Open banking review: FCAC submission to the Advisory Committee on Open Banking
1. Overview
The Financial Consumer Agency of Canada (FCAC) is a federal financial sector regulator, which oversees federally regulated financial entities’ compliance with consumer protection measures, promotes financial education, and raises consumers’ awareness of their financial rights and responsibilities. In addition, FCAC is responsible for monitoring and evaluating trends and emerging issues that may have an impact on consumers of financial products and services, as well as providing timely and objective information and tools to help consumers navigate financial products and services.
The Advisory Committee on Open Banking (the Committee) shared consultation materials with interested stakeholders, including the FCAC, in fall of 2020. FCAC welcomes the opportunity to participate in the development of a uniquely Canadian open bankingFootnote 1 solution that prioritizes the right of the consumer to control their financial data and puts in place safeguards to ensure they are protected from financial and non-financial harm. This submission has been submitted to the Committee for their consideration in the context of their consultations.
FCAC is broadly supportive of a hybrid model for open banking that carves out specific roles for government and industry and sets out the building blocks outlined in the Committee’s consultation materials. FCAC supports the Committee’s advocacy of a framework centred on several core consumer outcomes:
- Consumer data is protected;
- Consumers are in control of their data;
- Consumers receive access to a wider range of useful, competitive and consumer friendly financial services;
- Consumers have reliable, consistent access to services; and
- Consumers have recourse and redress when issues arise.
We strongly recommend adding a sixth core consumer outcome: Consumers benefit from consistent consumer protection and market conduct standards. Based on experiences in other jurisdictions, consumer confidence is necessary for the success of open banking. A core outcome related to market conduct and consumer protection should be explicitly stated to provide assurance to consumers and as a signal to the industry. This would include the following base level requirements: clear, simple, and not misleading language; no coercion or tied-selling; express consent; and a robust complaints-handling system which prioritizes a fast and seamless process for the consumer.
It is inherent in the Committee’s consultation materials that consumers will have meaningful protection; FCAC recommends that the sixth core consumer outcome be added to reinforce this foundational principle. This central focus on consumer issues is critical to enable adoption of open banking and also needs to be ongoing – consumer protection must be embedded in every stage of accreditation, implementation, and in the governance and maintenance of any open banking system. Consumers should continue to receive at least the same level of protection that they currently enjoy, including in terms of liability protection. For example, today consumers are not held liable for unauthorized transactions on their debit and credit cards, provided that they have taken reasonable care to protect their information. FCAC believes that similar protections should apply in the open banking framework.
FCAC recognizes that the time to act is now and acknowledges the positive role that open banking can play in the future Canadian economy. We agree that the risks of the status quo (i.e., screen scraping) will lead to adverse outcomes for consumers. FCAC has already warned consumers of these risks through a consumer alert and will continue educating consumers on open banking as implementation moves forward. To that end, FCAC plans to publish additional consumer education web content on open banking and fintechs in early 2021.
Summary of Recommendations
FCAC’s consumer protection mandate is exercised in two principal ways: 1) we oversee regulated entities’ compliance with consumer protection provisions, and 2) we educate consumers to improve their knowledge, skills, and confidence in making financial decisions. As a result, FCAC is well-positioned to contribute to the design and implementation of an open banking framework. The following are the main recommendations and issues that FCAC believes would merit further consideration by the Committee.
Consumer protection / market conduct standards and consumer recourse
- Incorporate legally binding consumer protection and financial inclusion requirements into the accreditation criteria from the outset (e.g., fair access to financial products and services; the requirement and verifiable ability to provide financial redress; policies and procedures related to effective complaint handling; express consent for data sharing and how consumer data will be used; and, communicating product and system disclosures in a manner that is clear, simple and not misleading). These requirements should trigger enforcement actions when non-compliance occurs.
