On August 4, the Minister of Finance released the Advisory Committee on Open Banking's (the Committee) final report (the Report)—marking the completion of the Committee's mandate. The Committee's Report discusses the Committee's findings from their second phase stakeholder consultation, which focused on issues of consumer privacy and security. More importantly, the Report provides the government with an 18-month road map to implementing open banking in Canada.
What you need to know
- The Committee recommends that the government implement a hybrid, made-in-Canada approach which recognizes the important and distinct roles of government and industry. Under this hybrid approach, the government will establish the policy objectives, oversee the consultation process, set the framework and timelines, while the industry will manage the implementation and administration of the system.
- The recommended hybrid, made-in-Canada open banking system would have the following core elements: common rules for all participants; an accreditation framework for third-party service providers to enter the system; and technical specifications to ensure data security.
- The Committee suggests a two-staged open banking implementation plan: 1) an initial low-risk open banking system to be designed and implemented by January 2023, followed by 2) a period of ongoing evolution and administration of the system.
- To meet the January 2023 target date, the initial system build should be limited to consumer-provided data (but not derivative data) and read access functionalities, but should also allow for the scope to be expanded to include new types of data and potentially riskier functionalities, such as write access functions, as the open banking system evolves.
- To achieve this ambitious date, the Committee recommends an "open banking lead" be appointed. The open banking lead would be responsible for convening industry, government and consumers in designing the foundations of the system within 9 months of appointment, and for overseeing a testing and accreditation phase in the following 9 months.
- The Committee recommends the establishment of a separate governance entity to oversee the open banking system beyond the initial 18-month period (see more detail on the Committee's proposed timeline in the Report).
- The Committee recommends that: all federally regulated banks should be required to participate in the first phase of open banking in Canada; provincially regulated financial institutions be provided the opportunity to participate voluntarily; and other entities should be allowed to participate after they meet the accreditation criteria.
- The Minister has not announced any next steps beyond the release of the Report.
1. Guiding principles
The Committee recommends that the following principles underpin the development of the open banking system:
- Achieving key consumer outcomes including protection of consumer data; consumer control of their data; reliable and consistent consumer access to a wide range of services; consumer protection and market conduct standards, and consumer recourse when issues arise.
- Ensuring the system considers and addresses financial inclusion issues, particularly during the implementation phase.
2. System scope
In order to address consumer demand for open banking services, as evidenced by the proliferation of services based upon screen scraping, while also addressing the risks of these services, the new system should aim to mirror the range of products and services currently available through screen scraping while including capacity to expand and include new functionality.
To ensure that the system evolves in response to consumer and technological developments, the Committee recommends that the system's design not be limited to specific use cases, but rather that the design reflect data currently available to Canadians through their online banking applications as well as allow for the future use of new types of data. To limit risk while also allowing for the development of services comparable to those based on screen scraping, the Committee recommends initially limiting the data to be included in the system to: consumer-provided data, balance data, product data, and publicly available data. In order to address a central concern of industry participants, the Committee also recommends excluding "derived data", which is data that financial institutions have enhanced to provide additional value or insight. If derived data is available through screen scraping, however, then the Committee recommends an institution would need to justify the data's exclusion.
While the designated open banking lead would work with government and industry to design and implement the system's initial phase, the government should consider the establishment of a purpose-built entity made up of system participants and stakeholders that would manage the system's ongoing administration. The Committee recommends that the government should set the mandate and objectives of the entity but delegate decision-making and administration to the members of the organization.
The system's operations are contingent on the establishment of three key pillars:
- Common rules
- Accreditation framework
- Technical standards
a) Common rules
The establishment of common rules for open banking participants would ensure consumer protection while eliminating the current reliance on bilateral contracts between banks and third-party service providers to deliver open banking types of services. Doing away with bilateral contracts may be challenging, however, as regulated entities such as banks are ultimately accountable for all outsourced activities under, for example, OSFI's Guideline B-10. To address this issue, the Committee recommends government look at ways to limit banks' liability for the use of data by third parties while at the same time requiring that third parties be held responsible, and to high standards, for the protection and use of consumer data.
The credibility of the common rules, argues the Committee, is a central concern and is best achieved through a well-designed liability framework. In order to promote responsible conduct by participants and to ensure key consumer protection objectives are achieved, the Committee recommends that liability flow with the data that is shared and rest with the party at fault. Consumers should be provided with protection and redress mechanisms by the system's rules through, for example, accessible complaint mechanisms and limitations on consumer financial liability (e.g., to a nominal amount such as $50). These measures should be supported by data tracing and audit mechanisms and third-party dispute resolution. In order to limit consumer risk and enhance confidence in the new system, the Committee also recommends that consumers who suffer a financial loss be compensated by either their bank or a third-party service provider after which the bank and provider can seek compensation from the other participant(s) as appropriate.
Data sharing is at the heart of open banking, and the Committee recommends that the new system be designed to enable consumers to control their data and understand how it is used. To this end, the Committee recommends that the system should use clear, simple, and not misleading language in its consumer facing materials along with a standardized and robust consent management system. It is also noteworthy that the Committee recommends adopting aspects of the new Financial Consumer Protection Framework with respect to data sharing, protection, and control. In particular, the Committee recommends that the common rules should prohibit participants in the system placing undue pressure on consumers; require participants to provide information that is accurate, clear and not misleading; and require publication of consumer complaints.
The Committee recommends that a base level of security requirements be included in the initial design of the system for third-party service providers seeking accreditation, with stronger security standards required based on risk. The Report recommends that the common rules for security focus on data security (e.g., authentication, authorization, access management, encryption, traceability, etc.) and operational and systemic IT risk.
b) Accreditation framework
The implementation of an accreditation system would ensure that participants adhere to the common rules and have insurance or provide a financial guarantee. The accreditation process should be trusted, independent, proportional to risk, transparent and coherent with other regulatory regimes. This last criterion of "coherence with other regulatory regimes" is particularly interesting as the newly introduced Retail Payment Activities Act will require payment service providers, which may include open banking participants, to register with the Bank of Canada before performing any retail payment activities. Entities that have been lightly regulated in the past, if at all, may now find themselves subject to both the new open banking accreditation requirements and the Bank of Canada's registration requirements.
c) Technical standards
The Committee recommends that the open banking lead engage with technical expertise to develop technical requirements over the next 9 months that address security, consumer experience, stability, the safety and soundness of the financial sector, and international standards so as to facilitate compatibility and interoperability.
4. Next steps
With the delivery of the Report to the Department of Finance, the Committee has provided a blueprint for the implementation of an open banking system that it argues reflects the Canadian marketplace, consumer and industry interests and concerns, and international standards and protocols. In order to launch the new system by January 2023, however, implementation of the Report's recommendations would need to begin soon. With the government's response to the Report still to come, it is uncertain if this deadline will be achievable.