
Banks call for stronger CDR privacy rules

The ABA has told government that the upcoming Consumer Data Right could have a “revolutionary impact” on competition, but privacy should be prioritised.

The Australian Banking Association’s (ABA) submission to the draft Privacy Impact Assessment (PIA) of the Consumer Data Right (CDR) welcomed the new scheme but urged government to prioritise privacy to protect customers.

Under the draft Treasury Laws Amendment (CDR) Bill 2018 released last month, individual and business consumers will be able to access their own data, or direct custodians to share it with accredited entities such as banks, telcos, energy companies and comparison service providers in order to get tailored access to services and competitive deals.

The PIA will help shape the security behind the CDR programme, which is set to launch in a pilot phase on 1 July 2019, ahead of the full launch of access to consumer data in February 2020.

Treasury’s consultation on its first PIA for the CDR closed last Friday (18 January) and called for interested parties to submit responses before government develops its revised PIA.


Comments will reportedly be considered as part of the development of the revised version.

In its submission to Treasury’s first PIA, the ABA supported the Treasury’s recommendations on measures to reduce risks to customers’ data, adding that it would be “seeking further testing during the pilot program to ensure we get this right”.

The pilot program will test the waters for privacy and security in the CDR, with the aim of minimising the risk of leaks or breaches and ensuring customer data is kept in the vault.

“The industry has been an advocate and partner of the federal government’s initiative to set in stone a customer’s right to direct their data to be shared with others so they can get the maximum benefit from it,” ABA CEO Anna Bligh said.

Higher risk categories around consumer privacy and data protection being assessed by the ABA were highlighted throughout the submission.

According to the ABA submission, cyber criminals prove “highly capable” of launching phishing attacks by taking advantage of new industry developments.

The highest risk areas that will be assessed under the PIA regarding cyber criminals include those:

  • Posing as data recipients to access consumer data
  • Posing as a third party using the false identity of an accredited data recipient, in order to steal authentication information
  • Posing as a data recipient to direct a consumer to fake data-holding websites
  • Directing consumers to fake data-holding websites through an online data recipient, who is knowingly engaging in illegal activity

The ABA therefore said that “decisions around the authentication flow should include an analysis of the risk that different models would pose to consumers, in terms of the likelihood of future phishing attacks”. It called for the PIA to be amended to “reflect these decisions”.

Third-party mismanagement of consumer data can be difficult to predict or prevent, even when private consumer data is held by trustworthy and credible companies, according to the ABA.

In its submission, the ABA noted that its members would assess the likelihood of unauthorised access to consumer data by a third party to be “significantly higher than ‘unlikely’”, as the government had originally stated.  

For example, in a scenario where a failed company becomes deregistered and loses control over consumer data, the ABA said “risk mitigation strategies are practically very difficult to implement and also unlikely to be effective”.

Difficulties associated with such risk mitigation strategies included:

  • Consumers becoming aware in advance that a company has become deregistered.
  • Consumers being able to contact the deregistered company to delete private information.
  • Data holders retaining the power to withhold private information on reasonable grounds relating to data security.
  • Rigorous monitoring and enforcement “including re-consent requirements”.

To combat these risks, “information security requirements” should be included in the accreditation criteria, according to the banking association.

Meanwhile, information related to threat monitoring should be shared between data holders, in order to help data recipients “defend against cyber attacks targeting consumer data”, it said.

“Assessing the risks to privacy associated with the CDR is a very complex task, and the PIA represents a significant effort in understanding these risks and how they may be mitigated,” the submission reads.

Some key amendments to the PIA suggested by the ABA include:

  • Examining its rules and standards in greater detail
  • Discussing regulatory strategies around the risks of non-compliance that could be adopted by the Australian Competition and Consumer Commission (ACCC)
  • Reviewing factual and technical risks around privacy and data security following the CDR pilot program
  • Ensuring consistency of risk assessment in alignment with Section 33C of the Privacy Act 1988 (Cth) (Privacy Act)

“Once the PIA findings are known and considered, the lessons should inform compliance standards and align to the accreditation process beyond the principles currently set out in the ACCC Rules Outline issued in December 2018,” the submission concludes.

Annie Kane

Annie Kane is the editor of The Adviser and Mortgage Business.

As well as writing about the Australian broking industry, the mortgage market, financial regulation, fintechs and the wider lending landscape – Annie is also the host of the Elite Broker and In Focus podcasts and The Adviser Live webcasts. 
