KYC & AML Policy
1. Overview & Scope
Wellfare ehf. ("SameFare") operates a cost-sharing rideshare marketplace that facilitates payments between passengers and drivers. As an operator of a platform that processes payments, SameFare is subject to applicable Icelandic anti-money laundering (AML) and counter-terrorism financing (CTF) obligations, principally:
- Icelandic Act no. 140/2018 on Measures against Money Laundering and Terrorist Financing (Lög um aðgerðir gegn peningaþvætti og fjármögnun hryðjuverka), as amended.
- The EU Anti-Money Laundering Directives (AMLD) as incorporated into Icelandic law through the EEA Agreement.
- Regulations issued by Fjármálaeftirlitið (FME), the Icelandic Financial Supervisory Authority.
This policy applies to all users of the SameFare platform — both drivers and passengers — and to all payments processed through the Platform. It supplements our Privacy Policy and Terms & Conditions.
2. Customer Identification (KYC)
SameFare applies a Know Your Customer process to every user before they may make or receive payments through the Platform.
2.1 Passenger identity verification
Before completing a first booking, passengers must verify their identity by submitting one of the following government-issued documents:
- Icelandic or EEA national ID card
- Passport (any nationality)
- Driving licence valid in Iceland (Icelandic or EEA-issued)
The submitted document is verified for authenticity by our identity verification provider. A liveness check and biometric face match are performed to confirm that the person submitting the document is its genuine holder. The verification outcome (approved, declined, or flagged for review) is recorded by SameFare.
2.2 Driver identity and licence verification
Before posting a first ride, drivers must submit a driving licence valid in Iceland for combined identity and driving eligibility verification. In addition to document authenticity and liveness checks, the licence is verified against the submitting person's face. This single submission satisfies both identity verification and driver vetting.
SameFare may require re-verification if:
- The driver's previously approved licence is approaching or has passed its expiry date.
- There are reasonable grounds to question the continued validity of the licence.
- Regulatory requirements mandate periodic re-verification.
2.3 Verification technology
KYC checks are performed by Didit Technologies, an accredited identity verification provider. Didit performs:
- Document authenticity verification (MRZ, chip reading where available, security feature checks)
- Liveness detection to confirm a real person is present
- Biometric face matching against the document photograph
- Automated sanctions and PEP screening (see section 5)
Documents and biometric data are processed and stored on Didit's infrastructure. SameFare receives and stores only the verification session reference and the outcome. A full description of data processing is in our Privacy Policy.
3. Driver Vetting
Drivers are subject to enhanced due diligence compared to passengers because they receive cost contributions from passengers through the Platform. In addition to identity verification (section 2.2), SameFare requires drivers to confirm:
- The vehicle is insured under a civil liability policy that covers cost-sharing passengers.
- The vehicle holds a valid roadworthiness certificate (skoðun).
- The driver holds a licence valid for the class of vehicle used.
SameFare relies on driver self-declaration for the insurance and vehicle conditions listed above. Submission of a verified driver's licence is treated as confirmation that these conditions are met. SameFare does not independently verify insurance coverage but reserves the right to request documentary evidence at any time.
A driver whose account is flagged during AML screening, whose licence verification fails, or who accumulates adverse platform conduct indicators may have their posting privileges suspended pending investigation.
4. Biometric Processing
The identity verification process involves the processing of biometric data as defined under GDPR Article 4(14), specifically:
- Liveness detection — analysis of a real-time capture to confirm a live person is present.
- Biometric face matching — comparison of the liveness capture against the facial photograph in the submitted document.
This processing is necessary for the purposes of fraud prevention, identity authentication, and compliance with anti-money laundering obligations. The legal basis is GDPR Article 9(2)(g) — processing necessary for reasons of substantial public interest, specifically the prevention of financial crime, identity fraud, and money laundering, in conjunction with Icelandic Act no. 140/2018.
Biometric data is processed solely by Didit Technologies as our data processor. SameFare does not receive, store, or independently process biometric data. Users who object to biometric processing cannot use the Platform's payment features, as identity verification is a non-waivable requirement of our AML compliance obligations.
