Torys in 10: Unpacking the latest report on open banking

Our podcast, Torys in 10, features quick, candid conversations with our lawyers on issues affecting your business: critical changes in the law, deal trends, market and industry developments and more.

As the importance of open banking continues to grow, Joel Ramsey and Ronak Shah discuss the concept and dive into some of the key risks and rewards through the lens of a report from the federal government released earlier this year.

A full episode transcript follows.

Joel Ramsey (00:12): I’m Joel Ramsey. I’m a partner at Torys and I’m co-head of the Technology Transaction practice, and I’m here with Ronak Shah.

Ronak Shah (00:19): And I’m a Senior Associate, and my practice focuses on privacy, cybersecurity and data governance.

JR (00:25): In today’s podcast, we will briefly explore what’s been going on in Canada in terms of open banking and discuss the first phase report issued by the advisory committee on open banking that was recently released by the Minister of Finance.

It’s helpful to define what we’re talking about because open banking, as you know Ronak, particularly, is often misunderstood. So open banking is a system that enables customers to access their data, such as their financial information, from their bank and to securely direct it to third parties such as fintechs and other banks. Those third parties can then deliver useful services to customers using that data, and it’s frequently in combination with other data from other sources. Open banking initiatives being pursued in many other jurisdictions, such as the U.K. and Australia, typically require banks to provide customer information to authorized third parties through these standardized interfaces called Open Application Programming Interfaces—we refer to them as APIs. These are an important part of current open banking initiatives. It’s helpful to think of them as secure pipes through which the data is transferred in order for open banking to occur.

So, Ronak, that’s how we’re defining open banking. Maybe you could provide a brief summary of what’s happening Canada so far.

RS (01:52): Sure. So as you pointed out, the Minister of Finance had appointed an advisory committee in 2018 to explore the merits of open banking. And in January of 2019 that advisory committee launched a consultation process by doing a series of stakeholder meetings and review of written materials. Fast forward to January of 2020 the Minister of Finance announced, as you noted that the government will be moving forward with open banking and that the advisory committee will now focus on a second phase review of open banking to assess the privacy and cybersecurity issues around it. Joel, I was wondering, I know you’ve read this cover-to-cover, on what your thoughts were on the report on and if things stuck out for you.

JR (02:49): Thanks, Ronak, I have read the report and it does cover a lot of ground. The first thing to note is that the committee has chosen to use the term “consumer-directed finance” instead of open banking. And the reasons for this rebranding so to speak come out of a concern that the word “open” will be misconstrued to mean other things, such as the system will allow open access to all of a person’s financial data, which is not really the case. And in fact, it’s intended to be for the benefit of consumers.

RH (03:17): Yeah and I thought it was interesting that they called it [consumer-directed finance]. But they really focus on not only individuals but small businesses, and so I think instead of consumer, they could have thought of more inclusive language like customer-directed banking. But those are just my thoughts.

JR (03:40): That’s good point. They do focus on consumers probably quite a bit more than customers as a more general idea, but it’s true that it could be used by not just individuals but by small businesses. In any event, the people who use it are intended to be the beneficiaries of the system because it will allow them to have a greater number of choices to manage their finances, and it also will help to serve under bank communities and populations. It’s also noted in the report that consumer-directed finance is intended to be part of a larger transformation in Canada to a digital economy, and in part it should enable candidate to be more globally competitive by fostering a growing economy focused on innovation, which is really important these days.

So the report says that without swift and concrete action, Canada risks falling further behind than it already is as global leaders in financial service that have already made inroads in open banking such as the U.K. and Australia. The report also discusses the government’s role in developing consumer-directed finance framework. Specifically, it says that the government is there to set the guard rails in a manner to protect consumers and participants while allowing innovation to flourish. It’s a bit short on specifics, but it concluded the government should play an important role in bringing together all the different stakeholders in to define objectives and deadlines.

RS (05:09): I thought that collaborative approach is quite unique to Canada, and especially if you compare it to other jurisdictions, like the U.K., where it has been more of a top down approach to open banking. What your thoughts on that?

JR (05:25): Well, the report does say that the government should allow—should encourage I should say—the industry to determine the best technical solution because banks and technology companies are in a better position to determine what those APIs, for example, should look like. The government is there to facilitate that and probably played a role in coming up with some kind of accreditation system where once those standards were put in place then fintechs that want to interface with the bank, have the proper security when data gets transferred.

