CorporateConnect Security: Encryption, MFA, Fraud Controls and FFIEC Alignment

Security Posture at a Glance

CorporateConnect protects client payments and data with TLS 1.3 in-transit encryption, AES-256 at-rest encryption, FIDO2 passkey multi-factor authentication, mandatory dual authorization on wires and ACH above configured thresholds, positive pay, payee positive pay, role-based access control, and an immutable seven-year audit log. Controls are externally validated by an annual SOC 2 Type II attestation and mapped to FFIEC authentication guidance. The platform has processed $1.4 trillion in annual payment volume with no breach of client funds or data.

Encryption in Transit and at Rest

All network traffic to and from CorporateConnect is encrypted with TLS 1.3 and perfect forward secrecy. Stored data uses AES-256 with keys rotated every 90 days inside FIPS 140-2 Level 3 hardware security modules.

TLS 1.0, TLS 1.1 and weak cipher suites (RC4, 3DES, CBC-mode with SHA-1) are rejected at the edge. Certificate pinning is applied on the CorporateConnect mobile apps. Account and routing numbers are additionally tokenized in the database so that a compromised read-replica cannot expose plaintext payment identifiers. Backup archives are encrypted with separate keys, stored in a geographically distinct region and tested with a quarterly restore drill.

NIST SP 800-52 Rev. 2 (the standard cited in the control inventory below) sets TLS 1.2 as the minimum acceptable version and requires servers to support TLS 1.3, and CISA guidance likewise treats TLS 1.2 as the floor. CorporateConnect standardizes on TLS 1.3, one generation ahead of the minimum.

Multi-Factor Authentication and FIDO2

FIDO2 passkeys are the default strong authenticator on CorporateConnect. Soft tokens and SMS serve as fallback, and SMS can be disabled entirely by the company administrator.

CorporateConnect supports three MFA methods. FIDO2 hardware keys (YubiKey 5 series, Google Titan, Feitian) and platform authenticators (Touch ID, Windows Hello) sign a server-issued challenge that is bound to the site's origin, so a credential exercised on a lookalike domain produces a signature the real site will not accept; that origin binding is what makes the factor phishing-resistant. Soft tokens via the CorporateConnect Authenticator app generate RFC 6238 TOTP codes from a seed held in the device keychain, rotating every 30 seconds. SMS one-time passcodes are supported but explicitly discouraged by FFIEC for high-risk transactions; administrators may require FIDO2 for any user who initiates or approves payments.

Step-up authentication triggers automatically when session risk crosses a threshold — new device, impossible travel, IP reputation anomaly, or transaction dollar value above configured tier. A high-risk event forces re-authentication with the strongest factor the user has enrolled, regardless of their default.
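The risk evaluation described above, written out as an added Python example (not CorporateConnect's own engine): each signal is evaluated independently, the reasons are collected for the audit log, and a step-up forces the strongest factor the user has enrolled. The dollar tier, the 900 km/h impossible-travel ceiling, the device and IP-reputation inputs and the coordinates are all assumptions constructed for the example; the product configures the thresholds per client.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Factor strength ordering: a step-up always demands the strongest factor enrolled.
FACTOR_RANK = {"sms": 1, "totp": 2, "fido2": 3}

# Assumed tier values for this example; in the product both are configured per client.
STEP_UP_AMOUNT = 25_000.0      # transactions at or above this tier force re-authentication
MAX_PLAUSIBLE_KMH = 900.0      # faster than an airliner between two sessions = impossible travel


@dataclass
class SessionEvent:
    device_id: str
    ip_reputation: str          # "clean" or "suspicious" (assumed output of a reputation feed)
    lat: float
    lon: float
    ts: int                     # epoch seconds
    amount: float = 0.0         # 0 for a plain login, otherwise the payment being initiated


@dataclass
class UserProfile:
    known_devices: Set[str]
    enrolled_factors: Set[str]  # subset of FACTOR_RANK keys
    last_lat: Optional[float] = None
    last_lon: Optional[float] = None
    last_ts: Optional[int] = None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two latitude/longitude points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def assess(event: SessionEvent, profile: UserProfile) -> Tuple[str, Optional[str], List[str]]:
    """Return (decision, required_factor, reasons); decision is "allow" or "step_up"."""
    reasons: List[str] = []
    if event.device_id not in profile.known_devices:
        reasons.append("new_device")
    if profile.last_ts is not None and profile.last_lat is not None and profile.last_lon is not None:
        km = haversine_km(profile.last_lat, profile.last_lon, event.lat, event.lon)
        # Clamp the interval to >= 1 s: avoids divide-by-zero, and an out-of-order or
        # simultaneous session from a distant location is flagged rather than ignored.
        hours = max(event.ts - profile.last_ts, 1) / 3600.0
        if km / hours > MAX_PLAUSIBLE_KMH:
            reasons.append("impossible_travel")
    if event.ip_reputation != "clean":
        reasons.append("ip_reputation")
    if event.amount >= STEP_UP_AMOUNT:
        reasons.append("amount_tier")
    if not reasons:
        return "allow", None, reasons
    strongest = max(profile.enrolled_factors, key=lambda f: FACTOR_RANK[f])
    return "step_up", strongest, reasons
```

Two design points worth keeping when adapting this: the reasons list is returned rather than collapsed into a score, so the audit log records why a step-up fired; and the required factor is chosen from what the user has actually enrolled, which is why an SMS-only user still gets a step-up (to SMS) rather than silently passing, and why administrators should require FIDO2 enrollment for payment users so the step-up has something strong to escalate to.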

Security Control Inventory

A factual list of the security controls enforced on every CorporateConnect session and transaction.

Control              Category              Standard alignment         Enforcement
-------------------  --------------------  -------------------------  --------------------------------
TLS 1.3              Transport encryption  NIST SP 800-52 Rev. 2      Always on; TLS 1.0/1.1 rejected
AES-256              At-rest encryption    FIPS 197                   All DB columns and backups
FIDO2 passkey        Authentication        FFIEC 2021 guidance        Default for payment users
Soft token TOTP      Authentication        RFC 6238                   Fallback; 30 s rotation
Dual authorization   Payment control       FFIEC Wholesale Payments   Configurable dollar threshold
Positive pay         Check fraud           UCC Article 4              Daily exception review by 2pm CT
Payee positive pay   Check washing         Industry best practice     Payee name match enforced
Role-based access    Authorization         NIST RBAC model            Per entity, per account
Immutable audit log  Forensics             SOX; SEC Rule 17a-4        7-year retention
SOC 2 Type II        Attestation           AICPA TSC                  Annual independent audit
24/7 fraud hotline   Incident response     FFIEC BCP handbook         Avg 47 s to human
FinCEN SAR program   AML                   BSA, 31 USC 5318(g)        Continuous monitoring

Fraud Protection and Positive Pay

Positive pay, payee positive pay and ACH debit filters block unauthorized debits before they settle.

Check fraud remains the single most reported payments fraud category in Federal Reserve and FinCEN advisories. CorporateConnect counters it with a three-layer check program: positive pay matches serial number and amount; payee positive pay additionally matches the payee line using optical character recognition against the uploaded issue file; reverse positive pay is offered for low-volume clients that prefer a review-all workflow. Exceptions route to an in-portal queue before the 2pm Central cutoff daily.

On the ACH side, CorporateConnect offers ACH debit filtering (block by default, allow by originator company ID), ACH debit blocks (reject all debits), and ACH positive pay (review incoming debits against an allow list). Every blocked debit is logged with the originator company ID, the SEC (Standard Entry Class) code, and the reason code that triggered the rule.
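The check positive pay matching and the ACH debit rules from the two paragraphs above, as one added Python example written for this page (not CorporateConnect's matching engine). It shows the order of checks that matters in practice: an unissued serial, a duplicate presentment, an amount mismatch and a payee mismatch each produce a distinct reason code for the exception queue, and the payee comparison is normalized so an OCR reading of "ACME CORP" matches an issue-file entry of "Acme Corp." while an altered payee still fails. The issue file, allow-list rules and reason-code names are constructed for the example.

```python
import re
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Optional, Set, Tuple

Decision = Tuple[str, Optional[str]]   # (action, reason code or None)


@dataclass(frozen=True)
class IssuedCheck:
    serial: str
    amount: Decimal
    payee: str


@dataclass(frozen=True)
class PresentedCheck:
    serial: str
    amount: Decimal
    payee_ocr: str      # payee line as read from the presented item (constructed sample data)


def normalize_payee(name: str) -> str:
    """Upper-case, drop punctuation and collapse whitespace so 'Acme Corp.' == 'ACME CORP'."""
    return " ".join(re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split())


def positive_pay_decision(issue_file: Dict[str, IssuedCheck], paid_serials: Set[str],
                          item: PresentedCheck, payee_match: bool = True) -> Decision:
    """Positive pay (serial + amount) with optional payee positive pay; 'pay' or 'exception'."""
    issued = issue_file.get(item.serial)
    if issued is None:
        return "exception", "SERIAL_NOT_ISSUED"
    if item.serial in paid_serials:
        return "exception", "DUPLICATE_PRESENTMENT"
    if issued.amount != item.amount:
        return "exception", "AMOUNT_MISMATCH"
    if payee_match and normalize_payee(issued.payee) != normalize_payee(item.payee_ocr):
        return "exception", "PAYEE_MISMATCH"       # the check-washing case
    paid_serials.add(item.serial)
    return "pay", None


@dataclass(frozen=True)
class AchDebit:
    company_id: str     # originator company ID carried in the ACH entry
    sec_code: str       # Standard Entry Class code, e.g. CCD or PPD
    amount: Decimal


def ach_debit_decision(allow_list: Dict[str, dict], debit: AchDebit, mode: str = "filter") -> Decision:
    """mode 'block' rejects every debit; 'filter' rejects anything off the allow list;
    'positive_pay' routes off-list debits to review instead of rejecting them."""
    if mode == "block":
        return "reject", "DEBIT_BLOCK"
    off_list = "review" if mode == "positive_pay" else "reject"
    rule = allow_list.get(debit.company_id)
    if rule is None:
        return off_list, "COMPANY_ID_NOT_AUTHORIZED"
    if rule.get("sec_codes") and debit.sec_code not in rule["sec_codes"]:
        return off_list, "SEC_CODE_NOT_AUTHORIZED"
    if rule.get("max_amount") is not None and debit.amount > rule["max_amount"]:
        return off_list, "OVER_AUTHORIZED_AMOUNT"
    return "post", None


def blocked_debit_log(debit: AchDebit, decision: Decision) -> str:
    """One audit line per blocked debit: action, originator company ID, SEC code, amount, reason."""
    return (f"ach_debit action={decision[0]} company_id={debit.company_id} "
            f"sec={debit.sec_code} amount={debit.amount} reason={decision[1]}")
```

Amounts are `Decimal`, not float, because a float comparison of "1250.00" against a presented 1250.0000001 would either falsely pass or falsely except depending on rounding; the paid-serial set is what turns a re-presented copy of a legitimately paid check into an exception rather than a second payment.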

FFIEC Alignment and Regulatory Oversight

CorporateConnect maps every authentication and authorization control to FFIEC Authentication and Access to Financial Institution Services and Systems guidance.

The FFIEC publishes joint guidance on layered security, customer awareness education, transaction risk assessment and incident response. CorporateConnect submits a control-to-guidance crosswalk to its lead regulator annually. Customer awareness material is delivered inside the portal on a quarterly schedule and on first login after any enrollment change.

In addition to FFIEC, the program aligns to NIST CSF 2.0 for enterprise cyber governance, PCI-DSS 4.0 for business credit card controls, and NACHA Operating Rules for ACH origination risk management. The lead regulator is the Office of the Comptroller of the Currency, which examines the program annually under the Bank Service Company Act.

Security Frequently Asked Questions

What encryption does CorporateConnect use?
TLS 1.3 for in-transit with perfect forward secrecy; TLS 1.0/1.1 rejected. AES-256 at-rest with keys rotated every 90 days in FIPS 140-2 Level 3 HSMs. Account numbers additionally tokenized.
What multi-factor authentication does CorporateConnect offer?
FIDO2 passkeys (hardware keys and platform authenticators), mobile soft tokens via the CorporateConnect Authenticator app, and SMS as fallback. Administrators can disable SMS and require FIDO2 for payment-initiation users, aligned with FFIEC guidance.
Is CorporateConnect SOC 2 Type II certified?
Yes. Annual SOC 2 Type II attestation covering Security, Availability, Confidentiality and Processing Integrity trust service criteria, performed by an independent Big Four firm. Reports available to active clients under NDA.
How does positive pay protect my accounts?
Positive pay matches presented checks against your pre-authorized issue file, and ACH positive pay matches incoming debits against your authorized-originator list. Mismatches route to an exception queue for decision before 2pm CT. Payee positive pay additionally validates the payee name, defeating check washing.
How quickly does CorporateConnect respond to fraud reports?
24/7 fraud hotline at 800-462-6583 option 7. Average time to first human response is 47 seconds. Wire recall requests are sent to the beneficiary bank via Fedwire within 24 hours; because a Fedwire transfer is final once settled, return of the funds depends on the beneficiary bank's cooperation. ACH reversals are originated within 5 business days per NACHA rules.

Related Services

Deepen your understanding of how CorporateConnect protects commercial payments.

User Management

Role-based access control, dollar limits and four-tier approval chains.

Secure Login Guide

Step-by-step sign-in including FIDO2 passkey enrollment.

Wire Security Controls

Dual authorization thresholds, callback verification and recall procedures.

Help Centre

Security topic library and self-service MFA recovery steps.