CASHFAC PLC

Cashfac Care Account Platform

Cashfac’s Care Account Platform enables Guardians and Appointees, to manage client accounts on behalf of vulnerable people for effective management of their financial affairs.
Used by Local Authorities, links to your bank, to provide a robust client banking solution with segregation and control of cash, and real time account opening.

Features

• Bank Agnostic plug and play different or multiple banks
• Fast Start get up and running quickly through data import
• On-line account opening/closing in real-time and set own interest rates
• Unlimited on-line statement information
• Send UK Payment types BACS, Chaps and Faster Payments
• Supports Direct Debit Payments (bills ie utilities, phone rates etc)
• Receipt and Payment Types to mirror OPG reporting
• Automatic Collection of Charges
• Standard On-line Reports available to download
• Comprehensive user permissions and transaction authorisation

Benefits

• No need to switch your banking partner to use service
• Change banks without losing cash management platform capability
• We can on-board you quickly with minimal disruption
• Real time access to account history
• Create automated regular payments e.g. to service pre-payment card
• Creates data extracts for automated OPG reporting eg CASPAR exract
• Streamline charges collection through a single process
• Ability to set bespoke interest rates
• Set-up payment limits according to amounts being sent
• Full audit record of who accessed and what was done

£14,803.56 a licence a year

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at compliance@cashfac.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

543055536158373

Contact

Carmen Morgan
02079200617
compliance@cashfac.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Systems like Caspar and Controc
• Cloud deployment model: Private cloud
• Service constraints: There are no known constraints however the onboarding project will examine any requirements out of the ordinary.
• System requirements: Your bank needs to provide Balance and Transaction files

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: All services are supported by standard SLAs for quick responses
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: WCAG 2.1 AA or EN 301 549
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: No
• Support levels: Cashfac provides 1st line support via phone and support portal, 2nd and 3rd line support are provided via 1st line support escalation.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: There is an implementation process to onboard a customer to the platform
• Service documentation: Yes
• Documentation formats: PDF
• End-of-contract data extraction: Managed Service can provide a data extract of transactional data can be provided on contract end.
• End-of-contract process: Users will be given the opportunity to contract with Cashfac directly. If they choose to terminate they will be removed from the platform and support accounts closed. Optional data extracts can be provided back to the User, to meet their relevant regulatory requirements and records retention, at the point of termination. Exit management provisions are included in the standard Supplier Terms.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
• Application to install: No
• Designed for use on mobile devices: No
• Service interface: Yes
• User support accessibility: WCAG 2.1 A
• Description of service interface: The service interface is via a Website available over the internet which allows the User(s) of the platform to manage account holders, accounts, transactions, interest and statements for their clients. Authentication is via a username and password followed by a pin tied to the device (Multi-Factor Authentication). User(s) are given a role based access with permissions hiding functionality they do not have permission to.
• Accessibility standards: WCAG 2.1 A
• Accessibility testing: Cashfac follow w3.org WCAG and use a developer W3C validator tool to verify developments as well as following a standard checklist during code reviews. Various banks have put our application through their own testing using a varied tool set to provide greater coverage. If issues are highlighted, they are typically addressed through the product maintenance patching cycle.; ; The product is capable of being used by visually impaired people and has been tested by an existing customer with this disability. The product has also been tested with assistive software (JAWS screen reader) both internally and externally. Screen navigation can also be achieved without reliance on the mouse.; ; The following tools are typically used for accessibility testing; WAVE toolbars, JAWS or NVDA screen reader (depending on browser compatibility), Colour Contrast Analyser, PDF Accessibility Checker.
• API: Yes
• What users can and can't do using the API: Cashfac has a suite of API's providing the ability to create and administer a Client(s) accounts/account holders as well as the creating and amending transactions on those accounts. A full list of API's is detailed below. User management is via the web UI and multi-factor authentication.; ; Login, ; Account Enquiry - Transaction Status, Account Balance, Account Statement by Date, ; Account Processing - Create Account Holder, Capitalise Interest, Open Accounts, Maintain Accounts, ; Transaction Processing - Create transactions, Create Value Instructions, Update Transactions, Delete Transaction, ; ATMA - Get Unallocated Items, Create ATMA exception, Create ATMA Allocation
• API documentation: Yes
• API documentation formats: PDF
• API sandbox or test environment: Yes
• Customisation available: No

Scaling

• Independence of resources: Cashfac has a comprehensive capacity management program with application performance management tools providing real time feedback. Services are scalable to scale up/out any services

Analytics

• Service usage metrics: Yes
• Metrics types: Cashfac will provide a generic service review document to all consumers of the SaaS service including availability, major incidents affecting the service
• Reporting types: Regular reports

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Baseline Personnel Security Standard (BPSS)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: No
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Explicit overwriting of storage before reallocation
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: Data exports can be retrieved manually through the web browser interface or data extracts can be produced automatically on a schedule
• Data export formats:
  • CSV
  • Other
• Other data export formats: PDF
• Data import formats: CSV

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: IPsec or TLS VPN gateway

Availability and resilience

• Guaranteed availability: The service levels, availability and credits are defined in the Supplier Terms, Schedule 5 - Cashfac Cloud Service Levels.
• Approach to resilience: The service has high availability built into the infrastructure at the network, web, application and database layers. Data is replicated to a disaster recovery site housed in secondary location in real time allowing for a warm start of the service.
• Outage reporting: Outages are reported via Service Management and the Service Desk.