RD (05:59): Yeah, I like that they also talked about that approach being not too prescriptive. So I think that allows the regulations and reforms to be nimble and evolve over time, I think.

JR (06:12): Nimble but also be safe. And as you know, Ronak, the privacy and cybersecurity issues seem to be at the heart of consumer-directed finance. Can you tell us a bit about what the report’s findings are with respect to those issues?

RS (06:25): Sure. So not surprisingly, the committee noted that privacy and cybersecurity are, and should be, at the heart of consumer-directed finance and its implementation. Three things kind of stuck out at me. First was the recognition by the committee that privacy and cyber risks exist and, in some situations, may be amplified by open banking. But the committee was of the view that these risks are not impossible to overcome, and that equal weight should be paid to the growth of the vibrant financial ecosystem and technology and its innovation. Further, I think that committee recognized that these risks also arise, partly because the current market is unstructured and by implementing a structured framework, these risks could be mitigated. So, as you mentioned, including an accreditation framework, enhanced consent and control requirements and data governance.

(07:24): The second finding that I thought was interesting with the committee recommended that Canada should have a principled approach to consumer-directed finance, and this includes providing and enabling consumers with more choice and meaningful control. And that’s really in line with the global movement in privacy by providing individuals with more control.

And the third finding that I thought was fascinating was that the committee recognized the broad potential of open banking and it recommended that the government align its digital efforts more broadly with the open banking reforms. So, one particular example of that was that the government should align its open banking reforms with the ongoing efforts to modernize PIPEDA (Personal Information Protection and Electronic Documents Act). PIPEDA is being updated to ensure that it remained adequate with the EU’s GDPR (General Data Protection Regulation) which is their privacy regime.

JR (08:23): And can you give an example of how PIPEDA should be more in line with GPRP in order to facilitate consumer directed finance?

RH (08:28): Sure, yeah, so one of the things being contemplated is introducing a general data portability right. And so that would just mean open banking but for all sectors and so that the committee kind of recommended that open banking be used as a blueprint for how PIPEDA and its reforms can enhance data choice and control across sectors.

JR (08:56): So it’s clear that you need to be able to have portability of your data in order for it to move from a bank to fintech for example?

RS (09:02): Absolutely. And I think aligning that with international standards also allows Canada’s open banking to be interoperable with the international system. So again, it goes back to that competitive advantage and maintaining the ability to be globally competitive.

JR (09:21): Has the government discussed next steps with respect to consumer-directed finance?

RS (09:25): So in terms of immediate next steps, the committee will undertake its second phase review with a focus on privacy and cybersecurity. In the longer term, the committee has recommended the government implement its reforms within one or two years. So, I think there is still a lot of development that’s going to be happening. But given that there is still uncertainty and a lot of moving parts, what should organizations currently do, Joel?

JR (10:06): Well, knowing that a large part of the population already uses fintech services through screen scraping as you mentioned earlier, organizations should consider how to mitigate their risks. Many financial institutions and fintechs are already partnering to offer consumers greater choices through access to data through mechanisms that don’t involve screen scraping. We could also see banks mandate the use of proprietary rather than open API and contract mechanisms such as bilateral data access agreements rather than a regulatory framework, until that regulatory guidance is given. That would be similar to what J.P. Morgan is using in the U.S. This isn’t likely the long term solution the advisory committee has in mind, but it would bring more certainty to security and liability issues that come from screen scraping and the status quo.

(10:56): In the longer term organizations should continue to prepare for a new era of digital banking. Having an enterprise data governance program, as you mentioned, would be a huge part of this, which we expect to be reflected in the modernized PIPEDA. There’s a sense of urgency in the report because the world of fintech is changing so rapidly, so the frame will hopefully bring a greater sense of certainty and stability sooner rather than later

And you and I both will continue to monitor these developments in consumer-directed finance in Canada, and we’ll be speaking with our clients about it as things progress.

RS (11:30): That we will.

JR (11:31): Thanks for listening.

RS (11:31): Thanks, everyone.

Music: Stratosphere - www.adamvitovsky.com

To discuss these issues, please contact the author(s).

This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.

For permission to republish this or any other publication, contact Janelle Weed.

© 2020 by Torys LLP.
All rights reserved.

Tags:

Get in Touch