Whose side is AI on?

At the risk of coming across as some sort of Luddite, recent commentary on Artificial Intelligence suggests that it is only natural to have concerns and misgivings about its rapid development and widespread deployment. Of course, at its heart, it’s just another technology at our disposal – but by its very definition, generative AI is not passive, and is likely to impact all areas of our life, whether we invite it in or not.

Over the next few weeks, I will be discussing some non-technical themes relating to AI – creativity and AI, legal implications of AI, and form over substance when it comes to AI itself.

To start with, these are a few of the questions that I have been mulling over:

– Is AI working for us, as a tool that we control and manage? Or is AI working with us, in a partnership of equals? Or, more likely, is AI working against us, in the sense that it is happening to us, whether we like it or not, let alone whether we are actually aware of it?

– Is AI being wielded by a bunch of tech bros, who feed it with all their own prejudices, unconscious bias and cognitive limitations?

– Who decides what the Large Language Models (LLMs) that power AI are trained on?

– How does AI get permission to create derived content from our own Intellectual Property? Even if our content is on the web, being “publicly available” is not the same as “in the public domain”.

– Who is responsible for what AI publishes, and are AI agents accountable for their actions? In the event of false, incorrect, misleading or inappropriate content created by AI, how do we get to clarify the record, or seek a right of reply?

– Why are AI tools adding increased caveats? (“This is not financial advice, this is not to be relied on in a court of law, this is only based on information available as at a certain point in time, this is not a recommendation, etc.”) And is this only going to increase, as in the recent example of changes to Google’s AI-generated search results? (But really, do we need to be told that eating rocks or adding glue to pizza are bad ideas?)

– From my own experience, tools like ChatGPT return “deliberate” factual errors. Why? Is it to keep us on our toes (“Gotcha!”)? Is it to use our responses (or lack thereof) to train the model to be more accurate? Is it to underline the caveat emptor principle (“What, you relied on Otter to write your college essay? What were you thinking?”). Or is it to counter plagiarism (“You could only have got that false information from our AI engine”). If you think the latter is far-fetched, I refer you to the notion of “trap streets” in maps and directories.

– Should AI tools contain better attribution (sources and acknowledgments) in their results? Should they disclose the list of “ingredients” used (like food labelling)? Should they provide verifiable citations for their references? (It’s an idea that is gaining some attention.)

– Finally, the increased use of cloud-based services and crowd-sourced content (not just in AI tools) means that there is the potential for overreach when it comes to end user licensing agreements by ChatGPT, Otter, Adobe Firefly, Gemini, Midjourney etc. Only recently, Adobe had to clarify the latest changes to their service agreement, in response to some social media criticism.

Next week: AI and the Human Factor

Banking Blues (pt. 481)

Last week, I attended a networking evening for Intersekt, Australia’s largest annual fintech conference. Billed as the “flagship event of the Digital Innovation Futures Victoria Festival”, the 2-day event is supposed to take the pulse of Australian fintech – by highlighting current industry trends, showcasing local success stories and identifying areas for future growth and collaboration. I wasn’t able to attend the 2-day conference itself, but based on the networking audience, and the program agenda, it feels like there is very little “innovation” these days, and certainly not among the major banks.

The fintech product focus is still very much on payment solutions and open data – even though we’ve had the NPP and Open Banking for several years – plus SME lending (since the major banks have largely abandoned cashflow lending, just as they have exited wealth management and financial planning). There was barely an hour of the conference given over to crypto currencies and digital assets, and from what I could see, no sessions dedicated to Blockchain technology.

Challenger or neo-banks have not managed to gain traction in Australia, mainly due to the dominance of the incumbent banks, especially the so-called Big 4, which continue to enjoy an entrenched oligopoly protected by regulation. Despite Financial Services (banks, diversified financials and insurance) forming the largest sector (27%) of the ASX 200, it is highly concentrated and appears structurally designed to keep out competition (and hence, stifle innovation).

Indeed, I cannot think of a single new product that my bank has introduced in the 20 years I have been a customer. Over that time, I have held both personal and business accounts with this bank – mortgages, investment loans, credit cards, transaction accounts and savings products. They no longer offer wealth management services under their own name, and the share trading account I hold with them is actually operated by a foreign financial institution. At the same time, the bank has been shuttering branches, and disbanding services, often without any notice or customer communication.

