Adapting the existing regulatory framework concerning privacy and introducing a new framework that supports open banking and economy-wide open data are necessary precursors to the successful implementation of the open banking regime, according to the Australia and New Zealand Banking Group (ANZ).
In its submission to the government's review into open banking in Australia, ANZ suggests that open banking be underpinned by a new "Data Act" that covers what is missing in the Privacy Act 1988 and establishes a regulatory and liability framework that supports economy-wide open data, as it pertains solely to the financial sector.
"[We] question whether the Privacy Act is the appropriate vehicle for an era predicated upon the importance of data. As electronic data and its use become more embedded in our economy, we can see the importance of a legislative framework that can articulate community expectations at the scale that will be required. A new Act may future proof Australia's laws concerning electronic data," ANZ stated in its submission.
While the banking group notes that establishing an appropriate regulatory framework will take "deliberation, effort, and law reform", ANZ suggests the new Data Act be passed as early as the first half of 2018, followed by the implementation of a regulatory framework in the middle of 2018 after the passage of the new Act.
Suggested amendments to the Privacy Act include clearly stipulating that data recipients are responsible for the security of digital data after it leaves the data transferor's firewall, assuming that the data transferred under the open banking regime will only ever be a subset of personal information collected by the customer, rather than imputed and proprietary data; and that the data transferor has no obligation to disclose or investigate how the data recipient intends to use the data.
Customer protections and trust
An informed customer consent regime must be a central part of the data sharing process with clear disclosures around what types of data are being accessed and how they will be used, the Australian Bankers Association (ABA) has said.
Additionally, the disclosure mechanism must be designed to ensure customers are properly aware of the terms access and use of their data, the Consumer Action Law Centre (CALC) suggested in its submission.
"[It] is now recognised that disclosure and tick box consents (particularly through terms and conditions or privacy policies) are an ineffective form of consumer protection. Blanket terms and conditions in lengthy legalese can maximise what a business can do with someone's data, whilst minimising their responsibility," CALC said.
"In fact, one of the defining features of the Financial System Inquiry panel's final report was an explicit shift in focus from consumer protection regulation based on disclosure to one focusing on fair treatment of consumers.
"Implicit in that change is an acceptance that consumers are not necessarily capable of absorbing all of the information presented to them and, even if they do, various cognitive limitations and biases limit the ability of people to make rational choices."
As such, CALC warns against a narrow focus on disclosure, as opposed to broader regulation that requires entities to access and use consumer data fairly.
"If disclosure is to form a useful part of the regime, its design should start with a consideration of how consumers actually use disclosure and how they make decisions, rather than a focus on compliance and risk avoidance ... Consumer testing of any proposed disclosure or consent process will be critical," CALC said, adding that effective consumer protection and resulting trust cannot rely solely on disclosure.
The ABA suggested that informed customer consent for data access and use be originated on the bank's platform.
"Banks provide trusted platforms that would circumvent many of the security risks that could eventuate on unknown third party websites," the ABA said. It also cited a Telstra report that found 76 percent of millennials nominated banks as entities they trust with personal information, with no other entity coming close to this level of trust.
The ABA also advised that customer data be made available to accredited third parties via a "safe data sharing" mechanism that provides customers control over how their data is shared and used.
The association suggested a capability be introduced on banking apps through which the customer can find the data sharing option, where all the third parties that have been accredited to share data would appear; verify the scope and date range for their data use subject to agreed industry standards; log in to see where they have existing data sharing arrangements and where they could revoke permission; and receive information of the risks associated with sharing data, as well as their rights regarding liability and revocation.
Payment solutions provider Cuscal stated in its submission that access to data should only be provided once the customer consent is provided to both the financial institution holding the data and the third party providing the service to the customer.
"For reasons of liability and financial crime prevention, we do not think that financial institutions can rely solely on access consent provided to the third party," Cuscal said.
The payment solutions provider additionally suggested consumers have the ability to "dial up or down the amount of access they are willing to provide to their data" on an ongoing basis so that control is maintained.
"For example some consumers might be quite happy to share their transactional data, but may not wish to share information about their mortgage or superannuation, while for other customers the inverse may be true," Cuscal explained.
