Conflict of data sharing

Tuesday 10 October 2017

One of the most contentious discussions raised at the AustCyber Summit in September was that of the implications of open Application Programming Interfaces (API).

The session was held after lunch and divided big enterprise against fintechs. Speaking on behalf of big enterprise were Ryan Peterson, CTO of Data61, and Kate Carruthers, Chief Data Officer, UNSW Sydney. For the fintechs were Damir Cuca, CEO and Founder of Basiq, and George Lucas, CEO of Acorns Grow Australia.

The debate was chaired by Anthony Robinson, Financial Services and Cyber Security Partner at EY.

When the discussion of open APIs was first raised in the Australian context, the big four banks had concerns about the security of such a data exchange and questioned who would be liable for data breaches in this context.

Anthony Robinson asked the question of whether the new open banking regime will be the boon for fintechs.

“Speaking with some of the bank leadership over the last few weeks, there is a lot of concern over data-sharing now, because the information that Equifax leaked was actually information that was gathered from the banks,” Robinson said.

Peterson added that Data Republic believes banks should be able to share information, but there are concerns about privacy, collection statements around privacy and who owns the data.
“Banks have put quite a lot of money into collecting that information and storing it,” he explained. “Millions of dollars have gone into securing it. But it needs to be done in such a way that the information going back out remains relevant and available, but in the right way.”

Peterson advocated the sharing of insights instead of raw data, without compromising any personal information.

This ‘sharing of insights’ includes not sharing with the consumer the details of every entity with which their data has been shared, but rather assuring consumers that appropriate measures are being taken to protect their data.

Carruthers supported Peterson’s perspective on the limited sharing of data, but questioned what that data would be used for in the first place.

She said that there is a lot to be said for working to improve and make seamless the student experience, but it is a challenge and it can be very easy to lose control of the data.
“We are having to develop protocols on how we manage that, so that we protect the data but provide the functionality to the students.”

She said she shares this task with the University’s Chief Information Security Officer, the Chief Risk Officer and Privacy Officer.

“The real issue is understanding the data and understanding who has the rights to decide it can actually leave our facilities when we have assessed where things are safe. And I am telling you now that a lot of the start-ups running these sort of services are not really thinking about cyber security in any meaningful way, so when we give them the set of our non-functional requirements, they tend to blanch and look quite worried,” Carruthers said.

According to Lucas, the question of cyber security is also the prevailing argument of those representing big business. He stated they have been doing penetration tests in their processes.
The representatives for the fintech community then moved the conversation from that of security towards consumer choice, stating that this is the argument that regulators like ASIC have been supporting. When it comes to the conversation about trust, the regulator supports the shift in institutional trust mentioned by Rachel Botsman—that is, towards that of fintechs and sharing economies.

This altered trust dynamic is caused partly by the growing gap between industry practice and consumer expectation, and includes the topic of open banking, as well as allowing consumers to direct their data to be shared with a third party.

Further to this, Cuca suggested that the infrastructure of open data and open API is already available. The Basiq founder suggested that banks’ unwillingness to share data actually has more to do with consumers’ understanding of their banking data and the subsequent consumer realisation that they can get a lot more value by switching to a fintech service.

On the question of data-sharing, Cuca suggested that consumer interests are not always aligned to that of the banks, since the banks are businesses and exist, primarily, to make money.

“Does the consumer know where their data is going when they leave the bank?” Cuca said. “Do they know? No, they don’t. Do they know about companies like Quantium and so forth, and what they do with it and why they interrogate it?”

Legal versus API infrastructure
Lucas focused on legal infrastructure, rather than data-sharing infrastructure.
“Let’s be very clear,” he said. “Open data is here, and already, we get all the information from the banks that we need through services like Basiq. What we are really talking about in open data banking is actually the legal implications of who owns the data and who owns the liability.”

However, according to Lucas, it is interesting that the conversation about liability and who is responsible for data even exists, when the banks are the ones with massive infrastructure to protect the data.

“Fintechs such as Data 61 and the banks have a much higher level of security than any individual ever really expects for their data. That raises the very interesting question of who is liable for your own data [consumer], when you don’t even look after your data anyway.”

Data sharing
Data 61 has been hired by Westpac and NAB to share data in a controlled way, and Peterson said they are all for sharing data that helps protect people and accounts, and for participating in what is known as ‘social good data’.

He stressed what is important about the data is not so much about the collection, but rather its permitted use.

“Why are we using the data, and what are we making the data available for?” he asked. “Those are the kind of things the banks are really concerned about. It’s about the risk of involving consumers.”

Thus, the balance of the discussion seems to dance between consumer power to make decisions, and protecting consumers from making bad or uninformed decisions that might have dire or unforeseen consequences.

“And what would consumers really do with their data, even if they had it?”

Carruthers further challenged the notion of consumer access to data, “Realistically, how many people are going to come and ask for their data? Hardly any? What are they going to do with it? There will be little utility in it for them.”

Peterson further supported this argument by asking whether consumers always really need to know with whom their data is being shared.

While the debate raised some interesting questions, by and large, the debate itself is moot. APIs are coming, either way.