdiction, named in the applicable Privacy Notice.

To exercise any of these rights, contact our Privacy Officer at privacy@opefin.com.

Part E

Your responsibilities

12. What You Must Do

12.1 Connect accurate information

You must connect only accounts that belong to you or, if acting on behalf of a legal entity, accounts the entity is authorised to connect. You must not connect someone else’s accounts without their explicit consent for that specific purpose.

12.2 Connect material accounts

Where the purpose of the certificate request is to verify source of funds/wealth for a specific transaction, you should connect all bank accounts that hold or have held funds material to that transaction. Deliberately omitting relevant accounts to obtain a misleading certificate may constitute fraud or a breach of AML/CTF laws.

12.3 Authorised representatives

If you are acting as an authorised representative of a company, trust, or other entity, you must be genuinely authorised to act in that capacity.

13. What You Must Not Do

Conduct that is never acceptable

Connect accounts that do not belong to you or the entity you represent without explicit authorisation. Attempt to manipulate, alter, or interfere with the open banking connection or certificate generation process. Use Opefin Source to generate a certificate for fraudulent purposes, including misrepresenting your financial position. Share your access link with another person for them to connect their accounts under a request made for you. Use the certificate for any purpose other than the purpose stated in the Consent Disclosure Notice for that request.

14. If Something Looks Wrong

If the certificate generated appears to contain inaccurate information, or if you believe accounts were connected without your knowledge, contact us at privacy@opefin.com or hello@opefin.com as soon as possible. We will investigate and, where an error on our part is confirmed, issue a corrected certificate. If incorrect information has already been provided to a professional, inform that professional directly.

Part F

The service and our responsibilities

15. What We Commit To

We commit to providing Opefin Source with reasonable skill and care. Specifically:

  • We will retrieve and process your banking data accurately and only for the purposes stated in the Consent Disclosure Notice and these Consumer Terms.
  • We will generate the certificate in accordance with these Consumer Terms.
  • We will apply the cryptographic signature so the certificate can be independently verified.
  • We will maintain your Compliance Network record in accordance with these Consumer Terms and notify you when accredited reporting entities query it.
  • We will handle your personal data in accordance with the Global General Terms (Part E), the applicable Country Specific Additional Consumer Terms, and the Global Privacy Policy as well as the applicable Privacy Notice.
  • We will tell you if we cannot complete a certificate request and explain why, where we are able to do so.

16. What We Are Not Responsible For

Limitations you should know about

The certificate reflects the data you provide, as well as the data the bank makes available through the open banking connection at the time the connection was made. We are not responsible for data your bank did not provide, data not yet posted to your account, or data relating to accounts you chose not to connect. We are not responsible for the professional’s decision to request a certificate, how they use it, or any decision they make based on it. We are not responsible for delays caused by your bank’s response time in the open banking connection, or for disruptions to the open banking network outside our control.

The liability provisions in the Global General Terms (Part G) apply to these Consumer Terms. Nothing in these Consumer Terms reduces the mandatory consumer law rights available to you in your jurisdiction.

17. Changes to These Consumer Terms

We may update these Consumer Terms from time to time. Where a change affects your rights or obligations in a material way, we will give you at least 30 days’ notice before it takes effect, by email or by a notice in the platform. If you do not accept the change, you may stop using Opefin Source. If you continue to use Opefin Source after the change takes effect, you are taken to have accepted the updated terms.

18. Contact

TopicContact
Questions about your data or privacyprivacy@opefin.com
Questions about the service or the certificatehello@opefin.com
Complaintscomplaints@opefin.com
Reporting fraud or misusesecurity@opefin.com
Opefin LimitedNZBN: 9429053433008 | opefin.com

End of Opefin Source Consumer Terms | Version 1.0 | Opefin Limited

Read alongside the Global General Terms and the Privacy Notice for your jurisdiction