Commonwealth Bank CIO Michael Harte has said governments should only legislate technology in principle rather than in hard-defined rules that make the cost for compliance extremely high.
Speaking at the F5 Agility forum yesterday, Harte said that more and more businesses were paying for the lag of regulation behind technology change.
"Because it is protective for the consumer, it is difficult for them to stay current. There's always a lag between the evolution of technology and the rules around protecting consumers. They have to be principle based, but recently they tend to go to rules based legislation," he said.
"The regulators find it hard to keep pace, or they apply generic rules, and that just increases the cost of compliance."
He said that regulation in Australia tended to be adopted from Europe or the United States and then "applied here without much thought".
"The thing that regulators can't keep up with now is design. We can actually design things and manufacture things much faster than the regulators can keep pace with," he said.
He said government concerns about where data is hosted were "a bit antiquated", suggesting that data sovereignty rules were either in place for historic reasons, or as a form of protectionism.
"Locally, I could move traffic anywhere and store it and protect it, and I don't believe sovereignty as a means to protect things just because they're here," he said.
"I know of countries that have come to visit, and have rummaged around in our drawers, and left hints about who they are and what they were looking for.
"I don't think we are as private as we like to think, just because we are protected by data sovereignty rules that say data must reside where it is created."
He said that one of the ideals around the internet was that an individual's privacy is paramount, and that private institutions, more than governments, had a growing role in providing identity protection.
"I think there is an increasing role, not for government but for private institutions, that can provide identity protection, that can provide security across [networks]. You can at home, or backed up somewhere, store that which you hold private, and those digital assets that you hold valuable that are unable to be attacked by one or another party, and they are insured if they are," he said.
"I don't think the government needs to play a role in that. They can set standards for that activity, but when we start saying anonymity or pseudonymity is forbidden, and we want to watch everyone, or we want to have sovereign royalty, that is not good government."
"Good government would start with the protection of identity and the individual privacy of individuals."
The comments came as the bank on Monday published its submission (PDF) to the federal government's inquiry into financial systems, where the bank adopted a similar position, stating that banks should play a larger role in reducing the number of instances of an online identity.
"The present need for individuals to maintain multiple online identities creates inefficiency and a burden for all parties. Individuals either suffer the inconvenience of managing multiple passwords or risk fraud and identity theft from re-using identities across multiple services," the bank said.
"There is a risk that customers will be impacted by inefficiency and security threats if the proliferation of identities across expanding digital 'footprints' continues on its current track. The private sector has an important role to play in addressing this risk, particularly the financial sector as the primary providers of secure and private digital identity solutions."
The bank said that the leaks on US government surveillance by former NSA contractor Edward Snowden had "adversely impacted online trust" and risked the development of Australia's digital economy. The bank recommended that Australia's cyber security strategy, which has not been updated since 2009, should be updated to include:
- A review of the role of cyber security investment in the digital economy
- Promotion of government and industry partnerships on cyber security including real-time sharing of intelligence
- An outline of the roles and responsibilities of corporations and governments in the event of a "cyber-crisis"
- Advocation of an open digital economy
The bank also recommended that the government should frame its education policy with a view to improve IT skills, particularly around cyber security.
The future of the internet and services weighs on the mind of the bank, as it increasingly focuses on shifting more services online. At the F5 conference, Harte said that moving services online gave the bank a way to remove fees for certain processes that add no value to what the customer gets from CommBank.
"Real-time transactions are free, and the trade-off is we get all the information about an individual or a household, or a business's spending so we can in turn go back to them and offer them new value. I think that has to be the proposition," he said.
"Telcos have been the worst at this, and the only pressure that came on them was through phone number portability. I would like to see the same thing for bank account portability so people are able to find the most valuable service offering in the market in the most open way."
Josh Taylor travelled to the Sunshine Coast as a guest of F5 Networks.