Policy-makers in countries such as the United Kingdom (U.K.) and Australia have argued that consumers should have more control of their personal financial data and are implementing what is called “open banking” to facilitate the transfer of that control to consumers. Open banking generally has two elements: the first is to provide consumers with the ability to direct banks when to share selected financial data with other businesses; the second is to provide customers with additional ways to make payments from their bank accounts.
In its 2018 Budget, the federal government indicated that it intended to undertake a review of the merits of open banking in Canada through an advisory committee and proceeded, in January 2019, to release a consultation paper to this effect.1 In June 2019, the Standing Senate Committee on Banking, Trade and Commerce released its report, Open Banking: What it Means for You, which contained several recommendations for the implementation of an open banking framework in Canada.2
As the financial technology (commonly known as fintech) industry continues to evolve, new financial products and services are being offered to consumers around the world.3 To access these products and services, consumers must transfer their personal financial data. However, in most cases, consumers lack control over their data as they are collected and stored by their financial institutions. Thus, if consumers wish to use a fintech service, such as data aggregators that consolidate consumers’ financial data from various accounts and institutions, they have no choice but to use “screen scraping” technologies to produce a snapshot of their financial situation.
Screen scraping is the process by which certain smartphone fintech apps gain access to a user’s banking data. In screen scraping, consumers provide a third party, usually a fintech company, with their login credentials for their online banking platform. The fintech then uses this information to log in and “impersonate” the customer to extract data. Having login credentials allows that fintech to gain access to the customer’s entire account, leaving the individual open to the risk of identity theft or fraud and potentially violating the terms and conditions of their service contract with their financial institution. Furthermore, in providing access to the data, the consumer loses control over where and for how long the data is stored.
The Department of Finance Canada estimates that almost 4 million Canadians currently use smartphone applications that use screen scraping to access their personal financial data, and that number is growing rapidly.4
A more secure way to allow fintechs to access consumer financial data would be through application programming interfaces (APIs). An API is a software intermediary that allows two apps to talk to each other. It acts as a universal access point by which information is retrieved from a database. By using APIs to provide fintechs with access to personal financial information, consumers maintain the security of their login credentials and could potentially control which information to provide to fintechs and how long they would have access to it. APIs are a central element in open banking.
Source: Figure prepared by Library of Parliament.
APIs are the main technological mechanism by which banks provide access to consumer data to a fintech in an open banking framework. In a similar type of transaction, ride-sharing service Uber uses an API from PayPal to process payments and from Google to provide map functionality.
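The difference between screen scraping and API access described above can be made concrete with a short sketch. This is an added example, not taken from the original paper or from any bank's actual API; the account fields, the signing key, the customer login and the function names are all constructed for illustration.

```python
import base64, hashlib, hmac, json, time

BANK_KEY = b"constructed-demo-key"  # constructed signing key held only by the bank
# Constructed customer record; the field names are hypothetical.
ACCOUNT = {"balances": {"chequing": 1520.75},
           "transactions": [{"amt": -42.10}],
           "profile": {"address": "1 Example St"}}
REVOKED = set()  # consent ids the customer has withdrawn

def issue_consent(consent_id, scopes, ttl_seconds, now=None):
    """Bank issues a signed grant after the customer approves specific data."""
    now = time.time() if now is None else now
    body = json.dumps({"id": consent_id, "scopes": sorted(scopes),
                       "exp": now + ttl_seconds}, sort_keys=True).encode()
    sig = hmac.new(BANK_KEY, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + sig

def api_read(token, resource, now=None):
    """Return the resource only if the grant is authentic, live and in scope."""
    now = time.time() if now is None else now
    try:
        b64, sig = token.split(".")
        body = base64.urlsafe_b64decode(b64)
    except ValueError:
        return ("denied", "malformed")
    expected = hmac.new(BANK_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return ("denied", "bad signature")  # grant was altered after issue
    grant = json.loads(body)
    if grant["id"] in REVOKED:
        return ("denied", "revoked")        # customer opted out
    if now >= grant["exp"]:
        return ("denied", "expired")        # access was time-limited
    if resource not in grant["scopes"]:
        return ("denied", "out of scope")   # customer never shared this data
    return ("ok", ACCOUNT[resource])

def scraper_read(username, password, resource):
    """Screen-scraping model: a valid password opens every resource, with no expiry."""
    if (username, password) != ("alice", "constructed-password"):
        return ("denied", "bad login")
    return ("ok", ACCOUNT[resource])
```

With the API grant, the fintech never holds the customer's password, and the bank can refuse any request that falls outside what the customer approved or that arrives after the grant has expired or been withdrawn.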
Open banking can take various forms, depending on the jurisdiction and its regulatory and market environments. Like other jurisdictions, Canada must decide whether participation by banks would be voluntary or mandatory. It must also decide which financial products a Canadian open banking regime would apply to, including possibly chequing and savings accounts, credit cards, mortgages, and personal and business loans. How fintechs are given access to the regime is another important consideration, including whether they should be accredited somehow and, if so, which body should manage that accreditation. Another important issue is how consumers would opt in and opt out of open-banking activities. Some jurisdictions are even considering going beyond the banking industry and applying open banking regulations to other industries with sensitive consumer data such as the energy or insurance industries.
Canada must also decide what type of privileges fintechs might have within an open banking regime. These types of privileges may be categorized as follows:
While most analysts agree that providing Canadian consumers with more control over their personal financial data would be a good thing, there has been a debate in the industry regarding how to implement it within Canada’s regulatory environment.
For example, over the past several years, privacy experts, the Office of the Privacy Commissioner of Canada and various stakeholder groups have noted the risks to privacy posed by open banking and urged the federal government to update the Personal Information Protection and Electronic Documents Act in this respect, in order to modernize Canada’s privacy regime and keep it up to date with privacy legislation in other jurisdictions, in particular the European Union (EU).6 According to the Department of Finance Canada, an open banking regime in Canada must ensure that privacy rights are respected and that there is adequate consumer protection when financial data is being shared.7
Another concern that has been expressed is whether a proposed open banking framework would apply to provincially or territorially regulated financial institutions, such as credit unions and caisses populaires.
In terms of benefits, experts have indicated that open banking may provide opportunities and benefits for financially vulnerable or “underbanked” individuals and that there may be significant economic gains for the Canadian economy from increased growth in the fintech sector.8 For consumers, the Department of Finance Canada indicated that open banking could make financial transactions easier to conduct, increase financial literacy and provide individuals with financial services that may not be accessible at traditional financial institutions.9
Like Canada, many countries are examining the benefits and challenges of open banking for their citizens, financial sector and economy as a whole. Some countries – including India, Japan, Singapore, South Korea, and the United States – are allowing the market to drive the implementation of open banking and data sharing measures, while others – such as Australia, the U.K. as part of the European Union, and Hong Kong – have chosen to legislate an open banking regulatory framework.10 Currently, the two countries that have the most established open banking regimes are the U.K. and Australia.
In order to address new digital payment services and consumer concerns about privacy and cybersecurity breaches, the EU introduced two key pieces of legislation which both came into effect in 2018: the General Data Protection Regulation (GDPR)11 and the Payment Services Directive 2 (PSD2).12 The GDPR sets out obligations for businesses to protect consumers’ personal data, as well as consumers’ rights with respect to personal data held by businesses. The PSD2 updates the EU’s directive on payment services to account for online and mobile payments and provides protection for consumers from payments-related fraud and abuse. As well, to promote the development and use of innovative digital payment services, PSD2 allows registered fintechs to access bank accounts upon receiving consent from a consumer.
To meet its PSD2 obligations and to address competition concerns in the U.K. retail banking market, the U.K.’s Competition and Markets Authority established the Open Banking Implementation Entity (OBIE), a private corporation funded by the U.K.’s nine largest banks.13 The OBIE’s mandate includes developing technical standards – including API standards – for sharing personal financial data, supporting regulated fintechs and banks in their use of the open banking standards, maintaining a registry of regulated financial services providers that are enrolled in open banking, and managing disputes and complaints. As of September 2019, the U.K. had 116 registered third-party providers. As PSD2 focusses primarily on payments, the U.K. established the Advisory Group on Open Finance in July 2019 to determine whether financial data sharing should be offered for a wider range of financial services.14
PSD2 came into effect on 14 September 2019. However, the European Banking Authority recently announced that, because businesses in some EU countries were not yet ready to implement elements of the “strong customer authentication”15 requirements set out in PSD2, the deadline for complying with these requirements is extended to 31 December 2020.16
In contrast to the EU and U.K., Australia has chosen to apply data-sharing measures on a much broader scope. In May 2018, Australia introduced a “Consumer Data Right,” which aims to give consumers more access to, and control over, their personal data.17 The Consumer Data Right will first apply to the banking sector to implement open banking, and then to the energy and telecommunications sectors and potentially to other sectors in the future. The lead regulator in the field is the Australian Competition and Consumer Commission (ACCC), with support from the Office of the Australian Information Commissioner and the Data Standards Body.
Open banking is to be introduced in phases, with the goal of having consumer data for mortgages, credit and debit cards, and deposit and transaction accounts accessible by 1 February 2020. As of 25 September 2019, the ACCC has published the framework for the implementation of the Consumer Data Right in banking and has released draft rules on how businesses can become accredited in order to provide products and services to consumers.18
With respect to applying the Consumer Data Right to other sectors, the ACCC has already issued a consultation paper on how to best apply this right in the energy sector.19 In August 2019, it also released a paper discussing the model it plans to use to share data in this sector.20
As the Department of Finance Canada’s Advisory Committee on Open Banking considers the various aspects of implementing an open banking regime in Canada, it faces the challenge of fostering the competitiveness of Canada’s financial sector by creating an environment where fintechs can provide Canadians with more options, while at the same time protecting the privacy and security of their personal financial data.
† Papers in the Library of Parliament’s In Brief series are short briefings on current issues. At times, they may serve as overviews, referring readers to more substantive sources published on the same topic. They are prepared by the Parliamentary Information and Research Service, which carries out research for and provides information and analysis to parliamentarians and Senate and House of Commons committees and parliamentary associations in an objective, impartial manner.
an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.
© Library of Parliament