
Onboarding Timeline

Tech Checklist

You will need to implement the following items before Unit hands over the API keys to the production environment.

Item: User Authentication
Explanation: You should use a secure authentication solution to authenticate End Users.
Guidance: Suggested vendors include Auth0, AWS Cognito, Firebase or Stytch.

Item: Phone Number Verification
Explanation: For security and fraud prevention purposes, you must verify the phone number provided as part of an application before creating the application.
Guidance: We recommend using Twilio Verify.
This checklist item is satisfied if you use Unit's Application Form.

Item: Second Factor Authentication
Explanation: For security and fraud prevention purposes, you must authenticate the customer with a second factor before performing various sensitive actions. See the 2 Factor Authentication section of our documentation for further details.
Guidance: We recommend using Unit’s Customer Token Verification.

Item: Idempotency
Explanation: Unit uses idempotency to protect against repeat occurrences of sensitive operations (e.g. originating an ACH Credit). Such operations are marked in our API docs.
Guidance:
  • You must provide a unique idempotency key when performing payment operations.
  • We strongly recommend providing an idempotency key for other sensitive operations marked in our API docs.

Item: ACH Debit Authorization
Explanation: Before you can originate an ACH Debit (i.e. pull funds from a counterparty at another bank), you must authenticate and collect consent from this counterparty.
Guidance: We require using Plaid for authentication, followed by the counterparty's explicit consent, in order to debit an outside account. We also require the use of Plaid Identity and Plaid Balance. For use cases that require other solutions, please contact Unit for approval.

Item: Firewall
Explanation: Implement a web application firewall in front of your web application.
Guidance: We recommend using one of: AWS WAF, Azure Web Application Firewall, Google Cloud Armor or Cloudflare.

Item: Storage Encryption
Explanation: Whenever possible, we recommend that you avoid storing the Personally Identifiable Information (“PII”) of your customers. However, if you do store PII, it must be encrypted at rest.
Guidance: PII includes any information that could be used to identify an individual, including:
  • Name
  • Email address and phone number
  • Physical address
  • Bank account and card numbers

Item: Statements
Explanation: Regulations require that you allow End Users to retrieve monthly account statements for every account they own.
Guidance: Ensure you can access the relevant monthly statement information through Unit’s API and present it to the End User through your app or site.
⇨ Unit minimizes the work you need to do by offering a Statements API.

Item: Terms & Conditions (“T&Cs”)
Explanation: You must collect End User consent to the relevant T&Cs before calling the Unit API to create applications.
Guidance: T&Cs should be displayed clearly on all devices, typically in the footer of your website.
  • A customer’s acceptance of the T&Cs should be captured in your database and linked to that customer so the record can be retrieved later for legal or compliance purposes.
  • T&Cs should be displayed on your website at all times so potential customers can view them before providing their information to open an account.
  • If you pay interest to your customers, you will need to consider a form of dynamic disclosures that will allow you to properly update your T&Cs when rates change.
⇨ See the Compliance Pre-Launch Checklist for further guidance.
This checklist item is satisfied if you use Unit's Application Form.

Item: End User Onboarding
Explanation: You must display certain disclosures during the account opening process and in all marketing materials.
Guidance: ⇨ See the Compliance Pre-Launch Checklist for further guidance.
This checklist item is satisfied if you use Unit's Application Form.
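The Idempotency item above requires a unique key on every payment operation. The point that is easy to get wrong is that the key must be minted once per logical payment and reused on retries, so a lost response does not become a second ACH origination. The following is an added example and not Unit's code: the JSON:API-style request shape and the "idempotencyKey" attribute name are assumptions made for illustration (check Unit's API docs for the real field), and the server is a constructed in-memory stand-in that also simulates a dropped response.

```python
# Added example, not Unit's code: an idempotency key must be minted once per logical
# payment and reused on every retry. The JSON:API-style request shape and the
# "idempotencyKey" attribute name are assumptions; the server is a constructed stand-in.
import hashlib
import json
import uuid

class FakePaymentServer:
    """Stand-in for the API plus a flaky network: commits, dedupes by key, drops the first response."""
    def __init__(self):
        self.seen = {}  # idempotency key -> (payload fingerprint, payment id)
        self.calls = 0

    def create_payment(self, payload):
        key = payload["data"]["attributes"]["idempotencyKey"]
        fp = hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()
        if key in self.seen:
            old_fp, payment_id = self.seen[key]
            if old_fp != fp:  # same key, different payment: refuse rather than guess
                raise ValueError("idempotency key reused with a different payload")
            return {"id": payment_id, "replayed": True}
        payment_id = f"payment-{len(self.seen) + 1}"
        self.seen[key] = (fp, payment_id)
        return {"id": payment_id, "replayed": False}

    def post(self, payload):
        result = self.create_payment(payload)  # the payment is committed here...
        self.calls += 1
        if self.calls == 1:
            raise TimeoutError("response lost")  # ...but the client never hears about it
        return result

def ach_credit_request(account_id, amount_cents, description, idem_key):
    """Build one ACH credit payload (constructed sample shape)."""
    attrs = {"amount": amount_cents, "direction": "Credit",
             "description": description, "idempotencyKey": idem_key}
    return {"data": {"type": "achPayment", "attributes": attrs, "relationships": {
        "account": {"data": {"type": "depositAccount", "id": account_id}}}}}

def pay(server, account_id, amount_cents, description, fresh_key_per_attempt=False):
    """Up to three attempts; the key is minted once and reused (the flag shows the bug to avoid)."""
    idem_key = str(uuid.uuid4())  # in production, store this with the pending payment first
    for _ in range(3):
        if fresh_key_per_attempt:
            idem_key = str(uuid.uuid4())  # a new key turns the retry into a second payment
        try:
            return server.post(ach_credit_request(account_id, amount_cents, description, idem_key))
        except TimeoutError:
            continue  # status unknown, but the same key makes the retry safe
    raise RuntimeError("payment status unknown after retries: reconcile before resubmitting")
```

With a fixed key the retry is replayed and exactly one payment exists; with a fresh key per attempt the same scenario leaves two payments on the server.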

Compliance Checklist

Due Diligence

Before we present you to the bank partner for formal approval, we need the following information from you.

Item: Complete Due Diligence Questionnaire
Explanation: You must complete this questionnaire, which requests basic background information about your organization, your business model, and your customer base.
Guidance: You may complete the questionnaire before your due diligence call with the compliance team, or the compliance team can complete it with you during the call.
⇨ You can find this questionnaire in your Client Folder.

Item: Provide Security Information
Explanation: You must demonstrate that you have implemented a program to ensure your systems are secure and that any vulnerabilities have been addressed.
You will need to provide us with a copy of your organization’s:
  • System diagram
  • Information security policy
  • Incident response policy
  • End User privacy policy
Guidance:
  • Unit can provide you with templates for an information security policy and an incident response policy, but you will need to modify them to address your organization.
  • The system diagram should describe at a high level your security, infrastructure, and data flows and storage (particularly related to PII and other sensitive information).
  • The privacy policy is specific to your interactions with your customers and is unrelated to the financial product you are offering.

Item: Provide Business Continuity Information
Explanation: You must demonstrate that you have a business continuity plan in place to address threats to your business such as system outages and natural disasters.
Guidance:
  • Your plan must address technical elements, such as disaster recovery plans and timeframes, and an asset inventory.
  • It must also address business topics, such as identification of critical business functions and a plan for restoring normal business operations.
⇨ Unit offers business process templates for you to use, but you will be required to customize them based on your operations.

Item: Provide Vendor List
Explanation: You must provide Unit with a list of all vendors, along with an assessment of each one’s criticality to your organization and the risk each poses to your operations.
Guidance: Criticality may be related to, but is not equal to, risk. For example, AWS may be critical to your operations, but its redundancies and high availability may make it a low-risk vendor.
⇨ Your list of accounts payable is often a good place to find all your vendors.

Item: Provide Financials
Explanation: You will need to provide Unit with your current financial statements.
Guidance: Unit’s minimum requirement is that you have 12 months of capital to sustain your current burn rate.
⇨ Two years of audited financials are preferred, but we accept a 12-month history of your balance sheet and a P&L statement.

Item: Provide Pitch Deck
Explanation: You will need to provide basic documentation so we can better understand your product and company.
Guidance: In particular, you will be asked to provide:
  • Terms & Conditions governing the relationship between you and your End Users, unrelated to any financial product.
  • A presentation deck that describes your company and the solution you are offering, your target market, potential growth/revenue streams, founders, investors, etc.

Pre-Launch

Before we hand over API keys to the production environment (i.e., before you are able to onboard customers), you must complete the following items.

Item: Ensure Sufficient Insurance Coverage
Explanation: You must purchase insurance coverage that meets Unit’s requirements to ensure you are properly protected against unforeseen challenges or negative events.
Guidance: Unit requires the following types of insurance:
  • General Liability
  • Professional Liability (Errors & Omissions)
  • Cyber Liability and Privacy
  • Crime
  • Workers Compensation
⇨ See the Insurance Guide for further guidance.

Item: Develop T&Cs
Explanation: You must develop the relevant T&Cs and collect End User consents, including:
  • E-Sign
  • Account terms
  • Privacy policy
Guidance: Unit offers template T&Cs that you may use, but you must review and finalize them with us and your counsel before going live. After the due diligence call, Unit will draft your T&Cs and share them with you for your review.
⇨ Review the T&Cs item in the Tech Checklist above.

Item: Develop End User Disclosure
Explanation: You must display a disclaimer on any webpage, mobile app or marketing material that discusses a financial product.
Guidance: Most clients display disclosures in the footer of their website or mobile application.
  • For any bank account: [Client Name] is a financial technology company and is not a bank. Banking services provided by [Bank]; Member FDIC.
  • For a bank account with a debit card: [Client Name] is a financial technology company and is not a bank. Banking services provided by [Bank]; Member FDIC. The [Client Name] Visa® Debit Card is issued by [Bank] pursuant to a license from Visa U.S.A. Inc. and may be used everywhere Visa debit cards are accepted.

Item: Confirm ACH Authorization
Explanation: If your customers can initiate an ACH debit, you must provide the proper ACH disclosures.
Guidance: The compliance team will work with you to draft this disclosure during the Onboarding process, if needed.
⇨ You can find a template ACH Authorization disclosure in your Client Folder.

Item: Onboard Your Organization
Explanation: You will need to complete our CIP process to formally onboard your organization onto the Unit platform.
Guidance: The link to complete this process is https://apply.unit.co/.

Item: Review the Deposit Agreement
Explanation: You will need to agree to Unit’s Deposit Agreement prior to funding your Reserve Account and onboarding customers.
Guidance: We will send this agreement to you via DocuSign once you have successfully onboarded your organization to the Unit platform.

Item: Fund Your Reserve Account
Explanation: You will need to fund your Reserve Account according to the terms set out in your Client Services Agreement before onboarding any customers.
Guidance: ⇨ Please contact Unit for further guidance on the Reserve Account.

Penetration Testing

Item: Penetration Test Scope
Explanation: In a penetration test, test/fake accounts are created by the tested party for a penetration tester (usually a vendor hired for the purpose) to use. These accounts can then be canceled after the test, and all transactions / funds are “returned”.
Guidance: Penetration tests should cover:
  • Network
  • Web
  • Mobile applications (if applicable)
  • Other APIs (especially with financially-relevant partners)

Item: Penetration Test Results
Explanation: Before you reach 50 customers on Unit, you must provide us with the results of a recent penetration test.
Guidance: If you have conducted a pen test in the last 12 months:
  • If the results are satisfactory (no medium or high findings) or include a sufficient mitigation plan, we do not require another full test. However, we do require a connection-focused penetration test before you reach 50 customers. The focus of this test is the addition of Unit functionality and the effects it will have on you and your customers.
  • If the results are not satisfactory (some medium or high findings) and do not include a sufficient mitigation plan, we will require a full penetration test following launch and before you reach 50 customers, including a test of your connections to Unit.
If you have not conducted a pen test in the last 12 months:
  • We will require a full penetration test following launch and before you reach 50 customers, including a test of your connections to Unit.
⇨ We can recommend a penetration test vendor, if needed.

Operations Checklist

Item: Ensure Customer Support process is set up
Explanation: You will need to set up a Customer Support process prior to onboarding customers.
Guidance: You will need to set up a Customer Support process and select an appropriate tool (e.g. ZenDesk) so that customer support tickets can be routed through your interface to Unit.
⇨ See the Customer Support Guide for further guidance.

Item: Submit card design
Explanation: You will need to develop and submit a card design template to begin the card issuance process.
Guidance: You will work on the card design and issuance process with Unit’s operations team.
⇨ See the Card Issuance Guide for further guidance.