If you are unsure whether a request is legitimate, do not approve it, submit it, or act on it until it has been verified through your organisation’s approved process.
In BE Custody, requests may relate to transactions, approval workflows, governance changes, address changes, API activity, user access, or support actions. Any request that is unexpected, unclear, or inconsistent with normal process should be treated with caution.
What types of requests should be verified?
You should verify any request that relates to sensitive custody activity, including:
- Transaction creation or approval
- Withdrawal address use or address book changes
- Governance or policy changes
- User access or role changes
- Quorum or approval workflow changes
- API key or webhook changes
- Device, login, or authentication changes
- Requests for reports, audit history, or account information
- Requests to bypass normal approval or escalation processes
Do not proceed simply because the request appears urgent or comes from a familiar name.
What warning signs should I look for?
A request may require further verification if:
- It was not expected
- The requester is using an unusual channel
- The request appears urgent without clear justification
- The wallet, asset, network, amount, or destination address looks unfamiliar
- The request does not match an internal instruction, ticket, or approval record
- You are asked to bypass quorum, approval, or governance controls
- You are asked to keep the request confidential from normal approvers or administrators
- You are asked to share passwords, PINs, private keys, seed phrases, API keys, API secrets, or access tokens
- The request is inconsistent with normal business activity
How should I verify a request?
Use your organisation’s approved verification process.
This may include:
- Checking the relevant internal ticket, instruction, or approval record
- Confirming the request with an authorised contact through an approved channel
- Reviewing the transaction, address, wallet, asset, network, and amount
- Checking whether the request aligns with normal operating procedures
- Escalating to an administrator, security contact, compliance team, or control function
- Contacting Bitpanda Enterprise Custody Support through the approved support channel if support is required
Do not rely only on informal messages, screenshots, or unverified communication channels.
What should I avoid?
Do not:
- Approve a request you do not recognise
- Submit a transaction because another user says it is urgent
- Use an address that has not been verified
- Change roles, permissions, quorum, or governance settings without proper approval
- Share sensitive authentication information
- Use personal messaging channels as the only basis for approval
- Continue with a request if the details do not match the approved instruction
What if the request came from a senior person?
Requests from senior users should still follow the organisation’s approved process.
Seniority does not remove the need for verification, quorum, segregation of duties, or internal governance controls. If a request appears unusual or asks you to bypass normal procedures, stop and escalate before taking action.
What should I do if I still cannot verify it?
If you cannot verify the request, do not proceed.
Follow your organisation’s escalation process and contact an appropriate administrator, security contact, or control function. If Bitpanda Enterprise Custody Support is needed, raise a request through the approved support channel.
Do not include passwords, PINs, private keys, seed phrases, API keys, API secrets, access tokens, or other sensitive authentication information in a support request.