ClearBank security overview


Overview

Security is essential to protect sensitive data and prevent potential security threats. ClearBank takes security seriously and is constantly working to stay ahead of potential risks to ensure the safety of our clients and our company.

We understand that the services we provide, and the data entrusted to us, are critical to your business. As your business partner, we want to provide you with the information you need to feel confident in the information security program at ClearBank.

  • ClearBank’s Information Security Management System (ISMS) is certified to ISO 27001 standards.
  • ClearBank’s Business Continuity Management System (BCMS) is certified to ISO 22301. This standard sets out the requirements for preparing for, and reducing the likelihood and impact of, interruptions to our services and clients.

These internationally recognised standards require us to continuously monitor, review and improve our controls around security practices.

Safeguarding the confidentiality, integrity and availability of our data and systems is a priority at all levels of our business. Our information security risk management approach is based on 'defence in depth', where assets are protected by multiple layers of technical, procedural and administrative controls, with each layer providing additional safeguards and defences. This approach is supported by a suite of policies, standards and procedures, and benefits from three lines of defence for comprehensive oversight.

Comprehensive security and compliance, built in

ClearBank's banking infrastructure is built on the Microsoft Azure Cloud. By building all our core systems using Microsoft Azure Cloud, ClearBank leverages Microsoft’s multi-layered security suite provided across physical data centres, infrastructure, and operations in Azure, including benefitting from Microsoft’s investment of more than USD1 billion annually on cybersecurity research and development.

Confidentiality

Microsoft Azure Cloud encrypts data both in transit and at rest to prevent unauthorised access to sensitive information. Azure’s APIs (Application Programming Interfaces) are designed with security in mind. They include authentication mechanisms and authorization checks to prevent unauthorised data access by external applications or services. ClearBank’s Information Security Risk (ISR) Framework is based on the 3 lines of defence model, supported by appropriate policies, procedures, governance, systems and tools in place to enable effective risk management across ClearBank.

Integrity

Microsoft Azure Cloud incorporates data integrity practices to safeguard against unauthorised modifications and ensure data accuracy across its lifecycle. Azure uses cryptographic hash functions to verify data integrity, employs digital signatures to ensure the authenticity of data using asymmetric encryption for verification, and continuously monitors and audits resources to detect and respond to unauthorised changes.

ClearBank clearly identifies and sets out agreed methods of controlling logical access to ClearBank information and systems. Access controls implement the principle of least privilege and segregation of duties to ensure access to the correct systems or data, with no users having full control over a complete lifecycle.

Availability

Microsoft Azure Cloud services keep ClearBank’s applications available and redirect traffic from troubled instances to healthy ones that are running smoothly. Azure takes care of ClearBank’s underlying cloud infrastructure, from provisioning to load balancing, backed by an industry-leading 99.95% service-level agreement (SLA).

ClearBank utilises Microsoft Defender for Endpoint, an enterprise endpoint security platform designed to help networks prevent, detect, investigate, and respond to advanced threats. Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats. ClearBank’s Security Operations team continuously monitors and oversees cyber incident investigation and response, and our Incident Management team is on call to resolve issues in line with PRA and FCA guidance.

Security controls at ClearBank

Policies

ClearBank policies are maintained and enforced across the organisation by their relevant policy owners and reviewed annually. Each policy sets out appropriate processes for non-compliance, including remedial action and intervention from our Board and Risk Committees.

Audit

ClearBank obtains independent external assurance from several sources, covering security controls, policies, procedures and associated governance. As an ISO 27001 certified organisation, ClearBank's ISMS is subject to annual external audits to ensure that the controls maintained to manage security risk, and the governance around those controls, remain operationally effective and evidentially validated.

Security awareness

ClearBank’s employees are trained continuously throughout the year, with security training completed at induction and annually thereafter. Developers receive specialised training in line with their role.

Phishing

ClearBank has a robust phishing program, with simulated phishing conducted on a continuous basis and training designed to educate employees on social engineering tactics.

Third party risk management

ClearBank maintains Minimum Supplier Security Requirements (MSSRs) documented on the ClearBank website (clear.bank/legal) to effectively manage our exposure to information security related risk and to consistently satisfy relevant legal, regulatory and scheme compliance requirements. We continuously monitor our Suppliers’ compliance with the MSSRs throughout their relationship with ClearBank through annual security questionnaires and evidence of third party security accreditation.

Security testing

ClearBank has a zero-tolerance approach to security breaches. We strive to provide a highly reliable and secure service to our customers and understand the importance of continuous monitoring, vulnerability scanning and penetration testing. ClearBank performs several different penetration tests.

Secure development

Security is incorporated throughout the Software Development Lifecycle. ClearBank employs a security-first development process, based on agile principles, that provides guidance on how ClearBank identifies, designs, develops and delivers software-based products, and the infrastructure as code for those products, securely. ClearBank has separate development and test environments that never use any production data. Our engineering teams have dedicated ‘Security Champions’ who undergo specialised security training renewed annually.

Application security testing

ClearBank uses a combination of automated and manual reviews to look for security vulnerabilities in code changes before they are released to production, while utilising Snyk for static application security testing. Any identified issues are addressed before changes are released, with blocking controls in place to prevent insecure changes from being deployed into production.

Distributed Denial of Service (DDoS) protection

ClearBank utilises Microsoft Azure Infrastructure DDoS. Azure DDoS Protection Standard, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks, automatically tuned by Microsoft to help protect Azure resources in a virtual network.

Intrusion detection

ClearBank uses Microsoft Azure Defender, Darktrace, Microsoft Defender for Endpoint and physical security devices combining HIDS and NIDS where applicable.

Data loss protection

ClearBank ensures that appropriate technical and organisational measures are in place to protect against unauthorised disclosure or unlawful processing of data and against accidental loss or unlawful destruction of, or damage to, data. ClearBank uses Microsoft Security E5 DLP (Data Loss Prevention) to manage risks, protect and govern sensitive data, and respond to regulatory requirements. To read more please visit https://clear.bank/data-protection-and-privacy.

Security logging and monitoring

We understand the importance of continuous monitoring: ensuring that monitoring and alerting are applied across our systems and continually strengthened as they, and our services to clients, continue to grow. ClearBank utilises Microsoft Azure Sentinel SIEM to log 450+ alerts spanning multiple MITRE ATT&CK categories, ranging in severity from High to Informational, and configured with +C63 additional machine learning capability for analysis. ClearBank’s Security Operations team and SOC team actively monitor alerts in Sentinel.

Patch management

ClearBank has clearly defined timelines and processes for patching systems and applications in a timely manner to appropriately mitigate known technical security vulnerabilities, supported by Microsoft Azure Automation for automated patch management.

Identity management

ClearBank utilises Azure Active Directory (Azure AD), leveraging a comprehensive set of features and capabilities such as integrations, single sign-on (SSO), passwordless and multifactor authentication (MFA), conditional access, identity protection, and privileged identity management, to manage users, groups, devices, and other resources within the ClearBank environment.

Employee screening

ClearBank conducts pre-employment screening checks on all employees aligned with the HMG Baseline Personnel Security Standard (BPSS) standard. All employees are subject to contractual confidentiality obligations and must abide by the ClearBank Code of Conduct, Acceptable Use Policy, and other related compliance policies and standards.

Reporting suspected security issues

We don’t currently offer payment for reporting vulnerabilities.

If you believe you’ve identified a security vulnerability in our website or services, we thank you for reporting it as quickly as possible. We’ll work with security researchers to investigate and fix any valid reports.

Please send reports to [email protected].
