Data security and privacy


We understand the importance of data. With over $100B in loan application and origination data collected over 23 years, external data vendors, and data from all major credit bureaus, our team of 175+ data scientists reviews and evaluates our models to drive performance and minimize risk. Given the scope of data we collect and analyze, BHG has robust privacy and security standards to protect our customer information. Our dedicated team of security and privacy professionals develops, tests, and evaluates internal controls and routinely engages with third-party auditors to review our program. BHG has achieved its SOC 2 Type 2, which demonstrates our commitment to security, availability, and confidentiality controls within our environment.

Examples of other security protocols include: 

  • Partnership with an external security vendor to conduct quarterly vulnerability testing, with summaries available on request
  • Vulnerability and penetration testing 
  • All customer data is transmitted via encrypted communication 
  • Formal enterprise risk management policy and program that manages enterprise-wide risk most critical to BHG’s success
  • Governance, risk, and compliance program that measures, monitors, and reports material risks 
  • Multi-factor authentication is required for employees and partner banks every 90 days, when a user logs in from a new computer, or when a cache has been cleared
  • All customer data is encrypted. TLS 1.2 or above is required for all data in transit. AES 128, AES 192, or AES 256 is required for data at rest. 
  • Password complexity is required for all employee and customer logins 


Protecting our bank partners 

BHG is continually analyzing data to effectively manage credit risk and to enhance our lending criteria to provide strong loan performance for our partners. And so, we understand the need for rigorous data security and privacy safeguards and have developed comprehensive internal policies, procedures, and controls to manage that risk.

In addition to data security and privacy safeguards, BHG also has a strong set of controls to detect and manage fraud, identity theft, and synthetic identity theft. These tools and controls include an ID Theft Red Flags Policy, ID theft risk assessments, a procedure on how to respond to and report suspicious activity, third-party risk management, internal training, and robust reporting.

Additionally, BHG has an ID Red Flag Policy that enumerates the requirement for and execution of: 

  • Undertaking an identity theft risk assessment process that includes identifying and assessing Red Flags for identity theft 
  • Detecting Red Flags and responding appropriately to prevent and mitigate identity theft 
  • Managing identity theft in service provider relationships 
  • Training requirements 
  • Periodic reporting and updating of this program to reflect changes in risks