Trade Ledger, a lending automation software provider, has claimed that the Australian government’s proposed open banking implementation plan has more kinks than its international counterparts.
These “substantial weaknesses” include the lack of an independent organisation to overlook implementation and governance, as well as “limited” consumer and SME representation in the development of industry standards, the fintech said.
It warned that these weaknesses could provoke a “scaremongering campaign around data security”, which could “stall progress and reduce the scope of the changes, leaving the door open for overseas financial markets to take over our local markets”.
Trade Ledger’s co-founder and CEO, Martin McCann, said: “Given the fact that digital banking services don’t observe national borders, the consequences of getting this wrong could be catastrophic for our local industry.
“It could mean a shift away from a local-banks-versus-fintechs stand-off, and instead Australia might find itself competing against a whole horde of unstoppable open banking entrants from overseas — an absolute tragedy for Australian financial services.”
Thus far, the Australian Retail Credit Association (ARCA), in consultation with the industry, established the “Principles of Reciprocity and Data Exchange” (PRDE), which it said had been designed to facilitate the sharing of credit data among signatories by setting up a reciprocal data exchange.
The six principles, which were approved by the Australian Competition and Consumer Commission (ACCC), require that signatories:
- commit to the binding and enforceable system and structures developed by the industry that encourage the safe and secure exchange of credit information in the PRDE;
- ensure that the partial and comprehensive credit information is only exchanged between signatories to the PRDE;
- ensure that data meets a certain standard before it is exchanged, by requiring that shared data adheres to the Australian Credit Reporting Data Standard;
- agree to adopt transition rules within the specified timeline which will support early adoption of partial and comprehensive information exchange;
- be subject to monitoring, reporting and compliance requirements for the purpose of encouraging participation in the exchange of credit information and data integrity; and
- accept the terms whereby the PRDE can be amended, as well as accept that a broad review of the PRDE is to be completed three years after it commences.
However, the Trade Ledger CEO noted that given open banking’s potential to “revolutionise” the financial services industry and the broader economy by “unlocking a treasure trove of bank customer data”, he “fears” that by not learning from the best practices and mistakes of the UK, Australia will not be able to experience the full benefits, despite members of the Data Standards Body’s advisory committee claiming that they would be considering which aspects of the UK model are or aren’t appropriate and replicable in Australia.
“In the UK, the banks were made [to] pay for implementation of open banking under law. This incentivised them to act rapidly and efficiently,” Mr McCann said.
“The UK also set up a range of trade and consumer lobby groups to balance the power of the incumbent institutions, and a governance body with unprecedented powers to compel all parties to work in the national interest.
“So far, Australia does not have most of this in its implementation plans.”
In noting some of the anticipated benefits of open banking, the CEO said: “Businesses and consumers could gain real-time control of their own financial information, allowing them to evaluate financial products from multiple lenders and switch instantaneously to a better deal. Currently, only 2 per cent of bank customers switch products, despite the fact [that] most could access a better deal.
“[It] could also bring forth all manner of new and exciting financial products and processes that could change the way we transact forever.”
The government’s proposed open banking implementation plan involves lender participation in the mandatory comprehensive credit reporting (CCR) regime, starting with the big four banks, followed by the non-majors, whose deadlines are 12 months after the majors.
Under the National Consumer Credit Protection Amendment (Mandatory Comprehensive Credit Reporting) Bill 2018, which is yet to be legislated, ANZ Bank, Commonwealth Bank, National Australia Bank and Westpac are required to share credit card, debit card, deposit and transaction account data via a reciprocal data exchange system established by ARCA in consultation with the industry. Data on mortgages and personal loans are to be shared in the coming years.
However, the chair of the Australian Prudential Regulation Authority (APRA), Wayne Byres, warned that Australian banks’ anachronistic IT systems could mean that they are under-prepared for the CCR regime and might not be able to meet new prudential requirements.
APRA’s technology risk team reviewed 90 per cent of the banking industry by assets, according to the chair, and found that in many instances, the banks’ core systems had reached end-of-life or end-of-support “without funded remediation plans in place”.
“The complexity of systems and process environments and reliance on manual processes has made the mapping of data lineages, managing data quality and the aggregation of data difficult,” Mr Byres said.
Another key component of the open banking regime is the Consumer Data Right (CDR), set to come into effect on 1 July 2019. The draft Treasury Laws Amendment (Consumer Data Right) Bill 2018 states that individual and business consumers will be able to access their own data or direct custodians to share their data with accredited entities — such as banks, telcos, energy companies and comparison service providers — that have “satisfactory security and privacy safeguards” in place.
Consumer data will be subject to “strong privacy safeguards” similar to the individual protections contained in the Australian Privacy Principles as part of the Privacy Act, but is more restrictive so that an “enhanced level of protection” is built around CDR data, specifically individual and small business consumer data, according to the government’s explanatory memorandum.
The shared data would have to be in a CDR-compliant format, the draft bill stipulates, which will be determined by the ACCC in consultation with the Office of the Australian Information Commissioner and the Data Standards Body.