
The Pleo Blog


The security risks a finance team needs to be aware of (and how to avoid them)

Whether you’re a CFO or junior member of the finance team, you should be playing a part in risk management. Keeping your finances safe is a priority for every business, but you can’t prevent problems if you don’t know what you’re looking for. Here are three of the biggest security risks threatening your business, and the steps Pleo takes to help you prevent them. 

Banking on just one bank

Remember when Silicon Valley Bank (SVB) collapsed in March? It was one of the fastest bank runs – and fastest bailout of depositors – ever. SVB lent over $200 billion, and many of its customers would have relied solely on it as their main bank. 

There’s a reason people advise against putting all your eggs in one basket. Depending on a single institution for your money carries risk: if something happens to it, all of your money is at stake. Which explains why SVB saw over $42 billion withdrawn in just one day once whispers of trouble started spreading.

This is why many businesses spread their money across several banks instead of relying on one.

While there’s no ‘one size fits all’ approach to how many bank accounts you need, it’s worth spreading your money between different bank accounts. For example, you might want a current account for your daily expenses and a savings account for emergency cash. Within that, you might want to keep some savings in a fixed term account (as these tend to offer higher interest rates), and some in an easy access account so you can get hold of your money when you need it. 

This way, if one bank suffers a downturn, you can easily move the funds into one of your other accounts.

At Pleo, we maintain several banking relationships. And we only work with banks that are deemed systemically important (which means if they fail, the government will be more willing to step in).

As a licensed Electronic Money Institution (EMI), Pleo Financial Services A/S is required to follow safeguarding requirements, which means storing all customer funds in a separate segregated account.

The vast majority of our funds are held with JP Morgan, but we make sure invoice payment transfers happen as quickly as possible through our relationship with Banking Circle. We know how important it is for you to have access to your funds when you need it most, which is why in the UK, it takes just 1-3 business days for funds to reach your bank account once you’ve withdrawn them from the Pleo app.

Stolen card details and personal data

Unfortunately, criminals are only becoming more sophisticated in the methods they use to get hold of your personal information. In fact, there were 2.8 million fraud reports made in 2021 alone.

One of the ways you can help to keep your customers’ data safe is by only using tools that make Strong Customer Authentication (SCA) mandatory (such as Pleo). SCA is a European regulatory requirement designed to reduce fraud and make payments more secure. It involves building an extra layer of authentication into your checkout flow, such as Two Factor Authentication (2FA).

We do this at Pleo to make sure it’s really you trying to log in. Our log-in flow requires one more factor of authentication than a lot of companies, which makes the whole process more phishing-resistant than average. While it might take you a few seconds extra to access your Pleo account, it’s worth it to keep your money safe. 

If you’re a tech provider like us, another step you can take is making sure you’re compliant with the Payment Card Industry Data Security Standard (PCI DSS). It’s a rigorous benchmark that makes sure your business offers a safe environment for your customers’ funds and data. 

For example, one of the requirements PCI DSS places on Pleo is that we can’t see customers’ card details in full. That means there’s no way for us to access your CVV number. Did we mention that we pass the highest level of PCI DSS assessment every year? We also perform regular penetration tests to find and address any security vulnerabilities, so you can trust that we take this seriously. 

It’s also worth implementing processes that allow customers to make quick decisions. At Pleo, we encourage this by allowing you to freeze cards and remove users quickly and easily. Spotted a transaction that looks suspicious? Just freeze the card in your Pleo account – you can always unfreeze it if everything’s fine. And if someone leaves your company or no longer needs a company card, you can remove them as a user in a few clicks. 

Deleting users will permanently destroy their virtual and plastic cards and remove their access to Pleo. Don’t worry, you can still access their expense history in the Expenses tab.

Being dependent on a third party

For many companies, relying on a third party when dealing with customer information is normal. But leaving these matters to someone else means things can fall through the cracks and create problems down the line. And whether you’re the company seeking or supplying the due diligence, you’re both equally liable for any issues.

The best way to mitigate this is by carrying out your own relationship checks for every person or company you’re selling to. This will allow you to identify and assess the potential risk level of each customer, so that you only do business with those you’re comfortable selling to. One of the benefits of being a Pleo customer – since we do our own due diligence – is that you won’t be bundled into someone else's customer base (aka a bigger card programme, which can negatively affect you).

You might also want to consider depending on others for technology, but not for regulation. If you rely on another company for your regulatory status, any changes to regulations, taxation, interest rates and so on that affect them will also affect you. 

For example, Pleo is part of Pleo Financial Services, a financial entity regulated by the FSA in Denmark. The existence of Pleo Financial Services means that we can enforce our own compliance and fraud regulations and maintain a close relationship with the financial regulator. What’s more, we’re not at risk of being exposed to governance failings by others. (And we’re very selective about the few third parties we do work with).

It’s also important to be fully compliant with the current GDPR legislation. In fact, it’s not really an option as it’s the law. And you could be fined €20m or, if higher, as much as four percent of global revenue.

Pleo follows the GDPR rules to keep our customers’ data safe, but what does this actually mean?

  • We’ll never process personal data for a longer period than is necessary.
  • We won’t use customer data for anything other than what is allowed by the law. 
  • We won’t share it with website marketing agencies or use it for newsletters etc. without your permission. 
  • Any ID documents customers upload during verification are securely stored in AWS and are only accessible by our Compliance team.

Have a read of our cookie policy for more information.

99% of users feel secure using Pleo

These are just some of the lengths we go to in order to keep your money in safe hands. But there are always extra measures you can take to protect your data. Want to learn more about card security and fraud awareness? Scroll to the bottom of Pleo’s homepage and click on ‘Fraud awareness’ for a handy guide to help you understand our approach to security, scams and how to contact us if something goes wrong.
