The Advisory Committee on Open Banking (Committee), appointed by the Department of Finance Canada (Finance) in November 2018 to lead a two-phase consultation evaluating the merits of an open banking framework for Canada, recently released a report entitled Consumer-directed finance: the future of financial services (Report).
The Report provides a summary of the Committee’s findings and formal recommendations on the future of open banking in Canada; it also launches the second phase of Finance’s consultation process, which began in January 2019 with the release of their paper, A Review of into the Merits of Open Banking. For more information about the initial consultation, please see our January 2019 Blakes Bulletin: Canada Seeks Input on Open Banking Framework.
In the first phase, the Committee was tasked with: (i) considering whether open banking would provide meaningful benefits for Canadians; (ii) assessing how to manage and mitigate risks related to consumer protection, privacy, cybersecurity and financial stability; and (iii) determining what role the federal government should play in enabling open banking.
The Report summarizes the Committee’s extensive consultation process that involved wide-ranging submissions from a broad range of participants across Canada, multi-stakeholder roundtables, qualitative public opinion research and discussions with international policy makers and industry experts in other jurisdictions. In the Report, the Committee ultimately concluded that, in its view, and in the view of most stakeholders, “all participants in the financial services ecosystem—from established financial institutions, to fintechs, to other innovators and most importantly, consumers—stand to benefit from consumer-directed finance.”
The Report recommends that the federal government move forward to enable open banking in Canada by developing a framework to “set the guardrails in a manner that protects consumers and participants, while allowing innovation to flourish.” The Report recommends that the government’s approach to consumer-directed finance use the following three principles as a guide:
Focus on enabling consumer choice and meaningful control in order for consumers and small businesses to securely direct and control the use of their data in ways that benefit them
Provide consumer confidence and engender trust through respect for privacy and security, and be designed with clear and straightforward accountability mechanisms to ensure liability rests with the appropriate party, if something goes wrong
While privacy and cybersecurity concerns are real, equal weight must be given to growing a vibrant and innovative financial ecosystem. To that end, innovation should guide the development of consumer-directed finance that is founded on a safe, secure and standardized data-sharing mechanism
The Committee concludes that a robust consumer-directed finance framework, with proper safeguards, could be “a first step on the continuum toward a broader digital transformation within the financial services sector and in the broader economy,” and towards greater financial inclusion, if the framework is designed with these goals in mind.
The Report provided a number of other formal recommendations and considerations for next steps in the development of a framework to enable consumer-directed finance. The following are some highlights and key takeaways from the Report.
NEW YEAR, NEW NAME
Notably, as part of its recommendations to Finance, the Committee proposed replacing the term “open banking” with “consumer-directed finance” and, interestingly, adopted its recommended change in terminology throughout the Report. According to the Committee, “open banking” is a misnomer as it “is often misunderstood; as for some, it leaves the impression that their banking information would be laid out in the open, with little consideration for privacy rights.” Instead, the Committee said the term “consumer-directed finance” would more accurately capture what is being contemplated as it “recognizes that consumers should be in control of their information and able to benefit from the use of it“ in an environment that is controlled, secure and protects privacy.
While the move away from the term “open banking” is consistent with the Report’s recognition of the need for a framework that is “part of a broader conversation about Canadians’ ability to use, control and protect their data across all sectors,” the new term falls short by emphasizing the benefits to Canadian “consumers,” which, at first glance, appears to exclude business customers. This may be an oversight, since the Committee recognizes in the Report that consumer-directed finance may “be of particular benefit to small business owners.”
MEANINGFUL BENEFITS FOR CANADIANS
The Committee finds that there is an existing and increasing demand from Canadians to use their financial information in connection with data-driven services. According to the Report, consumer-directed finance has the potential to deliver meaningful benefits for Canadian consumers and small businesses, including by providing greater control of their information thereby allowing “Canadians to better and more efficiently manage their finances.” Consumer-directed finance may make this possible by allowing Canadians to use their information to obtain better rates, access non-traditional products and services, use new tools and manage a small business more effectively, including by “pulling their financial transaction data to seamlessly manage invoices and cash flow.”
In the Committee’s view, “the consumer’s interests must be the primary guide directing the development of any consumer-directed finance framework.” The Committee also recognized that consumer-directed finance presents opportunities for existing financial services providers, as well as new entrants, to drive innovation in the financial services sector by providing a more secure and reliable way to enhance and expand services that are already in market, while simultaneously enabling innovators to participate in ways that strengthen and enhance the sector for the benefit of Canada’s citizens and economy. In that regard, the Report provides that a “robust consumer-directed framework could support a more innovative and competitive [financial services] sector by setting rules and protections around data use, and requiring data to be transferred in a more secure form.”
THE RISKS, HOWEVER, ARE NOT NEW
The Report acknowledges that data sharing is already very prevalent in the financial services sector in a significant albeit unregulated way as part of the digital transformation driving rapid change in all sectors. With that in mind, the Report serves to refocus the Committee’s mandate on finding a balance between innovation and competition on one hand, and consumer protection, privacy, cybersecurity and financial stability on the other. The Committee posits that “managing risk and fostering innovation should be viewed as equally important objectives.”
