AccessPay

Payments and Cash Management Automation Software

The AccessPay platform enables organisations to securely connect their back-office systems (ERP, Treasury Management System, Payroll System) to UK (Bacs, Faster Payments, CHAPS) and International (SWIFT, SEPA) payment schemes. Enhanced workflows and role based profiles mean that payment approval and submission can be controlled centrally and processes enforced.

Features

• Bacs Approved Payments Software
• Direct Debit Collections
• Bacs Approved Bureau Software
• Multi-bank connectivity & Secure integrations
• Confirmation of Payee
• International Payments
• Secure Access & Fraud/Error Prevention
• Enhanced Workflows
• Automated bank statement retreival & visualisation
• Reporting & Alerting

Benefits

• Automated payments direct to scheme
• Easily manage high volumes of direct debits
• Easy, centralized management of local government payroll
• Remove risks of fraud associated with manually processing payment files
• Name checking verification to reduce misdirected payments
• Centralise and control cross-border payments
• Only approved staff are able to access critical payment data
• Systemic enforcement of processes and control
• Fast access to cash position data across your banking estate
• Receive alerts notifying you of significant cash movements

£2,000 a licence a year

• Education pricing available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at charles.haworth@accesspay.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

957177199094441

Contact

Charles Haworth
+44 (0) 161 250 7778
charles.haworth@accesspay.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: ERP, CRM, Payroll and Treasury Management Systems.
• Cloud deployment model: Public cloud
• Service constraints: N/A
• System requirements: Modern Browser - Chrome, Edge, Firefox, Safari, etc..

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: We have a 15 min SLA to respond to new queries; SLA's for tickets are tiered according to severity and business impact.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 9 to 5 (UK time), Monday to Friday
• Web chat support: No
• Onsite support: No
• Support levels: AccessPay service hours are Mon-Fri 08:00 - 18:00 with extended hours to 22:30 for Severity 1 incidents. ; Support incidents are assessed and categorised against service levels, which as follows; ; Severity 1: Incident resulting in total loss of core functionality with sever business impact to customer eg unable to submit or process any files. Severity 2: Incident resulting in loss of some core functionality e.g., stuck files or unable to process specific files.; Severity 3: Incident involving single user issues which has the potential to be escalated if a solution or workaround is not found or a workaround is available. ; Severity 4: Cosmetic or minor issue, causing minor inconvenience to customers. ; Target Resolution Times are as follows; ; Severity 1: Response SLA - 15 mins | Target Resolution: 2 hours | Escalation to Management: Immediate | Update Frequency: 30 mins. ; Severity 2: Response SLA - 30 mins | Target Resolution: 4 hours | Escalation to Management: 1 hour | Update Frequency: 1 hour ; Severity 3: Response SLA - 1 hour | Target Resolution: 24 office hours | Escalation to Management: by exception Severity 4: Response SLA - 1 working day | Target Resolution: 5 business days
• Support available to third parties: No

Onboarding and offboarding

• Getting started: Every new AccessPay client is given a dedicated implementation consultant to guide them through the onboarding process. The onboarding process itself consists of three milestones; ; 1. Discovery - Define roles and responsibilities (Client, AccessPay, Bank), establish governance, collect data and sample files. ; 2. Build - Complete file transformations, Set-up users, Configure workflows, Set-up file configuration. ; 3. Test and Go-live - File testing with banks and connectivity testing, remote training, Client UAT with bank(s). ; Typical project governance and communication cadence; ; - Weekly progress call - Weekly progress reports ; - Increased frequency of calls and updates during testing and go-live ; - Full handover to live.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: At end of contract customers can request a copy of their data or can request that their data is deleted. We ask that the request is made within 30 days of termination, outstanding fees be paid and data will be provided in a CSV format.
• End-of-contract process: Customers that wish to cancel their subscription with AccessPay must do so in writing 30 days before the annual renewal date. The request to cancel can be made to either of the Service Desk, our Finance team or directly with your Customer Success or Account Manager. Once acceptance of the request to cancel has been confirmed by AccessPay, removal of access for all client users will be initiated at a date agreed by both parties.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: AccessPay is a reactive browser based solution.; When accessing the platform website through a mobile device users are limited to the dashboard and the approval function.
• Service interface: No
• User support accessibility: None or don’t know
• API: Yes
• What users can and can't do using the API: The AccessPay External Web API supports server-to-server interactions such as those between an ERP system and an AccessPay service.; All Schemes (Bacs, FPS, Swift and Host-to-Host) are supported.; ; The AccessPay Open API supports payment initiation, either through bulk files or via single or bulk submission in a JSON payload, as well as updates on payment statuses.; It also allows for access to balance and transaction information from underlying banks and collection of reports from the BACS scheme.
• API documentation: Yes
• API documentation formats: Open API (also known as Swagger)
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: The AccessPay platform can be customised in the following ways;; ; Payments Automation (UK and International Payment Schemes);; - Role based profiles; - Workflow rules that segregate user duties within the software (create workflows by payment type, eg payroll and by area, eg Schools payroll with designated submitters and approvers in each).; ; Cash Management Automation;; - View cash balances by currency, region, division, bank, or any grouping determined by you.; ; In each instance it is the Administrative users who have the ability to add and remove users, create new workflows and alter role profiles.; ; Reports can be generated and scheduled to meet customer's requirements.

