
Protecting privacy to be forefront of Open Banking

By Eliot Hastie

The Australian Banking Association has made its submission to the first privacy impact assessment of the Consumer Data Right and stressed that customer data needed to be a top priority. 

The Consumer Data Right (CDR) is a building block of the Open Banking reform which will empower customers to safely use their data to compare and access the correct banking products. 

Submissions to government are now open and chief executive of the ABA Anna Bligh said the CDR would have a revolutionary impact on competition. 

“The Open Banking reform, of which the Consumer Data Right is an important building block, will increase competition in the industry with customers the big winners. 


“Privacy and protection of data should be an important priority which is why the industry is seeking further testing during the pilot program to ensure we get this right,” she said. 

In its submission, the ABA said that the government’s proposed privacy impact assessment (PIA) that will be connected to the CDR was comprehensive and supported by the body. 

“Assessing the risks to privacy associated with the CDR is a very complex task and the PIA represents a significant effort in understanding these risks and how they may be mitigated. The ABA supports the recommendations of the PIA to ensure the risk mitigation strategies outlined work as they are intended,” the submission reads. 

The government announced a pilot program of the CDR to begin in July this year, which the ABA said was a good opportunity to see how the PIA may need to be expanded and refined before the 2020 launch. 

The ABA recommended that the terms of reference in the pilot specifically included an assessment of privacy risks to “reflect the factual and technical nature of the given risks”. 

“The ABA has identified aspects of the PIA where industry experience would suggest a higher risk likelihood is plausible. As the PIA is refined, the ABA suggests that these risk assessments are reconsidered with input from the Rules and Standards that are developed, and insights from consumer testing and the pilot program,” it said. 

Some of those risks included phishing, fraud, third party misuse of data and hacking, said the ABA in its submission to the government. 

The ABA said the adoption of the authentication flow would be an important risk mitigation measure against phishing and other fraud. 

“Decisions around the authentication flow should include an analysis of the risk that different models would pose to consumers, in terms of the likelihood of future phishing attacks, and the PIA amended to reflect these decisions,” it read.

For third party misuse, the ABA considered a few mitigation ideas to be critical, including the right “to withhold data if there is reasonable grounds that sharing data will lead to serious harm for the consumer”.

The ABA also considered that the PIA should include information security requirements in the accreditation criteria and introduce measures for “threat monitoring and intelligence sharing arrangements between data holders to help data recipients to defend against cyber-attacks targeting consumer data”. 

Other issues raised by the association were the potential for the data to be disclosed to a non-accredited entity and who was bound by the privacy safeguards listed in the PIA. 

Ms Bligh said the association welcomed many of the measures and hoped the pilot would help inform further initiatives.

“The industry has been an advocate and partner of the federal government’s initiative to set in stone a customer’s right to direct their data to be shared with others so they can get the maximum benefit from it.

“We support the PIA’s recommendations on measures to reduce risks to customer’s data and the pilot program will help inform further initiatives which will boost security,” Ms Bligh said.