Data security risks surrounding Australia’s open banking regime are “significantly higher” than the federal government believes, according to the big four banks.
In a new submission to the government’s draft Privacy Impact Assessment, the Australian Banking Association (ABA) said that the pilot program for the scheme, which will kick off in July, will need to focus on privacy and security.
“Privacy and protection of data should be an important priority which is why the industry is seeking further testing during the pilot program to ensure we get this right. We support the PIA’s recommendations on measures to reduce risks to customer’s data and the pilot program will help inform further initiatives which will boost security,” ABA CEO Anna Bligh said.
The government’s PIA for the Consumer Data Right (CDR), the legislation underpinning the open banking regime, was released late last year and outlines the “range of privacy risks” associated with the upcoming open banking regime.
“There are a number of potential privacy risks associated with the system. These risks may have consequences for the rights and wellbeing of individuals and businesses. These risks are broadly categorised into identification risks; transfer risks; collection; use or disclosure authorisation risks; authorisation risks; holding risks; and data quality risks,” it said.
“Some of these risks could lead to substantial financial, personal and emotional loss. However, the government has developed privacy protections to mitigate these privacy risks. The CDR simultaneously offers individuals corresponding benefits to privacy, competition, convenience and choice.”
But the ABA has said that the government is underestimating many of these security risks.
The scheme will provide ripe ground for hackers to conduct phishing attacks to access banking details and the ABA said the government isn’t taking this seriously enough.
“The ABA view is that this fails to consider the intentions of fraudulent and criminal actors and cyber criminals who seek to operate using illegal means, and who may be difficult to enforce Australian laws against when located overseas or otherwise difficult to identify given the environment in which they operate, being primarily over the internet,” the submission said.
“Banks expend significant resources to protect their customers’ data and have learnt that cyber criminals have proven themselves to be highly capable in creating new opportunities for phishing attacks and are quick to take advantage of new industry developments.”
The big banks also looked to draw the focus of these security risks onto the fintech companies that will be looking to access consumer data, saying the likelihood of unauthorised access to consumer data by a third party is “significantly higher” than the “unlikely” listed in the government’s PIA.
“Strong identity and access management controls at the data recipient will help mitigate this risk. The information security standards expected of data recipients that are established in the rules could mandate appropriate IAM controls,” the submission said.
The likelihood of a data holder being hacked and losing data is also “higher” than the Treasury’s assessment of “unlikely”, the ABA said.
“We would also suggest that a key risk is that non-accredited third parties who hold the CDR data mishandle, misuse or fail to appropriately protect this data. Under the framework to be established by the CDR bill, accredited data recipients are liable for the behaviour of these third parties. It may be appropriate for Treasury to consider whether the privacy safeguards should also be applied by law to these third parties, rather than just relying on accredited data recipients to impose and police data security standards,” it said.
In response, fintech association Fintech Australia said its members already deal with sensitive data and understand the importance that comes with holding it.
“Our members understand the importance of this reform and the value of data. Our goal is to ensure the framework is rigorous enough to protect consumers but not too burdensome as to stifle innovation,” Fintech Australia general manager Rebecca Schot-Guppy told InnovationAus.com.
“Many of our members already hold personal financial data, and other forms of sensitive information. They realise the burden and the benefits of it and have strategies in place to protect it. Assuming the final framework doesn’t put in place any commercially untenable mechanisms for safeguarding data, the industry is ready to ensure this data is properly protected upon receipt.”
Many fintechs are concerned about potentially overlapping privacy rules, with a need to make it clearer whether the Privacy Safeguards or Australian Privacy Principles apply.
“It is critical to clearly identify the boundaries of the Consumer Data Right scheme to ensure that all organisations are clear about when the Privacy Safeguards apply and when APP applies. We need to avoid overlap of the two schemes,” Ms Schot-Guppy said.
“There’s potential for this reform to deter investment and innovation from fintechs due to its complexity. For instance, the regime asks all data recipients to create two separate pools of data for each consumer, and ring-fence them. This is to ensure they are compliant with two separate data codes.
“We understand the need for process and applaud any measures taken to safeguard the consumer. But it just needs to be balanced with an approach that does enable innovation and won’t trip up emerging companies, as that is the whole point of this reform.”
The draft PIA also states that data must be “deleted or de-identified upon any use permissions being spent”, which could lead to issues for fintechs, Ms Schot-Guppy said.
“We broadly agree with this proposition, but there may be circumstances which require relevant data to be retained beyond the specified consent use cases. For instance, if data needs to be retained for tax purposes or legal purposes,” she said.
The launch of the open banking scheme was quietly delayed by the federal government just before Christmas, after the legislation underpinning it failed to pass through Parliament last year.