Big Aussie banks side with Google, Facebook and Amazon against data localisation rules

Australia’s big banks have heavily backed in US technology giants Google, Facebook and Amazon to oppose any prospect of forcing them to house Australian customer data onshore, despite growing safety concerns among security agencies, regulators and consumer advocates.

In a muscular response to the Department of Home Affairs’ Data Security Action Plan Discussion Paper, the Australian Banking Association claims moves to legally require data to be held onshore in Australia and prevent it from being sent overseas will create new security threats.

The consultation is a key element of the previous government’s National Data Security Action Plan, part of the Digital Economy Strategy launched in the 2021-22 budget.

“The concept of data localisation can seem attractive as it can be viewed as a way to reduce dependencies on other countries and to give regulators greater visibility into where data is stored and who it’s shared with. However, ABA cautions against a general policy or prohibition on storing or moving data offshore,” the ABA’s submission said.

“Data localisation can also weaken data security. Many Australian entities use third-party providers of software or platform services, including major global entities. Both Australian and overseas entities may use offshore data centres. Requiring data to be kept onshore would disrupt these existing commercial and infrastructure arrangements.”

Or, to put it more bluntly, it would force up tech costs for banks who have been saving billions by hiving off infrastructure to public cloud giants.

Clouded judgments

American-based giants Amazon Web Services, Google Cloud, Meta (Facebook) and Microsoft are also opposing in-country data localisation because it would force them to re-work their cloud infrastructures to conform with local laws.

At a geopolitical level, data localisation has become a regulatory lightning-rod issue in Europe alongside the European Union’s General Data Protection Regulation (GDPR), which seeks to protect personal citizen data from mass harvesting and exploitation by US tech platforms.

Facebook parent company Meta, which has had persistent run-ins with regulators, is one of the most strident opponents of forced data onshoring and local data protection regimes, essentially arguing such moves here would land Australia in the despot club.

“Local data storage requirements also have broader implications for the state of an open, global internet,” Meta said in its submission.

“Personnel and data localisation measures such as those in India, Vietnam, Turkey and China are often intended to facilitate the surveillance or censorship of citizens’ online activities and violate individuals’ human rights including freedom of speech, expression, access to information, and privacy and due process rights.”

The ABA also “cautions against relying on new, standalone legislation to impose data security requirements across the Australian economy”, saying there should instead be consideration of using “existing legislative vehicles” or ways to “ensure harmonisation between data security policy and existing requirements.”

Apple holds cards tight

A notable abstainer from lodging a public submission to the National Data Security Action Plan consultation is Apple, which Australian banks have been fighting against tooth-and-nail (ANZ excepted) to preserve their lucrative payments card hegemony with Mastercard and Visa.

While banks have essentially accused Apple of creating a restrictive monopoly through Apple Pay, which now dominates contactless transactions, the use of biometrics to secure transactions made directly from iPhones has made them highly fraud-resistant, unlike online card transactions.

Known as card not present (CNP) fraud, fraudulent online transactions made using Mastercard and Visa products (cards which Australian banks issue) have remained stubbornly high in Australia, with fraud losses sheeted back to merchants routinely sitting above $400 million a year.

Note that number and who picks up the tab – merchants – because we’ll come back to it.

The extent of and persistence of CNP fraud losses, as well as the willingness of institutions to opaquely pass through the financial hit to their merchant customers, represents a serious credibility gap in public policy level for banks, which are now officially classed as critical infrastructure.

Banks cast outside policy tent

The Albanese government has also conspicuously sought to maintain a professional distance from major banking institutions during the recent Jobs and Skills Summit, excluding individual representatives from the Big Four in favour of ABA chief and former Queensland Labor premier Anna Bligh.

A known irritant between banks and policymakers is the all-out digital push to send customers online while shutting branches and ATMs, a stance that plumps banks’ profits but decimates jobs and businesses in regional areas. It also further alienates vulnerable Australians such as the elderly.

