Gowling WLG is an international law firm built on the belief that the best way to serve clients is to be in tune with their world, aligned with their opportunity and ambitious for their success. Our 1,400+ legal professionals and support teams apply in-depth sector expertise to understand and support our clients’ businesses.
Canada's Consumer-Driven Banking Framework (Framework) was released alongside the 2024 federal budget, and serves as an update to the previously released 2023 Fall Economic Statement...
More commonly known as "open banking" or sometimes
referred to as "consumer-directed finance,"
consumer-driven banking refers to a framework that allows consumers
and small businesses to securely transfer their financial data
through an application programming interface (API) to approved
service providers of their choice.
Who benefits?
Building on the earlier Policy Statement, the Framework
continues to emphasize benefits to consumers, small businesses and
the Canadian economy at large. Among other things, it touts
increased control over financial data and security protections for
consumers; reduced administrative burdens, efficiency, and improved
product access for small businesses; and global competitiveness and
innovation in the financial sector.
So, what do we know about the Framework?
The development of the Framework is guided by three public
policy objectives:
Safety and Soundness
Protecting Canadians' Financial
Well-Being
Economic Growth and International
Competitiveness
These policy objectives have guided the development of the
government's six (previously five, now including "National
Security") core Framework elements, as follows:
1
Governance
The Framework expands on the oversight and management elements,
notably:
the mandate of the Financial Consumer Agency of Canada
(FCAC) will be expanded to include oversight,
administration, and enforcement of open banking in Canada;
legislative amendments to the Financial Consumer
Agency of Canada Act will establish a new position,
called the Senior Deputy Commissioner of Consumer-Driven Banking,
at the FCAC;
FCAC will develop a consumer education campaign to increase
Canadians' awareness;
FCAC oversight of consumer-driven banking will operate on a
cost-recovery model once the Framework is in place;
all participants will be subject to the open banking regulation
and FCAC supervision;
provincial credit unions and Crown corporations that act as
banks will be able to "opt-in" to governance,
supervision, and participation; and
provinces and territories will retain the authority to impose
their own requirements on entities subject to their
jurisdiction.
2
Scope
The Framework provides additional information on the entities
that will be able to participate, the scope of data that
participants will be required to share, certain functional
requirements for participation and details on the future expansion
of "scope." The initial phase of implementation will
include:
government-mandated participation for Canada's largest
retail banks, with other participants provided with the ability to
opt-in;
clear requirements for how various entities, such as fintechs,
can enter into, and exit out of, the open banking system;
a requirement to demonstrate adherence to technical and
security requirements;
a requirement for participants to share (at the request of a
consumer) data related to chequing and savings accounts operations,
investment products available through their online portals, and
lending products, such as credit cards, lines of credit, and
mortgages;
an exclusion from scope for data that has been materially
enhanced by a participant to offer significant additional value or
insight;
maintaining the existing prohibition on the sharing by banks of
customer information for the business of insurance;
having all entities subject to consumer-permissioned data
sharing requests (reciprocal access); and
a requirement for participants to be able to provide reciprocal
access.
The scope may be expanded at a later date to include additional
data, entities, entry processes (e.g., tiered accreditation), and
functionalities (such as the ability to initiate payments).
3
Accreditation
entities wishing to become accredited will need to submit an
application to the FCAC;
applications will include information on the organization
(including existing oversight arrangements and governance
structure), operational standards (including security and privacy
controls), and financial capacity (including liability instruments
such as insurance);
the FCAC will evaluate applications against a specified
criteria and publish a list of authorized participants in a central
registry;
once accredited, a participant will be permitted to request
financial data, at the instruction of a consumer, from another
participant, and will in turn be obligated to follow all common
rules and make available any in-scope data to other
participants;
participants will be subject to mandatory reporting on a
regular basis; and
the FCAC will have the authority to suspend or revoke
accreditation if a participant fails to meet its obligations or
presents a risk to consumers.
Tiered accreditation (i.e., different accreditation requirements
for entities) will not be included at this initial phase.
4
Common rules
The implemented Framework will include common
rules (as a condition to access of consumer data). The
common rules:
will address consumer protection interests, privacy, liability,
security, national security, and integrity obligations (notably,
this updated version of the Framework includes reference to
"national security", "integrity" and
"consumer protection interests" whereas it did not
previously); and
work to complement existing legislation, rather than creating
duplicative or potentially conflicting requirements, but additional
privacy rules unique to financial data sharing will be introduced
to address consent to data access, consent management, and the
revocation of access to data by a consumer.
Note further that in respect of privacy,
participants will be required to:
reconfirm consent every 12 months or following certain
events;
provide "consent dashboards" to provide consumers
with real-time knowledge and control over the accessibility of
their data (i.e., who has access to what); and
adopt user experience guidelines to govern all areas of consent
and revocation.
The implemented Framework will clearly set out a
liability structure that establishes a statutory
relationship between participants of the open banking system. This
liability structure:
is based on the principle that liability moves with the data
and rests with the party at-fault if anything goes wrong;
ensures consumers will not be held liable for financial losses
incurred as a result of sharing their financial data within the
system; and
requires participants to put in place policies and procedures
for complaint handling and the provision of redress to ensure
consumers have a clear path for addressing their complaints.
Clear security requirements for how voluntary
and mandated participants protect consumers' data will also be
established by the implemented Framework. Legislation is expected
to:
establish security requirements for all participants that will
serve as the minimum "floor" to safeguard consumer
data;
require participants to fulfill ongoing reporting obligations
that will be overseen by the FCAC, such as surveillance audits;
and
mandate a security certification.
The Department of Finance will engage with stakeholders to
finalize a recommendation in respect of the selection of this
certification as well as the extent of the reporting
obligations.
5
National Security
The implemented Framework will include safeguards and provide
authorities to the Minister of Finance that align with existing
financial sector statutes. The Minister will be able to:
refuse, suspend, or revoke access to the open banking system
for national security-related reasons; and
direct the FCAC to take measures related to the Framework for
reasons related to national security, to safeguard the integrity or
security of Canada's financial system, or in the best interest
of the financial system.
6
Technical Standard
The implemented Framework will include a government-mandated
single technical standard that:
forms the specifications to which APIs are built; and
is fair, open, accessible, and able to meet key public policy
objectives, including interoperability with standards used in other
jurisdictions.
Legislation will provide authority to the Minister of Finance to
identify and revoke a technical standard, and authority to the FCAC
to supervise the technical standard body to ensure compliance with
open banking regulations.
What's next?
Spring 2024: Framework legislation was
expected to be introduced in Budget 2024. Instead, the government
intends to introduce the first of two pieces of legislation to
implement the Framework this Spring. This legislation will address
key elements such as governance, scope, and criteria and process
for the technical standard.
Fall 2024: Remaining elements of the Framework
would be legislated in the Fall of 2024, which is expected to be
introduced in connection with a second budget implementation act.
The government has not indicated if FCAC's expanded mandate
will be introduced as part of the first or second piece of
legislation.
Beyond: While the government previously set a
goal of fully implementing the necessary
Framework for the operationalization of open banking in Canada by
2025, Budget 2024 did not specify such a date. However, it noted
that the implemented Framework is expected to be reviewed after
three years to ensure it continues to meet core objectives and
reflect the needs of Canadians.
In the meantime, the Department of Finance will continue to
engage with all stakeholders, including federal, provincial and
territorial governments, as open banking legislation is
developed.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
