Purpose and scope
neolife operates the fulfillment rail that connects telehealth clinics to their compounding and dispensing pharmacies. Orders move through us. In many configurations, payment for those orders moves through us too — either as the platform of record or through a regulated payment processor we engage. Because we sit at that intersection, we maintain an anti-money-laundering (AML) and know-your-customer (KYC) program designed to keep illicit funds, bad actors, and unlicensed activity off the rail.
This policy governs how we onboard, verify, and monitor the parties that use neolife: the clinics and other businesses that send us orders, the licensed providers who approve those orders, and the pharmacies and payment counterparties on the other side. It applies to all neolife personnel, contractors, and systems involved in onboarding, payments, and compliance. It does not replace any AML or licensure obligation that our customers carry independently — it sits alongside them.
We verify the businesses and providers using neolife. We do not, and our program is not designed to, perform diagnostic or clinical review of individual patient prescriptions. Clinical responsibility for each order rests with the licensed provider who approves it; this program addresses the integrity of the parties and the payments, not the medicine.
Definitions
- Customer — any business that contracts with neolife to send orders or move payments through the platform, typically a telehealth clinic or practice group.
- Provider — a licensed clinician (physician, nurse practitioner, physician assistant, or equivalent) who is authorized to prescribe and who approves orders on the platform.
- UBO — ultimate beneficial owner; any natural person who owns or controls 25% or more of a Customer entity, or who otherwise exercises control.
- KYB — know your business; the due diligence we run on a Customer entity.
- KYC — know your customer; the identity and credential verification we run on a Provider.
- CDD / EDD — customer due diligence and enhanced due diligence; the standard and elevated review tiers described below.
- Compliance Officer — the designated person accountable for this program, reachable at [email protected].
Our compliance program
neolife maintains a written, risk-based AML/KYC program with five pillars: a designated Compliance Officer, documented policies and procedures, customer and provider due diligence, ongoing monitoring with a defined escalation path, and periodic independent review and training. The program is approved by management and reviewed at least annually, and sooner when regulation, product, or risk materially changes.
The depth of diligence we apply scales with the risk a relationship presents. A single-location clinic with a verified medical director and standard formulary sits at one end. A multi-state operation with complex ownership, controlled-substance categories, or unusual payment patterns sits at the other and draws enhanced due diligence.
Business verification (KYB)
Before a Customer can send a single order, we verify the business itself. No account is enabled for live order or payment flow until KYB is complete and cleared by compliance.
Legal entity
- Legal name, trade names, formation jurisdiction, entity type, and registration or incorporation number, confirmed against the relevant secretary-of-state or company registry.
- Federal tax identification number (EIN) and registered business address, confirmed against independent records.
- Operating addresses for any physical clinic locations and the states in which the Customer intends to operate.
Licensure and authority to operate
- Verification that the Customer is lawfully able to provide telehealth and to direct the dispensing of prescriptions in the states it serves, including any required clinic, facility, or telehealth registration.
- Identification of the supervising medical director or responsible clinician, with that individual run through Provider verification (KYC) below.
- Confirmation that the Customer has an established relationship with the dispensing pharmacy that will fill its orders, and that the pharmacy holds the licenses required for the relevant states and product categories.
Ownership and control (UBO)
- Identification of all ultimate beneficial owners holding 25% or more, and of the individuals who exercise control (officers, directors, managing members), with identity verification on each.
- A documented ownership structure for layered or holding-company arrangements, so that we can see through to the natural persons behind the entity.
- Screening of owners and controllers against sanctions and watchlists as described below.
We collect supporting documentation — formation documents, license certificates, ownership attestations — and retain it under the schedule in Recordkeeping and retention. We may use third-party verification and registry data sources to corroborate what a Customer tells us. If we cannot verify an entity, its ownership, or its right to operate, we do not onboard it.
Provider verification (KYC)
Every order on neolife is approved by a licensed provider — that is the core of how the platform works. So we verify each provider before their approvals count, and we keep those credentials current.
- Identity. Legal name, date of birth, and government identity confirmation for the individual clinician.
- State license. Active, unrestricted license to practice in each state where the provider approves orders, verified against the issuing state board, including license number, status, and expiration.
- NPI. National Provider Identifier confirmed against the NPPES registry and matched to the provider's name and taxonomy.
- DEA registration. Where a provider's orders involve controlled substances, a current DEA registration is verified, with the schedule authority and state of registration confirmed and matched to the dispensing location. Controlled-substance prescribing is also subject to applicable federal and state telehealth requirements.
- Sanctions and exclusion screening. Providers are screened against OFAC lists and against the HHS OIG List of Excluded Individuals/Entities (LEIE) and the System for Award Management (SAM) exclusions, so that excluded clinicians cannot operate on the rail.
Credentials with expiration dates are tracked and re-verified before they lapse. A provider whose license becomes inactive, restricted, or excluded is suspended from approving orders until the issue is resolved.
Sanctions and watchlist screening
At onboarding and on an ongoing basis, we screen Customers, their beneficial owners and controllers, and Providers against applicable government lists. These include, at minimum:
- U.S. Treasury Office of Foreign Assets Control (OFAC) Specially Designated Nationals and Blocked Persons (SDN) and consolidated sanctions lists.
