Open banking security is still an open question

Australia’s major banks have been keen to sow the idea that customer data is imperiled once it leaves their grasp, as a reason why the government and regulators should tread carefully on open banking.

The government announced last week that open banking would arrive in Australia progressively from July 2019.

It promises to gives customers greater control over their finance data, including the ability to transfer data between banks and other financial players such as accounting software makers and fintechs.

Australia’s move to open banking has so far mirrored other markets such as Europe and the UK, insofar as each scheme is a balance of competing demands.

At a very simple level, banks have so far tried to limit the scope of rules and how quickly they are introduced, while fintechs and others aiming to disrupt the banks want expansive changes as quickly as possible.

The government found a balance on that particular issue - broad applicability across 27 financial product categories, albeit with a gradual introduction.

But banks have also been keen to play up cybersecurity issues they believe could manifest in an open banking world.

In particular, they have been keen to demonstrate that a kind of asymmetry exists between their own infosec capabilities compared to the fintechs and others that want access to their customer data.

“Customer data, as well as the information created as part of bank records, is confidential;
it needs to be handled appropriately,” NAB said in a submission [pdf] to the open banking review last year.

“Our focus must be on ensuring [open banking] is implemented in an appropriate manner and that speed isn’t prioritised over safety,” NAB’s chief operating officer Antony Cahill said again last week.

Westpac told last year’s open banking review that “in the banking and financial services context, customers expect that information maintained by a bank will be kept confidential and held to the most rigorous data security standards”.

“Increasing third party access to data and moving data from bank-grade security to third parties with less rigorous security systems, controls and processes (including in relation to secure data storage) may present undesirable risks for the customer,” Westpac said [pdf].

ANZ also chimed in, arguing the privacy regime applicable to open banking participants is “not as stringent as the data security standards that are currently applied to banks”.

It said those standards set “an enhanced level of security that bank customers currently benefit from when their data is held by a bank”.

The review itself highlighted a general lack of “consensus on the standards that accredited entities should be required to meet” to handle banking data.

“Some argued that increasing cybercrime and the sensitive nature of banking data meant accredited entities should meet security standards commensurate with those of banks,” the review said.

“Others thought that requiring smaller participants to meet the banks’ security standards would be a significant barrier to entry into the system."

Is there really an infosec asymmetry?

Chris Michael, the interim technology head for the UK’s open banking implementation entity (OBIE), told iTnews that the infosec postures of Australia’s banks and fintechs may not be as far apart as the banks made out.

“There is quite a lot of scaremongering that goes around about fintechs [around whether] they know about security and how to protect customer data,” Michael said from the sidelines of Ping Identity’s Identify conference in Sydney last week.

“Some fintechs probably do [infosec] better than banks and others may be more risky - time will tell.

“But I think it’s a myth that banks are brilliant at security. Banks are being hacked all the time.”

Michael said the banks’ concerns were not completely without merit - but he also noted that the secure exchange of banking data is a long-running problem, not one that is suddenly materialising with the arrival of open banking.

“There’s all sorts of [existing] models out there today like screen-scraping where customers give their banking credentials to third parties, and those third parties then have almost unrestricted access to a bank account,” he said.

“The [secure data exchange] problem exists now.

“Secure APIs used in open banking - where the data is travelling securely with explicit [customer] consent and only between regulated parties - is a much better place to be in than what we’ve got now.”

Open banking schemes in the UK and Europe also benefit from the EU’s general data protection regulation (GDPR), which comes into force later this month.

Arguments of asymmetry between the infosec postures of banks versus other third parties may be less pronounced in the UK and Europe as a result, given all parties must hit the same minimum data protection and handling standards.

“If you’ve got something like GDPR then than puts an awful lot of protection in place for customers,” Michael said.

The Greens are presently pushing a proposal to upgrade Australia’s privacy laws to GDPR levels. Australia’s move into open banking could add weight to the Greens’ push.

Michael is certainly supportive of GDPR-like rules outside of the European Union.

“I think GDPR should be a global regulation,” he said.

Open questions

Open banking in the UK is considered to be a model for Australia’s scheme.

Australia’s open banking review pointed to using UK standards as a basis for local ones, and Australia’s banks have also implored the government and regulators to learn the lessons of the UK experience.

On data and security, there may be learnings around how standards were put together, but some challenges around security remain.

For example, it is widely accepted in open banking schemes worldwide that participants should be accredited.

Last year’s open banking review by federal Treasury uncovered “differing views as to who should perform the accreditation role - with some advocating a regulator-led process and others proposing an industry-led accreditation utility”.

Who does it is important because there are open questions on how technically capable the accreditation oversight body would need to be to ensure scheme participants met appropriate security and data standards.

“There is a lack of clarity across Europe - and I have no idea of the situation in Australia - how the regulators are going to accredit and assess whether third parties are doing the right thing from a security point of view,” Michael said.

While these kinds of questions are worked through, there are some assets and standards that Australia may be able to lean on to begin its journey.

OBIE has stood up a “central trust and identity platform, which acts as a directory of trusted individuals, third parties and applications” in the UK’s open banking ecosystem.

The “trusted identities” are stored in a technology platform by vendor Ping Identity.

Ping and the OpenID Foundation are also among the co-authors of the UK’s open banking security model.

Ping said in February that its CEO and members of its CTO group met with Australia’s “open banking review team to relay our experience working on the UK's open banking platform”.

Data protections and standards development for Australia’s open banking scheme will be led by CSIRO’s Data61, while the Office of the Australian Information Commissioner (OAIC) will oversee privacy protections. The ACCC will also assume a regulatory oversight role.

Shaping the Australian model

Michael noted that Australia and other jurisdictions may want to duplicate the collaborative model used in the UK to piece together the standards.

“What I’ve seen is a lot of other markets have been very driven by the traditional payments industry - people who’ve already got a vested interest in maintaining the status quo,” he said.

“If they are the people driving the standards then that’s not particularly helpful because they’re not going to necessarily get you the market outcomes you want.

“One of the things we’ve done is put a lot of focus and effort on getting fintechs and other parties into the mix.

“It’s important to have them involved in the development of these standards rather than just creating it and then handing it over.”

Michael said the UK experience showed it was possible to develop standards without succumbing to the self-interest of contributors.

“Get people together and appeal to the fact that most people, whether they are from a bank or fintech, want to do the right thing,” he advised.

While an organisation might want to protect its own interests, Michael said that individuals could override these kind of influences.

“You tend to find that the sensible stuff comes to the top,” he said.

OBIE runs a large collaboration environment built on Atlassian’s Confluence.

“We have multiple rounds of review of specs and we make people [provide] feedback in front of other people - they can’t do it behind closed doors,” he said.

“Just being very open and transparent helps speed up decision making. You can’t always get everyone to agree but you can get a sensible consensus because you’ve been very open and everyone is being listened to.”