What is SOC 2?

Service Organization Control 2 (SOC 2) is a voluntary auditing procedure that service providers complete to keep their clients’ data secure from cyber attacks like malware installation, data theft, or extortion.

Software-as-a-Service (SaaS) providers that are SOC 2 compliant enjoy a competitive advantage over those that are not.

The SOC 2 security standard was developed by the American Institute of CPAs (AICPA); it governs and standardizes how organizations manage customer data. SOC 2 compliance is viewed through the lens of five Trust Services Criteria: processing integrity, availability, security, confidentiality, and privacy.

SOC 2 can be customized by each organization to fit its business practices. Organizations may create two different types of reports that specify how data is managed, and these reports can be shared with regulators, suppliers, and other partners:

  • Type I reporting documents the organization’s systems and confirms whether the system design complies with the relevant trust principles.
  • Type II reporting documents the operational efficiency of each system.

The key difference between the SOC 2 standard and other compliance requirements like PCI DSS is that SOC 2 reports are unique and tailored to each organization. Each company can create its own set of controls that align and comply with relevant trust principles.

What Does SOC 2 Look Like in Action?

Outside auditors examine an organization’s systems and processes to assess how well they comply with one or more of the trust principles. Compliance with the principles may be summarized as follows:

  1. Security – Are system resources protected from people who shouldn’t have access? Compliance might include access controls that reduce the possibility of system abuse, software misuse, or data getting into the wrong hands. Security tools may include multi-factor authentication (MFA), web application firewalls (WAFs), and intrusion detection.
  2. Availability – Are services, systems, and products accessible and available in the ways outlined in agreements and contracts? Usability and functionality do not fall under this umbrella, but security-related issues that could affect availability do. Tools and processes may include network performance and availability monitoring, security incident response, and site failover.
  3. Processing integrity – Do processing systems do what they say they will do and deliver data completely, accurately, and quickly – and is that data transmission valid and authorized? It’s important to point out that processing integrity is not the same as data integrity: data errors that exist before input into the system are not the processor’s responsibility. Tools may include data processing monitoring along with thorough quality assurance procedures.
  4. Confidentiality – Are data access and disclosure restricted to a specific set of people or organizations? Such data includes intellectual property, internal documents, business plans, or sensitive financial information intended only for specific people. Encryption, firewalls, and strict access controls are the primary tools used to ensure the confidentiality of both stored and processed data.
  5. Privacy – Does the organization follow its own privacy protocol and the AICPA’s generally accepted privacy principles (GAPP)? The privacy principle looks at how an organization collects, uses, stores, disseminates, and disposes of personally identifiable information (PII). Controls that guard against unauthorized access provide layers of protection for this data.

More from Learn

Compliance is a crucial function for any company that moves money on behalf of their customers. Dive into the fundamentals behind key compliance processes like KYC, KYB, transaction monitoring, and more.

  • Compliance risk management (CRM) is the ongoing process of identifying, assessing, and mitigating potential risks that threaten an organization’s business.
  • Customer due diligence (CDD) is a process used at financial institutions (FIs) when working with potential new customers.
  • The Customer Identification Program (CIP), part of the Know Your Customer program guidelines, requires that financial institutions in the U.S. verify that customers (both individuals and businesses) are who they say they are when they open new accounts for themselves or other people.
  • FinCEN, short for Financial Crimes Enforcement Network, is a government bureau that aims to prevent money laundering and other financial crimes—and punish bad actors that commit them.
  • Know Your Business (KYB) is a set of verification procedures that helps companies avoid getting into business with criminals.
  • The Office of the Comptroller of the Currency (OCC) is a federal agency that "charters, regulates, and supervises" all national banks.
  • According to the Department of Labor (DOL), Personal Identifiable Information (PII) is any information from which a person’s identity can be either directly or indirectly inferred.
  • A Politically Exposed Person (PEP) is someone that might be more likely to break the law or be corrupt because of the power their position affords them.
  • Specially Designated Nationals (SDN) are individuals and entities tied to countries that the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has hit with sanctions.
  • A Suspicious Activity Report (SAR) is a report that a bank or other financial institution must file if it suspects that a customer might be breaking the law and committing fraud, financing terrorism, or laundering money.
  • Anti-money laundering (or AML) compliance entails a careful adherence to rules and regulations aimed at combating illicit financial activities.
  • Know Your Customer or Know Your Client (KYC) is a set of guidelines for verifying the identity of a customer and gauging the associated risk of working with them.
  • The Office of Foreign Assets Control (OFAC) is a financial intelligence and enforcement agency under the jurisdiction of the US Treasury Department.
  • PCI DSS certification means your business has met the requirements laid out in the Payment Card Industry Data Security Standard (PCI DSS) to secure payment card data.
  • Section 314(a) is part of the USA Patriot Act that enables financial institutions (FIs) and law enforcement to work together to fight money laundering and terrorist activity.
  • Section 314(b) and Section 314(a) of the USA Patriot Act both relate to information requests under the Banking Secrecy Act (BSA).
  • A currency transaction report (CTR) is a report made by U.S. financial institutions aiming to prevent money laundering.
  • An Agent of the Payee is a person, entity, or other intermediary specifically appointed by a payee to process and collect payments on their behalf.
  • Identity Verification APIs allow businesses to streamline the process of checking the identities of new users by automatically, and in some cases instantly, verifying their provided identifying information.
  • The Bank Secrecy Act (BSA)—also known as the Currency and Foreign Transactions Reporting Act—is a piece of legislation designed to help prevent fraud.
  • The Electronic Fund Transfer Act (EFTA) is a federal law in the U.S. that regulates electronic transactions to protect consumers.