ScotiaConnect Security: Multi-Factor Authentication, Encryption & Fraud Protection
Compliance Snapshot
- Authentication: ScotiaConnect Token (mobile app + hardware option), 30-second OTP, transaction-level re-challenge.
- Encryption: TLS 1.3 in transit, AES-256-GCM at rest, HSM-backed key management.
- Assurance: SOC 2 Type II, ISO 27001, OSFI B-13 Technology and Cyber Risk, PIPEDA, FINTRAC AML.
- Controls: Dual-control on payments, IP whitelisting, session timeout, account lockout after 3 failed attempts.
- Fraud: ML-based anomaly detection, positive pay for cheque fraud, secure messaging, anti-phishing programme.
Defence-in-Depth for Canadian Commercial Banking
Commercial payments are a concentrated target. A single ScotiaConnect session can authorise a multi-million-dollar wire, release an EFT batch paying thousands of employees, or change banking instructions on a supplier master file. The security posture of ScotiaConnect is calibrated to that reality: overlapping authentication, encryption, transaction controls and detection layers so that no single compromise — a phished password, a stolen device, a rogue insider — can pass unchallenged to settlement.
This page describes how the controls actually work. It is not a marketing surface; Canadian CFOs, controllers, internal audit teams and information-security officers use it as reference when completing vendor risk assessments, OSFI B-10 third-party due-diligence files and their own cyber insurance attestations.
The ScotiaConnect Token
Every ScotiaConnect User ID is bound to a ScotiaConnect Token. Two form factors are supported: a software token delivered as the ScotiaConnect Token mobile app for iOS and Android, and a hardware token (RSA-style OATH-compliant fob) for clients whose internal policy prohibits authentication apps on mobile devices. The token produces a six-digit one-time password that refreshes every 30 seconds and is cryptographically bound to the enrolled device at issuance.
Sign-in requires three components — Customer Number, User ID and password — plus a current OTP. Beyond the sign-in boundary, ScotiaConnect requires a separate OTP challenge before releasing any payment above a configurable client threshold, changing a user's transaction limits, enrolling a new user, or modifying beneficiary master records. This transaction-level step-up authentication means a stolen session cookie cannot by itself authorise a wire; the attacker would also need the live token sequence at the moment of release.
Encryption in Transit and at Rest
All client-server traffic is protected by TLS 1.3 with forward-secret ciphers. HSTS is enforced with preload at the domain apex. Certificates are issued from a pinned chain and rotated in line with industry best practice. At rest, all client data — transaction records, reporting files, audit logs — is encrypted with AES-256-GCM. Key material is stored in FIPS 140-2 Level 3 hardware security modules operated within Scotiabank's Canadian data centres. Backups are encrypted separately with distinct keys under split-knowledge custody.
Assurance, Attestation and Regulation
ScotiaConnect is covered by an annual SOC 2 Type II attestation covering the Security, Availability and Confidentiality trust services criteria. The underlying Scotiabank information security management system is certified to ISO 27001. As a federally regulated Schedule I Canadian bank, Scotiabank operates under OSFI Guideline B-13 — Technology and Cyber Risk Management and the Cyber Security Self-Assessment framework, which define expectations for governance, third-party risk, incident management, resilience testing and regulatory reporting.
Privacy is governed under the Personal Information Protection and Electronic Documents Act (PIPEDA) and implemented through the Scotiabank Privacy Code. Anti-money-laundering and sanctions obligations flow from FINTRAC under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act. Deposit insurance is provided by CDIC. Payment-system participation is governed by Payments Canada Rules covering Lynx and the AFT.
Dual-Control Approvals and IP Whitelisting
Every commercial payment initiated in ScotiaConnect can be placed under dual control. The Super User configures the threshold per account, per payment type and per currency — a typical Canadian mid-market configuration requires a second approver on any wire above CAD $25,000 and any EFT batch above CAD $100,000. Initiator and approver must be distinct User IDs; ScotiaConnect enforces segregation so that one person cannot both create and release the same transaction.
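The dual-control logic described above, as an added illustration that is not ScotiaConnect's own code: thresholds are keyed per payment type and currency (constructed values matching the mid-market figures in the text), and the release decision enforces that the initiator and approver are distinct User IDs.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, Optional, Tuple

# Constructed dual-control thresholds, keyed by (payment_type, currency),
# as a Super User might configure them. Per the page's wording, a second
# approver is required for amounts strictly above the threshold.
THRESHOLDS: Dict[Tuple[str, str], Decimal] = {
    ("WIRE", "CAD"): Decimal("25000"),
    ("EFT", "CAD"): Decimal("100000"),
}


@dataclass(frozen=True)
class Payment:
    payment_type: str
    currency: str
    amount: str                    # decimal string, e.g. "25000.00"
    initiator: str                 # User ID that created the payment
    approver: Optional[str] = None  # User ID that approved it, if any


def needs_second_approver(p: Payment) -> bool:
    """True when the payment exceeds its configured dual-control threshold."""
    threshold = THRESHOLDS.get((p.payment_type, p.currency))
    if threshold is None:
        # No threshold configured for this type/currency: fail closed.
        return True
    return Decimal(p.amount) > threshold


def release_decision(p: Payment) -> Tuple[bool, str]:
    """Decide whether a payment may be released, enforcing segregation of duties."""
    if not needs_second_approver(p):
        return True, "released: within single-approver limit"
    if p.approver is None:
        return False, "held: second approver required"
    if p.approver == p.initiator:
        # Same User ID cannot both create and release the transaction.
        return False, "rejected: initiator cannot approve own payment"
    return True, "released: dual control satisfied"
```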
For additional control, client administrators can restrict ScotiaConnect sign-in to a whitelist of corporate IP ranges. Sign-in attempts from outside the allow-list are blocked at the edge before credentials are evaluated. Session inactivity timeout is configurable (15 minutes default). Account lockout triggers after three consecutive failed sign-in attempts and requires Super User unlock or Service Centre verification.
Fraud Detection and Positive Pay
ScotiaConnect runs a machine-learning anomaly-detection layer across wire and EFT flows. Models score transactions in real time against the client's historic pattern: beneficiary familiarity, payment time-of-day, amount, originating user, currency and geography. High-risk transactions are held in an exception queue and require additional verification before release. This layer complements, rather than replaces, client-side controls — it is not a substitute for internal segregation of duties.
For clients issuing business cheques, positive pay integration lets the controller upload the daily issuance file; ScotiaConnect then matches each inbound cheque against the file and escalates any unmatched item for pay/return decision before debit. This single control typically eliminates the bulk of cheque fraud loss for Canadian mid-market businesses.
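A worked version of the positive-pay match described above, added here as an example rather than taken from ScotiaConnect (the issuance-file layout and the presented cheques are constructed): each inbound cheque is compared against the uploaded issuance file by cheque number, amount and payee, and anything that does not match, including a second presentment of an already-paid cheque, is escalated for a pay/return decision.

```python
import csv
from decimal import Decimal
from io import StringIO
from typing import Dict, List, Tuple

# Constructed daily issuance file as a controller might upload it
# (cheque number, amount, payee). Not a real ScotiaConnect file format.
ISSUANCE_FILE = """cheque_no,amount,payee
100231,1250.00,Northern Supply Ltd
100232,8400.50,Acme Staffing Inc
100233,312.75,City of Halifax
"""

# Constructed inbound cheques presented for payment on the same day.
PRESENTED = [
    {"cheque_no": "100231", "amount": "1250.00", "payee": "Northern Supply Ltd"},
    {"cheque_no": "100232", "amount": "8900.50", "payee": "Acme Staffing Inc"},   # altered amount
    {"cheque_no": "100233", "amount": "312.75", "payee": "J. Doe"},               # altered payee
    {"cheque_no": "100299", "amount": "5000.00", "payee": "Anyone"},              # never issued
    {"cheque_no": "100231", "amount": "1250.00", "payee": "Northern Supply Ltd"}, # duplicate
]


def load_issuance(text: str) -> Dict[str, dict]:
    """Index the issuance file by cheque number."""
    return {row["cheque_no"]: row for row in csv.DictReader(StringIO(text))}


def positive_pay(issued: Dict[str, dict], presented: List[dict]) -> List[Tuple[str, str]]:
    """Return (cheque_no, decision): 'pay' or an exception reason to escalate."""
    decisions: List[Tuple[str, str]] = []
    paid = set()  # cheque numbers already paid in this run
    for item in presented:
        no = item["cheque_no"]
        rec = issued.get(no)
        if rec is None:
            decisions.append((no, "exception: not on issuance file"))
        elif no in paid:
            decisions.append((no, "exception: duplicate presentment"))
        elif Decimal(item["amount"]) != Decimal(rec["amount"]):
            decisions.append((no, "exception: amount mismatch"))
        elif item["payee"].strip().casefold() != rec["payee"].strip().casefold():
            decisions.append((no, "exception: payee mismatch"))
        else:
            paid.add(no)
            decisions.append((no, "pay"))
    return decisions
```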
Secure Messaging and Anti-Phishing
Sensitive client-to-bank communication never uses public email. The ScotiaConnect message centre, accessible only inside an authenticated session, supports signed documents, encrypted attachments and full audit retention. ScotiaConnect will never ask for your password, Customer Number or OTP by email, phone or text — any such request is phishing. Suspicious emails should be forwarded to phishing@scotiaconnect.at with headers intact.
Security Layers at a Glance
| Security Layer | Technology | Standard / Reference |
|---|---|---|
| Authentication | ScotiaConnect Token MFA (soft + hard) | NIST SP 800-63B AAL2 |
| Transport Encryption | TLS 1.3 with forward secrecy, HSTS preload | IETF RFC 8446 |
| Data-at-Rest Encryption | AES-256-GCM, FIPS 140-2 L3 HSM | FIPS 197 / FIPS 140-2 |
| Assurance | Independent attestation | SOC 2 Type II, ISO/IEC 27001 |
| Regulatory Oversight | OSFI cyber supervision | OSFI Guideline B-13 |
| Privacy | Scotiabank Privacy Code | PIPEDA (Canada) |
| AML / Sanctions | Transaction monitoring, sanctions screening | FINTRAC / OSFI Guideline B-8 |
| Fraud Controls | ML anomaly detection, positive pay, dual-control | Payments Canada Rule H6 / H1 |
Session Hygiene and Device Trust
Sessions are bound to a device fingerprint and protected by rotating tokens. Concurrent-session limits are configurable per User ID. A Super User can force-terminate any active session from User Management. Out-of-band sign-in alerts are sent to the client-designated security contact whenever a new device first authenticates. Biometric unlock on the ScotiaConnect Mobile app (Face ID, Touch ID, Android BiometricPrompt) is optional and is paired with — not a replacement for — the Token OTP.
Incident Response and Reporting
Scotiabank operates a 24/7 Security Operations Centre and a Computer Security Incident Response Team. Confirmed material incidents are reported to OSFI within the required 24-hour window under the Technology and Cyber Security Incident Reporting advisory. Personal-information breaches are assessed under PIPEDA's Real Risk of Significant Harm test and, where applicable, reported to the Office of the Privacy Commissioner and notified to affected individuals.
Client Responsibilities
Security is a shared model. Clients are responsible for the secrecy of Customer Numbers, User IDs, passwords and tokens; for maintaining accurate Super User designations; for promptly removing access when staff depart; for ensuring endpoints used to access ScotiaConnect are patched, anti-malware protected and free of unauthorised remote-access tools; and for reporting suspected fraud or account compromise to the Service Centre at 1-800-267-7220 without delay. ScotiaConnect publishes a Security Best Practices guide inside the authenticated Help Centre.