"In order for such choice to be exercised, the banking information will need to be categorized and the customer's financial institution will need to offer the selection to the customer. A simple categorisation could be based either on product type (e.g. credit card, loan) or on a functional basis (e.g. transactional data, balance data, loan repayment history)."
A third party should only be able to access and use the portion of information required to provide a particular service, Cuscal added.
"Data should be used within a certain amount of time from the collection time and once used the data should be destroyed by the third party or, to the extent that record keeping regulation requires it to be kept, it should be de-identified and encrypted," the payment solutions provider said.
Moreover, the consents provided to data transferors and data recipients must have consistent terms, according to Cuscal.
"It will be critical for the consent categorisation to be standardised across the industry so that consumers understand what they are consenting to and third parties can develop products appropriately," Cuscal said.
"We therefore recommend that financial institutions be required to offer the consent choices in an easily accessible and highly visible format within their digital channels. Processes will also need to be developed to deal with dual consent for joint account holders."
ANZ bank said that Australian law needs to clarify that if a data transferor shares data in line with a consumer's request, it has no liability for any losses the consumer faces resulting from the misuse or loss of the shared data by a third party -- a view also held by the National Australia Bank (NAB) and the Commonwealth Bank of Australia (CBA).
ANZ said consumers have the right to pursue action against the third party if data is used for purposes not clearly indicated in the consent retrieval process or if reasonable steps have not been taken to protect their data.
"The costs of bringing the right of action could be reduced if consumers were entitled to bring an action to a non-court dispute resolution scheme (e.g. financial sector recipients will likely be subject to the jurisdiction of the new Australian Financial Complaints Authority) or to the relevant government agency," the banking group added.
CALC said "accessible avenues for dispute resolution and consumer redress" is required to ensure consumers have trust in the open banking regime.
The ABA suggested that a "strong liability regime" be established on the principle that the entity responsible for any breach is able to compensate affected customers. As such, one of the accreditation requirements should be for open banking participants to hold "adequate insurance" should a breach occur. This approach takes into consideration that startups might have limited capital to be able to compensate consumers, the association said.
NAB noted that regardless of which party is legally liable for data breaches, such events would still impact the trust and confidence customers have when dealing with the data transferor.
"Providing consent though does not alleviate all security concerns. It will also be important that in gaining such consent, further education is provided to remind customers of the risk they are accepting, and to ensure they are confident in the third party recipient managing their data. Consent should also be limited to a specified period of time, and not be in perpetuity," NAB said in its submission.
In addition to customer consent and a third party accreditation system, NAB suggested the security of the data shared under an open banking regime be ensured by the use of encryption in the transfer process. The bank also recommended the auditing and logging of data requests by individuals or transfer requests for third parties under the open banking regime.
"This would allow for traceability and auditability in the event of a breach. In the instance where multiple parties are involved and a data breach occurs, identifying the exact party where the breach occurred can be challenging," NAB said.
NAB also suggested that banks be given the ability to restrict access to a third party if that third party has suffered a data breach within a recent period of time.
Data privacy, security, and standardisation
The Reserve Bank of Australia (RBA), while in strong favour of common industry standards around data definitions, formats, security, and access arrangements, suggested that standards should be flexible enough to accommodate future advances in technology.
"However, standards should also promote best practice in relation to data sharing, for example by specifying minimum functionality requirements benchmarked against current best practice," the RBA said.
But it's also important that the standards established do not create a barrier to entry for new players, as it would undermine the government's objective to increase competition, the RBA said, adding that stringent standards could present technical challenges for new players who don't have the capital to comply with those standards.
As such, accreditation requirements will need to "strike an appropriate balance between managing security risks and facilitating access to the market", the RBA said.
Additionally, it recommended that any licensing or accreditation regime implemented not be focused on one aspect of financial services -- such as payments -- as it would create a fragmented system with inefficiencies.
CBA said an "accreditation utility" be responsible for publishing standards, providing once-off accreditation to participants, setting accreditation fees and charges, conducting assessments for regular re-accreditation, and monitoring compliance over time.
The utility will also remove accreditation on expiry or breach, and be supported by selected group of certifiers, auditors, and specialists, the bank added.
While APIs are widely considered an appropriate mechanism for data sharing, CBA commended ABA's customer-oriented and accreditation-based model where consent originates on banking apps and third-parties are accredited prior to the execution of data-sharing activities.
