On October 17, 2024, the Canadian Association of Financial Institutions in Insurance (CAFII) held its fifth webinar of 2024 – a Conversation on Open Banking: A CAFII Virtual Fireside Chat with Meaghan Obee Tower, Brigitte Goulard, and Sam Delechantos.
CAFII’s Executive Director, Keith Martin, moderated the webinar. He was joined by three expert lawyers from Canada’s leading legal firms to discuss what open banking means for Canadian financial firms. They were:
- Meaghan Obee Tower (Partner, Stikeman Elliott);
- Brigitte Goulard (Co-head of Torys’ Consumer Protection Practice and Fintech Group, Torys); and,
- Sam Delechantos (Associate, Fasken Martineau DuMoulin LLP).
Many representatives from CAFII’s 15 member companies and 10 Associates attended the webinar, as did representatives from allied industry associations such as the Canadian Life and Health Insurance Association, or CLHIA; the Travel and Health Insurance Association, or THIA; the Canadian Bankers Association, or CBA; from LIMRA; and from the Association of Canadian Pension Management (ACPM). Many insurance and financial services regulators and policy-making authorities attended as well, including the following government organizations:
- The Insurance Council of British Columbia;
- The Government of British Columbia;
- The Government of Alberta;
- Québec’s Autorité des marchés financiers, or the AMF;
- The Financial Services Regulatory Authority of Ontario, or FSRA.
After K. Martin introduced the panellists, Brigitte Goulard defined open banking and explained its history within Canada. As is common knowledge, the real name for the open banking framework in Canada is consumer-driven banking. However, for simplicity, it will be referred to as open banking.
Canada’s open banking framework was introduced in Parliament in April 2024 and received royal assent on June 20, 2024. The framework is composed of two key pieces: the Consumer-Driven Banking Act (CDBA) and the Amendments to the Financial Consumer Agency of Canada Act (FCAC Act). The CDBA is the legislation establishing the framework, while the second piece amends the existing Financial Consumer Agency of Canada Act. The FCAC will be the regulator responsible for administering, overseeing, and enforcing both the framework and the entities that participate in it. In terms of the CDBA, the first version of the act contained minimal governance, scope, and process details. The parts dealing with liability and privacy are expected to be revealed in the next budget implementation bill, which is usually presented in the fall. Another important element of the act is the requirement for the Minister of Finance to designate a body to establish the technical standards for data sharing. No such body has been announced yet.
The purpose of open banking, as B. Goulard explained, is to put an end to screen scraping for aggregating financial information so that financial data can remain safe and customers can do whatever they want with their own information. Screen scraping is the practice of organizations taking consumers’ credentials and scraping their data. The framework will allow consumers and small businesses to request that the financial data held by their bank be safely transferred to either another financial institution or a fintech that may have some interesting and appealing product offerings. The large banks will be required to become participating entities; however, the threshold for “large” remains unclear and undefined.
What will the framework apply to? As per the legislation, the framework will apply to the data that relates to deposit accounts, RRSPs, and other non-registered investment products, payment products, prepaid credit cards and so on, lending products, and other products or services that may be provided for in regulations. Because the regulation has not been released, it is unclear if other products or services will be included; however, it does seem that the Act will limit the products to those largely offered by the banks. Derived data, however, will not be subject to the open banking framework. Derived data is data that a financial institution, like a bank, would develop on a customer. For example, if a bank creates a profile on a customer that aims to offer them a type of credit card or certain service, that data cannot be transferred to another body. Furthermore, the data transferred cannot be modified by another participating entity. For example, if a consumer requests their data be transferred to a fintech, the fintech cannot then change or adjust that data.
The FCAC will maintain a public registry of participating entities. This is important because entities that present themselves as participating but are not can be subject to significant fines. The registry is, therefore, important to ensure consumer safety and entity accountability.
