Security Measures and How to Navigate Them Using Ledgersync
Error: “Bank is asking password, security question or code, update manually to answer and continue”.
Security measures are put in place by banks and financial institutions to protect their clients’ data from unauthorized access. This reference guide is designed to help you understand why these “errors” occur and how to resolve them.
First we must understand what security measures are, why they are there, and the forms they come in.
They usually take 2 forms:
Security Questions:
These typically rotate between a series of questions that have been set up by the client on the bank’s website. When triggered, the user logging in must supply the correct answer; failure to do so will usually rotate to a new question. Note: It is possible to lock online banking if a false answer has been supplied too many times.
Secure Access Codes (aka Tokens):
Tokens are typically handled one of two ways by the bank. The bank provides a few points of contact which have been set up previously by the client. Either the bank will call you and you may have to enter into the phone the code that appears on the site, or the bank may send you the code (via text or email) and you must enter it on the screen.
Once the bank receives the data input, the extractor will continue as normal.
Things to know about security measures and using Ledgersync
Ledgersync cannot bypass them or avoid them. This would be “hacking” and is illegal.
Ledgersync is designed to be recognized by the bank in the future, and all the settings have been programmed so that our connection does not give the bank cause to flag a “suspicious login attempt”.
Banks have MANY reasons that a security measure may be triggered, ranging from random checks to suspicious account activity or a login from a new IP address that has never previously logged into the account. (Your first time setting up a client will typically trigger a security measure for this reason, but subsequent refreshes should be recognized.)
Some banks trigger security measures on EVERY login - we cannot bypass that.
Client Involvement - Ledgersync will not completely remove your need to interact with your client, but it hopes to reduce the time spent doing so.
When you receive that bank message in Ledgersync, unless you:
Have the answers to your client’s questions
Are on the list of provided access points to retrieve a token
You will likely need to involve your client.
The 3 Minute Rule and Token Retrieval
You have 180 seconds from the time a security measure is triggered to enter the requested information.
If it times out, or if you cancel it, the error message will be replaced with “update account canceled or aborted”.
This means your attempt to provide information was not completed successfully and you should attempt it again in order to refresh the account successfully.
PRO TIP: Do not attempt to complete a security measure without first getting your client on standby. Triggering the security measure and then chasing your client within 3 minutes may end up in a game of chasing your own tail, in which the client is supplying a code that has already expired.
The best way to achieve a quick, painless token retrieval, should you see that the bank is asking for a security code, is to take the following steps:
1. Call or text your client and say the following: “Hi valued client <name>, I am attempting to download your latest statements from the bank, but the bank is asking that I provide a secure access code. Since I am not a point of contact, I will need you to help complete this task. It will only take a moment of your time. Can we do this right now?” Chances are, if you have them on the phone already, they will say yes.
2. Yes - If they say yes, select the bank you need to refresh and click the “Spinning Arrows” from the summary page. (This is what the message means when it says “manually refresh”.) The manual refresh will trigger the bank to display the security measure request again and will give you the point of contact options. Text is the best method since it is the fastest. The client should receive the code within 10 seconds; they should relay it to you by phone or text, and you will enter it into the data-field box provided. The extractor should then continue to update.
3. No - If you reached their voicemail or caught them at a bad time, schedule a 2-minute call (explain to them that the process takes no more than 2 minutes), and when you do connect, perform step 2.
You can also explain that you are not able to download their statements until you have 2 minutes of their time.
What to do if your client is “annoyed” by requests for a token
Explain to them that these measures are put in place by the bank specifically to protect their data and are therefore a “necessary evil” to ensure security.
Give them the option to add your number as a point of contact. This does not make you an authorized user or a signer, nor will it give you any direct access to their account. Adding your office or mobile number as an additional point of access means that in the future, instead of needing your client to be available to relay the code number, you can have it sent to your own office or mobile, thereby bypassing the need to disturb your clients. Many “irate” clients are happy to add you as a point of contact when they understand that they will no longer need to be bothered in the future, and of course they can remove your number at any time.
Security Question Tips:
Some clients are happy to supply the answers to their questions once you explain that by doing so you are still not able to directly access their account in any way and will merely use the information to download their statements.
Clients unwilling to supply the answers to you can either learn to log in directly to their client portal and refresh the account for you, or come in to the office, where you can hand them the keyboard when it comes time to answer the question.
If you tried to update your client’s account and received a trigger to answer a question, remind the client that on a future update the question may rotate to something else. So it is best that they either give you all the answers or be on the phone with you at the time you refresh the account.
Pro-Option for Security Measures: Training clients to keep their Ledgersync accounts refreshed
Ledgersync was designed with security in mind, specifically for clients who do not wish to share account credentials or security questions. They can maintain control at all times while still giving you access to their data by learning how to log in to their Ledgersync account and updating their accounts at least monthly.
There is a separate reference guide available which discusses how to onboard such clients and how you can help them keep their accounts refreshed so that their data is always current and up to date.