Standard Online Banking Security Controls for Business Clients
Boston Private takes great care to safeguard the security of your Online Banking transactions.
This article applies to the current Online Banking platform.
For business accounts, we have established the following standard Online Banking security controls:
Client Validation, Verification and Login
Before clients can use Online Banking, they must enroll. Once you are approved, you will be notified of your Access ID and initial Passcode. The initial passcode is good for one-time use, after which you must create a new passcode and select and answer three security challenge questions. If you are a client who has access to cash management functions (ACH/Wire), you will be sent a hardware token as well. The hardware token is a small device that fits on a key ring and generates a random security code when you press the button on the face of the token (35 seconds display time). Your initial login will require you to enter either a token security code or a one-time security code generated via email at the time of login.
Dual-factor Authentication at Login
The Online Banking environment stores login and session statistics for all Online Banking clients. This information allows us to build a pre-login and post-login profile for each client, which can then identify unusual transactions or behavior based on the client’s profile. Any activity that deviates from the client’s historical profile is scored based on the differences in behavior, with a high score at login indicating the highest difference in behavior. A high score can trigger dual-factor authentication at login, as described below. Dual-factor authentication adds an extra layer of security by taking something the user knows (Access ID and passcode) and combining it with an additional form of authentication such as the security challenge questions, a one-time PIN, or the hardware token. If your score at login is high as noted above, then in addition to entering the Access ID and passcode, clients without access to cash management functions (ACH/Wire) have the option of correctly answering two of the three security challenge questions originally selected at enrollment, or requesting a one-time use PIN to be sent to the e-mail address on file. Clients with cash management functions who have a high score at login will be required to enter a random security code generated from the token in addition to Access ID and passcode.
Dual-factor Authentication for Clients with Cash Management Functions (ACH/Wire Payments)
Authorized Clients will be required to enter a random number generated from the token in Online Banking to create, modify, delete and approve ACH/Wire payments. Business clients without ACH/Wire access will not need a token to conduct their Online Banking transaction activities.
Dual-factor Authorization for User Administrators
To create or modify a new user or administrator, you will be required to enter a one-time PIN that is sent to your email address on file. This provides another layer of security. An alert is also sent to you stating the new user or administrator or the changes made (see below, “Alerts”).
Alerts
Clients can use the “Notify Me Alerts” tab to select and configure numerous automatic notifications that are sent to them when certain events occur. The Online Banking System provides three types of alerts:
- Account Activity Alerts notify clients of events on their accounts such as balances, transfers, and deposits.
- Messaging Alerts notify clients of secure messages waiting for them on the Online Banking website.
- Security Alerts notify clients of events that could potentially affect their online access. Mandatory security alerts are sent to the client when there is a change to their Access ID, passcode, security challenge questions, or email address/mobile phone number.
Use of the optional alerts is highly recommended.
For more information on available alerts, go to the “Notify Me Alerts” Tab within Online Banking.