Privacy and security considerations loom large as Canada explores the open banking concept that has already been adopted by the European Union and the United Kingdom, say lawyers.
Privacy and security considerations loom large as Canada explores the open banking concept that has already been adopted by the European Union and the United Kingdom, say lawyers.
The idea behind open banking is providing a framework for customers to give access to financial institutions and third parties to safely share information allowing them to develop products.
“The [federal] government is starting to basically join the chorus of the other countries that have already gotten on board,” says Ronak Shah, whose practice with Torys LLP in Toronto focuses on privacy law, data management and technology contracting.
He points out that Australia, too, is in the process of developing the means to adopt the open banking concept.
“They understand that to ensure that the financial industry remains competitive and to provide more choice to consumers and to be more innovative they need to provide some guidance,” he says.
In releasing its consultation paper in January, the federal finance department emphasized the need to balance a globally competitive financial sector that provides consumer choice while ensuring privacy and security are protected. That was followed by consultations that closed in February in its review of open banking.
Open banking is described in the paper to have the potential for consumers to consent to sharing their financial transaction data with third-party financial service providers, allowing them to benefit from a broader range of financial products and services.
The point of the consultations is to gauge Canadians’ views on the benefits of the concept, whether they want it and how the consumer protection, privacy, cybersecurity and financial stability risks should be managed.
According to the paper, there are some limited services in place, but they don’t allow for a single access point of the various products provided through different providers. There is also concern that those who currently use “account aggregation” applications offered by non-banks are trading off security and privacy protections.
Shah sees open banking as a new paradigm in the financial services sector with its focus on consumer data portability and an openness around the data to provide customers more choice in terms of how they can get more services out of information that is already existing.
But there are different models for Canada to explore. The European Union, with its recently enacted General Data Protection Regulation, is looking at it as information that the consumer provides financial institutions, he says, whereas Australia’s approach includes the information that customers provide as well as the process.
“I think we need to figure out what the right balance is and try to ensure that there’s protection in the innovation these financial institutions have . . . by creating intellectual property but also giving consumers the right over the data,” he says.
The open banking framework needs to ensure that any data sharing is done in a secure way and only after the customers have provided their permission and after their identity has been authenticated, says Wendy Mee, a partner at Blake Cassels & Graydon LLP in Toronto.
She believes there should also be assurances built in to confirm what the customer is agreeing to. There is currently no standardized process.
“I think the open banking initiative is to look at how can we create the framework that has the appropriate security in place, has the appropriate privacy protections in place and have it maybe standardized so all of those things are thought through and dealt with in an appropriate way,” she says.
Molly Reynolds, counsel at Torys LLP, says open banking is in some ways an extension of what is already happening. But a proper framework of how it should operate ensures the necessary protections are in place, she says.
“There are smaller digital banks or lending organizations that have been leveraging technology to try to get to many of the same objectives as what’s being discussed in this consultation paper,” she says.
One of the ways some financial organizations use technology is through screen scraping, in which a computer program extracts data from a screen. That allows those service providers to look at the various products and other financial information to determine eligibility for other products, she says. But the concern, she says, is that approach involves releasing log-in information.
She expects that, as organizations continue to innovate, they’ll look for ways to make the consumer experience simpler and faster to attract customers. Open banking, she adds, will help foster that innovation while standardizing the expectations for both the financial technology companies developing these new approaches and the larger financial organizations.
The federal government’s consultation paper acknowledges that these innovations challenge existing regulatory frameworks so there is a need to consider new ways to give Canadians more control over their personal financial information while at the same time protecting them from the consequences of privacy breaches and fraud.
“Open banking gives consumers the ability to provide their consent to allow for financial transaction data to be accessed without requiring consumers to give their personal login credentials to third party financial service providers. This can be accomplished through the use of secure data sharing mechanisms called may application programming interface (API),” it states. “This consultation paper seeks input on how risks related to consumer protection, privacy, cyber security and financial stability should be managed for open banking going forward.”
As that structure is being developed, Mee points out that Canada still has an overarching privacy law framework in place with which all of the players currently have to comply. That means any collection, use or disclosure of personal information has to be done in compliance with privacy laws, so there are broader protections in place if the open banking process takes time.
Those existing protections might also be deemed adequate to accommodate an open banking framework, she adds.
“It’s possible that, because we have the underlying privacy framework, that maybe the focus is going to be on security standards, for example,” she says.
Victoria Allsopp, an associate at Blake Cassels & Graydon LLP, says Canada can benefit from the jurisdictions that have already adopted an open banking framework.
She points to the prescriptive approach in the European Union and United Kingdom as one example and Hong Kong as another where industry standards are being developed allowing the private sector to come up with solutions that balances the privacy needs with the desire to open up banking.
“Canada can kind of benefit from all of those that came before it and learn from their examples and come up with a uniquely Canadian solution,” she says. “Approaching it with that caution is probably going to save us more time in the long run.”
Allsopp adds that, because the financial technology industry and financial services have different regulatory regimes and different industry standards, a single solution could be developed to address both.
But there may also be a disconnect and it could be determined that a new approach would provide seamless protections and rights around data portability, adds Shah. The EU’s open banking framework was developed at about the save time as the GDPR regulations were drafted, so that included rights around data portability, he says.
A federal advisory committee under the Department of Finance is expected to review the merits of open banking and starts its second phase this year to assess implementation considerations.