November 16, 2021
Plaid Among Founding Supporters of Open Finance Data Security Standard (OFDSS)
Shano Fonseka - Head of Risk
Fintech infrastructure and security compliance companies collaborate on data security requirements optimized for early and growth-stage digital finance companies
OFDSS supporters include Flinks, MX, Plaid, and Truework, and security compliance companies Drata, Laika, Secureframe, and Vanta.
Protection of consumer information is paramount to any company operating in financial services, and to the financial ecosystem as a whole. Today, Plaid, along with a consortium of financial technology and security compliance companies, announced the Open Finance Data Security Standard (OFDSS), a proposed framework of requirements that address security risks commonly encountered by emerging financial technology companies that handle consumer financial information. OFDSS will help instill even greater confidence in data holders, including financial institutions, that the fintech ecosystem has robust protections in place for consumer data, which ultimately protects consumers.
Founding supporters of OFDSS include fintech companies Flinks, MX, Plaid, and Truework, and security compliance companies Drata, Laika, Secureframe, and Vanta.
Raising the bar for data security among emerging companies and fostering innovation
Digital finance innovation has thrived due to the availability of cloud infrastructure and enabling technologies, like the Plaid API, that have lowered barriers to entry for delivering digital financial services at scale. As a result, thousands of new apps and services have emerged over the last decade, representing a significant change in how financial services are delivered and in the profile of the companies that provide them.
However, existing data security standards were not designed specifically for modern, cloud-native delivery models or the resource constraints of early-stage companies. OFDSS was created to address this gap and create strong, auditable data security guidelines that maintain alignment with common and relevant criteria found in other security frameworks such as SSAE18 TSC for Security and NIST CSF, while providing clear requirements optimized for cloud-native, technology-focused startups and growth-stage companies.
The industry is rallying around OFDSS because it will help raise the bar for data security in the fintech ecosystem at a time when the pace of innovation is accelerating. It provides a strong framework that helps fintechs improve security while enabling innovation, gives banks a level of confidence about the companies connecting to their APIs, and, most importantly, helps protect consumers.
What does OFDSS cover?
The OFDSS is designed to be a living document that will evolve over time to meet the needs of the industry, incorporate new technology, and mitigate emerging risks. Currently, it establishes 63 individual security requirements across 12 control domains that address common data security risks encountered by early-stage digital finance companies. The requirements are contextualized with implementation guides, along with high-level audit steps for ensuring compliance.
The requirements are not intended to exhaustively address all data security risks that may be material to any particular organization. However, they address security risks that are commonly encountered by emerging financial technology companies when processing or storing sensitive information. Companies with mature and audited information security programs that have the ability to provide reasonable assurance about the effectiveness of those programs are likely already meeting the requirements captured in this standard.
Companies that are subject to OFDSS can work with security compliance companies such as Drata, Laika, Secureframe and Vanta to help evaluate their practices against the criteria, help address challenges, and conduct audit services.
Seeking industry participation and feedback
OFDSS is an industry initiative and the consortium is seeking additional industry feedback and participation with plans to begin implementing the standard in the second half of 2022. To learn more and potentially get involved, please visit OFDSS.org.