Under CDR rules, financial institutions must provide customers with greater access and control of their data. The aim is to make it easier for consumers to switch between products and services and to encourage increased competition between service providers.
For tier 1 banks and large finance institutions, CDR compliance had to be met by July 1 this year. Due to the pressures caused by the COVID-19 pandemic, tier 2 banks and smaller firms have been granted an extension until July 2021, a date which is rapidly approaching.
To achieve the required data-sharing capabilities, many organisations have taken an API gateway-based approach. API gateways proxy the API requests from third parties and deliver it in a suitable format for their requirements.
While API gateways are a mature technology and well defined, a lot of people are failing to understand the strict security measures that must also be put in place. Some have the mistaken belief that deploying an API gateway on its own is all that’s required. They don’t realise that additional, robust security measures are also needed to ensure consumer data remains protected at all times. And while some API gateways can be modified to meet some of the CDR security requirements using custom code, the maintenance and life cycle of these customisations are likely to be a major source of technical debt in the future.
The API security challenge
The challenges posed by using APIs to meet CDR security compliance occur because of changes made to the standards by the Australian Competition and Consumer Commission. The ACCC has taken international security standards as a basis for the laws and then amended them to better suit local conditions.
As a result, out-of-the-box security solutions designed to meet international standards have to be modified to match Australian requirements. This has made the process more difficult for all participants trying to achieve compliance.
Another security challenge needing to be addressed comes from the requirement to have comprehensive consent capabilities in place. CDR-compliant organisations must have a consent model that not only captures and enforces consent in line with current requirements but also meets new requirements for concurrent consent.
Concurrent consent is where end users have multiple consents in place with the same data recipient. For example, a bank customer could have a long-term consent for their account balance to be shared with a third party providing a personal finance analysis and budgeting app, and a separate short-term consent with the same third party for a mortgage or credit card application. The bank needs to have the security and user experience measures in place to make this possible.
Achieving and then moving beyond compliance
Because of the additional complexities caused by the Australian regulations, it is important that organisations take a thorough and structured approach to achieving full compliance.
A good method is to use a sandbox environment to fully test a new CDR infrastructure. Data transactions can be generated that will show whether all the security requirements are in place or what additional steps need to be taken.
It’s also worthwhile undertaking a full review of your CDR specifications alongside an IT security expert who can spot any gaps or weaknesses that could cause problems once the service has gone live. At this point, it will become obvious that deploying an API gateway alone is not the answer.
CDR is both a challenge and an opportunity for most organisations. As well as allowing the required data sharing to take place, the real value and competitive advantage will come from being able to use the underlying infrastructure in other areas of the business. Opportunities could include improving the way consumer identity is managed and enabling new services in which secure data sharing with customer consent is essential.
Take the time now to closely review your CDR preparations and security measures. Your ability to achieve full compliance within the required time period will rely on it.
Mark Perry, APAC chief technology officer at Ping Identity