Beyond past due
Canadians are ready for open banking. But too many questions remain around security and liability risks.
Pandemics come and go, but money marches on. While the federal government has been distracted by COVID-19, the wheels have kept turning on some longer-term policy projects — open banking among them.
Back in April, Finance Minister Chrystia Freeland received the final report of a federal advisory committee on the prospects for an open banking system in Canada — one that would give consumers complete control over their banking data, allowing them to share it easily and securely with any accredited financial service providers. The report (which was released publicly in early August) calls on Ottawa to design, test and launch an open banking system by January 2023.
That’s a tight timeline for such an ambitious undertaking. Canada’s financial sector has many moving parts: the banks themselves, the fintech firms trying to build the market for their services here, federal regulators, and the credit unions and other financial institutions that fall under provincial regulation.
The 2021 federal budget made no mention of open banking, although it did task the Bank of Canada with regulating domestic payment services providers. Legislation that would have enabled the data portability essential to open banking — Bill C-11 — died when the election was called.
“January 2023 is not that far off, given that there are a lot of puzzle pieces that still need to be put in place,” says Ronak Shah, a senior associate at Torys whose practice covers privacy law and cybersecurity.
“The problem is the government’s ranking of priorities. In November, C-11 was looking like a top priority for the federal government, but it just didn’t get the push it required. It should have gone to committee for debate before the House shut down. So it’s quite clear that the government will have to push hard on this when the Commons comes back.
“It’s a complicated policy space. The marketplace is ready for this. Canadians are ready. They’re just waiting on government to take the next steps.”
If there’s a greater sense of urgency now, it’s likely because the federal government is several steps behind the fintech sector itself.
Roughly 3.5 to 4 million Canadian consumers already share their financial data with third-party financial services providers through “screen-scraping” — offering their banking login information to fintech firms.
By doing so, these consumers may be violating the terms and conditions set by their banks — which means that if a fintech firm is hacked, its customers could be held liable by their banks for the damage done. So the push for open banking is as much about protecting the financial sector itself (and its millions of customers) as it is about embracing consumer choice.
“These fintech firms are sitting on a vast number of passwords. If they get breached, multiple financial institutions could get hit at once,” says Ryan Clements, chair of the Business Law and Regulation section at the University of Calgary Faculty of Law.
“The personal banking information of millions of Canadians is vulnerable.”
The fact that Ottawa is playing catch-up on open banking means that some elements of the system we ultimately get may be in place already. APIs — application programming interfaces — are software interfaces that allow fintechs to securely access client data held by banks. Some banks have started working on relationships with fintechs that include “custom-made” APIs, says Shah.
“They’ve been working on the functionality of data transfers because they know this is something important to their clients,” he says.
The advisory committee report is agnostic on whether the system should have a single API standard; some stakeholders (possibly concerned about sunk costs) have argued a single standard would inhibit competition.
But multiple APIs could increase the cost of entry for financial institutions looking to join open banking — not a big deal for a giant like RBC, says Clements, but a burden for a smaller credit union.
“But if they don’t opt in at whatever cost, they lose market share,” he says. “This is something their customers are going to demand from them.”
Another possible point of friction is the report’s incremental approach. It calls for “read-only” access to banking data in the initial version of open banking. That means fintechs approved to participate in open banking would have access to the data the client shares with the bank but would not be able to alter any of it — they wouldn’t be able to move money or make payments on their clients’ behalf.
“That still leaves a lot of informal benefits of open banking — things like AI-driven budgeting and credit scoring, things that can be done with read access alone,” says Clements.
“But that’s not where the real value-added in open banking is to be found. The real value is in the ability to move money around, to automate bill payments or avoid overdraft fees. The U.K. has ‘write’ access.”
Clements argues that, without that “value-added,” open banking in Canada loses some of its poverty-fighting potential. Cheaper banking means more financial stability for the “under-banked” working poor who depend on fringe operations like payday loan and check-cashing services.
“We might end up with a system where the banks benefit from being able to read each other’s data, only a small number of fintechs can afford to get over the accreditation bar and things haven’t changed much,” he says. “It would be an improvement, but still.”
The current practice of screen-scraping exposes customers to risk and liability. The advisory committee’s report recommends that liability follow the data. In the event of a breach, it should lie with “the party at fault,” says Ana Badour, partner at McCarthy Tétrault and co-leader of the firm’s fintech group.
“How far a fintech firm should be considered legally liable for the cost of personal information breaches that occur as a result of their access would be for a court to decide,” she says. “We see no reason that the factors that would normally underpin a court’s determination of damages should change.”
The advisory committee report says that a set of common rules for open banking would eliminate the need for bilateral contracts between banks and third-party companies. Clements says the federal government and stakeholders still need to clarify how liability would work in the absence of those agreements.
“Banks are still liable for how their data is used when they outsource functions to other companies. So they do significant due diligence on those contracts, which is one of the reasons why we have such a stable system,” he says.
“The report envisions liability flowing with the data itself, to keep responsibility with the perpetrator. But the Office of the Superintendent of Financial Institutions still holds banks responsible for how their data is used. So how is that going to be squared?”
Add that to the long list of questions Ottawa needs to answer between now and 2023.