If you receive an approval request that you do not recognise, do not approve it.
Approval requests should only be approved when they are expected, authorised, and consistent with your organisation’s internal process. An unexpected request may indicate an operational error, an incorrect instruction, or potentially unauthorised activity.
What counts as an unexpected approval request?
An approval request may be unexpected if:
- You were not expecting to review or approve it
- The requester is unfamiliar
- The wallet, asset, network, amount, or destination address looks wrong
- The request does not match an internal instruction, ticket, or approval record
- The request appears urgent without clear justification
- You are asked to approve outside the normal process
- The request appears inconsistent with normal business activity
- The request relates to a governance or configuration change you do not recognise
What should I check?
Before taking any action, review:
- The type of approval request
- The requester or source of the instruction
- The wallet, asset, network, amount, and destination address, where applicable
- The policy, role, address, limit, or governance change, where applicable
- Any internal approval, ticket, or supporting record
- Whether the request matches your organisation’s expected process
Do not approve the request unless you are satisfied that it is legitimate and correct.
What should I do next?
If the request is unexpected, you should:
- Leave the request unapproved
- Follow your organisation’s internal escalation process
- Contact an appropriate administrator, security contact, or control function
- Ask for the request to be verified through an approved internal channel
- Keep a record of the issue if required by your organisation’s process
Do not use informal or unverified channels as the only basis for approval.
What if I suspect unauthorised activity?
If you suspect unauthorised activity, treat the request as a security concern.
You should:
- Not approve the request
- Avoid approving any related requests
- Escalate immediately through your organisation’s security process
- Contact Bitpanda Enterprise Custody Support through the approved support channel if support is required
Include relevant request, wallet, asset, network, address, user, and timing details where available.
Do not include passwords, PINs, private keys, seed phrases, API keys, API secrets, or other sensitive authentication information in a support request.
Can another approver approve it instead?
Another approver should not approve the request simply to complete quorum.
Each approver is expected to perform their own review. If a request is unclear, unexpected, or inconsistent, it should be escalated before any further approval is given.