Plaid leads effort to raise the bar on fintechs’ data security

The data aggregator Plaid is leading the charge for a new data security standard for fintechs.

The San Francisco company, which delivers bank account data to 4,500 fintech clients, has recruited other companies to this effort, including the data aggregators Flinks and MX; the employment verification provider Truework; and the security compliance companies Drata, Laika, Secureframe and Vanta.

A new data security standard would encourage fintechs that handle consumer data to pay more attention to the way they protect that data.

The new Open Finance Data Security Standard was posted online Tuesday and is open for outside comment ahead of implementation next year. It is meant to hold fintechs that handle consumer data to a higher standard of data protection, the way the PCI Security Standards Council’s Data Security Standard guides those in the payment card industry to protect card data.

“If you look across established industries like the payment cards industry, they have a really clear set of rules, which has been codified in the PCI DSS, a data security standard that says, if you're going to hold sensitive customer information, this is what you have to do, these are the types of systems and controls that you have to have in place,” said Dan Kahn, open finance lead at Plaid, who has been leading the initiative.

“The principles that exist in the payments industry haven't yet been codified in the open finance space,” Kahn said.

Members of Plaid’s risk team spoke with their industry colleagues and realized security wasn’t something they wanted to compete on, but that this was an opportunity to collaborate with companies that have traditionally been competitors, he said.

Fintech startups typically begin with small teams and limited resources. They tend to focus on developing products and getting them to market, not on security.

“We know that they're not going to be hiring a chief information security officer on day one,” Kahn said. “But that doesn't mean we can't start to give them an indication of where they should be going with data security.”

The security requirements in the standard cover data encryption, access controls and other basics.

“These are fairly commonsensical standards,” Kahn said. “We're not setting out to reinvent the wheel.” Many of the requirements exist in other security frameworks and therefore are already being followed in most larger companies.

The group behind OFDSS plans to begin implementing the standard in the second half of 2022.

MORE FROM AMERICAN BANKER