Keeping your Relay account secure

Keeping your money and data safe is our top priority at Relay, so we’ve put together this list of security best practices for you, so you’re equipped to protect yourself online.

Our Security team also works to keep your account secure behind the scenes, and we would like to give you some peace of mind by sharing what we’re doing to protect your Relay account.

What you can do to keep your account secure

• Create a different, strong password for every site you use, including Relay, and do not use the same (or a similar) format when creating a new password for other apps. A unique password is especially important for your banking app, and any other app used to manage your money.
• Two-factor authentication (2FA) is required for Relay accounts. If you have not logged in to Relay since 2FA was enforced, you will be prompted to do so the next time you log in. More details are here.
• Set up biometric authentication (face/fingerprint ID), following the instructions outlined here, to further secure access to Relay from your mobile device.
• Consistently review transactions and other account activity, like debit card creation, to identify unusual activity quickly. If you notice something suspicious, please reset your password and report it to our Customer Experience team as soon as possible.
• Set up email notifications to be alerted on account activity, like payments being sent. To learn how to set up notifications in your Relay account, please see Managing your notification preferences.
• Regularly review your account sessions to identify any logins from unfamiliar devices or locations. For instructions on how to view your session activity, please see Viewing session activity. If you notice something suspicious, please reset your password and report it to our Customer Experience team as soon as possible.
• Be vigilant against phishing attempts to access your Relay account. In a phishing attack, a hacker might pose as Relay to try and get you to share your login information. To stay vigilant, please note the following:
  • Relay will never ask you to share your phone number, password, or 2FA code over social media, text message, or email.
  • Our only login URL is https://app.relayfi.com/login.
  • We’re @bankwithrelay and @relay.hq on Instagram, and we’re @bankwithrelay on Twitter/X, LinkedIn, and Facebook. All other Relay accounts on these platforms are unauthorized and not managed by our team.
  • We will only send you emails from @relayfi.com and @bankwithrelay.com domains.

How Relay keeps your account safe

• Encryption. Relay employs industry-standard encryption to ensure secure and protected transmission of data. An AES-256-GCM encryption algorithm is used for data-at-rest encryption. We enforce TLS 1.2 or better, with Forward Secrecy for in-transit encryption.
• State-of-the-art infrastructure. We consistently monitor our platform and log all points of access using CloudWatch and CloudTrail. Our Security team is immediately alerted to unusual behaviour, and they follow an established, industry-standard procedure when responding to potential incidents.
• Employee security. All Relay employees undergo background checks before joining our team, and they are required to complete security training after joining the team. Employee access to internal systems is managed through zero-trust tunnels, and all activity is logged and monitored. Additionally, we follow best security practices, such as the principle of least privilege, when it comes to employee mobile device management, virus protection, and disk encryption.
• Regular penetration tests. Relay regularly audits its systems to identify potential vulnerabilities. This is in addition to our vulnerability disclosure program, managed by HackerOne, which is continuously working to help us identify potential vulnerabilities. Learn more about this program below.

How Relay responds to and protects against fraud

• Transaction monitoring. Relay locks accounts and notifies users when our transaction monitoring systems identify unusual or suspicious transactions that are outside of an account’s normal spending activity.
• FDIC insurance via Thread Bank¹. The Federal Deposit Insurance Corporation (FDIC) is a U.S. government corporation that provides deposit insurance to commercial banks. Relay customer deposits are insured up to $3M through our partner bank, Thread Bank. Learn more about this here.
• Debit card controls. If a physical or virtual debit card is suspected to be compromised, customers can immediately freeze and terminate the card in just a few seconds by logging into Relay and navigating to the Cards section. More information on this can be found here.

How to report a potential vulnerability

Relay partners with HackerOne to offer a vulnerability disclosure program. The invite-only program provides individuals with monetary rewards for safely disclosing potential privacy vulnerabilities in non-production environments. Our Security team follows an established procedure when responding to potential vulnerabilities disclosed through this program.

If you would like to join Relay’s vulnerability disclosure program, please let us know at security@relayfi.com.

When is SMS Verification Needed? 

If Keeping your account safe is our top priority at Relay. On occasion, when changing your phone number, you may be prompted to verify your changes with an SMS code sent to your previous mobile device as an added layer of security. 

Please note: For security reasons, Relay is unable to make any changes to your login information (including your mobile phone number) via email. If you want to make these changes, please give us a call so that we can verify your identity and help you access your account as soon as possible.

¹ Relay is a financial technology company, not a bank. Banking services and FDIC insurance are provided by Thread Bank; Member FDIC. Relay customers are insured up to $3,000,000 per business by the FDIC through an insured cash sweep program managed by Thread Bank, Member FDIC.