More time can tame 'open banking' risks
Since floating in 2012, Facebook’s monthly active users have swelled from 845 million to 2.13 billion.
According to Facebook, almost 90 million of them might have had their data shared with Cambridge Analytica, the UK political consulting firm at the centre of the social media giant’s recent high profile saga that has thrust the importance of data security and privacy into the mainstream.
We’re living in a mobile world. Many of us don’t think twice about what happens to our hundreds of daily interactions with our data.
But as we’ve recently seen, that’s clearly changing.
Like in other regions such as the UK and Europe, Australia is going through a major shift to “open data” regimes, firstly through “open banking” announced in last year’s federal budget. With more than 13 million customers, Westpac strongly supports the development of an enhanced and safe data-sharing regime.
But as Facebook’s data breach highlighted, security and privacy is paramount. When this is lost, systems break down.
If someone’s identity, data and finances are not protected and trust in the financial system is eroded, everyone pays.
When used safely, effectively and by trusted users, data provides immense value to customers, but also industries, the government and society more broadly. As a small, open country that relies on foreign capital, improvements in our collective use of data can only help Australia’s global competitiveness by creating a more innovative and productive economy.
But we need to get this right. And that means enhancing the current recommendations for the open banking regime as laid out in the Farrell review, particularly the implementation timeframe.
There needs to be a phased approach to implementation, commencing with consumer and small business deposit products, and consumer credit cards, available through online banking.
While the review suggested that implementation should commence with Westpac, National Australia Bank, ANZ and Commonwealth Bank through an initial 12 month compliance period similar to in the UK, the open banking regime in Australia as proposed would include products and channels significantly broader than the UK Regime.
Getting the design, building and testing of significant technology, data and operational requirements right cannot be put at risk. For example, given the potentially large number of externally facing connections into data recipients, there needs to be adequate time to ensure appropriate reliability and security of data transfer flows and protect against fraud and cyber-attacks.
As we’ve seen elsewhere around the world, it can take many years to set up open banking regimes. In the UK, some of the nine institutions slated to participate didn’t meet the January deadline despite years of groundwork. It also took four years of preparation and debate before the EU in 2016 approved the General Data Protection Regulation, which from May will give people greater data use and portability.
But customers need time to adjust too.
Recent research by YouGov for bank CYBG in the UK found that nearly 58 per cent of people didn’t know what open banking was. In addition, more than 75 per cent of people said they were “unlikely” to use Open Banking service and 81 per cent were “not excited”. Unsurprisingly, security issues were the main concern, such as data falling into the wrong hands.
We can do better. It will just take time.
Think of all the non-digitally active customers who will require support, ensuring appropriate accreditation requirements for companies, and the potential need for a right to deletion/be forgotten.
As a Morgan Stanley report into Europe’s regime in April surmised: “Overall, as consumers are given more rights over their data, companies will need to build consumer trust on their data use.”
Development of rules and standards are critical, and Australia can learn much from the UK by making it industry-led and reliant on relevant expertise. Setting allocation of liability is equally important, and in our view requires further consultation to ensure clear customer recourse for losses and whether we need a last resort compensation scheme for less capitalised participants.
While customers can be compensated for fraud losses, it’s not as straightforward for stolen identities or when impacted by other breaches to their privacy, including personal safety.
But with some vision, and collaboration between industry and government, maintaining trust and confidence in the protection and sharing of data is achievable.
It just may take a little more time than currently flagged.