Australia’s banks have rolled a hand grenade under the federal government’s push to create a Consumer Data Right regime to underpin open banking and contestable accounts across utilities, warning current privacy and security assumptions are riddled with understated risks and cyber fraud holes.
In an emboldened pushback to Treasury, the Australian Banking Association (ABA) has used a submission on the laws to directly challenge key security and risk assumptions contained in the Privacy Impact Assessment (PIA) for the proposed Consumer Data Right that remains in legislative limbo ahead of the election.
The banks’ chief criticism is that Treasury is looking at the security risks surrounding transferable consumer data through rose-tinted glasses. They argue that hackers and cyber criminals, who already routinely assail banks and payment schemes, can and will do anything to get at data intended for Accredited Data Recipients (ADRs).
Citing the PIA’s downgrade of its assessment of “the likelihood of a third person posing as the accredited data recipient in order to gain access to the individual’s consent information” from ‘possible’ to ‘unlikely’, the banks directly question the security posture of the reforms.
“The ABA view is that this fails to consider the intentions of fraudulent and criminal actors and cyber criminals who seek to operate using illegal means, and who may be difficult to enforce Australian laws against when located overseas or otherwise difficult to identify given the environment in which they operate, being primarily over the internet,” the ABA submission says.
“This is supported by data reported by the Office of the Australian Information Commissioner (OAIC) showing that the largest cause of data breaches is malicious criminal attacks, such as the theft of personal information or hacking, phishing and other similar events.”
The submission goes on to suggest that the PIA’s overall assessment of cyber, criminal and privacy risk is simply too optimistic and does not reflect what is now occurring. Specifically, the banks want the PIA’s take on risks re-evaluated to take account of specific technical advice and testing, and of the upcoming pilot scheduled to kick off on July 1.
“The ABA has identified aspects of the PIA where industry experience would suggest a higher risk likelihood is plausible,” the ABA paper says.
“As the PIA is refined, the ABA suggests that these risk assessments are reconsidered with input from the Rules and Standards that are developed, and also insights from consumer testing and the pilot program.”
The relationship between the banks, government and the bureaucracy over the timing of the CDR and open banking rollout became substantially more problematic just before Christmas when it was quietly revealed the commencement date had been slipped from July 2019 to February 2020.
In the interim, banks – at least those who are actually ready – will test the system via a pilot to fine tune the mechanics.
It is understood banks have been privately cautioning that the open banking timeline was so perilously short it essentially invited major risks and unintended consequences into the equation because of the haste needed to get it running.
At the same time, the enabling legislation is also still to be passed, with Labor expected to kick the laws into the long grass by referring the legislation to a committee, a move that would stall passage until after the election, when Labor could be in power.
Already badly bruised by the Royal Commission into misconduct in financial services, the banks’ relationship with the self-destruction-prone Coalition government has not been helped by the optics of the appointment of former Queensland Labor Premier Anna Bligh – a move that may prove prescient if Labor is elected federally this year.
In the meantime, the ABA’s laundry list of urgent fixes to mitigate privacy risks for consumers and, logically, fraud loss risk to the banks themselves is extensive.
The scenarios the ABA labels as having been assessed at too low a risk include:
- a cyber-criminal posing as a data recipient to steal consumer data;
- a third party using a false identity to acquire authentication information from the accredited data recipient;
- a data recipient directing a consumer to a fake data holder website (i.e. where the data recipient knowingly engages in wrong-doing by directing the consumer to a phishing website);
- a cyber-criminal posing as a data recipient to direct a consumer to a fake data holder website.
“The PIA does not appear to have contemplated a scenario where a cyber criminal attempts to tamper with the data recipient’s website so that the website directs the consumer to a fake data holder website,” the ABA submission cautions.
It also warns there is little that can be done to protect consumer data held by ADRs that go on to hit the wall, an issue that cuts across all sectors that will be covered by the consumer data right.
But there are some glaring omissions from the ABA riposte as well.
Chief among them is an absence of discussion of what role digital identity credentials could or would play in both the CDR and open banking regime to secure data in the same way it can secure transactions.
Banks are also waiting to see whether the Opposition will seek to politicise the adoption of a government-issued digital identity – now being developed by the Digital Transformation Agency and at private beta stage – by making it a target in the same way the previous Access Card was shot down during the 2007 election campaign.
Labor is yet to reveal its hand on either digital identity or the consumer data right, keeping its options open before the election. But who's counting the days.