The commencement of the Consumer Data Right (CDR) scheme marks a “watershed moment” for consumers – yet even as the industry jumps onboard and the government eyes the energy industry next, there are warnings that inadequate policies and escalating cybercriminal activity will turn CDR into a data-security nightmare.

Nearly three years in the making, the scheme was passed into law in August 2019 and the open banking scheme it enables formally kicked off on July 1 – allowing consumers to log onto bank-managed portals to access data about their credit and debit cards, deposit accounts, and transaction accounts (with loan data to be added to the mix in November).

Data is not only available to consumers, but can be shared with brokers, fintechs and other accredited businesses that “may be able to provide them more personalised services and competitive offers,” Australian Competition and Consumer Commission (ACCC) commissioner Sarah Court said in kicking off the new scheme.

The scheme’s rollout remained unchanged despite the chaos caused by the ongoing COVID-19 pandemic, with recent months seeing the scheme’s governing body, the ACCC, progressively locking it in by formalising its operating rules, outlining penalties for those who breach its requirements, and opening certification to mortgage brokers, finance companies, banks and fintechs that want to be involved.

Some 39 companies are currently in the process of becoming accredited to handle data under the scheme, treasurer Josh Frydenberg revealed in lauding the “game-changing reform”.

Australian Banking Association (ABA) CEO Anna Bligh called CDR’s successful kick-off a “great achievement by the major banks” and a “watershed moment for competition in the banking industry.”

“Despite moving the majority of their workforce to work from home and processing unprecedented numbers of customer queries and loan deferrals as a result of COVID-19, the banks have stayed on plan and delivered Open Banking.”

Counting the new risks

With so much sensitive financial data being divorced from the carefully-designed bank systems that hold it, authorities are doubling down on security, with the ACCC flagging that “maintaining security and privacy are top priorities” for the scheme.

CSIRO arm Data61 has managed the development of Consumer Data Standards and related security frameworks to ensure the data is not compromised – but industry experts believe cybercriminals are already out of the gate when it comes to finding ways to exploit the new data.

The recent Verizon Data Breach Investigations Report (DBIR) 2020 found that 86 per cent of analysed data breaches were financially motivated, with 448 confirmed data breaches at financial companies during 2019 alone.

The financial and insurance sector, Verizon’s analysts concluded, “has always had a target on its back due to the kinds of data it collects from customers [and] remains a favourite playground for the financially motivated organised criminal element”.

Cybercriminals’ similar enthusiasm against Australian targets – the most recent statistics from the Office of the Australian Information Commissioner found 37 per cent of breaches in this country involved financial details – suggests that the CDR is likely to become a prime target for opportunistic cybercriminals that have already been working overtime to capitalise on COVID-19 disruption.

Michael Warnock, APAC head of growth with security firm SecureAuth, warned that the system’s breadth and capabilities could heighten its exposure to human-created risks.

“Many people do not have the best of habits when it comes to password security,” he explained, “and for financial institutions, the underlying concern is people create risk and can be their own worst enemy when it comes to protecting and securing their privacy, data, and online accounts.”

Recognising that users “can pose credible risk to valuable resources and data,” Warnock added, “the challenge for security and risk leaders is implementing the right access tools and user workflows to mitigate risk, improve security, and ensure users encounter a friction-free experience.”

The security industry has already come to the party, with Trend Micro releasing a cloud-based automated compliance checking tool designed to ensure that CDR-certified Accredited Data Recipients’ security controls are maintained.

Next steps for CDR

CDR was designed from the start as a framework that would be extended beyond the financial-services industry, and as the open-banking regime kicked off the government was already putting wheels in motion for its next phase.

Just two days before the CDR commenced, Frydenberg formally launched its legislative extension to the energy sector, with the ACCC set to begin consulting around that process.

Industry group the Australian Energy Council welcomed the changes, with CSO Sarah McNamara lauding increased competition and noting that “enlisting the help of third parties through the CDR will make it easier for customers to find the cheapest deals”.

The government is also running an inquiry into the future of the CDR, with an ongoing issues paper exploring broader use of the CDR scheme to store other types of data and allow for a broad range of other uses.

Whatever changes come, ensuring privacy and security are maintained will be crucial: the ABA, for one, has flagged the importance of ongoing Privacy Impact Assessments and noted that “any changes to the CDR regime [are] likely to have a significant impact on the privacy of individuals”.