Report on Findings and Resolutions
On May 7th, Canada 2020 convened a five-hour policy lab on Open Banking – an idea proposed in Budget 2018 by Finance Minister Bill Morneau. Open Banking has the potential to radically transform the banking sector by increasing consumers’ access to their financial data across platforms and institutions.
The Policy Lab brought together 41 stakeholders and experts from government, academia, and industry to share information and resources on the topic of Open Banking. The discussion was held in camera and participants collaboratively designed a set of resolutions. A lively discussion and debate took place to determine which of the resolutions had a broad consensus of support. For resolutions that lacked a broad consensus, Canada 2020 noted these as issues to resolve and summarized the debate that took place in the room.
At the end of this document, we have attached a backgrounder on Open Banking that describes the issue and details the state of Open Banking policy around the world.
Areas of Consensus
1. At the end of the session, the attendees identified several broad areas of consensus through a voting process.
2. Consumers must provide informed consent before any data is shared and must have the ability to retract consent at any time.
3. An evolving financial services market may create new or enhanced risks, understanding that some of the risks are unknown; government, the private sector, and consumer advocates should collaboratively develop mechanisms to mitigate and reduce risks.
4. Rules around the sharing of data should ensure that the data shared is proportionate to the stated use.
5. Common standards, including API standards, must be created to ensure interoperability, avoid fragmentation and drive safe adoption. Those standards should be developed by public and private sectors collaboratively.
6. Technical standards around authentication and data sharing should comply with ISO and global standards, as closely as possible, to match rules in other jurisdictions since the issues are universal.
7. Before rules and standards are put in place, regulators must consider the impact they will have on inclusive innovation.
8. When designing rules and standards, ethical considerations need to be taken into account on how data can be used.
9. A well-designed system of Open Banking puts the consumer at the centre of their information through increased transparency and the introduction of new products that will lower costs, give consumers more options, and enhance global competitiveness and accelerate innovation.
10. The National Retail Payments oversight model should reflect the realities of Open Banking.
Issues to Resolve
During the session, participants created a number of resolutions that failed to receive broad consensus. We have reframed these resolutions as open-ended questions and summarized the debate that occurred in the room.
1. How can the scope and understanding of consent be developed?
There was consensus in the room that the consumer must be educated to understand what they are consenting to and the consequences of providing that consent. The devil is in the details, however. What knowledge does the user need to be considered educated? Who should provide that education? What responsibilities does the user have to become educated?
2. Should the consent process be standardized?
There was consensus in the room that terms and conditions must be clear, simple and not misleading. Furthermore, there was consensus that consent should be retractable at any time. There should also be a way to make sure that consent is sustained throughout the use of the consumer’s data. In other words, the consumer must be at the centre of the process and it must be beneficial for them. It should also be clear what the consumer is consenting to: is it the business model, or the data transaction for the data to be shared with the third party? Where there was disagreement was on how standardized the consent process should be between apps. A standardized consent process would make it easier for the end user to know what they are consenting to, but standardization could stifle innovation.
3. Should a “white list” of authorized players that have met a required level of standards proportionate to the nature and size of the product or service be created?
An ‘authorised’ white list could be created by a regulator, which would hold a list of regulated firms, set the rules, and implement sanctions if these are not followed. There was considerable discussion in the room on what “problems” a white list would solve, and what the standards should be to be included in the white list. Defenders of the approach see it as an attempt to create a clear, public-facing list of these parties so that the rates of fraud from phishing and spoofing attacks are reduced, because consumers and businesses are better able to identify legitimate firms. But a number of questions remained in the room. Would the white list take into account the financial soundness of the company? How would it address privacy and security? Authorized players would need to adhere to privacy and security standards, but what are those standards? Who makes sure these are followed?
4. Should Canada consider consumer data rights (e.g. “open data” more broadly) where Open Banking is the first use-case?
There are complexities around what data and applications are in the scope of Open Banking. Should Canada restrict Open Banking to payments, as in some other jurisdictions (noting that these jurisdictions may add use cases in the future, with Australia already publishing a timetable for delivery)? With Open Banking, Canada could use the opportunity to develop an Open Data Consumer Rights Act, where Open Banking would be its first use-case. There was considerable discussion in the room on how narrowly governments should be defining Open Banking. Should the government rather be considering Open Data policy more broadly, where Open Banking is simply one portion of a larger Open Data discussion?
Backgrounder on Open Banking
What is Open Banking?
There are a number of competing definitions and descriptions of Open Banking, but all of them revolve around a common theme: giving consumers access to the data generated by their financial activities. In a report commissioned by Barclays, Faith Reynolds describes Open Banking in the context of the UK Competition and Markets Authority’s (CMA’s) ‘Open Banking remedy’ and the European Payment Services Directive 2 (PSD2) as follows:
Open Banking requires firms to:
1. Make it possible for people to share their financial transactional data far more easily with third parties online.
2. Allow third parties to initiate payments directly from a person’s account as a bank transfer as an alternative to credit or debit card payments.
3. Make public and openly share their product information and importantly, their customer satisfaction scores and separately other ‘service level indicators’.
As further described by Reynolds, Open Banking, through the use of Application Programme Interfaces (APIs), can facilitate the creation of new products and services and increase choice for consumers:
Open Banking has the power to revolutionise the way we manage our money, shop around and buy things. For SMEs, managing cashflow and receiving payments should be cheaper and easier.
Technologies like Application Programme Interfaces (APIs) have the potential to create new services delivered by existing players and new intermediaries, like Personal Finance Management platforms. They have the power to bring substantial benefits to consumers, aggregating their financial products in one place; providing new insight about spending patterns; making recommendations about saving money; automating parts of the decision-making process and even offering new ways to pay.