Scaling

• Independence of resources: We proactively manage capacity to ensure AccessPay can provide a service level availability of up to 99.5% for the service hours of your support contract

Analytics

• Service usage metrics: Yes
• Metrics types: AccessPay provide the following metrics as part of our customer success progamme;; ; - Active users; - Transaction volume and value throughput reports; - Usage reports; - Service availability reports; - Incident management performance
• Reporting types:
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Conforms to BS7858:2019
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: No
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: ‘IT Health Check’ performed by a CHECK service provider
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
• Data sanitisation process: Yes
• Data sanitisation type:
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
• Equipment disposal approach: Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

• Data export approach: Users with the appropriate permissions can download uploaded transaction files from the AccessPay portal once logged in.; Through the Audit function users are also able to run and export audit reports such as File Journey, User Access Monitoring, User Permissions, Admin Changes and a full Transaction report.
• Data export formats:
  • CSV
  • Other
• Other data export formats:
  • XSLX
  • PDF
• Data import formats:
  • CSV
  • Other
• Other data import formats:
  • ISO 20022 - Pain.001
  • ISO 20022 - Pain.008
  • BACS Standard 18
  • Excel

Data-in-transit protection

• Data protection between buyer and supplier networks: Other
• Other protection between networks: Connection is made via manual upload of file, sure SFTP or secure API.
• Data protection within supplier network:
  • TLS (version 1.2 or above)
  • Other
• Other protection within supplier network: Encryption for data in transit (TLS 1.2) and rest (AES 256).

Availability and resilience

• Guaranteed availability: AccessPay aim to provide a service level availability of up to 99.5% for the service hours of your support contract, with the exception of:; • Agreed routine maintenance windows; • Scheduled downtime; • Disruption / outages beyond the control of ACCESSPAY Systems; Service availability is calculated monthly using our automated monitoring.
• Approach to resilience: Available on request.
• Outage reporting: In the event of service outage, AccessPay will notify the clients stated business and technical contacts via email at the intervals outlined below according to the incident priority levels;; ; Severity 1 - Urgent: Every 30 mins; Severity 2 - High: Every 1 hour; Severity 3 - Medium: Not Applicable; Severity 4 - Low: Not Applicable

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • 2-factor authentication
  • Username or password
  • Other
• Other user authentication: For customers SSO is available depending on product.
• Access restrictions in management interfaces and support channels: AccessPay operates RBAC based on the principle of least privilege and requires permissions from clients in some cases to get access to their data for support purposes. Access to systems is monitored and recorded for audit and monitoring purposes.; Users have clear role separations in the AccessPay solution and only approved users can contact AccessPay for support.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Alcumus ISOQAR
• ISO/IEC 27001 accreditation date: 18/09/2013
• What the ISO/IEC 27001 doesn’t cover: Not Applicable
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: Yes
• Who accredited the PCI DSS certification: ECSC
• PCI DSS accreditation date: 31/08/2020
• What the PCI DSS doesn’t cover: PCI DSS Level 1 compliant.
• Cyber essentials: Yes
• Cyber essentials plus: Yes
• Other security certifications: Yes
• Any other security certifications:
  • ISO BCM 22301
  • SWIFT Approved software provider
  • BACS/FPS approved software provider
  • ISO Privacy Management 27701