- Invest in a national awareness and education campaign focused on open banking to ensure consistent and unbiased messaging to consumers that does not select winners and losers. This campaign should be jointly funded by the industry and government and be coordinated by a respected authority who will employ evidence-based practices. FCAC has the experience and mandate to contribute to and coordinate such a campaign.
- Apply stricter accreditation and implementation programs for firms seeking write access. Write access carries greater risks for consumers than read access and therefore should only be allowed when the framework is established and operating effectively.
- Apply a liability framework that ensures a single, seamless consumer experience, which does not put the onus on the consumer to navigate the attribution of liability, and provides fast redress / reimbursement for consumers.
- Designate a single external complaints body (ECB) for open banking activities and afford the ECB binding resolution authority.
Oversight
- Careful consideration must be given to the delineation of the role, scope and authority of both the accreditation body and the implementation entity.
- It may be appropriate for the accreditation body to be industry-led and responsible for technical standards, particularly in relation to accreditation criteria. It will be important to ensure that consumer issues are adequately represented within this body.
- The implementation entity should be a regulator or be under the oversight of a regulator or other appropriate government body. The implementation entity needs to be set up in a way that is transparent, prioritizes consumer interests and protection, and manages conflicts of interests.
- Appropriate government oversight of both bodies will be fundamental to consumer confidence, particularly if the accreditation or implementation entity is afforded the authority to establish and enforce rules. Close monitoring will be required to ensure that the rules and their application do not advance business interests at the expense of consumer protection.
Data access
- Given that open banking-type activities are already present in Canada (e.g., screen-scraping), immediate direction is required during the interim period while a framework is developed. This direction should include expected commitments/roles for government and industry, guidance on interim liability allocation and access to redress, how consumer protection will be incorporated, and a sunset date for screen-scraping.
- The open banking framework should include barriers to prevent firms performing similar functions from operating without accreditation and under different rules (i.e., by continuing to use screen-scraping).
- Reciprocity should be driven by consumer consent; firms should not require reciprocal data access in order to provide a product or service.
2. Detailed Analysis
Consumer protection
The Committee’s consultation materials highlights the importance of incorporating consumer protection in the framework. However, there are no specific recommendations regarding market conduct standards, how consumer complaints will be handled, how liability will be allocated, and how consumers will be made whole when things go wrong. FCAC recommends a more detailed analysis of and recommendations for these critical issues which will be essential to foster consumer acceptance.
Market Conduct
The Committee recognized the role of existing financial sector regulators to mitigate consumer risk. As a market conduct regulator, FCAC is well placed to contribute significantly to further policy discussions in this area to ensure that the consumer protection perspective is represented.
Where appropriate, best practices in Canada and abroad should be implemented. As suggested by some stakeholders, there also may be a need to consider revising some existing market conduct obligations and guidance in preparation for open banking. For example, banks are subject to mandatory complaints reporting requirements – will accredited participants be subject to similar requirements? Do the requirements need to be adapted to an open banking environment? At a minimum, entities operating in this space should be required to meet the objectives of existing federal market conduct standards.
Having a level playing field is important for industry to promote competition, but it is also critical for consumers. Consumer confidence will be enhanced if they can expect the same level of protection, regardless of where they live in Canada and which third party providers they are doing business with. For example, the major credit and debit card networks in Canada have publicly committed to reimburse consumers when their credit or debit card is used without their authorization, if the consumer took reasonable care to keep their information safe. This public commitment is further strengthened by the limited liability clause in the new Financial Consumer Protection Framework. It is important that the same level of consumer protection is incorporated in the open banking framework.
The framework must recognize jurisdictional boundaries; however, we agree that this should not be a barrier to moving forward with open banking. The industry is seeking one standard and FCAC supports the need to work within these legislative constraints to construct a framework and standard that will allow fair competition without sacrificing consumer protection. Innovation and flexibility will be required to manage the level of regulatory burden. For example, consideration could be given to employing substituted compliance, where appropriate, to help mitigate these concerns.
