Security working group meeting 2 – July 28, 2022
This discussion guide is provided to assist security working group members in preparing for the second meeting, which builds on the main risks discussed at the first meeting.
For questions or comments, please contact obbo@fin.gc.ca.
Discussion guide
Data security
The Advisory Committee on Open Banking noted that data security, which includes authentication, authorization, confidentiality, availability, integrity and non-repudiation, should be a key element of an open banking system.
Leveraging industry expertise and existing frameworks/certifications can help establish a minimum set of effective rules that protect the confidentiality, integrity and availability of information and data in the open banking ecosystem.
For example, under the Australian Consumer Data Right (CDR) regime, certain entities applying for accreditation must satisfy information security obligations. To this end, applicants may provide evidence of compliance with frameworks such as ISO 27001. The United Kingdom’s Open Banking Implementation Entity takes a similar approach.
Discussion
- Are there existing frameworks/certification regimes that could provide the baseline requirements to address data security risks?
- Are these frameworks/certifications suitable for organizations of varying sizes, complexity, and risk levels?
- What benefits do frameworks/certifications offer to potential accreditation applicants?
- What challenges can be foreseen in implementing frameworks/certification regimes and how can they be addressed?
Outcomes
Data security
Discussion 1
Are there existing frameworks/certification regimes that could provide the baseline requirements to address data security risks?
- There was general consensus among participants that existing frameworks/certification regimes could serve as the baseline for data security risks.
- A majority of participants agreed that the National Institute of Standards and Technology (NIST) Cybersecurity Framework offered a good balance between flexibility and prescriptive requirements, and could be supplemented with additional controls where needed.
- SOC 2 certification was viewed as too elementary, whereas ISO 27001 was considered too stringent.
- Participants were also of the view that the NIST framework addresses both information security and cyber risks.
- Some participants noted that mandating NIST certification may be too cumbersome for smaller fintechs and could affect the level of innovation.
Discussion 2
Are these frameworks/certifications suitable for organizations of varying sizes, complexity, and risk levels?
- Participants discussed that the inherent flexibility built into the NIST framework is sufficient to address proportionality needs. This can be done by relying on the framework's different implementation tiers.
- Some participants noted that how an organization uses the data, and the type of data involved, may be more significant than the size of the organization when considering data security risks.
Discussion 3
What benefits do frameworks/certifications offer to potential accreditation applicants?
- There was general consensus that certification creates a defined roadmap and consistency for accreditation applicants.
- Participants also discussed the need for a framework to be scalable, facilitate ongoing oversight and evolve with the system.
Discussion 4
What challenges can be foreseen in implementing frameworks/certification regimes and how can they be addressed?
- Participants noted potential challenges related to the time and resources required for implementation, the impact of framework modifications and additional controls, and the supply of expertise in the market.
- Participants discussed early and clear communication as a potential solution, allowing the market time to adjust.
Security working group attendees
Members
- Affinity Credit Union
- Alterna Savings and Credit Union Limited
- ATB Financial
- Canadian Imperial Bank of Commerce
- Clearco
- Equitable Bank
- Flinks
- nanopay
- PayBright
- Questrade
- Royal Bank of Canada
- TD Canada Trust
External guests
- Credit Union Deposit Guarantee Corporation of Alberta
- Financial Consumer Agency of Canada
- Office of the Superintendent of Financial Institutions
Chair
- Abraham Tachjian, Open banking lead
Secretariat
- Department of Finance Canada