Our promise to you
We’re committed to doing the right thing for your money by keeping it secure and delivering services that are in the best interest of you and your wealth.
Licensed by the Securities Commission Malaysia
We have a Capital Market Services License (eCMSL/A0352/2018) for Fund Management under the Digital Investment Management framework. With it, we can advise and manage funds for both retail and sophisticated investors. We comply with the same capital, compliance, auditing, and reporting requirements that most financial institutions in Malaysia comply with.
As of April 2021, we've raised $61.4 million USD to fund our operations. This money pays our salaries, rent, and bills.
The funds we use for our operations are in a completely separate bank account from your money.
Your money belongs to you, not us. In the unlikely event of bankruptcy, any money held in a trust or custodian account can’t be touched.
Your deposits first go to a Citibank trust account.
Then, your purchased securities go to a custodian account through Saxo Capital Markets.
Your funds are held by HSBC Bank Malaysia Berhad.
You and your money are in safe hands
We’ll always send you email notifications every time you make a transfer or withdrawal.
For your security, any suspicious transfers will be automatically flagged for investigation.
To keep your account secure, we require you to set up two-factor authentication (2-FA) when you sign up.
You’ll also need to enter a One-Time Password (OTP) whenever you log in from a new device or update your account.
Secure server infrastructure
Your data is protected by a secure server infrastructure that we built and actively manage.
- Regular whitebox and blackbox testing ensures that cyber attacks wouldn’t compromise our multi-layered defense mechanism
- Hosted on Amazon Web Services and monitored 24/7
- Intrusion detection systems and security measures to safeguard your data
Frequently Asked Questions
Who has access to my information?
We do not outsource customer service to third-party providers. All our staff are trained in-house so that we have tighter controls over the onboarding process, and our Client Experience team does not forward customer documents to any other department in the company.
Access to our corporate network is only for authorized personnel and specific devices. We practice the Principle of Least Privilege, where we assign staff only enough access to perform their jobs. Hence, only a very limited number of staff have access to customer information.
We have to be compliant with the Personal Data Protection Act and MAS Technology Risk Management (TRM) Guidelines to attain and maintain our Capital Markets Services License.
What happens to my money if StashAway gets acquired, goes public, or closes?
Your money is kept entirely unmingled with StashAway's finances. To ensure that we never touch your money, we use custodian banks that hold your money, whether it's in cash or in securities. StashAway has made it a top priority to work with global, reputable banks for these purposes. Our custodian bank for receiving your deposits is Citibank Berhad, while Saxo Capital Markets Pte Ltd is our custodian for your investible cash and securities. In these custodian institutions, your assets are always in a segregated account, one that is separate from StashAway's operations and assets. This means that you will always have full access and claim to your assets no matter what happens to StashAway.
How do I report security vulnerabilities?
At StashAway, we take security seriously and strive to ensure that, while we focus on customer experience, usability and product reliability, our services are secure as well. However, nothing is perfect and we encourage the reporting of suspected vulnerabilities or weaknesses in our IT services and systems through our Vulnerability Disclosure Programme (VDP). You can find more information on how to report here.
Please also note that the VDP does not authorise or permit the taking of any action which may contravene applicable laws and regulations (e.g. Computer Misuse Act). For the avoidance of doubt, attempts to exploit or test suspected vulnerabilities (e.g. gaining unauthorised access to any computer program or data) are prohibited.