On August 4, 2021 the Advisory Committee on Open Banking (the "Committee") released its final report (the "Report") on open banking. This report is the latest development in the ongoing efforts to bring open banking to Canada.
Efforts began in 2018 when the Committee was established. The Committee then released an initial report in 2020 entitled Consumer-Directed Finance: The Future of Financial Services. In this initial report, the Committee states that open banking would provide Canadians with a number of benefits, including giving consumers more control over their own financial information, allowing consumers greater access to better rates and varied financial services, and fostering an innovative and competitive financial sector on the international stage. The Committee ultimately recommended taking further action to implement an open banking framework in Canada. Additional details of the Committee's findings are available in our February 2020 and February 2021 bulletins. General information on open banking can be found in our previous bulletins from February and July 2019.
Following the initial report, the Committee initiated a second phase of stakeholder consultations. The Report represents the culmination of these consultations and makes recommendations on six aspects of open banking in Canada: vision, scope, governance, common rules, accreditation, and technical standards.
Notably, the Committee originally proposed that the term "consumer-directed finance" be used in Canada instead of "open banking". In the Report, the Committee moves away from this proposal and returns to using "open banking" as it is a more "readily understood" and internationally recognized term.
Vision: Consumer-centric and hybrid approach
The primary recommendation for the vision of the open banking framework is to design a consumer-centric framework ensuring, among other things, that consumer data is protected, that consumers control their own data, and that consumers have recourse should problems arise. To support this vision and to assist with the goal of financial inclusivity, the Committee recommends offering financial education programs and resources. Finally, as in the initial report, the Committee re-emphasized a hybrid approach noting that both government and industry have roles to play in implementing and administering open banking in Canada.
Scope: Narrow to start with room to expand
The Committee also makes recommendations concerning the scope of participants and the scope of accessible data. The Committee recommends that all federally regulated banks be required to participate, with provincially regulated financial institutions such as credit unions participating on a voluntary basis and other entities participating upon meeting certain accreditation criteria (discussed below). Express consent from individuals and small and medium enterprises must be obtained before such individuals and enterprises provide any reciprocal data access and participants should not be allowed to require such reciprocal data access in order to provide a product or service. The Committee recommends that data which is "traditionally readily available to consumers through their online banking applications" be included in the initial scope of the open banking system, while also leaving room to expand to other types of consumer data in the future. However, the scope of data should be narrow such that derived data (e.g., data enhanced by a financial institution to provide additional value or insight to the consumer, such as internal credit risk assessments or new product offerings) can be excluded if the financial institution/participant chooses. Also, third parties should not be allowed to edit the data on bank servers. In other words, the data is accessible in "read only mode". Of note, the Report states that banking data should not be used for underwriting insurance policies as part of the initial scope of open banking, given the complexity of insurance data and the potential for inequitable outcomes.
Governance: A two-phase approach
The Committee recommends a two-phase approach to establishing a governance system in order to expedite the implementation of open banking. In the first stage, an open banking lead should be appointed by the government and given nine months to develop three core foundational elements: common rules, accreditation criteria, and technical standards. The Report indicates the lead could be "internal or external to government" but should have knowledge of the financial and technology sector. The subsequent nine months should be used for third party service providers to obtain accreditation and to "test connectivity" to the system. The open banking system would open for consumer use during the second phase, which should begin by January 2023. During phase two, administration of the system would transition from the appointed open banking lead to a "fit-for-purpose" entity created by the government during phase one.
Common Rules: Focus on liability, privacy, and security
The Committee recommends developing common rules for open banking, particularly with respect to liability, privacy and security, which would replace the current system of bilateral contracts between banks and third party service providers. The rules on liability should allocate responsibility and provide a clear mechanism for consumers to file a complaint. Notably, current Canadian rules allocate ultimate responsibility to banks where a complaint arises from outsourced activities. Under the new open banking system, banks should not be liable for how consumer-directed transfers of data from banks are ultimately used by third party service providers. The rules on privacy should require express consumer consent for data exchange and ensure that consumers have control over their own data. The security rules should protect consumer data along two axes: data security, requiring elements like authentication and authorization, and infrastructure security, requiring elements like incident monitoring and recovery measures.
Accreditation: Establish principled criteria and audit for compliance
The Committee indicates that the ultimate goal of the accreditation system should be to balance the entry of third party service providers into the system with the need to robustly protect consumer data. The Committee recommends that the open banking lead establish accreditation criteria for prospective participants to fulfill and engage an independent entity to audit the participant for compliance. The criteria should assess the participants' operational, financial, privacy and security fitness using a process similar to the Systems and Organization Controls (SOC) process. The Committee further recommends that the open banking lead consider the following principles when developing the accreditation criteria: trust, independence, proportionality to risk, transparency, and coherence.
Technical Specifications and Standards: Guiding principles
Technical specifications direct many aspects of an open banking system such as data transfer and storage, consumer experience with the system interface, consumer authentication and consent management. The Committee notes that there are already "significant efforts underway in the Canadian market" to develop technical specifications and standards. The Committee recommends building on these efforts with the following principles in mind: accessibility and inclusivity for accredited system participants, positive consumer experience, safe and efficient data transfer, flexibility, and compatibility with international approaches.
The Report concludes by recommending the speedy implementation of an open banking system in Canada, urging the government to take the immediate step of appointing an open banking lead. If the recommendations in the Report are heeded, open banking could arrive in Canada as of January 2023 bringing with it a much-anticipated transformation of the Canadian financial system.
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2021