In 2022, UNSW experts made recommendations to help protect bank customers who share data through the Consumer Data Right from cyber security threats. Their research findings, now released, remained confidential while critical recommendations were implemented.

A team led by Professor Lyria Bennett Moses, comprising UNSW experts in business, computer science, defence, and law, produced two reports: Considerations for Managing Cyber Threats to the Consumer Data Standards and Risk Management for the Consumer Data Standards. The reports identified potential threats and risks at that time, including:

  • The possibility of large-scale attacks from organised and persistent cyber criminals
  • The potential for weaknesses in the data transfer technology (called an API)
  • The prospect of human error, mismanagement, and intentional misuse of data
  • Issues when less cyber-mature companies join the ecosystem
  • Challenges of maintaining skilled security staff in a rapidly changing situation

The reports acknowledged the complexity of the Consumer Data Right (CDR) ecosystem, particularly given changes in the cyber threat landscape, technological change, and prospective changes to the CDR. The researchers’ key recommendations included maintaining a highly skilled staff, conducting ongoing threat modelling, and developing predefined responses to known and unknown threats.

“We advised a specific process for threat modelling, but our main emphasis was on the need for a structured approach,” says Prof. Bennett Moses.

“The modelling needs to be independent, frequent, collaborative, and broad. Beyond the obvious threats, it also needs to consider situations that might arise from social engineering (scammers), consumer misunderstanding, and the loss of key employees.”

Why do Australians have a Consumer Data Right?

If you ever sought to refinance your home loan through a mortgage broker in the past, you may have discovered the quickest way to share your financial history required logging into your bank account via a third-party website. That third-party website then extracted your financial and customer data, using a process known as ‘data scraping’, and then sent your data to the broker in a simple format. 

This data-scraping practice created security risks for consumers, but it was legal and, in many cases, the only way customers could get their data from their bank. In 2018, the government introduced legislation establishing the Consumer Data Right, which forced banks, when a customer instructed them, to directly share the customer’s data with third parties.

In other words, the CDR now requires your bank to provide your financial records directly to its competitors upon your request. This makes it harder for banks to monopolise and easier for Australians to find a better loan. It also protects customers against the very high risks associated with data scraping. However, the security of your information is only as good as the systems that protect the CDR ecosystem - and the people who have access to it. 

Managing future vulnerabilities

Prof. Bennett Moses says that while no system is flawless, threat modelling, risk management and putting the right staff and processes in place will help the CDR manage emerging and unforeseen vulnerabilities.

For example, data breaches like those that affected Optus and Medibank customers release details that scammers cross-reference with other sources, like public social media content, to build convincing imitation scams. While most reported scams impersonate family members, the government and road toll companies, victims of bank imitation scams lose the highest amounts.

Following the reports' recommendations, the CDR has evolved into a more secure data transfer ecosystem. This is important as the government has expanded, and continues to expand, the CDR data-sharing ecosystem beyond banking into other industries.

About the authors
The cybersecurity researchers and report authors are Professor Lyria Bennett Moses and Associate Professor Katharine Kemp from UNSW Law & Justice; Professor Peter Leonard and UTS Professional Fellow Rob Nicholls, from UNSW Business School; Professor Richard Buckland and Dr Rahat Masood from UNSW Engineering; and Associate Professor Benjamin Turnbull from UNSW Canberra.