
Banks call for stronger CDR privacy rules

The ABA has told government that the upcoming Consumer Data Right could have a “revolutionary impact” on competition, but privacy should be prioritised.

The Australian Banking Association’s (ABA) submission to the draft Privacy Impact Assessment (PIA) of the Consumer Data Right (CDR) welcomed the new scheme but urged government to prioritise privacy to protect customers.

Under the draft Treasury Laws Amendment (CDR) Bill 2018 released last month, individual and business consumers will be able to access their own data, or direct custodians to share it with accredited entities such as banks, telcos, energy companies and comparison service providers in order to get tailored access to services and competitive deals.

The PIA will help shape the security controls behind the CDR program, which is set to launch in a pilot phase on 1 July 2019 before the full launch of consumer data access in February 2020.


Treasury’s consultation on its first PIA for the CDR closed last Friday (18 January) and called for interested parties to submit responses before government develops its revised PIA.

Comments will reportedly be considered as part of the development of the revised version.

In its submission to Treasury’s first PIA, the ABA supported the Treasury’s recommendations on measures to reduce risks to customers’ data, adding that it would be “seeking further testing during the pilot program to ensure we get this right”.

The pilot program will test the CDR’s privacy and security arrangements before full launch, with the aim of minimising the risk of leaks or breaches and keeping customer data protected.

“The industry has been an advocate and partner of the federal government’s initiative to set in stone a customer’s right to direct their data to be shared with others so they can get the maximum benefit from it,” ABA CEO Anna Bligh said.

The submission highlighted the categories of consumer privacy and data protection risk that the ABA assessed as higher risk.

According to the ABA submission, cyber criminals have proven “highly capable” of launching phishing attacks that take advantage of new industry developments.

The highest-risk areas to be assessed under the PIA involve cyber criminals:

  • Posing as data recipients to access consumer data
  • Posing as a third party using the false identity of an accredited data recipient, in order to steal authentication information
  • Posing as a data recipient to direct a consumer to fake data-holding websites
  • Directing consumers to fake data-holding websites through an online data recipient, who is knowingly engaging in illegal activity

The ABA therefore said that “decisions around the authentication flow should include an analysis of the risk that different models would pose to consumers, in terms of the likelihood of future phishing attacks”. It called for the PIA to be amended to “reflect these decisions”.

Third-party mismanagement of consumer data can be difficult to predict or prevent, even when private consumer data is held by trustworthy and credible companies, according to the ABA.

In its submission, the ABA noted that its members would assess the likelihood of unauthorised access to consumer data by a third party as “significantly higher than ‘unlikely’”, the rating the government had originally given it.

For example, in a scenario where a failed company becomes deregistered and loses control over consumer data, the ABA said “risk mitigation strategies are practically very difficult to implement and also unlikely to be effective”.

Mitigation strategies the ABA considered difficult to rely on included:

  • Consumers becoming aware in advance that a company has become deregistered.
  • Consumers being able to contact the deregistered company to delete private information.
  • Data holders retaining the power to withhold private information on reasonable grounds relating to data security.
  • Rigorous monitoring and enforcement “including re-consent requirements”.

To combat these risks, “information security requirements” should be included in the accreditation criteria, according to the banking association.

Meanwhile, information related to threat monitoring should be shared between data holders, in order to help data recipients “defend against cyber attacks targeting consumer data”, it said.

“Assessing the risks to privacy associated with the CDR is a very complex task, and the PIA represents a significant effort in understanding these risks and how they may be mitigated,” the submission reads.

Some key amendments to the PIA suggested by the ABA include:

  • Examining its rules and standards in greater detail
  • Discussing regulatory strategies around the risks of non-compliance that could be adopted by the Australian Competition and Consumer Commission (ACCC)
  • Reviewing factual and technical risks around privacy and data security following the CDR pilot program
  • Ensuring consistency of risk assessment in alignment with Section 33C of the Privacy Act 1988 (Cth) (Privacy Act)

“Once the PIA findings are known and considered, the lessons should inform compliance standards and align to the accreditation process beyond the principles currently set out in the ACCC Rules Outline issued in December 2018,” the submission concludes.
