Security working group meeting 2 – July 28, 2022

This discussion guide is provided to assist security working group members in preparing for the second meeting, which builds on the main risks discussed at the first meeting.

For questions or comments, please contact obbo@fin.gc.ca.

On this page:

• Discussion guide
• Outcomes

Discussion guide

Data security

The Advisory Committee on Open Banking noted that data security, which includes authentication, authorization, confidentiality, availability, integrity and non-repudiation, should be a key element of an open banking system.

Leveraging industry expertise and existing frameworks/certifications can help set up a minimum set of effective rules that protects the confidentiality, integrity and availability of information and data in the open banking ecosystem.

For example, under the Australian Consumer Data Right (CDR) regime, certain entities applying for accreditation must satisfy information security obligations. To this end, applicants may provide evidence of compliance with frameworks such as ISO 27001. The United Kingdom’s Open Banking Implementation Entity takes a similar approach. 

Outcomes

Data security

• There was general consensus among participants that existing frameworks/certification regimes could serve as the baseline for data security risks.
• A majority of participants agreed that the National Institute of Standards and Technology (NIST) framework offered a good balance between flexibility and prescriptive requirements, and can be complemented to include additional controls.
• SOC 2 certification was viewed as too elementary whereas ISO27001 was considered too stringent.
• Participants were also of the view that NIST framework addresses both information security and cyber risks.
• Some participants noted that mandating NIST certification may make it too cumbersome for smaller fintechs and could impact the level of innovation.

• Participants discussed that the inherent flexibility built into the NIST framework is sufficient to address proportionality needs. This can be done by relying on different NIST tiers.
• Some participants noted that how an organization is using the data and the type of data, may be more significant than the size of the organization when considering data security risks.

• There was general consensus that certification creates a defined roadmap and consistency for accreditation applicants.
• Participants also discussed the need for a framework to be scalable, facilitate ongoing oversight and evolve with the system.

• Participants noted potential challenges related to time and resource requirements for implementation, the impact of framework modifications and additional controls, and the supply of expertise in the market.
• Participants discussed early and clear communication as a potential solution to allow the market to adjust.

Security working group attendees