Consumer and privacy watchdogs have heavily criticised the draft Australian law to facilitate the launch of open banking in the country, while fintechs eager to move onto legacy banks’ turf urge lawmakers not to further delay the bill’s passage.
The Australian government is piecing together a sweeping new law called the Consumer Data Right (CDR), which will regulate the flow of consumer data under an open banking regime set to begin testing in July.
After announcing a delay to the bill’s introduction just before Christmas last year, Australian Treasurer Josh Frydenberg introduced the bill to parliament last month, where it was shunted to a Senate committee for a quick-fire inquiry that reports at the end of March.
An array of industry associations, fintechs and consumer groups have leaped on the opportunity to convince senators to either wave through the bill as it is drafted or hit pause and reassess some of its basic features.
The CDR’s very name was branded misleading by the Australian Financial Rights Legal Centre, which said it implied to consumers a catch-all data privacy law in the mould of the European Union’s General Data Protection Regulation (GDPR), rather than the data-sharing framework it actually seeks to create.
The centre also excoriated the government’s decision not to include a ban on “unsafe” screen-scraping in the draft bill.
“Without a ban on these technologies, there is very little incentive for businesses such as payday lenders and debt management firms to become accredited” as CDR recipients, the watchdog argued.
It suggested that consumers would not understand the difference between open banking participants who are CDR-accredited third-party providers and those who are relying on screen-scraping.
The provision in the current rules framework, developed by the Australian Competition and Consumer Commission, for non-accredited entities to receive sensitive CDR data under some circumstances is “incredibly dangerous”, the centre said.
“It is dangerous because consumers are being led to assume their data will be protected under a ‘Consumer Data Right’ but in fact it has the potential to facilitate the movement of this data outside of a strengthened privacy framework to one with lower privacy protections.”
Respondents also took the opportunity to take aim at the Treasury’s privacy impact assessment (PIA) of the consumer data right, which several argued should have been delegated to an independent provider.
The Australian Privacy Foundation (APF) said the assessment did “not meet the standards required of competency, transparency and fairness” and accused the government of trying to “hide the consultation in the holiday season so no one would notice”.
On Monday, the Treasury released an updated PIA that reflected the feedback it had received during a consultation, which will undergo further revision once the CDR rules framework is finalised. After reviewing the revised assessment, the APF told PaymentsCompliance that its criticisms still stand.
The Financial Rights Legal Centre echoed the concerns, claiming the Treasury “failed to address a number of core consumer concerns” because its PIA is “flawed, conflicted in nature” and not in keeping with the government privacy watchdog’s recommendations.
Fintechs urge speedy resolution
Although watchdogs decried a rush to cobble together the legal framework, fintechs have urged lawmakers not to propose legislative tweaks that would slow the already-delayed implementation of the CDR.
Under the government’s original timetable, the big four banks were supposed to begin data sharing by July 1. That date has been pushed back to February next year, with other lenders following suit in 2021.
“If we continue to delay the bill, it will drive our fintech ecosystem into other markets and hinder the competitive advantage we have over other jurisdictions that are yet to develop an open banking regime,” industry group FinTech Australia said in its Senate submission.
MoneyBrilliant, which hopes to become an account information service provider under open banking, said the original timeline had been “aggressive” but “achievable” and that further delays would “come at significant cost to Australian economy and society”.
The company said that privacy and security concerns “shouldn’t be reasons to slow down or stop the implementation” of the CDR. Under the revised timetable, a pilot program involving major banks will begin in July.
FinTech Australia also dismissed the privacy concerns raised by non-governmental organisations, arguing they could be ironed out during the pilot phase.
“Delaying the bill on the basis of privacy concerns is misguided; it actually undermines the delivery of certainty required to alleviate the privacy concerns shared by all parties,” FinTech Australia argued.
But the Business Council of Australia, whose views hold significant sway in Canberra, warned about the preparedness of market participants and the effect of several rapidly sequenced, short consultations, and suggested the government “carefully consider” its timeline.
Derived data alarm
Many of the submissions expressed concern that the language of the draft law leaves the question of so-called derived data up in the air, and some argued for it to be explicitly excluded.
The current bill includes in the CDR regime any data designated by the Treasurer, and data “derived from that data”, which both banks and third-party providers have argued includes both value-added and commercially sensitive data. Fees for access to that data are not ruled out.
Both banks and their fintech competitors were united in their opposition to the inclusion of such derived data.
MoneyBrilliant said that it “is the result of additional effort and often the application of intellectual property” and has “no place in the scope” of the CDR.
The Customer Owned Banking Association also said that forcing market players to give up such data could damage “product and service innovation and positive consumer outcomes”.
The Business Council of Australia argued that “businesses will need to factor in the risk and resulting uncertainty that proprietary information will be captured by the CDR bill when making decisions on investing or innovating in data in the future” and that including value-added data in the scope of the law could stifle innovation.
The Senate’s Standing Committee on Economics has 18 days to study the bill and the 27 submissions it received, and to issue its report.
Although the CDR and open banking have not been the subject of significant controversy, senators may be influenced by the looming federal election and unpopularity of the country’s financial sector.
Australia’s big four lenders — ANZ, Commonwealth Bank, the National Australia Bank and Westpac — boast some of the world’s widest banking margins, but are under scrutiny following a Royal Commission that laid bare dodgy lending, financial advice and brokering practices.