Bennett Jones is one of Canada's premier business law firms and home to 500 lawyers and business advisors. With deep experience in complex transactions and litigation matters, the firm is well equipped to advise businesses and investors with Canadian ventures, and connect Canadian businesses and investors with opportunities around the world.
If your company is a fintech operating or hoping to operate in
Canada with a business model that offers financial products, you
should be aware that Canada's federal government has announced
its intention to enact legislation that could apply to your
organization.
What's Happening?
This impending legislation is the Consumer-Driven Banking
Act (CDBA), and it will set the foundation for a framework
that enables consumers and small businesses to securely transfer
their financial data through an API to approved service providers
of their choice.
The framework for consumer-driven banking—a.k.a.
"open banking"—includes six core elements, all of
which will play into whether your organization is subject to the
framework, and what obligations could apply. These obligations will
come in two phases because the CDBA will be enacted in two
pieces—the first, expected in H1 2024, will implement elements
including governance, scope and a technical standard. The remaining
elements are expected to be legislated in the fall of 2024.
What Will it Mean for Fintechs?
The table below gives a high-level snapshot of the core elements
of the framework as introduced in the Government's policy
statement: Budget 2024: Canada's Consumer-Driven Banking
Framework [1]. Note: the CDBA has not yet become law
and could yet change. Further, the Government's policy
statement makes clear that the development of Canada's
Consumer-Driven Banking Framework will be an iterative process and
may evolve significantly over time. Lastly, the table is not
exhaustive and does not constitute and should not be relied upon as
legal advice.
If you have any questions about the information in this blog
post or require legal advice, please contact Matt Flynn.
Canada's Consumer-Driven Banking Framework

Core Framework Element | Fintech Obligations/Considerations

Governance: Oversight and management of the framework

- Oversight and management rests with the Financial Consumer Agency of Canada (FCAC);
- FCAC to establish framework elements: scope; system participation; safeguards re: integrity and national security; and common rules covering privacy, liability, security;
- FCAC to select a single, technical standard for data sharing (including interoperability with coming U.S. open banking framework);
- FCAC to review framework after 3 years to ensure it continues to meet policy objectives and consumer needs.

Scope: What entities can participate; data that must be shared; functionality, such as read or write access

- CDBA will set requirements on fintechs' entry into / exit from the framework [2];
- Participating entities required to meet prescribed technical and security requirements;
- Initial scope of data required to be shared at consumer's request: deposit accounts; investment products; lending products. Note: data "materially enhanced" by a fintech to offer "significant additional value or insight" will be excluded from scope;
- Reciprocal access must be granted between participants;
- Data to be shared free of charge.

Accreditation: Requirements and process for participating in consumer-driven banking

- Formal accreditation process, inclusive of process, oversight, and criteria for entities to collect consumer-permissioned data;
- Applicants for accreditation will be evaluated by the FCAC;
- Evaluation points to include: info on the organization; operational standards (including security and privacy controls); financial capacity;
- List of authorized participants will be published by the FCAC;
- Participants subject to reporting on a regular basis and as business model evolves;
- FCAC may suspend or revoke accreditation.

Common Rules: To protect consumers and govern privacy, liability, security

Privacy:

- In addition to existing privacy legislation, framework will include rules unique to financial data sharing to address consent and revocation of access to data;
- Participants to reconfirm consent at regular intervals or following certain events;
- Participants to provide consent dashboards to give consumers real-time knowledge of who has access to their data and to maintain control over the type of data they share, the accounts from which it is being collected, the length of the consents, as well as the ability to revoke consent;
- Participants required to adopt user experience guidelines to govern all areas of consent and revocation.

Liability:

- A statutory rather than contractual liability structure between participants;
- Liability will move with the data and rest with the party-at-fault;
- Consumers not liable for financial losses incurred due to sharing their data;
- Required policies and procedures for complaint handling and redress.

Security:

- Participant's information security management system must capture all people, processes, tech and infrastructure that interacts with consumer data;
- Established security that will serve as the minimum "floor" to safeguard consumer data;
- Ongoing reporting obligations that will be overseen by the FCAC.

National Security: Safeguards to protect the integrity and security of the consumer-driven banking framework and financial system

- Framework to include safeguards and provide authority to the Minister of Finance that aligns with existing financial sector statutes, such as the Retail Payment Activities Act, the Bank Act and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act;
- Minister of Finance enabled to refuse, suspend, or revoke access to the framework for national security-related reasons. Minister provided an expanded authority to direct the FCAC to take measures related to the framework for reasons related to national security, to safeguard the integrity or security of Canada's financial system, or in the best interest of the financial system.

Single Technical Standard: Establishment, maintenance, and oversight of a technical standard for the flow of data between consumers and the financial tools of their choice

- APIs to be used to enable different products and services to communicate in a consistent manner;
- Framework will mandate a single technical standard to which APIs are built to support functionality and interoperability.

2. The framework will apply to in-scope fintechs that opt
into the framework. The government will mandate participation for
banks that meet a specified threshold for retail volume. This
threshold will scope-in Canada's largest retail banks. The
remaining federally regulated financial institutions, as well as
credit unions, Crown corporations acting as banks, and other
entities seeking accreditation, will be provided the ability to
opt-in.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.