Budget 2024: Canada moves one step closer to open banking

On April 16, Canada’s federal government (the Government) released its 2024 budget (the Budget). As part of the Government’s ongoing efforts to establish a modern digital payments system for Canada, the Budget included additional details on the establishment of a consumer-driven/open banking framework (the Framework).

What you need to know

• In a previous bulletin, we considered the future of payments in Canada and assessed what steps the Government needs to take to establish a modern digital payments system. The Government has already introduced certain initiatives, such as the launch of Lynx (Canada’s new high-value payment system). Other initiatives, such as the Retail Payment Activities Act (RPAA), are being rolled out.
• Open banking frameworks allow financial data to be shared between financial institutions and third parties using secure application program interfaces (APIs). Such frameworks are already in place in several jurisdictions, including the UK and Australia. The Government estimates that nine million Canadians already share their financial data by providing banking credentials to service providers, a process known as screen-scraping.
• The development of the Framework, which was first announced in the 2023 Fall Economic Statement, is guided by six core elements: governance, scope, accreditation, common rules, national security, and a technical standard.

Governance

In a significant step, the Budget signalled the Government’s intention for the Financial Consumer Agency of Canada (FCAC) to oversee the Framework. To support the FCAC in this new mandate, the Government announced the creation of a new FCAC position, the Senior Deputy Commissioner of Consumer-Driven Banking. The Financial Consumer Agency of Canada Act will be amended to create this new position.

As part of its new mandate in supervising the Framework, the FCAC will maintain its integrity and security, enforce common rules, accredit entities, and oversee technical standards. The new role adds to the FCAC’s existing mandate of supervising federally regulated financial institutions, such as banks, as well as payment card network organizations, and external complaint bodies. Recognizing potential jurisdictional issues with the provinces, the Government notes that the FCAC Commissioner will not be responsible for the direct oversight of the Framework, leaving that responsibility to the Senior Deputy Commissioner. In its 2021 submission to the Advisory Committee on Open Banking, the FCAC highlighted the benefits consumers receive from consistent consumer protection and market conduct standards, potentially offering insight into the FCAC’s regulatory priorities for open banking. As the FCAC observed, consumer confidence is necessary for the success of open banking.

All industry participants will be subject to the Framework and FCAC supervision. To facilitate oversight of provincial entities, while respecting their jurisdiction, the Framework will be structured in a manner that allows for provincial credit unions and Crown corporations that act as banks to “opt-in” to governance, supervision, and participation. This is a key area of uncertainty for the Framework, as it is uncertain the extent to which provincial credit unions and crown corporations will choose to opt in. If they do not, the Government will need to clarify whether organizations that choose not to opt in will be able to provide open banking-type services.

Scope

The Government will mandate participation for banks that meet a specified threshold of retail volume, while the remaining federally regulated financial institutions—as well as provincial credit unions, Crown corporations that act as banks, and other entities seeking accreditation—will be able to opt in. There will also be clear requirements for how various entities such as fintechs can enter and exit the Framework.

The development of the Framework will be an iterative process. In the initial phase, participants will be required, at the request of a consumer, to share data related to deposit accounts, investment products and lending products. All participants will be equally subject to data-sharing requests, a process known as reciprocal access.

The issue of data sharing is likely to be a key area of contention as the implementation of the Framework progresses. The Government notes that data that has been “materially enhanced” by a participant to offer significant additional value or insight will be excluded from scope. This is likely to pose challenges for entities in drawing a line around bank-developed information and information that is owned by the individual.

Accreditation

The Framework will establish a formal accreditation process for entities wishing to collect consumer data. Entities wishing to become accredited will need to submit an application to the FCAC. Applications will include information on the organization, operational standards, and financial capacity. Once accredited, entities will be subject to mandatory reporting of key information on a regular basis, with the FCAC retaining authority to suspend or revoke an organization’s accreditation.

Importantly, while the Fall Economic Statement noted that certain regulated entities, such as federally-regulated banks and credit unions, would be exempted from accreditation, the Budget was silent on this issue.

Common rules

The Framework will include common rules that address consumer protection interests, privacy, liability, security, national security, and integrity. The common rules are intended to complement existing legislation, rather than create duplicative requirements.

In keeping with the Government’s efforts to harmonize and enhance broader consumer protections across Canada, “consumer protection interests” were newly introduced as a common rule in the Budget.

1. Privacy

The Framework will include additional privacy rules beyond existing privacy legislation addressing the provision of express consent to access data, consent management, and revocation of access. In addition, participants will be required to have a standardized and clear means for consumers to provide and revoke their consent. These means will be based on user experience guidelines which participants will be required to adopt. Participants will also be required to reconfirm consumer consent at specified intervals (every 12 months) or following certain events, as well as to provide consent dashboards to ensure consumers have real-time knowledge to how their data is managed.

This area is likely to pose a key compliance challenge as organizations overhaul their back-end technological systems. Moreover, participants will be required to manage different privacy obligations enforced by the FCAC and privacy regulators

2. Liability

Recognizing the importance of clearly establishing where the liability rests, the Framework will establish a statutory liability–eliminating the need for bilateral contracts between participants. Liability will move with data and rest with the party at-fault. Consumers will not be liable for financial losses incurred as a result of sharing their financial data within the Framework, while participants will be required to put in place a complaint-handling process that is aligned with existing industry practices. The data provider maintains liability toward the consumer for data under its control.

3. Security and national security

In developing security obligations, the Government has acknowledged that they are setting a high bar. Unlike the RPAA’semphasis on proportionality, which aligns risk management with potential outcomes, the Government does not appear to favour a proportional approach to imposing requirements as it notes that legislation will establish security requirements for all participants to serve as the minimum floor to safeguard consumer data, along with ongoing reporting obligations.

The Government has indicated that the security requirements will apply to all the people, processes, technology, and infrastructure that interact with in-scope data that is collected through the Framework. However, consultation is ongoing with respect to the certification or reporting obligations that will be required.

The Minister of Finance would also receive new powers related to national security and protecting the integrity of the financial system. The Government proposes to empower the Minister to refuse, suspend, or revoke access to the Framework for national security reasons. The Minister would also be empowered to direct the FCAC to take measures related to the Framework for reasons related to national security, to safeguard the integrity or security of Canada’s financial system, or in the best interest of the financial system. These provisions are intended to align with existing financial sector statutes, such as the RPAA, the Bank Act and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.

Single technical standard

To align with international best practices, the Government will mandate the use of a single technical standard that is fair, open, accessible, and interoperable with standards in other jurisdictions. Legislation will provide authority to the Minister of Finance to identify and revoke a technical standard, as well as authority to the FCAC to supervise the technical standard body.

Next steps

An effective open banking framework requires a modern payments infrastructure. As the implementation of the Framework progresses, the Government will ideally ensure that the RPAA framework is fully operational before open banking has launched. This may provide consumers with increased confidence in using fintechs for their financial services. Efforts are also required to increase Canadians’ familiarity with open banking, given a recent Abacus poll noting that 57% of Canadians acknowledge being unfamiliar with the concept.

In Spring 2024, the Government intends to introduce the first of two pieces of legislation to implement the Framework, starting with elements such as governance, scope, and process for the technical standard. The remaining elements will be addressed through a second piece of legislation in the fall, with a review of the Framework after three years.