Date: 2024-04-23

1 Governance

The Framework expands on the oversight and management elements, notably:

the mandate of the Financial Consumer Agency of Canada (FCAC) will be expanded to include oversight, administration, and enforcement of open banking in Canada;

FCAC oversight of consumer-driven banking will operate on a cost-recovery model once the Framework is in place;

all participants will be subject to the open banking regulation and FCAC supervision;

provincial credit unions and Crown corporations that act as banks will be able to "opt-in" to governance, supervision, and participation; and

provinces and territories will retain the authority to impose their own requirements on entities subject to their jurisdiction.

2 Scope

The Framework provides additional information on the entities that will be able to participate, the scope of data that participants will be required to share, certain functional requirements for participation and details on the future expansion of "scope."

The initial phase of implementation will include:

government-mandated participation for Canada's largest retail banks, with other participants provided with the ability to opt-in;

clear requirements for how various entities, such as fintechs, can enter into, and exit out of, the open banking system;

a requirement to demonstrate adherence to technical and security requirements;

a requirement for participants to share (at the request of a consumer) data related to chequing and savings accounts operations, investment products available through their online portals, and lending products, such as credit cards, lines of credit, and mortgages;

an exclusion from scope for data that has been materially enhanced by a participant to offer significant additional value or insight;

maintaining the existing prohibition on the sharing by banks of customer information for the business of insurance;

having all entities subject to consumer-permissioned data sharing requests (reciprocal access); and

a requirement for participants to be able to provide reciprocal access.

The scope may be expanded at a later date to include additional data, entities, entry processes (e.g., tiered accreditation), and functionalities (such as the ability to initiate payments).

3 Accreditation

entities wishing to become accredited will need to submit an application to the FCAC;

applications will include information on the organization (including existing oversight arrangements and governance structure), operational standards (including security and privacy controls), and financial capacity (including liability instruments such as insurance);

the FCAC will evaluate applications against specified criteria and publish a list of authorized participants in a central registry;

once accredited, a participant will be permitted to request financial data, at the instruction of a consumer, from another participant, and will in turn be obligated to follow all common rules and make available any in-scope data to other participants;

participants will be subject to mandatory reporting on a regular basis; and

the FCAC will have the authority to suspend or revoke accreditation if a participant fails to meet its obligations or presents a risk to consumers.

Tiered accreditation (i.e., different accreditation requirements for entities) will not be included at this initial phase.

4 Common rules

The implemented Framework will include common rules (as a condition of access to consumer data). The common rules:

will address consumer protection interests, privacy, liability, security, national security, and integrity obligations (notably, this updated version of the Framework includes reference to "national security", "integrity" and "consumer protection interests" whereas it did not previously); and

work to complement existing legislation, rather than creating duplicative or potentially conflicting requirements, but additional privacy rules unique to financial data sharing will be introduced to address consent to data access, consent management, and the revocation of access to data by a consumer.

Note further that in respect of privacy, participants will be required to:

reconfirm consent every 12 months or following certain events;

provide "consent dashboards" that give consumers real-time knowledge and control over the accessibility of their data (i.e., who has access to what); and

adopt user experience guidelines to govern all areas of consent and revocation.

The implemented Framework will clearly set out a liability structure that establishes a statutory relationship between participants of the open banking system. This liability structure:

is based on the principle that liability moves with the data and rests with the party at-fault if anything goes wrong;

ensures consumers will not be held liable for financial losses incurred as a result of sharing their financial data within the system; and

requires participants to put in place policies and procedures for complaint handling and the provision of redress to ensure consumers have a clear path for addressing their complaints.

Clear security requirements for how voluntary and mandated participants protect consumers' data will also be established by the implemented Framework. Legislation is expected to:

establish security requirements for all participants that will serve as the minimum "floor" to safeguard consumer data;

require participants to fulfill ongoing reporting obligations that will be overseen by the FCAC, such as surveillance audits; and

mandate a security certification.

The Department of Finance will engage with stakeholders to finalize a recommendation in respect of the selection of this certification as well as the extent of the reporting obligations.

5 National Security

The implemented Framework will include safeguards and provide authorities to the Minister of Finance that align with existing financial sector statutes. The Minister will be able to:

refuse, suspend, or revoke access to the open banking system for national security-related reasons; and

direct the FCAC to take measures related to the Framework for reasons related to national security, to safeguard the integrity or security of Canada's financial system, or in the best interest of the financial system.