Geopolitical tensions intensify operational risks for Aussie banks

George Lekakis

ASX-listed BNPL provider Openpay yesterday moved to dispel concerns that data relating to its Australian customer base was being stored or used by an external service provider in Ukraine.

In a privacy disclosure statement published on its website, Openpay tells customers that it may use or store Australian customer information with offshore suppliers in six countries, including Ukraine.

“Your personal information (including credit information and credit eligibility information) may be used, stored and/or accessed or otherwise disclosed by staff operating outside of Australia working for us, other members of our group or suppliers,” the company states in its privacy policy.

“These parties may not have an Australian link and may include entities located in the United Kingdom, Philippines, Israel, Ukraine, USA and Ireland.”

However, a company spokesperson yesterday denied that local customer data was stored anywhere in the besieged Ukrainian republic, which was invaded by Russian forces on 24 February.

“Openpay does not operate or store data in Ukraine,” the spokesperson said in an emailed response to questions put by Banking Day.

“Openpay has no third-party service being provided in Ukraine.”

The spokesperson confirmed that the company previously used the services of a Ukrainian software developer but the contract ended about two years ago.

The Russian invasion of Ukraine along with rising geopolitical tensions between the United States and China appear to be increasing the operational risks of Australian banks, most of which say they share Australian customer data with offshore service providers.

Some of the international jurisdictions that Australian banks share customer information with seem highly problematic given recent escalations in geopolitical discord.

CBA, NAB, Suncorp and ANZ disclose in their privacy policies that they share information with entities in China, while Bank of Queensland’s customers have exposure to at least one service provider in Mongolia.

The Bank of China’s Australian subsidiary, which is regulated by the Australian Prudential Regulation Authority, reserves the right to share local customers’ information with its Beijing-based parent, the group’s Moscow subsidiary and external service providers based in Russia, Kazakhstan and Panama.

The idea that Bank of China’s Aussie arm would be sharing customer information with entities in these locations would probably dismay most Australians in the current environment.

Operational risk expert Patrick McConnell believes rising geopolitical tensions should compel directors of Australian banks and financial institutions to review their outsourcing arrangements with offshore providers.

"For decades Australian and other banks have been outsourcing processes to more external providers which has led them into all sorts of operational risks - technical and political risks," he said.

"The minute you let someone else access your data and processes you become incredibly at risk."

While APRA has repeatedly told local banks that they wear the risk of external providers compromising processes and confidential data of Australian customers, the regulator has not done much to ensure that banks give retail and business customers specific details about how their personal data is shared or used overseas.

Disclosures in the privacy policies of Australian banks are notable for their brevity, with most institutions giving customers only an indicative sense of where their information might be used overseas.

"APRA has made it clear that the buck stops with the boards of Australian banks on managing operational risk,” McConnell said.

“It's not clear to me at the moment whether boards are meeting that responsibility.

"Outsourcing is an operational risk nightmare in normal times but the perils to regulated financial institutions are magnified by wars or when geopolitical tensions intensify," McConnell said.