The wake of the Optus breach, which saw almost 10 million customers have their personal details stolen, has shone a light on the safety and security of the banking and finance sector.
The federal government has now prepared amendments to the Telecommunications Regulations 2021, which would allow telecommunications companies to temporarily share approved government identifier information with regulated financial services entities in a bid to safeguard customers’ information.
At a time when digitisation and the sharing of information have become increasingly popular, the latest data breach has thrown banking associations, the consumer watchdog and other interested parties on high alert, with many issuing warning notices to consumers to protect their information as well as tightening internal controls.
The challenge for banks and other associations is how to balance the need for information while assuring customers that data is safe.
One major technological breakthrough that has been building momentum is open banking — set to make the mortgage process much more efficient and transparent, through the sharing and access to information.
In October 2021, the government confirmed amendments to the consumer data right (CDR), the key part holding open banking together, formalising the ability for consumers to share their data with “trusted advisers”, such as their mortgage broker, financial adviser, accountant, tax agent or financial counsellor.
However, on the back of the Optus breach the question of how safe and secure open banking has surfaced.
Chief customer officer Simon Docherty at Frollo, an Australian government-accredited data recipient providing open banking services, said CDR was built with consumers in mind using the best technology at the time.
But Mr Docherty added, as with all technology, it was important it was always “evolving”.
“The government has mandated that all of the banks have to make consumers’ data available. And they do that via an API”, he said — which is an application programming interface, or secure back-end framework.
There are two APIs involved: the bank’s and the accredited data recipient’s (in this case Frollo’s). Data passes from the bank’s API to Frollo’s API and is made available to “trusted advisers” for a period of time.
Mr Docherty said a consumer must first identify what level of information they want to be accessed.
“They go through a defined consent process… they consent to the time that they’re giving the data… the types of accounts they want to give access to and are made aware of what the data will be used for,” Mr Docherty said.
“You may only want that data for 24 hours… so after that, 24 hours, the data recipient is required to delete that data after that period.”
He added a consumer may want access to that data for a longer period of time, such as three months, in which case a dashboard was made available where the trusted adviser could review the data.
While trusted advisers have access to this data, Mr Docherty explained “raw data” was never transferred, instead brokers had access to downloaded reports.
How brokers store those reports therefore falls under the same security responsibility they already have for all consumer data.
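The consent flow Mr Docherty describes (a scope limited to chosen account types, a stated purpose, a fixed window such as 24 hours, and deletion once that window lapses) is the kind of control an accredited data recipient has to enforce in code rather than in policy alone. The following Python sketch is an added example, not Frollo’s or the CDR’s software; the class and method names, the record layout and the timestamps are assumptions made for this illustration.

```python
"""Consent-scoped, time-limited data holding for an accredited data recipient.

Added illustration; not Frollo's or the CDR's code. Consent, DataRecipientStore
and ConsentError are names assumed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Tuple


class ConsentError(PermissionError):
    """Raised when an ingest or read falls outside an active consent."""


@dataclass(frozen=True)
class Consent:
    consumer_id: str
    account_types: FrozenSet[str]   # account types the consumer agreed to share
    purpose: str                    # what the consumer was told the data is for
    granted_at: datetime
    duration: timedelta             # e.g. 24 hours or three months

    def expires_at(self) -> datetime:
        return self.granted_at + self.duration

    def is_active(self, now: datetime) -> bool:
        return self.granted_at <= now < self.expires_at()


class DataRecipientStore:
    """Holds shared records only while the matching consent is active."""

    def __init__(self) -> None:
        self._consents: Dict[str, Consent] = {}
        # (consumer_id, account_type) -> records received from the data holder
        self._data: Dict[Tuple[str, str], List[dict]] = {}

    def grant(self, consent: Consent) -> None:
        self._consents[consent.consumer_id] = consent

    def _active_consent(self, consumer_id: str, now: datetime) -> Consent:
        consent = self._consents.get(consumer_id)
        if consent is None or not consent.is_active(now):
            raise ConsentError(f"no active consent for {consumer_id}")
        return consent

    def ingest(self, consumer_id: str, account_type: str, records: List[dict],
               now: datetime) -> int:
        """Accept records from the data holder; refuse anything out of scope."""
        consent = self._active_consent(consumer_id, now)
        if account_type not in consent.account_types:
            raise ConsentError(f"{account_type!r} is outside the consented scope")
        self._data.setdefault((consumer_id, account_type), []).extend(records)
        return len(self._data[(consumer_id, account_type)])

    def read(self, consumer_id: str, account_type: str, purpose: str,
             now: datetime) -> List[dict]:
        """Serve records only for the consented purpose, scope and window."""
        consent = self._active_consent(consumer_id, now)
        if purpose != consent.purpose:
            raise ConsentError(f"purpose {purpose!r} differs from the consented purpose")
        if account_type not in consent.account_types:
            raise ConsentError(f"{account_type!r} is outside the consented scope")
        return list(self._data.get((consumer_id, account_type), []))

    def purge_expired(self, now: datetime) -> int:
        """Delete every record whose consent has lapsed; returns records removed."""
        removed = 0
        for key in list(self._data):
            consent = self._consents.get(key[0])
            if consent is None or not consent.is_active(now):
                removed += len(self._data.pop(key))
        return removed

    def holds_data_for(self, consumer_id: str) -> bool:
        return any(cid == consumer_id for cid, _ in self._data)


def demo() -> dict:
    """Walks a 24-hour consent through its lifecycle; returns the outcomes."""
    t0 = datetime(2022, 10, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    store = DataRecipientStore()
    store.grant(Consent("cust-001", frozenset({"transaction"}),
                        "mortgage_assessment", t0, timedelta(hours=24)))
    # Constructed sample records standing in for what a bank's API would return.
    txns = [{"date": "2022-09-28", "amount": -54.20, "desc": "GROCERY"},
            {"date": "2022-09-30", "amount": 2500.00, "desc": "SALARY"}]
    out = {"ingested": store.ingest("cust-001", "transaction", txns, t0)}
    try:
        store.ingest("cust-001", "savings", [{"balance": 100}], t0)
        out["out_of_scope_ingest"] = "accepted"
    except ConsentError:
        out["out_of_scope_ingest"] = "refused"
    in_window = t0 + timedelta(hours=1)
    out["read_in_window"] = len(store.read("cust-001", "transaction",
                                           "mortgage_assessment", in_window))
    try:
        store.read("cust-001", "transaction", "marketing", in_window)
        out["wrong_purpose_read"] = "served"
    except ConsentError:
        out["wrong_purpose_read"] = "refused"
    later = t0 + timedelta(hours=25)
    try:
        store.read("cust-001", "transaction", "mortgage_assessment", later)
        out["read_after_expiry"] = "served"
    except ConsentError:
        out["read_after_expiry"] = "refused"
    out["purged"] = store.purge_expired(later)
    out["data_remaining"] = store.holds_data_for("cust-001")
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the design is that every path to the data (ingest, read and retention) is gated on the same consent record, so a lapsed or narrowed consent closes all of them at once; in a real deployment `purge_expired` would run on a schedule and its deletions would be logged as evidence for the regulator.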
ASIC calls for adequate cyber security systems
Indeed, the way brokers manage and protect data is increasingly important.
A new precedent was recently set following the Federal Court’s landmark decision on Australian Financial Services (AFS) licensee RI Advice after several cyber attacks found it did not have adequate risk management systems in place.
These attacks resulted in the potential compromise of confidential and sensitive personal information of thousands of clients and other persons.
The Australian Securities and Investments Commission (ASIC) said it was imperative for all entities, including licensees, to have adequate cyber security systems in place to protect against unauthorised access.
ASIC said it: “Strongly encourages all entities to follow the advice of the Australian Cyber Security Centre and adopt an enhanced cybersecurity position to improve cyber resilience in light of the heightened cyber-threat environment.”
Aside from the recent Optus attack, the Australian Cyber Security Centre (ACSC) received over 67,500 reports of cyber crime, up nearly 13 per cent from the prior year, in the year to 30 June 2021.
Cyber crime on a massive, organised scale is a growing threat to Australian banks. The S&P Global Ratings team has warned that a cyber attack on an Australian bank could threaten to destabilise the country’s financial system, given the interconnectedness of the sector; however, the overall risk of this happening remains low.
An S&P Global report into banking cyber security said a large-scale attack could “significantly damage the country’s banking system”, and lenders with weaker cyber and non-financial risk governance are the most vulnerable. It added regional banks were most exposed.
The report’s author Nico DeLange, analyst at S&P Global Ratings, said “attacks are on the increase in Australia” and warned banks were an attractive target.
“Many banks participate in direct payments and a successful attack on even one lender could affect the national system,” Mr DeLange said.
He explained that the financial system was “heavily interconnected”, which increased the risks.
“The potential risks will rise as smaller banks gain access,” he said, adding that an attack on a third-party service provider could also “cripple banking operations”.
“Many smaller banks use the same content delivery networks (e.g., Akamai, which saw a major outage in 2021), cloud-based service providers (such as AWS), or providers of software as a service for core banking systems (e.g., Temenos or Data Action, which is especially relevant for smaller and regional banks).”
Banks heavily regulated
APRA has flagged that banks must also strengthen their ability to oversee cyber resilience.
In July 2019, the Australian Prudential Regulation Authority (APRA) issued an Information Security Prudential Standard to help the industry prepare and build out cyber risk management frameworks and issued notices in 2021 advising all banks to start preparing for Information Security tripartite reviews.
All businesses in Australia, including banks, are required to notify the government-run ACSC of any cyber incident that has a critical or relevant impact. However, non-bank financial institutions are not as closely regulated.
Mr DeLange warned non-banks may be “lagging their regulated bank peers in developing cyber defenses”.
However, he added that they had observed the cyber risk practices of several banks and non-banks and found a “sound approach to cyber risk management”.