The Consumer Data Right (CDR) legislation called Open Banking requires financial institutions to share customer data with third-party providers (TPPs).
Data is only shared where consumers opt-in, with the right to opt-out at any time. This change brings new opportunities for TPPs to access and aggregate data to create new products and services through APIs. Security and privacy will play an important role in how this plays out in practice.
What do we know so far?
Open Banking in Australia follows the lead of the UK's introduction of Open Banking and the Payment Services Directive 2 (PSD2) in January 2018. There are broadly two types of TPPs; Account Information Service Providers (AISPs), and Payment Initiation Service Providers (PISPs). Australian regulators are still exploring whether to allow "Write" access under Open Banking that would enable payment initiation. At this stage only AISPs are relevant in Australia.
The lead regulator is the Australian Competition and Consumer Commission (ACCC) with support from the Office of the Australian Information Commissioner (OAIC). CSIRO's Data61 is the appointed Data Standards Body (DSB) that has released a draft Consumer Data Standard (CDS) for industry feedback. The CDS is intended for all industries. The initial roll out is planned for banking, followed by energy and telecommunications.
The first guiding principle of the CDS is that "APIs are secure", demonstrating the security-first focus. This includes mitigating the risks of technical breaches as well as inadvertent data leakage.
When does it all happen?
Implementation is following a phased introduction. The ACCC announced a six month delay in December 2019, citing security concerns.
February 2020 -> Delayed to July 2020: Credit and debit card, mortgage, deposit, and transaction data.
July 2020 -> Delayed to November 2020: Mortgage and personal loan data.
Opportunistic tech providers have already built APIs and platforms to take advantage of what Open Banking enables. While the major banks are likely to be dragging their heels to delay its implementation, those on the other side eagerly await its introduction.
A registration process will be followed in line with the UK Open Banking. This requires a Software Statement Assertion (SSA) to demonstrate compliance with the detailed technical requirements of the data standard, and completing the formal registration process with approval by the ACCC. This process is likely to require demonstrated security and privacy practices to protect consumers.
How does SOC 2 and ISO 27001 relate to Open Banking?
The draft CDS sets a number of specific technical requirements for Open Banking APIs. We know security and privacy are the top concern of regulators that approve and monitor TPPs.
Security and privacy standards like SOC 2 and ISO 27001, demonstrate broad, good-practice security. This not only addresses the risk of technical breaches, but also the inadvertent data leakage that can originate from inadequate company-wide security awareness and data protection. These standards assess security practices like security awareness training, hiring and onboarding processes, and a top-down view of defined policies, processes and practices. The output report or certification demonstrates a commitment and alignment to good practice security.
AssuranceLab's assessment tools provide a free, simple and highly-effective way to assess your security practices. We offer end-to-end services with our security-specialist AICPA firm partners, if you choose to proceed to a SOC 2 or ISO 27001 certification. Contact us to discuss your needs.
Read more about SOC 2 or ISO 27001: