As the open banking steering committee and working groups continue their important work to create an open banking framework in Canada, the larger financial services community is preparing to integrate open banking for businesses and ultimately for consumers. Although many were hoping for the launch of the first phase of open banking in January 2023, as initially promised in the final report of the advisory committee on open banking, this date no longer appears achievable. However, progress continues to be made on open banking, with the first phase expected to launch this year. In this article, Torys examines what’s happening on the open banking front and what’s ahead.
Following the release of the report, four working groups were established in 2022 to provide input on four key aspects of the open banking framework: accreditation, liability, privacy and security. The working groups, which included representation from banks, other prospective open banking participants and consumer representatives, met five times over the course of the past six months. Below are some of the points on which most of the participants reached consensus.
The accreditation working group is focused on the criteria that organizations will be required to follow in order to participate in the open banking framework. Federally and provincially regulated financial institutions are expected to be exempt from accreditation, as they are already subject to stringent oversight. The working group agreed with the following four criteria for accreditation: (1) background information/internal governance; (2) financial capacity; (3) certification; and (4) privacy and security. There was consensus that participants must have an adequate insurance policy or comparable financial guarantee in order to participate. This guarantees financial capacity to cover liabilities.
To meet this obligation, there was consensus that the Australian model is preferable. The Australian model allows participants to determine the adequacy of the insurance or comparable guarantee that they require by assessing factors such as the (1) nature of products or services to be provided; (2) nature of Consumer Data Right (CDR) likely to be managed; (3) volume of CDR data held; (4) financial resources; (5) scope; (6) policy limit; (7) persons covered; and (8) exclusions1.
The liability working group focused on three themes: (1) liability as it pertains to consumers; (2) traceability and transparency; and (3) liability between participants. A majority of the group agreed that $50 should be the liability limit for consumers except where it is proven that a consumer has committed gross negligence or criminal acts, including fraud. There was consensus that the internal complaints handling guidelines for banks, which are published and enforced by the Financial Consumer Agency of Canada, should frame the accreditation requirements for complaints handling. There was also agreement that data standards should be prescribed, following the Australian model where liability is addressed under the country’s competition law regime.
However, in order to govern the legal relationship between participants, there was no agreement on whether the regime should prescribe a deemed contract under statute, as is the case in Australia, or to follow the non-legislative U.K. approach. This working group also discussed redress for consumers, with most agreeing that the redress process should begin at the complaints desk chosen by the consumer (either the data recipient or provider) and that the data recipient should be the automatic guarantor, who must pay out automatically to the consumer and then resolve compensation with the corresponding party through an alternative dispute mechanism2.
The privacy working group focused on two topics: (1) consent; and (2) consent management and the customer journey. There was agreement that the customer journey should be designed to support the elements for consent, which requires consent to be explicit, to list to the customer the implications of the data use, full transparency on how the data will be used, to be limited in time, and revocable. There was consensus that revocation of consent will be deemed where the consumer closes their account or if the purpose for which the data was collected changes. There was also general agreement that the consent approach should align with the existing financial services industry standards and that the disclosure approach found in the Bank Act consumer protection provisions provide a solid baseline for disclosure principles to be applied to open banking.
The security working group focused on (1) foundational risks; (2) risk management; and (3) governance. The main risk types identified were data security, cybersecurity, and operational risks. The working group is not responsible for developing the principles and technical standards of the API, which is a crucial piece of open banking that will facilitate the data exchange between financial services providers and open banking platforms. A majority of the participants agreed that the National Institute of Standards and Technology (NIST) framework provided the best balance to serve as a baseline requirement to address data security risk, providing flexibility and prescriptive requirements. Participants appreciated the flexibility the NIST framework provides in addressing proportionality needs.
The outcomes of the working group meetings provide an appreciation of the operational, commercial, and technical approaches that will shape open banking in Canada. 2023 will provide more opportunities to see how the conclusions of these meetings are implemented.
The one elephant in the room that has not been discussed is the “governance” of Canada’s open banking initiative. Although the report recognized that “in all open banking approaches, effective governance of the system is central to success”, it does not appear as if any decisions have been made as to how the government plans on tackling the governance of Canada’s open banking framework. The “hybrid” open banking approach recommended in the report, where both government and industry play a role, is commendable but can only work if the governance model is properly designed and implemented. The diverging opinions of stakeholders on the precise governance model that should be adopted certainly point to the challenges of establishing a governance model that would be supported by various stakeholders and that will eventually lead to a successful Canadian open banking framework3.
While Mr. Tachjian, Canada’s open banking lead, is making progress on the design of the system, stakeholders are still waiting to hear from government officials on the design of the “purpose-built governance entity” which they have been tasked to develop.
In addition to the open banking steering committee, other groups are also working to advance Canada’s open banking framework. One such group is the CIO Strategy Council. In November 2022, the council published its national standard for consumer directed finance. The council brings together Canada’s chief information officers and executive technology leaders to collectively mobilize on common digital priorities. The standard includes provisions on design and experience principles, authentication, authorization, consent, and data portability. The standard is applicable to organizations in the financial products and services space, including third-party providers. This development is another step towards ensuring that industry is aligned in the development of open banking in Canada.
Stakeholders and consumers alike are excited to see Canadian developments in open banking. 2023 should yield pivotal developments in the implementation of open banking in Canada. This will provide clarity to industry members as to how open banking will impact their businesses and services.
To discuss these issues, please contact the author(s).
This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.
For permission to republish this or any other publication, contact Janelle Weed.
© 2023 by Torys LLP.
All rights reserved.