David McLean takes a look at Facebook, Cambridge Analytica and open banking.

"We have a responsibility to protect your data, and if we can't then we don't deserve to serve you."

That was Facebook founder Mark Zuckerberg facing the music after Cambridge Analytica was accused of gaining improper access to the personal data of millions of users.

His words are a warning to all businesses considering data sharing, and have particular relevance to open banking.


Open banking refers to a bank sharing your financial data — securely and with your approval — with trusted third parties, so the information can be used in a variety of apps and digital products. The ultimate aim is to create greater choice, ease and convenience for consumers.

In a typical example, a customer, Sally, might allow a two-way flow of information between a travel website and her "holiday savings" bank account, as she plans a getaway with friends to Fiji. The website could notify her of travel packages and offers based on her bank balance. She might even decide to allow the website to debit her account for an airfare if it drops to a nominated price.

Sally might also use a mobile app to understand the best credit card for her based on her spending habits, and have another one that ranks the importance of bills based on their due dates and the money in her account. The app could even pay the bills automatically, based on rules decided by Sally.

Authorities in Europe and the UK have already taken steps to promote open banking and there is similar interest in New Zealand. And, just this month, it was announced that banks in Australia will be obliged to share customers' information, if they request it, from July next year.

Most of this activity has been driven by a desire to increase competition. By compelling financial services businesses to share Sally's data, if she requests it, it is hoped it will be easier for her to switch providers, and for other businesses to offer her competing products.

As an organisation that wants to help our customers by providing them with the tools to grow financially, we think open banking will be an important part of the future.
We believe it has the potential to deliver improved experiences for customers and tremendous value for businesses and New Zealand.

But it pays to return to the experience of Facebook, Zuckerberg and Cambridge Analytica for a reminder of what's at stake when personal information is shared.

In 2013, the social media behemoth hosted a personality quiz app which asked users for access to their personal details, and those of some of their friends and family.

A year later, Facebook tightened up its policies to limit the information apps could access, but by then the horse had bolted.

Zuckerberg testified that the compromised user data eventually found its way from the app developer to Cambridge Analytica — in breach of Facebook policies.

That data was allegedly used in an attempt to influence the United States presidential election and sway public opinion in other instances in other countries.

Two key lessons came out of the Cambridge Analytica scandal: firstly, the risk of customer data ending up with parties it wasn't intended for proved to be more than just a hypothetical possibility, and secondly, the original holder of the data, Facebook, was largely held responsible, even though users had agreed to share at least some of the data.

The incident is a reminder that a watertight framework needs to be established if open banking is to become a trusted and durable technology.

That's because your banking data is the most valuable data you have — not only to you, but to the bad guys.

Looking back at the example of Sally and the overseas travel website, it is easy to see how third parties could misuse her data if they got hold of it — not only by directly trying to access her money but even indirectly by using her behavioural information maliciously.

This could include charging her more than other customers, or targeting marketing at her.

Clearly, some big questions arise for regulators: how should laws be drafted to stop data breaches from happening, how would such an outcome be prevented in practical terms, and how would any breach be prosecuted, especially if it happened outside New Zealand?

Cynical readers might wonder whether Westpac is raising these issues just to put the brakes on a technology that some say threatens traditional banking.

But that's not the case. We already have one of the most developed API frameworks of any bank in New Zealand and are actively experimenting in this area, working on prototypes with external partners to deliver innovative solutions.

However, our first responsibility is to look out for our customers and keep their most valuable information — their financial data — safe. If this can't be guaranteed, then open banking will never be successful.

That means taking a careful approach to its implementation.

This is not something Westpac can do on its own: there will need to be some industry-wide co-operation on things like standards and protocols.

Even more importantly, the Government and regulators will have to set legal boundaries and protections.

We are looking forward to working closely with all these parties to develop a world-leading, safe, open banking framework for New Zealand.

We've already made a start: on the business-to-business side of things, we have a live portal that allows rigorously vetted software developers to integrate Westpac payment channels into their products.

It's safely processed tens of thousands of transactions since going live.

We know the consumer applications that promise so much will arrive over time, and we're looking forward to bringing those to Westpac customers.

But, when that happens, we want to be able to say, in good faith, that we've done the utmost to keep their data safe, so that they can put their concerns aside and get on with enjoying the experiences on offer.

David McLean is Chief Executive of Westpac NZ