Open Banking could widen access to existing products, like credit, debt advice or financial advice. And bring new products to market from overseas or the UK, at the click of a button. Open Banking will make things simpler, quicker and more convenient.
The innovation that new technologies make possible is endless and over time could create new forms of value we can’t envisage today.
Beyond the advantages specified by Ms. Reynolds, a big advantage of Open Banking is that it allows financial institutions to specialize in the specific segments of the supply chain, as detailed in a recent blog post by IBM:
A traditional retail bank has its own distribution channels (such as branches, contact centers, and digital channels). It also creates its own products and has its own back-office operations. The emergence of financial technology (fintech) and the push of regulators for more competition are disaggregating and opening this closed value chain. In a world of open banking, participants can specialize in one or more sub-steps of the end-to-end process. They can focus on areas that have a clear competitive advantage and leverage the scale and efficiency that partnerships with other players enable.
Any industry disruption creates new value for consumers and new opportunities for non-incumbent companies, but also creates challenges and risks to both incumbent players and societies as a whole. As such, regulators need to be aware of those challenges.
The Challenges and Risks
Open Banking and APIs can present many regulatory challenges. First, Open Banking is based on the sharing of information: highly sensitive personal data is shared across many platforms, which raises some security and privacy concerns. For Canada, it will be important to consider national and international frameworks when implementing Open Banking. A key threat is a security vulnerability that could undermine the entire ecosystem, along with a high risk of cyberattacks. One possible solution is blockchain technology. However, blockchain comes with its own shortcomings.
Banks will have to adapt to the rapid change that our financial ecosystem is experiencing.
Financier Worldwide touches on compliance and Open Banking:
With government agencies and financial regulatory bodies proposing independent authority to oversee open banking standards, governance and compliance requirements, banks will have to immediately comply with GDPR and PSD2. Failure to accommodate GDPR and PSD2 regulations as part of the open banking framework may expose banks to the risk of financial or reputational loss.
Each jurisdiction must develop its own regulatory framework for dealing with these risks and challenges.
The Canadian Context
The federal government’s 2018 budget calls for a review of Open Banking, citing both opportunities and risks around consumer privacy, data security, and financial stability.
Financial technology (fintech) is driving change in the financial sector, and has the potential to increase innovation and competition, providing Canadians with more affordable and useful services, and increasing financial inclusion as specific customers or markets (e.g. small and medium sized businesses) are better served.
Within this overall context, a number of international jurisdictions are implementing open banking platforms. At its core, open banking is about empowering consumers to share their financial data between their financial institution and other third party providers through secure data sharing platforms. This in turn enables financial service providers to offer more tailored products and services, on a more competitive and innovative basis. Open banking also has the potential to provide consumers with greater transparency on the products and services offered by financial institutions, thus allowing them to make more informed decisions, and makes it easier for consumers to move and manage their money.
Recognizing these potential benefits, the Government proposes to undertake a review of the merits of open banking in order to assess whether open banking would deliver positive results for Canadians with the highest regard for consumer privacy, data security and financial stability.
Despite the current lack of a regulatory framework, a handful of Canadian start-ups are operating in the Open Banking space, as described by Phil Siarri:
There are a few companies in Canada which took an interest in the open banking movement and are offering financial services APIs. Montreal-based Wealthica is one of them. Founded in 2015, it offers an API-powered investment aggregation platform (for the sake of transparency: I am a brand ambassador for the company). Wealthica allows users to consolidate their investment accounts and portfolios in one simple interface with various reporting functionalities. The company is embarking on an ambitious journey to $10B aggregated investments. Other Canadian startups that are part of such emergent ecosystem include Questrade and Flinks.
The ability of these start-ups to operate is hampered by the lack of a Canadian regulatory framework. Canada can look to other jurisdictions to obtain best practices in navigating these tensions.
The International Context
Financier Worldwide outlines a few highlights of Open Banking in different jurisdictions:
The UK has taken the lead in open banking initiatives, in producing an open banking framework that could enable the open banking standard in the UK. This has also prompted the CMA to draft the recommendations in its final report released in 2016. According to the report, large banks are to adopt and maintain a common standard for open APIs, to address the lack of innovative and competitive products in the financial market.
In Europe, the Payment Services Directive (PSD2) and General Data Protection Regulation (GDPR), which have been designed to regulate financial innovation, are driving Europe towards an open banking standard.
Other markets such as the US, Latin America and Asia have been experimenting with open banking in pockets and have expressed strong interest in pursuing technological advancements in the financial services industry.
Given that the pace and scope of open banking reform differs by jurisdiction, it is helpful to look at several different ones on an individual level.
Open Banking has been implemented in Australia since November 2017 and is already undertaking a review process. Banks and large financial institutions have already announced initiatives to increase data sharing and expand services with Open Banking.
The European Union has been quick to adapt to change. The EU is looking at expanding Open Banking to functions beyond simple payments. They strive to ensure consumer protection. Starting in May 2018 the EU will be implementing a new Data Protection initiative. This regulation creates a framework for consumers to control their data through consent mechanisms.
Singapore is attempting to implement a different type of regulatory framework, with a less aggressive and more organic approach. It is not planning on forcing regulations on financial institutions. The Monetary Authority of Singapore will be working towards guidelines for ethical usages of data and artificial intelligence that would work for all players within the ecosystem.
For the UK, the new directive set out by the Competition and Markets Authority will force the country’s nine biggest banks to share customer data (with permission) with third parties.