Australia looks to private sector to implement open banking regime

Treasurer Scott Morrison is looking to implement an open banking regime that is in part already accounted for under the existing Privacy Act, according to Privacy Commissioner Timothy Pilgrim.
Written by Asha Barbaschow, Contributor

The Australian government is looking into implementing an open banking system regime, having announced it is seeking advice from law firm King & Wood Mallesons on how to boost competition and innovation in financial services.

The measure, announced during the 2017-18 federal Budget, is centred on giving Australians greater access to their own banking data, and according to Treasurer Scott Morrison, has the potential to transform the way Australians interact with the banking system, touting it as a measure to empower consumers through open banking.

By 2018, banks in the United Kingdom will be required to open up their APIs to enable consumer data to be accessed by competing banks, startups, and other financial institutions -- providing the consumer consents. This is a move the Australian House of Representatives Standing Committee on Economics is eager to see implemented in Australia.

A report from the committee, tabled in November, recommended that banks be forced to provide open access for third parties to customer and small business data by July 2018.

The data would be wrapped in security and privacy protections and would include information on a customer's transaction history, account balances, credit card usage, and mortgage repayments.

Throughout the banking probe, committee chair, Federal Member for Banks David Coleman, touted the initiative as an important measure that not only provides more control to the consumer, but one that has the potential to make a strong contribution to the country's economic growth.

Speaking at the recent Data + Privacy Asia Pacific conference in Sydney, Australia's Privacy and Information Commissioner Timothy Pilgrim highlighted that underneath the hype of mandating banks to open their application programming interfaces (APIs) to others, is the allowance for customers to access their own banking data within the Privacy Act 1988.

"The productivity commission brought out a report into data use and getting data out, etc, and one of the things they referred to was the introduction of what they termed a new consumer right. I would argue the rights they are referring to already exist in the Privacy Act," Pilgrim said during a discussion on Europe's impending General Data Protection Regulation (GDPR).

"But one of the things they talked about was data portability and introducing that as part of a new scheme; we would say the Privacy Act can already provide for that because it says a person has the right to access their information in the form they wish to access it."

Pilgrim said such a requirement has been in the Act for quite a long time, but added that a succinct specification on what the term portability explicitly means may be necessary.

In his submission to the committee [PDF], Pilgrim said the definition coined by the committee essentially duplicates the existing definition of personal information set out in the Privacy Act.

"I consider that this new definition would likely introduce significant confusion and result in an increased regulatory burden, for minimal (if any) benefit," the commissioner wrote.

"I therefore do not support the new definition of consumer data as currently drafted."

He said the justification for introducing a new definition of consumer data appeared to be that an updated definition would help strengthen consumer rights to data, by ensuring that Australian government agencies and businesses could shift away from seeing data through a more limited, compliance-based "privacy lens".

"It is important to note that good privacy practice is not merely a 'compliance' or regulatory issue. Privacy is a fundamental human right, with the Privacy Act giving individuals control over their personal information, and requiring entities which handle personal information to do so in a transparent and accountable manner," he said.

"Nevertheless, if the data reforms are aimed at encouraging entities to take a different, more 'positive' approach to their management of data, in my view a legislative amendment is not necessary to effect such a change. Rather, entrenched cultural practices and mindsets can be overcome more effectively through a clear communications strategy."

Editorial standards