Note: Where available, the PDF/Word icon below is provided to view the complete and fully formatted document
Select Committee on Financial Technology and Regulatory Technology

MORRIS, Mr Michael, Head of Technology, Up

SHAY, Mr Xavier, Senior Engineer, Ferocia


CHAIR: I welcome Mr Michael Morris and Mr Xavier Shea from Up.

Mr Morris : Just to clarify: we work for a company called Ferocia. Up is technically a collaboration between our company, Ferocia, and Bendigo and Adelaide Bank.

CHAIR: Information on parliamentary privilege and the protection of witnesses and evidence has been provided to you or your associates. Would you like to make an opening statement?

Mr Morris : Yes. Our business, Ferocia, was established in 2002. Throughout that time we've been working in the fin-tech space, primarily with Bendigo and Adelaide Bank. Specifically, we build their whole internet banking platforms: web, mobile, iOS and Android applications. In October 2018, working with Bendigo and Adelaide Bank, we launched, effectively, a new brand to market called Up, which has been a success. In its first eight months, from October 2018, it acquired over 100,000 customers. We believe it to be the fastest-growing digital bank in Australia at this stage.

In our capacity we're not the regulated entity here. In terms of the way the relationship works between the two companies, Ferocia and Bendigo Bank, we're responsible for customer experience and enforcing a lot of the regulatory processes on customers and producing reporting, and, as such, have a view to them, but we are certainly not the regulated entity from a banking perspective.

CHAIR: You don't have a licence?

Mr Morris : Correct.

CHAIR: That's okay. You don't have to have a licence. I mean, you do have to have a licence to do banking, but that's okay.

Senator MARIELLE SMITH: Thank you for appearing today. Can you clarify, going down another level, what you do versus what the banks do in Up?

Mr Morris : We provide the customer experience: how it looks and how it feels. Primarily, why are customers choosing our services as opposed to CommBank, ING and NAB, or indeed switching from those services to us? It's due to the experience that we built. That's kind of our company.

Senator MARIELLE SMITH: So the software customer experience is you, but the service's products and underpinning are the bank?

Mr Morris : The financial product is issued by Bendigo and Adelaide Bank but, yes, the customer experience and even the security of the operations and all those sorts of things are maintained and run by our company, except for, obviously, the core banking platforms, payment integrations and those sorts of things.

Senator MARIELLE SMITH: Thank you. That is helpful in clarifying. Where, anecdotally, Bendigo and Adelaide Bank have been involved in the sector in a very collaborative and supportive way with helping fin-techs get off the ground, I'm interested in your experience of working with them. Obviously they're a considerable bank but not one of the big four. Are there lessons from your experience with Adelaide and Bendigo that could be replicated across the sector or things you'd like to see the big four or other players in the market do?

Mr Morris : Sure. I think the success of our collaboration has certainly, I guess in my conversation with peers in the industry, provided more of an impetus for others, indeed the big four or other regulated entities, to collaborate more with fin-tech. For us, Up is sort of an overnight success story if you will, but it has been eight years of working on that relationship and how we work together to get to that point.

Senator MARIELLE SMITH: That's a long night!

Mr Morris : Yes! I don't think that that is escapable. This is a serious business in a serious industry that we're operating in. This is people's money, people's livelihoods. I sometimes see a perception from some fintechs: 'I used to work on small websites on the weekend. I should immediately be able to potentially play in this space,' but without those years of rigour and experience, which I actually think are important.

Mr Shay : It's been the lessons learned, as well. One is that we tried a couple of different ways in how we arranged the partnership, if you like. As Mike mentioned, we also work with them on their internet mobile banking. I think one thing we found to be working relatively well at the moment is: conceptually, Ferocia is a distributor of their financial product. It's almost more like wholesaling. This is not a technically accurate description but it's conceptually accurate. We're taking care of the company experience. We also do all the marketing and we also do a lot of the frontline support. Giving us the flexibility to run with new ways of doing that gives us a good wall between, 'You focus on the wholesaling part of: what's the core product that we can resell?', and I think that's a model that's working quite well for us. But there have been some interesting things in the regulatory space that we have had to work through, because, as far as we could tell, we were the first to do a lot of this stuff.

