Security


Here’s how we look after your money

Security and compliance are of paramount importance to Bell Rock. We adhere to strict and stringent regulations and have robust internal controls in place to safeguard your funds and minimise any risks to the business or your money.

All transactions are initiated using a secure payment system which ensures each payment is approved internally by multiple users and processed by our Tier 1 partners.

As required by the Payment Services Regulations 2009, your funds are permanently held in segregated bank accounts in leading Tier 1 banks and so cannot be claimed by creditors. Your funds are always protected, as they are completely independent of the business accounts and assets. Note that your funds are never used to speculate on the market.

Regulation

Bell Rock Financial Ltd (Company No. 12002081) carries out its FX and payment services through its subsidiary BRF Payments Ltd (Company No. 12231878). BRF Payments Ltd is authorised and regulated through The Currency Cloud, which itself is regulated in the UK, Canada, the Netherlands and the United States.

United Kingdom
Authorised by the FCA under the Electronic Money Regulations 2011 and the Payment Services Regulations for the issuing of electronic money and the provision of payment services, with FCA registration number 900199.

Netherlands
Authorised by De Nederlandsche Bank (DNB) for the issuing of electronic money, with DNB relation number R142701.

United States
Services may be provided in the United States under sponsorship by Community Federal Savings Bank, to which The Currency Cloud Limited is a service provider, or by The Currency Cloud Inc., pursuant to the money transmitter regulations of the various States where it is licensed. NMLS ID: 1428924. The Currency Cloud Inc. is registered with FinCEN under registration number 31000112572477, and is licensed for money transmission in 44 states.

Security

Technical Security

Our payment and platform provider, The Currency Cloud, is ISO/IEC 27001:2013 compliant.

Physical security

The service operates on Amazon Web Services (AWS), which is certified under a number of global compliance programmes that underline best practice in data centre security.

  • ISO 27001 Information Security Management Controls
  • PCI-DSS Level 1 Payment Card Standards
  • ISO 27018 Personal Data Protection
  • SSAE16/SOC 1, SOC2 and SOC 3
  • FIPS United States Government Security Standards

For the full list of AWS compliance programs see: https://aws.amazon.com/compliance/pci-data-privacy-protection-hipaa-soc-fedramp-faqs/

More information about AWS data centre controls may be found here: https://aws.amazon.com/compliance/data-center/controls/

Network security

We have dedicated systems in place to protect against Distributed Denial of Service (DDoS) attacks as well as man-in-the-middle attacks. We use reputable registrars to protect against domain hijacking and “phishing” attacks. Our platform undergoes regular penetration testing and has protection in place against common vulnerabilities like code injection attacks and cross-site scripting attacks.

Encryption

All network traffic is encrypted at a transport level and confidential information is encrypted at rest. We use best practices in terms of encryption key storage and security.

Information security

Our platform and operational security are certified under ISO/IEC 27001:2013, the international best-practice standard for information security management controls, which is independently audited.

We also comply with best practices and regulations pertaining to the management of personal data under the UK Data Protection Act (DPA), as well as the European Union General Data Protection Regulation (GDPR).

Strong access control

Our platform provides a role-based, hierarchical security model with two-step authentication and multi-factor authentication for sensitive systems. All access is logged and audited for suspicious behaviour.

Payment Control – Strong Customer Authentication (SCA)

SCA is covered as part of the EU Payment Services Directive (PSD2) and is a new European regulatory requirement to reduce fraud and make online payments more secure. Just as two-factor authentication (2FA) provides additional peace of mind for users logging into their Bell Rock platform, SCA does the same when it comes to making a payment. It is simply an additional security step in which users are asked to confirm that it is they who have instructed the payment.