The federal government should provide financial support to startups and small businesses looking to meet the “rigorous” open banking privacy and security rules, according to former special adviser to the Prime Minister on Cyber Security Alastair MacGibbon.
The open banking regime is set to officially launch in June this year after being delayed for a second time. The scheme lets consumers request that their data held by banks be transferred to accredited third parties, including FinTechs.
To become accredited, FinTechs have to meet data security and privacy requirements. FinTech Australia has estimated that the compliance associated with the scheme would cost FinTechs an average of $50,000 to $100,000 annually.
In a submission to the Select Committee on Financial Technology and Regulation Technology, cybersecurity service provider CyberCX – co-founded by former Australian Cyber Security Centre boss Alastair MacGibbon – said it’s crucial that these security rules aren’t undermined, and that the government should assist companies to meet the “most rigorous information security and privacy protection standards”.
This could be done through a loan or voucher scheme, the CyberCX submission said.
“Loans could be offered to qualifying small and startup financial organisations in order to invest in strengthening their cybersecurity postures and meeting the ACCC rules. These could be repaid once the organisation passes a specified revenue threshold,” the submission said.
“Alternatively, a voucher scheme could be established where government covers part of the costs of achieving a strong cybersecurity posture. Initiatives such as these will have the dual advantage of encouraging greater participation in the open banking initiative whilst enhancing the overall cybersecurity posture of the sector.”
CyberCX brings together 12 cybersecurity companies and offers cybersecurity services to companies, including startups and SMEs.
CyberCX said this support would be preferable to the ACCC introducing a lower tier of accreditation for FinTechs, which would require less onerous security guidelines.
“Were some financial organisations able to achieve accreditation through less rigorous rules, it would create an incentive for attackers to target those organisations. We strongly believe that rigorous information security and privacy protection measures are absolutely essential to safeguard consumers,” it said.
“If data breaches occur as a result of insecure API transfers or due to financial institutions not handling and storing received data in accordance with best practice standards, consumer confidence and trust in the initiative will be severely undermined. The result would likely be consumer reluctance to participate in open banking, which would severely limit the initiative’s ability to achieve greater competition in the financial sector.”
A number of FinTechs and ANZ bank have argued for lower tiers of accreditation that would allow smaller companies to access open banking data without having to meet the same requirements on data security.
In its own submission, FinTech Australia said that some FinTechs won’t be participating in open banking due to the compliance costs involved.
“Many FinTech Australia members who participated in the FinTech Census and stated they are not planning to become accredited data recipients cited the laborious accreditation process as their top concern,” FinTech Australia said.
“Allowing intermediaries to access, hold and manage CDR data facilitates access to CDR data by FinTechs and others in the broader economy without the significant capital outlay.”
The organisation argued that compliance with open banking should be easier and cheaper than the practice of screen scraping, where users give their login details to a third party which then obtains and translates data from the screen display.
FinTech Australia argued that screen scraping shouldn’t be made illegal as this would be “effectively anti-competitive”, but CyberCX and a number of consumer groups said the government should move to stamp out the practice.
“At a time when we should be seeking to instil in individuals a greater awareness of the importance of online security, encouraging people to reveal their passwords is precisely the wrong message,” CyberCX said in the submission.
“Our concern is that screen scraping legitimises and gets consumers used to handing over their passwords to third parties.”