Open banking is just around the Canadian corner. In 2018, the Minister of Finance appointed the Advisory Committee on Open Banking (the Committee) to review the merits of open banking. In August 2021, the Minister of Finance released the Committee's final report and made several ambitious recommendations, including meeting a January 2023 target date for the implementation of the first phase of the proposed open banking implementation plan. In March 2022, the federal government tasked Abraham Tachijian as Canada’s first open banking lead.
Open banking not only encompasses existing banking laws but also introduces layers of complexity through added data, privacy and security compliance. With the work of the steering committee and working groups now well under way, we look ahead to 2023 and consider where open banking stands in Canada, what it means for Canadians, and what legal questions remain.
Open banking is a practice that provides third-party financial service providers open access to consumer banking, transaction and other financial data from banks and non-bank financial institutions, using secure application programming interfaces (APIs). Open banking’s promise is to provide a more competitive and accessible marketplace for financial services for consumers.
Many jurisdictions have already introduced their own open banking regimes, including the United Kingdom, the European Union, and Australia. Over four million Canadians already share their financial data with third-party financial services providers through “screen scraping”, a less secure method than APIs as it requires customers to offer their banking login information to the third-party provider.
The Committee recommended that the government implement a hybrid, “made-in-Canada” approach which recognizes the important and distinct roles of government and industry. As a result of the report, four industry working groups were created to provide input on implementation. The groups offer representation from financial institutions, other prospective open banking participants, and consumer groups—and they cover four distinct areas: 1) accreditation; 2) liability; 3) privacy; and 4) security. Although as per the timelines provided, all four working groups were expected to have finished their four rounds of consultations by the end of September 2022, it appears that additional consultations will also take place in October.
Is Canada prepared for open banking?
Mr. Tachijian has remained steadfast that the implementation process is committed to meeting the aggressive January 2023 target date set by the Committee. While open banking has been in the works for many years, the establishment and implementation of a Canadian regime is a delicate process. The challenge for a Canadian open banking regime lies in balancing increased competition and innovation in the financial services industry with legal safeguards that protect privacy, security, and the stability and integrity of the financial system. Three initiatives are key to achieving this balance: 1) the coming into force of the Retail Payment Activities Act; 2) implementation of Canada’s real-time payments system; and finally 3) the establishment of enhanced data and privacy protections.
The aim of the Retail Payment Activities Act is to build confidence in the safety and reliability of payment service providers while protecting end users from specific risks. These objectives will be achieved by requiring payment service providers to register with the Bank of Canada in order to mitigate operational risk through appropriate policies and procedures, safeguard end-user funds by keeping them separate from money used in their business operations, and comply with various reporting requirements.
Regulations clarifying the details of the legislation will be published for comment in Part 1 of the Canada Gazette.
Canada's Real-Time Rail
The critical foundation for a well-functioning open banking regime is the establishment of a real-time payments system that will provide 24/7/365 payments that are final and irrevocable. Since 2018, Payments Canada has been working towards the establishment of Canada’s new real-time payments system. The Real-Time Rail will feature account number-based routing and ISO 20022 messaging to support data-rich payments.
Data and privacy law considerations
Data, privacy and security play a significant role in open banking. Ensuring that robust laws exist to protect consumers, financial services providers and the integrity of the system is paramount to the success of open banking. Reliance on a digital marketplace for financial services carries the possibility of data breaches and cyber-attacks, and uneven regulation of market participants can increase risk for consumers as well as the financial system.
In June 2022, the federal government introduced two pieces of legislation to strengthen regulation of privacy, cybersecurity and data governance in the private sector. The first, Bill C-26, would enact the Critical Cyber Systems Protection Act (CCSPA), which aims to protect critical cyber systems, including in the financial sector, and grants substantial new order-making and information-gathering powers to federal regulators overseeing them. The second, Bill C-27, would enact the Consumer Privacy Protection Act (CPPA) to reform federal privacy law, and the Artificial Intelligence and Data Act (AIDA), which would govern the use of AI and automated decision systems.
While it remains to be seen how broadly the critical financial system will be defined under the CCSPA, all companies operating in the open banking ecosystem should expect to comply with the legislation if passed, either directly or through contractual or industry expectations. This would include establishing a cybersecurity program aimed at preventing, detecting and mitigating cyber incidents. Under Bill C-27, companies could face administrative monetary penalties for non-compliance of an amount up to the greater of $10,000,000 and 3% of the organization’s gross global revenue. Organizations that commit certain offences may be ordered to pay fines of up to the greater of $25,000,000 and 5% of the organization’s gross global revenue. Given the sensitive nature of the data that will be managed by open banking parties, smaller fintechs will have to be ready to meet bank-level cyber protocols, even if they are still establishing their market foothold.
As we start to get a sense of what a “made-in-Canada” open banking system may look like, it is evident that it will engage a multitude of different areas of law. There are still many moving parts that, once implemented, will define the regulatory ecosystem for open banking. Chief among these are the Retail Payment Activities Act, Canada’s real-time payments system, and the passing of enhanced data and privacy protections. It will be essential for open banking players to ensure compliance with new legislation that addresses the new multifaceted world of digital financial services through open banking, while continuing to ensure compliance with pre-existing banking laws.