SinglePoint Security: MFA Tokens, Encryption Standards and Fraud Controls
SinglePoint protects commercial banking sessions with multi-factor authentication, TLS 1.3 in transit, AES-256 at rest, dual-control approval workflows, positive pay and machine-learning fraud detection. The security posture is independently attested under SOC 2 Type II and aligned with NIST 800-53 moderate-baseline controls.
As a product of an OCC-chartered national bank, SinglePoint inherits U.S. Bank's regulatory safeguards: GLBA Safeguards Rule, Regulation E dispute rights for eligible electronic transfers, UCC Article 4A for commercial wires and full OFAC screening on every international payment.
Authentication: How SinglePoint Sign-In Works
Three secrets plus a registered device — every session, every time.
Every SinglePoint sign-in requires a Company ID, User ID and password, followed by a one-time passcode (OTP) from the U.S. Bank token app on a registered mobile device or a hardware token issued through the Company Administrator. The Company ID is the commercial entity identifier; the User ID is the individual operator; the password is user-specific and enforced against strength rules (minimum 12 characters, mixed case, number, symbol, no dictionary words, no reuse of the last 10 passwords). The OTP layer defends against credential replay and stolen-password attacks.
High-risk actions inside SinglePoint trigger step-up reauthentication with a fresh OTP even within an active session. These include releasing a wire above the user's configured threshold, adding or editing a beneficiary in the payment library, provisioning a new User ID, changing a user's role or approval authority, and modifying dual-control rules. Step-up prevents a hijacked session from being silently weaponised for fraudulent payments.
Idle SinglePoint sessions time out after 15 minutes of inactivity. Five failed sign-in attempts lock the User ID until a Company Administrator performs a manual unlock, or the Service Centre verifies the user's identity out-of-band. Password age is enforced at 90 days for standard users and 60 days for administrators. Biometric sign-in (Face ID, Touch ID, Android fingerprint) is available on the SinglePoint mobile app as a convenience layer in place of password entry, while the OTP factor remains mandatory.
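The session rules above (five-attempt lockout that only an administrator clears, 15-minute idle timeout, fresh OTP for high-risk actions) can be modelled as a small state machine. This is an added illustration, not SinglePoint code; the action names and function names are hypothetical, and the Service Centre out-of-band unlock path is folded into `admin_unlock`.

```python
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT_S = 15 * 60       # page: 15 minutes of inactivity
MAX_FAILED_ATTEMPTS = 5        # page: five failed sign-ins lock the User ID
# Hypothetical labels for the high-risk actions the page lists.
STEP_UP_ACTIONS = {"release_wire_over_threshold", "edit_beneficiary",
                   "provision_user", "change_role", "modify_dual_control"}

@dataclass
class UserState:
    failed: int = 0
    locked: bool = False
    last_activity: Optional[float] = None   # None means no active session

def sign_in(u, credentials_ok, otp_ok, now):
    """Both the knowledge factors and the OTP must pass; failures count toward lockout."""
    if u.locked:
        return "locked"          # correct credentials do not clear a lock
    if not (credentials_ok and otp_ok):
        u.failed += 1
        u.locked = u.failed >= MAX_FAILED_ATTEMPTS
        return "locked" if u.locked else "denied"
    u.failed, u.last_activity = 0, now
    return "ok"

def admin_unlock(u):
    """Manual unlock; there is deliberately no time-based auto-unlock."""
    u.failed, u.locked = 0, False

def authorize(u, action, now, fresh_otp_ok=False):
    """Gate one in-session action on idle time and, for high-risk actions, a fresh OTP."""
    if u.locked or u.last_activity is None:
        return "sign_in_required"
    if now - u.last_activity >= IDLE_TIMEOUT_S:
        u.last_activity = None   # expire the session
        return "sign_in_required"
    if action in STEP_UP_ACTIONS and not fresh_otp_ok:
        return "step_up_required"
    u.last_activity = now
    return "allowed"
```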
Encryption, Infrastructure and Attestations
SinglePoint traffic and data are protected with modern cryptography and independently audited controls.
All traffic between the browser or mobile app and the SinglePoint platform is protected by TLS 1.3 with modern ciphers and HSTS preload. Legacy TLS versions below 1.2 are rejected. Perfect forward secrecy is enforced on every session. Server certificates are issued by a commercial certificate authority, with CAA records restricting issuance to U.S. Bank's approved issuers and monitoring for unauthorized reissue.
At rest, sensitive SinglePoint data is encrypted with AES-256 inside hardened data centres operated by U.S. Bank. Key management is backed by FIPS 140-2 validated hardware security modules. Database-level tokenization protects account numbers, and encryption keys are rotated on a defined schedule with separation of duties between key custodians and database operators. Backups are encrypted and stored in a geographically separate region.
Independent attestation includes SOC 2 Type II issued annually and covering security, availability, confidentiality and processing integrity trust service criteria. Controls align with NIST 800-53 moderate baseline. Payment card handling inside SinglePoint — for business credit card administration — is scoped under PCI-DSS. Internal red-team exercises, external penetration tests and continuous vulnerability scanning run on the SinglePoint estate, with findings tracked to remediation through the OCC-examined operational risk programme.
SinglePoint Security Control Matrix
Eight layers of protection mapped to the standard that governs each.
| Security Layer | Technology | Standard | SinglePoint Module |
|---|---|---|---|
| Authentication | Company ID + User ID + password + OTP | FFIEC Authentication Guidance | SinglePoint Sign-In |
| Transport encryption | TLS 1.3, PFS, HSTS preload | NIST SP 800-52 Rev. 2 | All SinglePoint channels |
| Data at rest | AES-256, HSM-backed keys, FIPS 140-2 | NIST 800-53 SC-28 | SinglePoint Data Store |
| Fraud detection | Machine learning behavioural scoring | OCC Heightened Standards | SinglePoint Risk Engine |
| Payment validation | Positive pay cheque and ACH matching | UCC Article 4, Reg E | SinglePoint Positive Pay |
| Network controls | IP allowlisting (enterprise tier) | NIST 800-53 AC-3, AC-17 | SinglePoint Admin Console |
| Session management | 15-min idle timeout, 5-attempt lockout | NIST 800-63B | SinglePoint Session Manager |
| Secure messaging | Encrypted intra-portal messaging | GLBA Safeguards Rule | SinglePoint Message Center |
Fraud Controls, Positive Pay and PAFD
Defending SinglePoint payments against first-party, third-party and synthetic-identity fraud.
The SinglePoint risk engine applies machine-learning behavioural scoring to every payment in real time. Models evaluate beneficiary novelty, amount deviation, time-of-day patterns, user location, device fingerprint and historical workflow signatures. High-score transactions route to a human review queue at the U.S. Bank fraud operations centre; medium-score transactions require step-up authentication or second approver; routine transactions proceed. Payment Account Fraud Detection (PAFD) is the cross-channel surveillance layer that correlates signals across wire, ACH and card rails to detect account takeover in progress.
Positive pay is embedded inside SinglePoint for both cheques and ACH. Cheque positive pay reconciles each presented cheque against the issued-cheque file uploaded to SinglePoint, flagging mismatches in payee name, amount or serial number. ACH positive pay (often called ACH block and filter) lets clients whitelist originator IDs and SEC codes so that unauthorized debits on their operating accounts are rejected automatically. Both modules feed an exception queue where authorized users decide to pay or return within the UCC/NACHA return window.
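A sketch of the two checks just described, cheque reconciliation against the issued file and default-deny ACH filtering, as an added example rather than SinglePoint's own logic. The payee normalization rule, reason codes and sample data are assumptions, and the duplicate-presentment check goes one step beyond the three mismatch types the page names.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Cheque:
    serial: str
    payee: str
    amount: Decimal

def normalize_payee(name):
    # Assumed matching rule: ignore case and repeated whitespace.
    return " ".join(name.upper().split())

def reconcile_cheques(issued, presented):
    """Return [(serial, reasons)] for presented cheques that fail the issued-file match."""
    by_serial = {c.serial: c for c in issued}
    seen, exceptions = set(), []
    for item in presented:
        reasons = []
        ref = by_serial.get(item.serial)
        if ref is None:
            reasons.append("serial_not_issued")
        else:
            if item.serial in seen:
                reasons.append("duplicate_presentment")
            if item.amount != ref.amount:
                reasons.append("amount_mismatch")
            if normalize_payee(item.payee) != normalize_payee(ref.payee):
                reasons.append("payee_mismatch")
        seen.add(item.serial)
        if reasons:
            exceptions.append((item.serial, reasons))
    return exceptions

def ach_debit_allowed(originator_id, sec_code, allowlist):
    """Default-deny: pay only if this originator ID is allowlisted for this SEC code."""
    return sec_code in allowlist.get(originator_id, set())

# Constructed sample data (not real cheques or originator IDs).
ISSUED = [Cheque("1001", "Acme Supply Co", Decimal("1250.00")),
          Cheque("1002", "Northwind Freight", Decimal("980.50"))]
PRESENTED = [
    Cheque("1001", "ACME  SUPPLY CO", Decimal("1250.00")),     # clean match
    Cheque("1002", "Northwind Freight", Decimal("9800.50")),   # altered amount
    Cheque("1002", "N. Freight Holdings", Decimal("980.50")),  # re-presented, altered payee
    Cheque("1777", "Unknown Payee", Decimal("400.00")),        # never issued
]
ACH_ALLOWLIST = {"1234567890": {"CCD", "CTX"}}
```

Amounts are held as `Decimal` so that comparison is exact; each returned exception corresponds to one item in the pay-or-return queue.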
Additional protective tools include IP allowlisting (enterprise tier) so SinglePoint sign-in is only permitted from pre-registered corporate egress IPs, geo-velocity checks that flag simultaneous sessions from incompatible locations, device binding for token-app registrations, and the secure intra-portal Message Center that replaces insecure email for sensitive exchanges with your Relationship Manager. Reg E dispute rights apply to covered electronic funds transfers; UCC Article 4A rights apply to commercial wires; all SinglePoint international payments pass OFAC sanctions screening before release. The Consumer Financial Protection Bureau publishes broader electronic-transfer consumer guidance.
Phishing, Social Engineering and User Hygiene
The final defensive layer is the SinglePoint user.
No employee of U.S. Bank or the SinglePoint Service Centre will ever ask for your full password or your full OTP value, or ask you to install remote-desktop software. Any such request is fraudulent. Legitimate Service Centre agents identify themselves, authenticate you through pre-registered security questions and can be independently verified by hanging up and calling back on 1-800-377-3404. The Federal Trade Commission operates consumer reporting infrastructure for impersonation attempts.
Best practices for SinglePoint users: access the portal only by typing singlepoint.at directly or using a bookmark set during initial onboarding; never follow sign-in links from email; separate the email address used for SinglePoint correspondence from personal mailboxes; enforce device full-disk encryption and auto-lock; keep the token app on a device that is patched monthly; and escalate any anomaly — an unexpected OTP prompt, an approval request you did not initiate, a session that feels off — through the Service Centre immediately.
SinglePoint Security in 60 Seconds
A compact reference card for treasury operations, risk and audit teams.
Security Profile
- SinglePoint MFA: Company ID + User ID + password + OTP from U.S. Bank token app or hardware token.
- Encryption: TLS 1.3 in transit, AES-256 at rest, FIPS 140-2 HSM-backed keys.
- Attestations: SOC 2 Type II, NIST 800-53 moderate baseline, PCI-DSS for card handling.
- Fraud controls: ML behavioural scoring, positive pay (cheque + ACH), PAFD cross-channel surveillance.
- Session controls: 15-minute idle timeout, 5-attempt lockout, IP allowlisting on enterprise tier.