Open Banking or FedNow: Where to Start?
September 14, 2023 | 2 min read
Banks have traditionally used vaults to uphold the highest level of security standards because they deal with one of the world’s most valuable assets — people’s money. Now, with data becoming the new currency, security measures are changing fast to keep pace. Over the last few years, data security has become increasingly important as data sharing and open banking become the new norm. Naturally, as access to data opens up, the potential threats also increase.
Unfortunately, many financial institutions and fintechs are reactive to attacks, with most of their monitoring designed around things that have already happened, leaving miscreants plenty of time to plan a new scheme. Additionally, as external protections increase, it becomes comparatively easier to attack an organization from the inside, adding internal threats to worry about. Financial systems are so vast that they require extensive monitoring and testing. This is compounded by older legacy systems that are difficult to update and hard to maintain, leaving them full of holes and gaps. Lastly, there are huge regulatory shifts in the financial industry. As regulation evolves to meet consumer protection needs, what many financial institutions and fintechs have built today not only misses the consumer’s needs, but may not be secure enough.
To help banks and credit unions navigate security concerns and reduce data breach threats, MX has been offering industry-leading security practices to 2,000+ financial institutions for 10 years. Now, fintechs are facing similar security concerns, requiring the same high level of security that financial institutions have had to adhere to for decades.
When it comes down to it, with new entrants, advancements in technology, an influx of regulations, and increasing customer demands, the financial industry is evolving fast, leaving many fintechs and financial institutions wondering how they can safeguard against common risks. Here are 5 of the most common security risks financial institutions and fintechs face, and how we help alleviate these threats.
1. Rapid detection of security anomalies
A good security program is one that understands its risks and associated threats. This is evidenced by thoughtful monitoring and response planning. Controls should continually be monitored for their effectiveness and layered in such a way that one failure can’t cascade through the organization. Monitoring should include not only control status, but active security events. These events should be reviewed and related back to the organization so that as the threat landscape evolves changes can be made to controls.
At MX, we build systems that can accommodate change rapidly, which is essential when architecting for rapid response to security incidents. To do this, we invest the time and resources necessary to gain clear situational awareness in all aspects of our organization. Coupling this with tools that enable flexible data acquisition and analysis is the difference between being in command of a security incident and being the victim of one.
2. Secure data handling
Ensuring that the partners you work with have accurate and secure ways of encrypting and storing your data is critical to minimizing the potential for data breaches and external threats. Data security encompasses two fundamental areas, ensuring that data retains its integrity and is only accessible to those that are authorized to access it. Proper understanding of the access requirements and the requisite sensitivity of the data involves taking the time to develop data classifications and corresponding security controls.
At MX, we take this seriously. To develop these controls, we understand that data security involves two contexts: data-at-rest and data-in-transit. While the need for confidentiality and integrity remains in each context, achieving it requires context-specific strategies. Data-at-rest security often involves field-level or full-disk encryption, while data-in-transit security relies on encrypted protocols for data transmission. Encryption of data alone is not enough; proper implementation and key management practices are pivotal in ensuring data is properly secured. It is for this reason that well-respected encryption libraries and protocols should be used for each context.
3. Third-party risk management & authorized access
The vetting process can be critical to the security of an institution’s data. Even if a solution or new type of technology is innovative and exciting, it’s important to know that your potential partners have their own high standards for data security. One way to ensure safety is by working with providers who bake security into their software development. You’ll want to look for partners who adhere to bank-level security.
One way we do this at MX is by never selling your data. Consumer concern about privacy in the digital world continues to grow. Consumers not only want to know what data points you are collecting, they also want to know what you intend to use it for and for how long it will be used. The data we receive is never provided to any third parties. Put simply, we never send customer financial data to aggregators; we only pull it in situations where we are providing certain solutions like Account Aggregation. That’s why our clients and partners never have to worry about their confidential information being shared with anyone or compromised — ever. Another way is by investing in behavior-based protection in key areas: credential stuffing, account takeover, and email compromise.
4. Purposeful development
The excitement that comes from innovating and trailblazing can often lead to hasty, unplanned choices. At MX, we believe in purposeful development — developing systems that have a specific focus and function. Leveraging discrete units of software with a specific function, inputs, and outputs facilitates proper architecture, development, integration and testing. Building software in this manner requires planning and discipline, and it reduces your attack surface. This practice enables us to make changes quicker and with more confidence that our platform will remain stable. In the event that security issues are detected, we can quickly isolate them to the affected service and then rapidly deploy changes that remediate the situation.
The keystone of purposeful development is establishing a software development lifecycle (SDLC). DevOps style development allows for small incremental changes that can be quickly reviewed by security teams so that security issues are addressed in their infancy and can be easily remediated. Follow advice from OWASP, NIST and SANS to develop an appropriate SDLC for your organization.
5. Proper compliance
Compliance is perhaps one of the most important parts of data security. New regulations and standards, coupled with the increasing speed of innovation, make it hard to always stay compliant. Understandably, many organizations get caught up in the regulatory burden that comes with maintaining, storing, and manipulating financial data. Caution must be exercised to ensure that decisions both move the organization forward and keep it compliant.
At MX, we hold our security and compliance to the highest standards. Our in-house framework matches the framework used by the FFIEC for Bank Security Compliance. We’re also compliant with NYDFS, GDPR, CCPA, NIST Cybersecurity Framework standards, and a series of other compliance standards.
We also base our security program on the same security frameworks that fintechs and financial institutions are audited against. MX uses the NIST Cybersecurity Framework to organize its security program. This is the same framework used by the FDIC and FFIEC when assessing bank security. Because of this, MX’s security program aligns very closely with what financial institutions are doing themselves, which streamlines third-party risk assessments and provides confidence to our customers that we will continue to improve our program in the same manner that regulators will request that they do.
We publish a SOC2 type II report to existing and prospective clients. The report covers security, availability, confidentiality, and privacy.
We are audited annually for compliance with the PCI-DSS
We routinely work with clients to supply evidence of controls upon request
Third party risk management
Rigorous practices for initial and ongoing due diligence of our third parties
CIS based control assessment
SOC2 type II reports (security, availability, confidentiality, privacy, and processing integrity)
PCI attestations of compliance
OAuth credential verification
With OAuth credential verification, financial institutions’ customers don’t have to give MX their credentials. In this way, the financial institution remains in control of their customers’ login flow and experience from beginning to end. Also, customers are able to log into their financial institution’s website and see where they’ve used their credentials to sign in and delete websites that they no longer want to share their login information with.
Furthermore, because OAuth verification is one of the cleanest ways to prove where information is coming from, by requiring an established relationship with that provider, it helps financial institutions comply with Bulletin 2020-10. For the many banks that don't support OAuth yet, MX has a comprehensive fraud detection program to detect potential abuse of their customers' accounts.
What’s more, we implement identity-centric security measures that track not just your employees but also your customers, your technology assets, your services, and your connections.
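The contrast described above, as an added example that is not MX code: a toy model of a financial institution's authorization server issuing scoped OAuth grants to an aggregator, so the aggregator never holds the customer's password, the customer can list which clients hold grants, and a single client's access can be revoked without touching any other grant. All class and function names (FIAuthServer, Aggregator, fetch_balance) are hypothetical.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Grant:
    """One consent the customer gave to one client, limited to named scopes."""
    client_id: str
    scopes: frozenset
    active: bool = True

class FIAuthServer:
    """Hypothetical financial-institution authorization server (toy model)."""
    def __init__(self):
        self.grants = {}  # access token -> Grant

    def authorize(self, client_id, scopes):
        # The customer authenticates at the FI, not at the client. The FI only
        # returns an opaque, scoped token; the password never leaves the FI.
        token = secrets.token_urlsafe(24)
        self.grants[token] = Grant(client_id, frozenset(scopes))
        return token

    def introspect(self, token, scope):
        # A token is honoured only if it is still active and carries the scope.
        g = self.grants.get(token)
        return g is not None and g.active and scope in g.scopes

    def list_grants(self):
        # What the customer sees on the FI website: who holds access, for what.
        return sorted((g.client_id, sorted(g.scopes)) for g in self.grants.values() if g.active)

    def revoke(self, client_id):
        # Per-client revocation; other clients' grants are untouched.
        hits = [g for g in self.grants.values() if g.client_id == client_id and g.active]
        for g in hits:
            g.active = False
        return len(hits)

def fetch_balance(server, token):
    """What an aggregator's resource call looks like: token in, scope checked."""
    if not server.introspect(token, "accounts:read"):
        raise PermissionError("token rejected")
    return "balance data"

def run_scenario():
    fi = FIAuthServer()
    agg = fi.authorize("aggregator-app", ["accounts:read"])   # constructed client
    budget = fi.authorize("budget-app", ["accounts:read"])    # constructed client
    before = fetch_balance(fi, agg)
    revoked = fi.revoke("aggregator-app")
    try:
        fetch_balance(fi, agg); after = "allowed"
    except PermissionError:
        after = "rejected"
    return {"before": before, "revoked": revoked, "after": after,
            "other_still_works": fetch_balance(fi, budget), "grants": fi.list_grants()}
```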
Bank-level security and beyond
Now MX is making bank-level security available to fintechs through ultra-scalable, dev-friendly access to our suite of connectivity, data, and experience products.
Stay tuned for upcoming releases that make us even easier to code up to in your early days, and that scale with you well past your millionth user.