"In the event of a security breach [in a system using APIs], perpetrators will be unable to unilaterally extract large volumes of consumer data. This is important in the face of increasing threats from criminal organisations and rogue states," CBA said.
"Furthermore, the de-centralised nature of the model minimises the risk of wholesale data compromise. The recently publicised data leak suffered by Equifax in the United States highlights the vulnerabilities associated with a centralised data repository.
"The proposed model would also be consistently applied to any overseas based technology companies seeking to access customer data."
Cuscal meanwhile suggested an availability and performance framework to ensure the APIs are implemented to meet the same service standards as the banks' internet or mobile banking channels.
Charging fees for data access
Participants in the consultation, including the ABA, generally agree that data providers should be able to charge for access to data to recover costs of accreditation and ongoing maintenance.
NAB said it's "not commercially sustainable or equitable in the long term for the entire cost of implementing an open banking regime to be borne by the incumbent banking sector".
"NAB believes the key costs will be in identifying, collating, verifying, and aggregating the data, the development of technology systems and infrastructure to complete this work, and the ongoing costs of data reporting and system maintenance," NAB said in its submission, adding that it's difficult to estimate the costs "without a proposed approach, data format and commencement date being identified".
CBA is similarly in support of charging data recipients for access, noting additional business costs such as "change management, risk, and regulation", and industry costs such as the development and maintenance of standards.
"Implementing change to support open banking reforms is not only a technology project but also requires large investments to change business processes, and contribution to an industry-wide process for setting and monitoring standards," CBA said.
"In some cases UK participants have identified business implementation costs of a similar scale to, if not in excess of, technology costs. In particular, significant resourcing has been allocated to manage business change and for data quality assurance."
NAB additionally suggested in its submission that the costs for data access be determined by the financial industry, with regulatory approval, to ensure it is standard across the sector and data recipients are not charged different amounts from different financial institutions for access to similar datasets.
While in support with a "user pays" model, ANZ noted that "excessive charging" would undermine the consumers' perception that they own their data. The banking group recommends a schedule of prices to be paid by data recipients based on data type, transfer mechanism, and transfer frequency.
"Completely free data, though, would not recognise the efforts of data transferors in collecting, storing, and protecting the data and the commercial interest that the data recipient has in receiving the data," ANZ said.
Cloud accounting software firm Xero believes, however, that regulated charging for access to transactional data can potentially "stifle innovation", instead suggesting charging consumers directly or their chosen service providers.
This, according to Xero, "enables market forces to determine the value of data and economics to drive innovation".
Additionally, Xero recommends mandating transparency for consumers about the fees charged by the data transferor to them directly or to their service provider. This will ensure "pass-through/cost recovery is enabled without risk of non-value-added profiteering at the expense of consumers", the cloud accounting firm explained.
Participants in the consultation largely agree that the government should not mandate the technology that is used to facilitate data sharing as it can limit innovation.
"Industry should be able to determine the most appropriate data delivery mechanism for each data circumstance. Mandating one mechanism over others could constitute a significant opportunity cost of diverting investment from emerging technologies that may be more effective for data sharing," the ABA said.
NAB noted that legislation can become outdated as technology changes.
ANZ outlined four types of transfer mechanisms that could be used to send the data from the data transferor to the data recipient: Download CSV file of transaction data; transmit CSV file of transaction data; public API, and permissioned API.
Cuscal said APIs would likely be the best technology to transfer customer data to third parties in a standardised format.
"In this scenario each financial institution could be required to issue a unique code to a customer, which can then be registered with the third party. Banking systems would need to be modified to allow read only access to customer accounts when the code is used rather than the full log in details," it said.
"This method of access would enable third parties to offer a wide range of "read only" based services while providing security to consumers and overcoming the key objections that financial institutions currently have to screen scraping services."
However, providing simply "read access" to customer data -- which RBA advocates for in the shorter term -- will not generate the most benefits when it comes to competition and innovation.
"We believe those goals will be achieved through 'write access' -- i.e. the ability to authorise third parties to act as an agent of the customer to initiate payments and/or transfer funds. This would be consistent with the European regime which defines a Payment Initiation Service Provider (PISP) under PSD2," Cuscal stated in its submission.
According to the ABA, "write access" could be considered at a later date, as part of a phased approach to open banking.