Access to large consumer data sets is increasingly driving new and innovative ways of doing business for traditional banks and fintech startups, whether it be the use of artificial intelligence (AI) tools to determine credit eligibility or the design of novel services relating to budgeting, investment tracking or deferred payments.
With cash transactions decreasing, COVID-19 accelerating the move away from face-to-face interactions in local branches and the Australian implementation of ‘open banking’ – which gives consumers the right to transfer their transaction and account data between banks – such innovations are only set to continue.
The interplay between this trend and financial services regulation is dynamic, and it is reasonable to expect that the use of ‘big data’ by financial services providers will attract greater attention from regulators including ASIC, the ACCC and the OAIC in future.
Open banking in particular will provide lenders with significant inflows of reliable transaction data about prospective customers. This is likely to drive more sophisticated consumer offerings, including greater personalisation of financial services and has a number of significant implications for lenders.
Under consumer credit legislation, credit providers must assess whether a product is suitable for a particular customer having regard to reasonably available information about the consumer’s financial situation. Where a lender fails to request consumer data under the open banking framework or fails to properly consider data it receives, it may breach its responsible lender obligations.
Banks already have policies in place to assist with the assessment of whether someone is likely to experience substantial hardship as a result of obtaining credit. However, in the context of open banking and the ability to access greater amounts of reliable information, these policies and procedures will need to be refined.
Systems may also need to be redesigned to ensure that red flags are triggered for certain types and amounts of spending (such as the frequency and amount of money spent gambling). In future, issues are particularly likely to arise in circumstances where the open banking data indicates that credit is unsuitable, but traditional verification methods (such as self-reported expenses) suggests otherwise.
Similarly, access to open banking data may have implications for financial services providers in terms of their compliance with anti-money laundering and counter-terrorism funding reporting obligations.
Access to the increasing volumes of consumer data which will be available to financial services institutions through open banking may result in an accelerated use of AI in credit decision-making. While these tools undoubtedly have great potential, proper design and oversight is critical to ensure they do not perpetuate unconscious bias or discrimination against certain customer demographics. This issue is the subject of an ongoing review by the Australian Human Rights Commission which released a substantial discussion paper on Human Rights and Technology at the end of last year.
Managing open banking data is also likely to present a number of data governance challenges. Open banking data is subject to significantly stricter privacy safeguards than those that apply under general privacy law, and financial services providers will need to implement systems and access controls that can effectively manage the different protocols for the collection, storage and use of the different kinds of data they hold. Maintaining appropriate access controls is becoming both more complex and critical over time. Unsurprisingly, there is an increasing regulatory focus on these issues, and 2019 saw the OAIC secure court enforceable undertakings from financial institutions to rectify deficiencies in this regard.
Big data and open banking present real opportunities for innovation and increased competition in the financial services sector, but they also create a number of challenges for both banks and fintechs in terms of their broader data governance practices and regulatory compliance.
This publication is introductory in nature. Its content is current at the date of publication. It does not constitute legal advice and should not be relied upon as such. You should always obtain legal advice based on your specific circumstances before taking any action relating to matters covered by this publication. Some information may have been obtained from external sources, and we cannot guarantee the accuracy or currency of any such information.