My frustration with this bank goes unheeded – if anything, the customer service has worsened, often under the guise of “the Royal Commission”. The latter has no doubt given rise to staff cuts to pay for greater compliance costs, and is used to justify over-bureaucratic customer processes. Meanwhile, every time I raise a complaint, I’m told it’s the bank’s “systems” that are to blame, or their third-party service providers – it’s never the bank’s own fault, and they never take responsibility or demonstrate accountability.

These are just the latest incidents in a litany of poor customer experience:

1. A simple title transfer involved me visiting three different branches (thanks to branch closures and rotating staff), plus e-mailing and phoning an interstate office (at least the settlement was probably executed on Pexa’s blockchain-enabled platform…)

2. A glitch in setting up a replacement bank-issued credit card in my digital wallet was blamed on the card provider’s technology (even though I had just successfully linked this same card to my smart watch). I hope the bank has robust SLAs with this third party…

3. Some unsolicited (and highly misleading) e-mail marketing sent out under the bank’s name was blamed on another third-party provider (surely the bank must authorise what communications are issued in its name?)

4. I spent over 2 hours in a branch to open some basic term deposits in the name of existing businesses that already have client profiles and accounts with this same bank – a combination of bureaucracy, slow technology and cumbersome processes which still involve wet signatures on hard copy documents.

5. In the process of setting up one of these business accounts, it turns out the bank had the wrong company details on their core records, even though the statements are sent to the correct address. I advised the bank of the change of address several years ago, but despite the findings of the Royal Commission, the bank has not bothered to run a check on the ABN register, which is free to use, to check the company details.

The really depressing thought is that even if I switch banks, I will probably run into similar problems elsewhere!

Next week: Non-binary Politics?

Trust in Digital IDs

Or: “Whose identity is it anyway?”

Over the past few years, there have been a significant number of serious data breaches among banks, utilities, telcos, insurers and public bodies. As a result, hackers are able to access the confidential data and financial records of millions of customers, leading to ransomware demands, wide dissemination of private information, identity theft, and multiple phishing attempts and similar scams.

What most of these hacks reveal is the vulnerability of centralised systems as well as the unnecessary storage of personal data – making these single points of failure a target for such exploits. Worse, the banks and others seem to think they “own” this personal data once they have obtained it, as evidenced by the way they (mis)manage it.

I fully understand the need for KYC/AML, and the requirement to verify customers under the 100 Points of Identification system. However, once I have been verified, why does each bank, telco and utility company need to keep copies or records of my personal data on their systems? Under a common 100 Points verification process, shouldn’t we have a more efficient and less vulnerable system? If I have been verified by one bank in Australia, why can’t I be automatically verified by every other bank in Australia (e.g., if I wanted to open an account with them), or indeed any other company using the same 100 Points system?

Which is where the concept of Self-Sovereign Identity comes into play. This approach should mean that with the 100 Points system, even if initially I need to submit evidence of my driver’s license, passport or birth certificate, once I have been verified by the network I can “retrieve” my personal data (revoke the access permission), or specify with each party on the network how long they can hold my personal data, and for what specific purpose.

This way, each party on the network does not need to retain a copy of the original documents. Instead, my profile is captured as a digital ID that confirms who I am, and confirms that I have been verified by the network; it does not require me to keep disclosing my personal data to each party on the network. (There are providers of Digital ID solutions, but because they are centralised, and unilateral, we end up with multiple and inconsistent Digital ID systems, which are just as vulnerable to the risk of a single point of failure…)

But of course, banks etc. insist that not only do they have to ask for 100 Points of ID each and every time I open an account, they are required to retain copies or digital versions of my personal data. Hence, we should not be surprised by the number of data hacks we keep experiencing.

The current approach to identity in banking, telcos and utilities is baffling. Just a few examples I can think of:

1. In trying to upgrade my current mobile phone plan with my existing provider, I had to re-submit personal information via a mobile app (and this is a telco that experienced a major hack last year, resulting in me having to apply for a new driver’s license). If I have already been verified, why the need to ask for my personal data again, and via a mobile app?

2. I’ve lived at my current address for more than 5 years. I still receive bank statements intended for the previous occupant. I have tried on numerous occasions to inform the bank that this person is no longer living here. I’ve used the standard “Return to Sender” method, and tried to contact the bank direct, but because I am not the named account addressee or authorised representative, they won’t talk to me. Fair enough. But, the addressee is actually a self-managed superannuation fund. Given the fallout from the Banking Royal Commission, and the additional layers of verification, supervision and audit that apply to such funds, I’m surprised that this issue has not been picked up by the bank concerned. It’s very easy to look up the current registered address of an SMSF via the APRA website, if only the bank could be bothered to investigate why the statements keep getting returned.