The furious agreement on the need to reject enforceable data localisation regulations by both banks and controversial platforms like Facebook and Google is also likely to arouse fresh suspicions among cross-benchers and independents wary of their already spotty regulatory record.

Facing-up to biometrics

Consumer advocates are already mobilising to expose the often hidden or sparingly disclosed use of artificial intelligence and collection of sensitive personal data, including biometrics, with CHOICE citing its recent sting on retailers in April.

“CHOICE requested information from 25 leading Australian retailers on their use of facial recognition technology and analysed their privacy policies, available online,” CHOICE wrote in its response to the Home Affairs’ Data Security Action Plan discussion paper. “Based on the responses and analysis, CHOICE identified that Kmart, Bunnings and The Good Guys are collecting and using their customers’ sensitive information via the use of facial recognition technology.

“Retailers are collecting sensitive biometric data known as a ‘faceprint’ through their facial recognition technology systems. Under the Privacy Act 1988, the collection of sensitive information, such as biometric data, has stricter requirements in relation to notice and consent. This matter has been referred to the Office of the Australian Information Commissioner for consideration.”

In July, the OAIC initiated an investigation into CHOICE’s revelations. The regulator said it will look into “the personal information handling practices of Bunnings Group Limited and Kmart Australia Limited, focusing on the companies’ use of facial recognition technology”.

The OAIC said it had also started “preliminary inquiries with Good Guys Discount Warehouses (Australia) Pty Ltd following public reports that the company has paused its use of facial recognition technology”.

But the real question is why some of Australia’s biggest retailers went out on such a shaky privacy limb and resorted to intrusive technology to facially scan their customers.

Clicking collect on fraud

Let’s circle back to that circa +$400 million a year in online (card not present) fraud that gets passed back through to merchants.

These days at retail point of sale, better terminals and plastic cards with embedded smartcards that can do contactless or docked transactions and biometrically equipped phones with Apple Pay have dramatically cut margins for card crooks because cloning the magnetic stripe and signing doesn’t work anymore.

Merchants are also largely shielded from fraud liability at the point of sale for card-present transactions because banks rent merchants their payment terminals for a hefty price, and that’s before the great interchange fee racket kicks in, allowing banks to make billions.

However, on click-and-collect transactions, it’s almost always the merchant who wears the risk because these are classed as ‘card-not-present’ on the basis they are transacted online.

Liquidating assets

The next step is to think about how fungible or liquid the goods obtained using card fraud are, and what’s easy to shift on the black market that still has enough margin: consumer electronics and power tools, especially lithium batteries.

There’s also a speed advantage. While many initial fraudulent online card transactions can be picked up by cardholders or detection engines in time for a delivery to an address to be stopped and payment reversed, click-and-collect fraud usually happens on the same day.

The only rub is someone needs to ‘mule’ the goods out of the store.

Hence the use of facial recognition cameras that can also be used to target conventional shoplifters and thieves who often have a crossover into card and identity fraud.

Shoplifters of the world unite

The methodologies of various carders are sublimely laid out in the recently released film Emily the Criminal, which tells the story of a debt-laden student trying to break free from a cycle of low wage poverty. Without spoiling the plot, outfoxing facial recognition is in there. Mass facial biometrics is real, especially in retail, and it’s increasing.

And while it doesn’t make it OK, the fact that big stores such as Bunnings have resorted to biometrics indicates the passing through of CNP fraud by the banks is now stinging big merchants bad enough for them to try and solve the problem themselves.

These are, of course, the very same banks howling up a storm in unison with Facebook to avoid the prospect of sensitive personal data being stopped from leaving the country so they can save on tech infrastructure costs.

It’s a Vegas-grade marriage of regulatory convenience that likely won’t last long if events in the United Kingdom are anything to go by.

After foisting the equivalent of the Consumer Data Right and Authorised Push Payments (APP) onto the public there, UK banks now want US platforms to shell out for their exploding fraud losses claiming platforms and social media are fraud enablers.

One big, happy, regulatory family.

This article was first published by The Mandarin.