Alastair MacGibbon, former national security advisor, head of the Australian Cyber Centre and special advisor to the prime minister on all things cyber security, has called for financial support for startups in complying with open banking rules and the consumer data right (CDR).
MacGibbon co-authored a response to the Senate Select Committee on Financial Technology and Regulatory Technology from his cyber security service provider Cyber CX.
Overall, Cyber CX supports the case for CDR and for consumers retaining control over their data, and endorses the attempt to increase competition in the financial sector.
However, the submission suggested the Australian Competition and Consumer Commission’s proposed rules regarding the transfer, handling and storage of data could be prohibitive to startups.
Rather than suggesting less onerous rules for smaller players, MacGibbon called on the government to provide them with loans and other methods of financial help so they can meet the same standards as everyone else.
While the open banking regime and CDR rules have arguably led to increased interest in alternatives to the traditional finance players, they have also called the treatment of consumer data into question.
If data can be easily transferred between institutions, there is more potential for a breach.
The inquiry’s issues paper itself highlighted concerns from FinTech Australia about the cost of compliance with the security requirements of the CDR legislation, estimating it would amount to between $50,000 and $100,000 per year.
That fee would potentially apply upfront, before the startup has validated the idea, or the market for it. It means many startups could opt out of the CDR program altogether.
Much of the controversy centres on the popular ‘screen scraping’ method of gathering consumer data, typically used to establish creditworthiness. It requires users to hand over their usernames and passwords for other services, and has raised questions around security.
The issues paper acknowledged advice from FinTech Australia that, to be viable, CDR should make it cheaper and easier for startups to acquire consumer data than screen scraping does.
“For many fintech companies, the cost, time and effort to become accredited and maintain the CDR ‘rails’ does not make sense given screen scraping ‘rails’ already exist and are relatively less complex to access for new fintech companies,” it said.
Cyber CX’s submission argues screen scraping is “not best practice” in terms of consumer privacy and information protection.
“At a time when we should be seeking to instil in individuals a greater awareness of the importance of online security, encouraging people to reveal their passwords is precisely the wrong message,” it says.
“Our concern is that ‘screen scraping’ legitimises and gets consumers used to handing over their passwords to third parties.”
However, the paper says CDR rules should not be made less onerous for startups. Such a system could simply incentivise attackers to target them, instead of the larger players.
Instead, Cyber CX calls on the government to offer financial support to startups, for example through a loan scheme, allowing them to adhere to the “most rigorous information security and privacy protection standards”.
The submission also suggests that such loans could be repaid once the startup hits a particular revenue threshold.
“Initiatives such as these will have the dual advantage of encouraging greater participation in the open banking initiative while enhancing the overall cybersecurity posture of the sector,” the submission said.
FinTech Australia’s own submission to the inquiry also highlights the “laborious accreditation process” for CDR rules as a concern.
However, it maintains that screen scraping should be allowed, hailing the practice as a way to offer consumers tailored services, and as something many businesses rely on.
The submission also suggested CDR should be cheaper and more efficient than screen scraping, and went as far as making a suggestion, with high priority, that “no attempt should be made to outlaw screen scraping until CDR and CDR data is readily and widely available across the economy” — or in other words, when there is no need for screen scraping at all.
Any attempt to outlaw the practice would be “effectively anti-competitive”, FinTech Australia said.