On April 16, Canada’s federal government (the Government)
released its 2024 budget (the Budget). As part of the
Government’s ongoing efforts to establish a modern digital
payments system for Canada, the Budget included additional details
on the establishment of a consumer-driven/open banking framework
(the Framework).
What you need to know
- In a previous bulletin, we considered the future of
payments in Canada and assessed what steps the Government needs to
take to establish a modern digital payments system. The Government
has already introduced certain initiatives, such as the launch of
Lynx (Canada’s new high-value payment system). Other
initiatives, such as the Retail Payment Activities Act
(RPAA), are being rolled out. - Open banking frameworks allow financial data to be shared
between financial institutions and third parties using secure
application program interfaces (APIs). Such frameworks are already
in place in several jurisdictions, including the UK and Australia.
The Government estimates that nine million Canadians already share
their financial data by providing banking credentials to service
providers, a process known as screen-scraping. - The development of the Framework, which was first announced in
the 2023 Fall Economic Statement, is guided by six core elements:
governance, scope, accreditation, common rules, national security,
and a technical standard.
Governance
In a significant step, the Budget signalled the Government’s
intention for the Financial Consumer Agency of Canada (FCAC) to
oversee the Framework. To support the FCAC in this new mandate, the
Government announced the creation of a new FCAC position, the
Senior Deputy Commissioner of Consumer-Driven Banking. The
Financial Consumer Agency of Canada Act will be amended to
create this new position.
As part of its new mandate in supervising the Framework, the
FCAC will maintain its integrity and security, enforce common
rules, accredit entities, and oversee technical standards. The new
role adds to the FCAC’s existing mandate of supervising
federally regulated financial institutions, such as banks, as well
as payment card network organizations, and external complaint
bodies. Recognizing potential jurisdictional issues with the
provinces, the Government notes that the FCAC Commissioner will not
be responsible for the direct oversight of the Framework, leaving
that responsibility to the Senior Deputy Commissioner. In its 2021
submission to the Advisory Committee on Open Banking, the FCAC
highlighted the benefits consumers receive from consistent consumer
protection and market conduct standards, potentially offering
insight into the FCAC’s regulatory priorities for open banking.
As the FCAC observed, consumer confidence is necessary for the
success of open banking.
All industry participants will be subject to the Framework and
FCAC supervision. To facilitate oversight of provincial entities,
while respecting their jurisdiction, the Framework will be
structured in a manner that allows for provincial credit unions and
Crown corporations that act as banks to “opt-in” to
governance, supervision, and participation. This is a key area of
uncertainty for the Framework, as it is uncertain the extent to
which provincial credit unions and crown corporations will choose
to opt in. If they do not, the Government will need to clarify
whether organizations that choose not to opt in will be able to
provide open banking-type services.
Scope
The Government will mandate participation for banks that meet a
specified threshold of retail volume, while the remaining federally
regulated financial institutions—as well as provincial credit
unions, Crown corporations that act as banks, and other entities
seeking accreditation—will be able to opt in. There will also
be clear requirements for how various entities such as fintechs can
enter and exit the Framework.
The development of the Framework will be an iterative process.
In the initial phase, participants will be required, at the request
of a consumer, to share data related to deposit accounts,
investment products and lending products. All participants will be
equally subject to data-sharing requests, a process known as
reciprocal access.
The issue of data sharing is likely to be a key area of
contention as the implementation of the Framework progresses. The
Government notes that data that has been “materially
enhanced” by a participant to offer significant additional
value or insight will be excluded from scope. This is likely to
pose challenges for entities in drawing a line around
bank-developed information and information that is owned by the
individual.
Accreditation
The Framework will establish a formal accreditation process for
entities wishing to collect consumer data. Entities wishing to
become accredited will need to submit an application to the FCAC.
Applications will include information on the organization,
operational standards, and financial capacity. Once accredited,
entities will be subject to mandatory reporting of key information
on a regular basis, with the FCAC retaining authority to suspend or
revoke an organization’s accreditation.