Mr Morris : We were the first in Australia.

Senator MARIELLE SMITH: Can you expand on that a bit? What were the key challenges you did find?

Mr Shay : Do you want to talk about APRA and the cloud stuff?

Mr Morris : Certainly. It's early days. From a technology perspective, one of our core differentiators in the market is that we're ultimately a technology company building a banking product as opposed to a bank trying to build a technology product. That's a pretty core difference. For us, we played quite a significant relationship introducing Google—we're hosted on Google cloud—to APRA. It was a challenge that no financial institution's data was hosted on the Google cloud platform before. It launched in July 2017, and we performed our first deploy to it, I think, in September 2017. That was hard. And I know APRA has done work to this effect, but providing clearer guidance on how to approach cloud platforms, so you can leverage that technology benefit, is something that would have benefited us.

Mr Shay : Another example could be that we recently announced that we're doing a partnership with TransferWise to facilitate international payments. TransferWise is also a regulated entity in Australia. What we've found, in working with Bendigo and Adelaide on getting this partnership set up, is that a lot of the regulations specifically around AML/CTF, sanction screening and that type of regulation are either a little bit unclear or a little bit hard to negotiate, in the sense that we have two parties now and they're both regulated entities. How do we do this in a sane way that provides a decent customer experience without, effectively, everybody having to say: 'Hi, we're Bendigo. Who are you?' or: 'Hi, we're TransferWise. Who are you?' It's been quite a lot of work to interpret the regulations and work our way through to find a line there that actually provides a good customer experience.

Senator MARIELLE SMITH: In terms of the product Up specifically, who is your main customer market? Are you appealing to a younger consumer base who are already online and operate in that space anyway or is it universal in appeal?

CHAIR: Like us.

Mr Morris : Absolutely! No doubt you guys are all customers or you could be after this; I can do a product pitch later on. Our average customer age is 24 and our largest customer cohort is 19, so it's certainly the younger generation of customers—pre-millennials, if you will.

Senator MARIELLE SMITH: So, pretty safely, not us.

CHAIR: I'm a millennial.

Senator MARIELLE SMITH: I'm a millennial too; I'm younger than you! We digress. I'm interested in some of the comments you made around Australia not necessarily being a place of high-cost labour for fintechs and regtechs. Obviously that's contrary to other views which have been presented to us. Can you dip into that a bit and explain what you mean there?

Mr Shay : That comment primarily came from me. I've spent the last eight years in the US as a hiring manager hiring engineers in the US and competing in that market. I worked at Square, which you might be familiar with—they also have a presence in Australia—so I'm very familiar with what I paid. I think I was directly responsible for about 60 engineers' salaries and was involved a lot more over seven years. Plus, I knew what Google, Facebook and Netflix were offering, and they're just not comparable. The biggest component here—if you purely look at cash compensation, it's pretty close. But the prevalence of equity compensation here is virtually non-existent, whereas, in the States, it was a big part. I was in San Francisco, but it was also in New York, Atlanta, Seattle and a few other markets. Pretty much every technology company there is offering equity as a non-trivial part of compensation or compensating. For instance, Netflix famously doesn't do this, but they pay their senior engineers close to half a million dollars—then total compensation for Google, Facebook and Square is around there, and we're short of that here. That's primarily where that comment came from. I was like, 'Look, maybe there's data to support that, but it doesn't match my experience.'

Senator MARIELLE SMITH: What do you think is driving that? Another piece of evidence we've had is that there's a real shortage, particularly in terms of developers in Australia, so it's not easy to get talent. The layman's view would be that that would drive the cost of those employees up, whereas, in Silicon Valley you'd imagine there's a greater quantity of developers.

