The government is moving towards giving individuals more control over their banking data.
A Productivity Commission report Data Availability and Use, released in March, recommended customers gain “continuing shared access with the data holder”.
An independent review into Open Banking in Australia, commissioned by Treasurer Scott Morrison in July, looks set to go one step further.
“Greater consumer access to their own banking data and data on banking products will allow consumers to seek out products that better suit their circumstances, saving them money and allowing them to better achieve their financial goals,” Morrison said at the time.
Australian fintechs are salivating at the potential of an open data regime similar to those being forged in the UK, the EU and Singapore. The bigger banks may have no choice but to begrudgingly accept the changes.
But will mandatory open data lead to a mass exodus of customers from the Big Four? Will everyone suddenly switch their accounts and transfer their information over to smaller start-ups offering better deals?
It could all come down to one thing: trust.
Trust in me, just in me
People trust their bank to look after their data, even if they don’t trust the sector as a whole.
An Australian Banker’s Association (ABA) survey published last month found that only 31 per cent of Australians trust the industry, believing it to be driven by profit, not focused on customer need and too fuzzy with fees.
Yet more than half trusted and had confidence in their own bank.
A 2016 global study by Telstra found more than three quarters of millennials nominated banks as a platform they trust with their personal information, 25 times more than the number who nominated fintechs.
For the respondents, the main ‘trust factors' related to the security and privacy of data and transactions, the survey found.
The Big Four banks are ultra-sensitive about how their data security posture is perceived. They know it’s an advantage over newbies in the sector.
In a blog post yesterday, ANZ bank’s New Zealand chief operations officer Mike Bullock put it this way: “At its very core, banking is about trust”.
“Security is in a bank’s DNA and it’s a powerful advantage in a world of would-be disruptors,” he wrote.
Bullock’s colleague Darren Abbruzzese, general manager of data at ANZ earlier this year argued fintechs lacked people’s trust to keep their data secure.
“Despite their fresh approach and modern technology, these new entrants lack a key intangible asset that established banks have: trust. In spite of recent crisis and fines, customers still trust banking institutions as a destination for their personal and financial data, and with trust comes customer stickiness,” he said.
Any suggestion a bank’s security is shaky is met with a strong response.
Commonwealth Bank of Australia, in the wake of reports that it was cutting cyber security staff and outsourcing work to overseas vendors issued a lengthy statement.
“Reports suggesting we are stepping back from cyber security are incorrect,” the bank said.
Data security was “part of our responsibility to our customers and communities” it continued, adding “We remain committed to being at the forefront”.
Time and transparency
Speaking on a panel at the AustCyber (formerly the Australian Cyber Security Growth Network) National Fintech Cyber Security Summit in Sydney yesterday, fintech leaders argued they need time to earn the public’s trust, and that being transparent was a good way to do so.
“It’s a matter of being as transparent as possible; it’s also a matter of time. Everything with trust is always a matter of time,” said George Lucas, CEO of micro-investing app Acorns Grow Australia.
“Number one is definitely transparency,” said Damir Cuca, founder and CEO of Basiq, a Westpac and NAB backed aggregation platform for banking data.
“Making sure you’re clear about the measures you’re taking to protect data. Two is by having strong authentication and policies and engaging the customer on that – giving them control so they can revoke access as well.”
Cuca went on to suggest that the technology architecture of fintechs could help them match the banks for cyber security.
"One of the things with fintech – we have at our disposal is these great cloud providers that are investing so much in security. And there are a lot of great architectural models that fintechs can adopt where they don’t have to host their own servers, they don’t have to host their own databases. Therefore they minimise their security exposure," he said.
"And I think that there's a lot of that they can already leverage that I would argue is probably better than some banks."
Lucas agreed, adding: "In the world of cloud, there are so many services that are affordable that small fintechs can buy that actually help protect [them]."
Australian banks have so far (mostly) avoided a major data breach. The same can’t be said about established financial institutions elsewhere in the world.
The ‘mammoth’ Equifax breach revealed this month potentially exposed the personal details of 143 million people in the US. Banks in Italy and Canada, the US, and a payday lender in the UK have all suffered loss of customer data within the last year.
The passing of mandatory data breach notification legislation in Australia could see more bank breaches being revealed, and trust eroded.
As ANZ’s Bullock, paraphrasing Warren Buffet, wrote: “It takes 20 years to build a reputation and five minutes to ruin it.”