Security & Regulation
Here’s how we look
Here’s how we look after your money
Security and compliance is of paramount importance to Bell Rock. We adhere to strict and stringent regulations and have robust internal controls in place to safeguard your funds and remove any risks to your money.
Bank accounts and payment services are provided by The Currency Cloud Limited who are authorised by the Financial Conduct Authority under the Electronic Money Regulations 2011 for the issuing of electronic money (FRN: 900199). Currencycloud provides its clients with payment/e-money accounts or e-wallets.
Our partner/payment services provider Currencycloud was acquired by Visa Inc. in December 2021 so you can be comfortable that you are working with the largest payment company in the world. Since 2012, Currencycloud has processed more than $100bn to over 180 countries, working with banks, financial institutions and Fintechs around the world, including Starling Bank, Revolut, Penta and Lunar. Based in London with offices in New York, Amsterdam, Cardiff & Singapore, Currencycloud works with partners to deliver simple, clear cross-border infrastructure solutions for clients. They are regulated in the UK, Canada, US, Australia and the EU.
How we safeguard our clients’ funds
As required by the Payment Services Regulations 2009, any funds held on behalf of our clients are subject to safeguarding, making sure that our clients’ funds are always protected and can be issued back, should the company go into administration or liquidation. Unlike holding money in a standard bank account, all of our clients’ funds are protected, regardless of the value.
All clients’ funds are totally separate from company funds and placed in safeguarding accounts held with reputable Tier 1 UK and EU banks. The safeguarding account(s) are held with Barclays Bank PLC. Barclays does not monitor the funds that are placed on the safeguarding account or how you operate these accounts. If the business became insolvent, the funds held in our safeguarding accounts would form an asset pool from which claims of the holders (our clients) would be paid above those of other creditors.
The bank(s) or authorised credit institutions have no rights over funds in Currency Cloud’s safeguarding accounts. Currency Cloud has no rights over clients’ accounts (other than where specified in the Terms and Conditions). Keeping your funds safe largely comes down to two things: separation and reconciliation.
How we are regulated
Safeguarding is a key consumer protection measure required by the Electronic Money Regulations and the Payment Services Regulations. The Currency Cloud Ltd (Currencycloud) is an authorized Electronic Money Institution (EMI) and the firm’s reference number is 900199. They are regulated by the Financial Conduct Authority (FCA) under the Electronic Money Regulations 2011 and Payment Services Regulations 2017.
The Currency Cloud is also fully regulated in the EU, US, Canada and Australia.
Authorized by the FCA under the Electronic Money Regulations 2011 and the Payment Services Regulations for issuing of electronic money and the provision of payment services with FCA registration number 900199.
Authorized by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) for the issuing of electronic money with Money Services Business (MSB) registration number M14700991.
Authorized by De Nederlandsche Bank (DNB) for the issuing of electronic money with Relation number DNB: R142701.
Services may be provided in the United States under sponsorship by Community Federal Savings Bank, to which The Currency Cloud Limited is a service provider, or by The Currency Cloud Inc., pursuant to the money transmitter regulations of the various States where it is licensed. NMLS ID: 1428924. The Currencycloud is registered with FinCEN in the USA and authorised to provide both domestic and international money transmitting services in all 50 states. We hold Money Transmitter Licenses (MTLs) in 39 states and leverage regulatory sponsorship via our network of banking partners while we actively pursue the remaining licenses.
How we keep secure
We want our clients to use Currencycloud with confidence. Your money and your data is as important to us as it is to you. Here are some of the things we do to make sure that you can use our services with peace of mind.
We use a market leading platform through our partners CurrencyCloud which is compliant with ISO27001.
The service operates on Amazon Web Services (AWS) which is certified under a number of global compliance programmes which underlines best practices in terms of data centre security.
- ISO 27001 Information Security Management Controls
- PCI-DSS Level 1 Payment Card Standards
- ISO 27018 Personal Data Protection
- SSAE16/SOC 1, SOC2 and SOC 3
- FIPS United States Government Security Standards
For the full list of AWS compliance programs see: https://aws.amazon.com/compliance/pci-data-privacy-protection-hipaa-soc-fedramp-faqs/
More information about AWS data centre controls may be found here: https://aws.amazon.com/compliance/data-center/controls/
We have dedicated systems in place to protect against Distributed Denial of Service (DDoS) attacks as well as man-in-the-middle attacks. We use reputable registrars to protect against domain hijacking and “phishing” attacks. Our platform undergoes regular penetration testing and has protection in place against common vulnerabilities like code injection attacks and cross-site scripting attacks.
All network traffic is encrypted at a transport level and confidential information is encrypted at rest. We use best practices in terms of encryption key storage and security.
Our platform and operational security is certified under ISO/IEC 27001:2013, the international best practice standard for Information Security Management Controls which is independently audited.
We also comply with best practices and regulations pertaining to the management of personal data under the UK Data Protection Act (DPA), as well as European Union General Data Protection Regulation (GDPR).
Strong access control
Our platform provides a role based, hierarchical security model with two-step authentication and multi-factor authentication for sensitive systems. All access is logged and audited for suspicious behaviour.
Payment Control – Strong Customer Authentication (SCA)
SCA is covered as part of the EU Payments Services Directive (PSD2) and is a new European regulatory requirement to reduce fraud and make online payments more secure. Similar to how two-factor authentication (2FA) provides additional peace of mind for users logging into their Bell Rock platform, SCA performs a similar job when it comes to making a payment. It’s simply an additional security step where users will be asked to confirm it is them who have instructed the payment.