On June 19, 2019, the Standing Senate Committee on Banking, Trade and Commerce ("the Committee") published a report on open banking entitled Open Banking: What it Means for You ("the Report"). The Report is part of the Federal Government's ongoing exploration into the merits and risks of open banking, many of which we previously summarized in our February 2019 bulletin.

Open Banking at a Glance

Open banking refers to both free access to banking application interfaces, and free distribution of consumer banking information (with that consumer's consent).

On the technology side, an open banking industry is one in which financial institutions make their application programming interface ("API") freely available. This allows emerging fintech companies to work seamlessly with the API of an established financial institution. On the consumer data side, open banking gives more freedom for consumers to access their personal information, and allows for the transfer of such information between financial service providers. This free information exchange encourages innovation and competition between financial service providers. It also allows consumers to retain control over their personal information and its use by third parties.

Open banking may potentially bring greater competition among financial services companies, increased services for consumers, and more rapid innovation in the financial industry. However, there are risks and challenges associated with open banking as well. These include concerns surrounding privacy and data security, financial crime, and financial stability.

Recommendations

In its report, the Committee highlighted a number of key short-term and long-term recommendations to the Federal Government to encourage government action moving forward. The recommendations include the following:

(a) Examine and Regulate Screen-Scraping Fintech

The Report notes that approximately 4 million Canadians are already making use of fintech services that use "screen scraping" to collect user data. These services ask for their customer's financial institution username and password, and gather their banking information from a screen capture of their banking page.

The problem with screen scraping is twofold. First, it does not limit the duration, scope, or use of a consumer's information. Second, the process of screen scraping may violate contracts between the user and their financial institution, leaving them unprotected in the event of a data breach.

In light of the above, the Report calls for the Government of Canada to place the Financial Consumer Agency of Canada ("FCAC") in an interim oversight role over screen scraping, which would empower them to:

  1. conduct research into the risks and benefits of screen scraping and other aspects of open banking, and publish findings periodically to Canadians;
  2. create education and marketing campaigns bringing public awareness to the risks and benefits of screen scraping;
  3. respond to complaints and questions from the public regarding screen scraping; and
  4. coordinate efforts with relevant provincial and territorial regulatory authorities to respond to screen scraping.

(b) Fund Consumer Protection Advocacy Groups

The Report recognizes that a consumer voice is missing from the Committee. It calls for immediate funding for consumer protection advocacy groups to allow them to independently conduct and publish research on the risks and benefits of open banking.

(c) Develop a Principles Based Framework

The Report calls for the government to work with industry stakeholders to develop a principles-based framework, to be integrated into the existing legislative framework for the financial sector. These stakeholders include federally and provincially regulated financial institutions, financial services providers, Payments Canada, as well as the consumer advocacy groups described above.

The framework would provide guidance concerning:

  1. the data to be made accessible to financial services providers;
  2. the participation of the payments sector;
  3. the general timeline for implementation; and
  4. which financial services providers would participate.

It is also expected to guide the development of a common data governance standard for financial institutions to ensure, among other things, that it can be implemented in a technology-agnostic way (i.e. one that appeals to multiple interfaces).

(d) Create a Registry for Accredited Third-Parties and Innovation Sandbox

To counter the risks of third parties taking and misusing financial information, the Report recommends the implementation and maintenance of a registry for accredited third parties.

Since a registry can be a barrier for new third party providers entering the market, the Report also calls for the creation of an innovation sandbox, to allow fintech companies to experiment and evaluate financial tools on a smaller scale before earning accreditation. This is similar to the Ontario Securities Commission's "OSC LaunchPad" which also provides a creative space for fintech companies to experiment with technology and ensure adherence to OSC policies.

(e) Amend Legislation

The Committee recommends three main legislative amendments. First, preventing the use of consumer banking data for insurance underwriting purposes, in line with the longstanding restriction in the Bank Act prohibiting banks from engaging in the insurance sector.

Second, ensuring stability of the Canadian banking sector. Given the possibility of massive disruptions to the industry from large tech companies, and the potential for a massive increase in the number of transactions, this legislation would require more risk management standards and resilient funding models.

Third, the Committee recommends implementing consumer protections as needed, such as a requirement for algorithm transparency, and for consumers to have the ability to track their information and delete it when they no longer consent to its transfer.

(f) Ensure Alignment and Accessibility

The Report also provided a number of recommendations focused on alignment and accessibility. Specifically, it was recommended that the Federal Government work collaboratively with the provinces and territories to update and align their respective legislative frameworks to allow for participation across jurisdictions. It was also recommended that the development of an open banking system should be done in coordination with the payments modernization efforts. In addition, to further improve accessibility, the Committee recommends that the Federal Government expand its efforts to improve internet access and capacity in rural or remote communities.

(g) Update PIPEDA

The Report recognizes that the Personal Information Protection and Electronic Documents Act (PIPEDA) needs to be updated to account for the move to a more fluid system of information transfer and to more closely align it with global privacy standards. These recommendations would prioritize consumer protection and may include:

  • Data Portability Rights. Allowing users to direct that their information be transferred upon request. This makes it easier for consumers to change banks, or grant third party providers access to a small amount of information (without needing to give them their username and password);
  • Consent. A requirement of "explicit, meaningful, plain language consent" separate from any service contract, which describes in detail the use of the information and the third parties that will have access to the information;
  • Standards. Evaluating businesses on their internal guidelines, codes of practice, accreditation schemes, and technology standards to establish compliance with privacy and cybersecurity obligations;
  • Enforcement. Enhancement of the Privacy Commissioner's enforcement and oversight powers, including order making powers (in the form of cessation and records preservation orders) and increasing the scope and range of fines; and
  • Reform. Redrafting sections of PIPEDA to clearly set out a consumer's rights with respect to their information.

(h) Establish Oversight

Finally, in conjunction with the above, the Committee recommends that the Privacy Commissioner of Canada, together with the Canadian Commissioner of Competition, act as co-regulatory and enforcement authorities in an open banking system. The Privacy Commissioner would ensure compliance with PIPEDA and respond to privacy related issues, while the Commissioner of Competition would be responsible for ensuring increased and fair competition in the industry.

Conclusion

It is increasingly clear that Canada is moving towards a future with open banking, or at least some form of it. This is in line with the current trend, globally, towards information autonomy.  However, the Committee's short-term and long-term recommendations highlight that there is still much to be done if open banking is to become a reality in Canada. 

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2019