Security Statement

Overview

Meridian Solutions (International) Ltd’s e-money accounts, payment and foreign exchange services are provided by some of the world’s leading FCA regulated financial technology (FinTech) companies.

The below security statement applies to the products, services, websites and apps offered by our main service provider Currencycloud. Currencycloud values their customers’ trust and takes its role as data custodian very seriously. Your information is stored securely and the safety practices detailed below aim to provide you with complete transparency over how your data is protected. More information on how they collect and use data is outlined in the following Privacy Policy.

In the UK, The Currency Cloud Limited is authorised and regulated by the Financial Conduct Authority (FCA) as an Electronic Money Institution (Ref. Number: 900199, click here for further information)

The FCA requires standards to be met across three areas and Currencycloud exceeds all three of these standards which are as follows:

Capital Adequacy: The levels of capital requirements are based on Currencycloud‘s level of activity. The FCA regularly reviews their capital adequacy.

Client Protection: Client funds are held in segregated accounts, entirely separate from Currencycloud’s own operating accounts, so client funds are always safe.

Robust Internal Risk Management: There is strict governance and operational processes in place to scrutinise the accuracy of each of the transactions, with appropriate involvement from the Directors. Compliance with governance and processes is regularly audited.

Europe

For European customers, Meridian Solutions (International) Ltd’s e-money accounts, payment and foreign exchange services are provided by Currencycloud B.V. Currencycloud B.V is authorised by the Central Bank of the Netherlands (De Nederlandsche Bank – DNB) for the issuing of electronic money with Relation number DNB: R142701

USA

For US customers, The Currency Cloud Inc. is registered with FinCEN under registration number 31000112572477, and is licensed for money transmission in 44 States (please find full list and further details here).

Services may be provided in the United States under sponsorship by Community Federal Savings Bank (CFSB), to which The Currency Cloud Limited is a service provider, or by The Currency Cloud Inc., pursuant to the money transmitter regulations of the various States where it is licensed. NMLS ID: 1428924. CFSB fully owns the bank program and services are provided by The Currency Cloud Inc. CFSB is registered with the Federal Deposit Insurance Corporation (FDIC Certificate# 57129).

Canada

For Canadian customers, The Currency Cloud Limited is authorized by the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) for the issuing of electronic money with Money Services Business (MSB) registration number M14700991.

Funding

Currencycloud is backed by some of the leading names in the investment community, including GV (Google Ventures), Sapphire Ventures, Anthemis, Notion Capital.

Physical Security

Currencycloud are ISO/IEC 27001:2013 compliant and have robust processes to protect their systems. They consistently review and enhance their processes and systems to ensure that they remain secure.

Their service operates on Amazon Web Services (AWS) which is certified under a number of global compliance programmes which underlines best practices in terms of data centre security.

• ISO 27001 Information Security Management Controls
• PCI-DSS Level 1 Payment Card Standards
• ISO 27018 Personal Data Protection
• SSAE16/SOC 1, SOC2 and SOC 3
• FIPS United States Government Security Standards

For the full list of AWS compliance programs see: https://aws.amazon.com/compliance/pci-data-privacy-protection-hipaa-soc-fedramp-faqs/

More information about AWS data centre controls may be found here: https://aws.amazon.com/compliance/data-center/controls/

Network Security

Currencycloud have dedicated systems in place to protect against Distributed Denial of Service (DDoS) attacks as well as man-in-the-middle attacks. They use reputable registrars to protect against domain hijacking and “phishing” attacks.

Their platform undergoes regular penetration testing and has protection in place against common vulnerabilities like code injection attacks and cross-site scripting attacks.

Encryption

All network traffic is encrypted at a transport level and confidential information is encrypted at rest. They use best practices in terms of encryption key storage and security.

Information security

Currencycloud’s platform and operational security is certified under ISO/IEC 27001:2013, the international best practice standard for Information Security Management Controls which is independently audited.

They also comply with best practices and regulations pertaining to the management of personal data under the UK Data Protection Act (DPA), as well as the European Union General Data Protection Regulation (GDPR).

Strong access control

Currencycloud’s platform provides a role based, hierarchical security model with two-step authentication and multi-factor authentication for sensitive systems. All access is logged and audited for suspicious behaviour.