The loophole could result in an unaccredited fintech asking a customer to hand over banking data the customer had requested directly from their bank in a machine-readable format.
The consumer groups are concerned payday lenders or other unaccredited parties could use the data for predatory lending or marketing.
The ACCC is currently taking submissions about how privacy and data protections will apply to parties not accredited under the CDR as part of its finalisation of the open banking regime, which is due to kick off in July.
The Financial Rights Legal Centre and Consumer Action Law Centre are also calling on the Senate inquiry being chaired by Liberal Senator Andrew Bragg to recommend that fintechs use artificial intelligence technology in an ethical manner, backed by law.
They have also called for additional regulation of buy now, pay later operators, arguing they should be brought under the National Consumer Credit Act, which the Australian Securities and Investments Commission has said is not necessary.
During open banking consultation with the ACCC, the consumer groups say various fintechs have been seeking to “build friction into the process of deleting one’s data” and “designing the consumer experience to benefit the fintech over the interests of the consumer”.
They want the government to ban screen scraping, which allows fintechs to read bank account data once customers provide banking credentials, describing the process as “outmoded and dangerous” and pointing to its ban in the UK.
The groups say handing over banking passwords is counter to government security advice, undermines the purpose of the consumer data right and could result in the loss of protections under the e-payments code.
FinTech Australia disagrees, arguing that screen scraping should be allowed in parallel with open banking.
But the consumer groups say it is “nonsensical to develop a parallel system to serve the interests of a small number of legacy fintechs who are unwilling to change their business model to meet the higher standards and security requirements of the CDR regime”.
Commonwealth Bank also wants to see an end to screen scraping, and has been targeting customers of ASX-listed Raiz Invest with warnings not to hand over passwords. In the United States, JPMorgan Chase said recently it would stop fintechs using its customers’ passwords to access their accounts.
Profiling for profit
The consumer groups’ submission to the Senate committee also raises broad concerns that the liberalisation of customer data will result in more customers being “profiled for profit”, lifting levels of exploitation in the market.
Banks are highly sensitive to the potential negative impact of pricing products and services based on customer risk – which open banking will facilitate – given rising community expectations around their social licence following the Hayne royal commission.
“Much of the promise of fintech is that more tailored products and services will be made available with lower fees or lower loan interest rates for many banking customers,” the submission said.
“However, the flip side to lower fees and interest rates for some is that costs will increase for others. These ‘others’ will undoubtedly be Australia’s most vulnerable, disadvantaged and financially stressed households.”
It points to problems being especially acute in insurance. FinTech Australia wants the CDR extended to the insurance sector, but the consumer groups said this would result in fewer insured people being treated as “average” risk, and premiums rising for higher risk customers.
“There are key issues of fairness and equity which this committee should consider and address,” the submission says.
“Algorithmic decision making in the financial services sector has great potential to introduce bias into decision making particularly for marginalised consumers.”
An ethical framework for AI should be legally enforceable and potentially introduced via a code of practice backed by the ACCC’s consumer data right rules, it suggests.