Banks sacrificed CDR efforts to prevent COVID-19 cyber threats

Some of Australia’s largest banks removed cyber security talent from their respective consumer data right projects in anticipation of heightened cyber security threats during the coronavirus pandemic, the country’s competition regulator has revealed.

In recent answers to questions on notice from the government’s fintech inquiry, the Australian Competition and Consumer Commission said the major banks moved staff after it became clear that risk would increase.

“In response to a prediction of heightened cyber security risk to the banking sector as the health impacts of COVID-19 peaked, based on experience in other countries, cyber security resources were temporarily reallocated by banks from their Consumer Data Right projects to prevent and mitigate those anticipated threats,” it said.

“To reduce the risk from technology change at a time of strained resources, major banks also reported temporarily freezing non-essential technology changes.”

The ACCC said the staffing shift was part of a “widespread and rapid reallocation of resources to areas of need” by the big four to address the economic impacts of COVID-19 on their customers.

“Data Holders (major banks) have reported that they have expended significant efforts to respond to the very great economic impacts of COVID-19 with rapidly rising unemployment and falling business cash-flow,” it said.

“Those economic impacts have required handling significantly more customer enquiries and applications, increasing lending activity, proactively introducing measures to support customers impacted by COVID-19 related issues, and assisting implementation of government support packages.”

But despite the setback, the ACCC has committed to forging ahead with the planned introduction of the consumer data right at the start of July, having already delayed its starting date once before.

It said the CDR register and accreditation application platform, which it is developing with an unnamed technology provider, is “nearing the completion” and will be ready before July to allow sharing of consumer data to begin.

Despite this, the ACCC noted “widespread disruption” as a result of COVID-19 “causing some loss of productivity and temporary delays”, leading it to give non-major ADIs temporary exemption to begin sharing product reference data.

The major banks have been sharing this data, which includes information about a bank’s rates, fees and features of banking products, as part of the open banking regime since July 2019.

The three-month exemption, revealed last week, will allow non-major banks, building societies and credit unions to delay sharing product reference data - used by business like comparison sites - until the start of October 

The exemption will also extend to “non-primary brand products offered by the major banks”.

However, the challenges haven’t been restricted to data holders, with the ACCC reporting that some data recipients have also encountered issues as a result of COVID-19 that have hampered their CDR efforts.

It said recipients had faced challenges “maintaining or securing funding to continue their work” and an “inability to progress technology development”, particularly those that rely on IT resources based in other countries hit hard by COVID-19.

A “loss of key clients due to COVID-19 related issues, difficulty obtaining information security control audit certificates due to travel restrictions in Australia or overseas, and competing business priorities” were also cited.

“Some Data Recipients have had to pause their work on the Consumer Data Right for the time being, while others have expressed a wish to press ahead without delay,” the ACCC said.

“Recognising that the situation with COVID-19 will continue to evolve, the ACCC is continuing to work with participants, Treasury and the Government on the roll out of the remaining elements of the CDR.

“At this stage, the ACCC expects there will be a limited impact to the current schedule, and still expects sharing of consumer data to commence during July 2020.”