In terms of what was included in the amendments to the FCAC Act, the FCAC’s mandate was expanded to include oversight, administration, and enforcement of the new framework. As well, the FCAC Act will establish a parallel branch to deal only with the open banking framework. While entities and/or individuals who falsely represent themselves as a participant can be fined, so can entities and/or individuals who do not comply with the framework. The way that the framework was drafted aligns with the major banks’ consumer protection provisions, including the fines and penalties scale.
B. Goulard concluded her presentation with a few examples of the best use cases for fintechs and FIs participating in open banking:
- Account aggregation: use an API to allow customers to get an overview of their accounts and financial information.
- Personal finance management: APIs will again facilitate budget management.
- Instant credit risk: Lenders can more rapidly review an applicant’s credit history by gaining access to instant banking data.
- Subscription management: Allowing customers to manage recurring payments to cancel unwanted subscriptions.
- Opening of new accounts: speeding up the process of account opening as information can more readily be accessed.
K. Martin commented that, with the increase in data sharing, privacy will become increasingly important. He asked Sam Delechantos if she could discuss the implications of these privacy concerns. S. Delechantos explained that with the implementation of open banking, practices like screen scraping will no longer be necessary, thanks to the establishment of dedicated API frameworks. How those APIs will be set up and their technical standards are still being developed, which is something that will need to be monitored. Previous technical standards have been flexible enough to apply to organizations of varying sizes, limiting compliance burdens, and this may also be the case for APIs within the open banking framework.
Another interesting issue is consent. In countries that have already implemented open banking, consent is a struggle. There are technical issues with the interoperability between data holders and data recipients. How consent is obtained and then carried over into the transfer of data has been and will likely remain an issue. S. Delechantos did see a proposal that required regular establishment of consent while managing data (consent reaffirmed every 12 months). Furthermore, each organization will be required to have a consent dashboard where users can freely say who has access to what data, how long this access is permitted and under what circumstances. They can also withdraw their consent at any point using the dashboard. This is important because it asks questions about the longevity of consent. The new regulation will continue to put parameters around consent mechanisms and how consent is managed to protect consumers and their privacy.
Finally, data duplication and accuracy will remain risks. Within the Canadian framework, however, there is some protection because of the read-only clause that prohibits editing or alterations to the data received. What is risky is what happens after the fact: how that data is duplicated and distributed.
K. Martin commented that it sounds difficult to administer, to which S. Delechantos replied that, for the consent piece, yes, it will be. She explained that many companies in other sectors have been criticized for their consent practices, which forced them to develop fully functional consent dashboards. However, this model does not always lend itself well to every organization, so there may be technical challenges in the future.
Moving on, K. Martin asked Meaghan Obee Tower who will likely participate in open banking. While the big banks will have to participate, could other financial institutions refuse? M. Tower explained the expectation is that once the group of “large Canadian banks” has been determined, others in the space, like fintechs or credit unions, will be allowed to opt in. Any entities that decide to participate, however, must adhere to all technical standards and governance requirements. There is no expectation for any compliance regime distinctions between those entities required to participate and those permitted to do so.
K. Martin then commented that consumer protection of banks is federally regulated while consumer protection for insurance companies is provincially regulated. Some insurance companies are federally incorporated, while some are provincially incorporated. He asked B. Goulard what the jurisdictional issues are around open banking. B. Goulard explained that there are a lot of jurisdiction issues; like insurance companies, credit unions can be federally or provincially regulated. While all the banks are federally regulated, they are also subject to provincial consumer protection legislation. In fact, some provinces are considering establishing their own open banking legislation. Because of this, if provincially regulated institutions decide to participate, like provincially regulated insurance companies and credit unions, they will become subject to the FCAC. This can be complicated because it requires established definitions for what is provincially relevant versus federally relevant. Consumer protection, for example, is considered provincially regulated, but it can bleed over into federal jurisdiction. To navigate this issue, the government has introduced a senior deputy commissioner who will make decisions regarding open banking, which includes determining what is subject to provincial or federal oversight.
