Parna Sabet-Stephenson wasn’t impressed by the 2024 fall economic statement’s promise of open banking. Allowing financial institutions to securely share client account details with third parties such as banks and wealth management firms by 2026 sounded promising.
But that promise has been made before.
Data sharing services currently depend on screen scraping, which requires users to share login details with a third party, raising security risks. Open banking will replace that.
The 2023 fall economic statement committed to open banking by 2025. As for the first open banking bill that received royal assent in June 2024? There was “very little” in it, said Sabet-Stephenson, the leader of financial services and technology at the Gowling WLG law firm in Toronto.
A second open banking bill, expected to become law in 2024, was thrown off track when Parliament was prorogued at the request of outgoing Prime Minister Justin Trudeau. It would’ve introduced substantive elements of the open banking framework, such as details on accreditation for participating entities. So far, the government has only updated a related framework.
“That framework without the legislation doesn’t do anything,” Sabet-Stephenson said. “This is a promise of 2026, but what’s the promise [worth] if the legislation hasn’t been passed?”
Still, open banking is making progress. That means financial institutions and fintechs will need to convince customers to move data into their systems, said Robert Hayman, head of emerging initiatives and product delivery at Central1, which provides back-end banking services to more than 250 financial institutions.
But financial institutions that can opt in to open banking might face a dilemma.
“Do I want to be so insular to say I’m not going to let them move their data [to a competitor] and risk the entire customer relationship?” said Hayman. “Or [are we] going to enable you to move that data to that fintech in the hopes of continuing to maintain that overall customer relationship? And who knows, maybe in time we will be able to offer a similar type of service.”
The FCAC and complaints mechanisms
The framework that defines the Financial Consumer Agency of Canada’s (FCAC) regulatory role in open banking promises to align players with a single technical standard, states the need for accreditation and certification requirements and mandates a common liability structure. That regulatory role will include developing a consumer awareness campaign and creating a public registry of banks, credit unions, fintechs and other participating financial services providers.
Each participating organization will have independent policies to handle consumer complaints, Sabet-Stephenson said. It could be similar to the code of conduct for the payment card industry in Canada, also under the FCAC’s authority, which requires clear, simple and transparent complaint-handling processes.
The FCAC will not be directly handling open banking complaints. Instead, complaints will be managed through the external complaints body of each participating entity, the FCAC said in an email.
The federal government will select a single technical standard so that application programming interfaces (APIs) are interoperable.
Adopting the same standards as the U.S. would help fintechs access data from both countries, said Saba Shariff, senior vice-president and chief strategy, product and innovation officer with Symcor, a payment processor in Mississauga, Ont. In January, the U.S. Consumer Financial Protection Bureau approved Financial Data Exchange’s (FDX) application to issue open banking standards.
“I would be shocked if FDX wasn’t the standard that Canada chooses,” Hayman said, noting that the U.S. is the most relevant market with which Canada might want to exchange data.
But financial institutions don’t need to wait for the final technical standard, Shariff added. The risk in picking a standard for a pilot project can be eased by working with a technical service provider that bridges the gap between standards once the FCAC makes a decision.
Whatever an organization chooses to do, it’s important to select an existing standard instead of starting from scratch, Shariff said. “At least they’ve actually figured out the best practices. … Even if it’s not 100% the standard that will get selected in Canada, you usually don’t see a massive variation between APIs.”
Fintech accreditation and technical certification
Financial institutions that want to be accredited will apply to FCAC with information on oversight arrangements, governance, security and privacy controls and liability instruments, among other requirements. Key information will need to be regularly reported to maintain accreditation.
Only fintechs, such as technology vendors that support banks, will need to be accredited, said Hayman, who’s part of the Department of Finance’s open banking accreditation working group. They will need to demonstrate privacy and security controls as well as an ability to make consumers whole, through something like liability insurance coverage, in case anything goes wrong.
“The accreditation process is more around the government ensuring that the participants in the system are of a certain level of sophistication … and that these are known entities if they are going to be on the receiving end of sensitive customer data,” he said.
Meanwhile, financial institutions and fintechs will need to undergo certification, proving they comply with the technical standard and are open to reciprocity. Where fintechs typically consume data, banks usually provide data, so everyone involved will need to send and receive data to create a level playing field, Hayman said.
First-phase data scope
At first, banks meeting a specific retail volume will need to participate, while other federally regulated financial institutions can opt in. The data scope will initially include information about chequing and savings accounts, investment products available through online portals and lending products.
“That is a pretty comprehensive scope of data for phase one,” Hayman said.
It will all support common applications like aggregating accounts, preparing taxes, opening accounts and personal finance management tools.
For example, account information could include an account number, product type, currency code, balances, transaction history and merchant names, Hayman said. In future phases, open banking could even include derived data such as risk tolerance.
A question of liability
The underlying framework says liability will move with the data and rest with an at-fault party if anything goes wrong. Consumers won’t be held liable for financial losses incurred from sharing data.
But there isn’t enough clarity on what that means, Sabet-Stephenson said. For example, the rules are still unclear about what happens if there’s a mid-transmission data breach.
Nonetheless, having a single liability structure and defined security standard will be better than what exists today, Shariff said, referring to the inefficiency of leaving financial institutions to make decisions between themselves. Open banking will make liability solutions scalable across the industry.
“It takes that guesswork out,” she said. “It makes it clear where the liability resides.”
This article has been updated with information from the FCAC.