Australian bank regulator urges more work on biometrics in ePayments Code
The Australian Securities and Investments Commission (ASIC) has denied Australian banks the changes they sought to the ePayments Code due to unresolved questions about biometrics technology, mobile devices, and the role of consumers in securing their devices.
The ePayments Code regulates consumer electronic payment transactions, credit card transactions, online payments, internet and mobile banking, and BPAY in Australia. Most Australian banks, credit unions and building societies currently adhere to the Code, along with a number of non-banking businesses. The ASIC’s latest report on proposals to the Code is part of a long-running inquiry into digital payments, encompassing biometrics and modernizing definitions like ‘device.’
In its report, the ASIC rejected the banking industry’s recommendations for including biometrics in the Code. It cited hesitation about the term “authentication method” and about accommodating biometric authentication without more clarity on what the proposal is attempting to address. The report says the banking industry sought a “fulsome” modernization of the Code and a holistic accommodation of biometric authentication, rather than identifying specific existing provisions under which the concept could be accommodated within existing parameters. One industry suggestion for modernizing the Code was to require the ASIC to consider how consumers use their electronic devices, and the impact on the security of virtual credit and debit cards in the event that a consumer’s personal electronic device is compromised or lost.
The banking industry cited concerns and a need to establish a unique set of rules to address consumer protection when devices are used for payments, and the obligations of subscribers regarding personal devices manufactured by entities that do not follow the Code. The industry noted that “extreme carelessness” in protecting passcodes would be equivalent to a consumer allowing another person remote access to their computer or smartphone and giving away passwords, or allowing remote access while logging into their internet banking.
Other industry concerns include the need for standalone rules for biometrics, because a consumer does not keep a biometric secret in the way a password is kept secret; a consumer cannot give away a biometric as they can a passcode, nor does the Code define “extreme carelessness”; and the Code may need to prohibit users from allowing third parties biometric access to their personal electronic devices if those devices have digital payment methods enabled or access to mobile banking. The industry also points to problems if the ASIC diverges too far from the Privacy Act’s definition of biometrics, and to the rapidly changing nature of the technology.
The ASIC concludes that “further work is needed to ensure that the benefits of accommodating biometric authentication within the Code are balanced appropriately against implications stemming from consumers’ use of such technology,” and that biometrics need to be better defined.
Face biometrics were used for identity verification to distribute relief payments from Services Australia to people whose documents were lost or destroyed in 2020’s massive bushfires.