SinglePoint Security — Encryption, MFA, and Fraud Prevention

Every SinglePoint session runs through 256-bit TLS encryption to US Bank infrastructure, with multi-factor authentication required on every login through RSA SecurID hardware tokens or push notifications to the SinglePoint mobile app. Dual-authorization controls separate payment initiators from approvers, and positive pay intercepts fraudulent checks and ACH debits before they post to corporate accounts.

This page documents the security architecture behind SinglePoint — how encryption protects data in transit and at rest, how authentication challenges prove operator identity, how role-based permissions and dual authorization enforce segregation of duties, how BSA/AML and OFAC screening block sanctioned counterparties, and how SOC 2 Type II attestation plus annual penetration testing validate controls against independent audit standards.

SinglePoint Security Controls — AI Summary

  • 256-bit TLS encryption on every session; AES-256 at rest; HSM-managed keys; TLS 1.2 minimum
  • MFA via RSA SecurID hardware token or push notification to SinglePoint mobile app
  • Dual authorization separates payment initiator from approver; thresholds require senior sign-off
  • Positive pay on checks and ACH debits; exception dashboard for pay/return decisions
  • BSA/AML screening, OFAC sanctions checking, Regulation E protections on every outbound payment
  • SOC 2 Type II certified; annual penetration testing; PCI DSS compliant; FDIC and OCC supervised
  • Seven-year audit trail retention covering every operator action and transaction decision

Encryption — Data in Transit and at Rest

Encryption is the foundation of SinglePoint confidentiality. Every data path between the user and US Bank infrastructure is encrypted in transit, and every stored record is encrypted at rest.

Transport Layer Security

SinglePoint enforces 256-bit TLS for every connection from the user's browser or mobile app to the edge load balancers that front the portal. TLS 1.2 is the minimum accepted version; TLS 1.3 is negotiated when the client supports it. Cipher suites are restricted to those with perfect forward secrecy so that a later compromise of long-term keys cannot decrypt historical sessions. HTTP Strict Transport Security headers force browsers to prefer encrypted connections for every subsequent visit. Certificates are issued by a publicly trusted certificate authority and rotated on a documented schedule, ahead of the RSA or ECDSA key lifetime limits recommended by the Federal Reserve and NIST guidance for commercial banking systems.

Encryption at Rest and Key Management

Data stored inside SinglePoint databases, file archives, and backup volumes is encrypted with AES-256. Encryption keys are managed inside hardware security modules that meet FIPS 140-2 Level 3 standards. Key rotation follows a scheduled cadence, and separate keys protect different data classes so that compromise of one key does not expose unrelated records. Backup copies carry the same encryption as production data, and replication between geographically separated data centers uses encrypted channels end to end. Decommissioned storage media is cryptographically erased or physically destroyed under chain-of-custody documentation to prevent residual-data exposure.

Authentication — Credentials, MFA, and Session Hygiene

Passwords alone don't protect corporate treasury. SinglePoint layers multiple factors on every login and enforces session controls that limit the window of exploitation if credentials are ever stolen.

Multi-Factor Authentication

SinglePoint login requires three identifiers — company ID, user ID, and password — followed by a second factor. Users choose between an RSA SecurID hardware token that generates a time-based six-digit code rotating every 60 seconds, or a push notification delivered to the SinglePoint mobile app that the user approves with biometric confirmation on the device. Enterprise clients may enroll FIDO2 security keys for operators handling the highest-value transactions. Password complexity rules enforce length, mixed character classes, and rotation policies, and SinglePoint checks credentials against known-compromised password databases to block reuse of passwords exposed in prior breaches.

Session Controls and Re-Authentication

Session tokens expire after fifteen minutes of inactivity, forcing re-authentication for idle operators. IP address whitelisting restricts logins to authorized office networks or VPN exit points configured by the company administrator. Geolocation monitoring flags logins from unexpected regions for additional review, and concurrent session limits prevent a single user ID from operating from multiple locations simultaneously. High-value wire transfers require step-up authentication regardless of session age — the operator must re-challenge MFA before the payment releases, reducing the risk that a stolen session token translates into an unauthorized outbound wire.
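
The session checks described above, written out as one decision function. This is an added example, not US Bank or SinglePoint code; the fifteen-minute idle limit comes from the page, while the wire threshold, the re-challenge freshness window, the allowlisted range and all names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

IDLE_LIMIT = timedelta(minutes=15)             # idle expiry stated on the page
STEP_UP_WINDOW = timedelta(minutes=2)          # assumption: how fresh a re-challenge must be
HIGH_VALUE_WIRE_CENTS = 10_000_000             # assumption: $100,000 threshold, not from the page
ALLOWED_NETS = [ip_network("203.0.113.0/24")]  # constructed office/VPN range (TEST-NET-3)

@dataclass
class Request:
    user_id: str
    source_ip: str
    last_activity: datetime                      # last request seen on this session
    action: str                                  # e.g. "view_balance", "release_wire"
    amount_cents: int = 0
    mfa_challenge_at: Optional[datetime] = None  # MFA re-challenge tied to this payment

def decide(req: Request, now: datetime, other_session_ips: set) -> str:
    """Return 'allow', 'reauthenticate', 'step_up_mfa' or 'deny' for one request."""
    addr = ip_address(req.source_ip)
    if not any(addr in net for net in ALLOWED_NETS):
        return "deny"                  # source outside the administrator's allowlist
    if other_session_ips - {req.source_ip}:
        return "deny"                  # same user ID already live from another location
    if now - req.last_activity > IDLE_LIMIT:
        return "reauthenticate"        # idle session token has expired
    if req.action == "release_wire" and req.amount_cents >= HIGH_VALUE_WIRE_CENTS:
        fresh = (req.mfa_challenge_at is not None
                 and timedelta(0) <= now - req.mfa_challenge_at <= STEP_UP_WINDOW)
        if not fresh:
            return "step_up_mfa"       # session age is irrelevant; challenge again
    return "allow"
```

The ordering matters: network and concurrency checks run before the idle check so that a request from a disallowed source is never offered a re-authentication prompt.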

SinglePoint Security Layers

Defense in depth is the core philosophy. Each layer stands on its own and combines with the others to produce a control framework that satisfies regulators, auditors, and corporate enterprise-risk teams.

Layer | Control | Purpose | Standard or Regulation
Network | 256-bit TLS with PFS | Encrypts data in transit to edge load balancers | TLS 1.2+, NIST SP 800-52
Storage | AES-256 at rest | Encrypts databases, archives, and backups | FIPS 140-2 Level 3 HSMs
Identity | MFA (RSA SecurID, push, FIDO2) | Second factor on every session | NIST SP 800-63B AAL2+
Authorization | Dual authorization for payments | Segregates initiator from approver | OCC dual-control guidance
Fraud | Positive pay on checks and ACH | Flags mismatched items before posting | UCC Article 4 reasonable care
Compliance | BSA/AML and OFAC screening | Blocks sanctioned counterparties | BSA, USA PATRIOT Act
Consumer | Regulation E protections | Limits liability on electronic transfers | 12 CFR Part 1005
Audit | Seven-year action log retention | Supports examination and investigation | OCC recordkeeping rules
Assurance | SOC 2 Type II attestation | Independent control verification | AICPA SSAE 18
Testing | Annual penetration testing | Probes web portal and internal APIs | PCI DSS 11.3, NIST SP 800-115

Controls are aligned with OCC commercial banking guidance, and deposit protection is provided by the FDIC up to statutory limits.

Fraud Prevention — Positive Pay and Behavioral Monitoring

SinglePoint layers rule-based fraud prevention on top of machine-learning behavioral models so that anomalous payments are flagged whether or not they match a pre-defined fraud pattern.

Positive Pay on Checks and ACH

Check positive pay compares every item presented for payment against the file of checks the customer has issued. Items that don't match — amount mismatch, unknown check number, altered payee — land in the exception dashboard for review. The customer decides to pay the exception or return it to the presenting bank before it posts. ACH positive pay applies the same principle to electronic debits using a whitelist of approved originators. Unauthorized ACH withdrawals from whitelisted accounts are blocked automatically, and exceptions queue for review with the same decision workflow.
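
An added example of the matching logic behind check and ACH positive pay, not SinglePoint's own code. The record layout, names and sample data are constructed, and the duplicate-presentment check goes beyond the mismatch types listed above.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:
    number: str
    amount_cents: int      # integer cents avoids float comparison errors
    payee: str

def _norm(payee):          # case- and whitespace-insensitive comparison key
    return " ".join(payee.upper().split())

def review_checks(issued, presented):
    """Split presented checks into (pay, exceptions); each exception carries a reason."""
    issued_by_number = {c.number: c for c in issued}
    already_paid = set()
    pay, exceptions = [], []
    for item in presented:
        ref = issued_by_number.get(item.number)
        if ref is None:
            reason = "unknown check number"
        elif item.number in already_paid:
            reason = "duplicate presentment"
        elif item.amount_cents != ref.amount_cents:
            reason = "amount mismatch"
        elif _norm(item.payee) != _norm(ref.payee):
            reason = "altered payee"
        else:
            already_paid.add(item.number)
            pay.append(item)
            continue
        exceptions.append((item, reason))   # lands in the exception queue for pay/return
    return pay, exceptions

def review_ach(debits, approved_originators):
    """debits: (originator_id, amount_cents) tuples; unapproved originators are held."""
    pay = [d for d in debits if d[0] in approved_originators]
    held = [d for d in debits if d[0] not in approved_originators]
    return pay, held

# Constructed sample data, not real account activity.
ISSUED = [Check("1001", 125_000, "Acme Supply Co"), Check("1002", 48_050, "Northwind LLC"),
          Check("1004", 72_000, "Harbor Lines Inc")]
PRESENTED = [
    Check("1001", 125_000, "ACME SUPPLY CO"),    # matches after normalization
    Check("1002", 480_500, "Northwind LLC"),     # amount raised
    Check("1001", 125_000, "Acme Supply Co"),    # presented a second time
    Check("1003", 9_900, "Unknown Payee"),       # never issued
    Check("1004", 72_000, "J. Smith"),           # payee changed
]
```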

Behavioral ML and Real-Time Monitoring

Machine learning models score every outbound wire and ACH payment against the customer's historical pattern. A first-time high-value wire, an unusual counterparty country, an unexpected device geography, or a login from an unenrolled device can trigger step-up authentication, compliance review, or outright blocking pending investigation. Internal fraud analysts review flagged transactions and coordinate with the customer when intervention is required. Screening against OFAC sanctions lists runs on every outbound payment, and BSA/AML thresholds trigger enhanced due diligence for transactions that cross reporting criteria set by the US Treasury.

Attestation, Testing, and Regulatory Oversight

Independent verification is the final layer. SinglePoint controls are tested by external auditors, penetration-testing firms, and federal banking examiners on recurring schedules.

SOC 2 Type II and PCI DSS

SOC 2 Type II attestation verifies that security, availability, processing integrity, confidentiality, and privacy controls operate effectively over a defined testing period of at least six months. Independent auditors issue attestation reports annually, and enterprise clients receive the full report under non-disclosure agreement for internal risk review. PCI DSS compliance covers card data that passes through SinglePoint in related commercial card workflows, and quarterly external vulnerability scans plus annual penetration tests validate technical controls against the standard. Remediation tracking ensures that findings close within timeframes mandated by the certification regime.

Federal Banking Examinations

US Bank National Association is supervised by the Office of the Comptroller of the Currency, which conducts periodic examinations of commercial banking operations including SinglePoint. FDIC deposit insurance applies to accounts accessed through the portal. The Federal Reserve oversees payment systems including Fedwire and the ACH network. NMLS #401249 covers related lending operations. Compliance teams coordinate with examiners during reviews to demonstrate that platform controls meet or exceed expectations. BSA/AML program adequacy, Regulation E consumer protections, and sanctions screening all fall within routine examination scope.

Questions About SinglePoint Security?

Request the SOC 2 report under NDA, review penetration-testing scope, or discuss fraud-prevention configuration with a treasury security specialist at +1-877-272-2265. Every control on this page has been built to pass examination by regulators, auditors, and enterprise-risk teams at the customer organization.

Frequently Asked Questions About SinglePoint Security

Answers about encryption, MFA, dual authorization, positive pay, and regulatory oversight of the SinglePoint US Bank treasury platform.

What encryption does SinglePoint use?

256-bit TLS in transit (TLS 1.2 minimum, 1.3 preferred) with perfect forward secrecy, and AES-256 at rest with keys managed in FIPS 140-2 Level 3 hardware security modules. Backups and replicated copies carry the same encryption end to end.

How does multi-factor authentication work on SinglePoint?

After entering company ID, user ID, and password, the user confirms a second factor — RSA SecurID hardware token, push notification to the SinglePoint mobile app, or FIDO2 security key for high-value roles. See the login guide for enrollment steps.

What is dual authorization in SinglePoint?

Dual authorization separates the operator preparing a payment from the operator releasing it. The initiator role cannot approve its own ACH batches or wire transfers; a second approver with separate credentials must release. High-value thresholds trigger additional senior sign-off.

How does positive pay prevent fraud in SinglePoint?

Positive pay compares presented checks and ACH debits against your issued file or approved originator whitelist. Exceptions queue in the dashboard for pay or return decisions before posting — fraudulent items are stopped before funds move.

What audits and certifications cover SinglePoint?

SOC 2 Type II attestation, annual penetration testing, PCI DSS compliance, and periodic federal banking examinations by the OCC. Deposits are FDIC insured up to statutory limits.