Stability and security

You need services you can rely on. That requires a partner that is secure and stable.

Your service provider should be continually testing, debugging and maintaining its services to provide you with the peace of mind that you can offer a great payment experience to your customers. Any provider should also be embedding information security in everyday business processes to ensure data is handled securely.

When assessing a provider’s stability, you should consider uptime and operational resilience.

Downtime can and does happen, but your provider should be able to clearly communicate what caused any periods of downtime. For example:

• Was it scheduled maintenance or an unexpected problem?
• How long did it take to discover?
• How long did it take to fix?
• How many end customers were affected?
• How were end customers notified of any problem?
• What work has happened to prevent this type of problem in the future?

When assessing a provider’s security, you should consider its systems, processes and overall approach to proactively managing its systems to provide robust services. Information security (InfoSec) is critical to ensuring your provider’s payment platform and supporting systems and services are resilient and minimising any potential impact of a security incident. This includes:

• A threat modelling programme, mitigating any potential vulnerabilities.
• A security programme based on a recognised standard.
• Independent third-party auditing of its security programme
• A clear protocol for release management.
• An independent third-party penetration testing programme of its infrastructure.

• Do you have an active status page on the client portal displaying real-time information?
• What was your uptime in the previous 6 months?
• What is your approach to information security?
• What are your security policies to maintain the confidentiality, integrity and availability of systems and data?
• How do you maintain appropriate physical, technical, and administrative security controls?
• How do you communicate and run updates?

ClearBank ensures processes relating to security, risk and operational procedures are thoroughly documented and used in day-to-day activities throughout the organisation. These processes are in place to ensure consistency in how we operate, mitigate risks and ensure resilience.

We have a dedicated security team managed by our Chief Information Security Officer (CISO) and comprised of the following areas:

• Security Governance Risk and Compliance (SecurityGRC): ensuring we maintain appropriate physical, technical, and administrative security controls to manage our exposure to information security-related risk effectively and to satisfy relevant legal, regulatory and scheme compliance requirements consistently.
• Security Operations (SecOps): continuously monitoring and analysing our security procedures that defend against security breaches and mitigate security risks. This team also oversees cyber incident investigation and response.
• Security Engineering: overseeing all engineering, implementation, and monitoring tasks relating to security measures protecting our computer systems, networks, and information. This includes identifying and defining system security requirements, designing security architecture, and developing cyber security designs.
• Identity and Access Management (IAM): ensuring that the right people or machines have access to the right assets at the right time for the right reasons while keeping unauthorised access at bay.

Our Information Security Risk (ISR) management structure is based on the 3-line model and enables ClearBank, within its defined appetite for risk, to identify and manage ISR exposure. This is supported by having appropriate policies, procedures, governance, systems, and tools in place to enable effective risk management.

ClearBank’s Information Security Management System (ISMS) is certified to ISO 27001 standards comprising 114 implemented controls in total among 14 categories which are used to assess us, our data, and our information security management system. ClearBank’s Business Continuity Management System (BCMS) is certified to ISO 22301. This standard comprises a set of fulfilled requirements that prepares for and reduces the likelihood and impact of interruptions to our services to our clients.