Fintech infrastructure and security compliance companies collaborate on data security requirements for early and growth-stage digital finance companies. OFDSS supporters include: Plaid, MX, Flinks, Drata, Secureframe, Laika, Vanta, and Truework
The protection of consumer information is paramount to any company operating in financial services. This protection, achieved through compliance, security, and transparency, creates trust between data providers, consumers, and technology providers that expands the safe deployment and adoption of new technologies. This expansion gives consumers increased access to new financial products and opportunities.
Over the years, data security and trust have been established through landmark programs and accreditations such as SOC2, NIST CST, and ISO27k. While these programs provide strong shared standards, the cost of implementing a security program that can meet these standards can be exceedingly high.
The barriers to entry created by traditional data security compliance requirements typically result in the following outcomes for emerging technology companies:
While privacy and security have been a focal point for Truework since our inception, we know not every startup - even if they are security-focused - has the resources to invest in a security program designed to achieve traditional compliance. This challenge hurts consumers in two ways:
Today, Truework, along with a group of financial technology and security compliance vendors, announced the Open Finance Data Security Standard (OFDSS). The OFDSS is a framework of security controls tightly designed to address risks encountered by companies that handle sensitive consumer data in financial transactions, such as SSN, income and employment data.
When applied to employment and income verifications, the OFDSS provides much needed data security architecture that goes beyond the baseline consumer privacy provisions of the Fair Credit Reporting Act (FCRA). These up-leveled standards will build a secure bridge between traditional verification processes and the on-demand and instant world of open finance.
The OFDSS was informed by existing security programs such as SOC2, NIST CST and ISO27k. The founding supporters of the OFDSS developed a set of targeted yet impactful data security standards *distilled from those three programs.
This standard will be more attainable for security-minded organizations with fewer resources, yet remain objectively secure when measured against legacy programs. The OFDSS provides clear requirements making it easier for emerging technology companies to deliver safer and more secure products, resulting in better data security practices, throughout financial services.
"The OFDSS is a huge step forward in building a safer environment for financial data sharing. Consumers are increasingly using their employment and income data to obtain a variety of financial products, like loans or lines of credit. Building upon existing regulatory frameworks, these standards provide a foundation of security and trust within an industry charged with the protection of consumer data.
“For Truework, this will bring greater transparency to how payroll data is handled, fostering the trust necessary to expand payroll data access and integrate it more broadly into open finance applications. We look forward to joining others - including lenders, data providers, and fellow consumer reporting agencies - in supporting the OFDSS to facilitate compliant access with upleveled consumer protections." - Ryan Sandler, CEO
The OFDSS establishes 63 individual security requirements across 12 control domains, including Asset Management, Data Minimization and Access Control, that address common data security risks encountered by early-stage digital finance companies. The requirements will be contextualized with implementation guides over the next few months, along with high-level audit steps for ensuring compliance.
These standards are not intended to exhaustively address all data security risks that may affect any particular organization. Instead, these controls address security risks that are commonly encountered by early-stage companies when processing or storing sensitive information like payroll data.
Companies with mature and audited information security programs based on legacy frameworks need not go through an OFDSS certification exercise. The OFDSS is intended to complement, not replace, these existing security programs.
Companies that elect to incorporate OFDSS into their business can work with independent security compliance companies to evaluate their practices against the criteria, address challenges, and provide audit services.
The OFDSS is an industry-wide initiative. Current participants are seeking feedback and additional participation from parties across financial services - both private and public, with plans to begin implementation in the second half of 2022.
To learn more and get involved, please visit OFDSS.org.