Digital Banking Security Controls for Business Clients
Boston Private takes great care to safeguard the security of your Digital Banking transactions.
This article applies to the Digital Banking platform, launched in November 2019.
This article applies to Business Edition and Corporate Edition where noted.
We have established the following standard Digital Banking security controls:
Client Validation, Verification and Login
Before clients can use Digital Banking, they must enroll. Once approved, users will be notified of their Username and Password via Secure Mail. The initial password is temporary and will remain valid for 12 hours from issuance. After your first login, you must create a new password.
If you are a user who will be approving ACH or Wire payments in the Corporate Edition of Digital Banking, you will need to establish a security token to perform the approval action. See Using Soft Tokens with Digital Banking to learn more about using the Symantec VIP Soft Token mobile app.
Dual-factor Authentication at Login
The Digital Banking environment stores login and session statistics for all Digital Banking users. This information allows us to build a pre-login and post-login profile for each user, which can then identify unusual transactions or behavior based on the user's profile. Any activity that deviates from the user's historical profile is scored based on the differences in behavior, with a high score at login indicating the highest difference in behavior. Having a high score can trigger the dual-factor authentication at login as described below.
Each time a user logs in from a new device, they will be asked whether they would like to register the device. Registering the device tells the platform that it is a trusted device, and the user will not be prompted for dual-factor authentication again on that device unless login behavior deviates from typical patterns as noted above.
Dual-factor authentication adds an extra layer of security by taking something the user knows (Username and Password) and combining it with an additional form of authentication such as a one-time PIN. If your score at login is high as noted above, or if you are logging in from a new device, then in addition to entering your Username and Password you may request that a one-time use Secure Access Code (SAC) be sent to your email address or mobile number on file.
Dual-factor Authorization for User Administrators
To create or modify a user or administrator, you will be required to enter a one-time PIN that is sent to your email address or mobile number on file. This provides another layer of security. An alert is also sent to you stating the new user or administrator or the changes made (see “Alerts” below).
Clients can select and configure numerous automatic notifications to be sent to them when certain events occur using the “Alerts” feature. The Digital Banking System provides three types of alerts:
- Account Activity Alerts notify clients of events on their accounts such as balances, transfers, and deposits.
- Messaging Alerts notify clients of secure messages waiting for them on the Digital Banking website.
- Security Alerts notify clients of events that could potentially affect their online access. Mandatory security alerts are sent to the client when there is a change to their Username, Password, or email address/mobile phone number.
Use of the optional alerts is highly recommended. Learn more about available alerts by visiting the Managing Digital Banking Alerts article.