Big four banks passing the buck on open data regulation

At the conclusion of the three-day review of Australia's four major banks, not one has explicitly pointed to who should lead the open data reform that will potentially change the heavily regulated banking industry in Australia.
Written by Asha Barbaschow, Contributor

Westpac CEO Brian Hartzer has told the House of Representatives that he is "relatively agnostic" when it comes to determining who leads the process that will eventually see banks in Australia opening up customer data to external parties.

On the final day of the Standing Committee on Economics' review of the performance of Australia's banking and financial system, Hartzer said a regulator-led process may be appropriate so long as there is heavy involvement from the banks.

"Westpac supports enhanced data sharing, but at the same time, it's important we get the implementation of data sharing with third parties right in order to protect our customers from fraud, privacy breaches, and inappropriate use of their data," Hartzer said in his opening address.

"A significant data breach under a new regime would undermine trust and confidence in data sharing and ultimately impact our shared objective of increasing transparency and innovation in the sector."

The only hesitation Hartzer said Westpac has surrounds the bank's obligation to protect customer data. He said he wants to avoid a situation where a third-party makes determinations about something it doesn't fully understand or is unaware of the potential risk, such as what a breach could mean for the banking industry in Australia.

By 2018, banks in the United Kingdom will be required to effectively open up application programming interfaces (API) to enable consumer data to be accessed by competing banks, startups, and other financial institutions -- providing the consumer consents. This is a move the committee chair, Federal Member for Banks David Coleman, is eager to see implemented in Australia.

Coleman probed Hartzer at length on who he wants to see lead the reform, pointing to the UK model that has handed the responsibility over to an independent regulatory authority.

"Our recommendation is that a regulatory authority has that mandate because we don't think it's appropriate for the entities that currently control the data to also be in charge of the process of opening it up because we see that there are potential conflicting priorities in that position," Coleman said on Wednesday.

"The crux of the matter seems to me is who is in charge of the process, not whether or not safeguards need to be put in place or whether banks need to be heavily involved in that process because clearly you do because you have the expertise in the area."

Hartzer, however, is concerned that even the benchmarked model has holes.

"I was in the UK a couple of months ago meeting with banks and many of these privacy, fraud, and security issues in the UK are not resolved yet and many senior bankers do not know how they're going to deal with some of these issues," Hartzer explained.

"I think it's important to recognise that if you let the genie out of the bottle and allow a significant data breach to reach customers -- it's a terrible thing for customers and for the system as a whole."

Hartzer said that whatever process is in place needs to deal with security and privacy very seriously while also providing confidence.

"So long as it's a genuine process and the legitimate issues are dealt with and there are some gates around that, then we've got no problem," he added.

During the three-day probe, neither Westpac, the Commonwealth Bank of Australia (CBA), the National Australia Bank (NAB), or the Australia and New Zealand Banking Group (ANZ) explicitly pointed to a particular party or body that should be handed the responsibility of determining the regulatory framework for open data in the Australian financial sector.

CBA faced the committee on Tuesday, with CEO Ian Narev saying his bank will support any solution if it is clear on specifically who is accountable for privacy and security in the process.

"The bottom line is, this is going to happen and we accept that, and we think competition is good for us," Narev said.

"In the world in which we live every day, we see attempts to get our information, that is why we want parts of the solution to be industry led."

"We want to take that accountability. If somebody else is going to take it and be accountable for that so we know where to address concerns if there are problems with this, then we are open to that solution."

ANZ's CEO Shayne Elliott also faced the committee on Tuesday, saying that while his bank supports the impending change and sees opportunity for its customers, ANZ's primary focus is also in protecting its customers' privacy and security.

"Data is powerful. Allowing customers easier access to their own data will help them make better choices. But data is also dangerous in the wrong hands," Elliott explained. "Even today, 25 percent of all bank fraud attempts target customers' data as opposed to their money."

The ANZ chief pointed to the practice of moving AU$200 billion for its customers each day, and said that his bank does so with "incredible levels of accuracy and safety" as the industry has worked with regulators to define rules and standards that his bank follows.

"We have an obligation and a business opportunity to provide the same levels of protection when moving our customers' data," he added. "Australia will need to consider how data access can occur safely without exposing Australians to unreasonable risk and see local innovation and jobs rather than see all the benefits go overseas or offshore."

First to face the committee's second round of questioning, NAB CEO Andrew Thorburn said that while his bank was supportive of the concept, he wants the potential risks of opening up data to be clearly identified, as he is concerned over the potential reputational damage the data getting into the wrong hands would mean for NAB.

In their respective responses to the committee during the first round of questioning last year, all four CEOs highlighted the complexity of implementing account portability, which alluded to the big four hedging their bets by saying they will support the industry reform, while also thinking the mandate would potentially be years away.

"This is absolutely not about delaying the process," Hartzer told the committee Wednesday.

"Innovation is important for the Australian economy as it drives competition which leads to better outcomes for customers.

"We're in a really interesting time at the moment where technology is giving us the ability to make things simultaneously better for customers, better for risk management, and better for the bank.

"What we found is while you might in the first instance start with this view that giving access to data would be a risk, actually we're finding it's creating new opportunities for us to create better services for customers."

Editorial standards