Mr Shay : There are more people trying to hire them though. I've found it easier to hire in Melbourne than in San Francisco specifically. A lot of companies in the US are actually moving out of San Francisco because the cost of labour is so high, and even with the cost of labour so high it's hard to find people. That said, I do believe the cost here is going up. So it is trending up, but it just hasn't caught up yet, I guess.

Mr Morris : We have companies like Square and Zendesk choosing to open Melbourne offices. They're opening Melbourne offices because there are talented engineers here and they are more affordable, or at least comparable to hire to the US mothership, if you will. I think a lot of organisations—how can I put this politely?—potentially aren't great at attracting good talent through sometimes not being great places to work. We've been very fortunate in the talent that we've been able to attract, but we're building a good product in an interesting space, we empower our engineers, we have good remuneration and a good office, and I think you need all those things. It's not enough to simply say, 'I should have engineers beating down my door.' Why?

Mr Shay : Yes, I would answer it that way. I feel like we don't compete on price very often. It's more about what it's like to work there. You hit this certain point where it's like, 'Yeah, okay, that's a good amount of money. What else can you give me?' in a sense.

Senator MARIELLE SMITH: It's really interesting to me, because one of the calls we've had is for perhaps a different category of visa or an expansion of leniency in our visa system so that people can hire from overseas. But it seems to me that your evidence suggests that we've got great people here and that the issue of shortages of developers isn't an Australia own problem and perhaps it's about what you do as a business to attract them.

Mr Morris : I absolutely fully accept that other organisations have problems recruiting good talent. Personally, I'm responsible for all our hiring. I get approached every day by great engineers at some of the bigger financial institutions, and they actually struggle to get anything done, and job satisfaction in their current work is low. It's not that they're not a great, motivated engineer, it's just that sometimes in other organisations it can just be too difficult to get anything done. The organisation feels like, 'I just can't get good people.' It might be that the organisation struggles to retain those people for other reasons.

Mr Shay : I think that we do hire virtually all the good people we can find, so I still would be in support of easy visas or whatever to hire people. I don't want to say, 'Oh yeah, there's no shortage.' It's still hard to hire people; it's just comparative.

Senator MARIELLE SMITH: I guess it's a question of priorities and relativities.

Mr Morris : That's the important thing about our company—it's not the technology that we've built; it's the people that we've hired.

Senator MARIELLE SMITH: Is Australia an exciting place for a young person who has an ambition to work in fintechs and regtechs to be? Does our regulatory environment allow people to get excited about opportunities and potential, or do young people say, 'I'd like to stay in Australia, but I could do more exciting or better things in a better jurisdiction'?

CHAIR: That's a great question.

Mr Shay : I went to San Francisco, so that probably tells you something. It is pretty good, though.

Mr Morris : Specifically on fintech, I don't think I can give an authoritative answer. In terms of engineers in general, we had an absolutely amazing designer. He went to work at Instagram, in San Francisco. He is one of their lead designers over there now. We pretty much packed his bags for him. That's an incredible opportunity to work on a product of that scale. We have some fairly big, successful software companies in Australia. I think we could do a better job—and the US and the UK do a great job—of representing that externally. We could ultimately attract more talent into Australia by better telling their stories. It is the Atlassians and the Canvas. Here in Melbourne it is the Culture Amps and those sorts of things—Envatos.

Mr Shay : I recognise this is the committee on fintech so you have to frame it like that. But I think for more people it's not about fintech specifically; it's about start-ups more generally, and fintech can play a big part in that. That is how I see it. Are there fun, exciting and useful start-ups happening in Melbourne and Australia? Are there good fintech ones? Yes, there are a few. But you can also look at other industries. My guess is that people look at the wider view rather than fintechs specifically.

Senator MARIELLE SMITH: Do you see a role for government, a role for parliament, in telling that story and spreading that message, or is that something you think needs to happen from within the sector?

