Information Security protects the confidentiality, integrity and availability of information through the application of physical, administrative and technical controls to manage and mitigate risks to acceptable levels.
There are many sources of advice about information security and how to implement effective controls that are proportionate to the size and scale of your business and the products or services you provide.
To protect the confidentiality, integrity and availability of information and data in the Open Banking Ecosystem, all Participants should ensure that security is given sufficient profile and influence in their organisation and operations to meet their obligations under both PSD2 and data protection laws.
Implementation of Information Security controls must be in line with the Open Banking Read/Write API specifications, particularly the Open Banking Security Profile. These specifications detail the underlying information exchanges between Participants and how those exchanges are secured; they do not describe how each Participant should run its own organisation securely. This document should be read in conjunction with the other Open Banking ‘How To’ guides and the Open Banking Security Profile.
Develop, maintain and implement an Information Security Policy, ensuring adequate resources, processes, technology, people and budget are allocated.
Regulatory Consequences: Poor information security could lead to revocation of your regulatory permissions, as well as enforcement action and/or fines arising from data protection breaches.
Revenue Consequences: Poor information security will compromise trust in your business, create reputational risk and could lead to adverse publicity and reduction in customer take-up of your products and services.
Identify Your Greatest Threats: People are your greatest asset, but also your greatest threat. Ensure strong controls around vetting, training and clear accountability.
Guidance from the ICO on dealing with a data breach can be found here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/
Regulatory Consequences: A data breach must be reported to the Information Commissioner's Office (ICO). For certain types of personal data breach, this must be done within 72 hours of becoming aware of it (where feasible).
Data Breach Policy
Amongst other policies and procedures and in accordance with data protection laws, TPPs should create a data breach policy statement and operate to the following recommended set of policies:
Data Incident Management Procedure
TPPs should develop an Incident Management Procedure that includes Data Incidents. This should be adhered to in all such cases, ensuring that a Data Incident is promptly identified and adequately reviewed, assessed, escalated when appropriate, remediated and recovered.
The key stages in a Data Incident Management Procedure, which may run concurrently, are:
The Data Incident Management Procedure must apply to and should be followed by all workers, in any capacity, including employees, contractors, directors, external consultants, third party representatives and business partners.
Identify and subscribe to appropriate threat intelligence sources, then monitor their output to inform the actions you need to take. Many free Open Source Intelligence (OSINT) sources and tools are available. Additionally, all Participants are encouraged to make use of the intelligence reports shared by Open Banking.
Practical Guide to IT Security from ICO can be found here: https://ico.org.uk/media/for-organisations/documents/1575/it_security_practical_guide.pdf
Identify Your Greatest Threats: Consider your risks from exposed network connections (particularly from home and mobile workers).