3. I have been trying to remove the name of a former director as a signatory to a company bank account. The bank kept asking for various forms and “proof” that this signatory was no longer a director and no longer authorised to access the account. Even though I have done this (and had to pay for an accountant to sign a letter confirming the director has resigned their position), if the bank had bothered to look up the ASIC company register, they would see that this person was no longer a company officer. Meanwhile, the bank statements keep arriving addressed to the ex-director. Apparently, the bank’s own “systems” don’t talk to one another (a common refrain when trying to navigate legacy corporate behemoths).

In each of the above, the use of a Digital ID system would streamline the process for updating customer records, and reduce the risk of data vulnerabilities. But that requires effort on the part of the entities concerned – clearly, the current fines for data breaches and for misconduct in financial services are not enough.

Next week: AI vs IP

Open Banking and the Consumer Data Right

While most of Australia has been preoccupied by things such as Covid-19 lock-downs, border closures, which contestant got eliminated from Big Brother/Masterchef, and which federal politician went to an NRL game (and depending on which State you live in), the ACCC has implemented the first phase of the Consumer Data Right regime (aka Open Banking).

The TLDR on this new regulation, which has been several years in the making, can be distilled as follows:

Banks can no longer deny customers the right to share their own customer data with third parties.

So, in essence, if I am a customer of Bank A, and I want to transfer my business to Bank B, I have the right to request Bank A to share relevant information about my account to Bank B – Bank A can no longer hold on to or refuse to share that information.

Why does this matter? Well, a major obstacle to competition, customer choice and product innovation has been the past refusal by banks to allow customers to share their own account information with third party providers – i.e., it has been an impediment to customer switching (and therefore anti-competitive), and a barrier to entry for new market entrants (and therefore a drag on innovation).

Of course, there are some caveats. Data can only be shared with an accredited data recipient, as a means to protect banking security and preserve data privacy. And at first, the CDR will only apply to debit and credit cards, transaction accounts and deposit accounts. But personal loans and mortgages will follow in a few months. (And the CDR is due to be extended to utilities, telcos and insurance in coming years – going further than even the similar UK Open Banking scheme.)

Although I welcome this new provision, it still feels very limited in application and scope. Even one of the Four Pillar banks couldn’t really articulate what it will actually mean for consumers. They also revealed something of a self-serving and defensive tone in a recent opinion piece:

“Based on experience in other markets, initial take up by consumers is likely to be low due to limited awareness and broader sensitivities around data use.”

Despite our fondness for bank-bashing (and the revelations from the recent Royal Commission), Australians are generally seen as being reluctant to switch providers. Either because it’s too hard (something that the CDR is designed to address), or customers are lazy/complacent. In fact, recent evidence suggests existing customers of the big four banks are even more likely to recommend them.

For FinTechs and challenger brands, the costs of complying with some aspects of the CDR are seen as too onerous, and as such, act as another impediment to competition and innovation. Therefore, we will likely see a number of “trusted” intermediaries who will receive customer data on behalf of third party providers – which will no doubt incur other (hidden?) costs for the consumer.

Full competition will come when consumers can simply instruct their existing bank to plug their data into a product or price comparison service, to identify the best offers out there for similar products. (Better still, why not mandate incumbents to notify their existing customers when they have a better or cheaper product available? A number of times I have queried the rate on an existing product, only to be offered a better deal when I suggested I might take my business elsewhere.)

Recently, my bank unilaterally decided to change the brand of my credit card. Instead of showing initiative by offering to transfer my existing subscriptions and direct debits to the new card, the bank simply told me to notify vendors and service providers myself. If I didn’t request the change of card, why am I being put to the inconvenience of updating all my standing orders?

For real innovation, we need banks and other providers to maintain a unified and single view of customer (not a profile organised by individual products or accounts). Moreover, we need a fully self-sovereign digital ID solution, that truly puts the customer in charge and in control of their own data – by enabling customers to decide who, what, when, why and for how long they share data with third parties. For example, why do I still need 100 points of identity with Bank B if I’m already a client of Bank A?

Finally, rather than simply trying to make money from managing our financial assets, banks and others have an opportunity to ensure we are managing our financial data in a more efficient and customer-centric way.

Next week: Counting the cost of Covid19