RBA warns on digital identity mess

The Reserve Bank of Australia has staked its claim on the unfolding debate over how Australia’s digital identity regime will be run, warning that multiple uncoordinated builds will be inefficient and leave security holes.

Australia’s central bank on Thursday frankly set out its ambitions and concerns, revealing there will be no pullback from moves by the powerful Payments Council to have a credential fit for use with the New Payments Platform as it comes online.

The entry of the RBA into the digital identity debate is highly significant because it has the potential to steer millions of consumers and businesses towards a payments-related digital identity build.

That credential could ship well ahead of adoption of similar credentials that the Department of Human Services and the Digital Transformation Agency have been attempting create for at least the last three years.

In a speech delivered almost immediately after the release of the worst online payments fraud loss figures on record, RBA Assistant Governor, Business Services Lindsay Boulton articulated the RBA’s thinking and direction on digital identity build now being stewarded by the Payments Council.

Addressing the 2018 Global Business Banking Summit in Sydney, Boulton unambiguously called for industry and government cooperation on digital rollouts so that they did not wind up withering in isolation to frustration of consumers and business.

“Whatever form it finally takes, it is important that the work to develop the framework is coordinated,” Boulton said.

“The benefits will not be fully realised if each identity service provider goes it alone, developing their own identity services with different standards, separate and unconnected to each other.”

To drive the RBA’s concerns home Boulton warned that disparate systems “would likely result in inefficiencies, requiring individuals and organisations to maintain identities with different providers for different purposes, and leave security gaps.”

Unlike the DTA, Centrelink and some parts of ATO who want digital identity to underpin citizen transactions and access to government services, one of the RBA’s chief concerns is the systemic integrity of the payments system which is digitising rapidly.

A major concern is addressing online payments fraud which has consistently ballooned thanks to the cumbersome and clunky PCI-DSS security standard that was largely retrofitted onto credit card schemes after the explosion of online commerce.

A further issue is that banks at present are still allowed to sheet online fraud losses back to merchants, a legacy regulation that much of the business community and regulators are increasingly starting to view as a perverse incentive for banks to do nothing on challenging global payment card schemes.

Retailers this week hit back over ballooning online losses that came in at $476 million for 2017, with both the Australian Retailers Association and the National Online Retailers Association again raising the pain felt by merchants.

A sticking point for banks has been that the clunky nature of PCI-DSS upgrades can result in the cost of implementation being greater than losses, a turkey banks then have to try and sell to their merchant customers.

As the NPP comes online, the RBA is cordially ramping up its own efforts to eliminate fraud.

“The NPP and open banking are just two developments that offer significant benefits for business banking customers. As new payment services emerge, it will be important to manage the risks, particularly the risk of fraud and identity theft,” Boulton said.

“Already in Australia, annual losses arising from payment card fraud amount to around $600 million, much of which comes from online payments where the card is not physically present.

“The ability for individuals representing either themselves or their organisations to properly and reliably identify themselves online is essential for security as we increasingly move to online transactions.

“This is the case irrespective of whether the transaction is finance based, a licence application, a health insurance claim, or an application for some form of government assistance, to name just a few potential use cases.”

Boulton also pointed out the RBA’s unique role as a transactional banking services provider to government to the tune of $1 trillion in volume annually and called out transaction heavy federal agencies as key customers.

“Importantly, the customer base includes the largest spending and collection agencies – the Department of Human Services (DHS) and the Australian Taxation Office – which, together, comprise a significant share of the Bank's customer business.”

With Canberra and digital identity policy now in meltdown, the prospect of a safe and stable digital identity services provider will be starting to look increasingly appealing to business and agencies alike.