Bank Builder

Bank Builder is a unique software service enabling Trusts to grow their staff banks by appealing to Messly's community of 20,000 UK Doctors.

A strong staff bank decreases agency spend and reliance. Using bank over agency doctors provides greater oversight, quality and consistency of care.


  • Attract new doctors to the Trust bank based on needs
  • Access Messly's community of 20,000 doctors
  • Identify areas of greatest agency spend and most rota gaps
  • Segment community of doctors by location, speciality and grade
  • Define marketing approach to doctors
  • Marketing to doctors through Messly, email and social media
  • Support with pre-employment checks
  • Support onboarding doctors to the staff bank
  • Dedicated support team available
  • Cloud web and mobile based application


  • Grow your staff bank
  • Increased number of bank doctors available to fill shifts
  • Reduced agency reliance
  • Reduced agency spend
  • Reduced burden on current staff
  • Future-proof workforce and workforce transformation
  • Offer flexible workforce options to doctors
  • Potential to attract new permanent staff
  • Bring innovation to staffing at your trust and region


£500 per transaction

Service documents


G-Cloud 11

Service ID

527913491290336



Abrar Gundroo


Service scope

Software add-on or extension
Yes, but can also be used as a standalone service
What software services is the service an extension to
Messly Locum - manage temporary staffing efficiently, safely and cost-effectively by connecting directly with healthcare-workers through Messly's digital platform.
Cloud deployment model
Public cloud
Service constraints
System requirements
  • Internet connection
  • Minimum browser requirements

User support

Email or online ticketing support
Email or online ticketing
Support response times
Weekdays: Within 2 hours
Weekends: Within 24 hours
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Web chat
Web chat support availability
9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard
None or don’t know
How the web chat support is accessible
WCAG 2.0 A on all checklist items except:

1.4.1 – Use of Colour: Don’t use presentation that relies solely on colour

2.1.1 – Keyboard: Accessible by keyboard only
Web chat accessibility testing
Basic assistive technology check against WCAG 2.0 A checklist.
Onsite support
Onsite support
Support levels
On Launch:

- Account Manager assigned

- Team on site to run 30 min training with each user, with time available for questions

- Team available for follow up support and questions to ensure implementation successful.

Ongoing Support:

- Account Manager as point of contact - Available through phone and email 9:00-17:00 Monday to Friday. Two-hour response time

- Out-of-hours/weekend support is provided via email ticketing and live chat. Twenty-four-hour response time
Support available to third parties

Onboarding and offboarding

Getting started
We do the following to ensure a rapid, low-risk rollout of Bank Builder. We typically complete this within 2 weeks, so Trusts can begin realising benefits swiftly.

1. Identify Scope
We work with the trust to decide upon the scope of the first phase of work. This involves identifying rota gaps and areas of high agency spend. Based on this, we agree the target number and type of doctors to be added to the bank.

2. Preparation
With the team who currently manage doctor on-boarding we work to understand the current process. This includes compiling a full list of what is needed to onboard a doctor to the staff bank, so Messly can work with doctors to ensure this is ready as soon as possible.

3. User Onboarding
Our dedicated account manager will spend time with each user to demonstrate the platform, ensure they are comfortable and answer any questions. This takes approx 30 mins - 1 hour. Our support team is available on an ongoing basis to answer any queries, troubleshoot issues and support adherence to new processes.

Users can then begin utilising the platform to attract and connect to new bank doctors.
Service documentation
Documentation formats
End-of-contract data extraction
We are able to provide full data extraction of trust and department level data on request at no cost. Data is provided in CSV format, with one week's notice required.
End-of-contract process
Termination can be easily requested by contacting the assigned Account Manager. There are no termination costs. No uninstallation is required. The end-user’s account will be blocked with immediate effect.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 8
  • Internet Explorer 9
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
Our platform is built with best practice Responsive Web Design (RWD), enabling access from any internet-connected mobile device. The user interface has been optimised so that the product features are identical on both mobile and desktop.
Service interface
Description of service interface
We operate a RESTful Application Programming Interface that enables Messly products to securely communicate with each other, expose data and programmatically connect with external services to augment functionality. The methods we use are performed over HTTP, including GET, POST, PUT and DELETE.
Accessibility standards
None or don’t know
Description of accessibility
WCAG 2.0 A on all checklist items except:
1.4.1 – Use of Colour: Don’t use presentation that relies solely on colour
2.1.1 – Keyboard: Accessible by keyboard only
Accessibility testing
Basic assistive technology check against WCAG 2.0 A checklist
What users can and can't do using the API
Messly's API is a fully featured RESTful JSON API.

Users can integrate with and use our API by generating an authentication token for their account which is passed along with every request as a header.

With API access set-up, users can then:

- Access and search community of doctors
- Invite doctors to join hospital staff bank
- Set up trust level work eligibility and payroll information.
- Add relevant medical information (grade, specialty, work history, exams etc.)
API documentation
API documentation formats
API sandbox or test environment
Customisation available
Description of customisation
The software has in-built features to enable users to customise their experience, both on setup and through the duration of the contract from within the application.

