Your guide to BILL’s bank-level protection: Keeping payments and data secure

Your clients trust you to protect their sensitive financial data. Earning and maintaining that trust requires solutions built on rigorous safeguards.

BILL has been a trusted leader in financial operations technology since 2006. As a publicly traded company, BILL provides the transparency and accountability accounting firms and their clients expect. Transactions are protected by bank-level security measures, regulatory compliance, strong encryption, and more.

Today, 8 million network members pay or get paid using BILL¹, with payment methods that include ACH, corporate cards, international payments, virtual cards, paper checks, and more.

Here are ways BILL protects transactions for you and your clients.²

Each year, BILL moves $300B in total payment volume (~1% of US GDP).¹

BILL Accounts Payable and Accounts Receivable protections

‍No third-party issuers: Unlike other AP platforms that use third-party services to issue payments, BILL AP/AR keeps payment processing in-house. This masks your clients’ banking information while giving more control over payments and better visibility into their status.
Customizable approval workflows: BILL's approval customizations help you reduce potential fraud by allowing you to control which bills need approval, by whom, and when, based on business need.
Separation of duties: BILL automation enforces the separation of duties with role-based access that lets you control who can enter, approve, and pay bills.
Audit trails: BILL automatically keeps a record of all AP activity with a timestamped, unalterable audit trail, including original bills, review notes, approvals, payments, and remittance details for each transaction.
Clearing accounts: BILL sends checks through a clearing account, so your clients’ account remains hidden.
Positive Pay: Issued checks are matched to those presented for payment, reducing fraud. While other financial providers often charge for this service, BILL does not.‍
Eliminate blank check stock: With BILL handling check payments, you can remove the risks associated with keeping blank check stock on your premises.

BILL’s AI-enabled fraud solutions protect the most important asset SMBs have–their cash. In FY25, our predictive AI solutions helped us stop over 8 million fraudulent attempts.¹

BILL Spend & Expense controls

Control spend: With BILL Spend & Expense, employees receive budgets on their BILL Divvy cards.³ If the employee tries to purchase something not approved by the budget, or to use a card without funds assigned to it, the card will not work. Your client can even use merchant category codes to limit the kind of purchases employees make or designate other user rules for the cards.
Virtual cards: BILL Spend & Expense provides as many virtual cards as needed for your clients. Each of your clients’ vendors can receive a unique virtual card number, hiding your clients’ credit card information and reducing the chance of fraud.
Authorization limits: Account administrators can freeze or limit cards in real time.
Fraud protection: The BILL Divvy Card delivers industry-leading protection against fraud like BIN attacks with advanced, AI-driven automation. BILL’s risk platform monitors transactions in real time, instantly identifying and blocking suspicious activity while allowing legitimate purchases. If a card is targeted, our systems move quickly to stop fraud and alert affected customers.
Account protections: BILL Spend & Expense accounts are protected by robust multi-factor and adaptive authentication (including voice, SMS, and Google Authenticator), secure login credentials, and strict standard operating procedures for password and authentication resets to defend against unauthorized access and fraud.
Biometric logins: The BILL Spend & Expense mobile app uses the latest security features, including Android fingerprint scanning and Apple Touch or Face ID.
‍Secure data centers: The BILL production environment is located in Amazon Web Services (AWS) across three physically separate availability zones in the US-West-2 region, protecting services from loss of connectivity, power issues, or other location-specific outages. Full data backups are being saved continuously to the US-East-2 environment.

BILL Spend & Expense world-class spend management software is free, with no hidden fees or contracts.

Compliance protections

SOC 1 and SOC 2 Type II: BILL meets SOC 1 and SOC 2 Type II standards, established by the American Institute of Certified Public Accountants (AICPA).
PCI Level-1 Certification: BILL undergoes an annual audit by an independent Qualified Security Assessor (QSA). PCI Level-1 compliance is the highest level of certification under the Payment Card Industry Data Security Standard (PCI DSS), ensuring sensitive card data is safe and only accessible to authorized users.
Health Insurance Portability and Accountability Act of 1996 (HIPAA): For healthcare organizations that need to maintain compliance with HIPAA, BILL Accounts Payable and Accounts Receivable provides safeguards for electronic protected health information (ePHI).
‍Anti-Money Laundering (AML)/OFAC program: BILL maintains AML and OFAC controls to help prevent use of the platform for money laundering, terrorist financing, sanctions violations, or other illegal activity.

Application security

Multi-factor authentication (MFA): BILL requires a second form of verification for account access.
Strong password enforcement: BILL software mandates robust password complexity
Auto-logout: Users are signed out after periods of inactivity.
‍Real-time monitoring: Suspicious sign-ins or payment activity are flagged instantly.

Physical and infrastructure protections

‍

Secured data centers: All servers are hosted in secure, certified data centers with redundancy across multiple locations.
Staff training: Staff undergo background checks and ongoing security awareness training.
Vendor management: Formal management protocols between BILL and its vendors ensure third-party risk is actively managed.

Network security and data protections

Intrusion detection and prevention systems are in place, supported by ongoing network monitoring.
All communication is encrypted with Transport Layer Security (TLS).
Frequent vulnerability assessments and replication ensure protection in the event of a disaster.
Sensitive information is encrypted both at rest and during transit.
Industry-standard ciphers (TLS) are used to protect data over the internet.
Replication between primary and backup facilities ensures continuity even if an outage occurs.
Extra layers of encryption safeguard against malicious applications.
TLS and industry-standard ciphers protect data in transit.
Data replication between primary and backup facilities ensure business continuity.

Building security into client relationships

Security isn’t just a checklist—it’s built into every transaction, workflow, and client engagement. BILL gives accounting firms an auditable and scalable foundation for protecting sensitive data and payments. This way, you can confidently advise clients, streamline operations, and rest easy knowing BILL has you covered—24/7.‍‍

You can learn more about BILL security or download this security spec list.

See BILL security in action. Request a demo or reach out to your account manager.

‍

¹^{BILL Holdings, Inc. (BILL) Q4 FY2025 earnings call}^‍

^{2 The security measures described in this document represent a selection of the protective controls implemented by BILL. This overview is not comprehensive and may not include all features, safeguards, or procedures currently in use. BILL continuously reviews, updates, and strengthens its security programs, and additional measures beyond those described may be in place.}

^{3 The BILL Divvy Card may be issued by one of Divvy Pay, LLC’s}^{bank partners}^{. The BILL Divvy Card is not a deposit product. For your specific lender, see your Card Agreement.}