An FBAR (FinCEN Form 114) is a report of foreign bank and financial accounts that must be filed annually by US persons who have over $10,000 in foreign financial accounts at any time during the calendar year.

Who needs to file an FBAR?

US citizens, residents, and entities who have a financial interest in or signature authority over foreign financial accounts with an aggregate value exceeding $10,000 at any time during the calendar year must file an FBAR.

What are the penalties for not filing an FBAR?

Non-willful FBAR violations can result in penalties of up to $16,117 per account. Willful violations can result in penalties up to $161,072 or 50% of the account balance at the time of the violation.

Security & Compliance

How we protect your data and maintain compliance with financial regulations.

✅

SOC 2 Type I Readiness

All five Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) implemented as technical controls.

🔒

Encryption at Rest

●All PII (SSNs, account numbers, EINs) encrypted with AES-256-GCM before database storage
●Unique 12-byte IV and 16-byte authentication tag per encrypted field
●Encryption keys never stored in code or version control — injected via environment variables
●Database connections encrypted with TLS (mysql2 ssl mode)

🌐

Encryption in Transit

●HTTPS enforced on all endpoints (HSTS with 2-year max-age, includeSubDomains, preload)
●Content-Security-Policy blocks mixed content and unauthorized script sources
●API communications with Moov FinCEN and Pabbly use TLS 1.2+

🛡️

Access Control

●JWT-based session management with 24-hour expiry
●Role-based access control (individual, preparer, admin) enforced at middleware level
●Login rate limiting: 10 attempts per minute, lockout after 5 consecutive failures (15 min)
●Password requirements: 8+ characters, uppercase, lowercase, number
●bcrypt with 12 rounds for password hashing

📋

Audit Logging

●Every data mutation (create, update, delete) recorded with user ID, action, entity, IP address, and timestamp
●Request tracing with unique X-Request-ID on every HTTP request
●Structured JSON logging with correlation IDs for incident investigation
●Audit logs retained for compliance review

✍️

E-Signature Integrity

●Electronic signatures captured with SHA-256 hash, real client IP, and UTC timestamp
●Form 114a authorization acknowledged under penalties of perjury before submission
●E-signature audit trail included in every Audit Defense Folder
●Signatures retained for 5 years per 31 CFR 1010.350

💼

Data Protection

●Privacy-first architecture: bank statements never stored on server
●PII encrypted at application layer before database write — database-level encryption is defense in depth
●XSS and SQL injection payload scanning on every incoming request
●GDPR compliance with cookie consent, data processing agreements, and right to deletion

🚨

Incident Response

●Automated security incident detection (login lockouts, XSS/SQLi attempts, rate limit breaches)
●Severity classification (low, medium, high, critical) with configurable notification thresholds
●Webhook-based alerting for high-severity incidents
●Sentry integration for real-time error tracking and performance monitoring

⚙️

Infrastructure

●Docker containerized services with isolated networks
●MinIO object storage with encryption for document artifacts
●Moov FinCEN sandbox for FBAR XML validation before production transmission
●Environment-based configuration — no secrets in code

Questions?

For security inquiries, penetration test reports, or to request our Data Processing Agreement, contact security@auditable.tax