A long-anticipated report from a federal advisory committee on open banking was released publicly this month, several months after being submitted privately to the government in April 2021. The Advisory Committee on Open Banking's final report (the "Report") calls for the government to implement an open banking system in 18 months, designed jointly through input from the federal government and industry. "Open banking" refers to a system which provides customers the ability to share their banking and financial data with financial services providers, with the ultimate aim of increasing competition and innovation and giving users greater control over their data.
The Report follows several developments in this space over the last few years. In January 2020, the same committee issued its first report (see our previous blog post here) in connection with the Department of Finance Canada's consultation process on open banking, a process that began in January 2019. In July 2020, Financial Data Exchange, LLC, a not-for-profit organization aiming to facilitate secure data sharing, launched in Canada with 31 members, including the five major banks. Following an initial delay due to COVID-19, the Department of Finance Canada reopened its second stage of consultations on open banking with industry stakeholders. The reopened consultations consisted of five virtual sessions through November and December 2020 and focused on how regulators and the financial sector can mitigate data security and privacy risks associated with open banking.
1. Recommended Vision and Governance
The Report recommends a "made-in-Canada", collaborative approach where industry stakeholders implement and administer the open banking system under clear policy objectives set by government. The foundational pillars of this "hybrid system" are:
- Common rules for open banking industry participants to ensure consumers are protected and liability rests with the party at fault;
- An accreditation framework and process to allow third party service providers ("Participants") to enter an open banking system; and
- Technical specifications that allow for safe and efficient data transfer and serve the established policy objectives.
The implementation of the open banking system would be done in phases. Phase 1 would take 18 months. Phase 2 would take 18 months and beyond.
In Phase 1, the government would appoint a "lead" to design the first two pillars and work with industry to develop the third pillar. Participants would then apply for accreditation and data transfer mechanisms would be tested. Under this timeline, Canada would have an early-stage open banking system by 2023. The scope of this system is described below.
In parallel to the lead's work, the government would establish an entity to administer the open banking system and replace the lead during Phase 2. The entity would be run by open banking stakeholders, but the government would set its mandate and objectives. In Phase 2, the government would also consider codifying parts of the system implemented by the lead.
2. Recommended Scope of Early-Stage Open Banking
Under the proposed open banking system, federally regulated banks would have to participate. Provincially regulated financial institutions could voluntarily participate. The Report states that this broad, initial scope would then ensure that most individuals and small and medium businesses can access open banking services.
Crucially, the Report recommends that the scope of the open banking system not be limited to certain use cases. In general, the type of data in the system should be information that individuals can access when online banking, including: data provided by the customer (e.g. contact information); account information (e.g. balance, transactions); and product information (e.g. rates, account numbers, fees).
The Report recommends that mortgage, investment account, chequing and savings account, credit card, and line of credit information be included. Subject to a consumer's permission, data sharing would be reciprocal between banks and Participants.
There are several notable limitations to the recommended scope:
- Banks would not be required to share "derived data", which is data derived through proprietary processes.
- Data access would be "read-only". However, the Report recommends that write access functions be added once the system is more established.
- Insurance underwriting is a use-case that should not be initially allowed.
3. Recommendations for Common Rules and Liability Framework
The Report highlights liability, privacy and security as the central concerns that should be addressed by the common rules. These rules should promote consumer confidence, build on existing frameworks and provide certainty for consumers in the event something goes wrong.
The Report states that liability should flow with the data and lie with the party at fault, suggesting that banks will not automatically be held liable simply because they have originated the data. Consumers must also have certainty regarding how they will be protected, how they can file complaints and how they will be compensated if issues arise. Consumers' liability should also be capped at a small fixed-dollar amount (e.g. $50), barring gross negligence or a criminal act. The Report references the existing Financial Consumer Protection Framework for best practices on this topic and complaints handling. See our past blogs for more information on the Financial Consumer Protection Framework.
The Report also provides that common rules should standardize consumer consent management. The process should prioritize transparency so consumers know who has access to what information and can manage the permissions provided. There should also be harmonized rules to protect personal information and consumers from undue pressure and misrepresentations.
With respect to security, the common rules would set standards for data security, operational risk and systemic risk. Participants would have to meet minimum standards to be accredited, with riskier use-cases being required to meet stronger standards.
4. Recommendations for Accreditation
All Participants would have to be accredited to participate in the open banking system. Federally regulated banks, and potentially provincially regulated financial institutions, would be exempt.
Under the recommended accreditation system, independent entities would review an applicant's compliance with the accreditation criteria. The criteria would be focused on the capability of the applicant to adhere to the common rules and protect consumers in the event of a loss. The accreditation would be reviewed periodically.
The accreditation system should be trustworthy, independent of the open banking system, proportional to risk, transparent, and coherent with other regulatory oversight. The system should also balance consumer protection with innovation and entry into the system. To this end, the Report suggests tiered accreditations, with low-risk activities requiring lower standards.
5. Recommendations for Technical Specifications
The Report does not recommend whether technical specifications should be standardized or whether multiple, market-driven standards should be allowed to emerge. Instead, the Report recommends that the lead work to align existing innovation and standards with recommended policy objectives. Namely, the specifications should be accessible to system participants, flexible enough to evolve and allow for innovation, and compatible with international approaches. The Report suggests that government involvement may be required if this development stalls.