There are advantages in avoiding the bleeding edge of regulatory reform. This is the case in the Australian government’s drive toward an open banking regime – and by extension, open data regulatory philosophies more generally.
This does not mean Australia should take its foot off the gas in relation to the speed of open data implementation. But not coming first in this race has its advantages, and the Australian Government’s sober, measured approach to its open data regime has its advantages.
Ping Identity’s Asia Pacific Chief Technology Officer Mark Perry says the Australia government and its regulatory agencies has been “looking at the right things at the right time” and is optimistic about the current momentum toward a more efficient data economy in this country.
Mr Perry was recently appointed to the government’s Andrew Stevens-chaired Data Standards Body set up to support the new Consumer Data Right. The focus initially is on the open banking sector, and even in this the planned roll-out is a step-by-step process before broadening out to other sectors like telecommunications and energy utilities.
“When you look at the experience overseas, you can see it’s quite difficult to jump in and be the first mover in this space,” Mr Perry said.
“There are a lot of issues and complexities behind the scenes that are not immediately obvious in this space. I think in Australia we can learn from what’s going on overseas – both the good and the bad,” he said.
“In open banking, we can actually provide value to both sides – the banks and FinTechs – and ultimately to consumers in a way that makes most people happy, and then continually iterate on that to improve capability.”
Mr Perry says there are broad misconceptions about open banking. At its core, the regime should unlock value from data while making the data ecosystem more secure, while delivering consumer benefits through new services and better services.
He says there has been some quite dangerously uninformed commentary in Australia propagating a view that open banking is a solution that is looking for a problem.
But Mr Perry says the current ad hoc drive of entrepreneurial FinTech’s into the financial system is based on practices that introduce significant risk – something the open banking regime addresses.
“At the moment we are in a situation where application developers – the FinTech’s – are asking customers for their banking credentials,” Mr Perry said. “They then store these credentials in the FinTech’s service, replaying them against each bank to get the data that’s needed by that application to do its job.”
“That’s what we call in the security industry an anti-pattern, and we don’t want that happening. We don’t want people to share credentials with third parties, because it increases the risk of attacks and of identity theft.
“And we’re talking about banking data here. If we give developers access to the complete set of banking services through the front end website [via screen scraping], then there is no way to prevent them from doing things and seeing data we as consumers may not want them to see.”
Open banking effectively has three technology elements that lets the industry provide secure access to data at a fine-grained level among different parts of the system, where consumers are given a completely transparent understanding of what they are providing access to, and given the ability to remove or modify consent for that data sharing at any time.
“First there is the security component, which is the digital identity piece providing the protocols to say this is how you authorise access to an account – without sharing credentials – and how you provide consent, and how you secure all of those interactions between the banks and the fintechs,” Mr Perry said.
“Secondly, there are the API’s, which are the communications mechanism between the banks and the third-party application developer once the user has been authenticated and given consent.
“And thirdly there is the user experience, which really drives the friendliness of open banking. This is important, as the experience of dealing with the security flows and subsequent interactions in the fintech app should not become a burden for customers, so that they keep using those services and recommend them to others, and open banking becomes part of the fabric of everyday life for Australian consumers.”
The measured approach taken by the Australian government has been important to getting the model right. The Treasury’s review into open banking in Australia, the Productivity Commission’s inquiry into Data Availability and Use – as well as the government’s official response – has been based on ‘cautious haste’ and ultimately produced informed policy.
The anti-patterns that have emerged in the sector – particularly around credentials and security – have become a problem, such that the open banking regime and open data frameworks more generally have arrived at the right time.
“The problem is that we have screen-scraping happening, and we’ve got credential sharing, and quite simply we should not be allowing that to happen as an industry,” Mr Perry said.
The Australian open banking regime has been based largely on the system that is being implemented in the UK, where its roll-out has been underway for a couple of years. There are learnings to be had from the UK experience, especially around security, the data sets that have been made available, and the importance of getting user experience issues right.
“I’m probably a little biased because my colleagues [at Ping] have worked on the UK open banking specifications in terms of the security component – and they are very good,” he said. “They are secure – obviously – but they are also very well thought out, and they use the well-tested open standards that are available.”
“The fact that the UK haven’t made too many changes to those open standards means that vendors [like Ping] were able to modify our products very quickly to meet the requirements without major delay.
“That has helped a lot of banks in the UK get into open banking more easily and to meet their regulatory requirements on time and with a manageable level of complexity.”
There are also deep learnings that can be taken from the UK in relation to data that is mandated under the scheme, and the user experience issues that have arisen from that implementation.
“Some changes will need to be made to the UK’s API design, to suit Australian banking terminology. There also is a chance to thoroughly review and simplify the UK’s APIs.”
Ping Identity has partnered with InnovationAus.com to deliver a Special Report on issues in Australia related to DigitalID, Open Data and Privacy. InnovationAus.com will publish a special newsletter on September 5.