A series of high-profile cybersecurity incidents have dominated the media in recent months. Major brands have been compromised across health, telco, retail and real estate, exposing the data of millions of Australians and international students, including sensitive information such as passport numbers and medical details. The incidents present a timely reminder about the importance of a continued focus on security.
Banks and payment service providers (PSPs) have long been a target for fraudsters. According to the Australian Signals Directorate, banks and financial services see around 4% of cybersecurity incidents (requiring ACSC assistance), which, while still concerning, compares favourably to other sectors. The payments industry has been an early adopter of cybersecurity threat mitigants, such as two-factor authentication, encryption and penetration testing. The resulting stability is one reason why banks have retained the trust of their customers.
As banks and PSPs have shifted to close the gaps that hackers might target, consumers have become the weakest link in the chain. Criminals are looking to achieve their objectives by either scamming consumers into initiating payments or taking over a consumer’s identity to accumulate debt in their name. The Australian Competition and Consumer Commission (ACCC) estimates scams to be costing Australians $2 billion a year, but that figure is difficult to validate, as consumers are often too embarrassed to come forward.
The need for security remains high
A conversation going on at the moment relates to action initiation under the Consumer Data Right (CDR). Support for action initiation was recommended under the “Future Directions of the Consumer Data Right” review and endorsed in December 2021 by the Liberal government in power at the time. The recent spate of cybersecurity incidents has some in the industry concerned about potential risks.
A key feature of action initiation will enable an authorised third party to trigger payments from a bank account. In the ensuing consultation, the Australian Banking Association (ABA) submission calls out new attack vectors presented by such access. The ABA submission also calls for clarity in regard to liability where a third party sits between the bank and the customer, preventing the collection of data points that are normally used as part of a risk assessment.
At Endava, we have surveyed over 1,000 global non-bank organisations on their finance and payments strategy. The results highlight that security remains front of mind for organisations:
Balancing risk and innovation
If we look to the UK, where payment initiation has been available for some time, advocates point out that open banking payments avoid sharing sensitive card numbers and the risks associated with manual data entry. Meanwhile, critics highlight that the UK’s Payment Systems Regulator is consulting on mandatory consumer protection to minimise the impact of authorised push payment scams. Measures under consideration include reimbursing customers, which would presumably push up costs and may dilute some of the benefits associated with a basic account-to-account payment offering.
In Australia, regulation has traditionally played a role in protecting the interests of all participants in the payments ecosystem. Whether that be issuers, acquirers, merchants or consumers, regulation sets the rules each participant must abide by. In recent years, the number of participants involved in a single payment has increased dramatically. Digital wallets, payment orchestrators, BNPL (Buy Now Pay Later) services and other innovators form part of the value chain. With a more diverse set of stakeholders comes a broader set of perspectives.
Whilst it’s prudent to focus on risks associated with change, it is also important to recognise that many of the advances we have seen in payment technologies are a result of disruptive business models introducing innovation in payments. Without action initiation, some organisations have opted to use screen scraping technology to deliver payment services to customers. There are mixed views as to whether screen scraping should be permitted – but from a purely technical perspective, a robust set of formalised APIs would be preferable.
So, what is driving the need for third-party action initiation? Payments are just one component of the Consumer Data Right. It’s worth remembering that the initiative was designed to be an economy-wide framework. In the future, it might enable consumers to choose a trusted companion app or wallet that not only manages all their banking, telco, insurance and energy services but also compares competing offers based on actual usage data and, with consent, switches services without the administrative barrier that impedes competition today.
Coupled with supporting legislation for digital identity, this could allow customers to be onboarded to those new services without the need to collect identity documentation at all, greatly reducing some of the risks that have been surfaced by the recent cybersecurity incidents. Interoperable digital identity is a separate initiative banks have stayed close to, with plans in the first instance to allow consumers to use their banking relationship to ‘vouch’ for identity attributes.
Conclusion
If there is a takeaway from the recent cyberattacks and subsequent publication of sensitive information, it is that the loss of data may be as damaging as, if not more damaging than, the loss of money – and it cannot be resolved through reimbursement.
Australia’s regulators have a good track record of balancing the competing need for innovation with the requirement for security and stability, which is reflected in our nuanced payments regulation. Past examples include Australia’s Card-Not-Present (CNP) Fraud Mitigation Framework and Consumer Data Right legislation that extends beyond the finance industry. The growing number of stakeholders will make this an increasingly challenging balance to strike, particularly from a timing perspective.
Next month, the Australian payments industry will come together at the industry association’s annual payments summit, aptly themed “Paving the way”. With reviews pending for the Privacy Act, licensing, crypto asset regulation and action initiation, industry participants will be looking for insights on when and where some of these issues might land.
David Marsh will be speaking on the “Future of Payments” panel at the AusPayNet Summit 2022, alongside representatives from Visa, NAB and Stripe.
You can find more insights in our 2022 Global Payments Report.