Security Center

The quiet weight of a real vault.

Security at Chase-Bank is not a feature shipped in a release note. It is the institution's product. Below is how we protect your accounts, what we ask of you in return, and how to reach our fraud desk if something looks wrong.

SOC 2 Type II

Audited annually by an independent Big Four firm. Control reports available to clients on written request under NDA.

AES-256 & TLS 1.3

All client data encrypted at rest with AES-256-GCM, in transit with TLS 1.3, and on backups with envelope encryption under HSM-managed keys.

Hardware-bound Keys

Sign-in binds to FIDO2 / WebAuthn hardware tokens or platform authenticators. SMS one-time codes are not accepted for high-risk operations.

Behavioural Biometrics

Risk scored against your individual telemetry — typing cadence, device orientation, network signature — not a population baseline.

24/7 Fraud Desk

A human reviews every wire above your threshold within four minutes, day or night. We have never missed a confirmed fraud signal in our operating history.

Defense in Depth

Network segmentation, mutual TLS between services, runtime attestation, and continuous SIEM correlation across the full stack.

Controls protecting your account

Multi-Factor Authentication

FIDO2 hardware keys, platform passkeys, and authenticator apps. MFA is required for all sign-ins, every session, no exceptions.

Device Trust

Each device is fingerprinted and enrolled. New devices require step-up verification and a 24-hour cooling period before high-value transactions are permitted.

Transaction Risk Scoring

Every outbound payment is scored in real time against your historical pattern, beneficiary risk, geolocation, and threat intelligence feeds.

Rate Limiting & Bot Defense

Adaptive rate limits, proof-of-work challenges, and managed bot mitigation protect login, enrollment, and password-reset endpoints.

Encrypted Audit Ledger

All account activity is written to a tamper-evident, append-only ledger with cryptographic receipts you can verify independently.
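The tamper-evident, append-only ledger with independently verifiable receipts described above can be illustrated with a hash chain: each entry's hash commits to the previous entry's hash, and the client keeps a receipt that binds their copy of the event to a specific chain position. The block below is an added example written for this page, not Chase-Bank's own code, and it makes two simplifying assumptions: receipts are authenticated with an HMAC under a constructed demo key rather than an asymmetric signature from an HSM-held key, and the ledger lives in memory. All names (`AppendOnlyLedger`, `verify_receipt`, `first_broken_index`) and the sample events are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed demo secret. A real deployment would sign receipts with an
# asymmetric key held in an HSM (assumption); HMAC stands in here so the
# example runs with the standard library only.
RECEIPT_KEY = b"constructed-demo-receipt-key"
GENESIS_HASH = "0" * 64


def canonical(entry: dict) -> bytes:
    """Deterministic serialisation so an entry always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def chain_hash(prev_hash: str, entry: dict) -> str:
    """Each entry's hash commits to the previous hash, forming a hash chain."""
    return hashlib.sha256(prev_hash.encode() + canonical(entry)).hexdigest()


def receipt_mac(index: int, prev_hash: str, this_hash: str) -> str:
    """Authenticate the (position, prev, hash) triple handed to the client."""
    msg = f"{index}|{prev_hash}|{this_hash}".encode()
    return hmac.new(RECEIPT_KEY, msg, hashlib.sha256).hexdigest()


class AppendOnlyLedger:
    """Append-only event log; there is deliberately no update or delete."""

    def __init__(self):
        self._entries = []
        self._hashes = []

    def append(self, entry: dict) -> dict:
        """Append an event and return the client's receipt for it."""
        prev_hash = self._hashes[-1] if self._hashes else GENESIS_HASH
        this_hash = chain_hash(prev_hash, entry)
        self._entries.append(dict(entry))
        self._hashes.append(this_hash)
        index = len(self._entries) - 1
        return {"index": index, "prev_hash": prev_hash, "hash": this_hash,
                "mac": receipt_mac(index, prev_hash, this_hash)}

    def first_broken_index(self) -> int:
        """Re-walk the chain; return the index of the first entry whose stored
        hash no longer matches its content, or -1 if the ledger is intact."""
        prev_hash = GENESIS_HASH
        for i, (entry, stored) in enumerate(zip(self._entries, self._hashes)):
            if chain_hash(prev_hash, entry) != stored:
                return i
            prev_hash = stored
        return -1


def verify_receipt(entry: dict, receipt: dict) -> bool:
    """Client-side check: the receipt must be authentic (MAC) and must commit
    to exactly this entry at exactly this chain position."""
    expected = receipt_mac(receipt["index"], receipt["prev_hash"], receipt["hash"])
    if not hmac.compare_digest(expected, receipt["mac"]):
        return False
    return chain_hash(receipt["prev_hash"], entry) == receipt["hash"]


def demo():
    """Record constructed account activity, then show that a later edit of the
    stored wire amount is detected both server-side and by the client's receipt."""
    ledger = AppendOnlyLedger()
    events = [  # constructed sample activity
        {"type": "login", "device": "dev-1", "ts": 1},
        {"type": "wire", "amount": 25000, "beneficiary": "acct-42", "ts": 2},
        {"type": "logout", "device": "dev-1", "ts": 3},
    ]
    receipts = [ledger.append(e) for e in events]
    all_ok = all(verify_receipt(e, r) for e, r in zip(events, receipts))
    # Simulate direct modification of the underlying storage after the fact.
    ledger._entries[1]["amount"] = 250
    return all_ok, ledger.first_broken_index(), verify_receipt(ledger._entries[1], receipts[1])


if __name__ == "__main__":
    print(demo())  # (True, 1, False)
```

The hash chain alone is not enough: whoever can rewrite the storage can also recompute every hash from the altered entry onward. What makes the ledger tamper-evident is that the client holds a receipt committing to the original entry and chain position, so any divergence between the client's copy and the institution's copy is detectable; in practice the chain head would also be periodically published or signed so that truncation is detectable too.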

Secure Software Lifecycle

Mandatory peer review, static analysis, dependency scanning, and quarterly third-party penetration testing across all production systems.

Compliance & Assurance

Independently verified, continuously monitored.

Our control environment is examined annually under SOC 2 Type II, ISO 27001, and PCI DSS, and quarterly by an external red team. We publish the date of our most recent attestation and make the full report available to clients under non-disclosure on request.

  • SOC 2 Type II

    Audited annually — current report available to clients under NDA.

  • ISO/IEC 27001

    Information security management certified across all production environments.

  • PCI DSS Level 1

    Card data handled in fully tokenized, segmented enclaves.

  • NIST CSF & 800-53

    Aligned across identify, protect, detect, respond, and recover.

  • GDPR / Swiss FADP

    EU and Swiss data subject rights honored end to end.

Your Half of the Work

A six-step posture for every client.

The strongest control we deploy is the one you finish setting up. We ask every client to complete the following within their first 30 days.

  1. Enable a FIDO2 hardware key (YubiKey 5 series or equivalent) as your primary second factor.
  2. Add a platform passkey on each trusted device as a backup authenticator.
  3. Set a wire-approval threshold above which a callback to your registered number is required.
  4. Register a duress passphrase with your relationship director for in-person verification.
  5. Review the device list and active sessions in your profile at least monthly.
  6. Confirm your registered email, phone, and postal address are current — out-of-band alerts depend on them.

Reporting Suspicious Activity

If something looks wrong, tell us immediately.

If you receive a message, call, or notification you did not initiate — or if you see an unfamiliar device, login, or transaction — contact the fraud desk before doing anything else. We will never ask for your password, full card number, hardware-key seed, or one-time codes by phone or email.

24/7 Fraud Desk

+1 (212) 555-0117

Answered by a human within 30 seconds.

Encrypted Email

fraud@chsbank.example

PGP key published on our keyserver.

Responsible Disclosure

Researchers may report security issues to security@chsbank.example. We acknowledge within one business day, do not pursue legal action against good-faith research conducted under our policy, and offer monetary rewards for qualifying findings.

Policy published at /security/disclosure