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Process and policies based on ISO 27001, ISO 22301 and NIST security framework. Policies and processes align to Information Management System and examples include: Access Control and Training Policy, Asset Management Policy, Acceptable Use, Data Protection Policy, Risk Management, Supplier Management, Password Policy, Incident Management Policy, Logging and Monitoring, Configuration and Hardening, Secure Development, Vulnerability Management Policy, Change and Release Management, Service Management and Quality. ; Controls are reviewed by internal and external audits, policy review, and regular reporting to senior management.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We follow set configuration standards including: user configuration, network configuration, operating systems, application security, logging and monitoring requirements, patching and vulnerability, subject to change management process, and back up and restoration in place.; ; We follow Change management process with dedicated release manager and roles and responsibilities defined. Different types of change have been identified and depending on change an approval process is followed including risk assessment, impact of change, testing and rollback planning. All changes tracked in Jira and include approval flow including approver groups and CAB and documentation is retained.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Threats are assessed using CVSS scoring and fixed based on the following score classifications;; Critical (CVSS 9+) < 2 Weeks; High (CVSS 7+) < 1 Month; Medium (CVSS 4+) < 3 Months; We collect information from security tooling, government and private agencies, for example new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) and National Vulnerability Database (NVD).
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: Potential compromises/threats are identified using SIEM, vulnerability scanning, file integrity check, log monitoring, user activity monitoring and in-house-built application and system monitoring solutions which notifies abnormalities to our Security Team who react based on severity of the notification. Updates are provided hourly and most of the issues closed same day if no third party is involved.
• Incident management type: Supplier-defined controls
• Incident management approach: AccessPay users can notify AccessPay of incidents via Customer Portal, email or telephone. AccessPay operation teams monitor platform to identify incidents. Incidents are impact assessed and prioritized according to the following standards. ; ; Critical - Severe impact on the ability of staff to work/support business operations impacting on the function of client facing systems; ; High - Severe impact on the ability of staff to work/support business operations but no impact to client facing systems; ; Medium- Limited impact on the ability of staff to work/support business operations.; ; Low - Minimal, if any, impact; ; Reports are provided to named business contacts.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  AccessPay has a Corporate Compliance policy which the company adheres to. One of the commitments in the policy is the company’s commitment to managing its environmental impact. The Company seeks to avoid waste and promotes the use of sustainable resources when choosing or specifying materials and equipment. We demonstrate our commitment to the Environmental and Green Policy by:; • Reviewing and understanding the range of environmental impacts arising from our activities.; • Ensuring that we comply with and, where possible, exceed all applicable environmental ; legislation.; • Setting environmental objectives and targets where possible and defining a means of achieving ; them to improve our environmental management and performance.; • Reducing energy and resource consumption by implementing effective and efficient reduction ; methods consistent with best practice.; • Communicating our environmental policy to our suppliers and contractors to ensure that ; goods procured and services undertaken comply with it.; • Minimising the generation of waste and implementing recycling initiatives.; • Ensuring that the policy is understood, implemented and maintained at all levels within the ; organisation and is supported by suitable education and training.

  Equal opportunity

  AccessPay have always demonstrated providing equal opportunities through having a diverse workforce throughout all of the company. We have recently published an article on the importance women in tech and increased diversity. AccessPay has been recognised as one of 'UK's best place to work' by Great Places to work in 2024.

  Wellbeing

  Wellbeing is at the heart of AccessPay's culture. ; There are two aspects to this: our internal approach to mental wellbeing and health, and the potential benefits our solution offers individuals within businesses. AccessPay has a number of policies to support internal wellbeing, along with dedicated mental health first aiders and an employee assistance programme. All AccessPay employees have a wellbeing allowance which can be used on something which makes them feel good (e.g. gym, headspace app etc). Externally, we often shout about how our automation of banking operations can free up finance and treasury teams, allowing businesses to focus on work that really matters.

Pricing

• Price: £2,000 a licence a year
• Discount for educational organisations: Yes
• Free trial available: No

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at charles.haworth@accesspay.com. Tell them what format you need. It will help if you say what assistive technology you use.