Squirrel reviews all the different ways we work to keep your money and data safe

There’s a huge degree of trust involved whenever you hand over your money, or sensitive personal information, to a business. 

As a customer, unfortunately, there’s no easy way for you to do your own due diligence in this respect, other than asking questions to find out how a business runs things—and what internal checks and balances they have in place—so you can be sure they’re going to do right by you, and with your money and data. 

Following that, you really just have to count on them to do what they say they’re going to do. 

Here at Squirrel, we take our responsibility to our customers seriously—which means we’re doing everything we can to keep your money and data safe, and supporting you to do the same. 

So, what does that look like? 

Part 1: All of Squirrel's internal processes (a.k.a. custodial controls) are reviewed annually by an FMA approved auditor 

In the financial services world, a custodian is defined as any service provider that holds, manages or administers assets (usually money or property) on its clients’ behalf, for a specified purpose—like Squirrel does for customers on our lending & investment platform.

As you’d expect, there are a whole lot of rules and regulations that govern the way financial custodians need to operate in New Zealand, largely driven by the Financial Markets Conduct Act 2013 (the “FMC Act”) and Financial Market Conduct Regulations 2014 (the “Regulations”). 

Under the FMC Act, we’re obligated to have controls in place to ensure that your money is handled safely and appropriately—and make sure we’re keeping detailed, accurate and timely records of everything along the way.

The obligations under the FMC Act for handling client money also mandate that we must: 

• hold client money on trust in a separate trust account;
• properly account to the client for money held;
• report on client money;
• maintain adequate records of the client money;
• not use or apply client money, except as expressly directed by the client. 

As part of those obligations, every year Squirrel must engage an FMA approved auditor to undertake a ‘reasonable assurance’ review in relation to its custodial controls (a ‘Custodial Review’). Our auditor reviews the design and operating effectiveness of the controls we have in place to ensure that the processes, procedures and controls are effective and are being complied with.

The reasonable assurance review looks at a whole raft of things, including whether:

• we have accurately described the controls that we had in place throughout the year;
• the controls described were suitably designed to achieve the specified control objectives;
• the controls were implemented; and
• the controls were operating effectively throughout the year.

OUR KYC / ANTI-MONEY LAUNDERING CHECKS & PROCESSES

As part of our licence to operate, we’re also required to collect certain information from new customers and maintain up-to-date information on existing customers. This is to help us ensure that: 

1. We have a good understanding of our customers—including their risk profile, and why and how they’re intending to use our platform.
2. We’re sure that people are who they say they are—which helps us mitigate the risk of the Squirrel platform being used for fraudulent purposes, including money-laundering and other financial crimes. This is why we ask all new customers to submit a copy of either their NZ Driver’s Licence or NZ Passport, to help us verify your identity.
3. We can report information to relevant authorities at the appropriate times.

During the Custodial Review process, our auditor conducts checks to ensure that we’re collecting the right level of information about new customers—and that we’re keeping appropriate records—and deploying the necessary AML checks to verify people’s identities. 

As a licenced peer-to-peer lender, every year Squirrel is required to file a report with the Financial Markets Authority (FMA) detailing our KYC/AML processes and systems. Additionally, we must undergo a full independent audit of these systems every three years, the findings of which are also submitted to the FMA.

HOW WE MANAGE YOUR MONEY 

a) That, where we act as a custodian, customers’ money is kept separate from Squirrel’s own money

A quick Google search will turn up all sorts of cautionary tales about what can happen when these lines are blurred—businesses co-mingling custodial and business funds with disastrous consequences, leaving customers millions, sometimes billions, of dollars out of pocket. 

(The example of FTX and Sam Bankman-Fried is probably the most high-profile case we’ve seen in recent years, but there have been a litany of other ones here in New Zealand too.)

The Custodial Review process involves a review our financial records to ensure that we’re managing custodial funds appropriately—a.k.a. keeping them separate from Squirrel’s own funds, and investing (or holding) them only as directed by our customers. 

b) That our internal processes for moving and managing your money all adhere to best practice

As you’d expect, we also have all sorts of different controls in place inside our business to prevent anyone on our team misusing or misappropriating customer funds. 

That includes only having specific people authorised and able to do certain things with customer money—such as moving funds around—and requiring at least two people to be involved in any one transaction (one person to set it up, and two to authorise it). 

As part of the Custodial Review process, our auditor reviews our records relating to the management of customer funds—including who has access to our various operating systems—to make sure those measures are operating effectively. 

c) And finally, that the numbers all add up.

In simple terms, this includes  reviewing our bank balances at various times during the year, and all our internal and customer account records, to ensure that the amount of customer funds we say we’re holding matches up with the amount we actually have on hand.

Squirrel's most recent Custodial Review, for the financial year to 31 March 2024 was completed in June 2024 

It found that the systems and processes Squirrel uses were effective in ensuring that customer funds were managed appropriately over that period of time. 

Here’s a snippet summarising the auditor’s findings from the Custodial Review: 

“In our opinion, in all material respects, the Trustee’s controls report is fairly presented, in that: 

• the controls were suitably designed to achieve the control objectives specified in section 229V(2) (a) to (i) of the Financial Market Conduct Regulations 2014 (the ‘Regulations’) for the year ended 31 March 2024 (the ‘Period’)
• the description fairly presents the system as designed throughout the Period; and
• the controls, necessary to achieve the control objectives, operated effectively as designed throughout the Period.”

