
Creating an open banking framework for Canada: Considerations and implications of key design choices


Executive summary

As the strategic importance of data grows in the digital economy, various models of enabling customers to share their personal data with third-party organizations are proliferating in the financial services industry. Building on the principles of customer control and portability of their personal data, many global or industry-led open banking data access models have emerged over the past five years to address the shortcomings of current data access models and accelerate data-driven innovations.

Enabling customers to share their personal financial data with trusted third parties has a potential to deliver improvements and new value in financial services—from digital advice to financial automation to new products. However, widening access to the sensitive data without proper safeguards can also introduce new risks to the financial system, eroding the new value generated.

Canada is renowned for its ability to uphold financial safety and stability. As the initial discussions on open banking progress over the next few years, Canada has a unique opportunity to design a third-party data access model that delivers ultimate value to customers by balancing innovation and competition with preservation of systemic resilience.

To do so, Canada must contemplate on the ultimate objectives of open banking and reflect them, as well as unique characteristics of the Canadian financial services landscape, to the design of the data access framework. In particular, throughout this design process, stakeholders will have to find answers to three key questions:

1. Scope: What type of data and which institutions should be part of the framework?

2. Standardization: How centralized and standardized should governance, data sharing, and authentication be?

3. Commercial and liability model: How should interactions between data generators and data consumers be structured?

This paper is designed to help stakeholders consider the implications of these choices by analyzing decisions made by other jurisdictions, enabling them to establish an open banking framework that works for Canada. It is our belief that by effectively framing the dialogue—and learning from the experiences of other jurisdictions—Canada not only has the ability to embrace the benefits of open banking, but establish a blueprint for a truly digital economy as well.

Introduction

What is open banking?

Open banking is a global movement that promotes a customer’s right to share financial information with third parties.

While many global jurisdictions have legislated open banking policies, open banking is broader than just policy—it’s a movement comprised of technical, competitive, and regulatory shifts to help customers regain control of their own data and make it more portable between institutions.

Open banking policies in some jurisdictions dictate openness in both data access and payment initiation activities. In this paper, we focus primarily on laying out Canadian considerations for data access or the “account information” portion of open banking policies rather than payment initiation.


Driving forces of the open banking movement

The rise of the fourth industrial revolution has been marked by the emergence of companies that leverage data to deliver value. The rising importance of data has bolstered the value customers, businesses, and governments assign to data and in turn has sparked deeper contemplation on who ultimately has the right to control it. As a result, many now believe customers have a right to control their personal data that is held by various organizations—including being able to share it with third parties of their desire. This philosophy is deeply embedded in the modernization of privacy laws, such as the General Data Protection Regulation (GDPR) in the EU and proposed changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) by the House of Commons in Canada.

It is not a coincidence that various models of data sharing have emerged over the past two decades in the financial services industry, which generate and process a vast amount of personal data, to meet growing customer demand for data sharing. However, many of these practices have inherent shortcomings that present trade-offs across security, interoperability, and accessibility. Over the past few years, regional efforts to create a harmonized approach to enable data sharing while addressing these challenges have resulted in both regulatory actions and industry-driven collaborations in various jurisdictions around the world—efforts that Canada can learn from.

This paper aims to discuss the key choices that define an open banking framework and their downstream implications, independent of whether the framework is driven by a policy or by the market participants.


Current data-sharing methods in financial services

A variety of mechanisms are used today to facilitate the sharing of customers’ financial data, such as CSV downloads, extract transform load (i.e., “screen scraping”), and bilateral data-sharing partnerships. To develop an effective open banking framework, it is therefore important to first understand the movement as the evolution of these data-sharing models.

CSV
From the onset of , most financial institutions offered customers the opportunity to download their transaction data through online portals in a commonly analyzable CSV file format that can be shared with other providers. However, this method comes with its fair share of challenges—most notably, it is often cumbersome for customers, not ideal for repeated data sharing, inconsistent across institutions, and often limited to transaction data. Most importantly, this method of data sharing lacks security measures to protect the data, creating opportunities for data manipulation.

Extract transform load (ETL)
Often called “screen scraping”, ETL practices were first developed to address customer pain points associated with CSV file sharing. ETL providers enable a customer-approved third party to use users’ online banking credentials to log into financial institutions’ online portals and “scrape” or extract the data from the portals. These providers then reconcile, enrich, and transform the extracted data and load the newly formatted information into the third party’s database.

In many financial markets, particularly in the US, the growth of ETL has fueled many early innovative use cases of data sharing—from the evolution of personal financial managers to enriched accounting dashboards for small businesses. While this method reduces customer friction, it introduces many additional security concerns, including those related to the storage of customers’ online banking credentials, lack of ability to enforce informed consent, unclear liability responsibilities, and storage of data gathered by ETL providers. Because of these risks, many financial institutions are putting temporary measures into place to block ETL access, resulting in issues around data availability and increased costs to maintain connectivity. In fact, these risks are so great that ETL is being banned in some existing open banking markets—but only for the institutions and types of data subject to open banking.

Bilateral data sharing
To address security and operational concerns with screen scraping, many global financial institutions have formed more controlled one-to-one data-sharing partnerships, either directly with third-party providers or with ETL providers. In most cases, these partnerships replace unsecure credential capture and online platform access with API-based authentication and data sharing supported by formalized commercial and liability terms. However, because they are mostly conducted on a one-to-one basis, these closed data-sharing partnerships are not scalable and are often limited to the largest data consuming organizations, such as digital accounting platforms.

The next phase of data sharing
The development of a harmonized and agreed-upon open banking framework enhances the process of data sharing in a number of ways:

• Increased interoperability: Driven by the widespread adoption of standardized data-sharing protocols and guidelines, open banking makes it easier for third parties to access customer data and deliver more value to customers.

• Greater reliability and security: Open banking provides a safer and more stable alternative to current data-sharing practices.

• Clearly defined standards on issues such as liability: Open banking has the potential to increase confidence and participation in the data-sharing ecosystem—both on the part of customers (concerned about the misuse of their data) and financial institutions (concerned about new liabilities and reputational risks posed by third parties).

• Improved accessibility: Open banking materially reduces the cost of data sharing among financial services organizations through the establishment of open APIs and the transfer of data control to the customer.

In designing the open banking framework for Canada, it is important to note that open, harmonized data sharing exists within an evolutionary spectrum along with these other methods of sharing data. Even with the introduction of Open Banking, these methods of data sharing will continue to exist to fill in the gaps.
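As an added illustration (not part of this paper, and not taken from any open banking standard or institution), the following Python sketch makes concrete the contrast drawn above between screen scraping and API-based access: with a shared banking password, the third party can do anything the customer can, for as long as the password works, and the institution has no record of what was consented to; with API-based access, the data holder can check an explicit, scoped, time-limited consent on every request and the customer can withdraw it. The consent store, account identifiers, scope names, ledger entries and timestamps are constructed for the example.

```python
# Added example, not from the paper or from any real open banking API.
# It shows what a data holder can enforce when access rides on an explicit
# customer consent instead of a shared online banking password: which third
# party, which accounts, which kind of data, how far back, and until when.
# All identifiers and records below are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

DAY = 86_400  # seconds


@dataclass
class Consent:
    consent_id: str
    customer_id: str
    third_party_id: str          # the data recipient the customer approved
    scopes: FrozenSet[str]       # what may be read, e.g. "transactions:read"
    account_ids: FrozenSet[str]  # which accounts the customer chose to share
    history_days: int            # how far back data may be fetched
    expires_at: int              # unix time after which the consent is dead
    revoked: bool = False        # customer withdrew consent early


# Constructed consent store: customer cust-42 shared one of two accounts
# with a budgeting app, read-only, 90 days of history, until expires_at.
CONSENTS = {
    "cns-1": Consent(
        "cns-1", "cust-42", "tp-budget",
        frozenset({"accounts:read", "transactions:read"}),
        frozenset({"acc-chq"}), 90, 1_701_000_000,
    ),
}

# Constructed ledger for two accounts; timestamps are unix seconds.
TRANSACTIONS = [
    {"account_id": "acc-chq", "ts": 1_699_000_000, "amount": -42.10, "desc": "grocery"},
    {"account_id": "acc-chq", "ts": 1_695_000_000, "amount": 2500.00, "desc": "payroll"},
    {"account_id": "acc-chq", "ts": 1_680_000_000, "amount": -12.00, "desc": "old coffee"},
    {"account_id": "acc-sav", "ts": 1_699_500_000, "amount": 300.00, "desc": "transfer in"},
]


def authorize(consent_id: str, third_party_id: str, scope: str,
              account_id: str, now: int) -> Tuple[bool, str]:
    """Decide one request against the stored consent. Each denial names its
    reason so the data holder can log it and the customer can see why access
    stopped; a shared password offers none of these decision points."""
    consent = CONSENTS.get(consent_id)
    if consent is None:
        return False, "unknown consent"
    if consent.third_party_id != third_party_id:
        return False, "consent belongs to a different third party"
    if consent.revoked:
        return False, "consent revoked by customer"
    if now >= consent.expires_at:
        return False, "consent expired"
    if scope not in consent.scopes:
        return False, f"scope {scope} not granted"
    if account_id not in consent.account_ids:
        return False, f"account {account_id} not shared"
    return True, "ok"


def fetch_transactions(consent_id: str, third_party_id: str,
                       account_id: str, now: int) -> List[dict]:
    """Account-information call: returns only what the consent permits, and
    only as far back as the customer agreed (the paper's 'how far back' question)."""
    ok, reason = authorize(consent_id, third_party_id, "transactions:read", account_id, now)
    if not ok:
        raise PermissionError(reason)
    consent = CONSENTS[consent_id]
    cutoff = now - consent.history_days * DAY
    return [t for t in TRANSACTIONS
            if t["account_id"] == account_id and t["ts"] >= cutoff]


def revoke(consent_id: str) -> None:
    """Customer-side withdrawal: takes effect on the next request, unlike a
    shared password, which keeps working until the customer changes it."""
    CONSENTS[consent_id].revoked = True
```

The checks are deliberately ordered from "is this consent real" to "is this specific account in scope", so that the reason returned never reveals more than the caller is entitled to learn; a payment-initiation scope, which this paper leaves out of its focus, would simply be another entry in `scopes` that this read-only consent does not grant.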


Open data and the future of financial services

By offering broader access to customer data, open banking not only has the potential to create a more competitive and innovative financial services industry, but, combined with other industry shifts, like streamlined payments infrastructure, artificial intelligence (AI), and an influx of non-traditional players, it has the potential to make broader shifts to the economy as a whole. Below are just a few ways open banking could change the face of the Canadian financial sector:

Emergence of central interfaces
Today, financial product providers are the controllers of customers’ financial data, largely because these companies own the digital interfaces. For individuals that work with more than one financial institution, this can be inconvenient as it causes fragmented visibility into their financial portfolio. By allowing trusted third parties to gain access to customers’ financial data, open banking enables certain players to act as a central interface by linking information from multiple financial and adjacent product manufacturers. This disaggregation of the financial services value chain could change how Canadians access and manage their financial information. For instance, without today’s existing roadblocks separating financial product distributors from manufacturers, digital personal finance management tools and accounting platforms could enhance the quality and scope of their interfaces.

Intensified product-level competition
The proliferation of central interfaces will allow customers to gain better visibility into alternative financial products, compare them, and switch providers without foregoing the main relationship with the central interface. It will also allow for the needs-based substitution of traditional products, such as replacing long-term deposits with money market funds, for instance.

Proliferation of digital advice
As the central financial interface evolves, the value the interface needs to provide increases to captivate customers. Advances in machine intelligence, faster payment vehicles, and broader access to customer data will allow online financial platforms to offer more than merely an aggregated display of information and instead provide more active digital financial advice. There are signs this is starting to happen. Many personal finance management tools are already moving into subscription management and product comparison, such as Bean in the UK and Clarity Money in the US. As open banking matures, these offerings may further evolve to enable next-best action recommendations and near-total automation of finance management.

Lower barriers to play
The emergence of central interfaces will present unique opportunities for non-traditional players, including retailers, global financial institutions, large technology companies, and fintechs. Without the regulatory burden of providing deposit accounts, these players can more easily participate in the banking value chain and will likely leverage their new market position by becoming central interfaces themselves, relying on a third-party product shelf. As a result, the organizations that will have protected proprietary data—such as retailers with access to transaction information or large technology companies with access to user preference information—may gain an advantage against traditional financial institutions. Others will participate in the market as providers of investment and lending products by working with central interfaces.

Granularized loan adjudication
Increased access to individual, transactional data will allow lenders to better understand customers’ risk profiles at a more granular level. Lenders will be able to augment credit scores with empirical cash flow data to better understand individual customers who do not currently hold relationships with them. Furthermore, lenders will be able to price risks for each individual transaction to reflect its context, from purchase type to total borrowed amount.

Products on top of products
Near-real-time visibility of customers’ financial transactions will also allow for the development of innovative products that can be bought on top of existing products. For instance, digital installment loan products may be bought on top of existing debit and credit cards to provide a more sustainable borrowing option. Similarly, warranty insurance may be bought on top of purchases on third-party cards to provide flexibility.


Open banking and emerging risks

While open banking offers countless opportunities for the financial services industry, it’s clear the subsequent growth of data-sharing practices with third parties will also open our financial system up to a new host of risks. To preserve the safety and soundness of our financial ecosystem, an open banking framework must not only proactively identify these new risks, but take steps to mitigate them.

This will require asking a variety of difficult questions:

New entrants
How will their activities be governed to ensure customer and ecosystem protection and control measures are in place?
Open banking allows “product light” non-traditional participants to enter the financial services value chain without becoming fully licensed or regulated financial institutions.

Privacy
What improvements to privacy measures will be required to properly protect customers’ data?
For open banking to work effectively, customers must not only be educated and informed, but they must also consent to how their data is used. Without the proper mechanisms in place, customers’ private information may be used for purposes that are against their interests.

Recourse
How will the open banking ecosystem be operationalized to effectively deal with liabilities while minimizing customers’ exposure?
A distributed data landscape will make it increasingly difficult to seek recourse following a breach, fraudulent event, or other cybersecurity incident, potentially creating a shortfall in customer support.

Data breaches
How will we ensure the data shared among ecosystem participants remains secure?
As customer data is distributed across a larger number of industry players (with potentially different standards for data security), organizations will become more vulnerable to malicious third parties as well as mistakes, increasing the likelihood of cyberattacks and inadvertent data leaks.

Distribution of costs
How will the open banking system collectively address the efforts associated with open banking to incentivize all parties to proactively participate?
Setting up and operating a more secure data-sharing mechanism will cost both individual institutions and the overall financial system substantial amounts of resources (up to $200M for a leading Australian bank¹). If open banking increases the volume of data-sharing practices by customers as intended, the cost of maintaining the system will also grow. Without fairly distributing these costs, the benefit of open banking might be offset by these added costs passed on to customers.

Fraud
How will we ensure the ecosystem is not exposed to fraudulent third parties?
As the number of interactions increases across ecosystem participants in an open framework, the opportunities for fraudulent third parties to engage in phishing activities and access customers’ personally identifiable information may increase.

A prudent open banking framework will not only recognize these emerging risks, but will also establish a strong supporting regulatory environment to mitigate them—one that includes, among many things, robust financial governance frameworks and privacy regulations. This foundational step is critical because, without carefully managing potential risks associated with open banking, the net benefit of and participation in an open data landscape will diminish.

Considerations for a Canadian open banking framework

Global precedents

Given that countless jurisdictions across the world have already adopted open banking, there are many examples for Canada to pull from when establishing its own framework. That being said, because every country has different banking systems and circumstances, there is far from a standard design; in fact, those that already exist feature a high degree of variation in policy and design choices.


A number of jurisdictions across the globe have begun to implement Open Banking policies, each finding themselves at varying stages of maturity.

UK: CMA
Requires nine identified banks to share banking data and payment initiation through open API standards. Effective January 2018.

EU: PSD2
Requires banks to share banking data and payment initiation, but technology neutral. Effective January 2019.

Japan: Open API
Banks in Japan are required to announce support on open API by March 2018 for deployment by 2020. Third-party service providers are required to register and establish contracts with banks.

Hong Kong: Open API
HKMA issued a consultation paper in January 2018 setting out its intended approach to open APIs as part of the “New Era of Smart Banking.”

Singapore: Open API
As part of building a “Smart Nation”, the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS) issued an Open-API playbook to encourage financial institutions to develop and share their APIs openly.

Australia: Consumer data right
New legislation announced in November 2017 will grant consumers open access to their banking, energy, phone, and internet data. Banking is the first industry that will be subject to this new legislation. Effective 2019.

US
Various discussions among banks, fintechs, intermediaries and regulators taking place to discuss approach for data sharing regime in the US. A number of banks already participate in API regimes (e.g. Plaid) and Citi has created Open API for verified third parties.

Canada
Regulators have begun discussing open banking as part of the 2018 federal budget. An advisory committee on open banking was established in September 2018, and the consultation process began in January 2019 with the release of a consultation paper.

4 global approaches to open banking

America: Laissez-faire approach to regulation; screen-scraping predominant.

Asia: Reliance on institutions to drive open banking innovation; supportive, rules-light regulatory environment.

Europe: Open banking borne out of payments legislation and desire to harmonize legislation.

Australia: Rules-driven approach; banking simply one of a broader push to develop a data economy.


United Kingdom
In the UK, open banking regulation was driven by a policy objective to decrease the market power of the largest banks by increasing the range of service providers in the market. In its 2016 Retail Banking Market Investigation, the Competition and Markets Authority concluded that “older and larger banks do not have to compete hard enough for customers’ business, and smaller and newer banks find it difficult to grow. This means that many people are paying more than they should and are not benefiting from new services.”² As a result, the UK’s open banking framework focuses only on the largest nine banks without any reciprocity.

Australia
In Australia, open banking regulation was adopted in response to growing public scrutiny of large banks, and aims to empower customers with the right to control and benefit from their data. The government’s review into open banking identified it as a useful tool in “providing customers with better access to financial data and reduces the time, cost and inconvenience associated with identifying and selecting financial products and services. When consumers make better choices about how and what to consume, the industry affected is driven to become more efficient and competitive.”³ The movement extends beyond financial services and is part of the country’s broader Customer Data Right ambition to create an open data economy. Over time, this open data regime, similar to open banking, is expected to eventually encompass other industries, starting with telecom and utilities. Because of this vision, Australia’s open banking policy is broad and all encompassing, requiring all deposit-taking institutions—not just banks—to participate, and covering both digital and physical channels, for example.

Japan
In Japan, the open banking movement was driven by a policy objective to promote innovation and modernization in the banking industry as part of the Japanese government’s 2017 Growth Strategy⁴. In Japan, there is a perception among key regulatory and government stakeholders that the nation’s financial services sector is lagging behind other jurisdictions, making it more susceptible to the effects of potential exogenous shocks and affecting its global competitiveness. Furthermore, a heavy reliance on cash payments and historically strict regulatory practices (e.g., limiting banks’ abilities to take sizeable equity stakes in fintechs) have stifled the innovative capacity of the sector. Open banking and the regulatory modernization that will accompany it (including a relaxation of investment limitations with respect to fintechs) are seen as key tools to increase growth, drive competitiveness, and promote innovation.

European Union
In the EU, the objectives of the open banking policy are to better harmonize the fragmented payment sector, modernize the financial sector, and provide customers with alternatives to big banks that were involved in systemic failure. The EU has chosen to take a distinctly activity-based approach to regulation (by regulating payment services as a whole vs. specific types of institutions) and has put particular emphasis on applying consistent technical standards, especially those focused on improving security (e.g., authentication and communication). This focus on regulating activities and promoting technical standardization can be seen as a direct result of the EU’s unique market structure; thousands of payment providers of various sizes and levels of sophistication are domiciled across 28 Member States, each with its own unique regulatory and market context. The key piece of legislation driving the open banking initiative—Payment Services Directive 2, or PSD2—expands the scope of previous legislation to cover a greater breadth of transactions, ensure consistent application across Member States, and provide third-party access to customer payment data. It also broadens the range of eligible payment service providers (thereby encouraging innovation) by easing market entry for new providers, while ensuring consumer protection through improved standards.

United States
In the US, there is no imminent regulatory driver to open banking; however, various market participants—including regulators, trade associations, financial institutions, and data aggregators—are publishing standards and perspectives on a potential data-sharing model across the industry. For instance, the Consumer Financial Protection Bureau (CFPB), a consumer protection watchdog for the financial industry, has published a set of non-binding principles focused on financial data sharing and aggregation, while the National Automated Clearing House Association (NACHA), a financial industry association, has convened an API Standardization Industry Group to develop consistent API standards for the financial services sector. A number of prominent fintechs (including Betterment and Kabbage) have also joined forces to create a lobbying group, the Consumer Financial Data Rights group, to promote the sharing of consumer financial data with third parties.

Singapore
The Monetary Authority of Singapore (MAS), the city-state’s central bank and a highly progressive advocate of innovation in financial services, has cultivated a robust open banking ecosystem without developing mandatory legislation governing third-party data access. In part, this is due to Singapore’s unique market conditions. Strong competition in the banking sector has seen the nation’s largest financial institutions, including DBS and OCBC Bank, take a proactive approach to innovation and be among the first to experiment with Open API technology. Indeed, today they are global leaders in terms of data sharing; DBS, for instance, provides developer access to over 200 APIs, covering products and services such as payment cards, rewards, and loans. The MAS also maintains a strong and highly collaborative relationship with Singaporean banks, which lessens the need for prescriptive legislation to achieve certain market outcomes. An example of this collaboration, as well as the central bank’s progressive outlook on the banking industry, is Singapore’s API Playbook, which was developed jointly between the MAS and the Association of Banks in Singapore. The Playbook contains over 400 recommended APIs for banks to develop, stretching far beyond the scope of open banking (i.e., third-party data access) to cover all aspects of the banking value chain, from front end to back end.


The Canadian context

A Canadian open banking framework should be purposefully designed based on Canada’s unique characteristics. Specifically, it should consider:

• A sound financial services system that has not experienced systemic failure or relied on public funding.

• A bifurcated regulatory landscape where federal and provincial bodies govern different entities, but with a manageable number of institutions. This creates complexity in developing standardized approaches and governing open banking participants (compared to jurisdictions with central oversight).

• Lack of governance for non-traditional entities that do not fit into existing definitions of “financial institutions”, which may expose customers to new sources of risk without protection, or expose the financial services ecosystem to foreign institutions.

• Ongoing efforts to strengthen Canadian privacy legislation through proposed amendments to the PIPEDA, which would act as guardrails for an open banking framework on the permitted usage, data management, and disclosure requirements.

• Ongoing payments modernization efforts to enhance Canadian payments infrastructure, which may help facilitate the building of an open banking framework (e.g., third-party payment initiation).

As a result of these unique circumstances, open banking in Canada should:

Focus on delivering value to Canadians
Open banking presents an opportunity to develop a governance framework for non-traditional financial services providers (in conjunction with other concurrent efforts in Canada) and to spur innovation.

Increase transparency and customer control of data
Open banking should be a broad, industry-agnostic movement that focuses on placing the control of data back in the hands of customers.

Mitigate data-sharing risks
Current financial data-sharing methods threaten the safety and stability of the financial services system by requiring customers to share their banking credentials with third parties.

Preserve our stable financial services system
Punitive intent against specific institutions should not be a key objective of open banking.

These unique objectives indicate that the design of an open banking framework in Canada should differ from those observed in other geographies. While certain elements may be transferable, Canada should strive to develop an open banking infrastructure from the ground up, with the country’s specific circumstances in mind.


Design principles for an open banking framework

In its 2018 budget, the federal government said it would review the merits of open banking to assess whether the movement would deliver “positive results” for Canadians. But what are “positive results”? The answer to this question is two-fold.

On the one hand, a successful open banking framework should support the continued evolution of innovation within the financial services ecosystem. On the other, open banking should continue to protect, maintain, and bolster the safety and soundness of Canada’s renowned financial system.

To generate these types of results, Canada must focus on several key guiding principles when designing its open banking system:

1. Value: Focus on delivering true value to Canadians without placing undue burdens on any participant (e.g., of cost, risk exposure).

2. Transparency: Ensure customers are fully informed of their rights and responsibilities regarding the transfer, possession, and use of their data.

3. Safety: Balance customer convenience with safety and security.

4. Adoption: Balance the net cost to the economy, participation, and speed to market with the scope of products and/or data.

While there are countless factors to keep in mind as we move forward with an open banking framework in Canada, these four guiding principles should be the cornerstone on which all decisions are based.

An open banking framework for Canada

Framework overview

To build an effective Canadian open banking framework, stakeholders must consider the choices and outcomes observed in other jurisdictions and weigh them against Canada’s unique context.

The design of open banking can be categorized into three key decision areas:

An open banking framework for Canada:

1. Scope of open banking
2. Standards
3. Commercial and liability model


1. Scope of open banking

The choices made by other jurisdictions around the scope of open banking help define the types of accounts and entities from which open banking will mandate data access, how this access might change over time, and methods by which this data can be accessed.

While building an open banking framework, Canada should answer these questions:

• What products should be covered?
• Should “offline” accounts be covered?
• Which types of users should be covered?
• Which types of data should be included?
• How far back should data be made available?
• Who should be required to open access to their data?
• How should the rollout work?
• Which types of data recipients will be allowed?
• What access rights should data recipients have?

What products should be covered?

Choices made by other jurisdictions: None | Transaction accounts | Savings/lending products | Broader financial products

One of the first steps in establishing an open banking framework is to determine the types of financial products it should encompass. To date, most open banking systems focus on three core areas:

1. Transaction accounts. Examples: debit, credit, savings. Impact of open banking: allow for more personal financial management and adjudication use cases.
2. Savings/lending products. Examples: GICs, TFSAs, mortgages, LOCs. Impact of open banking: allow for seamless product switching and comparison use cases.
3. Broader financial products. Examples: wealth and insurance products. Impact of open banking: allow for more holistic financial management use cases.

Ideally, open banking has the potential to both increase the breadth of products available in the marketplace and generate a broader scope of use cases. That being said, achieving this end goal is not without its challenges, and the products Canada chooses to include in its framework will require careful consideration. For instance, certain financial products—such as wealth and insurance products—will inevitably create additional burdens for data generators as they strive to make data available to third parties. Unlike transaction accounts, which are updated on a continuous basis, these products may not be fully digitized, or may require new forms of online access. This could result in expensive and time-consuming system restructuring.

A Canadian open banking framework must have a clearly defined scope. This means stakeholders will have to decide whether to regulate functions on a product-based approach (which defines specific types of accounts in and out of scope) or an activity-based approach (which defines specific actions that are in and out of scope). An activity-based approach has the benefit of more fairly requiring participation from institutions, but it needs to be clearly defined if regulators hope to prevent confusion around which institutions are in scope and which are not.

Of those jurisdictions that have already adopted open banking, the UK and Australia have taken an account-based approach, while the EU defines its scope on an activity basis (e.g., “all online payment accounts”). Like the UK and Australia, the EU’s definition includes chequing accounts, credit cards, etc., but also may include other comparable accounts such as online wallets (e.g., PayPal).


Should “offline” accounts be covered?

Choices made by other jurisdictions: None | Online accounts only | Online and offline accounts

Should a Canadian open banking framework only include online financial products, or should “offline” accounts also be in scope? To find the answer to this question, we must look at two key factors:

1. Scope of customers: As of 2016, 90 percent of Canadians had regular access to the internet, and 80 percent used some form of online banking—a number that is expected to increase over time.[5] This means that, since open banking will most likely be delivered through digital means, the majority of Canadians will have access to it, but not all. By ignoring those customers without online banking access, open banking would inevitably be excluding society’s most vulnerable, most notably, the elderly and low-income Canadians.

2. Scope of work: For offline products to work with open banking, institutions would have to make existing data available digitally—an effort that would not only require the building of digital processes, but also the onboarding of customers to an online platform to simplify authentication. While this would ensure all Canadians had access to open banking, it would inevitably increase the cost and complexity of implementation, resulting in a longer timeline to launch.

Developing a deeper understanding of how many Canadians would be involuntarily excluded from open banking if non-digital data is excluded from the scope, as well as the unique needs of those Canadians, is crucial to understanding if the additional complexity and cost to financial institutions is justified.

Personal versus commercial: Which types of users should be covered?

Choices made by other jurisdictions: None | Personal only | Personal and SME | Personal and commercial (with commercial opt-out clause) | Personal and commercial

For each type of user, there exists a tradeoff between implementation cost and complexity, and value to consumers. Currently, different users are afforded different levels of service: retail (i.e., personal) account holders receive largely off-the-shelf products and services, while large corporate account holders already enjoy some of the benefits that new solutions under open banking would support (e.g., individualized cash flow management and advice). Those customers using small business banking accounts (small-to-medium sized enterprises, or SMEs), on the other hand, receive a mix of off-the-shelf and easily customized offerings, as befits their position between retail and large corporate customers.

Also, different types of user accounts have different levels of digital access and integration (i.e., API-led or bespoke integrations). Personal accounts have largely been digitized around the world, and customers can usually view most-to-all of their accounts and products at one institution through a single web or mobile portal, making opening up access to that data through APIs relatively straightforward. However, for corporate accounts, the degree to which banks have built single points of access for a firm’s products and funds is highly variable. Because of this, applying open banking to the breadth of a firm’s corporate accounts may be a technological challenge as well as a regulatory one.

From a global perspective, the vast majority of open banking initiatives and regulations have been focused on retail and SME use cases. This is primarily because technical implementation for these users is often easier and democratizing data for retail customers is more closely aligned with most countries’ catalysts for open banking. However, Australia has included a provision in its open banking framework to open it up to all accounts—including commercial—although the details have yet to be finalized by the Australia Competition and Consumer Commission (ACCC).


Which types of data should be included?

Choices made by other jurisdictions: Public data | Customer-generated data | Balance data | Transaction data | Identity verification data | Aggregated data

Based on a review of the total scope of data access in other jurisdictions, a number of types of data can be identified:

• Public data: Information that is readily accessible online and can be freely used, reused, and redistributed by any entity (e.g., customer reviews and publicly available product information). In Canada, much of this information is already accessible through other data-sharing ecosystems (e.g., Google, Yelp, and Foursquare APIs).

• Customer-generated data: Personal and financial information provided directly by the customer to a financial services entity (e.g., personal address and contact information).

• Balance data: Information pertaining to the amount of money in a deposit-based account held by the customer at any given time (e.g., e-wallet account balance).

• Transaction data: Information that is generated through transaction activity on a customer’s account (e.g., withdrawals, transfers, and deposits). In conjunction with customer data and balance data, transaction data facilitates the bulk of open banking use cases.

• Identity verification results: Confirmation of a customer’s identity through a validation process using personal and financial information (e.g., KYC verification results). In Canada, there are other digital identity solutions currently in development (e.g., Verified.me).

• Aggregated data: The compilation of information across multiple customers that may be de-identified and/or summarized (e.g., average account balances across an age band or postal code). This would enable a variety of new use cases (e.g., “people-like-me” comparisons), but would require significant additional effort from data generators.

From a data-sharing perspective, customer-generated data, balance data, and transaction data would fall under customer data.

The inclusion of public data, identity verification, and aggregated data would promote competition in the market, but the additional complexity and potential liabilities involved in sharing them, while also protecting competitive insights that could be extracted from that data, should be carefully considered.

It is also important to note that the open banking frameworks in other jurisdictions allow institutions to enter private commercial agreements to make data excluded from the scope of open banking policies available to third parties.

How far back should data be made available?

Choices made by other jurisdictions: No specific historical data requirements | Rolling historical data requirements | Initiation date requirement (note: varies by data type)

Different jurisdictions have taken different approaches to historical data requirements imposed on data generators. One approach is to mandate an “initiation date” (i.e., the date from which data must be made available upon the public launch of the open banking framework), while another is imposing a “rolling requirement” (i.e., the amount of historical data (in months/years) that should be provided from the date of a data request). Some jurisdictions, like the UK, have also made different decisions based on the type of data (e.g., aggregated data are shared on a 25-month rolling basis, while transaction data have an initiation-date requirement).

When establishing its own rules surrounding this issue, Canada must recognize the tradeoff between the value delivered to Canadians and the burden imposed on data generators. For instance, while longer-term historical data may offer invaluable trends-based spending and savings advice for consumers, many institutions may have a limited amount of data available in their existing digital datasets.


Who should be required to open access to their data?

Choices made by other jurisdictions: None | All financial institutions | All deposit-taking institutions | All entities offering online payment accounts | Selected banks

The requirement to open access to data can be institution based (i.e., all financial institutions with a certain classification, such as Schedule I and Schedule II banks), or activity based (i.e., all financial institutions that provide Canadians with the functions discussed on page 27).

An activity-based approach would ensure the framework is flexible enough to adapt to new types of non-traditional institutions that may emerge over time, and may foster a more level playing field where all players offering competing products and services are required to make data available regardless of their legal classification. However, it creates a more nebulous governance environment, as lines between institutions in scope and out of scope blur (e.g., would PayPal’s online wallet be considered a “deposit account”?). Furthermore, the current financial regulatory systems in Canada are institution-based, meaning activity-based requirements would necessitate either a change in a current regulatory body’s scope or a new regulatory body.

It is also important to consider whether an open banking framework would act as a stand-alone framework within financial services or exist as part of a broader open data framework across industries. In the case of the latter, the concept of data reciprocity could be used to enable other organizations to participate in the open data system.

Australia is actively exploring the concept of reciprocity, whereby data recipients who hold “equivalent data” to the financial data being shared with them by data holders (this term has yet to be fully defined by Australia’s Competition and Consumer Commission) would be required to share these data with data holders at the request of a consumer. It is important to note that reciprocity is being explored for the purposes of improving data accessibility (as opposed to strictly increasing data access) and is based on the principle of explicit consumer consent. Under a proposed reciprocity framework, data holders would not be allowed to request data from data recipients unilaterally; they could only do so in situations where consumers have requested data recipients to share their “equivalent data.”

How should the rollout work?

Choices made by other jurisdictions: No staged rollout | Staged by entity type | Staged by entity and product type

Beyond account coverages, different jurisdictions have also rolled out open banking regulations in different ways. To determine what will work best in Canada, stakeholders must ask two key questions:

1. How much time will data generators need to comply with the technical standards behind open banking?

Regulators must strike the right balance between launching open banking in a timely fashion and making sure institutions have enough time to comply, so as to avoid jeopardizing the safety of user data. Regulators must also be aware that, in markets where some form of open banking has already been deployed, uneven and/or non-customer-friendly compliance risks expose the customer to less-than-optimal solutions, which may turn away the very customers that would otherwise be enthusiastic first adopters.

2. When the proverbial switch is flipped on, should there be different timelines for different entities?

It should be noted that several jurisdictions (such as the UK and Australia) have made the conscious decision to impose open banking on large, incumbent banks before other types of financial institutions, essentially “staging” the deployment of open banking. This is partially to allow the framework to evolve safely—without exposing the financial services ecosystem to undue risk presented by smaller financial institutions with limited IT resources—and partially to allow the punitive intent behind open banking to play out. In these cases, open banking was introduced, in part, to increase competition against large, incumbent banks. Australia has also made the conscious decision to stage the deployment of open banking by product type, with data on basic transaction accounts being made available first, followed by more complex products (e.g., mortgages). The EU, on the other hand, did not have this original mandate and, as a result, opted to open banking data to all accredited parties simultaneously. Canada will need to carefully weigh the merits of both options, as well as the reasons behind open banking deployment, before coming to a decision.


Which types of data recipients will be allowed?

Choices made by other jurisdictions: None | Data consumers only | Data consumers and data transporters

One thing that seems to be consistent across all jurisdictions is that only entities that meet their central governing body’s risk-based, tiered accreditation criteria are granted access to customer data (details on accreditation criteria are outlined on page 51).

In addition, there are only two types of data recipients: data consumers and data transporters. Data consumers are end users of customers’ financial data (e.g., fintechs and other third-party providers) while data transporters are intermediaries that facilitate the flow of data to data consumers. The key difference between the two is that the latter does not create value from the storage of data.

While data consumers are a prerequisite for open banking, data transporters are not necessarily required. This is because they tend to introduce significant risk to the ecosystem by acting as a central source of large volumes of data, making it possible for a single breach to threaten countless data generators and customers. However, these players also provide value to the ecosystem by creating interoperability between financial institutions, as well as across geographies where differing open banking systems have already been implemented. In most jurisdictions, there is no regulatory distinction between data consumers and data transporters. Transporters are thus required to be accredited based on the same criteria as consumers (e.g., in the UK, data transporters must be accredited AISPs).

Ultimately, the value of data transporters is dependent on the level of standardization of the data transfer mechanisms employed by the various data generators in scope. This is explored in greater detail on page 39.

Canadian market factor: Governance of non-traditional payment service providers (PSPs)

Existing payments regulation in Canada is heavily focused on governing systemically important and prominent national payment systems, such as LVTS and ACSS, leaving non-traditional PSPs relatively free of regulatory oversight.

The Retail Payments Oversight Framework (RPOF) is an effort to ensure non-traditional PSPs are governed effectively, thereby preserving the safety and soundness of the Canadian payments ecosystem, fostering efficiency and innovation within payments, and protecting end-user interests.

Open banking’s accreditation process is likely to involve many of these same players, so it is important that the RPOF and open banking regime are coordinated. This would help prevent the creation of conflicting and overlapping legislation and optimize the allocation of resources and responsibilities across regulatory bodies.


What access rights should data recipients have?

Choices made by other jurisdictions: Read access | Read and write access

Another thing Canadians will have to consider when building their open banking framework is how data recipients will ultimately access customers’ data. Based on existing open banking systems, there are essentially two ways to access data:

• Read access, which allows data recipients to obtain copies of customers’ financial data and use it for such activities as data aggregation; or

• Write access, which allows data recipients to make modifications to customers’ financial data held by other institutions.

Write access would allow data recipients to act on behalf of the customer in areas such as payment initiation, account opening/closing, and changes to information (e.g., change of address). While this would obviously present many opportunities for financial institutions, it would also introduce new complexities—particularly in the realm of security. Because data recipients would be able to make changes to customers’ accounts and move money on their behalf, institutions would have to take tremendous steps to mitigate the risk of a data breach. Data generators would have to build complex systems to ensure customers’ information was safe—a process that would require significant time to implement.

The Retail Payments Oversight Framework and payment modernization initiatives have already taken some steps in addressing the challenges related to write access. To avoid duplication of efforts or contradictory guidance, the scope of an open banking framework should take these initiatives into account.

Canadian market factor: Canadian payments modernization

As the industry contemplates open banking, Payments Canada is also taking steps to reshape Canada’s banking sector through the modernization of Canada’s two primary payments systems, the Large-Value Transfer System (LVTS) and the Automated Clearing Settlement System (ACSS). LVTS will be replaced by Lynx, a high-value payments system that will process payments in real-time with settlement finality. ACSS will be replaced by the Real-Time Rail (RTR) system and the Settlement Optimization Engine (SOE) system.

RTR will facilitate the transfer of low-value funds in real time and will further support the development of overlay services (i.e., value-adding services owned by third parties and deployed on RTR infrastructure), ultimately spurring payment innovations. SOE will enhance the clearing of less time-sensitive batch paper and electronic payments, enabling faster and more convenient payments for businesses in Canada. Through this modernization effort—as well as the Retail Payments Oversight Framework (detailed on page 35)—third-party payment initiation will likely be addressed outside of an open banking framework.

Another key element of the modernization effort is the adoption of the ISO 20022 standard, which will enrich the data transmitted with payments. In designing open banking, the interplay between its scope and the additional data gathered through the ISO standard will need to be carefully examined.

In addition, as Canada prepares for the introduction of RTR, it would be prudent to consider how the risks associated with screen scraping practices are mitigated in advance to reduce vulnerabilities for fraud (e.g., credential sharing).


2. Standards

The choices made by other jurisdictions around the level of standardization help define how prescriptive and centralized technical standards (if any) will be, and how overall system oversight will be structured.

While building an open banking framework, Canada should answer these questions:

• How should data-sharing standards be developed?
• How should consent and authentication be managed?
• How should system oversight be structured?
• Who should participate in oversight?

How should data-sharing standards be developed?

Choices made by other jurisdictions: Centrally-defined standards | Generator-led standards

The approach to data-sharing standardization represents a delicate balance between promoting competition among new entrants and existing players, and ensuring overall financial system security as well as operational integrity. Here, regulators have two main choices:

1. Centrally defined standards: Regulators can develop highly prescriptive technical standards that mandate specific technologies and processes for data sharing, while strictly enforcing compliance;

2. Generator-led standards: Regulators can define broad, high-level data-sharing policies, while allowing financial institutions and third parties to independently develop standards, technologies, and processes to abide by them.

While developing prescriptive data-sharing standards would promote greater system security, increase interoperability among players, and drive down development and integration costs, strict standards could put undue compliance burden on some players (both financial institutions and third parties alike) who may not have the resources to develop against them. Furthermore, they could hinder the ecosystem’s ability to quickly adopt new and more effective data-sharing technologies, as this would require significant re-writing of standards documents.

On the other hand, developing broad data-sharing policies (e.g., a code of conduct) while leaving the creation of standards, technologies, and processes to industry players would allow for greater overall flexibility and responsiveness to change, and may quicken the pace of open banking adoption. Furthermore, it ensures that the data-sharing approach is informed by deep industry expertise. However, this could lead to the emergence of multiple competing standards that compromise interoperability and system security, as well as increase development and integration costs for all players (who may have to develop multiple data-sharing processes to integrate with different partners).

In order to balance the promotion of competition and innovation with system security and integrity, the Canadian open banking movement should consider a hybrid approach. This would mean developing certain centrally mandated minimum data-sharing criteria (to ensure baseline interoperability and protect customer data), but leaving the majority of design choices to the discretion of individual players and/or industry consortia.


How should consent and authentication be managed?

Authentication. Choices made by other jurisdictions: None | Generator manages authentication session | Both generator and consumer can manage authentication session | Consumer manages authentication session

Consent. Choices made by other jurisdictions: None | Generator seeks user consent | Both generator and consumer seek user consent separately | Consumer seeks user consent

A successful model for data sharing should include secure and user-friendly processes for both customer authentication and consent.

When it comes to managing customer authentication, there are essentially two options: place the responsibility in the hands of the data generator or the data consumer. Managing authentication through the data consumer may lead to a smoother user experience, since login would be completely integrated into third parties’ interfaces and match their user experience design. That said, it may also expose customers to additional risk, since their banking credentials would be shared with each third party they choose to use. Furthermore, requiring data recipients to develop secure authentication processes could act as a barrier to entry for smaller third parties, as such an endeavour will inevitably be a complex and time-consuming process.

If authentication is assumed to be conducted by the data generator, there are three possible models:

• Embedded: At the time of authentication, the customer enters their banking credentials into a “widget” hosted and operated by the data generator that is embedded directly into a third-party interface;

• Redirect-based: At the time of authentication on a third-party platform, the customer is redirected to their data generator’s website (i.e., online banking portal) where they enter their credentials and, after authentication, are redirected back to the data recipient; or

• Decoupled: At the time of authentication, the customer is asked to navigate to the data generator’s online portal. After authenticating, the customer retrieves a code and manually copies and pastes it into the third-party website.

Each of these methods offers its own balance between user experience and security. While the embedded workflow is convenient for customers, it increases the risk of phishing. The redirect-based flow is the most common among internet services (e.g., Facebook) and customers are largely familiar with the process. The decoupled flow is less commonly used, as it requires manual effort from customers that creates additional friction and may hinder the pace of adoption. However, it is less susceptible to phishing attacks than the other two models.

Phishing

Phishing is a type of socially engineered fraud where bad actors attempt to obtain sensitive information for malicious purposes using deceptive means. For example, a bad actor may set up a fake third-party website that redirects a customer to a page disguised as their bank’s interface, stealing their credentials, other personal information and, ultimately, their money.

The elements of authentication

Authentication can rely on a combination of evidence:

• Knowledge (e.g., password)
• Possession (e.g., key, mobile phone)
• Inherence (e.g., fingerprint)

Requiring more than one form of evidence is known as “multi-factor authentication” and increases the safety of the authentication flow at the cost of user experience (e.g., by requiring customers to receive a code on their mobile device and input it into the system). Precedents set by other jurisdictions suggest that requiring more than one form of evidence is prudent.
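As an added illustration (not code from the report, nor from any open banking standard), the following Python simulation walks through the redirect-based model above with the data generator running a two-factor check (knowledge plus possession). The point it makes concrete is the one the text draws between generator-managed and consumer-managed authentication: the data recipient only ever holds an unguessable state value, a single-use authorization code and the resulting access token, never the customer's banking credentials. The bank, the recipient, the user and the device secret are constructed for the example, and the password hashing and one-time-code derivation are simplified stand-ins for what a production system would use.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def otp_for(secret: bytes, counter: int) -> str:
    """Possession factor: a one-time code derived from a secret held on the
    customer's device (HMAC over a counter, simplified for the example)."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def password_hash(password: str) -> str:
    # Illustration only: a real data generator would use a slow, salted
    # password hash (Argon2, bcrypt or scrypt), not a bare SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class DataGenerator:
    """The bank: owns the credentials and runs the whole authentication session."""
    users: dict                                   # username -> (pw_hash, otp_secret)
    pending: dict = field(default_factory=dict)   # auth code -> (user, recipient, scope)
    tokens: dict = field(default_factory=dict)    # access token -> (user, scope)

    def login(self, username, password, otp, counter, recipient_id, scope):
        """Knowledge + possession check; on success returns a one-time auth code."""
        pw_hash, otp_secret = self.users[username]
        pw_ok = hmac.compare_digest(password_hash(password), pw_hash)
        otp_ok = hmac.compare_digest(otp_for(otp_secret, counter), otp)
        if not (pw_ok and otp_ok):
            raise PermissionError("authentication failed")
        code = secrets.token_urlsafe(16)
        self.pending[code] = (username, recipient_id, scope)
        return code

    def exchange(self, code, recipient_id):
        """Back-channel exchange: the code is single-use and bound to one recipient."""
        entry = self.pending.pop(code, None)
        if entry is None or entry[1] != recipient_id:
            raise PermissionError("unknown, reused or mis-bound authorization code")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = (entry[0], entry[2])
        return token


@dataclass
class DataRecipient:
    """The third party: handles only the state value, the code and the token."""
    recipient_id: str
    bank: DataGenerator
    states: set = field(default_factory=set)

    def start(self):
        # An unguessable state ties the returning redirect to the session that began it
        state = secrets.token_urlsafe(16)
        self.states.add(state)
        return {"redirect_to": "bank/login", "state": state, "scope": "accounts.read"}

    def callback(self, state, code):
        if state not in self.states:
            raise PermissionError("callback state does not match any open session")
        self.states.discard(state)
        return self.bank.exchange(code, self.recipient_id)


def run_flow():
    """Walk the redirect flow once and record the outcomes (all data constructed)."""
    secret = b"constructed-device-secret"
    bank = DataGenerator({"alice": (password_hash("correct horse"), secret)})
    app = DataRecipient("budget-app", bank)

    req = app.start()
    # The customer authenticates at the bank, not inside the third party's interface
    good_otp = otp_for(secret, 7)
    code = bank.login("alice", "correct horse", good_otp, 7, app.recipient_id, req["scope"])
    token = app.callback(req["state"], code)
    results = {"token_scope": bank.tokens[token][1]}

    checks = {  # each of these must be refused by the flow
        "forged_state_rejected": lambda: app.callback("forged-state", code),
        "code_replay_rejected": lambda: bank.exchange(code, app.recipient_id),
        "bad_otp_rejected": lambda: bank.login(
            "alice", "correct horse", f"{(int(good_otp) + 1) % 1_000_000:06d}",
            7, app.recipient_id, "accounts.read"),
    }
    for name, attempt in checks.items():
        try:
            attempt()
            results[name] = False
        except PermissionError:
            results[name] = True
    return results


if __name__ == "__main__":
    print(run_flow())
```

The three refusals at the end are the properties the text attributes to the redirect model: a callback carrying a state the recipient never issued is dropped, a spent authorization code cannot be exchanged twice, and a correct password on its own is not enough when a second factor is required.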


Under open banking, customers will control their own data and should be able to provide specific direction regarding the transfer and use of that data. The consent on how this data is used could occur on the data generators’ side, data recipients’ side, or both.

Regardless of which model of consent is chosen, its ultimate purpose should be to enforce transparency and ensure customer consent is meaningful and informed. A robust customer consent process should also go beyond the requirements outlined in PIPEDA—particularly in the areas of explicitness and enforcement—as these standards tend to be underdeveloped, due to the legislation’s age.

To achieve these end goals, the Canadian open banking movement should consider borrowing a few common best practices from other jurisdictions. For one, consent prompts should be simple—ideally written in plain language and concisely displaying all important information on one screen. This ensures that the authentication and consent process is not a barrier to open banking adoption.

Additionally, customers should be able to withdraw consent at any time. In line with the shift of data control back into customers’ hands, they should be able to revoke access if desired. However, the original data held by the data generator should not fall under this principle, as is often required by existing regulatory frameworks for AML purposes.

Canadian market factor: Role of a digital ID utility

Digital ID is the electronic storage of identity information that allows people to identify themselves online without having to continuously present physical documentation. If a standard form of digital ID is developed and mandated in Canada, authentication would not need to happen entirely on the bank’s online interface. The utility providing the digital ID service could serve as the central authentication manager, leading to greater safety and security, improved user experience, and reduced authentication costs for market participants.

In considering the evolutionary path for open banking, it would be important to consider how digital ID might help banks and other data generators better manage authentication risks, enable more thorough fraud analytics, and create a more harmonized customer experience.
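To make the consent principles above concrete, here is an added Python example (not from the report) of a consent registry that a data generator might keep. Each consent carries a plain-language summary that fits on one screen, a set of granted scopes (read versus write, tying back to the earlier access-rights discussion), an expiry and a withdrawal timestamp, and every data access is checked and logged against it. Withdrawal cuts off the recipient without deleting the bank's own record of the customer, mirroring the AML retention point. The scope vocabulary, the customer, the recipient and the account data are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Plain-language phrase for each scope a recipient may request (constructed vocabulary)
SCOPE_TEXT = {
    "balances:read": "see your account balances",
    "transactions:read": "see your transaction history",
    "payments:write": "make payments from your accounts",
}


@dataclass
class Consent:
    consent_id: str
    customer: str
    recipient: str
    scopes: frozenset
    expires_at: datetime
    summary: str
    withdrawn_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        return self.withdrawn_at is None and now < self.expires_at


def consent_summary(recipient: str, scopes, expires_at: datetime) -> str:
    """The single-screen statement the customer agrees to."""
    actions = " and ".join(SCOPE_TEXT[s] for s in sorted(scopes))
    return (f"{recipient} may {actions} until {expires_at:%Y-%m-%d}. "
            "You can withdraw this at any time.")


@dataclass
class ConsentRegistry:
    """Kept by the data generator; every data access is checked against it."""
    records: dict                                  # customer -> data held by the bank
    consents: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)      # (time, recipient, scope, outcome)

    def grant(self, customer, recipient, scopes, days, now):
        unknown = set(scopes) - SCOPE_TEXT.keys()
        if unknown:
            raise ValueError(f"unknown scopes requested: {sorted(unknown)}")
        expires = now + timedelta(days=days)
        cid = f"consent-{len(self.consents) + 1}"
        self.consents[cid] = Consent(cid, customer, recipient, frozenset(scopes),
                                     expires, consent_summary(recipient, scopes, expires))
        return self.consents[cid]

    def withdraw(self, consent_id, now):
        # Withdrawal ends the recipient's access; the bank's own record of the
        # customer stays, since AML rules typically require it to be retained.
        self.consents[consent_id].withdrawn_at = now

    def access(self, consent_id, scope, now):
        """Return the requested data, or None with the refusal written to the audit log."""
        c = self.consents[consent_id]
        if not c.active(now):
            outcome = "denied: consent withdrawn or expired"
        elif scope not in c.scopes:
            outcome = f"denied: {scope} not among granted scopes"
        else:
            outcome = "allowed"
        self.audit.append((now.isoformat(), c.recipient, scope, outcome))
        if outcome != "allowed":
            return None
        return self.records[c.customer][scope.split(":")[0]]


def demo():
    """Exercise grant, scope enforcement, withdrawal and expiry on constructed data."""
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    bank = ConsentRegistry({"alice": {
        "balances": {"chequing": 1250.00},
        "transactions": [("2024-02-28", -42.10, "grocer")],
    }})
    c = bank.grant("alice", "Budget App", ["balances:read", "transactions:read"], 90, now)
    out = {"summary": c.summary,
           "read_ok": bank.access(c.consent_id, "transactions:read", now) is not None,
           "write_denied": bank.access(c.consent_id, "payments:write", now) is None}
    bank.withdraw(c.consent_id, now + timedelta(days=10))
    out["read_after_withdrawal"] = bank.access(c.consent_id, "balances:read",
                                               now + timedelta(days=11))
    out["bank_record_retained"] = "alice" in bank.records
    short = bank.grant("alice", "Budget App", ["balances:read"], 30, now)
    out["expired_denied"] = bank.access(short.consent_id, "balances:read",
                                        now + timedelta(days=31)) is None
    out["audit_entries"] = len(bank.audit)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit log is what makes withdrawal enforceable rather than merely declared: a regulator or dispute body can see that a recipient's request after the withdrawal timestamp was refused, and which scope it asked for.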


How should system oversight be structured?

Choices made by other jurisdictions: Centralized enforcement; Some functions centralized, others voluntary; Voluntary code of conduct.

An open banking system will require two phases of governance: the first will be needed to define the overall system, while the second will provide ongoing operational oversight (e.g., acting as a dispute resolution body for liability issues between data generators, data recipients, and customers). The responsibilities of each governance structure will be unique. Below are a few examples of what they may entail:

Phase 1: Defining the open banking system

• Develop the data-sharing standards that data generators must abide by to make customer data available;

• Develop the specific accreditation criteria that govern which data recipients are allowed to request data from data generators; and

• Define the liability framework that clearly outlines the roles and responsibilities of data generators, data recipients, and customers.

Phase 2: Operating the open banking system

• Provide ongoing oversight over data generators and accredited data recipients (e.g., regularly auditing data recipients to ensure accreditation criteria are being met);

• Act as a central dispute resolution body for customer complaints and liability issues;

• Support the development and execution of customer education;

• Require a mandatory insurance product, similar to the CDIC, that pays out in case of disruptive losses that lead to the complete failure of a data recipient (this program could be funded by a mandatory fee as part of the accreditation process);

• Create a digital identity, consent, and authentication management system; and

• Manage the recovery of variable costs incurred by data generators to make data available to third parties.

The responsibilities of governance and oversight of the open banking system can be either:

• Centralized into a consolidated governance function; or

• Distributed to data generators, data recipients, and industry bodies that represent customers to self-regulate through voluntary industry “codes of conduct”; or

• Divided between these two approaches, whereby some pieces of governance are mandated by a centralized authority, while others are distributed to industry participants to develop “codes of conduct.”

While the ideal allocation of responsibilities between these various parties is up for debate, Canadian stakeholders would be well served to keep the aforementioned guiding principles in mind as they determine the distribution best suited to a Canadian open banking framework.

Canadian market factor: Updates to PIPEDA

Open banking will hinge on privacy law reform. While current privacy laws dictate how information is kept, stored, and used, open banking will have to expand on these regulations—focusing specifically on how data will be shared between financial institutions and third-party providers.

Canada is in the midst of a consultation process for changes to PIPEDA, which would bring it into line with many of the changes brought by the European Union’s General Data Protection Regulation (GDPR). GDPR mandates financial institutions to erase customer data (collected directly from customers and received from third parties) upon customer request if one of the following six conditions is met:

1. The personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed

2. The data subject withdraws consent […]

3. The data subject objects to the processing […] and there are no overriding legitimate grounds for the processing […]

4. The personal data have been unlawfully processed

5. The personal data have to be erased for compliance with a legal obligation […]

6. The personal data have been collected in relation to the offer of information society services […]

GDPR encompasses both digital and physical documentation and includes backup files. However, the right to be forgotten may be overruled, or delayed, for some or all data classes due to regulatory obligations imposed on the controller of that data (e.g., record-keeping for accounting and taxation).

As open banking is developed in Canada, care must be taken to ensure that open banking abides by any changes to PIPEDA and does not possess any glaring gaps in coverage with respect to the consensual sharing of financial services data between open banking and PIPEDA.

In other jurisdictions like Australia, specific privacy provisions are included in the open banking policies to augment existing privacy laws in areas like granular consent and the right to be forgotten.


Some of the ways these guiding principles can be used to streamline the decision-making process include:

Value: Prevent conflicts of interest that inhibit the delivery of value to Canadians. To ensure the open banking system delivers true value to Canadians, the interests of the customer must be represented across governance functions. Understanding this, measures should be put in place to ensure neither data generators nor data recipients have sole control over the development of an accreditation framework, as this could lead to an overly complex process (that unduly limits participation from data recipients) or an overly open ecosystem (that exposes the financial services ecosystem to undue risks).

Safety: Leverage regulatory authority where needed to protect the safety and soundness of the financial system in Canada. The governance framework should ensure that Canadians are not exposed to undue risk. For example, the system should consider whether access to datasets through non-Open Banking methods (e.g., screen scraping) should be permitted for data that could be made available through open banking. Ideally, the open banking framework should provide more secure, cost-efficient, reliable, and customer-friendly access to data, potentially making alternatives (such as screen scraping) an unnecessary risk to the system.

Transparency: Ensure that Canadians are given full clarity and transparency when sharing data. In order to ensure that Canadians have consistent transparency when sharing data, standards around what information is being shared and how it will be used should be put in place. These standards may lead to a common screen for information sharing, as is being established in other jurisdictions.

Adoption: Efficiently leverage the various participants in the ecosystem to minimize the duplication of effort. Given the variety of concurrent efforts regarding the oversight of financial institutions and system infrastructure (e.g., RPOF), the governance framework should be designed to minimize the duplication of responsibility between parties. Economies of scale could be realized by centralizing governance responsibilities, but should be considered on a case-by-case basis to decrease the total cost of the system. For example, managing liability issues or cost recovery through a single central entity may help simplify these processes (at a lower cost) for all participants in the open banking system.


Who should participate in oversight?

Typically, even centralized oversight bodies are comprised of both regulators and market participants. For instance, in the UK, the Open Banking Implementation Entity, while created by the Competition and Markets Authority (a regulator), is funded by the UK’s nine largest banks. In the EU, while regulators are responsible for accreditation of third parties and are responsible for policy development, bringing principles-based policy into implementation across Member States requires the assistance of various standard-setting organizations and consortia (e.g., the Berlin Group).

This report is designed to offer considerations for open banking in Canada, regardless of which model of governance and oversight is selected, and who is ultimately involved in this process. That being said, the possible outcomes differ based on the choices made here.

For example, under a highly centralized governance model, the scope of data generators would likely depend on who participates in the governance entity. For instance, a regulator-led central entity would likely have the authority to mandate that a broad set of participants—for instance, credit unions and trusts—be included as data generators. A consortium-led or industry-led effort, on the other hand, would rely on voluntary participation from financial institutions, likely making the scope of data generators more limited.

Ultimately, as open banking in Canada is explored further, the role and structure of the central body will play a key role in its development. Because of this, it is a choice that should be made early in the process.


3. Commercial and liability model

The choices made by other jurisdictions around the commercial and liability model in place define how costs and liabilities will be distributed among market participants.

While building an open banking framework, Canada should answer these questions:

• How do data recipients gain access to generators’ data?

• How should liability be managed?

• What is the supporting economic model?

• How often should data requests be allowed?

How do data recipients gain access to generators’ data?

Choices made by other jurisdictions: None; Centralized accreditation; Centralized accreditation with bilateral contracting; Decentralized bilateral contracting.

There are two models that could be used to facilitate access to generators’ data:

1. Commonly agreed-upon accreditation requirements and standard contracts between data generators and data recipients. In this model, data recipients would have to receive certification to demonstrate their compliance with pre-set criteria (e.g., regarding data privacy and security). Certain elements that concern the data generators’ and data recipients’ relationship (e.g., method and terms of cost recovery, liability) would be defined by a standardized contract with some flexibility to accommodate the unique circumstances of the data-sharing arrangement.

2. Bilateral commercial agreements (between data generators and data recipients). In this model, both access to the ecosystem and specific elements would be defined through one-to-one agreements between data generators and data recipients, where parties have complete flexibility to negotiate the terms of the agreement.

Commercial agreements would more rapidly adapt to changing conditions, but may limit the efficiency of the system (e.g., financial data aggregators would be required to negotiate individual bilateral contracts with every financial institution participating in open banking as a data generator).

A commonly agreed-upon accreditation framework would simplify the process of gaining access to data, ultimately allowing more third parties to participate in the open banking ecosystem. However, it would be less flexible to changes in marketplace dynamics, and would require continuous updating to accurately reflect the broader environment in Canada.

If a central-accreditation-based system is selected, Canada may look to other jurisdictions to inspire the development of:

• Security and privacy protocols: To responsibly manage sensitive personal and financial data, and make sure that data recipients are not introducing undue security risks into the system.

• Indemnity insurance: To provide data generators with some reasonable certainty that data recipients will be able to pay out if a liability issue occurs.

• A defined customer complaint management process: To provide customers with some reasonable certainty that accredited third parties will be able to support them in case of any issue.

• Mitigation measures for material disruptions: To ensure appropriate protocols are in place in the event of system failures, security breaches, and other blockages to continuity.

The intended “use case” of data is a hotly debated topic in other jurisdictions with more advanced open banking systems. Including use case as a criterion would be helpful in protecting consumers from malicious actors; however, it may limit the scope of third-party providers with novel business models, potentially limiting innovation in the marketplace.


How should liability be managed?

Choices made by other jurisdictions: None; Data generators are first point of recourse; First point of recourse based on bilateral contracting; Data consumers are first point of recourse.

Generally, open banking should decrease total risk in the system by reducing the need for customers to share their banking credentials with screen scrapers. However, it may result in a shift of liability from customers (who are in breach of their contract with banks by screen scraping) to other participants in the system. As a result, a clearly defined liability framework is critical to garner buy-in from data generators and data recipients alike.

This type of liability framework, however, is highly contingent on a variety of other framework choices. Below are some of the choices that have been observed in other jurisdictions:

• Based on previous cases of open banking adoption, it is helpful if a liability framework is compatible with other existing regulations, rather than superseding them. This prevents the development of overlapping/conflicting requirements and ensures all participants have a common understanding of the roles and responsibilities of each player.

• For unintentional data breaches, many jurisdictions have chosen to assign liability to the party responsible for the breach itself (the data recipient in the vast majority of cases). In this type of scenario, the data recipient typically has adequate liability coverage for data breaches, and any accreditation program for data recipients includes both a security standard and a liability coverage standard. This framework has been found to raise customer trust in open banking, even after a hypothetical data breach incident occurs.

• In cases where companies intentionally misuse customer data, such as when malicious actors acquire accreditation, some jurisdictions have assigned liability to the body that granted accreditation and/or extended the accreditation most recently.

• Many jurisdictions currently allow data generators to sever a linkage with a data recipient if they suspect either an unintentional data breach or misuse. These data generators are responsible for reporting suspected breaches/misuse within a short time period to other data generators and/or the accreditation body to minimize the impact of the breach.

• Many open banking jurisdictions believe participants should be responsible for their own actions, but not the actions of others (e.g., data generators should not be liable for losses caused by data recipients). So, while account providers are the designated first responder in case of a loss, many jurisdictions have controls in place that allow them to seek recourse from the third parties responsible. This ensures account providers are not left unfairly holding the burden of liability, leading to greater participation from account providers in open banking. Certain jurisdictions also mandate capital requirements and/or indemnity insurance to third-party providers to provide some protection to account providers.

• In many jurisdictions, data generators have an obligation to report all in-scope information to data recipients truthfully, but they are not held liable for unintentional mistakes/inaccuracies in transferred data.

What is the supporting economic model?

Choices made by other jurisdictions: None; No cost recovery permitted; Bilateral agreements determine cost recovery; Mandated cost recovery.

To make data available, data generators are likely to incur both upfront fixed costs as well as ongoing variable costs. An open banking framework must outline whether data generators are allowed to recover their variable costs, for example, through a minimal fee charged to data recipients. When contemplating whether this is the right option for a Canadian open banking framework, stakeholders must consider a number of different factors:

• Fairness to data generators: Beyond the direct costs of making data available, data generators are likely to face additional indirect expenses (e.g., customer complaint management). Regulations should ensure they are able to sustainably perform these functions without being unfairly burdened by the process.

• Comparison to current state for data recipients: API-based solutions are likely to be significantly less resource-intensive (and thus, less costly) than the solutions that data recipients use today. As a result, data recipients’ costs of accessing customers’ financial data are likely to be lower than the current state.

• Barrier to entry: Charging fees for access to data may act as a barrier to the market. This could cause negative consequences (such as the stifling of innovation) or positive results (such as the stifling of low-value use cases), depending on the size of the data transfer fee.

How often should data requests be allowed?

Choices made by other jurisdictions: None; Limited number of data requests; Unlimited number of data requests.

* Note: No information is available about data request limits in Japan.

In the UK, data recipients are limited to making four requests in a 24-hour period, unless a higher frequency is agreed upon by the data generator and data recipient. However, customers can initiate data requests an unlimited number of times, which is similar to the level of access currently provisioned through online banking services, for example, in instances where customers have 24/7 access to their banking information through their bank’s online interface. This distinction between data requests initiated by recipients (which are often limited) and by customers (which are often unlimited) is common across many jurisdictions.

Allowing for a large number of requests enables additional use cases (e.g., an account balance monitor that notifies users when they are approaching overdraft) at the cost of a greater burden to data generators (i.e., of data transfer). Depending on whether a fee is charged to data recipients for every request they make, a limit may or may not be necessary to prevent data generators from being overwhelmed by a large volume of requests.
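The consent rules discussed earlier (revocable at any time, with the generator's own records retained for AML) and the UK-style request cap described above, as an added illustration that is not part of the original report: a data-generator-side gate that checks consent, scope, and per-recipient request frequency. The class, customer, recipient, and scope names are hypothetical, and the sample scenario is constructed.

```python
"""Consent-and-frequency gate at a data generator (added illustration).

Models the rules discussed on this page: sharing needs an active, in-scope
consent the customer can revoke at any time; recipient-initiated requests are
capped at four per rolling 24 hours unless a bilateral agreement raises the
cap; customer-initiated requests are uncapped. Names and values are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

DEFAULT_RECIPIENT_CAP = 4        # UK-style limit on background requests
WINDOW = timedelta(hours=24)


@dataclass
class Consent:
    customer_id: str
    recipient_id: str
    scopes: frozenset
    granted_at: datetime
    revoked_at: Optional[datetime] = None

    def active_at(self, when: datetime) -> bool:
        return self.granted_at <= when and (self.revoked_at is None or when < self.revoked_at)


class AccessGate:
    """Decides whether one data request may be served and records refusals."""

    def __init__(self, bilateral_caps: Optional[Dict[str, int]] = None):
        self.consents: Dict[Tuple[str, str], Consent] = {}
        self.bilateral_caps = bilateral_caps or {}   # recipient -> agreed higher cap
        self._history: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
        self.audit: List[Tuple[str, str, str]] = []  # (reason, customer, recipient)

    def grant(self, consent: Consent) -> None:
        self.consents[(consent.customer_id, consent.recipient_id)] = consent

    def revoke(self, customer_id: str, recipient_id: str, when: datetime) -> None:
        # Revocation stops future sharing only; the generator keeps its own
        # records, which AML retention rules still require.
        self.consents[(customer_id, recipient_id)].revoked_at = when

    def _deny(self, reason: str, customer_id: str, recipient_id: str) -> Tuple[bool, str]:
        self.audit.append((reason, customer_id, recipient_id))
        return False, reason

    def decide(self, customer_id: str, recipient_id: str, scope: str,
               initiated_by: str, when: datetime) -> Tuple[bool, str]:
        consent = self.consents.get((customer_id, recipient_id))
        if consent is None or not consent.active_at(when):
            return self._deny("no_active_consent", customer_id, recipient_id)
        if scope not in consent.scopes:
            return self._deny("scope_not_consented", customer_id, recipient_id)
        if initiated_by == "customer":          # customer-present access is uncapped
            return True, "customer_initiated"
        hist = self._history[(recipient_id, customer_id)]
        while hist and when - hist[0] >= WINDOW:  # drop requests outside the window
            hist.popleft()
        cap = self.bilateral_caps.get(recipient_id, DEFAULT_RECIPIENT_CAP)
        if len(hist) >= cap:
            return self._deny("rate_limited", customer_id, recipient_id)
        hist.append(when)
        return True, "recipient_initiated"


def sample_run() -> Tuple[List[Tuple[bool, str]], AccessGate]:
    """Constructed scenario: one recipient on the default cap, one with a bilateral cap."""
    t0 = datetime(2019, 3, 18, 9, 0)
    gate = AccessGate(bilateral_caps={"agg-b": 10})
    gate.grant(Consent("cust-1", "app-a", frozenset({"balances", "transactions"}), t0))
    gate.grant(Consent("cust-1", "agg-b", frozenset({"balances"}), t0))
    out = []
    for i in range(5):   # five background polls by app-a; the fifth is refused
        out.append(gate.decide("cust-1", "app-a", "balances", "recipient", t0 + timedelta(minutes=10 * i)))
    out.append(gate.decide("cust-1", "app-a", "balances", "customer", t0 + timedelta(hours=1)))
    out.append(gate.decide("cust-1", "app-a", "payees", "recipient", t0 + timedelta(hours=1)))
    for i in range(5):   # agg-b stays within its agreed cap of 10
        out.append(gate.decide("cust-1", "agg-b", "balances", "recipient", t0 + timedelta(minutes=i)))
    gate.revoke("cust-1", "app-a", t0 + timedelta(hours=2))   # customer withdraws consent
    out.append(gate.decide("cust-1", "app-a", "balances", "customer", t0 + timedelta(hours=3)))
    out.append(gate.decide("cust-1", "agg-b", "balances", "recipient", t0 + timedelta(hours=25)))
    return out, gate
```

The audit list is the hook a generator would feed to its monitoring: repeated rate_limited or scope_not_consented refusals from one recipient are the signal the liability section says should trigger a review of that linkage.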

Conclusion

Canada sits at an inflection point in the modernization of its financial services ecosystem. When looked at in conjunction with payments modernization and an expected overhaul of privacy legislation via PIPEDA, open banking represents the third pillar of a new landscape, one that will reshape customer expectations for the delivery and consumption of financial services.

If all goes according to plan, the financial services industry, and financial customers of the future, will all benefit from lower barriers to customer movement between organizations; more personalized and tailored financial experiences; and the automation of traditionally time-consuming procedures and tasks.

This movement, however, will not overhaul the financial services ecosystem overnight. Rather, the major changes arising from open banking will likely arrive gradually, meaning a significant window of opportunity exists for both new entrants and existing players alike. During this time, longstanding institutions would be well served to address pain points in their current banking solutions if they hope to play a leading role in reshaping the market.

Open banking is just one step in a broader movement of returning control over customer data back where it belongs—the end customer. Customers’ right to data control is about far more than just financial data, which means open banking stands to pave the way for other industries as well. By taking the first step in a deliberate and calculated manner, open banking can act as a template for others, illustrating the leadership role that financial services has in Canadian society and in protecting the customer above all.


Contacts

Rob Galaski, Global Managing Partner, Banking & Capital Markets

Todd Roberts, Partner, Canadian Payments Leader

Hwan Kim, Canadian Open Banking Leader

www.deloitte.ca

Deloitte provides audit & assurance, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500® companies through a globally connected network of member firms in more than 150 countries and territories bringing world-class capabilities, insights and service to address clients’ most complex business challenges. To learn more about how Deloitte’s approximately 264,000 professionals—9,400 of whom are based in Canada—make an impact that matters, please connect with us on LinkedIn, Twitter or Facebook.

Deloitte LLP, a limited liability partnership, is the Canadian member firm of Deloitte Touche Tohmatsu Limited. Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

© Deloitte LLP and affiliated entities.

Designed and produced by the Deloitte Design Studio, Canada. 18-5879T