Australian 'big four' to align their data-sharing ducks ahead of Open Banking

A review has requested that Australia's largest banks be ready to hand over customer data at request from the day an Open Banking regime becomes legislated.
Written by Asha Barbaschow, Contributor

The federal government in November announced a new Consumer Data Right, allowing individuals to "own" their data by granting them open access to their banking, energy, phone, and internet transactions, as well as the right to control who can have it and who can use it.

The first sector of the Australian economy to which this right is to be applied is the financial services sector, through an Open Banking regime.

A review from law firm King & Wood Mallesons on how to boost competition and innovation in the country's financial services sector, published on Friday afternoon, made a number of recommendations on how Open Banking in Australia should look, with one requesting that the big four banks -- the Commonwealth Bank of Australia (CBA), the National Australia Bank (NAB), the Australia and New Zealand Banking Group (ANZ), and Westpac, which hold around 95 percent market share of the entire Australian finance industry -- have a system in place to facilitate data sharing the moment the final government decision is delivered.

"From the commencement date, the four major Australian banks should be obliged to comply with a direction to share data under Open Banking," the Review into Open Banking: Giving customers choice, convenience and confidence states.

"The remaining Authorised Deposit-taking Institutions (ADIs) should be obliged to share data from 12 months after the commencement date, unless the Australian Competition and Consumer Commission (ACCC) determines that a later date is more appropriate."

From the commencement date, which is yet to be determined, it is recommended that Open Banking should apply to transaction data and product data, but not to transaction data relating to transactions before January 1, 2017.

See also: Big four banks passing the buck on open data regulation

Making a total of 50 recommendations, the review [PDF] also requests that Open Banking not be mandated as the only way that banking data may be shared.

It is recommended by the review that Open Banking should be implemented primarily through amendments to the Competition and Consumer Act 2010 that set out the overarching objectives of the Consumer Data Right, and led by the ACCC, with the Office of the Australian Information Commissioner (OAIC) primarily responsible for privacy protection -- as customers are covered by The Privacy Act 1988 -- and the Australian Securities and Investments Commission (ASIC), Australian Prudential Regulation Authority (APRA), the Reserve Bank of Australia (RBA), and other sector-focused regulators consulted where necessary.

The ACCC and the OAIC have also been asked to determine the rules of both Open Banking and the Consumer Data Right, with the standards requested to include transfer, data, and security standards.

It is additionally recommended that a Data Standards Body be established to work with regulators on developing standards, which should also limit access to Open Banking data to accredited parties only.

"This body should incorporate expertise in the standards-setting process and data sharing, as well as participant and customer experience," the review explains.

On accreditation, criteria should not create an "unnecessary barrier to entry" by imposing prohibitive costs or otherwise discouraging parties from participating in Open Banking.

As a result, the review recommends using a tiered risk-based accreditation model, and said that having regard to existing licensing regimes should minimise costs for many participants.

Accreditation decisions should be reviewable by the Administrative Appeals Tribunal, it is suggested, with the ACCC holding responsibility for ensuring there is a public address book showing who is accredited.

Additionally, in order to be accredited to participate in Open Banking, all parties must comply with designated security standards set by the Data Standards Body.

The standards should allow for delegation of access to intermediaries such as middleware providers, and they should also allow users who do not use online banking to authorise the sharing of information through service channels that are ordinarily provided by the data holder, the review asks.

The regime should also be mapped on the UK Open Banking technical specification, which has already mandated that banks effectively open up APIs to enable consumer data to be accessed by competing banks, startups, and other financial institutions.

Open Banking, the review states, should have internal and external dispute resolution processes to resolve customer complaints; and the Consumer Data Right rules should create a right for accredited parties to seek remedy for breaches and conversely create breach-reporting obligations.

A clear and comprehensive framework for the allocation of liability between participants in Open Banking should also be implemented, the review says, with such framework making it clear that participants in Open Banking are liable for their own conduct, but not the conduct of other participants.

"To the extent possible, the liability framework should be consistent with existing legal frameworks to ensure that there is no uncertainty about the rights of customers or liability of data holders," the review continues.

The sharing of data is to be done via APIs.

According to the review, Open Banking should apply for all customers holding a relevant account in Australia, and to all ADIs, other than foreign bank branches. This practice should also be free of charge to the consumer.

Financial institutions must be forced to participate, and ADIs should be automatically accredited to receive data under the model put forward by the review.

At a customer's direction, data holders should be obliged to share all information that has been provided to them by the customer -- or a former customer. However, as recommended by the review, the obligation should only apply where the data holder keeps that information in a digital form, and should not apply to information supporting an identity verification assessment.

It is requested that aggregated datasets not be included in the scope of Open Banking.

"Data holders should only be obliged to share that information with the customer directly, not a data recipient," the review explains.

"If directed by the customer to do so, data holders should be obliged to share the outcome of an identity verification assessment performed on the customer, provided the anti-money laundering laws are amended to allow data recipients to rely on that outcome," recommendation 3.4 expresses.

It is requested by the review that customer consent be explicit, and that the customer be notified when their data holder has received their request.

As a further responsibility for the banks, where they are under existing obligations to publicly disclose information on their products and services -- such as information on their price, fees, and other charges -- the review asks that information be made publicly available under Open Banking.

One desired facet of the Open Banking regime that cannot be fulfilled in this instance, however, is the right for the customer to be forgotten.

"Given the many complexities involved in legislating for a right to deletion (including the range of legal obligations to retain records) and the fact that individuals currently have no right to instruct deletion of their personal information under the Privacy Act, it is beyond the scope of Open Banking to mandate a special right to deletion of information," the review explains.

As the government's decision to implement Open Banking as the first application of the Consumer Data Right aims to facilitate an "economy-wide, consumer-directed data transfer system", the review said it has therefore kept interoperability between sectors in mind when designing the Open Banking facet.

Facing the House of Representatives Standing Committee on Economics and its probe into the country's big four banks, Brian Hartzer, CEO of Westpac, said in March that his bank was supportive of the impending mandate to open customer data, but concerned about the vulnerabilities this may incite from a security perspective.

"Westpac supports enhanced data sharing, but at the same time, it's important we get the implementation of data sharing with third parties right in order to protect our customers from fraud, privacy breaches, and inappropriate use of their data," Hartzer said at the time.

"A significant data breach under a new regime would undermine trust and confidence in data sharing, and ultimately impact our shared objective of increasing transparency and innovation in the sector."

It was a similar story for CBA, NAB, and ANZ, with CBA's outgoing CEO Ian Narev asking previously for clear guidelines on who exactly is accountable for privacy and security under an Open Banking regime.

"The bottom line is, this is going to happen and we accept that, and we think competition is good for us," Narev told the Economics Committee.

Hartzer was keen to see the banking sector lead the open data reforms, but the idea was dismissed by the committee chair given the hefty market share the big four hold.

The government announced the independent Open Banking Review in the 2017-18 Budget, with the desired outcome of increasing access to banking product and consumer data by consumers and third parties.

The review is taking submissions on the recommendations until March 23, 2018.


Editorial standards