Security Statement

Overview

Meridian Solutions (International) Ltd’s e-money accounts, payment and foreign exchange services are provided by some of the world’s leading FCA regulated financial technology (FinTech) companies.

The below security statement applies to the products, services, websites and apps offered by our main service provider Currencycloud. Currencycloud values their customers’ trust and takes its role as data custodian very seriously. Your information is stored securely and the safety practices detailed below aim to provide you with complete transparency over how your data is protected. More information on how they collect and use data is outlined in the following Privacy Policy.

In the UK, payment and e-money services are provided by The Currency Cloud Limited. Registered in England No. 06323311. Registered Office: 1 Sheldon Square, London, W2 6TT, United Kingdom. The Currency Cloud Limited is authorized by the Financial Conduct Authority under the Electronic Money Regulations 2011 for the issuing of electronic money (FRN: 900199, click here for further information)

The FCA requires standards to be met across three areas and Currencycloud exceeds all three of these standards which are as follows:

Capital Adequacy: The levels of capital requirements are based on Currencycloud‘s level of activity. The FCA regularly reviews their capital adequacy.

Client Protection: Client funds are held in segregated accounts, entirely separate from Currencycloud’s own operating accounts, so client funds are always safe.

Robust Internal Risk Management: There is strict governance and operational processes in place to scrutinise the accuracy of each of the transactions, with appropriate involvement from the Directors. Compliance with governance and processes is regularly audited.

Europe

For clients based in the European Economic Area, the issuance of e-money and the provision of related payment services for Meridian Solutions are provided by CurrencyCloud B.V. CurrencyCloud B.V. is registered with the Dutch Chamber of Commerce in the Netherlands under number 72186178. Registered office Mr. Treublaan 7, 1097 DP, Amsterdam, Netherlands. CurrencyCloud B.V. is licensed and regulated by De Nederlandsche Bank as an Electronic Money Institution (Relation Number: R142701)

USA

For United States, Payment services for Meridian Solutions are provided by Visa Global Services Inc. (VGSI), a licensed money transmitter (NMLS ID 181032) in the states listed here. VGSI is licensed as a money transmitter by the New York Department of Financial Services. Mailing address: 900 Metro Center Blvd, Mailstop 1Z, Foster City, CA 94404. VGSI is also a registered Money Services Business (“MSB”) with FinCEN and a registered Foreign MSB with FINTRAC. For live customer support contact VGSI at (888) 733-0041.

Canada

For Canadian customers, The Currency Cloud Limited is authorized by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) for the issuing of electronic money with Money Services Business (MSB) registration number M14700991.

Funding

Currencycloud is backed by some of the leading names in the investment community, including GV (Google Ventures), Sapphire Ventures, Anthemis, Notion Capital.

Physical Security

Currencycloud are ISO/IEC 27001:2013 compliant and have robust processes to protect their systems. They consistently review and enhance their processes and systems to ensure that they remain secure.

Their service operates on Amazon Web Services (AWS) which is certified under a number of global compliance programmes which underlines best practices in terms of data centre security.

• ISO 27001 Information Security Management Controls
• PCI-DSS Level 1 Payment Card Standards
• ISO 27018 Personal Data Protection
• SSAE16/SOC 1, SOC2 and SOC 3
• FIPS United States Government Security Standards

For the full list of AWS compliance programs see: https://aws.amazon.com/compliance/pci-data-privacy-protection-hipaa-soc-fedramp-faqs/

More information about AWS data centre controls may be found here: https://aws.amazon.com/compliance/data-center/controls/

Network Security

Currencycloud have dedicated systems in place to protect against Distributed Denial of Service (DDoS) attacks as well as man-in-the-middle attacks. They use reputable registrars to protect against domain hijacking and “phishing” attacks.

Their platform undergoes regular penetration testing and has protection in place against common vulnerabilities like code injection attacks and cross-site scripting attacks.

Encryption

All network traffic is encrypted at a transport level and confidential information is encrypted at rest. They use best practices in terms of encryption key storage and security.

Information security

Currencycloud’s platform and operational security is certified under ISO/IEC 27001:2013, the international best practice standard for Information Security Management Controls which is independently audited.

They also comply with best practices and regulations pertaining to the management of personal data under the UK Data Protection Act (DPA), as well as the European Union General Data Protection Regulation (GDPR).

Strong access control

Currencycloud’s platform provides a role based, hierarchical security model with two-step authentication and multi-factor authentication for sensitive systems. All access is logged and audited for suspicious behaviour.