Open banking will give consumers more control over their banking data – allowing them to more easily move between providers and securely share their data with third parties.
This will be a significant change for the financial services sector. The application of open banking is helping the industry to evolve towards platform-based distribution and if leveraged correctly, opens opportunities for banks to extend their reach. For traditional, vertically integrated banks, there will need to be a change to the regular way of doing business.
Open Banking: the first application of Consumer Data Right
On 13 February 2019, the Australian Government officially passed Consumer Data Right (CDR) into law; it will be officially launched on 1 July 2020. Consumer Data Right aims to provide Australians with more control over how their data is used and disclosed. It will improve consumers’ ability to compare and switch between products and services, encourage competition between service providers, drive the development of more innovative products and services, and reduce prices.
Open Banking is the application of the CDR in the banking sector. Following an Open Banking Review, the government planned a phased implementation from July 2019 to apply CDR to banking data. The recommendations are specific to the banking sector and relate only to access to data.
Who does it impact?
Open banking impacts anyone with a use for banking data, including software providers, neobanks and lending platforms – Australia’s Big Four banks have been asked to make select financial data available to all other entities. The opportunity for Fintechs is particularly strong, as the move to open banking demonstrates a willingness of regulators and participants in the sector to embrace technology that enables customers to take control of their data. It will not only become easier for customers to switch banks; it will also generate more transparency and competition in the sector.
We have a deep understanding of the challenges Fintechs face, including cost, resourcing availability, flexibility and adaptability. Having worked closely with a number of key stakeholders in developing recommendations for the implementation of Consumer Data Right to banking data, we are able to guide you through the process.
Becoming an Accredited Data Recipient – what data is in-scope for Financial Services?
Entities wishing to gain access to consumer data under the CDR will need to become an Accredited Data Recipient (ADR) as detailed in the recently released Draft Accreditation Standards. This process of accreditation ensures only entities that have appropriate processes and controls in place to protect consumer data are given access. To achieve ADR status, entities will need to undergo an independent audit of processes and controls under the ASAE3150 standard as part of the accreditation application.
While the audit scope will be defined by the systems, processes and controls of the individual entity seeking accreditation, the ACCC has provided guidance that an applicant is expected to:
- have processes in place to limit the risk of inappropriate or unauthorised access
- take steps to secure their network and systems
- securely manage information assets over their lifecycle
- implement a formal vulnerability management program to identify, track and remediate vulnerabilities in a timely manner
- take steps to prevent, detect and remove malware
- implement a formal information security training and awareness program for all personnel interacting with CDR data
Our Technology Risk team can carry out the ASAE3150 Type 1 accreditation audit for entities wishing to become an ADR. The Type 1 audit is required within 3 months of submitting the application to become accredited, with ongoing Type 2 reviews then required every other year. We have extensive experience conducting Type 1 and Type 2 controls audits under various standards such as ASAE3150, ASAE3402, SOC2 and ASRS4400.
Why partner with Grant Thornton?
- In order to meet the requirements most efficiently, we have developed a control framework for compliance which includes mapping the 24 data security requirements to 46 general technology controls.
- We have significant experience in delivering security related controls reviews under industry standards such as SOC-2, ASAE 3150 and GS 007.
- Our team has developed relationships with key industry players including market regulators, data holders and organisations that are part of the nine initial data recipients.
- More broadly, we work with over 70 fintechs in Australia, providing end-to-end support to assist in managing the challenges of high growth including technical requirements like tax and audit, as well as risk & regulation, governance and culture, through to funding, M&A and potential IPO.
- We are familiar with the accreditation requirements beyond the ASAE 3150 requirement and can assist you with these if needed (e.g. cyber insurance).