Canada’s cautious stance on regulating open banking

When it comes to banking, Canadians tend to reach for the familiar.  Loyal to a fault, consumers here look to their primary financial institution for most products, even when they suspect they could get a better deal elsewhere.  No surprise then that few have taken notice of the open banking phenomenon sweeping across the globe, particularly in Europe, the U.S. and parts of Asia.

What is open banking? It’s an emerging model, fashioned by a mix of fintech innovation, changing consumer habits and regulatory forces, in which banks are being pressured to open up their customers’ data to third parties. This is done by allowing them to access open APIs, which offer a standard way for programmers to work with code they didn’t write, so that they can develop new and useful financial products for consumers. Those products, in turn, remove much of the hassle — known as friction — that comes with signing up new customers, and getting them to complete transactions using data collected by their banks.

For the consumers, the appeal is in getting better rates on lending rates and more transparency on financial products.

There’s upside for the banks, too, who can remain relevant in a digital environment where they would otherwise risk eventually being disintermediated by fintech upstarts with better offerings and services. 

But open banking raises concerns about privacy, security and competition policy. So regulators across different jurisdictions are trying to figure out what are the best approaches to balancing innovation with consumer protection.

At the moment, the United Kingdom and the EU are leading the way. The EU regulates the sharing of consumers’ banking account data with third parties through its revised Payment Services Directive' – known as PSD2 – in force since January. PSD2 forces big banks to open up their data online in a secure, standardized form, to authorized fintech companies.

In the UK, regulators imposed open banking in response to PSD2 and a report released by the Competition and Markets Authority (CMA) which found there wasn’t enough competition among big banks for customers’ business. It’s still early days there, and public awareness is still low as the major banks have come under criticism for being slow to embrace open banking reforms. An open banking regime is also scheduled for implementation in Australia next summer.

Predictably, it’s in the more fragmented market in the U.S., where banks number in the thousands, that regulators are taking a more hands-off approach and letting market forces shape the direction of open banking.

Canada, with its consolidated market in financial services, is taking a wait-and-see approach. “We don’t have legislation at this point mandating open banking or providing detail on it,” says Ana Badour, a partner at McCarthy Tétrault in Toronto. But the federal government is undergoing a review of open banking to assess its impact on consumers and the risks involved for consumer privacy and data security. There are other ongoing related consultations, including on a new federal oversight framework for retail payment systems.

And last year, the Competition Bureau expressed its support for open banking in a market study into innovation in the Canadian fintech sector.  According to Badour, we heard echoes of the same argument around the 2016 ruling by the Federal Court of Appeal that upheld an order by the Competition Bureau requiring the Toronto Real Estate Board to remove restrictions on its members’ access to home sale prices. 

The concern for now, however, is that the absence of regulations opens the door to dubious activities, such as screen scraping to harvest data from websites, which carry legal and security risks for consumers.

There are also questions on the privacy front. What standards should be followed, and who in the supply chain of providers need to follow them? What counts for explicit consent and how must it specify specific uses for particular types of data? The EU General Data Protection Regulation (GDPR), in force since May, has addressed this to some extent at least by giving back some control to consumers over how their data is used.

Then there is the issue of liability, “which require(s) careful consideration, particularly given that open banking involves both very large entities and small start-ups with limited resources,” says Badour. “What happens if there is a data breach or unauthorized transaction?  What if there is an issue with the data being shared?  Should there be a requirement that parties participating meet minimum thresholds in terms of insurance or capital requirements?"

But legislative changes will take time, says Badour, as we’ve seen with the modernization of the Canadian payments system. “Constitutional issues need to be considered,” she says. “There are federal and provincial jurisdiction aspects to this.”

Meanwhile, key players in the Canadian fintech space are showing signs of impatience. “We need open banking and something similar to [GDPR],” said Paul Desmarais III, the executive chairman of Portag3 Ventures, during his keynote at the Canada FinTech Forum in Montreal last month. Desmarais worries that Canada is falling “quite a bit behind” other countries by not incentivizing banks to share their payment networks. “Until new fintech players can access infrastructure directly rather than via a bank, they will only be able to be as good as their partner who has no real incentive to allow the emerging player to shine,” he said.

With or without regulations though, industry changes seen elsewhere in fintech are likely to spread quickly to Canada, says Badour. “When you have a development that is commercially successful, it tends to filter over to other jurisdictions even if the regulatory framework is not yet well aligned with innovations,” she says. “Open banking creates the ability to build on top of data and innovate on top of things. There’s a lot that can happen at a very accelerated pace.”

Canadian consumers will likely find themselves in unfamiliar territory before long.