Tech Companies Launch New Data Security Standards
On November 16, 2021, eight application programming interface (API) companies and several data and security compliance companies, serving as founding supporters, announced a new open finance data security standards body called the Open Finance Data Security Standard (OFDSS).
According to one of the OFDSS supporters, MX, OFDSS is “a proposed framework of requirements that address[es] security risks commonly encountered by emerging financial technology companies that handle sensitive information.” Although there are existing data security standards that financial institutions can utilize, MX claims that these standards “were not designed specifically for modern, cloud-native delivery models or the resource constraints of early-stage companies.” As such, OFDSS was created to ensure that there are no gaps in security guideline coverage by “maintain[ing] alignment with common and relevant criteria found in other security frameworks such as SSAE18 TSC for Security and NIST CST, while providing clear requirements optimized for cloud-native, technology-focused startups and growth-stage companies.”
OFDSS is designed as a “living document” that will go through many revisions as the needs of the financial industry change, new technologies emerge, and the risks facing institutions shift. As it stands, OFDSS establishes 63 individual security requirements across 12 control domains, including access controls, cryptography, data minimization, auditing and alerting, incident management, independent testing, and vendor management. All of these are intended to address data security risks commonly encountered by “early-stage digital finance companies,” and each comes with “implementation guides” and high-level audit steps so that an organization adopting the standard can demonstrate compliance.
MX notes that “companies with mature and audited information security programs that have the ability to provide reasonable assurance about the effectiveness of those programs, are likely [already] meeting the requirements captured in this standard.”
If compliance has not yet been achieved, MX also notes that “companies who are subject to OFDSS, can work with security compliance companies such as Drata, Laika, Secureframe and Vanta to help evaluate their practices against the criteria, help address challenges, and provide audit services.”
According to OFDSS, the new standard is designed to “instill even greater confidence in data holders, including financial institutions, that the fintech ecosystem has robust protections in place for consumer data, which ultimately protects consumers.”
For questions or concerns about how these new standards will impact your financial institution, contact Kennedy Sutherland.