Final report of advisory committee on open banking
Kevin Landry and Annelise Harnanan (summer student)
Recently, the Advisory Committee on Open Banking released the Final Report of the Advisory Committee on Open Banking (“Report”), confirming its intention to implement a broader, more modernized open banking system in Canada and mapping out a plan to do so.
As with the recently proposed Retail Payment Activities Act (“RPAA”) discussed in our earlier client update, the Report introduces proposed new licensing requirements and an oversight regime for Financial Technology (“FinTech”) companies. However, the Report pertains to governance of ‘Open Banking’ instead of payment services, and conceives of a regulatory system being put in place as early as January 2023.
Background – open banking
Open banking refers to a regulatory framework that would allow consumers and small businesses to securely transfer their financial data. With open banking, data can be efficiently and safely moved between financial institutions, such as banks, and third-party service providers, such as FinTech companies that, for example, provide budgeting or investing services.
According to the Report, Canadian consumers have already been transferring their financial data to third parties in order to access various financial management tools. However, a method used by many consumers to share their data online, called “screen scraping,” presents security and liability risks to consumers because they are required to share their banking login credentials with third-party service providers. In sharing their usernames and passwords with third parties, consumers may violate the terms of their service agreements with their banks, causing the risk of loss to shift to them without their knowledge. Open banking is seen as a way to address these risks.
Scope
If the Report’s recommendations are adopted, all federally-regulated banks would be required to participate in open banking. Provincially-regulated institutions, such as credit unions, would be able to join if so desired. Other entities, such as FinTech companies, would have to meet accreditation criteria and follow the other rules of the open banking system in order to participate. All participants would be equally subject to data mobility requests, following consumer permission.
The Report proposes that the initial scope of the open banking system should cover data that has generally been available to consumers through online banking. This includes data from (1) chequing and savings accounts; (2) investment accounts that consumers can access through online banking; and (3) lending products such as lines of credit and credit cards. Derived data (data that has been analyzed or enhanced by financial institutions, such as internal credit risk assessments) is often proprietary and may be excluded from open banking.
It is also recommended that the initial phase of open banking be limited to “read access”, meaning consumers can grant third-party service providers the ability to receive their financial data, but not to edit this data on the bank’s servers.
Governance
The Report recommends a phased approach to governance of the open banking system. For phase one, it is proposed that the government appoint an open banking lead who will be accountable to the Deputy Minister of Finance. This “lead” would work with industry experts and consumer representatives over an initial 18-month span to establish the following three foundational elements:
- Common rules for open banking participants that would replace the need for bilateral contracts and ensure consumer protection;
- An accreditation framework that allows third-party service providers to participate in the open banking system; and
- Technical specifications that would ensure the safe and efficient transfer of data and serve established policy objectives.
At the second phase, a “governance entity” would be established to manage the ongoing administration of the system. It is also recommended that the government consider which elements of the open banking system need to be codified in legislation.
Common rules
It is envisioned that the open banking lead will develop common rules to govern the participants of open banking, including banks and FinTech companies. The Report proposes that these rules address the allocation of liability, privacy (and consent) management, and the security of the financial data that is being transferred.
Accreditation
If the Report’s recommendations are followed, accreditation would be required for all entities, with the exception of federally-regulated banks, to be allowed into the banking system. An exception from accreditation for provincially-regulated financial institutions, such as credit unions, is to be considered as well.
The Report acknowledges that the accreditation criteria should be robust enough to protect consumers, but not so onerous that they exclude a wide range of market participants, and notes that “holding adequate insurance or some comparable financial guarantee will be critical to ensure accountability among accredited third-party service providers”.
Technical specifications and standards
The Report recommends that technical standards be developed for sharing, accessing, safeguarding, and revoking data among system participants. Notably, the Report does not take a stance on whether a single standard, applicable to all participants, ought to be developed. Rather, it states that efforts to develop technical specifications should continue, and that these standards should be guided by certain principles. These principles include ensuring that the open banking system is capable of evolving with technological change and that it is compatible and interoperable with international approaches.
Conclusion
The Report contains many other recommendations and maps out a timeline for introducing open banking in Canada. It proposes that the first phase be implemented by January 2023. It remains to be seen whether or not these recommendations will be followed, especially given the upcoming federal election in 2021. Nevertheless, financial institutions and FinTech companies should be alert to the possibility that their obligations regarding consumers’ financial data could soon change.
This update is intended for general information only. If you have questions about the above, please contact the author(s) to discuss your needs for specific legal advice relating to the particular circumstances of your situation.