Mr Morris : The US and the UK, from what we've seen, do a good job of telling those success stories—

Senator MARIELLE SMITH: Their governments?

Mr Morris : Yes. And I think the government could provide a better platform to promote those sorts of things externally.

Senator SCARR: Mr Morris and Mr Shay, I am interested in your personal backgrounds. There was some discussion earlier today about whether the people who get high distinctions in high school and then go to university are the ones who end up in this space or whether there have to be other pathways. I am interested to know your personal backgrounds in terms of education and experience.

Mr Morris : I grew up in Tassie. I moved to Melbourne for university and studied at Monash University from 2001 to 2003.

Senator SCARR: What did you study?

Mr Morris : Computer science. I ended up founding a computer repairs company. That got acquired. I became the technical director of a media website called The Conversation. I was basically employee No. 1 there and built that. I—

Mr Shay : I was employee No. 2!

Mr Morris : I hired this guy.

CHAIR: Was Michelle Grattan there then?

Mr Morris : No. That was before my time. One of the people who funded the tech team at the time was Michael Hart, the CEO of the Commonwealth Bank. I was interested in what could be achieved in banking because I didn't think that the products being put out into the market were as strong as the products being put out in other industries. So I almost ended up working at Commonwealth Bank. But then I heard about Ferocia and ended up joining them in 2002 and have worked there ever since.

Senator SCARR: Mr Shay?

Mr Shay : Similar. I grew up in Geelong I went to Swinburne University and studied a bachelor of technology in 2006 or thereabouts. And then I got into the start-up scene here. I worked at Red Bubble, now a public company in Australia, back when they were new. I worked at Clear Grain, which was co-founded with Ferocia, their previous company. I worked with Mike at The Conversation, as you mentioned. I ran start-ups in Melbourne for about five or six years. Then I moved to San Francisco and got recruited at Square. Part of my move, in relation to some earlier questions, was that I wanted to work for a bigger company, see the world a bit then bring my experience back to Melbourne. So I thought I would go over for a year or two, see out a visa and come back. I ended up staying there for seven years instead because there was so much to learn. I was at Square for almost the whole time. Then I moved back in April last year and joined back with Ferocia and the people I had worked with before I left.

Senator SCARR: Thanks for that. It's useful to give us a perception of your journey. My follow-up two questions are far more mundane and may be less interesting. In relation to equity compensation, in your view is it more a question of the founders of the company—the culture in Australia being such that the founders of the company don't want to give up their equity and there is not a culture of them being more open to introducing other investors as part of their employment compensation? Or is it the tax system et cetera in Australia, as opposed to the US, that militates against equity compensation? Or is it a combination of both?

Mr Shay : There's definitely some of the former. I think that's starting to change as people look for other ways to compete for talent. For the second one, I'm actually not as familiar. I've just moved back here, so I'm not as familiar with the tax law here. I know there was definitely a problem there when I left. But it might be better now

Mr Morris : I think another aspect of it is probably the prevalence of venture capital. A lot of VC firms will actually require, as part of their investment, that the organisation has some sort of program for their employees, simply because they recognise that companies are built by people, so having a strong strategy to recruit and retain the best is often mandated by an organisation. As there is less capital available in Australia there are fewer companies seeking investment. Because there are fewer companies seeking investment there is a lesser requirement from venture capitalists being put onto these companies to say they must do these sorts of things.

I think that contributes to another sort of problem, in that typically the people that are then potentially exit these successful companies, whether they be fintech or tech related, if there has been some sort of equity compensation they can then be in a position to go and start a company themselves. They are referred to as the PayPal mafia—the guys that came out of that founding and then went off to do the Teslas and all those sorts of things. It's unfortunate that we don't have the same situation here in Australia.

Senator SCARR: As my last question, I want to ask you your view on screen-scraping practices—that is something I didn't know about before this inquiry—and whether you think those sorts of practices should be banned.

