Welcome to Consumer Reports Advocacy

For 85 years CR has worked for laws and policies that put consumers first. Learn more about CR’s work with policymakers, companies, and consumers to help build a fair and just marketplace at TrustCR.org

Fair Digital Finance Evaluation Framework

Principle 1: Safety

Digital finance products are secure and minimize risks.


Subprinciple: Fund Protection

  • Customers’ funds are kept secure via multiple overlapping methods.
    • Users can easily find and understand disclosures of funds’ protection.
    • Company clearly discloses if and how customer funds are insured.
    • Users’ funds are returned if the company goes out of business.


Subprinciple: Fraud Protection

  • Company protects users against fraud and scams.
    • Company commits in legally binding documentation to actively monitor its service for fraud, including monitoring transactions in real time to detect suspicious activity, fake accounts, and/or accounts that engage in fraudulent behavior.
    • Company defines a process in legally binding documentation to notify users via an out-of-band medium when suspicious activity is detected.
    • Company has appropriate escalation paths to handle suspicious activity.
    • Company provides an easy procedure for users to verify activity and unfreeze their account.
    • Company creates and prominently links to documentation or help pages that inform and educate users about potential scams, and about scams that have been identified in the past.
    • When a user sends money from their account via the service, the user can verify and confirm the identity of the recipient before initiating the transfer.
    • If a user loses assets due to data breach, fraud, scam, or identity theft, the company has a clearly defined process to support the user in recovering their lost or stolen assets.


Subprinciple: Security Practices

  • The product has an authentication system that corresponds to the sensitivity of the user data it manages.
    • The product has an authentication system for accessing accounts.
    • The user must authenticate each time they want to use the product.
    • The product or service times out.
    • The authentication system requires at least two pieces of information to authenticate users.
    • For products or services that handle sufficiently sensitive data or provide access to funds, multi-factor authentication is on by default and customers must opt out of it.
    • If the product uses a password/passphrase for authentication, it requires that passwords be reasonably complex.
    • If the product uses a password/passphrase for authentication, it is compatible with popular password managers.
  • A product that has an authentication system resists attempts to break it.
    • The product notifies users when account security settings have changed.
    • The product allows users to be notified via an out-of-band medium when account security settings are changed.
    • To change a password/passphrase/pin, a user must enter the previous password/passphrase/pin, or have access to a secondary system that is used to reset it.
    • If the product has an authentication system, lockouts are triggered after multiple incorrect login attempts.
  • Financial data and personally identifiable information are encrypted so that they can’t be easily read or used by attackers.
    • User data, information, and communications are encrypted by default using modern standard methods when at rest.
    • User data, information, and communications are encrypted by default using modern standard methods when in transit.
    • End-to-end encryption is enabled by default.
  • The product is protected from known software vulnerabilities that present a danger from attackers.
    • The software is secure against known bugs and types of attacks.
  • The company is a responsible caretaker of users’ data.
    • The company has systems in place to limit and monitor employee access to user information.
    • The company has an internal security team that conducts security audits on the company’s products and services.
    • The company commissions third-party security audits on its products and services.
    • The company ensures that third parties who process data on its behalf implement the required technical and organizational measures to protect user data.
  • The company is willing and able to address reports of vulnerabilities.
    • The company has a mechanism (e.g., a bug bounty program or a security.txt file) through which security researchers can submit vulnerabilities they discover.
    • The company discloses the timeframe in which it will review reports of vulnerabilities.
    • The company commits not to pursue legal action against security researchers.