CANBERRA: Commonwealth Bank has called on the government to carefully consider design issues associated with the proposed introduction of an open banking regime after significant cost blowouts in a similar exercise in Britain. In its submission to the Treasury’s review of open banking, CBA says the cost of implementing open banking and associated payments reforms for some British banks were a high as £300 million ($505m), while the average figure was £150m-£200m. “It is noted that these figures do not include operating costs such as operating expenses, as well as the indirect financial burden of change impacts and the cost of servicing and supporting customers,” the submission says. “Allowing for indirect costs, financial impact may run as high as £500m for some participants.” The high figures, according to CBA, were “understandable”, because of the technical complexity of the British model. Practical design choices could be made to reduce the execution risk and potential financial burden on the industry. CBA recommends a “technology-neutral” approach to regulation of open banking. This would enable the industry to choose the most suitable technology to implement the government’s direction. It would also help open data reforms to evolve with technological developments and leave the industry free to identify solutions that operate across industry sectors.
CBA, like the other major banks, supports the recommendation by the Australian Bankers’ Association for a new industry utility to oversee access to an open banking regime. The ABA also wants the government to develop rules for sharing customer data across the economy, so that appropriate banking industry standards are introduced. The new industry accreditation utility would determine whether recipients of banking data meet minimum standards of security and privacy, and have the capacity to meet the cost of potential breaches, such as the huge leakage of data last month from the US company Equifax.
National Australia Bank says that without an accreditation body, it would be unaware of a third party’s data management standards and practices. “Only third parties who can demonstrate robust data security processes should be allowed to receive or access data,” the bank says in its submission. “An accreditation entity offers a productivity benefit of third parties only having to receive a single accreditation, rather than needing recertification from each bank.” Once established, the entity could also be used by other industry sectors as part of an economy-wide data-sharing framework. This would allow the “considerable” security expertise of banks to be used by other industries. On the issue of a liability framework, the bank says the customer should not suffer any loss as a result of a data breach. However, once a customer’s data was transferred to a third party, at the request of the customer, the bank was no longer in control of the data. “NAB believes that liability for fraud or data misuse caused after the transfer of data to a third party should fall with that third party,” the submission says.