Mr Morris : Screen-scraping is another organisation enticing a customer to input their user name and password into their site with, I guess, a promise that they will only use it for the purposes that customer intended. Obviously there is no enforceability of this promise. There is no regulation of this promise. It's against the terms and conditions of the financial institution, yet it continues. It's effectively a time bomb waiting to happen. You have these organisations that amass a bunch of customer credentials. Secondly, it encourages bad customer practice to start typing in your user name and passwords into lots of different websites, which can lead to financial crime or breaches of privacy. There are better ways to do these sorts of things, like open banking. We would certainly not like to see it encouraged, which is what I've read in other proposals. It's a hack, if you will. We should not be promoting or endorsing that. We should be supporting organisations for their ability to enforce their terms and conditions and restrict it.

Senator WALSH: I have a question about where you and the partner banks, to the extent that you can tell me, would see Up Bank going in the future. Do you intend to try to follow through your 19- to 25-year-olds as their needs change—for example, become a lender—or do you seek have to have a model where you're always working with the 19 to 25s and then transferring them to the main product later on, when there needs change?

Mr Morris : Definitely the former rather than the latter. The relationship that customers have with Bendigo and Up is very much arm's length. It's certainly mentioned and visible and explicit, but the support model and the customer experiences is all via the Up brand, and that would continue. In the future, yes, we may well offer things like mortgages. The roadmap for Up is actually completely public. You can go to It's behaving more like a tech company rather than a bank, in that we are forecasting absolutely everything we're doing for the next period of time. Yes, we will obviously seek to acquire more customers and potentially offer bigger experiences to customers, which could include credit.

Senator WALSH: What would that ultimately look like in terms of customer experience? Are you doing 100 percent of everything through your device? Is there call centre now and is there in the future a call centre? Is there in the future any face-to-face interaction in the transactions?

Mr Shay : We do have a call centre. There are certain requirements for inquiries to have a call centre. We are quite proud of our support model. Within the app you can get in contact with us directly through the app. We think that's a really strong way for customers to interact with us, because there's so much context around it. Our customers seem to really enjoy that. Of course, for things like lending products you have to have a call centre. We do think it's a good idea, but also we have to have one. As far as developing any further face-to-face or branch presence, it's possibly unlikely given the model that we are going after.

Senator WALSH: As developers, how do you intersect with the regulatory world? I think you're the first people we've seen who haven't said that it's too onerous, it's too much, we hate it, it stops innovation et cetera. Do you just see that there's a bunch of stuff that we have to problem solve around?

Mr Morris : Our company is largely software engineers now. We're not a regulated entity. But obviously we need to enforce the KYC flows, for example, and all that sort of stuff. We treat those as software or technical problems. Specifically, in my conversations with APRA around our approach to cloud, one of the technical people there was saying, 'It's all well and good: you build this system, you get it audited and tested, all that sort of stuff; great, but what happens the next day?' So we've built a technical solution that audits our system on an hourly basis and will send us a report immediately. They say, 'That's fantastic. That's a great answer to that problem.' But another organisation that was perhaps less technically inclined would see that as an onerous thing: 'Oh, now we need to schedule all this testing every month' or those sorts of things. So I guess that, depending on your approach, the regulation can be cumbersome or not.

Mr Shay : To add to that: I'm a really big fan of some of the principles behind regulation. Why are we doing this AML stuff? Why are we doing all the sanction screening? I think there's a big cultural aspect to this. If you have an organisation that just ticks the boxes for regulation, you're probably not going to be able to follow it over the long term. You're probably going to get into weird cases. You're probably going to run into trouble. But, if you have a really strong culture of doing the right thing for the right reasons and then map that onto the regulations and have that guided by the regulations, you almost have two separate things. You have, 'Do we have the right culture that's doing the right thing?' and then you have, 'Can we map the regulations?' You'll find that, if you do that, the culture usually ends up doing stuff in excess of what's required by the regulations. We found that with a lot of the technology stuff we do. We do it because we think it's good software engineering and it's good security practice. When we map back to regulations, we're like, 'Oh, we're actually exceeding what we need to do here.' From our perspective, yes, I do spend a lot of time reading through the various documents, mapping them and treating them as problems to be solved, but I also look at the culture element. I think that's actually how we get ahead.

