How often should user access be reviewed?

Organisations should review BE Custody user access regularly to make sure roles and permissions remain appropriate.

Access reviews help ensure that users only have the permissions they need, that former users are removed, and that operational responsibilities remain aligned with the organisation’s governance model.

Why are access reviews important?

Access reviews support internal control, audit readiness, and operational risk management.

They can help organisations identify:

  • Users who no longer require access
  • Users with permissions that no longer match their responsibilities
  • Admins, Signers, or other role holders who need to be updated
  • Former employees or external users who should be removed
  • Excessive permissions or unnecessary role combinations
  • Approval workflows that no longer reflect the organisation’s operating model

When should access be reviewed?

Access should be reviewed on a regular schedule defined by the organisation.

Organisations may also want to review access after specific events, such as:

  • A user joins the organisation
  • A user leaves the organisation
  • A user changes role or team
  • A user no longer requires custody access
  • A new wallet, asset, or operational process is introduced
  • Governance rules or approval workflows are changed
  • An internal audit or control review is performed
  • A suspected security or operational incident occurs

What should be reviewed?

During an access review, organisations should check:

  • Which users have BE Custody access
  • Which roles are assigned to each user
  • Whether each user still requires access
  • Whether permissions match current responsibilities
  • Whether Admin and Signer roles are still appropriate
  • Whether technical or procedural roles remain correctly assigned
  • Whether approval workflows and quorum requirements remain suitable
  • Whether any inactive or former users need to be removed

Who should perform the review?

Access reviews should be performed by authorised users within the organisation, such as administrators, governance owners, compliance teams, security teams, or other responsible control functions.

The exact ownership depends on the organisation’s internal governance model.

What should happen after a review?

After an access review, organisations should take appropriate action where needed.

This may include:

  • Removing users who no longer require access
  • Updating roles or permissions
  • Changing approvers
  • Reviewing quorum or approval settings
  • Updating internal records
  • Retaining evidence of the review for audit or control purposes

Any changes should follow the organisation’s internal approval process and the relevant BE Custody workflow.

What should I do if access looks incorrect?

If you identify incorrect, outdated, or excessive access, follow your organisation’s internal escalation process.

If support is needed to review or update access in BE Custody, contact Bitpanda Enterprise Custody Support through the approved support channel.

Do not include passwords, PINs, private keys, seed phrases, API keys, API secrets, or other sensitive authentication information in a support request.
