
Status of Open (Consumer-led) Banking in Canada: 2024

Implementation in Canada

As of March 2024, Canadian open banking is still in the initial legislation stage with the first reading of the proposed Bill C-365 occurring on November 9, 2023.

What is it and why should we care?

Open banking, also known as consumer-led banking within Bill C-365, is freedom for your financial information.

This made two-thirds of you gasp in terror at the idea that your bank transactions could become public. The other third of you probably wonder how this will benefit you. This is what I hope to explore in this article. By the end, I hope to focus your fears on high-risk areas that the legislation should address and highlight the significant benefits that this legislation can bring.

Background and Overview

Open banking enables consumers to securely and efficiently transfer their financial data among financial institutions and accredited third-party service providers [1]. Translated, this means requiring banks to have an API that makes your financial information available to other banks and accredited companies.

An analogy for this is authorizing your accountant to deal with the CRA rather than giving them all your passwords and login information so they can pretend to be you when dealing with the CRA. The person you’re trusting with your information is accredited, and they are working on your behalf to organize the information and present it to you in a way that is more beneficial to you.

Open World Banking

As seen above, the majority of Europe has already adopted open banking, while Africa appears to be struggling with its adoption. While the USA is highlighted green, it has not reached true open banking with registration of third-party providers. The only ones able to access financial data through an API are other financial institutions; this does not allow the full benefits of open banking to occur and keeps it within the financial institution club.

Why is Canada so far behind?

Canada has a highly regulated banking system, which has resulted in a lack of competition over many decades. This has increased stability and security within the Canadian banking system, but it has also stagnated innovation. This is illustrated by multi-billion dollar companies having websites that feel like they are from the early 2000s.

While there is no law preventing banks from creating APIs and adopting open banking in some form, they do not see the benefit of allowing access to their customers’ data. For the banks, this is a security risk that is not required of them, and it seems this is the only viewpoint they have been able to take over the past decades. This is also why open banking is referred to as consumer-led or consumer-driven banking: the consumer will normally do things that are in their best interests, and it allows them greater control over sharing their financial data.

Regulatory Framework and Policies

The current open banking framework in Canada is best summed up as “on the agenda”.

On September 26, 2018, the Minister of Finance, Bill Morneau, created the Advisory Committee on Open Banking with four members heading the inquiry: a TD banker, a Montréal-based investor, a cybersecurity lawyer, and a Toronto-based start-up specialist.

Overall, the makeup of the committee appears to be qualified to generate a report to the Minister regarding the merits of open banking in Canada. Additional weight was put on consumer privacy, security and financial stability. This was to be done after the committee completed consultations with Canadians. This was completed and a final report was issued in April 2021.

Final Report 

The summary of the Executive Summary is that the financial information we currently have available within our banks should be included in the data; however, banks will be allowed to exclude their derived data. This data is the reports and analysis that the bank performs on your financial information, so the exclusion basically prevents you from seeing how the financial institution is using your data. The committee is also recommending a tiered approach to implementation, with a suggestion that Canada should pursue a hybrid method in which government and industry collaborate on the implementation. After the recent ArriveCAN app scandal, this should be done with strict guidelines and an implementation plan to reduce the chance of overages and misappropriated funds.

The open banking system in Canada should have core fundamentals, including:

  • Common Rules, including where liability rests and how consumers are to be protected.
  • Accreditation, the process of becoming accredited, including those outside the banking system.
  • Technical, how the transfer will happen, formatting, and security.

The first step according to the committee is to appoint a head of open banking in Canada that reports directly to the Deputy Minister at Finance Canada. This person’s job would be to advance each element in the final report. In addition to this individual the government is being advised to create a specific government entity to deal with regulating this system and open banking products and services.

They acknowledge that consumer trust is essential for the system. Allowing consumers the right to control, edit, manage, and delete their financial information, while also deciding when, how and to what extent the information is communicated to others, will help ensure trust in the system. But they do suggest that the consumer protection legislation should be updated.

The final objective of open banking will be when Canadians can intentionally share their financial information in a safe and effective method. This will in turn allow enhancements to the welfare of Canadians through new technologies able to utilize this data without relying on screen scraping. The committee has estimated 9 months to design the system and another 9 months to implement and test the system. A total of a year and a half.

Technological Advancements and Infrastructure

The current technology used to access financial information through things like bank feeds is screen-scraping software that uses your login information to scrape the screen and import the data into the system. This results in a significant risk to all parties, as there is a threat of breach through the third-party software performing the screen scraping. In another slap in the face, the banks will normally have a clause in your documentation stating that giving out your banking information to a third party will breach the agreement to secure your deposits. This could allow them to deny any claim of lost funds due to theft because you wanted to integrate your bank with your accounting software. It seems the banks in general have chosen to ignore or plead ignorance of the existence of such services.

Open Banking Technology

As mentioned in the previous section, open banking is still being developed with regard to the software and security. But it will be using an Application Programming Interface (API), which essentially allows access to certain endpoints through a request from an authorized party. The details around the authorization are the key implementation challenge. Financial technology companies are constantly hounded by those attempting to breach their security.

A breach can occur in several different ways, but with open banking, bad actors could compromise a less secure third party to gain access to your data. This is why certain protocols will need to be established before open banking can be considered viable. There could be several good and bad pathways to take with the protocols of third-party accreditation. Allowing the Government of Canada to open an authorization system for your financial data to third parties might be the most secure way, but it would also be extremely cumbersome and would impede a lot of efficiency. On the other hand, allowing Google or another technology company to handle the implementation of protocols would likely work extremely efficiently but could result in financial information of Canadians being given to foreign entities.

Innovations

I have on several occasions logged into various big banks’ online banking or app and thought to myself, did they really make more than a billion dollars last year? I’ve commented multiple times that the feel of the user experience (UX) is from the early 2000s.

Access to financial information through these banks for the personal or even the commercial consumer has been, in general, terrible. The banking sector is not associated with innovation; most fintechs in Canada are offering financial services outside the normal banking industry. Access to a wider range of financial products and services through sharing financial data will result in a revitalization of the banking sector. If the bigger banks are being outshone by credit unions and fintech startups, they will lose customers, forcing them to improve.

Integration Challenges

Banks. While they appear to be accepting of the potential changes, this would mean ignoring a significant threat to their insulated sector, one that would cut into their earnings as more innovative products come onto the market. This would be a net benefit to the Canadian consumer, but at the cost of the larger banks. If they can find a loophole in the legislation to minimize the amount of data or make it near unusable, they will likely do so if they see it as a threat to their profits.

The timeline proposed for the implementation is unreasonable. If they are able to design and implement this entire system within 18 months, it will likely have significant issues, most likely in the accreditation section. There has already been discussion of how to deal with a significant backlog of applications: the committee has stated they want a 3-month application window for third parties looking to get accreditation, while accepting that when open banking legislation is introduced there will be closer to a 12-month backlog.

High-Risk Areas

What happens when that accredited company is revealed to be a bad actor? What is the punishment? Should the directors of the company be liable directly if the controls in place to secure our data were fraudulent or grossly insufficient? Without a significant punishment for breaches in customer data, the system could soon find itself infested with pop-up companies abusing this system.

To ensure open banking handles banking data with great care, a significant punishment will need to be levied against bad actors, especially those who coordinate with foreign powers. In the March 21, 2019 standing session of the Senate Committee on Banking, Trade and Commerce [5], there was brief mention of criminal charges for those who break the trust and harm the welfare of Canadian consumers and businesses. This was then pushed aside as it was premature to consider punishments.

Liability

There are as many scenarios of how someone could manipulate the system of an unwritten Bill as there are stars in the sky. However, one aspect that recognizes the potential for government and industry to work together, or at least their lawyers, is ensuring that we know who is at fault. It has been mentioned multiple times that knowing where the liability lies is a high priority for the committee and should be addressed in the legislation.

My guess is that the consumer will always be liable unless there was a recognized data breach, at which point the party subject to the breach will become liable.

Regulatory & Compliance

It has already been stated that all banks falling under federal rules should be required to adopt this, while provincially regulated credit unions and banks should be able to join on a voluntary basis. This in itself could result in a system that has minimal teeth or an entire government agency devoted to the big five banks, as most of us did not know there were 36 Schedule 1 (domestically owned and federally regulated) banks in Canada, only 2 of which are credit unions. Meanwhile, there are 208 credit unions that could be exempted, yet they are normally the source of excellent resources for small business owners.

In addition to this, even with just the big 5 banks, the regulatory hurdle could be insurmountable. In spring 2018, I interviewed for a position with the Alberta Gaming and Liquor Commission (AGLC) for the position of financial auditor. I learned during that interview that they had a total of 8 auditors for all of southern Alberta; they were hiring the 9th as they expected more work when they took on cannabis legalization in the fall. This was to keep in compliance every liquor store (privately owned in Alberta), casino, and NPO that received funding from the AGLC. Needless to say, this number of regulators was insufficient; this is often the case with governments. They implement rules, but are terrible at enforcing or regulating these rules. This could be due to poor implementation, unclear guidance, or just more rules implemented than needed.

Read vs Write

During the initial phase of open banking, we are currently only looking at read-only access to Canadians’ financial information. Write access would be the equivalent of allowing a third party, authorized by you, to send commands to the bank on your behalf. Send this money here. Pay this bill. Sell my investments. These are a much higher threat than simply reading the information you already access through your debit card, banking applications or at the bank. Write access is considered a significant risk, and its implementation should be held off until the read-only system has been reasonably tested, before Canadian financial services are allowed to accept orders from other financial systems.
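The read-only phase described above, sketched as the per-request check a bank's API could run in place of accepting a shared password. This is an added example, not part of Bill C-365, the committee's report or any bank's system; the scope names, consent fields and accreditation registry are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical scope names: no Canadian open banking standard defines these yet.
READ_SCOPES = {"accounts:read", "transactions:read"}
WRITE_SCOPES = {"payments:write", "investments:write"}
WRITE_ENABLED = False  # initial phase described in the article: read-only

@dataclass
class Consent:
    consumer_id: str
    third_party_id: str
    scopes: frozenset      # what the consumer agreed to share
    accounts: frozenset    # which accounts the consent covers
    expires_at: datetime
    revoked: bool = False  # the consumer can withdraw consent at any time

def authorize(consent, accredited, third_party_id, scope, account, now):
    """Return (allowed, reason) for one API request from a third party."""
    if third_party_id not in accredited:
        return False, "third party is not accredited"
    if consent is None or consent.third_party_id != third_party_id:
        return False, "no consent on file for this third party"
    if consent.revoked:
        return False, "consumer revoked consent"
    if now >= consent.expires_at:
        return False, "consent expired"
    if scope in WRITE_SCOPES and not WRITE_ENABLED:
        return False, "write access not available in read-only phase"
    if scope not in READ_SCOPES | WRITE_SCOPES:
        return False, "unknown scope"
    if scope not in consent.scopes:
        return False, "scope not granted by consumer"
    if account not in consent.accounts:
        return False, "account not covered by consent"
    return True, "ok"

# Constructed sample data: one consumer, one accredited app, one consent record.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
ACCREDITED = {"budget-app"}
CONSENT = Consent("alice", "budget-app",
                  frozenset({"transactions:read", "payments:write"}),
                  frozenset({"chequing-001"}),
                  datetime(2024, 6, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for tp, scope in [("budget-app", "transactions:read"), ("budget-app", "payments:write"),
                      ("budget-app", "accounts:read"), ("popup-co", "transactions:read")]:
        print(tp, scope, authorize(CONSENT, ACCREDITED, tp, scope, "chequing-001", NOW))
```

Every denial carries a reason, which is what a liability or audit trail would need; with screen scraping the bank sees only the consumer's own login and can make none of these distinctions.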

Future Prospects and Developments

The Next 3 Years

Within the next three years we should see open banking designed, implemented, regulated, and succeeding in Canada. Implementing open banking should not be difficult from a technology standpoint. APIs have existed since the 1950s; they were what bore the internet. The challenge is how to secure open banking to ensure data shared with others within the financial services industry is not used in ways you have not approved. We do not want big tech able to scan our bank and credit card statements to learn how to better market to us. Something like this would ruin the trust in open banking when implemented in Canada.

Specifically, we should see the design and the start of implementation of a consumer-driven banking framework by 2025.

By 2026 we should see a full implementation.

By 2027 we should be able to assess the system and start planning the introduction of the open banking “Write function”.

3+ Years

Once a bank is able to share your financial information with other parties, this will open up a larger variety of fintechs to innovate in different areas we cannot imagine. The implementation of open banking presents a unique opportunity for Canadian entrepreneurs. This system would allow startups to provide unique financial opportunities within Canada, but if mismanaged it could result in something worse than consumers sharing their banking username and password with an unaccredited third-party application.

Squirrel Thoughts

In order to introduce open banking legislation, the Government of Canada should consider how this could impact the Bank of Canada as well. Should a Canadian citizen be able to access banking services directly from the Bank of Canada under accredited circumstances?

Open banking is coming, we just need to know when to pull on the reins to slow it down. Adoption of open banking is Canada’s way to improve the ability for consumers to manage their finances with a better system than we are presented with.

We have significant threats that will need to be dealt with in the framework for open banking implementation. The best way to deal with these threats is for the government to implement a really big stick for those whose participation in open banking is proven to be with ill intent.

The benefits certainly outweigh the risks with regard to what open banking offers to Canadian consumers. While it is tempting to implement certain elements of open banking and not others, implementing all of them will help improve consumers’ financial outcomes by allowing access to opportunities.

References and Further Reading

1 Bill C-355 – [First Reading, November 9, 2023]

2 Kontomatik Blog – [Which countries have open banking?]

3 Open Banking Tracker – [Open Banking Tracker]

4 Final Report – [Advisory Committee for Open Banking in Canada]

5 Ottawa, Thursday, March 21, 2019 – [Senate Committee on Banking, Trade and Commerce]