To summarise: take what we think are good practices from a technology perspective but also for the support organisation, knowing the customer and that sort of stuff, and use the regulations as almost a safety net. Make sure we're ticking all these boxes, but, if we can exceed them, that's good for everybody.

Senator WALSH: How did you develop what you just described as the culture or ethical framework? Was that a consumer based approach? Is it written down? How did you go about developing it?

Mr Shay : Good question. We talk about it a lot. A lot of regulations talk about having to have a training register of who's done what training. It's pretty easy to tick a training box for having to watch a video, but did they actually learn anything? I think it is really about investing in actual quality training and in your managers, line managers and people, and then positive reinforcement as far as what you talk about as a company. If somebody has done something really good, do you call that out at the company level? It is that sort of stuff. It's a bit of a wishy-washy answer because it's an intangible, building-a-culture thing, but the good thing for me is that it's entwined with all the other cultural stuff we do to make it a really great place to work. It's just another part of that, and it really comes down to what we're actually doing as people and how we're treating people. I'm sorry it's not a great answer, but that's how I think about it.

Senator WALSH: I want to clarify. You're coming here operating in an environment that you're taking a very innovative approach to. You're solving lots of problems and you're seeing the environment as a given and thinking about how to adapt to that and succeed in that. But I don't think you've told us about what's getting in the way. Did you want to come here today and tell us everything is great, or was there something that you wanted to tell us we're missing?

Mr Shay : We mentioned earlier a bit about the AML sanctions regulations. I specifically mentioned TransferWise earlier. Australia is quite strict in how the regulations are drafted there. There's been some legislation in the works about doing the shared KYC model. More of that sort of stuff would be good for us. You also said 'take it as a given'. No, I do think that advocacy is important and that sort of lobbying and educational stuff is important. The R&D tax incentive and getting the NPP on board—most of the stuff out of that FinTech Australia submission—we're still quite supportive of. Are there any others you want to call out?

Mr Morris : That's fine.

Mr Shay : I realise we didn't speak about them a lot, but I thought we'd talk about the bits that weren't in that submission. That's why we spent our time there.

CHAIR: It's a good point you're making. I did want to ask you, though, before I ask you a serious question: is it really true that technology people don't like football?

Mr Shay : No, that's not true at all.

CHAIR: I didn't think so.

Mr Shay : We actually have some football players.

CHAIR: Well, there you go. Any Geelong supporters, to make up for your outrageous—

Mr Shay : I'm going to say yes.

CHAIR: Good answer. Thank you for that. I want to ask you about R&D and also about screen scraping. On your R&D side, there were a lot of submissions to this review that have talked about the R&D tax arrangements. One of the questions is: what is new and what is not new in a definition sense? Do you have a view on that?

Mr Morris : Yes.

CHAIR: Good. Can you tell us what it is?

Mr Morris : Yes. I guess this is one of the things that we've found challenging. We've done a heck of a lot of, I guess, innovative things, world-firsts, and are trying to map the quite prescriptive R&D process—experiment, hypothesis and all those sorts of things—to modern software development practices: 'Okay, how do things really work and get done?' That is just a lot of work.

CHAIR: Have you claimed the tax offset?

Mr Morris : Yes, we have experience in it. We've developed, I guess, new knowledge.

CHAIR: Are you saying that it's been cumbersome?

Mr Morris : That process, the submission process, is cumbersome.

CHAIR: But it has worked for you?

Mr Morris : Yes, we got there in the end, but with a lot of pain.

