Australia’s high profile former cybersecurity tsar Alastair MacGibbon has waded into the increasingly heated debate over the use of screen scrapers by fintech firms, warning any weakening of security controls under open banking will create an instant target list for hackers.
In a blunt assessment of the adverse consequences lowering existing data security standards would create, MacGibbon’s new cyber protection firm CyberCX cautions if a push for “less rigorous rules” gets up, “any data breaches would undermine consumer confidence and trust” in the forthcoming open banking regime.
The comments are contained in CyberCX’s submission to the Senate Select Committee on Financial Technology and Regulatory Technology and are likely to bolster a push from consumer and financial legal advocates to have screen scraping banned by the government altogether.
A fierce debate has erupted around the persistence of screen scraping technology as a customer migration tool, not least because it usually requires consumers to hand over their user names and passwords to third parties to access their accounts.
The practice is already banned in the UK and Europe.
“At a time when we should be seeking to instil in individuals a greater awareness of the importance of online security, encouraging people to reveal their passwords is precisely the wrong message,” CyberCX’s submission says.
“Our concern is that ‘screen scraping’ legitimises and gets consumers used to handing over their passwords to 3rd parties.”
The public entry of CyberCX into the debate is significant, not least because the company groups together a dozen Australian cybersecurity service providers and is helmed by former Optus Business chief executive John Paitaridis.
MacGibbon, who headed the Australian Cyber Security Centre and was until last year the government’s National Cyber Security Adviser, is the firm’s chief strategy officer.
A clutch of mainly smaller fintech firms are pushing the government hard to legitimise the practice of screen scraping, saying much of the nascent fintech and regtech sectors will become essentially unviable if the practice is banned, because of compliance costs of between $50,000 and $100,000.
Under standards presently floated by the Australian Competition and Consumer Commission, organisations that want to participate in Open Banking will need to be accredited by the regulator and comply with a raft of data security and protection standards.
Many smaller fintechs feel the compliance bar has been set too high for the Consumer Data Right and have argued cashed-up large incumbents will exploit strict standards to shut out smaller and more innovative competitors.
The Commonwealth Bank has been singled out for criticism by some firms because it issues warnings to its customers about keeping passwords and credentials confidential when it detects screen scrapers, including warning customers about potential fraud liability in the event of a compromise.
There is palpably little consensus on the issue, with the approach of warning customers having attracted sharp accusations of hypocrisy from credit card schemes once close to the banks, including American Express.
In particular American Express wants consumers who shop their accounts around through providers who use screen scrapers to be indemnified from losses under the Australian Securities and Investments Commission’s voluntary E-Payments code, which codifies liability.
“We consider it inappropriate for consumers to be held liable by their bank for using RegTech services, particularly when those RegTech services are being used by those banks to acquire new customers,” Amex said in its submission.
While CyberCX isn’t buying into the sectoral mudslinging, the firm does warn starkly that the fallout from lowering security standards could derail the whole open banking project if customers lose trust in participants in the event they are compromised.
A major cautionary note is that a two-tier security system should not be allowed to develop, especially one where “financial organisations would opt-out of Open Banking in favour of continuing to engage in ‘screen scraping’ unless the costs associated with meeting the ACCC rules are reduced.”
“There also seems to be a suggestion the ACCC may create more than one level of accreditation as the CDR regime matures. CyberCX would not wish to see a less onerous version of the ACCC rules in order to accommodate small or start-up financial organisations,” the firm says.
“Were some financial organisations able to achieve accreditation through less rigorous rules, it would create an incentive for attackers to target those organisations. As stated previously, any data breaches would undermine consumer confidence and trust in the initiative.”
Having a lend of security
Encouragingly, the argument around controlling the cost of security compliance and screen scraping is not a binary equation, Messrs MacGibbon and Paitaridis observe.
The pair believe the government can meet cash-strapped fintechs halfway and still keep a gold standard security regime by essentially extending a line of credit to businesses that need to bring themselves up to scratch to pass muster at the ACCC.
“Rather than resorting to ‘screen scraping’ or rule dilution, it would be preferable for the government to assist small and start-up financial organisations achieve the most rigorous information security and privacy protection standards,” CyberCX argues.
“This could be accomplished through the establishment of either a loan or voucher scheme.
“Loans could be offered to qualifying small and start-up financial organisations in order to invest in strengthening their cybersecurity postures and meeting the ACCC rules,” CyberCX said – without the slightest hint of irony that the government would be lending to the unsecured lending market.
“These could be repaid once the organisation passes a specified revenue threshold. Alternatively, a voucher scheme could be established where government covers part of the costs of achieving a stronger cybersecurity posture.”
Who knows, maybe an enterprising major bank could white label the loans to the government as cyber bonds … well, maybe not.