Uplifting cybersecurity controls

Tuesday, 20 August 2019

The New Payments Platform operates with security and fraud front of mind, which is why our regulations require NPP participants to have strict cyber-security and fraud detection processes in place when they offer services via the Platform.

NPP Australia was advised late in the evening of Friday, 16 August 2019 that a number of PayID records and associated data in the Addressing Service were exposed by a vulnerability in one of the financial institutions sponsored into the NPP by Cuscal Limited.  Cuscal has confirmed that the client-side technical issues underlying the exposure were identified and resolved immediately.

The affected data included PayID name and account numbers. None of the details involved can, on their own, enable the withdrawal of funds from a customer’s account without the customer’s specific further involvement.

Financial institutions whose customer details have been exposed have been provided with details so that they can take the necessary action, which includes customer notification and enhanced due diligence over affected accounts.

Cuscal’s client has advised that the appropriate regulatory notifications have been made.

NPP Australia has regulations in place that prohibit disclosure of account data and that require participating financial institutions to have controls to monitor, detect and shut down any attempts to misuse the PayID service.  These regulations incorporate suspension of access to the PayID service by organisations not meeting these requirements, and were recently strengthened by the introduction of non-compliance charges which are expected to be also applied where these controls are not implemented.

Cybersecurity is an issue of paramount importance to NPP Australia.  As part of our ongoing commitment to uplifting cybersecurity controls across the NPP ecosystem and following a similar event in June, we recently commenced implementation of more targeted cybersecurity requirements upon participating institutions, increasing assurance requirements and testing end point security to ensure that the controls are executed as intended.