On August 4, the Advisory Committee on Open Banking (‘the Committee’) released its Final Report (‘the Report’), recommending that a new regulatory framework enabling data portability with third-party service providers be implemented by 2023.
As outlined in the Report, open banking allows individuals to control, edit, manage, and delete their information and to decide when, how, and to what extent this information is communicated to others.
To enable an open banking system in Canada that is secure, efficient and consumer-friendly, the Committee’s proposal focuses on 6 core consumer outcomes:
Consumer data is protected
Consumers are in control of their data
Consumers receive access to a wider range of useful, competitive and consumer-friendly financial services
Consumers have reliable, consistent access to services
Consumers have recourse when issues arise
Consumers benefit from consistent consumer protection and market conduct standards.
Furthermore, the Report indicates that financial inclusion should be taken into account in the open banking framework to address issues related to groups that are financially marginalized.
The Committee also advocates a hybrid model in which open banking is based on ‘both industry and government-led models deployed elsewhere’ while taking Canadian specificities into account.
The Committee recommends that the following be included in the initial scope of the Canadian Open Banking System:
Participants: All federally regulated banks, provincially regulated financial institutions (on a voluntary basis) and other entities subject to accreditation criteria
User Accounts: Small and medium enterprises (SMEs)
Account Data: Chequing and savings accounts, investment accounts accessible to the consumer, lending products (e.g., credit cards, lines of credit and mortgages)
Derived Data: Participants may exclude derived data from open banking, as it is considered ‘proprietary’ (the institution has invested the resources in processing the data). However, when this data is readily available to the consumer and may be accessed via screen scraping, participants should have an obligation to justify its exclusion.
“Read” vs. “Write” Functionality: ‘Read access’ will allow third-party service providers to receive consumer financial data, but not to edit this data on banks’ servers. ‘Write access’ is excluded from the initial scope of open banking.
Reciprocal Data Access: Requiring all accredited participants within an open banking system to be equally subject to consumer-permissioned data mobility requests.
The Final Report also includes the Committee’s recommendations on governance, with a primary requirement that governance ‘be impartial, transparent, and representative of all parties in an open banking system’.
The Committee recommends that the Government appoint a Lead responsible for convening stakeholders to advance the key foundational elements (i.e., common rules, accreditation framework and technical specifications) and the implementation of a system of open banking within an 18-month period.
The common rules will focus on subjects such as:
Liability: Who is responsible for what and how to provide compensation when something goes wrong. The Report recommends that participants (1) have an internal consumer complaints handling process, (2) be a member of an alternative dispute resolution mechanism or external complaints body, (3) have protocols in place to trace data so that all API calls are recorded and can be audited and (4) limit liability to consumers in all functions of open banking beyond a small fixed dollar amount (e.g., $50). The Report refers to EU PSD2, Australia's Consumer Data Right and the Canadian Financial Consumer Protection Framework as good examples.
Privacy: Consumers’ express consent and control over their data, as provided in the upcoming Consumer Privacy Protection Act (data mobility, deletion, etc.). The privacy framework should be supported by information that is clear, simple and not presented in misleading language.
Security: The Committee encouraged minimum cybersecurity practices that will serve as a baseline and be applicable to all participants. The data security and operational and systemic risk framework should be based on a tiered accreditation system designed through collaboration among the government, industry and system participants, and cybersecurity experts.
To reinforce the common rules, the Committee recommends the introduction of an accreditation framework that is analogous to the Systems and Organization Controls (SOC) process and guided by the following principles:
Trusted: Enabling third-party service providers to demonstrate their credibility as participants in an open banking system.
Independence: Independent accreditor with auditing capacity or a government regulatory body.
Proportional to Risk: The accreditation process should reflect the degree of risk that a third-party service provider poses to the system.
Transparency: Information about accreditation should be publicly available and accessible to consumers and other market participants. Accreditation criteria, process and results should be clearly explained to candidates. A central registry of all accredited parties should be made available to consumers.
Coherent: The accreditation regime should take into account the diversity of regulatory regimes to avoid duplicative or conflicting expectations.
Concerning the technical specifications and standards, the Committee recognized the work that is currently being done by technical experts and recommends that they be guided by the following principles:
Accessible and inclusive for all accredited system participants without requiring additional arrangements
Enable a positive consumer experience without overly onerous steps that the consumer must follow to realize the benefits of open banking
Enable the safe and efficient transfer of data among system participants
Capable of evolving with technological change to keep pace with the rapidly evolving sector
Sufficiently flexible to enable the development of new and innovative products
Compatible and interoperable with international approaches.
Note that the term ‘consumer-directed finance’, which was proposed for use in lieu of ‘open banking’, will ultimately not be retained, as the term ‘open banking’ is better understood in industry and international fora.
The Report was welcomed by the Minister of Finance, who is planning further actions.