To participate in Open Banking (see my introduction to Open Banking Australia) and become a Data Recipient, organisations must be accredited. The ACCC defines an Accreditation process to vet and approve Data Recipients under the CDR Rules Framework that governs Open Banking. The ACCC also provides some references on information security.
The Open Banking review provides important background to the accreditation process: it seeks a balance between conservative safeguards and a level of tiered-risk pragmatism, so as to avoid “unnecessary barriers to entry and innovation”. This balance is justified by the key goal of Open Banking, which is to improve competition in the industry. This is encouraging for emerging neobanks and for the FinTech industry.
The ACCC is the only Data Recipient Accreditor and as such can grant, suspend and revoke accreditations. The ACCC will manage an official Register of accredited Data Recipients.
In Australia, only one general tier of Data Recipient accreditation is envisaged so far. However, the ACCC hints at a desire to later accommodate lower tiers that would restrict the data in scope for sharing.
According to the CDR Rules Framework, ADIs receive automatic accreditation when applying, except for ADIs that are restricted or providers of purchased payment services.
Candidate non-ADIs, and ADIs excluded from streamlined accreditation, must satisfy the following requirements (my summary):
- Be a “‘fit and proper’ person to receive CDR data”, which would be primarily assessed against criminal, managerial, bankruptcy and insolvency history;
- Be legally operating in Australia (foreign companies must have a local liable agent). This is important as UK OpenBanking accredited organisations will not be recognised in Australia, at least in a first version of Open Banking in Australia;
- Have appropriate and proportionate systems, resources and procedures in place to comply with the legislation, the rules and the standards including in relation to information security. The requirement includes complying with the ACCC rules to protect CDR data from misuse, interference, loss or unauthorised access, modification and disclosure. The requirement also includes having appropriate plans and processes in place for managing risk when entering into an outsourcing arrangement involving the disclosure of CDR data;
- Have appropriate dispute resolution processes; and
- Hold appropriate insurance.
With regard to information security risk management, candidate Data Recipients must provide evidence of:
- Effective procedures to identify, manage and monitor any risks to which they might be exposed with respect to CDR data;
- Adequate procedures and processes to comply with the privacy safeguards;
- Procedures for monitoring, handling, and following up security incidents and security-related customer complaints;
- Measures and tools for the prevention of fraud and illegal use of CDR data; and
- Descriptions of security control and mitigation measures and procedures for the mandatory reporting of incidents, and notification processes to consumers in the event of a security incident.
The ACCC does not intend to prescribe technical information security guidelines, but refers to:
- The Australian Privacy Act;
- The OAIC’s Information Security Guidelines, including by requiring appropriate systems and procedures in relation to information security, data breaches, physical security, workplace policies, and regular monitoring and review; and
- APRA’s Information Security Prudential Standard (officially commencing on 1 July 2019) for ADIs.
Non-ADIs are then primarily referred to the OAIC’s Information Security Guidelines.