This includes:

- Targeting of doctors by specialty, grade and location
- Number of doctors


Independence of resources
We have monitoring tools and have implemented some restrictions on our shared environments to ensure that usage does not affect the performance of individual users. In the case that you do experience any type of performance issues with the server, we are able to migrate your users to a new environment.


Service usage metrics
Metrics types
From the Messly Community the following data can be seen:
- No. Drs by location
- No. Drs by specialty
- No. Drs. by grade

From use of Bank Builder:
- No. of Bank Doctors needed to reduce rota gaps
- No. Drs introduced to the trust by grade and speciality
- Total savings from using bank doctors
Reporting types
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Staff screening not performed
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
United Kingdom
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Protecting data at rest
Encryption of all physical media
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Built in export functionality on rota coordinator, clinicians and central dashboard. By clicking a single button users are able to export their specific data in CSV format.
Data export formats
Data import formats

Data-in-transit protection

Data protection between buyer and supplier networks
TLS (version 1.2 or above)
Data protection within supplier network
TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability
99% uptime SLA for end-users. Pro rata refund for failure to meet uptime, e.g. 0.5% additional downtime would incur a refund of 0.5% of contract value.
Approach to resilience
Available on request.
Outage reporting
1. Public banner on website homepage

2. Email and SMS alerting to relevant end-users

3. Uptime Robot (for internal monitoring)

Identity and authentication

User authentication needed
User authentication
  • Username or password
  • Other
Other user authentication
Members of the doctor community must provide a valid GMC number.
Access restrictions in management interfaces and support channels
Restriction in management interfaces and support channels is based on secure individual user logins and passwords. End-users are assigned individual roles within the application, which restrict their access to specific interfaces they are not required to interact with.
Access restriction testing frequency
At least once a year
Management access authentication
Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
At least 12 months
How long system logs are stored for
At least 12 months

Standards and certifications

ISO/IEC 27001 certification
ISO 28000:2007 certification
CSA STAR certification
PCI certification
Other security certifications
Any other security certifications
SSL Certification

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
Other security governance standards
IG Toolkit v14.1
Information security policies and processes
* Data Protection Act compliant

* ICO registered with registered data controller

* Fully Caldicott compliant

* Security roles and responsibilities

* Specifying risk appetite, tolerance, scope and period of risk assessment, and ongoing risk management process

* Security standards

* Disaster recovery policy

* Incident response policy

* Security awareness, training, and education

* Asset access specifying access rights to categories of assets and how these are managed

* Staff training to ensure adherence to policy, policy waivers and exceptions, and consequences of non-compliance

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
We adopt Agile methodology through the Scrum framework:

- Our product owner creates a prioritised wish list (product backlog).
- During sprint planning, the team pulls a small chunk from the top of that wish list, a sprint backlog, and decides how to implement those pieces.
- The team has a certain amount of time — a sprint (usually two to four weeks) — to complete its work, but it meets each day to assess its progress and monitor changes.
- At the end of the sprint, detailed quality assurance is carried out to ensure components are ready to ship.
Vulnerability management type
Vulnerability management approach
Vulnerabilities are assessed at two levels:

1. Server level: These are assessed by our third-party host, which has a dedicated team for assessing potential threats and addressing them. This entails deploying patches, typically within 48 hours.

2. Application Level: Our development team regularly use vulnerability management software (Qualys) to assess for vulnerabilities. These are run against the OWASP Top 10 Risks and common hacker techniques. Patching is typically deployed within 48 hours.
Protective monitoring type
Protective monitoring approach
We use a number of different tools to assess potential compromises:

- Sucuri’s SiteCheck
- Google Webmaster Tools
- Google Safe Browsing diagnostics
- Scanner

If a vulnerability is identified we follow a rigorous 4-stage process within 24 hours to identify and restore the site as quickly as possible:

1. Application taken offline
2. Assess the damage and apply restoration of data if necessary
3. Work on recovery and preventative solutions
4. Application restored online
Incident management type
Supplier-defined controls
Incident management approach
We follow a rigorous 8-stage incident management process:
1. Identifying Incidents: Based on compromise testing.
2. Logging Incidents: Submitted by end-users via online ticketing system and email.
3. Categorising Incidents: Categorisation based on inputted category/subcategory or email topic.
4. Prioritisation of Incidents: Based on impact/urgency/priority metrics.
5. Initial Diagnosis of Incidents: Carried out by a member of the service desk.
6. Escalation of Incidents: Tickets escalated based on level of inactivity to prevent incidents from being missed.
7. Investigation and Diagnosis of Incidents
8. Resolution and Recovery of Incidents: Status of incident updated and fed back to end-user with outcome via bespoke email reporting.

Secure development

Approach to secure software development best practice
Supplier-defined process

Public sector networks

Connection to public sector networks


£500 per transaction
Discount for educational organisations
Free trial available