S. Delechantos shared her knowledge of other open banking jurisdictions around the world and what Canada can learn from them. Canada has already looked at Australia, the UK, and the EU, who have all been working towards open banking for many years now. Canada’s proposed framework considered the missteps of those jurisdictions and attempted to correct them. S. Delechantos added that looking at Australia, its implementation of open banking was conducted in phases, thereby allowing organizations to become accredited or authorized to participate and ease into the framework. This did have to do with some technical limitations; the first accredited data recipients or data holders were minimal due to limited capabilities. Consumer uptake has been quite narrow. In fact, most of the participating recipients are the large banks. S. Delechantos explained that this slow adoption is concerning because, if no one is opting in, is the framework achieving the enhanced consumer experience that it was created for? Many organizations may also just continue using screen scraping models instead since it is less time-consuming.
Furthermore, S. Delechantos commented that, supposedly, many Australian banks complained that they had to make significant investments to comply with the framework’s obligations. Many smaller banks have also used significant resources and financing to follow compliance requirements. When considering what to do in Canada in terms of technical and security safeguards, regulators need to consider the burden it could place on organizations.
Finally, S. Delechantos concluded by noting that, in Australia, the original framework rules did not include insurance brokers as eligible data holders. This received major pushback and pressure on the regulators, who later introduced new accreditation levels. The framework became tiered to allow different types and levels of data recipients to be categorized. Insurance brokers fell into the trusted advisor category.
B. Goulard asked S. Delechantos if the Australian banks forced participation. The Australian government, like the Canadian, told companies that if they wanted to receive data under open banking, they needed to become authorized or accredited data recipients.
K. Martin then asked if there were any truly successful jurisdictions that saw tremendous consumer benefits or enhanced competition after the introduction of open banking. S. Delechantos explained that while Australia, the UK, and the EU have seen some benefits to consumers, there have also been many issues. This framework is new and, therefore, takes time to implement and perfect. She noted that, recently, these jurisdictions have begun to see an uptrend now that many of those technical difficulties have been ironed out. In fact, parts of Canada’s framework, including the consent dashboard, have been developed in response to issues the EU and the UK have experienced.
Looking at the large banks, K. Martin asked M. Tower why it could be an issue to require their participation and what it could mean for smaller FIs or fintech. She replied that the thought process from a public policy perspective is that for open banking to be successful, people need to buy in. As alluded to by S. Delechantos, there hasn’t been an immediate change to banking habits or banking products. Therefore, to make Canada competitive in the international sphere, it needs to adopt open banking while ensuring participation. The thinking, then, is that Canada’s large financial institutions have the resources to support the framework. They are also the largest holders of the relevant data. In terms of implications for FIs and fintechs, M. Tower explained that she believes that, because it is a resource-intensive system, it will take quite a bit of time, effort, money, people, structure, and trial and error. This may deter or limit smaller institutions. Some may view this as worthwhile and see it as an opportunity to increase competition and access more consumers that are otherwise entrenched within the large FIs. This is, however, dependent on their ability to comply.
K. Martin asked all three speakers what compliance, operational, and legal costs could be incurred through open banking. B. Goulard said that open banking is coming. Therefore, institutions will need to change their systems to participate and align with the technical standards. She warned about the dangers of underestimating the potential cost and encouraged all to increase their operational and compliance budgets, including legal input and staffing. M. Tower agreed and added that some institutions have been operating in an unregulated manner, meaning they have not been subject to any applicable regulation at this time. For those institutions, this new framework will be a big change. For already regulated institutions, like the big banks, this change may be incremental. Therefore, the degree of impact is dependent on the institution. S. Delechantos agreed with both previous speakers, noting that the technical pieces will likely be the most challenging for the bigger institutions that may not necessarily have the specific technical requirements to support the specific APIs that will be needed for data sharing. Because of this, they may need to engage contractors, technical experts, etc., to try and build their technical capabilities.
