Bank Chief Broadsides Counter-Terrorism Data Demands

Australian Banking Association chairman and Commonwealth Bank CEO David Murray last week threw a grenade into the counter-terrorism debate warning the federal government that banks will not allow access to customer data as part of joint information-sharing initiatives.

Addressing CIOs, e-commerce and IT security managers at the ABA's inaugural IT Security Conference in Sydney, Murray said the banking community will not automatically acquiesce to government attempts to arbitrarily fish in, or tinker with, a bank's customer data under the banner of improved security.

Despite media reports to the contrary, Computerworld understands the government's Trusted Information Sharing Network (TISN), a protected forum where business stakeholders share information to combat IT and security vulnerabilities, will not require government access to customer data.

Murray warned that, for banks to operate, customers need total confidence that both their funds and privacy are completely secure. If confidence is eroded an infrastructure collapse of its own can ensue.

"We promise our customers the security of funds in their accounts; this promise is unqualified and we operate to the extent that if funds are removed fraudulently from a client's account, we will immediately repay them," he said.

"We undertake for our clients [the] privacy of information about their relationship with the bank."

Murray also warned that terrorism-related security expenditure is draining revenue and productivity from the financial sector. While thwarting terrorists is imperative, it also means managing out the costs they can create for shareholders.

"The problems of money laundering and terrorism around the world have created what economists now call a new security tax on the world.

That is, the cost of doing what we did yesterday is now higher — for no major incremental return," he said.

"It's terribly important that we apply ourselves to minimise that tax without compromising our security. That means we really have some new skills to deploy here to do our part, as one, critical industry," Murray said, adding that bank customers still expected security, privacy and functionality regardless.

According to Murray, bank customers are now highly intolerant of screw-ups and system failures — and shop very swiftly with their feet. Murray claimed that the risks associated with changing business processes to comply with new regulatory requirements are palpable.

"There is no way any client will deal with a bank with a high and predictable error rate in processing their money," he said.

After noting the CBA's participation and cooperation in recent critical infrastucture consultations between industry and government, Murray's velvet glove came off in relation to information sharing initiatives.

Referring to a critical infrastructure conference he attended last year, Murray said the government had no concept that if it collected information from industry "[the government] should give us some statutory protection to deal with privacy for our clients".

"We already know that we have statutory protection if we are required, by law, to give customer information to the Tax Office. Why should, in dealing with critical infrastructure, there be a different rule? It seemed to me the government was intent, or the bureaucracy was intent, on creating so many new rules that we would forget one thing — and that is how to protect the critical infrastructure," he said.

"So there's a lot we can do, but we need to remind the government that the concept of people trading with one another works best if governments are not involved in it, not if governments are involved. Governments have to provide a very good set of laws to facilitate trading between people. And they have to have an outstanding process of the rule of law to deal with problems that emerge."

Murray's message was not lost on Mike Rothery, director of critical infrastructure assurance for the Attorney Generals Department. Presenting an overview of the government's efforts to protect critical industry from unwanted interference, Rothery reiterated the need to build strong bridges between government and industry.

"Our response to Mr Murray would be to [say to] build up the business case for legislation with the members of that group [other banks and financial institutions]," Rothery said.

Copyright © 2003 IDG Communications, Inc.

The 10 most powerful cybersecurity companies