Security Framework Highlights
- **Digital Certificates**: Mandatory client-side certificates that bind a user's identity to a specific, authorized device.
- **Biometric 2SV**: High-assurance approval for wires and EFTs using the RBC Mobile app (FaceID/TouchID).
- **Behavioral Monitoring**: AI-driven detection of non-human interactions (bots) and navigation anomalies.
- **Network Hardening**: Administrator-controlled IP filtering and regional geo-fencing to restrict access.
Digital Certificates: Hardware-Bound Identity
Identity is not just a password. To prevent session hijacking and credential stuffing attacks, RBC Express utilizes **Digital Certificates**. Unlike a simple login, a certificate is a unique cryptographic file installed on an authorized computer. Even if a malicious actor acquires a user's username, password, and token, they cannot gain access to the account without the physical device that holds the valid certificate. This creates an "Air-Gap" between the public internet and your corporate ledger, ensuring that only trusted machines can initiate transactions.
Certificate Lifecycle Management
Corporate administrators can revoke certificates instantly if a laptop is lost or an employee departs. This centralized control ensures that access is always aligned with your current staff roster and security policy.
Strategy: Biometric 2SV via RBC Mobile
For high-value approvals, RBC Express integrates with your secure mobile device. When a Treasurer initiates a $1M wire, they receive a push notification on their phone. Authorization requires a biometric check (FaceID or Fingerprint), ensuring that the approver is physically present and attentive to the transaction.
AI-Driven Behavioral Monitoring (AIBD)
Detecting threat actors by how they move. RBC utilizes advanced **Behavioral Biometrics** to identify potential bot activity or unauthorized users. Our systems analyze the cadence of interaction, including typing speed, mouse movement patterns, and navigation flow. If a session demonstrates "mechanical" behavior (indicative of a bot) or deviates significantly from the user's established historical baseline, the system automatically triggers an additional security challenge or terminates the session to prevent automated fraud.
Real-Time Transaction Scoring
Every outbound payment is scored against thousands of risk variables in milliseconds. We look at the destination account history, the time of day, and the relationship between the sender and receiver. High-risk transactions are routed for manual review by our Global Fraud Team before the funds are released.
| Security Feature | Technical Logic | User Impact |
|---|---|---|
| Digital Certificates | Public Key Infrastructure (PKI) | Device Binding |
| Biometric 2SV | Push / FaceID / TouchID | Instant Approval |
| AIBD Monitoring | Behavioral Analysis | Background Protection |
| IP Filtering | CIDR Block Restriction | Network Control |
Master Administrator Controls & IP Filtering
Securing your digital perimeter. RBC Express gives your company's Master Administrator the tools to build a custom security perimeter. Through **IP Filtering**, you can restrict portal access to your specific corporate IP addresses (CIDR blocks). This ensures that even authorized users cannot log in from home or an insecure public network unless specifically permitted.
Geo-Fencing & Regional Restrictions
If your business only operates in Canada and the U.S., you can "Geo-Fence" your account to block all login attempts from outside North America. This simple configuration effectively neutralizes the risk from international hacking organizations before a single login attempt is made.
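The two perimeter controls above, an administrator-managed CIDR allowlist followed by a country geo-fence, can be expressed as a small policy check. The following is an added example and not RBC's code: the CIDR ranges, the prefix-to-country table (a constructed stand-in for a real GeoIP database) and the sample login attempts are all made up for illustration, and the function names are my own.

```python
"""Added example: IP allowlist plus geo-fence evaluation for a login attempt.

Not RBC's code. The ranges, country table and attempts below are constructed.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed stand-in for a GeoIP database: prefix -> ISO country code.
# A real deployment would query a maintained GeoIP provider instead.
GEO_TABLE = {
    "198.51.100.0/24": "CA",
    "203.0.113.0/24": "US",
    "192.0.2.0/24": "DE",
}


@dataclass(frozen=True)
class Policy:
    """Administrator-configured perimeter. Empty tuple/set disables that layer."""
    allowed_cidrs: tuple = ()              # corporate CIDR blocks
    allowed_countries: frozenset = frozenset()  # geo-fence, e.g. {"CA", "US"}


def lookup_country(addr):
    """Return the ISO country code for an address, or None if unknown."""
    for prefix, country in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return country
    return None


def evaluate_login(ip, policy):
    """Return (allowed, reason) for a login attempt from `ip` under `policy`.

    Layer 1 is the CIDR allowlist, layer 2 the geo-fence. An address whose
    location cannot be determined is denied when a geo-fence is configured
    (fail closed), so a gap in the lookup table never widens the perimeter.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False, "invalid-address"

    if policy.allowed_cidrs and not any(
        addr in ipaddress.ip_network(cidr) for cidr in policy.allowed_cidrs
    ):
        return False, "ip-not-in-allowlist"

    if policy.allowed_countries:
        country = lookup_country(addr)
        if country is None:
            return False, "geo-unknown"
        if country not in policy.allowed_countries:
            return False, f"geo-blocked:{country}"

    return True, "ok"


def summarize_denials(attempts, policy):
    """Count denial reasons over a batch of (user, ip) attempts; useful for review."""
    counts = Counter()
    for _user, ip in attempts:
        allowed, reason = evaluate_login(ip, policy)
        if not allowed:
            counts[reason] += 1
    return dict(counts)


if __name__ == "__main__":
    corporate = Policy(allowed_cidrs=("198.51.100.0/24", "203.0.113.0/25"),
                       allowed_countries=frozenset({"CA", "US"}))
    # Constructed login attempts (user, source address).
    attempts = [
        ("treasurer", "198.51.100.25"),   # office range, Canada -> allowed
        ("analyst", "203.0.113.200"),     # outside the /25 -> denied
        ("analyst", "192.0.2.7"),         # not corporate, also outside region
        ("unknown", "not-an-ip"),
    ]
    for user, ip in attempts:
        print(user, ip, evaluate_login(ip, corporate))
    print(summarize_denials(attempts, corporate))
```

Geo-fencing is only a coarse filter: it does nothing against an attacker already inside the permitted region or coming through a proxy located there, which is why the page pairs it with certificates, biometric approval and behavioral monitoring rather than relying on it alone. Ordering the allowlist check first also keeps the cheap, deterministic decision ahead of the external lookup.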
Common Questions: Login & Cyber Security
You can contact your company's Master Administrator or RBC Technical Support to have the token revoked. A replacement can be issued instantly for digital tokens or couriered for hardware devices.
Yes. RBC Express works alongside all major corporate antivirus and endpoint protection platforms (EPP). We recommend keeping your operating system and browser updated to the latest versions for maximum compatibility with our security modules.
Administrators can invite users to download the RBC Mobile app and link it to their RBC Express profile. Once linked, the user can toggle "Push Approval" within their security settings.
The "Defense-in-Depth" Methodology
Our security methodology is built on a **Zero Trust** architecture. We never assume a login is legitimate based on a password alone. By leveraging benchmarks from the Canadian Centre for Cyber Security, we ensure our defensive layers are calibrated to the latest global threat vectors. We prioritize the "Principle of Least Privilege," providing your staff with the exact access they need to perform their duties and nothing more, reducing your internal attack surface.