Financial-technology startup Plaid, alongside a coalition of fintechs and security compliance companies, announced Tuesday a proposed framework for fintechs to better protect consumer financial information from rising security risks.
The framework, dubbed the Open Finance Data Security Standard (OFDSS), is a working document that establishes 63 individual security requirements across 12 control domains, addressing the security risks the consortium considers early-stage digital finance companies most likely to encounter.
In a release shared with FinLedger, Shano Fonseka, Plaid's Head of Risk, said the OFDSS is designed to be a "living document" that will evolve over time to meet the needs of the industry, incorporate new technology and mitigate emerging risks.
In an interview with FinLedger, Daniel Kahn, Head of Global Open Finance at Plaid, said the company began examining the risk associated with some of the fastest-growing fintechs in the ecosystem in late 2019. The OFDSS grew out of that research and out of the founding companies' desire for a compliance strategy covering their downstream apps and services.
Historically, security audits looked more like a check-the-box activity, Kahn explained, designed for a world where companies kept all of their data on-premises in physical locations.
“This new standard is designed much more for innovative financial services companies that utilize primarily cloud data,” Kahn said.
The applicable requirements will vary by fintech, but the control domains include resource allocation, asset management and controls, cryptography, auditing and alerting, incident management, network security, awareness and training, vendor management and independent testing.
While none of the founding companies is a regulator, Kahn said the coalition has been sharing the OFDSS specification with regulators in briefings. The Consumer Financial Protection Bureau (CFPB), the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) are all in the process of rewriting third-party risk management guidelines and have asked for reference standards.
According to Plaid, the standard is more of a suggested framework the industry can rally behind, though Kahn said there are ways to give it enforceable weight.
“When we think about what do we need to do to make this actually enforceable it comes down to making sure that we proportion the risk appropriately on both the low end and the high end,” Kahn said. “Part of the work we’re going to do the rest of this year is make sure the spec aligns with things that are already out there in the industry on the higher level so that they can demonstrate compliance.”
While many of these fintechs operate globally, the framework will focus mainly on the US and Canada, neither of which has a fully defined and implemented open banking regulatory regime. The coalition hopes the OFDSS will be referenced in the rules currently being written under Dodd-Frank Act section 1033, which covers consumer access to financial records.
“OFDSS is a major step forward for open finance in the US, establishing the framework for protecting data amongst an increasingly larger ecosystem,” said Stephen Greer, Senior Analyst at Celent. “Rigorous and innovation-aware security requirements placed on all parties will ensure safe and responsible innovation, benefiting fintechs, banks, and the customers they serve.”
In October, Plaid announced it was offering its software in a way that enables users to make digital payments funded directly from their bank accounts, a nod to the firm grasp open banking and data aggregation have on the payments ecosystem. A report by Allied Markets projects the open banking market will reach $43 billion in size by 2026, six times its 2018 value.
In August, however, Plaid settled a $58 million class action lawsuit over claims that the fintech firm passed personal banking data to third-party firms without user consent. A Plaid spokesperson said the claims did not reflect its practices, reiterating that it does not and never has sold user data.