Today, we’re announcing that we’ve renewed our certifications for SOC 2 Type 2 and PCI DSS Level 1, and that we’ve achieved certification for SOC 1 Type 1. These certifications position us to help a wide variety of lenders, including those at enterprise scale and with strict InfoSec requirements.
To achieve these certifications we worked with independent third-party auditors Laika and FoxPointe, who provided an important third-party validation of our internal and external processes and high level of operational excellence. The certifications complement our Compliance Guard™ offering, which gives lenders an unprecedented advantage in staying compliant with lending regulations.
To learn more, read the full press release.
An excerpt from the press release
OAKLAND, Calif.--(BUSINESS WIRE)--Peach Finance, a cloud-native lending technology platform that helps lenders quickly launch and confidently scale new lending products, today announced that it has renewed its certifications for SOC 2 Type 2 and PCI DSS Level 1, and achieved certification for SOC 1 Type 1.
The certifications position Peach to serve the needs of a wide range of lenders, including those at enterprise scale and with strict InfoSec requirements. The certifications are also a significant third-party validation of Peach’s internal and external processes and high level of operational excellence. Peach worked with independent third-party auditors Laika and FoxPointe, well-known firms that provide end-to-end compliance and audit management for modern companies like Peach. In addition to its certifications in SOC 2 Type 2, SOC 1 Type 1 and PCI DSS Level 1, Peach is also positioned to support lenders subject to HIPAA.
Peach’s InfoSec certifications complement its compliance-first approach, which sets it apart in the lending technology space. Peach practices defense-in-depth security architecture and employs best-in-class practices and tools to maintain security on all levels. And Peach’s Compliance Guard™ gives lenders an unprecedented advantage in staying compliant with lending regulations. Compliance Guard conducts borrower status monitoring for bankruptcy, deceased, active military and FEMA disasters. It also scans outbound communications for compliance with federal and state regulations, and features a configurable rules engine that enables lenders to customize their policies.
Peach’s other information security practices include the following.
Authentication, authorization and accounting
Peach maintains role-based access control (RBAC) across all its systems. Access to all critical services requires SSO / multi-factor authentication. Accounting is carried out by logging of session statistics and usage information.
Penetration tests and vulnerability scans
Peach engages with trusted third parties for penetration testing and vulnerability scans and performs internal vulnerability scans continuously to identify, prioritize and remediate potential system vulnerabilities.
Security training and background checks
All Peach employees are required to complete mandatory security training, and all new employees complete this training as part of onboarding. Peach conducts background checks on all applicants selected for full-time employment.
Data encryption
Through Google Cloud, Peach encrypts data at rest and in transit using AES and a Transport Layer Security protocol. Peach also uses logging and monitoring to detect and alert staff to potential security issues, and deploys firewalls and…(continue to Business Wire)
lender’s priority list. But that doesn’t mean compliance is straightforward, even for lenders with the most earnest intentions. Often, legacy infrastructure is the culprit, making it difficult for lenders to take the actions clearly outlined in the law. Even regulations that haven’t changed for some time—like the—still present significant challenges for many lenders.
The SCRA grants active-duty service members the ability to request certain protections during the period of their deployment, enabling them to devote their energy to serving the country. These protections include a reduction in interest rate to a maximum of six percent on any pre-service loans. While the SCRA in its current version has been law since 2003, the number of recent enforcement actions indicates just how difficult it is for many lenders to comply with the SCRA’s interest rate protections.
Blunt tools in the absence of a scalpel
For example, in October of 2022 the Department of Justice (DOJ) announced that the financial leasing arm of GM agreed to pay over $3.5 million to resolve allegations in relation to
Peach’s approach to SCRA
At Peach, we brought real-life lending experience to the design of our platform. So from day one, we recognized the importance of being able to make retroactive changes to loans. (There are numerous applications beyond SCRA, including our Supported Portfolio Migration.) In the case of SCRA, Peach has long enabled lenders to retroactively change interest rates and waive past fees—as separate, manual actions.
This was functional, but the ideal way to implement SCRA is to make these changes simultaneously. We now support this capability by leveraging the power of Peach's Loan Replay™ engine, which can make changes to the ledger at any time, and then recalculate a loan’s history in light of those changes. The new combined functionality is as user-friendly for your agents as processing a payment.
Specifically, the new SCRA feature allows your agents to perform the following adjustments simultaneously on a loan of an active-duty service member:
- Lower interest rates to 6% (and lower the recurring payment during the active-duty period to account for the interest rate reduction)
- Waive fees, if necessary
- Enact these changes retroactively, if necessary, and replay the loan history with the rate and fee adjustments
- Preview the intended changes
Our SCRA functionality is available via API as well as through our white-label agent tool. The white-label agent interface can be seen here:
For those working directly with the API, this can be as simple as sending the following request body to the SCRA endpoint:
You’ll receive a response with either the actual post-SCRA adjusted payment plan or a preview of it. Below is a comparison of a payment plan prior to the SCRA adjustment, and the expected payments after the SCRA adjustment. The SCRA period is in effect for the first two months, and thus you will see the interest rates lowered to 6% in the response body (and the recurring amount due lowered by the amount of the interest rate reduction for the two relevant months). The origination fee has also been canceled.

The breadth of loan data needing to be adjusted means that rewriting loan histories requires the right design and abstractions, and having a built-in layer of abstraction to handle retroactive changes is the only feasible approach. Because of our team’s combined experience in the real world of lending, we know that the need to edit past loan events is inevitable. So we’ve designed a system that makes these changes as painless and automated as possible.