K. Martin then asked S. Delechantos to envision a scenario in which, under the open banking framework, a bank transfers a consumer’s data, by request, to a fintech, and there is a breach. Who is responsible in this case? When the act was implemented, the rationale was that liability moved with the data. So, once the data leaves the data holder—the bank and its system—it is no longer their responsibility. In the case described, under the Act, liability falls onto the fintech. Depending on which province this occurred in, the fintech may also be liable under applicable privacy laws.
All three experts then explained the possible risks and benefits of open banking for FIs and fintechs. M. Tower commented that this depends on perspective. The expectation and the goal are that, in an open banking context, consumers are going to have an improved overall experience for their banking needs. The idea from a fintech perspective is that they are now able to compete in a field historically dominated by banks. Similarly, banks would benefit if they were able to be agile and adapt to have a broader product offering to benefit consumers. Whether consumers truly benefit from this framework as envisioned will depend on how many participants there are in the market and how much sharing is occurring. M. Tower explained that barriers to entry may be the biggest drawback for smaller fintechs. From a risk perspective, privacy breaches and data breaches are significant. The legislation is intended to address this and ensure participants have the right technological framework to prevent this, but data breaches occur, nonetheless.
Within Canada, there is a restriction on sharing data within a bank between the insurance division and other divisions. K. Martin asked, given these restrictions, if open banking will allow for the sharing of data between divisions of one organization where it is currently restricted. Alternatively, might a third-party fintech be able to receive and aggregate data from the different divisions and then aggregate it in a useful way? B. Goulard replied that, as per section six of the Act, “nothing within the legislation affects any restriction imposed under the Bank Act on banks with respect to the sharing of information about a consumer with an insurance company or broker for the business of insurance.” What is interesting is the interpretation of this clause. B. Goulard does not believe that a consumer will be able to tell their bank to send their information to an insurance company simply because a consumer requested it. This, however, begs the question: can a fintech ask for data as requested by a consumer and then share it with an insurance company? The restriction is imposed on banks, not fintechs; however, if the fintech is a participating entity, the Bank Act restrictions may apply. If the fintech is not a participating entity and, therefore, not subject to this particular restriction, would it be permitted to share the information? K. Martin asked if a fintech receives information from a bank and its insurance division after being instructed to send it by a consumer, does the fintech need to know the regulatory restrictions imposed on the bank? B. Goulard replied that it is complicated and unclear. If the restriction is not in the Act, then there would be no reason for the fintech to know the restriction. However, if the fintech is participating in the new legislation and there is reference to the restriction, then it may, indeed, extend to the fintech. Ultimately, this depends on how the FCAC will apply the restriction.
K. Martin commented that the FCAC has been given the responsibility of implementing the new framework and asked what this means. Will additional resources be allocated to the regulator to do so? S. Delechantos replied that a certain amount of money was pledged to facilitate the implementation. This is to support the additional resources required to implement and manage the new framework properly. M. Tower added that the FCAC is intended to be the overarching regulatory body for the framework, so their role will be all-encompassing. They will be responsible for everything from determining eligibility to maintaining compliance standards and more. It will be a large role that will likely require change and adjustment over the coming years.
B. Goulard commented that she feels the FCAC will grow and incur five new costs:
- Oversight of participating entities to ensure they comply with the Bank Act.
- Oversight of the ombuds body and OBSI.
- Oversight of the technical body, which will be appointed by the minister.
- Maintain the registry of participating entities.
- Conduct trend analyses of all aspects of the new framework.
Before the webinar concluded, K. Martin asked the three speakers if they had any words of advice on how to best prepare for open banking. B. Goulard told attendees it is important to understand the FCAC’s plans and where the regulator sees the new framework going. She encouraged everyone to start saving for the costs of implementation. M. Tower advised everyone to plan for the future by envisioning their institution within the framework of open banking in three years, five years, etc. She encouraged all attendees to think strategically about their institution’s role in the open banking sector. S. Delechantos advised more regulatory reflection. She stressed how important it is to pay attention to compliance, like privacy requirements.
K. Martin thanked the three speakers and concluded the webinar.