PenChecks and Cyber Security: We’ve Got Your Back
At PenChecks Trust™ we’re in the business of providing solutions to the retirement plan industry. Most of those solutions involve payment processing services and the care and administration of missing participant assets. They also involve handling significant amounts of money and sensitive personal data for hundreds of thousands of retirement plan participants. In today’s ever-increasing world of digital commerce, it’s easy to understand that cyber security and the protection of our clients is one of the foremost concerns for PenChecks.
PenChecks invests a great deal of time and resources in making our systems and our data as secure as possible. Our Information Security and Compliance departments work year-round to ensure this. Based on our business model and how we process transactions, we have a lower risk profile than many other retirement plan service providers, for several reasons:
- We only process distribution requests that get funded. When a client requests we pay out a plan participant, they must provide us with the money. If not, we don’t make the payment. Even if a cyber-criminal could hack into one of our client’s accounts to request a fraudulent payout, they would have to fund that payment request.
- Our clients proactively engage us for distribution processing services. In most cases, this means a plan participant on the other end is expecting a payment and actively monitoring the status of their processing until they receive their funds. And in all cases, it means we are monitoring it from beginning to end.
- The only funds we custody for individuals on an ongoing basis are missing participant funds. When we pay these individuals (once they are located and claim their funds), federal regulations require us to perform robust identity verification protocols and Patriot Act validations.
As long as we receive the correct information from our clients, the chances of PenChecks making a payment to the wrong person are extremely small.
Using MFA to Improve Login Security
At PenChecks, we have both business to business (B2B) and business to consumer (B2C) clients. Our B2B clients consist of TPAs, Plan Sponsors and Institutional clients we provide services for. Our B2C clients consist of individual account holders, including Automatic Rollover and Missing Participant IRAs, one-time distribution recipients, and recurring distribution recipients.
The best way to protect both stakeholder groups is to prevent cyber thieves from getting in by the front door. In other words, we make it very difficult for them to gain access to a client’s or participant’s account at the point of login. To do this, PenChecks requires multifactor authentication (MFA) at login.
B2B clients must use MFA when setting up their account and on every login thereafter, entering a randomly generated code each time.
For B2C clients (individual participants or account holders) to access our online Benefit Election Site:
- They must log in with a combination of personal identification elements plus an individual code that is provided to them.
- For increased security, we will be adding an updated, real-time experience that incorporates additional individual identity verification elements for account holders.
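The one-time login code described above has a few properties a defender cares about that the text does not spell out: the code should be unpredictable, expire quickly, work only once, and be checked without leaking timing information or allowing unlimited guesses. The following is an added example, not PenChecks’ code; the class and method names, the six-digit format, the five-minute lifetime and the five-attempt limit are all assumptions chosen for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example (not PenChecks' settings).
CODE_TTL_SECONDS = 300      # a code is valid for five minutes
MAX_ATTEMPTS = 5            # after five wrong guesses the code is discarded


@dataclass
class PendingCode:
    code: str           # the one-time code sent to the user
    expires_at: float   # absolute time after which the code is rejected
    attempts: int = 0   # how many verification attempts have been made


class LoginCodeService:
    """Issues and verifies one-time login codes (hypothetical service)."""

    def __init__(self, ttl=CODE_TTL_SECONDS, max_attempts=MAX_ATTEMPTS, now=time.time):
        self._pending = {}          # user_id -> PendingCode
        self._ttl = ttl
        self._max_attempts = max_attempts
        self._now = now             # injectable clock so behaviour can be tested

    def issue(self, user_id: str) -> str:
        """Generate a fresh code for the user, replacing any earlier one."""
        # secrets.randbelow is a CSPRNG; random.randint would be guessable.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = PendingCode(code, self._now() + self._ttl)
        # In a real deployment the code is delivered out of band (SMS, e-mail,
        # authenticator app); it is returned here only so the example runs offline.
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        """Return True once, for the correct unexpired code; False otherwise."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False                        # nothing issued or already used
        if self._now() > entry.expires_at:
            del self._pending[user_id]          # expired: discard, user must re-issue
            return False
        entry.attempts += 1
        if entry.attempts > self._max_attempts:
            del self._pending[user_id]          # too many guesses: discard the code
            return False
        # Constant-time comparison so a wrong guess does not leak how many
        # leading digits matched.
        if hmac.compare_digest(entry.code.encode(), submitted.encode()):
            del self._pending[user_id]          # single use: a replayed code fails
            return True
        return False


if __name__ == "__main__":
    svc = LoginCodeService()
    code = svc.issue("user-42")                 # constructed user id
    print("first use:", svc.verify("user-42", code))    # True
    print("replay:", svc.verify("user-42", code))       # False
```

The injectable clock is what makes expiry testable without sleeping; in production the default `time.time` is used. Deleting the entry on expiry or on too many attempts means the caller must issue a new code rather than keep guessing against the old one.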
We also employ an automated bank account verification protocol that confirms the bank account belongs to the recipient requesting payment and that the routing and account numbers are correct and match. This dramatically reduces the incidence of rejected electronic payments, resulting in a faster turnaround time for our clients.
Cyber Security Is a Team Effort
You can help reinforce our ongoing security efforts by doing the following:
- Benefit elections. Remind your plan participants ahead of time that PenChecks will be processing their distribution, which may include correspondence about their benefit elections, and encourage them to respond as soon as possible.
- Accurate information. Make sure we have accurate participant information, especially the address. This allows us to process claims quicker.
- Don’t share user IDs. With our proprietary online processing platform, there is no limit to the number of user IDs you can establish for your B2B account. We strongly recommend every user have their own individual login credentials.
- Keep your list of authorized users up to date. When an employee leaves your company, remove their access right away. That’s one less place for cyber thieves to find a way into your account.
If you haven’t read our recent blog on why plan fiduciaries need to make cyber security a top priority, we urge you to do so. No computer system is completely foolproof. But the author, guest blogger Carol Buckmann, points out a number of steps you can take to protect your business and your plan participants.
Another Step Toward A More Secure PenChecks System
We are proud to announce that Kevin Smallen, our Chief Information Security Officer (CISO), recently earned the rigorous and demanding Certified Information Systems Security Professional (CISSP) designation. CISSP is an information security certification created by the International Information Systems Security Certification Consortium (ISC). It ensures computer security professionals have standardized knowledge in areas ranging from physical and network security to cryptography, security architecture, application and systems development, law, investigation, and ethics. Kevin is one of a limited number of IT professionals to hold this coveted designation.