Welcome to Consumer Reports Advocacy

Fair Digital Finance Evaluation Framework

Principle 1: Safety

Digital finance products are secure and minimize risks.

  • Customers’ funds are kept secure via multiple overlapping methods.
    • Users can easily find and understand disclosures of funds’ protection.
    • Company clearly discloses if and how customer funds are insured.
    • Users’ funds are returned if the company goes out of business.
    • Users can withdraw all of their funds without penalty or delay if the business is acquired or sold.
  • Company protects users against fraud and scams.
    • Company commits in legally binding documentation to actively monitor its service for fake accounts or accounts that engage in fraudulent behavior.
    • Company commits in legally binding documentation to monitor transactions and activities in real-time to detect suspicious activity.
    • Company defines a process in legally binding documentation to notify users via an out-of-band medium when suspicious activity is detected.
    • In legally binding documentation, company commits to freezing accounts when suspicious activity is detected.
    • Company provides an easy procedure for user to verify activity and un-freeze account.
    • Company creates and prominently links to documentation or help pages, separate from marketing material, to inform and educate users about potential scams and about scams that have been identified in the past.
    • When a user sends money from their account via the service, the user can verify and confirm the identity of the recipient before initiating the transfer.
    • If a user loses assets due to data breach, fraud, scam, or identity theft, the company has a clearly defined process to support the user in recovering their lost or stolen assets.
  • The product has an authentication system that corresponds to the sensitivity of the user data it manages.
    • The product has an authentication system for accessing accounts.
    • The user must authenticate each time they want to use the product.
    • The product or service times out.
    • The authentication system requires at least two pieces of information to authenticate users.
    • For products or services that handle sufficiently sensitive data or provide access to funds, multi-factor authentication is on by default and customers must opt out of it.
    • If the product uses a password/passphrase for authentication, it requires that passwords are at least 8 characters long.
    • If the product uses a password/passphrase for authentication, it accepts passwords/passphrases of at least 20 characters.
    • If the product uses a password/passphrase for authentication, it requires that passwords are reasonably complex.
    • If the product uses a password/passphrase for authentication, it allows all reasonable characters as input.
    • If the product uses a password/passphrase for authentication, it is compatible with popular password managers.
  • A product that has an authentication system resists attempts to break it.
    • The product notifies users when account security settings have changed.
    • The product allows users to be notified via an out-of-band medium when account security settings are changed.
    • To change a password/passphrase/pin, a user must enter the previous password/passphrase/pin, or have access to a secondary system that is used to reset it.
    • If the product has an authentication system, it also has a system to prevent brute-force/dictionary attacks.
  • Financial data and personally identifiable information is encrypted so that it can’t be easily read or used by attackers.
    • Transmission of user data, communications or information is encrypted by default.
    • Transmission of user data, communications or information is encrypted using modern standard methods.
    • End-to-end encryption is enabled by default.
    • User data, information and communications are encrypted by default when at rest.
  • The product is protected from known software vulnerabilities that present a danger from attackers.
    • The software is secure against known bugs and types of attacks.
  • The company is a responsible caretaker of my data.
    • The company has systems in place to limit and monitor employee access to user information.
    • The company has an internal security team that conducts security audits on the company’s products and services.
    • The company commissions third-party security audits on its products and services.
    • The company ensures that third parties who process data on behalf of the company implement the required technical and organizational measures to protect user data.
  • The product is kept protected with software updates for a clearly defined and communicated period of time (i.e., the product life cycle).
    • The company has a mechanism (e.g., a bug bounty program or a security.txt file) through which security researchers can submit vulnerabilities they discover.
    • The company discloses the timeframe in which it will review reports of vulnerabilities.
    • The company commits not to pursue legal action against security researchers.
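The password and brute-force criteria above (at least 8 characters required, passphrases of 20 or more accepted, reasonable complexity, all reasonable characters allowed, and a control against brute-force/dictionary attacks) expressed as working code. This is an added Python example written for this page, not code from Consumer Reports or from any evaluated product; the 128-character ceiling, the "three of four character classes or 16+ characters" complexity rule, and the lockout threshold and window are assumed values.

```python
import time
import unicodedata
from collections import defaultdict

MIN_LEN = 8             # framework: at least 8 characters required
MAX_LEN = 128           # framework: at least 20 must be accepted (assumed ceiling)
MAX_FAILURES = 5        # assumption: lock after 5 failed attempts
LOCKOUT_SECONDS = 900   # assumption: 15-minute lockout window


def check_password(pw: str) -> list[str]:
    """Return policy violations for a candidate password (empty list = accepted).
    Spaces, punctuation and non-ASCII letters are all allowed; only control
    characters are rejected, so password-manager output is never mangled."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("too short")
    if len(pw) > MAX_LEN:
        problems.append("too long")
    if any(unicodedata.category(c).startswith("C") for c in pw):
        problems.append("control characters not allowed")
    # "Reasonably complex" (assumed rule): three of four character classes,
    # or a long passphrase of 16+ characters regardless of classes.
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    if len(pw) < 16 and classes < 3:
        problems.append("needs more character variety or length")
    return problems


class LoginThrottle:
    """Per-account failed-attempt counter that locks the account for a window
    once too many failures accumulate (brute-force / dictionary resistance).
    The clock is injectable so the behaviour can be tested deterministically."""

    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT_SECONDS,
                 clock=time.monotonic):
        self.max_failures, self.lockout, self.clock = max_failures, lockout, clock
        self.failures = defaultdict(list)   # account -> timestamps of failures

    def is_locked(self, account: str) -> bool:
        now = self.clock()
        recent = [t for t in self.failures[account] if now - t < self.lockout]
        self.failures[account] = recent     # forget failures outside the window
        return len(recent) >= self.max_failures

    def record_failure(self, account: str) -> None:
        self.failures[account].append(self.clock())

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)    # a real login clears the counter
```

A product that rejects spaces or non-ASCII letters, or silently truncates long passphrases, fails the "all reasonable characters" and "at least 20 characters" criteria even if its minimum length is fine.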