On August 4, 2021, the Advisory Committee on Open Banking (the Committee) released its Final Report, which includes 34 recommendations for the implementation of an open banking system in Canada. The Final Report suggests that an open banking system could be operational by January 2023 and should consist of a made-in-Canada approach that recognizes the potential for government and industry to collaborate, each with appropriate roles.
The Final Report follows the Committee’s initial report, Consumer-Directed Finance: The Future of Financial Services, which was released on January 31, 2020.
Recommendations from the Final Report
The Final Report outlines a vision for what an open banking system should offer Canadian consumers and makes recommendations on the scope, governance, common rules, accreditation, and technical specifications and standards required to achieve it.
Of particular note are the following core foundational elements that need to exist before open banking can begin to formally operate in Canada:
- Common rules for open banking industry participants to ensure consumers are protected and liability rests with the party at fault. The common rules would focus on liability, privacy and security. The Committee specifically addresses banks’ concerns regarding liability and accountability, given the outsourcing requirements under OSFI Guideline B-10, and the perceived need for bilateral arrangements. The Committee states that open banking cannot work effectively if bilateral contracts are required between parties and banks should not be held liable for how consumer-directed transfers of data from banks are ultimately used by third party service providers.
- An accreditation framework and process to allow third party service providers to enter an open banking system.
- Technical specifications that allow for safe and efficient data transfer and serve the established policy objectives.
Key recommendations from the Final Report are discussed below.
As a first step, the Committee recommends that the federal government appoint an open banking lead, accountable to the Deputy Minister at Finance Canada, who would convene industry participants to advance the core elements stated above. Rather than recommend that an existing regulatory body oversee open banking in Canada, the Committee recommends that a new governance entity be created specifically for the purpose of the on-going administration of open banking. The Committee’s view that neither an exclusively government-led nor industry-led approach is right for Canada is reflected in its recommendation that this new entity include representation of open banking participants and consumer representatives. As the mandate of the open banking lead concludes, the governance of the system would transition to the governance entity.
The Committee sets out an aggressive timeline for implementation, allowing just nine months for system design, an additional nine months for implementation, and a go-live date of January 2023. The urgency behind such a timeline is stated to be the proliferation of screen scraping in which users provide their bank credentials to third parties, which the Committee notes presents real security and liability risks to Canadians. Given this urgency, several of the recommendations by the Committee are driven by what can be done expediently, rather than what may take time to implement, present more risks, or require additional analysis and discussion.
Participants and Accreditation
Recommendations for the initial scope of open banking include required participation by federally regulated banks, with provincially regulated financial institutions having the opportunity to join voluntarily. All other entities would have to meet accreditation criteria to participate. Although specific accreditation criteria are not included in the Final Report, the Committee notes it should be developed in accordance with principles of trust, independent operation from industry, proportionality to risk, transparency, and coherence with existing regulation. The accreditation criteria and individual participants’ compliance should be reviewed regularly.
Scope of Data
The initial scope of data included in the system should reflect what is currently available to Canadians through their online banking applications and should not be limited to specific use cases. This includes consumer-provided data, balance data, transaction data and publicly available data. Industry participants should have the right to exclude derived data, referring to data that is enhanced by a financial institution to provide additional value or insight to the consumer, such as internal credit risk assessments or new product offerings, but with an obligation to justify any exclusion. All participants in the open banking system should be equally subject to consumer-permissioned data mobility requests which should be driven by express consumer consent.
At the initial phase, the Committee recommends that the scope be limited to read access data. That is, participants would be able to read data, but not execute commands such as payment initiation or account creation (write access). Write access raises significantly more risks and, further, would have to be considered in the context of other initiatives, such as payments modernization.
Interestingly, the Committee raises the possibility that information may be shared among banks and insurers and insurance intermediaries. While the Committee notes that banking data should not be used for underwriting insurance policies, this comment is limited to the initial scope of open banking, raising the possibility that such data sharing could be contemplated in the future. This would represent a significant departure from the current prohibitions on such data sharing with limited exceptions under the Bank Act and its regulations.
The Committee recommends that liability should flow with the data and ultimately rest with the party at fault. Simple and efficient complaint handling mechanisms should be provided for consumers that prescribe clear and automatic terms of redress. Similar to the federal complaints handling requirements for banks, the Committee recommends that participants be required to have an internal complaints handling process, be a member of an alternative dispute resolution mechanism or external complaints body, and limit consumer liability to a nominal amount (the example given is $50, which mirrors the maximum liability that may be incurred by a consumer in relation to a credit card that is lost or stolen under the Bank Act and its regulations, as well as under certain provincial consumer protection laws).
Privacy and data security: critical
Protecting the privacy of users and securely managing data is of paramount importance to the effective implementation of open banking. The Committee recognizes that data protection and consumer control over data are key outcomes that should guide the development of the system. Further, common rules should be developed to address privacy management and data security, specifically in the areas of consent management, privacy management, and operational and systemic risk.
The open banking lead should engage with technical experts to assist in the development of technical requirements. Such requirements should enable the safe and efficient transfer of data, be capable of evolving with technological change, enable the introduction of innovative new products, and be compatible with existing international approaches. Minimum security standards should be established for all entities seeking accreditation with, stronger security standards required based on risk.
The Final Report is another milestone in the ongoing stages of open banking in Canada; however, it remains to be seen if more concrete progress is made in a timely fashion.
Although the Committee states that open banking is possible by 2023 and sets out a detailed roadmap on how this could be achieved, at this time there still remain many steps before implementation is realizable. For example, although data portability rights (which would drive a mandatory, legislative approach to open banking) have been proposed in Canada’s Digital Charter and in Bill C-11 through the Consumer Privacy Protection Act, this legislation has died due to the upcoming federal election, and will need to be re-introduced. Alternatively, it is possible that another bill encompassing a legislative privacy scheme could be introduced. In addition, it is uncertain what level of priority the new government, once formed, will accord to open banking and the degree to which the Committee’s recommendations will be followed.