CHAIR: But you're saying it's too hard? I'm just trying to work out what you're saying. You're saying it's too hard?

Mr Morris : Yes.

CHAIR: So how do we make it easier?

Mr Morris : Good question. What are the sorts of behaviours that you're looking to encourage, and how could you better encourage those processes? Is the R&D tax grant the best way to encourage the behaviours that you're looking for? What I see, I guess, is that with the R&D tax incentive you want to offer benefits from being in Australia to companies doing innovative things and bringing new technology into the world. If you look at how that process goes and what the outcomes of that are, potentially you can look at an approach where you say: 'Okay, what are the innovative things? What are the actual outputs of this process, as opposed to being very focused on input and on precisely how it was produced and how the examples were chosen?'

CHAIR: I understand. That's a good answer. Are there any good examples we could import? We always like to import good ideas and good people.

Mr Morris : Yes. Do you mean good examples in terms of—

CHAIR: Abroad.

Mr Shay : It's a bit of a mess in the US too. I wouldn't necessarily recommend it. So I don't know. That's my answer to that.

CHAIR: You don't know, so we might try and seek that information from someone else. Are you a member of any policy associations or groups—industry bodies that do this sort of policy work?

Mr Morris : No, not really. We're a member of a bunch of bodies but more around cybersecurity and those sorts of things.

CHAIR: All right. We'll probably try and get that information from the start-up people.

Mr Morris : Yes, it's a good question.

CHAIR: The other thing I want to ask you about is screen scraping. A straw man that's been put by a number of submitters is effectively that you have screen scraping now and then, once you have open banking, you don't have screen scraping. What do you think about that?

Mr Morris : Our view would be that I certainly wouldn't encourage it. I read earlier submissions, for example, where people were saying, 'You should make it so that organisations have to enable their platforms to be screen scraped,' if you will. We certainly wouldn't support that view. I think organisations should be able to enforce their terms and conditions, and also they should be held accountable if they're not enforcing their terms and conditions. If you have terms and conditions that say, 'You mustn't give your username and password out to other organisations,' and yet that is actively going on and you're not doing any work to police that or enforce that, then you effectively become complicit in that.

CHAIR: The critical question is: is that straw man a reasonable position for industry?

Mr Morris : You cannot screen scrape up. We have designed it in such a way that it is not possible for a customer to give away their credentials that would allow them to compromise themselves. So you cannot do it. It's in our terms and conditions that you can't do it, but, actually, even technically it's not possible. On screen scraping, what you have now you do not have for us. Personally, if I were responsible for security at other financial institutions, you wouldn't have it there either. That's what we have now until we have open banking. It's what organisations choose to allow now, but we certainly don't. I would question strongly other organisations that do allow their users to do that.

Senator MARIELLE SMITH: When you say you 'don't allow it', what sorts of things can you do to not allow it?

Mr Morris : Basically it comes back to the R&D stuff. We have developed a mechanism for authentication and cryptography between a device and our servers where you don't have a username and password per se so you couldn't give that to an external service to compromise yourself.

Senator MARIELLE SMITH: How do you get in?

Mr Morris : Sign up and take a look! It's like your phone where—

Senator MARIELLE SMITH: So it's like an Apple login and that kind of thing?

Mr Morris : There's a passcode and all that sort of stuff. It's good and its world leading, and I think other organisations should adopt that approach.

CHAIR: Obviously we are looking at the broad regulatory framework. The fact that open banking has not commenced on the timetable that had been anticipated means there are potentially some transitional issues. I understand it doesn't affect you directly, but I just wanted to get your view of that because it is an industry matter.

Mr Shay : It does undermine everybody's security. It weakens people's resistance to phishing attacks. It doesn't really matter who is allowing that; if somebody is doing it, then it compromises security for everybody. That's concerning. The fact that open banking keeps getting pushed back is somewhat concerning to us as well.

CHAIR: Thank you for your time.

Proceedings suspended from 12 : 13 to 12 : 59