A Call to Action on Open Banking
A Call to Action on Open Banking
On June 19, 2019, the Standing Senate Committee on Banking, Trade and Commerce (“the Committee”) published a report on open banking entitled Open Banking: What it Means for You (“the Report”). The Report is part of the Federal Government’s ongoing exploration into the merits and risks of open banking, many of which we previously summarized in our February 2019 bulletin.
Open Banking at a Glance
Open banking refers to both free access to banking application interfaces, and free distribution of consumer banking information (with that consumer’s consent).
On the technology side, an open banking industry is one in which financial institutions make their application programming interface (“API”) freely available. This allows emerging fintech companies to work seamlessly with the API of an established financial institution. On the consumer data side, open banking gives more freedom for consumers to access their personal information, and allows for the transfer of such information between financial service providers. This free information exchange encourages innovation and competition between financial service providers. It also allows consumers to retain control over their personal information and its use by third parties.
Open banking may potentially bring greater competition among financial services companies, increased services for consumers, and more rapid innovation in the financial industry. However, there are risks and challenges associated with open banking as well. These include concerns surrounding privacy and data security, financial crime, and financial stability.
In its report, the Committee highlighted a number of key short-term and long-term recommendations to the Federal Government to encourage government action moving forward. The recommendations include the following:
(a) Examine and Regulate Screen-Scraping Fintech
The Report notes that approximately 4 million Canadians are already making use of fintech services that use “screen scraping” to collect user data. These services ask for their customer’s financial institution username and password, and gather their banking information from a screen capture of their banking page.
The problem with screen scraping is twofold. First, it does not limit the duration, scope, or use of a consumer’s information. Second, the process of screen scraping may violate contracts between the user and their financial institution, leaving them unprotected in the event of a data breach.
In light of the above, the Report calls for the Government of Canada to place the Financial Consumer Agency of Canada (“FCAC”) in an interim oversight role over screen scraping, which would empower them to:
- conduct research into the risks and benefits of screen scraping and other aspects of open banking, and publish findings periodically to Canadians;
- create education and marketing campaigns bringing public awareness to the risks and benefits of screen scraping;
- respond to complaints and questions from the public regarding screen scraping; and
- coordinate efforts with relevant provincial and territorial regulatory authorities to respond to screen scraping.
(b) Fund Consumer Protection Advocacy Groups
The Report recognizes that a consumer voice is missing from the Committee. It calls for immediate funding for consumer protection advocacy groups to allow them to independently conduct and publish research on the risks and benefits of open banking.
(c) Develop a Principles Based Framework
The Report calls for the government to work with industry stakeholders to develop a principles-based framework, to be integrated into the existing legislative framework for the financial sector. These stakeholders include federally and provincially regulated financial institutions, financial services providers, Payments Canada, as well as the consumer advocacy groups described above.
The framework would provide guidance concerning:
- the data to be made accessible to financial services providers;
- the participation of the payments sector;
- the general timeline for implementation; and
- which financial services providers would participate.
It is also expected to guide the development of a common data governance standard for financial institutions to ensure, among other things, that it can be implemented in a technology-agnostic way (i.e. one that appeals to multiple interfaces).
(d) Create a Registry for Accredited Third-Parties and Innovation Sandbox
To counter the risks of third parties taking and misusing financial information, the Report recommends the implementation and maintenance of a registry for accredited third parties.
Since a registry can be a barrier for new third party providers entering the market, the Report also calls for the creation of an innovation sandbox, to allow fintech companies to experiment and evaluate financial tools on a smaller scale before earning accreditation. This is similar to the Ontario Securities Commission’s “OSC LaunchPad” which also provides a creative space for fintech companies to experiment with technology and ensure adherence to OSC policies.
(e) Amend Legislation
The Committee recommends three main legislative amendments. First, preventing the use of consumer banking data for insurance underwriting purposes, in line with the longstanding restriction in the Bank Act prohibiting banks from engaging in the insurance sector.
Second, ensuring stability of the Canadian banking sector. Given the possibility of massive disruptions to the industry from large tech companies, and the potential for a massive increase in the number of transactions, this legislation would require more risk management standards and resilient funding models.
Third, the Committee recommends implementing consumer protections as needed, such as a requirement for algorithm transparency, and for consumers to have the ability to track their information and delete it when they no longer consent to its transfer.
(f) Ensure Alignment and Accessibility
The Report also provided a number of recommendations focused on alignment and accessibility. Specifically, it was recommended that the Federal Government work collaboratively with the provinces and territories to update and align their respective legislative frameworks to allow for participation across jurisdictions. It was also recommended that the development of an open banking system should be done in coordination with the payments modernization efforts. In addition, to further improve accessibility, the Committee recommends that the Federal Government expand its efforts to improve internet access and capacity in rural or remote communities.
(g) Update PIPEDA
The Report recognizes that the Personal Information Protection and Electronic Documents Act (PIPEDA) needs to be updated to account for the move to a more fluid system of information transfer and to more closely align it with global privacy standards. These recommendations would prioritize consumer protection and may include:
- Data Portability Rights. Allowing users to direct that their information be transferred upon request. This makes it easier for consumers to change banks, or grant third party providers access to a small amount of information (without needing to give them their username and password);
- Consent. A requirement of “explicit, meaningful, plain language consent” separate from any service contract, which describes in detail the use of the information and the third parties that will have access to the information;
- Standards. Evaluating businesses on their internal guidelines, codes of practice, accreditation schemes, and technology standards to establish compliance with privacy and cybersecurity obligations;
- Enforcement. Enhancement of the Privacy Commissioner’s enforcement and oversight powers, including order making powers (in the form of cessation and records preservation orders) and increasing the scope and range of fines; and
- Reform. Redrafting sections of PIPEDA to clearly set out a consumer’s rights with respect to their information.
(h) Establish Oversight
Finally, in conjunction with the above, the Committee recommends that the Privacy Commissioner of Canada, together with the Canadian Commissioner of Competition, act as co-regulatory and enforcement authorities in an open banking system. The Privacy Commissioner would ensure compliance with PIPEDA and respond to privacy related issues, while the Commissioner of Competition would be responsible for ensuring increased and fair competition in the industry.
It is increasingly clear that Canada is moving towards a future with open banking, or at least some form of it. This is in line with the current trend, globally, towards information autonomy. However, the Committee’s short-term and long-term recommendations highlight that there is still much to be done if open banking is to become a reality in Canada.
by Pat Forgione, Darcy Ammerman, Anthony Pallotta and Robbie Grant, Summer Law Student
A Cautionary Note
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2019
Related Publications (5 Posts)
This bulletin provides an overview of the regulations surrounding psychedelics in Canada and psychedelics companies in the Canadian capital markets.
Stopping a Slippery Slope: Ontario Divisional Court Clarifies that Auto Insurance Coverage Applies Only to Direct Causes of Injuries
Ontario Divisional Court clarifies that automobile insurance only applies to direct causes of injury under the Statutory Accidents Benefits Schedule.
The decision in Barz concerns the interplay between Alberta’s Workers’ Compensation Act and Traffic Safety Act.
The British Columbia government has announced proposed amendments to the Employment Standards Act to provide for paid sick leave.
Get updates delivered right to your inbox. You can unsubscribe at any time.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.