How Bankjoy Raises the Bar on Security - By Michael Carroll, CTO of Bankjoy

Introduction

Security is top of mind for credit unions and community banks when it comes to digital banking. Bankjoy not only takes this concern extremely seriously, but strives to make it a competitive differentiator. By leveraging best-in-class third-party security tools and using state-of-the-art infrastructure, processes and controls, we work actively to provide the highest level of cybersecurity to our clients.

Bankjoy is SOC2 compliant and Type 2 audited annually. We are happy to provide our SOC2 report to clients upon request. As further proof of our high security standards, here are other ways Bankjoy ensures data security in an increasingly shared digital space.

1) Account and Payments Security

User Authentication

Bankjoy uses multi-factor authentication and strong username and password format requirements to authenticate digital banking login attempts. Users must enter a temporary passcode sent to their email or cell phone after inputting the correct username and password. This adds an extra layer of security to the sign-in process, with minimal additional effort from the user.

Mobile Biometric Login Option

On mobile devices that support it, app users can choose to turn on Apple- or Android-specific biometrics (such as Face ID or Touch ID) or set a unique 6-digit PIN. Once enabled, this replaces the need to enter a username and password upon login.

“Step up” Authentication

Bankjoy supports additional layers of security for certain activities. For instance, multi-factor authentication can also be required for updates to contact info and external money transfers.

Account Opening Identity Verification

Bankjoy uses leading optical recognition and AI solutions to verify the identity of users who attempt to open a new account with a financial institution. Most online account opening products require users to upload a valid government ID, but users must often finish the account opening process at a branch to verify their identity. With Bankjoy, however, new customers can upload their ID and take a selfie during the account opening process, and AI can match the photo on the ID to the selfie that was taken.

Know Your Customer (KYC) and Anti-Money Laundering (AML) Compliance

During the account opening process, a user’s name and profile are compared against ChexSystems, OFAC, and additional international sanctions lists to comply with federal KYC and AML regulations.

ACH Fraud Prevention

Bankjoy prevents ACH fraud using three methods: micro-deposits, ACH limits, and third-party fraud detection services. Each of these provides a distinct layer of protection for maximum ACH security. Business customers can set up customized, role-based permissions for their employees and require approval from the business account’s administrator before any ACH transfer goes through. This also helps prevent ACH fraud.

2) Application Security

To maintain application security, Bankjoy has multiple security precautions in place to protect your bank and your customers’ information, such as data sanitization, session security, blurring minimized apps, reCAPTCHA to protect from malicious software, policies against weak passwords, and SQL parameter sanitization.

Penetration testing

To minimize the risk of a security breach, Bankjoy utilizes third-party security experts to perform detailed penetration tests on Bankjoy’s infrastructure.

3) Infrastructure Security

Cloud Security

As a modern, software-as-a-service company, Bankjoy stores its data in the cloud. Cloud-based infrastructure is far more secure and scalable than the traditional method of using local storage. Bankjoy is hosted on Microsoft Azure, which has world-renowned data centers and industry-leading physical security systems.

Bot & API Security

As the banking industry continues to leverage more APIs, banks should make sure their fintech partner has a platform that accounts for content delivery network (CDN) asset caching, API rate-limiting, and distributed denial-of-service (DDoS) attack mitigation. Bankjoy leverages Cloudflare for these purposes. Bankjoy also has tools in place, such as Shape Security, that identify bots and automated requests and prevent them from gaining access.

Patching & Scanning

The importance of scanning for and patching vulnerabilities cannot be overstated. Bankjoy’s system patching and upgrade processes adhere to SOC2 guidelines, as well as other industry standards and best practices.

Encryption

With Bankjoy, all data is encrypted at rest, with additional field-level encryption applied to sensitive data elements. External traffic is encrypted and verified by a leading third-party certificate authority.

4) Operational Policies and Practices

Incident Reporting

Should a cybersecurity incident happen, your bank’s fintech partner should be prepared with a reporting plan in place. Bankjoy’s employees have a designated protocol for security events, which includes escalation guidelines, communication procedures, and follow-up reports.

Employee Policies & Training

Bankjoy has thoroughly outlined standards, procedures, and guidelines for information security. Our employees are trained to understand these policies and their importance, from the time they are onboarded and throughout their employment.

Business Continuity

For critical issues such as outages, security-related issues, fraud, and authorized access issues, Bankjoy’s clients have access to 24/7 support. In the event of an incident, our team has a designated plan to restore services to the maximum extent in the least amount of time. This plan documents roles and responsibilities, escalation procedures, and continuity strategies for critical services.

Conclusion

No bank wants to fall victim to a cyber attack or data breach. The reputational damage alone can do major harm to your brand, not to mention the financial costs associated with a security incident. However, with Bankjoy’s high security standards, your bank can achieve its digital initiatives without being exposed to added risk.