5. AML & Sanctions Screening
All users are automatically screened against the following lists as part of the identity verification process:
- UN Security Council sanctions lists
- EU consolidated financial sanctions list
- OFAC Specially Designated Nationals (SDN) list
- Politically Exposed Persons (PEP) databases
- Adverse media — automated screening for negative news coverage linked to financial crime, fraud, or terrorism
Screening is performed by Didit Technologies at the point of identity verification and may be repeated periodically. A screening hit does not automatically result in account denial — results are reviewed in accordance with a risk-based approach. SameFare reserves the right to decline or suspend accounts where screening results indicate unacceptable risk.
Ongoing transaction monitoring (section 6) provides a supplementary layer of AML detection beyond the initial onboarding screen.
6. Risk Assessment & Transaction Monitoring
6.1 Risk-based approach
SameFare applies a risk-based approach to AML compliance. User and transaction risk is assessed based on factors including (but not limited to):
- Identity verification outcome and screening results
- Booking frequency, route patterns, and price levels relative to platform norms
- Payment method and card origin
- Cancellation patterns or unusual booking behaviour
- PEP or adverse media flags
6.2 Transaction monitoring
Transactions on the Platform are subject to automated monitoring. The following patterns may trigger manual review:
- Unusually high booking volumes from a single account within a short period
- Trip prices significantly above or below platform guidelines
- Repeated booking and cancellation cycles with no completed trips
- Multiple accounts booking the same trip from the same device or payment method
- Payments from cards or accounts in high-risk jurisdictions
Where a transaction or account is flagged, SameFare may delay or withhold driver disbursements, request additional information, or suspend the account pending investigation. Users will be notified where legally permissible.
7. Suspicious Activity Reporting
SameFare is legally obliged to file a Suspicious Activity Report (SAR) with the relevant Icelandic authority under Act no. 140/2018 where we have knowledge or reasonable suspicion that a transaction may relate to money laundering or terrorist financing. Note: the precise competent authority for SAR filing under Icelandic law (FME or the National Police Commissioner / Embætti ríkislögreglustjóra) should be confirmed with Icelandic legal counsel prior to any live SAR submission.
Where a SAR is filed, SameFare is prohibited by law from disclosing ("tipping off") the subject of the report that a report has been made or that an investigation is underway. Accordingly, affected users will not be informed when a SAR is filed, and SameFare will not provide reasons for account suspension or payment holds where disclosure would constitute tipping off.
Any internal suspicion of money laundering or terrorist financing should be reported to the SameFare compliance function at samefare@samefare.com.
8. Record-Keeping
In accordance with Icelandic Act no. 140/2018, SameFare retains the following records for a minimum of 5 years from the date of the relevant activity:
| Record type | Retention period | Legal basis |
|---|---|---|
| KYC verification outcomes (session references, status, date) | 5 years from account closure | Act no. 140/2018, Art. 24 |
| AML screening results | 5 years from screening date | Act no. 140/2018, Art. 24 |
| Transaction records (payments, refunds, disbursements) | 6 years (tax compliance — Act no. 145/1994) | Icelandic Bookkeeping Act |
| SAR filing records | 5 years from filing date | Act no. 140/2018, Art. 24 |
Document images and biometric data are retained by Didit Technologies subject to their own retention policy. SameFare does not independently retain document images.
9. Ongoing Due Diligence
KYC and AML obligations are not limited to onboarding. SameFare may request updated identity information or re-verification at any time where:
- A previously submitted document has expired or is approaching expiry.
- Unusual activity is detected on an account.
- New regulatory requirements mandate re-screening of existing customers.
- There is reason to believe that previously submitted information was inaccurate or falsified.
Failure to respond to a re-verification request within a reasonable timeframe will result in suspension of payment features and, if unresolved, account closure. Data collected during ongoing due diligence is subject to the same retention and processing rules described in this policy.
10. Contact
For KYC or AML enquiries, to exercise your rights in relation to verification data, or to report an internal AML concern:
Wellfare ehf.Reykjavík, Iceland
Email: samefare@samefare.com