
Security and verification concerns dog debate over Data (Use & Access) Bill
With the long-awaited Data (Use & Access) Bill returning to the House of Commons on 7 May, there remain pros and cons in the bill in relation to financial crime and cyber security
There is much to be welcomed in the UK’s latest revision to data legislation, which has had a multi-year marathon from inception as the Data Protection & Digital Information Bill and other iterations to its new form as the Data (Use & Access) Bill.
Perhaps foremost in the benefits within the bill is the explicit encouragement for organisations to share data to combat financial crime, in particular the move from “legitimate interest” towards “recognised legitimate interest”.
In essence this allows organisations to work on the assumption that data can be shared in set circumstances. This then allows for automated data sharing in real time, essential in a world of faster payments where human intervention is not realistic.
The bill also goes a long way to create the exciting new smart data economy. As its regulatory impact assessment notes, it builds all smart data on the success of open banking.
The UK has been a pioneer in open banking and as April’s Global FinTech Week attested, the UK’s fintech scene continues to be a world leader and a huge contributor to the government’s growth agenda.
As last year’s report with then Lord Mayor Michael Mainelli notes, the Data Bill will move the UK “Beyond fintech to ubiquitech”. This creates opportunities for many other smart data sectors to follow in fintech’s footsteps and create burgeoning new industries - medtech, insurtech, or any of the other sectors that are built on the ubiquitous technologies that underpin the digital economy.
One bill to rule them all
As the report describes, the Data Bill is the “one bill to rule them all”. Many other acts of Parliament passed recently rely almost entirely on the data provisions within the new bill to optimise their performance.
The Economic Crime & Corporate Transparency Act, for example, relies on the “recognised legitimate interest” to allow it to scale, and the Companies House reforms require the verification of directors to be defined. Unfortunately, this is where the standards envisaged and signposted to are a dramatic fail, not only opening the door to future abuse but baking in existing fraudulent activity.
Regular readers of Computer Weekly over the last few decades may well recall the ongoing debate as to whether British Gas bills (other utility documents are available) were really the international gold standard for identity security, a practice the financial services sector has consistently argued runs counter to effective security.
Yet the current “trust” framework - which you can’t trust as there is no liability model behind it - is still harking back to the Gov.uk Verify era Good Practice Guidelines (GPGs).
For those unfamiliar with the GPGs, they are so called because they provide a guide to good practice that slightly disorganised criminals can follow so they can more readily circumvent controls.
For those of you who follow the excellent Dark Money Files, we can all agree that even the disorganised criminals need no more help in practising their online filing. However, reference to GPGs in the Data (Use & Access) Bill would cement these flaws into the system.
Given that the bill now builds on open banking it is somewhat counter-intuitive that the addition of all other smart datasets onto open banking should weaken security controls across the board just because the other datasets do not currently have to meet financial services security controls.
Security vulnerabilities
Outside financial crime, failure to address cyber security vulnerabilities risks the general public’s trust in the handling of their data. Some will recall the collapse of the NHS National Programme for IT in 2012, in large part due to the public’s justified concerns about the lack of security over how their data was being handled.
Secretary of state for health and social care Wes Streeting has recently made some excellent points about the need to optimise application of the huge national asset that is NHS data, but this is highly unlikely to be realised without bringing public trust and confidence with it.
With the majority of the population having been a victim of financial crime, it is scarcely reassuring to then inform them that a lower security standard is being adopted for their medical records should they consent to use such services, and this urgently needs to be amended.
Meanwhile, we heard from the Office for National Statistics last month that fraud - already the largest form of crime, responsible for 41% of all crime - is still accelerating. Moreover, this is despite the stronger sector-specific security standards that exempted financial services from the Network Infrastructure Systems Directive (NIS) a decade ago.
The juxtaposition of NIS2 and the Digital Operational Resilience Act (DORA), coming through from the European Union, with a watering down of already lax financial services controls does not bode well for a UK “trust framework”.
The forthcoming Cyber Security & Business Resilience Bill is to be welcomed in aiming to address the vulnerabilities in UK critical national infrastructure, a concern highlighted recently by Heathrow Airport’s closure and the switch-off of Spanish and Portuguese power grids.
Even here, however, strong authentication is critical, as shown in the analysis of the Colonial Pipeline shutdown, discovered to be a basic failure of multi-factor authentication.
Know your customer (KYC) and anti-money laundering (AML) controls ought to be set at a bare minimum, but even beyond that financial services really ought to be implementing the guidance that UK Finance adopted back in 2018 as part of its commitment to the Payment Systems Regulator’s payment strategy forum’s financial crime working group.
Regulatory guidelines
While British standards were adopted at the time as meeting the need for regulatory guidelines, these security measures have yet to be effectively implemented in any organisation, with disparate elements merely being patched together in disjointed fashion.
If that were to actually manifest then the UK could have a true Dreadnought moment, providing actual identity security, potentially offered internationally, for a robust, resilient, secure and actually trusted framework. But until then, we have a lowest common denominator which will ensure that organised crime flourishes on the back of photoshopped driving licences and gas bills.
And for those who are heartened by the inclusion of international biometric chip passports, a quick note that many of our key adversaries are state-sponsored organised crime gangs.
While access to corrupt officials in certain nations has always been a concern, we now have multiple states actively attacking UK services. For those of you who follow Dark Money Files, you will be aware of the scourge of innocent members of the public having their home addresses utilised for fraud.
The Economic Crime and Corporate Transparency Act is supposed to tackle this, but the currently envisaged verification “solution” will simply allow Adolf Hitler to verify that he does indeed live at your address. Having done so this will likely make it even more difficult for you to have his companies that are registered at your home to be taken down.
Ill-fated fiasco
In conclusion, the Data (Use & Access) Bill has much in it which could prove to be a gamechanger both in combatting financial crime and cyber security flaws, but also in allowing a new swathe of smart data applications to transform the UK economy and drive growth.
But if trust in the verification of individuals and organisations is fundamentally undermined by inappropriate and provably vulnerable processes then we risk the ill-fated Gov.uk Verify fiasco dragging on for yet another decade.
Andrew Churchill is policy director at the Cyber Security & Business Resilience Policy Centre and author of the British Standard in Digital Identification & Strong Customer Authentication (BSI PAS499).