New regulations enable Financial Institutions to receive data to protect customers

The federal government announced late last week it will introduce amendments to the Telecommunications Regulations 2021 designed to allow telecommunications entities that have suffered a data breach to share data of affected customers with all APRA-regulated financial institutions, except branches of foreign banks. The data sharing is intended to enable the financial institutions to provide enhanced monitoring and safeguards to protect their customers from fraud and other financial harm.

The data-sharing scheme is elective: financial institutions can choose to participate. Doing so may allow a financial institution to provide better outcomes for its customers, but the financial institution must meet certain criteria to take part. While we are still awaiting the detailed regulations to be published imminently, the various press releases have provided high level detail on what financial institutions may be able to receive in the near future.

Who?

All APRA-regulated financial institutions are eligible, except branches of foreign banks.

What?

Receive designated data attributes limited to those that are strictly necessary for the purposes of implementing enhanced monitoring and safeguards for customers affected by the data breach.

How?

• Define the types of enhanced monitoring and safeguards available, informed by your existing obligations and expectations under Australia’s financial crime regime.
• Assess whether there are any third party services that support these processes and consider applying to the Communications Minister to specify these service entities if needed.
• Define the data attributes needed to enable enhanced monitoring and safeguards.
• Implement appropriate internal controls to ensure that the information can only be used for the sole purposes of preventing or responding to cybersecurity incidents, fraud, scam activity or identity theft, including appropriate retention and deletion protocols.
• Provide a written attestation to APRA that the data required is necessary and proportionate and that the institution’s CPS234 (Information Security) standards will apply to the receipt, usage and handling of the data.
• Provide written commitments to ACCC that the institution will comply with the Privacy Act in handling the relevant data.
• Engage with the telecommunications entity to facilitate secure access to the data.

The government’s amendments of the regulations to facilitate such cross-sectoral data sharing for the purpose of customer protection is an unprecedented move in the face of the scale of the Optus breach. While many financial institutions may wish to avail themselves of the option, the above requirements are significant and any organisation attempting to do so will need to ensure that it has adequately and appropriately established the relevant governance and suitable systems, processes and controls to protect customer data. Our Digital Operations, Cyber Risk and Financial Crime Risk Advisory team would be happy to assist should your organisation wish participate in the scheme.