Uplifting cybersecurity controls

20 August 2019
Featured Image

The New Payments Platform operates with security and fraud front of mind, which is why our regulations require NPP participants to have strict cyber-security and fraud detection processes in place when they offer services via the Platform.

NPP Australia was advised late in the evening of Friday, 16 August 2019 that a number of PayID records and associated data in the Addressing Service were exposed by a vulnerability in one of the financial institutions sponsored into the NPP by Cuscal Limited.  Cuscal has confirmed that the client-side technical issues underlying the exposure were identified and resolved immediately.

The affected data included PayID name and account numbers. None of the details involved can, on their own, enable the withdrawal of funds from a customer’s account without the customer’s specific further involvement.

Financial institutions whose customer details have been exposed have been provided with details so that they can take the necessary action, which includes customer notification and enhanced due diligence over affected accounts.

Cuscal’s client has advised that the appropriate regulatory notifications have been made.

NPP Australia has regulations in place that prohibit disclosure of account data and that require participating financial institutions to have controls to monitor, detect and shut down any attempts to misuse the PayID service.  These regulations incorporate suspension of access to the PayID service by organisations not meeting these requirements, and were recently strengthened by the introduction of non-compliance charges which are expected to be also applied where these controls are not implemented.

Cybersecurity is an issue of paramount importance to NPP Australia.  As part of our ongoing commitment to uplifting cybersecurity controls across the NPP ecosystem and following a similar event in June, we recently commenced implementation of more targeted cybersecurity requirements upon participating institutions, increasing assurance requirements and testing end point security to ensure that the controls are executed as intended.


AP+ acknowledges the Gadigal People of the Eora nation as the Traditional Custodians of the lands on which we are based and pays our respects to Elders past, present and emerging. We recognise all Aboriginal and Torres Strait islander peoples ongoing connection to the lands and waters of Australia and thank them for protecting and for their pivotal role in the creation of this beautiful place. Always was and always will be Aboriginal Land.

View our Reconciliation Action Plan

©2023 Australian Payments Plus. ABN: 19 649 744 203  All rights reserved

Back to top Arrow