In assessing the risks relating to privacy and security, consumer protection and financial stability posed by consumer-directed finance, the Report provides that many stakeholders agreed that risks exist in the market today, particularly in the “screen-scraping” environment. The Report notes that information received by the Committee from stakeholders estimates that 3.5- to 4-million Canadians share their financial data to access data-driven services that offer convenient ways to manage finances and their businesses through a process called screen-scraping. Screen-scraping is an unregulated process that poses security and liability risks to both customers and financial institutions and, in many cases, requires the sharing of the customer’s log-in and password information.
The Report notes that the technical limitations of screen-scraping, including its lack of security, constrain the development of new applications and services that limit the potential for innovation in this sector. The Committee also expressed concern over the lack of control that consumers currently have over their own data and the lack of safeguards to protect their data in the current environment. According to the Report, “there is a growing expectation on the part of consumers to be able to control and leverage” their information, along with “significant and increasing consumer demand for the convenience offered by data-driven services.”
MANAGING RISK THROUGH ACCREDIDATION AND MODERNIZATION OF PRIVACY FRAMEWORK
While the Committee recognized that there are risks related to consumer protection, privacy and cybersecurity, it concluded that “these risks exist in the current unstructured environment and implementation of a structured framework could serve to better address and manage them.”
According to the Report, there was broad consensus among stakeholders that an appropriate way to manage, address and possibly mitigate privacy and cybersecurity risks could be through an accreditation framework that admits trusted service providers into the ecosystem. Although there are a number of different accreditation models to consider, the Report proposes that an accreditation system could “require participants to meet certain standards for risk management and could be overseen on an ongoing basis by either a regulator or independent expert body.” In addition, the proposed accreditation system could be introduced in concert with digital identification for consumers, which are the subject of separate industry initiatives, bringing additional security to online financial transactions.
The Report identifies privacy as a key risk consideration for all stakeholders and an area ripe for modernization. The Report recognizes consent as the centerpiece of consumer-directed finance and, in order to mitigate privacy concerns, recommends establishing a “meaningful, opt-in consent by consumers when they direct their bank to share information with other participants.” According to the Report, the consent process could include:
Clearly defining what consumers are agreeing to, and outlining the implications of that agreement, in plain language
Providing a level of control by setting parameters over what data can be shared with a party, for what purposes and for how long, as well as allowing consumers to revoke their consent at any point
Being accountable to and traceable for consumers
OTHER KEY TAKEAWAYS AND RECOMMENDATIONS
Other key takeaways and recommendations in the Report include:
Any framework must consider how to attribute liability between different participants in a consumer-directed finance transaction
The Report warns of the risk of inaction to the global competitiveness of Canada’s financial sector as “the innovative potential of the financial sector is an important source of economic strength for Canada”
Consumer awareness and education are critical components of ensuring a successful consumer-directed finance regime
Consumer-directed finance presents the potential for greater financial inclusion and could provide increased access to financial services for those who are underbanked, less financially literate or marginalized, as well as improve access to credit for underserved markets, such as women and new Canadians
The framework would benefit from drawing on the experience of open banking models in other jurisdictions with a view to striking a balance between allowing Canadians to access the benefits and mitigate the risks of consumer-directed finance, while simultaneously ensuring that Canada’s approach provides for interoperability with international systems
THE GOVERNMENT’S ROLE
With the proliferation of financial data-sharing that relies on “inefficient technological workarounds that present liability and security risk for all,” the Report highlights the fact that consumer-directed finance is at a stage in Canada from which there is no going back. In light of these facts, the Report agreed with the majority of stakeholders that both “government and industry should work in tandem to develop a consumer-directed finance framework.” Consistent with stakeholder feedback, the Committee also agreed that industry should be the driving force for establishing technical standards and that the technical approach should be “nimble and avoid being overly prescriptive.” While acknowledging that all participants in the ecosystem must be engaged in the process, the Committee was clear that the government should have a defined role in order to “set a clear timeline for moving forward, prioritize consumer interests and the development of an ecosystem that is accessible to a broad range of stakeholders.” In addition, the Committee emphasized that the establishment of a consumer-directed finance framework that enables “enhanced data choice and control for Canadians across all sectors of the economy” needs to be developed “in consultation with regulators across sectors and in alignment with other related initiatives including payment modernization, updates to privacy frameworks, consideration of digital identity and the Department of Innovation, Science and Economic Development’s digital and data initiates.”
FINDING A WAY FORWARD
As a next step, the Report provides that the Committee and Finance will explore in greater depth some of the more complex issues raised by stakeholders in the consultation process including “liability, accreditation, governance, the question of how screen-scraping should be dealt with and how to build an ecosystem that is accessible to all participants.” Following those discussions, the Committee recommended that Finance develop a White Paper on a proposed consumer-directed finance framework for further consultation with stakeholders. The Committee also encouraged Finance to set a “bold, clear and concrete timeline for delivering consumer-directed finance,” recommending one to two years as a guideline as being reasonable, drawing on examples from other jurisdictions.
For further information, please contact:
Paul Belanger 416-863-4284
Mena Bellofiore 416-863-3858
Alana Scotchmer 416-863-4236
or any other member of our Financial Services Regulatory group.