Safeguarding our clients’ money
Keeping our clients’ money safe is really important. And it’s part of what makes us a trusted partner of choice.
Payments services for Payment Network are provided by The Currency Cloud Limited. As a payment services provider, Currencycloud receives, collects and stores funds for our clients, as well as facilitating FX conversions and processing outbound payments. Any funds (e-money) held on behalf of our clients, for the provision of a conversion or payment service, are subject to safeguarding, making sure that our clients’ funds are always protected and can be issued back, should Currencycloud go into administration or liquidation. Unlike holding money in a standard bank account, all of our clients’ funds are protected, regardless of the value.
How we are regulated
Payment Safeguarding is a key consumer protection measure required by the Electronic Money Regulations and the Payment Services Regulations. The Currency Cloud Ltd (Currencycloud) is an authorized Electronic Money Institution (EMI) and the firm’s reference number is 900199. The Currency Cloud Limited is regulated by the Financial Conduct Authority (FCA) under the Electronic Money Regulations 2011 and Payment Services Regulations 2017.
How we safeguard our clients’ funds
Currencycloud separates clients’ funds from its own company funds and places them in safeguarding accounts held with reputable UK and EU banks. If the business were to become insolvent, the funds held in our safeguarding accounts would form an asset pool from which claims of the e-money holders (our clients) would be paid above those of other creditors. The bank(s) or authorized credit institutions have no rights over funds in Currencycloud’s safeguarding accounts. Currencycloud has no rights over our clients’ accounts (other than where specified in our Terms and Conditions).
Physical security
Our service operates on Amazon Web Services (AWS), which is certified under a number of global compliance programmes that underline best practices in data centre security:
- ISO 27001 Information Security Management Controls
- PCI-DSS Level 1 Payment Card Standards
- ISO 27018 Personal Data Protection
- SSAE16/SOC 1, SOC 2 and SOC 3
- FIPS United States Government Security Standards
For the full list of AWS compliance programs, see: https://aws.amazon.com/compliance/pci-data-privacy-protection-hipaa-socfedramp-faqs/
More information about AWS data centre controls may be found here: https://aws.amazon.com/compliance/data-center/controls/
We have dedicated systems in place to protect against Distributed Denial of Service (DDoS) attacks as well as man-in-the-middle attacks. We use reputable registrars to protect against domain hijacking and “phishing” attacks. Our platform undergoes regular penetration testing and has protection in place against common vulnerabilities like code injection attacks and cross-site scripting attacks.
All network traffic is encrypted at a transport level and confidential information is encrypted at rest. We use best practices in terms of encryption key storage and security.
The platform and its operational security are certified under ISO/IEC 27001:2013, the international best practice standard for Information Security Management Controls, which is independently audited. We also comply with best practices and regulations pertaining to the management of personal data under the UK Data Protection Act (DPA), as well as the upcoming European Union General Data Protection Regulation (GDPR).
Strong access control
The platform provides a role-based, hierarchical security model with two-step authentication and multi-factor authentication for sensitive systems. All access is logged and audited for suspicious behaviour.
Please contact us via XXX-XXX-XXXX or email firstname.lastname@example.org for further information on the security measures we have in place.