The Australian Government has announced its intention to mandate that ADIs provide open access to customer and small business data with a commencement date still to be determined. Treasury has been tasked with undertaking a review of the proposals put forward by the Productivity Commission, and is due to report back to the Government by the end of 2017 as to its recommendations on implementation of the proposals and recommended timeframe.
While everyone is excited about the benefits that will flow from open banking, there have been concerns raised about the security and privacy risks raised by an open banking regime. In relation to privacy, the Productivity Commission has suggested that the solution is to amend the existing Privacy Act to include a new class of protected information known as “consumer data”. However there are significant gaps in the existing Privacy Act that would pose real problems in connection with the protection of customer data. For instance, the Australian Privacy Principles do not apply to small businesses with turnover of less than $3.0m and this may exempt many FinTech players from any privacy obligations.
There are also no clear guidelines on who will be liable for any data breaches which result from transfers of consumer data. If the Banks are to remain liable then there should be minimum compliance and financial standards imposed on transferees of consumer data. Similar measures are being proposed in the UK where transferees have mandated risk management and security measures in place plus compulsory professional indemnity cover, and in some cases minimum asset requirements. If Banks are not to be liable for breaches after a transfer of consumer data, then consumers should be able to seek compensation from transferees which will only be valuable where transferees have assets or insurance to respond to claims.
It is to be hoped that in addition to all the potential benefits to consumers from open banking, the Treasury report also considers the very real risks which widespread consumer data transfers poses to consumers in terms of breaches of privacy and data security issues.