Security & controls
Built in, not bolted on
Money that can’t slip.
Every payment carries risk — a wrong wallet, a changed destination, an over-approval. Lootrunners puts controls around each one, and writes every sensitive action to an immutable audit log.
(01) Payment-destination controls
✓ New destinations require verification before any payout
✓ Changed wallets trigger a 24-hour hold
✓ High-value payments require two approvers
✓ Destinations are scoped to the organization
✓ Approved wallets are allowlisted
✓ Suspicious changes generate alerts
(02) Account controls
✓ Mandatory MFA for finance roles, passkeys where available
✓ Step-up authentication before payments
✓ Least-privilege roles & session monitoring
✓ Secrets encrypted with a managed KMS
✓ Signed webhook validation & strict idempotency
✓ API keys rotate; no shared payment credentials
(03) Operational & compliance
✓ Daily reconciliation & payout-limit monitoring
✓ Failed-webhook recovery & provider-outage fallback
✓ Chain / network mismatch prevention
✓ Manual compliance queue for higher-risk activity
✓ KYC / KYB & sanctions screening via regulated partners
✓ A risk-based sanctions program aligned to OFAC guidance
The model
Lootrunners supplies the software, records, and controls. A regulated partner holds and moves the money. We never take possession of customer funds.