Fintech Legal Report - November 2021 #2

Perkins Coie

Weekly Fintech Focus

  • Data aggregators launch the Open Finance Data Security Standard for emerging cloud-native, digital finance companies.
  • The banking regulators issue a final rule related to bank and bank service provider reporting of computer-security incidents.

Data Aggregators Launch Open Finance Data Security Standard

A group of data aggregator fintechs and security and compliance companies recently released a new data security standard for the open finance industry – the Open Finance Data Security Standard (OFDSS). The OFDSS is a common framework for consumer data security, privacy, and control to support new and emerging cloud-native, digital finance companies. The guidelines contained in the OFDSS are intended to create strong and auditable data security standards that will align with current security frameworks (like SSAE 18 TSC for Security and NIST CSF) and will provide clear requirements for fintechs that handle consumer data. The current draft OFDSS includes 63 individual security requirements across 12 control domains with implementation guides and guidance on audit processes. Feedback is being sought about the draft OFDSS with an intended implementation date in the second half of 2022.

Banking Regulators Issue Final Rule on Computer-Security Incident Notifications

On November 18, 2021, the Office of the Comptroller of the Currency (OCC), Federal Reserve, and Federal Deposit Insurance Corporation (FDIC) issued a final rule to require covered banking organizations to provide the banks’ primary federal regulator with prompt notification of any “computer-security incident” that rises to the level of a “notification incident” as soon as possible and no later than 36 hours after the bank determines that a notification incident has occurred. The final rule also requires a bank service provider to notify an affected banking organization customer as soon as the bank service provider determines that it has experienced a computer-security incident that causes, or is reasonably likely to cause, a material service disruption or degradation for four or more hours. The final rule expands security incident notification obligations beyond those currently required by the Gramm-Leach-Bliley Act (GLBA), which only requires notification as soon as possible of incidents involving unauthorized access to, or use of, sensitive customer information, and does not cover incidents that disrupt operations but do not compromise sensitive customer information.

The final rule includes changes from the proposed rule, including changes to key definitions and notification provisions applicable to both banking organizations and bank service providers. In the final rule, the definition of “computer-security incident” focuses on the actual, rather than potential, harm caused by the incident and removes obligations related to violations of a bank’s internal policies or procedures. The definition of “notification incident” is more tailored than in the proposed rule, and requires that the incident be reasonably likely to XXXXXXX. Additionally, the notification standard is tied to a good-faith belief that the incident occurred rather than a determination standard. The bank service provider notification provision has been clarified to define “covered services” more clearly and requires that the notice be provided to a bank-designated point of contact. Finally, financial market utilities (FMUs) are excluded from the definitions of banking organization and bank service provider, as FMUs are subject to separate obligations in this space (e.g., Regulation HH).

As a result, the definitions in the final rule are as follows:

  • “Computer-security incident” is defined as an occurrence that results in actual harm to the confidentiality, integrity, or availability of an information system or the information that the system processes, stores, or transmits.
  • “Notification incident” is defined as a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, a banking organization’s— (i) ability to carry out banking operations, activities, or processes, or deliver banking products and services to a material portion of its customer base, in the ordinary course of business; (ii) business line(s), including associated operations, services, functions, and support, that upon failure would result in a material loss of revenue, profit, or franchise value; or (iii) operations, including associated services, functions and support, as applicable, the failure or discontinuance of which would pose a threat to the financial stability of the United States.
  • “Bank service provider” is a bank service company or other person that performs covered services; provided, however, that no designated financial market utility shall be considered a bank service provider. Importantly, “covered services” are those services that are subject to the Bank Service Company Act (12 U.S.C. §§ 1861-1867).

The effective date of the final rule is April 1, 2022, and the compliance date is May 1, 2022. We previously covered the proposed rule here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Perkins Coie | Attorney Advertising