Importantly, while the Fall Economic Statement noted that
certain regulated entities, such as federally-regulated banks and
credit unions, would be exempted from accreditation, the Budget was
silent on this issue.
Common rules
The Framework will include common rules that address consumer
protection interests, privacy, liability, security, national
security, and integrity. The common rules are intended to
complement existing legislation, rather than create duplicative
requirements.
In keeping with the Government’s efforts to harmonize and
enhance broader consumer protections across Canada, “consumer
protection interests” were newly introduced as a common rule
in the Budget.
1. Privacy
The Framework will include additional privacy rules beyond
existing privacy legislation addressing the provision of express
consent to access data, consent management, and revocation of
access. In addition, participants will be required to have a
standardized and clear means for consumers to provide and revoke
their consent. These means will be based on user experience
guidelines which participants will be required to adopt.
Participants will also be required to reconfirm consumer consent at
specified intervals (every 12 months) or following certain events,
as well as to provide consent dashboards to ensure consumers have
real-time knowledge to how their data is managed.
This area is likely to pose a key compliance challenge as
organizations overhaul their back-end technological systems.
Moreover, participants will be required to manage different privacy
obligations enforced by the FCAC and privacy regulators
2. Liability
Recognizing the importance of clearly establishing where the
liability rests, the Framework will establish a statutory
liability–eliminating the need for bilateral contracts
between participants. Liability will move with data and rest with
the party at-fault. Consumers will not be liable for financial
losses incurred as a result of sharing their financial data within
the Framework, while participants will be required to put in place
a complaint-handling process that is aligned with existing industry
practices. The data provider maintains liability toward the
consumer for data under its control.
3. Security and national security
In developing security obligations, the Government has
acknowledged that they are setting a high bar. Unlike the
RPAA’semphasis on proportionality, which aligns risk management
with potential outcomes, the Government does not appear to favour a
proportional approach to imposing requirements as it notes that
legislation will establish security requirements for all
participants to serve as the minimum floor to safeguard consumer
data, along with ongoing reporting obligations.
The Government has indicated that the security requirements will
apply to all the people, processes, technology, and infrastructure
that interact with in-scope data that is collected through the
Framework. However, consultation is ongoing with respect to the
certification or reporting obligations that will be required.
The Minister of Finance would also receive new powers related to
national security and protecting the integrity of the financial
system. The Government proposes to empower the Minister to refuse,
suspend, or revoke access to the Framework for national security
reasons. The Minister would also be empowered to direct the FCAC to
take measures related to the Framework for reasons related to
national security, to safeguard the integrity or security of
Canada’s financial system, or in the best interest of the
financial system. These provisions are intended to align with
existing financial sector statutes, such as the RPAA, the Bank
Act and the Proceeds of Crime (Money Laundering) and
Terrorist Financing Act.
Single technical standard
To align with international best practices, the Government will
mandate the use of a single technical standard that is fair, open,
accessible, and interoperable with standards in other
jurisdictions. Legislation will provide authority to the Minister
of Finance to identify and revoke a technical standard, as well as
authority to the FCAC to supervise the technical standard body.
Next steps
An effective open banking framework requires a modern payments
infrastructure. As the implementation of the Framework progresses,
the Government will ideally ensure that the RPAA framework is fully
operational before open banking has launched. This may provide
consumers with increased confidence in using fintechs for their
financial services. Efforts are also required to increase
Canadians’ familiarity with open banking, given a recent Abacus poll noting that 57% of Canadians
acknowledge being unfamiliar with the concept.
In Spring 2024, the Government intends to introduce the first of
two pieces of legislation to implement the Framework, starting with
elements such as governance, scope, and process for the technical
standard. The remaining elements will be addressed through a second
piece of legislation in the fall, with a review of the Framework
after three years.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
#Budget #Canada #Moves #Step #Closer #Open #Banking #Terrorism #Homeland #Security #Defence