Reporting to the Financial Markets Authority (FMA)

Once the Custodial Review has been completed, Squirrel must then file its custodial controls report with the FMA—one of the industry bodies we report to—to prove that we’re adhering to all the relevant legislation, and are meeting our duties and obligations under our peer-to-peer market service provider licence.

Part 2: We also use a range of different IT security measures to help protect our systems against cyber threats

Cyber-crime has been on the rise generally in recent years, and unfortunately—due to the nature of the work we do, and the information we collect—financial services firms always tend to be pretty high up on the list of targets. 

Even our biggest banks aren’t immune, fending off hundreds (if not thousands) of attacks every day. 

At Squirrel, we eat, sleep and breathe cyber-security—which means we have all sorts of measures and tools in place to help protect our various systems and platforms, and keep your money and data safe.

1. Let’s start with our systems

We use a wide range of Microsoft services, including their cloud storage platform.  

Microsoft is damn good at securing technology, and we make the most of everything they have to offer. That includes everything from applications designed to block cyber-attacks, through to the tools we use to manage access for our staff.

2. We’re well on the way to being SOC 2 compliant

SOC 2 compliance (which stands for Systems and Organisation Controls) is a global best-practice standard in data and IT security—the sort used by some of the world’s, and New Zealand’s, largest financial institutions. 

It’s based on five key principles: security, privacy, availability, confidentiality and processing integrity. 

There’s an extensive list of criteria that businesses must meet in order to achieve SOC 2 compliance—and Squirrel is most of the way through that checklist. 

3. We encrypt all your data from go to whoa

Any data stored on our system is encrypted the whole way through—both when you’re using the platform, and when you’re not.

At rest, your data is encrypted using 256-bit AES encryption. And we use TLS 1.2 (Transport Layer Security) when we’re transferring your data to, or from, another website or platform.

4. Our platforms and security measures are rigorously tested and audited.

We do a whole lot of regular testing on our systems to make sure they’re up to scratch, and we have a leading independent cyber-security firm constantly testing and auditing our platforms as well to make sure they’re in tip-top shape.

As we’ve already talked about, we also engage an FMA approved auditor each year to for our statutory financial audit and reasonable assurance review of our custodial controls.

5. We have 24/7 monitoring in place to help us catch any unusual activity as soon as it happens

We work with an independent cyber-security firm who monitors our platforms for threats 24/7. Even when we’re asleep here in New Zealand, they have teams around the globe keeping watch for anything out of the ordinary – and ready to swing into action at the first sign of any issues.

It means that, should an issue crop up, we’re able to spot the problem almost immediately, and take swift action to mitigate it. 

Our cyber-security firm also conducts dark web monitoring on Squirrel’s behalf—which involves searching, scanning and collecting data on the dark web, to help us ensure that a data breach hasn’t taken place. 

6. Our staff are trained to keep themselves and their technology secure.

That includes training on the importance of keeping up with software updates and security patches, never leaving devices unlocked when they’re not in use (and never leaving them unattended in a public place), and how to spot a suspicious email or attachment.

The other part of the security equation is empowering our customers to take action to help protect themselves and their information. 

Here’s how you can help keep your money and data secure with Squirrel. 

1. Starting with online security 101: passwords!

Always use a password that's hard to guess, and do not re-use passwords across multiple platforms. (And no, chucking a ‘1’ or a ‘!’ at the end to “mix it up” isn’t fooling anyone.)

If you can hardly remember what you had for dinner last night, let alone hundreds of unique passwords…the good news is there’s a tool for that! Password managers can be used on trusted devices – like your personal phone or laptop – to help keep track of all your passwords.

At Squirrel, we use one called 1Password—but Apple and Google do a great job of this stuff too. Just be sure to keep your device locked when you’re not using it!

And finally – don’t share your passwords with anyone!

2. Make sure you’ve got multi-factor authentication enabled (MFA) 

Multi-factor authentication is an added line of defence that makes it much harder for people to get into your account, even if they do somehow get their hands on your password!

Squirrel works with Authsignal to provide MFA for our customers.

3. Enable face or fingerprint recognition, or a PIN, on the mobile app

This is another layer of security, which means that even if someone does get hold of your password, they won’t be able to use it to log-in to the mobile app!

It also means you won’t have to enter your password as often – which is a nice little time-saver.

4. Keep your personal contact info up-to-date

This means you’ll get an alert about any suspicious activity with your account – and it also makes it much easier for us to get in touch with you if there is any suspicious activity, so we can get it sorted.

5. Learn the tell-tale signs of a scam email or text

It’s pretty scary how clever scammers are getting these days, but there are a few things that can be a dead giveaway when it comes to spotting a scam in the wild. Things like:

1. If they’re asking you for your account login info – including any links that ask you to “click to log in”.
2. If you receive an email that asks you to “click this link” to login. Squirrel will never include login links in our emails.
3. If someone is offering unsolicited investment advice, especially on social media and emails.
4. The sender’s email address looks suspicious – like if it’s from a Gmail account, or if the domain name is spelled wrong. This is often the best indicator that something’s amiss!
5. The text is from a standard mobile number (021, 027, etc.), or an overseas number. Most legitimate businesses, Squirrel included, will text you via a “short code” which is an abbreviated 3- to 6-digit phone number.

So, in short, keeping your data and money secure is—and always will be—one of our top priorities

Even though most of what we do happens in the background, so you don’t see it in action, there are plenty of layers of defence working away to help protect our customers, their money and their personal information.