The rise of cloud-first adoption, coupled with the acceleration of digital finance companies, means that more consumer data is out there than ever before. To protect this information, the fintech ecosystem is rallying around a new data security standard – Open Finance Data Security Standard (OFDSS) – for emerging digital finance companies.
Today, Drata, along with a consortium of financial technology and security compliance companies, announced the Open Finance Data Security Standard (OFDSS), a proposed framework of requirements that address security risks commonly encountered by emerging financial technology companies that handle sensitive information. OFDSS will help instill even greater confidence in data holders, including financial institutions, that the fintech ecosystem has robust protections in place for consumer data, which ultimately protects consumers.
Founding supporters of OFDSS include the fintech companies Flinks, MX, Plaid, and Truework, as well as security compliance companies, including Drata.
What is OFDSS?
OFDSS aims to raise the bar for data security among fintech startups while also fostering innovation. It is designed to be a living document that will evolve over time to meet the needs of the industry, incorporate new technology, and mitigate emerging risks. Currently, it establishes 63 individual security requirements across 12 control domains that address common data security risks encountered by early-stage digital finance companies. The requirements are contextualized with implementation guides, along with high-level audit steps for verifying compliance.
OFDSS was created to fill the gap in security guidance for early-stage digital finance companies: it provides strong, auditable data security guidelines that stay aligned with common and relevant criteria found in other security frameworks such as SOC 2 and NIST CSF, while offering clear requirements optimized for cloud-native, technology-focused startups and growth-stage companies.
How Drata is Supporting OFDSS
Drata is revolutionizing the way companies earn and maintain the trust of their customers by proving the operating effectiveness of their security controls. Through advanced automation, Drata provides a single picture of a company’s security and compliance posture, saving customers hundreds of hours per year that would otherwise be spent manually tracking assets and collecting control evidence for SOC 2 and ISO 27001 audits – and soon HIPAA and PCI DSS.
Drata’s automation platform continuously monitors and collects evidence of controls directly linked to framework requirements, allowing customers to prove they meet the criteria. As with many other frameworks (such as SOC 2 and ISO 27001), specific OFDSS controls will overlap with controls in those frameworks, allowing companies to save time meeting the new framework’s requirements.
Seeking Industry Participation and Feedback
OFDSS is an industry initiative, and the consortium is seeking additional industry feedback and participation, with plans to begin implementing the standard in the second half of 2022. To learn more and potentially get involved, please visit OFDSS.org.