Privacy and data security compliance will become both more complex to manage and more important as Australia moves towards implementing open banking. Yet a recent inquiry identified a concerning level of subscriber non-compliance with the privacy obligations set out in the Customer Owned Banking Code of Practice (the Code).
Privacy requirements come under Key Promise 8 – “We will comply with our legal and industry obligations” – and are addressed by Section 23 of the Code, which commits member institutions to comply with the Australian Privacy Principles, which form a schedule to the Privacy Act 1998.
A June 2018 inquiry by the independent Customer Owned Banking Code Compliance Committee (the Committee) which monitors the Code found that while all subscribers have training processes in place, the frequency of breaches caused by human error suggests that keeping privacy issues front-of-mind for staff is imperative – a conclusion supported by detailed breach data supplied by Code subscribers to the Committee..
Data gathered via the 2018 Annual Compliance Statement showed that of the 192 self-reported breaches of Section 23 of the Code, half were attributed to “process and procedure not followed”. The next biggest root causes were manual error (35) and staff error (26). Although the staff members responsible were spoken to and on occasion re-retrained, broader remedial actions were rarely taken.
This was the case with one institution that detailed several incidents typical of Section 23 breaches: a letter posted to one customer contained the term deposit details of another; emails containing personal information were sent to the wrong person; a partially completed application was handed in error to a potential customer inquiring about an account. In each case, processes were in place to prevent such errors, but had not been followed. No remedial action was taken.
The Committee believes the best way institutions can safeguard customer privacy is to commit to a continual process of improvement. Most institutions review their privacy compliance at least once every two years, although it appears that these reviews could be more comprehensive. Equally important is identifying the root cause of any breaches and implementing changes that will prevent future occurrences.
This is exemplified by a breach report in which a staff member at a customer owned bank noticed that paper records containing customer information were being placed in the wrong bin. The records were destroyed securely, and the customer owned bank took active measures to avoid this happening again by issuing a staff communication to reiterate the disposal process and reviewing its procedures and training to assess their adequacy. It also heightened its monitoring of customer complaints.
A recurring issue in the breach reports was the unauthorised disclosure of information to family members of customers. At one institution, the fact that a customer had applied for a credit card was incorrectly disclosed to the customer’s spouse. Remedial training was provided. At another organisation, branch staff disclosed personal information and details regarding transactions to family members who were not authorised to see them. The staff faced disciplinary action and were reminded of their obligations regarding privacy.
Breaches of customer privacy can have a significant impact. A total of 4,167 customers were affected by the breaches self-reported by subscribers in their Annual Compliance Statement for the period July 2017 to June 2018.
Around three thousand customers were affected by a procedural error at one large institution. The marketing department sent an email to members advertising a cashback promotion for a credit card. The distribution list included 3,000 members who had not opted in to marketing emails. In response, the institution educated marketing staff on which distribution lists to use and updated the checklist used before sending marketing emails.
Failing to follow procedure can have a devastating impact when it enables or leads to fraud. One breach report described how a fraudster used an institution’s webchat facility to impersonate a member. An internet banking access code was reset and given to the fraudster, who made three transfers out of the account totalling $2,750. The full amount was reimbursed to the member. The staff member involved entered performance management and was subject to daily monitoring and coaching for a month.
At a different institution, manual error led to fraud. A customer was incorrectly linked as a signatory to another member’s account. That account was accessed, and money fraudulently withdrawn. The same institution also listed three cases of human error involving information being sent to the wrong person. In another matter, an unauthorised third party received an email containing the name, date of birth and address of another member.
This final incident was dealt with at the customer level and listed as a Code breach. It was also reported to the Office of the Australian Information Commissioner (OAIC). Entities with obligations under the Privacy Act – including Code subscribers – are required to inform the OAIC of any loss, unauthorised access or disclosure of personal information if it is likely to result in serious harm to any individual affected.
Although member institutions self-reported numerous instances of such breaches, this was the only occasion on which an OAIC report appears to have been made.
The ability of the financial services sector to protect their customers’ privacy will be crucial in coming years. Complying with the Code – and using breaches and complaints to continuously improve compliance – is a significant step in that process.
The latest quarterly report from the Office of the Australian Information Commissioner (OAIC) is also instructive. It shows that 262 data breaches involving personal information were notified between October and December 2018, a slight increase to the previous two quarters.
The leading cause of notifiable data breaches in the December quarter was malicious or criminal attack with 64% (168 notifications), followed by human error with 33% (85 notifications) and system error with 3% (9 notifications).
Most data breaches resulting from a malicious or criminal attack involved cyber incidents stemming from compromised credentials (usernames and passwords), such as phishing and brute-force attacks.
The OAIC used its quarterly report to reinforce the need for organisations and individuals to secure personal information by safeguarding credentials. The Code Compliance Committee encourages all Code subscribers to review on an ongoing basis their internal and third-party information security arrangement and their data breach response plan to ensure they are best placed to mitigate and manage threats to their customers’ privacy from cyber-attacks.