Commonwealth Bank demands accountability in data portability reform

The bank's CEO Ian Narev has said that he wants the Commonwealth Bank of Australia to take responsibility for the security and privacy of its customer's data, if it is not farmed out to a data portability body.
Written by Asha Barbaschow, Contributor on

Commonwealth Bank of Australia (CBA) CEO Ian Narev has said that he wants the banking industry to be responsible for determining the security and privacy guidelines around opening up the bank's application programming interfaces (API) to external parties.

Narev also said his bank wants to take accountability for the security of his customer's data, as he holds firm that CBA's only concern around allowing customers to easily port their banking data and take their business elsewhere is their privacy and security.

The CBA chief's comments were made during the second day of the House of Representatives Standing Committee on Economics' review of the performance of Australia's banking and financial system, where opening up customer data has been a focus of the committee.

By 2018, banks in the United Kingdom will be required to effectively open up APIs to enable consumer data to be accessed by competing banks, startups, and other financial institutions -- providing the consumer consents. This is a move the committee chair, Federal Member for Banks David Coleman, is eager to see implemented in Australia.

According to Coleman, opening up access to consumer data will create a more competitive market as it will make it easier for people to switch banks, which will result in Australians getting better offers from other banks.

Of key concern to Coleman in allowing CBA and its peers to lead the implementation, is that a largely industry-led execution -- one led by the big four banks -- will be one led by 95 percent of the Australian finance industry.

"Certainly from my perspective, there is a potential conflict there because while you may in theory support the opening up of consumer data, the provision of that data to new entrants, to startups, to other banks, creates potentially competitive problems for you," Coleman said.

Coleman believes the implementation should instead be performed via a regulatory mandate, similar to the way in which mobile phone number portability was looked after by the Australian Competition and Consumer Commission, as he said it was recognised that the telcos were not particularly well-placed to lead a process that arguably was not in their commercial interests.

The chair told Narev that the process should be implemented with the banks at arm's length.

"The bottom line is, this is going to happen and we accept that, and we think competition is good for us," Narev replied. "In the world in which we live in every day, we see attempts to get our information, that is why we want parts of the solution to be industry led."

"We will support any solution if ultimately we can be clear on specifically who is accountable for privacy and security," he added.

"We want to take that accountability. If somebody else is going to take it and be accountable for that so we know where to address concerns if there are problems with this, then we are open to that solution."

Retail banking head Matt Comyn expanded on Narev's remarks, highlighting that what CBA is recommending is that the industry be closely involved.

"We see a clear role for government particularly in areas such as the Digital Transformation Agency, we note the work that's ongoing at the moment by the Productivity Commission, we also think that Fintech Australia should be involved, we think there's a role for consumer groups to be involved as well because there are a broad set of considerations around security and privacy," Comyn added, noting the bank was also in the process of making it "very easy" for customers to switch to another credit card provider.

"They will be able to close their account online with a few clicks with no interaction with a person."

When facing the committee last year, CBA, initially commented that is opposed to the practice of opening up APIs, citing data security concerns and the misfortune of previous technology projects as its main rationale.

The Australia and New Zealand Banking Group (ANZ) also faced the committee's probe on Tuesday afternoon, with CEO Shayne Elliott saying that while his bank supports the impending change and sees opportunity for its customers, ANZ's primary focus is protecting its customers' privacy and security.

"Data is powerful. Allowing customers easier access to their own data will help them make better choices. But data is also dangerous in the wrong hands," Elliott explained. "Even today, 25 percent of all bank fraud attempts target customers' data as opposed to their money."

The ANZ chief pointed to the practice of moving AU$200 billion for its customers each day, and said that his bank does so with "incredible levels of accuracy and safety" as the industry has worked with regulators to define rules and standards that his bank follows.

"We have an obligation and a business opportunity to provide the same levels of protection when moving our customers' data," he added.

"Australia will need to consider how data access can occur safely without exposing Australians to unreasonable risk and see local innovation and jobs rather than see all the benefits go overseas or offshore."

Elliott believes that time, coordination and investment, and cooperation between industry and government will be paramount to bringing the UK-like initiative to Australia.

"Opening up of the data should be led by an independent regulatory body that obviously will be charged with addressing all of those privacy issues, making use of your expertise and so on in that process ... but they will have the final say," he said.

"We're not proposing that the banks alone decide that, I think models that have worked well are where there's cooperation between industry and government ... working together surely -- in our view -- is the right answer."

On Friday, the National Australia Bank (NAB) faced the Economics Committee and highlighted similar security and privacy concerns to those of CBA.

"We need to innovate, we need to improve, and we welcome competition," CEO Andrew Thorburn said.

"We're supporting the thrust of what you're saying. We're just saying that the risks of it need to be clearly identified because if others have access to data, that is clients' data in our bank, and if that got into the wrong hands, the bank is going to be suffer serious reputational damage with that."

NAB chief operating officer Antony Cahill said he was recently in the United Kingdom speaking with a number of financial services providers, but noted that even though their legislation has been in place for a while, providers in the UK are still working through the commercial implications.

"I think at this stage it is not possible to say whether it's in our interests or not," he added. "Our view is if it happens then clearly we'll think about the commercial implications and how we can adapt to that."

Westpac will face the committee on Wednesday.

Editorial standards