BT Security concerned open banking presents a 'conundrum' for mitigating risk

The security arm of multinational BT has offered the big four advice to err on the side of caution when opening data up to third parties under Australia's new Consumer Data Right.
Written by Asha Barbaschow, Contributor

Australia's major banks will be forced to make banking data available from the start of the 2020 financial year.

The mandate comes by way of a new open banking regime that forms the first phase of a new Consumer Data Right (CDR) which will allow individuals to "own" their data by granting them open access to their banking, energy, phone, and internet transactions, as well as the right to control who can have it and who can use it.

As banking is the first cab off the rank, the Australian Competition and Consumer Commission (ACCC) will be shaping its legislation around what is immediately required from financial services providers.

A similar initiative is already underway in the United Kingdom, and while the likes of the big four still have a little over eight months to get their ducks in a row and learn from global peers, they have concerns that the security and privacy of their customers may be weakened once the data is opened up.

Addressing the Standing Committee on Economics' review of the performance of Australia's banking and financial system previously, Westpac CEO Brian Hartzer said a significant data breach under such a new regime would "undermine trust and confidence in data sharing and ultimately impact our shared objective of increasing transparency and innovation in the sector".

Discussing the open banking regime on Thursday, chief executive of BT Security Mark Hughes offered his sympathies to Australian financial services providers.

"You breathe a big sigh and think, you've got two opposing things which are really juxtaposed and there's no -- they don't meet in the middle -- and we're sort of left with the conundrum to deal with it," Hughes told the British Chamber of Commerce in Sydney. "It's still your data, in whatever you do with it."

According to Hughes, it's best to err on the side of caution -- "especially in today's climate" -- when it comes to opening up data for third-party consumption, and wrap security provisions around it anyway.

"I might have decided to put parts of that risk into the services I provide to you, but ultimately it's still your reputation, your risk that's at stake, and so transferring that is extremely tricky," he continued.

"Ourselves in the UK, we have a regulatory, separated access division called Openreach where there's a lot of information sharing that goes on there. But in financial services the data is a bit different, it's a bit more valuable, people are interested in it."

Hughes said organisations should ensure there are limits on the data sets they expose, because it is still business data and the risk cannot be transferred away.

"When it comes to it, I would, as I have done in our organisation, err on the side of we're carrying that risk, it's our brand and reputation at stake, so therefore I will work out how to do it."

He clarified, however, that it isn't about making it difficult for competing firms.

"We're well beyond that in the telecom space in the UK, and that was never the case in the first place ... ultimately it is our risk," he added.
