
 

Cyber Security Incidents in Australia Highlight the Need for a Balance Between Risk and Innovation

 
 

Payments | David Marsh | 23 November 2022

A series of high-profile cyber security incidents have dominated the media in recent months. Major brands have been compromised across health, telco, retail and real estate, exposing the data of millions of Australians and international students, including sensitive information such as passport numbers and medical details. The incidents present a timely reminder about the importance of a continued focus on security.

Banks and payment service providers have long been a target for fraudsters. According to the Australian Signals Directorate, Banks and Financial Services make up 4% of cyber security incidents (requiring ACSC assistance), which, while still concerning, compares favourably to other sectors. The payments industry has been an early adopter of cyber security threat mitigants, such as two-factor authentication, encryption and penetration testing. The resulting stability is one reason why banks have retained the trust of their customers.

As banks and payment service providers have shifted to close the gaps that hackers might target, consumers have become the weakest link in the chain. Criminals are looking to achieve their objectives by either scamming consumers into initiating payments or taking over a consumer’s identity to accumulate debt in their name. The Australian Competition and Consumer Commission (ACCC) estimates scams to be costing Australians $2 billion a year, but that figure is difficult to validate as consumers are often too embarrassed to come forward.

THE NEED FOR SECURITY REMAINS HIGH

A conversation going on at the moment relates to action initiation under the Consumer Data Right (CDR). Support for action initiation was recommended under the “Future Directions of the Consumer Data Right” review and endorsed in December 2021 by the Liberal government who were in power at the time. The recent spate of cyber security incidents has some in the industry concerned about potential risks.

A key feature of action initiation will enable an authorised third party to trigger payments from a bank account. In the ensuing consultation, the Australian Banking Association (ABA) submission calls out new attack vectors presented by such access. The ABA submission also calls for clarity with regard to liability where a third party sits between the bank and the customer, preventing the collection of data points that are normally used as part of a risk assessment.

Endava recently surveyed over 1,000 global non-bank organisations on their finance and payments strategy. The results highlight that security remains front of mind for organisations:

Figure 8 from Endava 2022 Global Payments Report, showing “Fraud and security issues” as the top payment issue or challenge the surveyed companies experienced.

Figure 10 from Endava 2022 Global Payments Report, showing “Controlling data security” as the top challenge in international payments the surveyed companies experienced.

Figure 12 from Endava 2022 Global Payments Report, showing “Secure” as the top benefit that the surveyed organisations report about their payments tools.

BALANCING RISK AND INNOVATION

If we look to the UK, where payment initiation has been available for some time, advocates point out that open banking payments avoid sharing sensitive card numbers and the risks associated with manual data entry. Meanwhile, critics highlight that the UK’s Payment Systems Regulator is consulting on mandatory consumer protection to minimise the impact of authorised push payment scams. Measures under consideration include reimbursing customers, which would presumably push up costs and may dilute some of the benefits associated with a basic account-to-account payment offering.

In Australia, regulation has traditionally played a role in protecting the interests of all participants in the payments ecosystem. Whether that be issuers, acquirers, merchants or consumers, regulation sets the rules each participant must abide by. In recent years, the number of participants involved in a single payment has increased dramatically. Digital wallets, payment orchestrators, BNPL services and other innovators form part of the value chain. With a more diverse set of stakeholders comes a broader set of perspectives.

Whilst it’s prudent to focus on risks associated with change, it is also important to recognise that many of the advances we have seen in payment technologies are a result of disruptive business models introducing innovation in payments. Without action initiation, some organisations have opted to use screen scraping technology to deliver payment services to customers. There are mixed views as to whether screen scraping should be permitted – but from a purely technical perspective, a robust set of formalised APIs would be preferable.

So, what is driving the need for third-party action initiation? Payments are just one component of the Consumer Data Right. It’s worth remembering that the initiative was designed to be an economy-wide framework. In the future, it might enable consumers to choose a trusted companion app or wallet that not only manages all their banking, telco, insurance and energy services, but also compares competing offers based on actual usage data and, with consent, switches services without the administrative barrier that impedes competition today.

Coupled with supporting legislation for Digital Identity, customers could be onboarded to those new services without the need to collect identity documentation at all, greatly reducing some of the risks that have been surfaced by the recent cyber security incidents. Interoperable Digital Identity is a separate initiative banks have stayed close to, with plans in the first instance to allow consumers to use their banking relationship to “vouch” for identity attributes.

CONCLUSION

If there is a takeaway from the recent cyber attacks and subsequent publication of sensitive information, it is that the loss of data may be as damaging as, if not more damaging than, the loss of money – and it cannot be resolved through reimbursement.

Australia’s regulators have a good track record balancing the competing need for innovation with the requirement for security and stability, which is reflected in our nuanced payments regulation. Past examples include Australia’s Card-Not-Present (CNP) Fraud Mitigation Framework and Consumer Data Right legislation that extends beyond the finance industry. The growing number of stakeholders will make this an increasingly challenging balance to strike, particularly from a timing perspective.

Next month, the Australian payments industry will come together at the industry association’s annual payment summit, aptly themed “Paving the way”. With reviews pending for the privacy act, licensing, crypto asset regulation and action initiation, industry participants will be looking for insights on when and where some of these issues might land.

David Marsh will be speaking on the “Future of Payments” panel at the AusPayNet Summit 2022, alongside representatives from Visa, NAB and Stripe.

You can find more insights in the Endava 2022 Global Payments Report.

David Marsh

Principal Industry Consultant

With over 13 years in the payments industry, David’s career has been centred around innovation, transactional banking integration, and technology. Having worked with government clients, corporates, and the industry association for payments, he brings broad experience and a hands-on perspective to challenges and opportunities in the payments space. Away from work, family commitments permitting, David enjoys mountain biking, bouldering and DJing.

 
