Open Banking in Australia has begun, but ill-informed cynicism needs to be tempered by educated discussions on security and privacy.
Note: these opinions are not necessarily shared by my employer.
Australia has a new, modern way of transferring sensitive financial information from a consumer's bank to another bank or a trusted fintech. On July 1 this year, the Consumer Data Right (CDR), Australia's version of the global Open Banking initiative, went live with customer-consented data sharing between an initial select group of banks and one fintech (financial services application provider). Already, one Accredited Data Recipient has used the CDR to process and approve a mortgage application with data shared from their customer's bank, in only six minutes.
I've spent the last two and a half years working on the CDR. In my role as Asia Pacific CTO for Ping Identity, I wrote Ping's submissions to the Farrell Report in 2017 and subsequent requests for comment, and served on the government's Advisory Committee for the CDR for the last two years. I've worked with Ping's customers trying to make sense of the CDR's technical specification as it has morphed into its current form. I've helped inform Ping's product managers of the Australian-specific requirements that required updated functionality in our software solutions.
So it's more than a little disappointing to see the lack of understanding in the Australian information security market about the need for and the benefits of this new era in secure data sharing, based on informed customer consent.
Australians love to denigrate those in authority — it's in our national psyche. And banks are high on the list of our favourite institutions for criticism. But having sat through this process as an insider (or as close to being on the inside as you can, without working for a bank), I feel the need to come to the banks' (and the CDR's) defence.
As the very simplified video published by the ACCC shows, the CDR helps consumers share their personal banking data with trusted third parties (fintechs like Frollo, or other banks, like Regional Australia Bank) to initiate new products or services, like budget planning, credit card applications, or as mentioned previously, mortgages.
I experienced the traditional mortgage application process in the last month, and it's as if I was back in the 1990s. I had to make a copy of:
- My credit card statements
- My savings account statement
- My last three payslips
- The contract of sale for my new apartment
And my wife had to do the same.
The data was either scanned from the paper copies, or downloaded as PDFs from our banks' (plural) internet banking sites. They were then emailed to my new bank's mortgage broker. This was time-consuming, genuinely annoying, and inherently insecure.
Why insecure? Because the documents sat on my computer's hard drive and in my Sent folder. After supplying the data to their bank or broker, most consumers are not going to do what I did and delete the documents from their computer, and the majority would not have two-factor authentication enabled on that email account. That data could remain there for years. Email accounts are the primary attack vector for cybercriminals, and detailed financial information like this is a pot of gold for any criminal.
The CDR avoids this problem by mandating a number of security controls:
- The Data Recipients (organisations who can receive the data from the banks) are regulated and accredited by the ACCC. While the specification is "open", access to the data is not.
- Data Recipients never see the consumer's internet banking password, or even their internet banking username. In fact, during the data sharing process, the consumer never enters their password, to help mitigate phishing attacks. Authentication is performed at the bank using a username and one-time passcode.
- Access to the data is for a limited time that is clearly communicated during the data sharing consent process. The consumer is prompted to reauthorise access when their consent expires.
- The type of data shared is limited by the CDR specification, and data sharing is designed with privacy and user sensitivity in mind.
There are other more technical design decisions I could list here, but this is not meant to be an article for a technical audience, who can read the spec and (hopefully) understand where the security and privacy concerns have been addressed.
After the go-live on July 1, there was some bank bashing online from consumers, which was not all that surprising and hasn't been helped by the limited information published at this stage.
"I don't know what it is, but I don't like it." — Twitter.
But it was concerning to see some cybersecurity industry professionals weigh into the discussion with ill-conceived arguments, equating the CDR to the messy introduction of the federal government's MyHealth Record system in 2018.
Full disclosure: I opted out of MyHealth Record because I was concerned about the design of the regime and the government's opt-in/opt-out backflip, both of which I believe were poor decisions. But to equate MyHealth Record to the CDR is just plain wrong, on a number of fronts.
Centralised versus Distributed Data Storage
- MyHealth Record centralises consumer health data into the government's service.
- In the CDR regime, data is not centrally stored. A subset of data is shared with one or more accredited Data Recipients. And the CDR is designed to disallow the correlation of customer data across different Data Recipients, for example, in mergers and acquisitions in the future.
Unbounded versus Time-Limited Sharing
- MyHealth Record's goal is to store a history of a person's health data, from initial account creation to death. There is no consent reauthorisation mechanism in MyHealth Record. Consumers can request that their MyHealth Record be deleted, or manually remove documents.
- Under the CDR specification, data sharing is limited to a maximum of 12 months, and consumers are notified of their existing consents every 90 days. If a consumer wishes to continue the arrangement beyond that time, they must reauthorise the data sharing arrangement with each Data Recipient. If the consumer does not reauthorise their consent(s), those Data Recipients must delete the shared data.
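To make the time-limited sharing rules above concrete, here is a small consent-lifecycle model written for this article; it is an added example, not code from the CDR specification or from any bank or Data Recipient. It takes only the figures the article states (a 12-month maximum and 90-day notifications) and models the consequences a Data Recipient has to enforce: a requested period longer than 12 months is capped, notifications fall every 90 days from the (re)authorisation date while the consent is live, and once the consent lapses without reauthorisation the recipient's copy of the data must be deleted. The `Consent` class, its field names, the `reauthorise` method and the sample dates are all constructed for illustration and are not CDR terms.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Figures taken from the article: a consent lasts at most 12 months, and the
# consumer is notified of existing consents every 90 days.
MAX_CONSENT_DAYS = 365
NOTIFY_EVERY_DAYS = 90


@dataclass
class Consent:
    """One consumer-to-recipient sharing arrangement (constructed model, not a CDR data type)."""
    recipient: str
    granted_on: date
    requested_days: int                      # period the consumer agreed to when consenting
    reauthorised_on: Optional[date] = None   # set when the consumer renews (hypothetical field)

    def _period_start(self) -> date:
        return self.reauthorised_on or self.granted_on

    def expires_on(self) -> date:
        """Hard expiry: (re)authorisation date plus the requested period, capped at 12 months."""
        return self._period_start() + timedelta(days=min(self.requested_days, MAX_CONSENT_DAYS))

    def is_active(self, today: date) -> bool:
        return self.granted_on <= today < self.expires_on()

    def notification_dates(self) -> List[date]:
        """Dates on which the consumer is reminded of this consent: every 90 days while it is live."""
        end = self.expires_on()
        dates = []
        d = self._period_start() + timedelta(days=NOTIFY_EVERY_DAYS)
        while d < end:
            dates.append(d)
            d += timedelta(days=NOTIFY_EVERY_DAYS)
        return dates

    def reauthorise(self, today: date, requested_days: int) -> None:
        """Consumer renews the arrangement; the new period is again capped at 12 months."""
        self.reauthorised_on = today
        self.requested_days = requested_days


def recipient_action(consent: Consent, today: date) -> str:
    """What the Data Recipient must do today: keep sharing, or delete the data it holds."""
    return "share" if consent.is_active(today) else "delete"


def recipients_to_purge(consents: List[Consent], today: date) -> List[str]:
    """Recipients whose copies of the consumer's data must be deleted today."""
    return [c.recipient for c in consents if recipient_action(c, today) == "delete"]


def sample_consents() -> List[Consent]:
    """Constructed sample: one over-long request (capped), one short one that has already lapsed."""
    return [
        Consent("recipient-A", date(2021, 1, 1), requested_days=500),   # capped to 365 days
        Consent("recipient-B", date(2021, 1, 1), requested_days=60),    # expires 2 March 2021
    ]


if __name__ == "__main__":
    for c in sample_consents():
        print(c.recipient, "expires", c.expires_on(), "reminders", c.notification_dates())
    print("purge on 2021-06-01:", recipients_to_purge(sample_consents(), date(2021, 6, 1)))
```

The deletion check is deliberately a pure function of the consent record and today's date, so it can be run as a scheduled job against every stored consent rather than relying on the consumer to remember to revoke anything.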
Opt-Out versus Opt-In
- MyHealth Record is Opt-Out, meaning all Australians born since 31 January 2018, or who did not explicitly opt out before that date, will have a MyHealth Record created for them. Consumers can request that their MyHealth Record be deleted.
- The CDR is completely opt-in. There is no requirement to use CDR for financial services data sharing. It is purely a convenience decision for the consumer. ACCC rules prohibit making CDR data sharing a mandatory requirement for access to a product or service.
Above all, the design and specification for the CDR is open, meaning the detailed technical information about the data, the security, the communications methods, and the consent mechanism is published. It has been peer reviewed by the information security industry and some of its concerns have been integrated into the design. I am unaware of any similar openness for MyHealth Record.
The fact is, throughout the CDR design process, some of the most vocal protectors of consumer privacy and security have been the executives and technical people from Australia's big four banks.
I have been in meetings and workshops and seen the banks' representatives argue for stronger security measures, push back on perceived shortcuts, and constantly remind those present that it is the Consumer Data Right, first and foremost.
We're at the beginning of a new era in digital data sharing, and as with all new technology implementations, we can't be sure of all the outcomes and consequences in the future.
Yes, there are risks in providing new ways to share sensitive data, even in a highly regulated system like the CDR. But ill-informed pessimism, based on historic prejudices and ignorance, won't help society evolve.
The CDR is a bold undertaking and has just started in Australia, but it's based on years of experience in Open Banking in the United Kingdom, and has consumer privacy and security designed in by default.
It deserves to be supported and nurtured.