Open Banking Canada: Can We Expect A Launch This Year? – Financial Services

Open banking working groups

Following the release of the report, four working groups were
established in 2022 to provide input on four key aspects of the
open banking framework: accreditation, liability, privacy and
security. The working groups, which included representation from
banks, other prospective open banking participants and consumer
representatives, met five times over the course of the past six
months. Below are some of the points on which most of the
participants reached consensus.

Accreditation

The accreditation working group is focused on the criteria that
organizations will be required to follow in order to participate in
the open banking framework. Federally and provincially regulated
financial institutions are expected to be exempt from
accreditation, as they are already subject to stringent oversight.
The working group agreed with the following four criteria for
accreditation: (1) background information/internal governance; (2)
financial capacity; (3) certification; and (4) privacy and
security. There was consensus that participants must have an
adequate insurance policy or comparable financial guarantee in
order to participate. This guarantees financial capacity to cover
liabilities.

To meet this obligation, there was consensus that the Australian model
is preferable. The Australian model allows participants to
determine the adequacy of the insurance or comparable guarantee
that they require by assessing factors such as the (1) nature of
products or services to be provided; (2) nature of Consumer Data
Right (CDR) likely to be managed; (3) volume of CDR data held; (4)
financial resources; (5) scope; (6) policy limit; (7) persons
covered; and (8) exclusions¹.

Liability

The liability working group focused on three themes: (1)
liability as it pertains to consumers; (2) traceability and
transparency; and (3) liability between participants. A majority of
the group agreed that $50 should be the liability limit for
consumers except where it is proven that a consumer has committed
gross negligence or criminal acts, including fraud. There was
consensus that the internal complaints handling guidelines for
banks, which are published and enforced by the Financial Consumer
Agency of Canada, should frame the accreditation requirements for
complaints handling. There was also
agreement that data standards should be prescribed, following
the Australian model where liability is addressed under the
country’s competition law regime.

However, in order to govern the legal relationship between
participants, there was no agreement on whether the regime should
prescribe a deemed contract under statute, as is the case in
Australia, or to follow the non-legislative U.K. approach. This
working group also discussed redress for consumers, with most
agreeing that the redress process should begin at the complaints
desk chosen by the consumer (either the data recipient or provider)
and that the data recipient should be the automatic guarantor, who
must pay out automatically to the consumer and then resolve
compensation with the corresponding party through an alternative
dispute mechanism².

Privacy

The privacy working group focused on two topics: (1) consent;
and (2) consent management and the customer journey. There was
agreement that the customer journey should be designed to support
the elements for consent, which requires consent to be explicit, to
list to the customer the implications of the data use, full
transparency on how the data will be used, to be limited in time,
and revocable. There was consensus that revocation of consent will
be deemed where the consumer closes their account or if the purpose
for which the data was collected changes. There was also general
agreement that the consent approach should align with the existing
financial services industry standards and that the disclosure
approach found in the Bank Act consumer protection
provisions provide a solid baseline for disclosure principles to be
applied to open banking.

Security

The security working group focused on (1) foundational risks;
(2) risk management; and (3) governance. The main risk types
identified were data security, cybersecurity, and operational
risks. The working group is not responsible for developing the
principles and technical standards of the API, which is a crucial
piece of open banking that will facilitate the data exchange
between financial services providers and open banking platforms. A
majority of the participants agreed that the National Institute of
Standards and Technology (NIST) framework provided the best balance
to serve as a baseline requirement to address data security risk,
providing flexibility and prescriptive requirements. Participants
appreciated the flexibility the NIST framework provides in
addressing proportionality needs.

From working group to implementation

The outcomes of the working group meetings provide an
appreciation of the operational, commercial, and technical
approaches that will shape open banking in Canada. 2023 will
provide more opportunities to see how the conclusions of these
meetings are implemented.

The one elephant in the room that has not been discussed is the
“governance” of Canada’s open banking initiative.
Although the report recognized that “in all open banking
approaches, effective governance of the system is central to
success”, it does not appear as if any decisions have
been made as to how the government plans on tackling the governance
of Canada’s open banking framework. The “hybrid” open
banking approach recommended in the report, where both government
and industry play a role, is commendable but can only work if the
governance model is properly designed and implemented. The
diverging opinions of stakeholders on the precise governance model
that should be adopted certainly point to the challenges of
establishing a governance model that would be supported by various
stakeholders and that will eventually lead to a successful Canadian
open banking framework³.

While Mr. Tachjian, Canada’s open banking lead, is making
progress on the design of the system, stakeholders are still
waiting to hear from government officials on the design of the
“purpose-built governance entity” which they have been
tasked to develop.

CIO Strategy Council publishes national standard for consumer
directed finance

In addition to the open banking steering committee, other groups
are also working to advance Canada’s open banking framework.
One such group is the CIO Strategy Council. In November 2022, the
council published its national standard for consumer directed
finance. The council brings together Canada’s chief
information officers and executive technology leaders to
collectively mobilize on common digital priorities. The standard
includes provisions on design and experience principles,
authentication, authorization, consent, and data portability. The
standard is applicable to organizations in the financial products
and services space, including third-party providers. This
development is another step towards ensuring that industry is
aligned in the development of open banking in Canada.

What’s next

Stakeholders and consumers alike are excited to see Canadian
developments in open banking. 2023 should yield pivotal
developments in the implementation of open banking in Canada.
This will provide clarity to industry members as to how open
banking will impact their businesses and services.

Footnotes

1. This is in contrast to the European Union approach,
which provides a strict formula and criteria to calculate the
minimum policy required.

2. https://www.canada.ca/en/department-finance/programs/financial-sector-policy/open-banking-implementation/liability-working-group-meeting-2-july-26-2022.html

3. Per the diverging opinions expressed during the
consultation process that generated the final report of the
advisory committee on open banking.