We understand the importance of data. With over $100B in loan application and origination data collected over 23 years, external data vendors, and data from all major credit bureaus, our team of 175+ data scientists reviews and evaluates our models to drive performance and minimize risk. Given the scope of data we collect and analyze, BHG has robust privacy and security standards to protect our customer information. Our dedicated team of security and privacy professionals develops, tests, and evaluates internal controls and routinely engages with third-party auditors to review our program. BHG has achieved its SOC 2 Type 2, which demonstrates our commitment to security, availability, and confidentiality controls within our environment.
Examples of other security protocols include:
- Partnership with an external security vendor to conduct quarterly vulnerability testing, with summaries available on request
- Vulnerability and penetration testing
- All customer data is transmitted via encrypted communication
- Formal enterprise risk management policy and program that manages enterprise-wide risk most critical to BHG’s success
- Governance, risk, and compliance program that measures, monitors, and reports material risks
- Multi-factor authentication is required for employees and partner banks every 90 days, when a user logs in from a new computer, or when a cache has been cleared
- All customer data is encrypted. TLS 1.2 or above is required for all data in transit. AES 128, AES 192, or AES 256 is required for data at rest.
- Password complexity is required for all employee and customer logins
Protecting our bank partners
BHG is skilled at analyzing data to effectively manage risk and adjust lending parameters when needed to provide strong loan performance for our partners. Using our vigorous internal controls as a guideline, BHG can advise and assist our bank partners with their own data security and privacy safeguards.
In addition to the protocols discussed above, banks on our institutional network can leverage our fraud mitigation and internal fraud policies. Both apply to the identification and resolution of any irregularity involving or perpetrated by the company’s prospects, customers, employees, contractors, or officers. The policies also cover identifying, reporting, investigating, and resolving activity related to fraud, synthetic identities, and identity theft.
Additionally, BHG has an ID Red Flag Policy that enumerates the requirement for and execution of:
- Undertaking an identity theft risk assessment process that includes identifying and assessing Red Flags for identity theft
- Detecting Red Flags and responding appropriately to prevent and mitigate identity theft
- Managing identity theft in service provider relationships
- Training requirements
- Periodic reporting and updating of this program to reflect changes in risks