Bamboo: Security Process
Users often ask us: why do you require our banking credentials?
Bamboo’s core purpose is to provide the ability to round up your transactions and seamlessly invest in a portfolio of your selection. To achieve this, we need the transactional data from your bank, and we need to confirm your bank balance before taking a payment (this avoids unnecessary charges to you and to us when there is no money in your bank account).
To meet these requirements, we currently use a third-party intermediary called Basiq (www.basiq.io), which is part-owned by NAB, Salesforce and Reinventure. Basiq works with the majority of Australian banks to provide a data feed to third parties, where the third party can verify that the customer has given approval. This approval is given by providing your online banking credentials. Basiq then acts as a gatekeeper of this data between the bank and Bamboo on behalf of the customer.
The customer remains in control at all times: a simple change of their banking password immediately revokes Bamboo’s permission. Basiq takes all reasonable steps to ensure that personal information is protected from misuse, interference, loss, and unauthorised access, modification or disclosure, using various methods including access limitation and Secure Socket Layer (SSL) encryption technology to safeguard the account registration process and sign-up information.
At the beginning of August 2019, Australia took a major step towards an open data economy by passing the Consumer Data Right (CDR) legislation, which gives customers control of their data and enables them to share it with third parties. This is known as “Open Banking”.
Since then, the Australian banking system has been upgrading its technology to accommodate this, with the goal of allowing customers to provide third-party service providers with various levels of their banking information for their own benefit. Examples include making it easier to switch banks, apply for loans and use other fintech products. This technology allows you to share this data without having to provide your log-in credentials.
Basiq and Bamboo are gearing up to use this new technology as well; however, in the interim we are required to continue using the existing technology and to remain nimble during the transition period.
Split Payments Pty Ltd provides the direct debit services to us (Bamboo). In the signup process, you request and authorise Split Payments Pty Ltd to arrange, through their own financial institution, a debit to your nominated account of any amount deemed payable by you. Split Payments also uses Basiq to pre-check your account for funds before a debit is made. As mentioned, this is because we do not want to debit funds from your account if there is no money there: we will incur a debit fee, and you may be charged an overdraft fee.
Split Payments ensures the highest levels of security for your payments by the following:
- All communication is encrypted using 128-bit TLS 1.2, ensuring that your information is never transmitted in clear text and is always safe from prying eyes.
- Their development follows industry-standard secure coding guidelines, such as those recommended by OWASP (https://www.owasp.org), so you can be confident that payments are handled securely.
- They use ISO 27001, FISMA & IRAP certified data centres that undergo recurring assessments to ensure compliance with industry standards.
During a Split transaction, no one can access or see your internet banking login credentials. All communication via Split takes place using HTTPS transport level security and no sensitive information is stored (not even cached).
Some important items to note that can prevent the Bamboo app from operating effectively are:
- If you change your online banking password and you still wish Bamboo to operate, you will need to log back into the Bamboo app and re-enter your bank credentials to re-establish permission.
- If you have 2FA (app or dongle) to access your online banking, Basiq is unable to integrate with your bank.
- If you enable any online banking features that hide or mask your bank account number, Basiq is unable to retrieve the account number for Bamboo.
- If the bank is under maintenance, Basiq is unable to access your transactional data.
- If the bank has provided a notice to its customers (common notices are to accept new terms and conditions, maintenance being scheduled), Basiq is unable to access your transactional data.
We are working on something we term “Blind Payments”. Blind Payments involve Bamboo taking a payment without verifying your bank balance first. This represents more risk for us, as we cannot pre-check accounts, and we estimate it will result in a significant percentage of our payments failing. As we will incur fees for these failures, we need to plan and execute the roll-out of this feature carefully, and there are likely to be some eligibility criteria for using it. It involves major changes to the code base and rule features, and as a result we expect this feature to be released around mid-2021.
We want to implement this additional method for two reasons: 1) the current method via Basiq is often unreliable in the ever-changing banking environment; and 2) some people don’t want to connect their bank to Bamboo and would just like to use the Recurring and Top-Up features of the app.
Navigating this transition period as smoothly as possible is a key priority for Bamboo, as we are excited by what lies beyond for improving the experience of our customers. We will continue to implement and maintain industry best practice and to handle our users’ security and privacy with care. As always, if you have any questions please reach out to us at email@example.com.