Identity and authentication

• User authentication needed: Yes
• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: Any login to the application requires two factor authentication and the management of the application is handled by permissions groups arranged by role. ; ; Support is only accessible by login to the support portal by an accepted domain.
• Access restriction testing frequency: At least once a year
• Management access authentication: 2-factor authentication

Audit information for users

• Access to user activity audit information: You control when users can access audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: You control when users can access audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: BSI Group
• ISO/IEC 27001 accreditation date: 07/10/2021
• What the ISO/IEC 27001 doesn’t cover: The scope of our information security management system is set out under a formal Statement of Applicability, as required under the ISO27001 standard, for the provision of our Managed Service operations, which includes the provision of the Cashfac Care Account Platform. Currently, none of the control requirements are out of scope.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications: Approved supplier on Hellios, Financials Services Qualification System

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Cashfac have an over-arching ISP with many related information security policies as defined in our Statement of Applicability.; The following is a summary of policies which form part of the mandatory requirements of the ISO27001 standard:; Information Security Policy; Risk Assessment and Treatment; Information security risks in Project Management; Information classification, labelling, handling and secure disposal; Records Management; Operational planning and control documents; Internal audit program; Security event and incident process; Clear desk policy/Physical security Employee pre-employment screening; Business and IT Continuity provisions

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Formal ITIL change management process with CAB approval.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Vulnerabilities are managed according to our Risk Assessment Methodology and treated accordingly. A risk assessment is carried out and appropriate measures are taken to mitigate or eliminate any associated risks. Actions are tracked via the Risk Treatment Plan. The Asset Register, Patch Management and Change Management processes support vulnerability management. A Change Advisory Board meets twice weekly to assess any vulnerabilities identified. Patches can be deployed in real time, depending on criticality and nature of threat. External vulnerability monitoring tools are also used, with relevant alerts to the technical teams.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Various event logging facilities are in place to support potential operational compromises and contractual obligations, including automated tools and manual reporting processes. Logs are held centrally in a SIEM tool, in accordance with relevant legal and contractual obligations and controlled by the Security Logging and Event Management policy, which is reviewed annually. Logs are reviewed by Technical Services team and escalated to the ISM and CRO if there is a potential compromise. Incidents are managed through the Cyber Incident Response Plan. Incident response times depend on the criticality. Critical incidents are responded to within 1 hr.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: There is a predefined policy and process for managing incidents. This forms part of our regulatory obligations and is reviewed annually. User(s) can report incidents by phone or email. Incident tickets are managed centrally via our Service Desk. Incident reports would be provided to User(s) with a root cause analysis and mitigating steps to avoid a similar future issue. Similarly if an incident was a regulatory reportable event then this would be reported on the relevant regulator portal. Summarised incident reports are provided to Cashfac's Operational and Executive Boards.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  We are committed to good environmental practices and always seek to reduce any negative environmental impact and contribute towards a healthier environment.

  Covid-19 recovery

  We aim to positively support our communities whether through, fundraising, donations, sponsorship, or volunteering, to support those suffering from hardships, are vulnerable and/or are disadvantaged. We are proud to support charities dedicated to providing future generations with resources and skills to integrate into the technology-driven world.

  Tackling economic inequality

  We strive always to conduct business with integrity and respect to human rights. We do not tolerate human rights abuses and will not engage or be complicit in any activity that solicits or encourages such abuse. We will continue to promote maintaining high standards amongst our suppliers and oppose the exploitation of any workers and will not tolerate forced labour, or labour which involves harassment or intimidation of any kind. We will not accept human trafficking or the exploitation of children and young people in our business.

  Equal opportunity

  We have a diverse workforce and respect and value every individual we work with and the contribution that they make. We treat everyone fairly and equally and have an inclusive workforce offering employment opportunities to all members of the community.

  Wellbeing

  Our people are like our family and their wellbeing is vital to our business success. We maintain our investment in our Health & Wellbeing Programme in providing a supportive, compassionate, and positive experience for our employees.

Pricing

• Price: £14,803.56 a licence a year
• Discount for educational organisations: No
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at compliance@cashfac.com. Tell them what format you need. It will help if you say what assistive technology you use.