Today’s Australian Financial Review reports that the Commonwealth Bank has “sent alarming emails to thousands of its customers who are engaging with fintech start-ups, warning that sharing internet banking passwords could invalidate the protection CBA provides from losses on accounts relating to fraud”.
This reminds me of how the banks hold their EFTPOS customers responsible for data breaches made possible by the banks’ own unsafe EFTPOS solutions. That is just not on. Banks have to offer safe products; otherwise they are the ones responsible.
Here is another outrageous example. The banks refuse to allow their customers to make their own transaction, account and credit data, held by the banks on their behalf, safely available to third parties. With such data, a fintech innovator can, for example, give customers a unified view and analysis tools across all bank accounts held at multiple institutions, or use customer data across multiple banks to extend a loan and transact it efficiently.
To work around the barrier and get to the data, third-party providers, whether a competing bank or a fintech innovator, use the services of US company Yodlee or Australian bankstatements.com.au to receive the customer’s passwords (encrypted in transit and storage) and then access the data through a process known as “scraping”. These companies are used by many banks around the world, and they claim their systems are as secure as they can be while the banks remain unwilling to do their part.
If the banks were looking after their customers’ interests and particularly their safety, they would provide a safe path to share data with third parties that are under an adequate licensing regime such as APRA, AFSL or ACL.
Instead of sending scare emails, the banks could simply use available technology that easily and efficiently eliminates both the need, and the risk, of entering banking passwords into a third-party website. For instance, OAuth is an open standard for authorisation commonly used as a way for internet users to log in to third-party websites using their Google, Facebook, Microsoft, Twitter, or One Network accounts without exposing their password to those sites.
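To make concrete what the OAuth alternative to password sharing looks like, here is an added example (not code from the article, nor from any bank, Yodlee or bankstatements.com.au) that simulates an OAuth 2.0 authorization-code flow with PKCE entirely in-process. The bank’s authorization server, the fintech client, the endpoint names, the customer and the ledger are all hypothetical stand-ins. The point it shows: the customer authenticates only at the bank, the third party receives a scoped, single-purpose, revocable token instead of the password, and the bank can verify that the party redeeming the authorization code is the one that started the flow.

```python
"""Added example: OAuth 2.0 authorization-code flow with PKCE, simulated in-process.
Everything here (bank, client, user, ledger, URLs) is constructed for illustration."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

DEMO_USER = "alice"                              # constructed sample customer
DEMO_PASSWORD = "correct horse battery staple"   # constructed; never leaves the bank
SCOPE = "transactions:read"                      # read-only scope the fintech asks for


def b64url(raw: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class BankAuthServer:
    """Hypothetical bank-side authorization server plus a tiny resource API."""

    def __init__(self):
        self.customers = {DEMO_USER: DEMO_PASSWORD}
        self.registered_clients = {"fintech-app": "https://fintech.example/callback"}
        self.pending_codes = {}   # code -> (client_id, redirect_uri, scope, challenge, user)
        self.tokens = {}          # access token -> (user, scope)
        self.ledger = {DEMO_USER: [("2016-08-01", -42.50, "Groceries"),
                                   ("2016-08-02", 1500.00, "Salary")]}

    def authorize(self, params, user, password):
        """The customer logs in HERE, at the bank, and consents to the scope.
        Returns the redirect back to the client carrying a one-time code."""
        if self.customers.get(user) != password:
            raise PermissionError("bad credentials")
        if self.registered_clients.get(params["client_id"]) != params["redirect_uri"]:
            raise ValueError("unregistered client or redirect_uri")
        if params.get("code_challenge_method") != "S256":
            raise ValueError("PKCE (S256) is required")
        code = secrets.token_urlsafe(24)
        self.pending_codes[code] = (params["client_id"], params["redirect_uri"],
                                    params["scope"], params["code_challenge"], user)
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, client_id, redirect_uri, code, code_verifier):
        """Exchange the code for an access token; the code is single-use and
        bound to the client, the redirect URI and the PKCE challenge."""
        entry = self.pending_codes.pop(code, None)
        if entry is None:
            raise PermissionError("unknown or already-used code")
        c_id, r_uri, scope, challenge, user = entry
        expected = b64url(hashlib.sha256(code_verifier.encode()).digest())
        if (c_id, r_uri) != (client_id, redirect_uri) or not secrets.compare_digest(expected, challenge):
            raise PermissionError("code binding or PKCE verification failed")
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = (user, scope)
        return tok

    def transactions(self, bearer):
        """Resource endpoint: only a live token with the right scope may read."""
        user, scope = self.tokens.get(bearer, (None, ""))
        if user is None or SCOPE not in scope.split():
            raise PermissionError("invalid token or insufficient scope")
        return list(self.ledger[user])

    def revoke(self, bearer):
        """The customer (or bank) can cut off this one third party without a password change."""
        self.tokens.pop(bearer, None)


class FintechClient:
    """Hypothetical third-party app. It never handles the banking password."""
    client_id = "fintech-app"
    redirect_uri = "https://fintech.example/callback"

    def start(self):
        self.state = secrets.token_urlsafe(16)      # anti-CSRF binding of the round trip
        self.verifier = secrets.token_urlsafe(48)   # PKCE secret kept by the client
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": SCOPE, "state": self.state,
                  "code_challenge": b64url(hashlib.sha256(self.verifier.encode()).digest()),
                  "code_challenge_method": "S256"}
        return "https://bank.example/authorize?" + urlencode(params)

    def finish(self, server, redirect_url):
        q = parse_qs(urlparse(redirect_url).query)
        if q.get("state", [None])[0] != self.state:
            raise PermissionError("state mismatch: redirect did not come from our own request")
        return server.token(self.client_id, self.redirect_uri, q["code"][0], self.verifier)


def run_flow(server, client, user, password):
    """Drive the whole exchange; returns (transactions, access_token)."""
    auth_url = client.start()
    params = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    redirect = server.authorize(params, user, password)   # customer logs in at the bank
    tok = client.finish(server, redirect)                 # client redeems the code
    return server.transactions(tok), tok


if __name__ == "__main__":
    txns, tok = run_flow(BankAuthServer(), FintechClient(), DEMO_USER, DEMO_PASSWORD)
    print(txns)
```

In this arrangement the only secret the fintech holds is a token the bank can scope and revoke; a breach at the third party exposes that token, not a credential that also authorises payments, which is exactly the risk the scare emails complain about.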
The reality is that, to protect their unfair advantage, banks prohibit, threaten and endanger customers who use their own transaction and lending data to obtain fair and competitive funding and other solutions from the market. By denying third parties safe access to customer data, banks control the pace of innovation and competitive tension in Australia, to the detriment of Australian consumers and businesses and the public interest. It is time for the Federal Government and the Regulator to intervene.