- HHS OIG List of Excluded Individuals/Entities (LEIE) and SAM exclusions, which bar participation in federal health programs.
- Other domestic and international watchlists, debarment lists, and politically-exposed-person (PEP) data sources as warranted by the relationship's risk.
A confirmed match against a sanctions or blocked-persons list results in a freeze on the relationship and the relevant funds, escalation to the Compliance Officer, and reporting to the appropriate authority as required by law. We re-screen periodically and when list data is updated, so that designations that occur after onboarding are caught.
Risk rating
Each Customer is assigned a risk rating at onboarding and on review. The rating drives how closely we monitor the relationship and how often we re-verify it. Factors include:
- Ownership complexity and the transparency of beneficial ownership.
- The states and product categories involved, including whether controlled substances are in scope.
- Order and payment volume, velocity, and value.
- Geographic factors, including any nexus to higher-risk jurisdictions.
- Screening results, adverse media, and any prior compliance findings.
Higher-rated relationships receive enhanced due diligence at onboarding and more frequent review thereafter.
Ongoing monitoring and review
Verification is not a one-time event. We periodically refresh Customer and Provider information on a schedule keyed to risk rating — more often for higher-risk relationships, and immediately on any trigger event such as a license lapse, an ownership change, a sanctions hit, or an unusual activity alert. Customers are required to notify us of material changes to their legal entity, ownership, licensure, or the pharmacy that fills their orders.
Where information becomes stale or cannot be re-verified, the affected account is reviewed and may be restricted until the gap is closed.
Payment and transaction monitoring
Where neolife is in the payment flow, we monitor transactions for patterns inconsistent with a legitimate telehealth fulfillment relationship. Monitoring is risk-based and rule-driven, and looks for signals such as:
- Order or payment volume and velocity that diverge sharply from a Customer's verified profile.
- Structuring patterns — amounts arranged to sit below reporting or review thresholds.
- Mismatches between the prescribing pattern, the payer, and the destination of funds.
- Refund, chargeback, or reversal patterns that suggest layering or payment abuse.
- Payment instruments or counterparties connected to higher-risk jurisdictions or screened entities.
Alerts are reviewed by compliance. We coordinate with our regulated payment processors and financial-institution partners, who maintain their own AML programs; this policy is complementary to, not a substitute for, those programs.
High-risk handling
When a relationship or transaction is rated high-risk, we apply enhanced due diligence: deeper documentation, senior-level approval to onboard or continue, tighter monitoring thresholds, and shorter review cycles. We may impose limits on order or payment volume, require additional attestations, hold or delay specific transactions pending review, or decline to proceed. Decisions to onboard or retain a high-risk relationship are documented and approved by the Compliance Officer.
Prohibited customers
neolife will not onboard or knowingly continue to serve:
- Individuals or entities on OFAC SDN or other applicable sanctions or blocked-persons lists, or owned or controlled by such parties.
- Clinicians or businesses appearing on the HHS OIG LEIE or SAM exclusion lists.
- Businesses that cannot or will not provide verifiable legal-entity, ownership, or licensure information.
- Entities operating telehealth or directing dispensing without the licenses required in the states they serve.
- Shell companies with no demonstrable legitimate business, or arrangements designed to obscure beneficial ownership.
- Any party we reasonably believe is using, or intends to use, the platform to launder funds, evade sanctions, divert controlled substances, or otherwise break the law.
Suspicious activity escalation
Any neolife employee or contractor who identifies activity that may indicate money laundering, sanctions evasion, fraud, or other illicit conduct must escalate it promptly to the Compliance Officer. Escalations are confidential and are reviewed without delay.
The Compliance Officer investigates, documents the findings, and determines the appropriate response — which may include freezing funds or accounts, filing a report with the relevant authority, coordinating with our payment and banking partners on their reporting obligations, and terminating the relationship. Where the law prohibits disclosure of a report to its subject, neolife observes that prohibition. Employees who escalate concerns in good faith are protected from retaliation.
Recordkeeping and retention
We retain onboarding records, verification evidence, screening results, risk ratings, monitoring alerts, investigations, and escalation decisions. These records are retained for at least five years after the end of a relationship or the date of the relevant activity, or longer where a specific law, regulation, or legal hold requires it. Records are stored securely, access is limited to authorized personnel, and any records containing protected health information are handled under our Privacy Policy and applicable HIPAA safeguards.
Governance and training
The Compliance Officer owns this program and reports to management. Staff involved in onboarding, payments, and compliance receive training on their AML/KYC obligations at hire and periodically thereafter, including how to recognize and escalate suspicious activity. The program is subject to periodic independent review, and findings are remediated and tracked to closure. We update this policy as our product, our regulatory environment, and the risks we see evolve.
Contact
Questions about this policy, or matters requiring compliance attention, should be directed to our designated Compliance Officer at [email protected].
This policy is provided for transparency and may be updated from time to time. The version shown here is current as of the date above.