Who Can Access My Bank Info? Protections Explained


Two brothers - Paul Issa and Phillip Issa - fronted court in Sydney this week, both facing criminal charges after allegedly accessing the personal banking details of Prime Minister Anthony Albanese.

The younger brother, 21-year-old Paul, was a graduate employee of consulting firm EY and on secondment to the Commonwealth Bank of Australia at the time of the alleged offence. He has since been sacked by the firm.

Neither the Issa brothers nor EY has publicly commented on the case. Noting that the matter was still before the courts, Albanese told ABC News Breakfast on Wednesday it was "appropriate that charges have been laid" and that:

accessing anyone's privacy, any Australian's privacy, is alarming.

Regardless of the outcome of this case, these allegations raise some obvious questions.

Who - among bank staff, regulators, technology providers and other third parties - can access our private financial data?

What protections are in place to stop them misusing it? And are there any steps we can take to protect ourselves?

Who can see my bank details?

Within a bank (or other financial institution, such as a superannuation fund), access to your personal information is not a free-for-all.

Authorised access is generally determined by a staff member's role and responsibilities. It is also limited to what is absolutely necessary for legitimate business purposes, a principle called "least privilege" access control.

For example, customer service staff at your bank may be granted access to your information where it is needed to manage your account, answer your queries, or provide basic financial services.

Members of the fraud, risk, compliance or audit teams may also have access to customer information where required to perform their duties. These teams use this data to investigate suspicious transactions, monitor risk and ensure the bank is meeting its legal and regulatory obligations.

Who else can access my data?

Bank staff themselves aren't the only ones who may have access to your financial data. To provide modern banking services, banks also work with a range of third-party providers.

These include technology companies, cloud service and data analytics providers, cybersecurity specialists and consultants.

In similar fashion, these groups may be given access to customer information where necessary to deliver services on behalf of the bank: for example, to improve a bank's core operating system, or detect cyber threats.

But, as with bank staff, this access is governed by strict contractual arrangements, security standards and relevant laws.

In principle, these third parties do not have independent rights to use customer data for their own purposes. They must handle it with care and protect it from unauthorised use.

Does the bank track every click?

Importantly, access to customer data is not unrestricted. It is controlled through internal permissions. Banks typically apply "role-based access controls", which restrict what different staff members can see, depending on their role.

Most banks also maintain detailed monitoring and audit systems. They record when customer information is accessed, who accessed it, and why.

These systems are designed to detect unusual or inappropriate access and support internal investigations where needed.
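To make the two ideas above concrete, here is a small added illustration (not code from the article or from any bank) of a role-based permission check combined with an audit trail that records who accessed which customer, when and why, and a review pass that flags the kinds of access the article describes as inappropriate: attempts the role does not permit, lookups with no recorded reason, and lookups not tied to a piece of work that actually concerns that customer. The roles, actions, staff identifiers and "work item" records are constructed for the example.

```python
"""Role-based access control plus audit trail over constructed access events.

Added illustration only; roles, permissions, staff IDs and the 'work item'
justification check are assumptions made for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set

# Role -> actions explicitly granted to it (least privilege: nothing else is allowed).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "customer_service": {"view_profile", "view_balance"},
    "fraud_analyst": {"view_profile", "view_balance", "view_transactions"},
    "it_contractor": set(),  # infrastructure role: no customer data at all
}


@dataclass
class AccessEvent:
    when: datetime
    staff_id: str
    role: str
    customer_id: str
    action: str
    work_item: str  # ticket or case justifying the lookup; "" if none was supplied
    allowed: bool = False


@dataclass
class AuditLog:
    events: List[AccessEvent] = field(default_factory=list)


def is_authorised(role: str, action: str) -> bool:
    """A role may perform only the actions explicitly granted to it."""
    return action in ROLE_PERMISSIONS.get(role, set())


def request_access(log: AuditLog, when: datetime, staff_id: str, role: str,
                   customer_id: str, action: str, work_item: str = "") -> bool:
    """Gate the request on the role and record who/what/when/why whatever the outcome."""
    allowed = is_authorised(role, action)
    log.events.append(AccessEvent(when, staff_id, role, customer_id, action, work_item, allowed))
    return allowed


def find_suspicious(log: AuditLog, open_work_items: Dict[str, Set[str]]) -> List[str]:
    """Review the trail: denied attempts, permitted lookups with no recorded reason,
    and permitted lookups whose work item does not concern that customer."""
    findings = []
    for ev in log.events:
        if not ev.allowed:
            findings.append(f"{ev.staff_id}: denied {ev.action} on {ev.customer_id} (role {ev.role})")
        elif not ev.work_item:
            findings.append(f"{ev.staff_id}: {ev.action} on {ev.customer_id} with no recorded reason")
        elif ev.customer_id not in open_work_items.get(ev.work_item, set()):
            findings.append(f"{ev.staff_id}: {ev.action} on {ev.customer_id} "
                            f"not linked to work item {ev.work_item}")
    return findings


def demo() -> List[str]:
    """Run a constructed day of access requests through the controls and review them."""
    log = AuditLog()
    # Constructed: which customers each open work item legitimately concerns.
    open_work_items = {"CASE-1001": {"cust-A"}, "CASE-1002": {"cust-B"}}
    t = datetime(2024, 1, 1, 9, 0)
    request_access(log, t, "staff-1", "customer_service", "cust-A", "view_balance", "CASE-1001")  # legitimate
    request_access(log, t, "staff-1", "customer_service", "cust-A", "view_transactions", "CASE-1001")  # beyond role
    request_access(log, t, "staff-2", "fraud_analyst", "cust-C", "view_transactions")  # no reason recorded
    request_access(log, t, "staff-3", "it_contractor", "cust-B", "view_profile", "CASE-1002")  # role has no access
    request_access(log, t, "staff-4", "customer_service", "cust-B", "view_profile", "CASE-1001")  # unrelated case
    return find_suspicious(log, open_work_items)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Note that the permission check alone would pass the third and fifth requests; it is the audit record of the stated reason, reviewed against the work the staff member was actually assigned, that surfaces them. That is the point of the article's observation that monitoring systems record not just who accessed what, but why.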

What the law says

Banks have these sophisticated systems in place because they are required to comply with a range of internal bank policies, security controls and external regulatory obligations.

Most major Australian banks are voluntary members of the Australian Banking Association and subscribe to the Banking Code of Practice. This industry-led framework sets standards for dealing with customers.

Banks must also comply with a range of Australian laws, including the Australian Privacy Principles under the Commonwealth Privacy Act. This is enforced by the Office of the Australian Information Commissioner.

Broader financial services regulation is overseen by key regulators, chiefly:

  • the Australian Securities and Investments Commission (ASIC)
  • the Australian Prudential Regulation Authority (APRA)
  • the Australian Transaction Reports and Analysis Centre (AUSTRAC).

Where access to customer information is improper or unauthorised, it may result in disciplinary action. In serious cases, there could be criminal penalties.

How can we protect ourselves?

Most of the legal responsibility for protecting customer data sits with financial institutions and regulators.

But individuals can still play an important role in protecting their own privacy.

Practical steps include:

  • using strong, unique passwords
  • enabling multi-factor authentication where available
  • regularly monitoring account activity
  • being cautious about phishing attempts or unsolicited requests for banking information.

Some banks offer customers the ability to opt in to data-sharing arrangements through "open banking" (also known as the "consumer data right").

This allows customers to give permission for accredited third parties to access their banking data for specific purposes. For example, this could include comparing mortgage products or managing finances.

Importantly, this access is consent-based, time-limited, and can be revoked by the customer at any time.

While alarming, incidents involving alleged unauthorised or inappropriate access do not necessarily mean governance systems have failed.

In many cases, they highlight that monitoring and control systems are functioning as intended.

The Conversation

The authors do not work for, consult, own shares in or receive funding from any company or organisation that would benefit from this article, and have disclosed no relevant affiliations beyond their academic appointment.

/Courtesy of The Conversation. This material from the originating organization/author(s) might be of the point-in-time nature, and edited for clarity, style and length. Mirage.News does not take institutional positions or sides, and all views, positions, and conclusions expressed herein are solely those of the author(s).