Canadian Open Banking Report Summarized

The Canadian government has released its report into open banking. Final Report: Advisory Committee on Open Banking is available here. The vision for a Canadian system should be governed by six outcomes: consumer data is protected; consumers are in control of their data; consumers receive access to a wider range of useful, competitive and consumer friendly financial services; consumers have reliable, consistent access to services; consumers have recourse when issues arise; and consumers benefit from consistent consumer protection and market conduct standards.

The report acknowledges the importance of the ability to transfer data between financial institutions and accredited third party providers, saying it gives consumers access to a more complete financial picture that could provide better services while improving their financial outcomes. It can also provide those on the margins with affordable financial management tools to help manage and improve their finances.

The benefits to SMEs are also obvious. It can help them better assess loan applications and simplify the management of bills, invoices, payroll, and taxes to reduce the complications of running a small business.

To move beyond screen scraping, open banking must provide Canadians with a range of useful tools. To achieve this the committee believes the initial phase should include data currently available to consumers and small business through their online banking applications. Financial institutions should be able to exclude derived data, that which is produced internally such as proprietary risk assessments. Consumer data held by third party providers (excluding derived data) should be included, however.

Consumers must always consent to their data being exchanged. Additional rules related to liability, privacy, and security are needed in order to complement existing legislation.

The report recommended have an operational system by the beginning of 2023. In order to meet that deadline, the initial rollout should be limited to lower-risk, read-only activities. That can be expanded to payment or account creation functions if the system runs well. It should also include:

1. Common rules for open banking industry participants to ensure consumers are protected and liability rests with the party at fault; 
2. An accreditation framework and process to allow third party service providers to enter an open banking system; 
3. Technical specifications that allow for safe and efficient data transfer and serve the established policy objectives; and
4. A mandate from the government, an open banking lead person, and accountability to the Deputy Minister at Finance Canada.

Data which should be included in the initial scope of an open banking system is that which is traditionally readily available to consumers through their online banking applications, such as consumer provided data, balance data, transaction data, product data, and publicly available data. It should come from checking and savings accounts; investment accounts accessible to the consumer through their online banking portal, such as RRSPs, TFSAs, and other non-registered investing accounts including those holding stocks, bonds, mutual funds, term deposits, guaranteed income certificates; and lending products, such credit cards, lines of credit and mortgages. Third-party service providers should be allowed to receive the data but not be able to edit it.

Recommendations coming from this section are:

1. Federally regulated banks should be required to participate in the initial scope of the open     banking system and provincially regulated financial institutions such as credit unions should have the opportunity to join on a voluntary basis. Participation from other entitles should be allowed upon meeting accreditation criteria and following the rules of the open banking system; 
2. The initial scope should apply to both consumers and SMEs;
3. The initial scope should reflect data currently available to Canadians through their online banking applications, including checking and savings accounts, investments accounts, and lending products. The initial scope of data shared in Canada’s open banking system should not be limited to specific use cases;
4. Consumer-provided data, balance data, transaction data, product data and publicly available data should be part of the initial open banking scope. All industry participants should have the right to exclude derived data and an obligation to justify any exclusion; 
5. The initial scope should be limited to read access functions. However, the system should be built to allow the scope to be expanded to include new types of data and write access functions once the system is established and the risks can be fully understood and addressed; and
6. All participants within the open banking system should be equally subject to consumer-permissioned data mobility requests. Reciprocity must be driven by express consumer consent and participants should not be allowed to require reciprocal data access in order to provide a product or service.

Both government and industry should have roles in supervising this process and the level of governance displayed should be commensurate with the risk

“Where stakeholders diverge is with respect to the precise governance mechanism,” the report states. “Some stakeholders are in favour of overarching legislation to establish an implementing organization and mandate the rules for participation in the system. Others argue government should set a broad policy direction and leave industry to establish standards of practice to act as a framework for open banking.”

A phased governance approach was recommended, with an appointed lead working with government and industry to design and implement an early phase of the system. While this occurs the government could work in parallel to develop a permanent one. Recommendations for this aspect are:

1. Common rules for open banking participants to replace the need for bilateral contracts and ensure consumers are protected; 
2. An accreditation framework and process to allow third party service providers to participate in an open banking system; and 
3. Technical specifications that allow for safe and efficient data transfer and serve the established policy objectives.

Whoever leads this process should be supported by industry groups which include, banking and consumer representatives along with people from other groups who stand to benefit. A formal governance entity should be created over the long-term and some aspects should be formally codified in legislation.

Common rules should also be established to keep the system running whilst protecting consumers. To assist with this the government should address legislative or regulatory impediments that could inhibit the operationalization of an open banking system, particularly with a view to resolving hurdles that necessitate bilateral contracts. They must also make clear that liability moves with the data and rests with the party at fault. Compliant guidelines should be simple to understand and make clear how complaints will be resolved.

Consumers must be limited from liability beyond a fixed dollar amount unless gross negligence or criminal act can be proven. Common rules for privacy should be developed for consent and privacy management.

1. The common rules should prohibit undue pressure on consumers, ensure that information provided to consumers is accurate, clear and not misleading, and require public disclosure regarding consumer complaints received;
2. Common rules for security should be developed for data security and operational and systemic risk;
3. A minimum “floor” of security standards should be followed by third-party services providers seeking accreditation with stronger security standards required based on risk;
4. Educational tools and resources should be developed for consumers to raise consumers’ awareness of their rights and responsibilities; and
5. The common rules should be developed in an impartial, consistent, transparent and representative manner, with sufficient government oversight to ensure consumer interests are protected and public policy objectives are met.

Accreditation criteria should be strong enough to protect consumers but not onerous enough to exclude a wide range of market participants. The criteria should be sufficient to demonstrate the participant is able to comply with rules related to liability, privacy and security. The accreditation process should be trusted, independent, proportional to risk, transparent and coherent with other regulatory regimes. The accreditation criteria, as well as the list of accredited firms, should be easily accessible to consumers and other market participants.

Those seeking accreditation should bear the costs of the accreditation process, with a party outside the open banking system, such as an independent entity with appropriate auditing capacity or a government regulatory body, directing it.