Liability and Complaint Handling
The framework should include protocols to assign liability that are in the consumer’s interest, and a clear and fair process for consumers to register complaints and seek redress. When something goes wrong, the process for consumers to be made whole must be simple, quick and effective – the onus should not be on consumers to navigate complicated liability issues and consumers should not have to wait for financial institutions (FIs) and fintechs to sort out which of them was liable for the error, breach or fraud.
It is important to establish a clear and simple structure for how consumers register complaints and seek redress should they experience losses or non-financial harm. Canada can leverage lessons learned in other jurisdictions, for example, access to the complaints process could be built into the functionality of the app to make it easier for consumers to access redress.
The liability framework should be seamless with a single window of complaints for consumers, regardless of where in the ecosystem the problem occurred. Consenting to the use of an open banking provider, product or service should not mean that consumers assume liability for issues outside of their control. Requirements should also make clear that consumers should not be held liable if unauthorized or fraudulent transactions occur because of authorized data sharing. Consumers should not have to wait for redress during lengthy arbitrations to determine the attribution of liability within the system.
In order for such a system to work seamlessly, it will be important that all parties have the resources to make consumers whole when unauthorized or fraudulent transactions occur. We are not advocating for any single approach – access to a common fund, capital provisions and / or liability insurance could all be appropriate. However, the accreditation process should ensure that entities have access to sufficient funds to be able to compensate consumers for potential losses. The level of risk and types of services that the entity provides (e.g. payment initiation vs. data aggregation) should be taken into consideration when determining the level of access to funds required.
In line with international best practices, FCAC would recommend that the proposal include the designation of an ECB for open banking activities and that the ECB is afforded binding resolution authority. Given that existing regulators currently oversee various participants (e.g. banks, investment firms) and will inevitably handle consumer complaints about open banking activities, consideration will need to be given to how complaints handling entities will work together to provide a frictionless complaint handling experience to consumers.
Any open banking framework requires a fair, consumer-friendly process to ensure effective redress for consumers. Specifically, a robust consumer protection regime within the open banking framework would apply equally to all participants, regardless of their jurisdiction. FCAC recommends that the open banking framework include the consumer’s right to escalate complaints about any open banking participant to an ECB, at no cost to the consumer. Consumers should have access to a frictionless, transparent, and consistent complaints experience, regardless of whether they are dealing with a FI or a fintech. The importance of an effective ECB system was highlighted in our recent report.
We would encourage the Committee to consult international best practices on how to implement an effective, efficient, and accessible complaints handling process as related to open banking activities. Careful consideration should be given to the Dispute Management System established by the Open Banking Implementation Entity in the UK, which ensures redress to consumers immediately and creates a mechanism to help determine which entities bear responsibility for covering this cost. In the UK, the responsibility always lies with the consumer’s bank. We are concerned that some of the approaches being considered will result in delays and confusion for the consumer. One of the key pillars in the UK is to “put the customer first”, which includes taking ownership of a case and not re-routing the customer. Such a principle should be first and foremost in any complaint handling scheme considered in Canada.
Consumer education
Based on the experiences of other jurisdictions, consumer education and awareness will be key to adoption. Providing clear, simple, and not misleading disclosure of benefits, risks and key information should be a requirement of all participants (market conduct standard). Information provided should be evidence-based and grounded in international best practices for fostering consumer understanding and positive consumer outcomes.
The Committee should recommend a mechanism to fund an investment in consumer education regarding open banking. This could include different types of programs by the various players, as well as an advertising campaign, but should be overseen by a trusted authority to ensure that the information is objective, consistent, and unbiased. These activities should be supported and coordinated with existing players in the financial sector to ensure that Canadians are not only aware of open banking but are educated on how to best use it personally.
However, industry should not be the sole source of educational materials for consumers. As a trusted source for unbiased information on financial products and services, FCAC is well-positioned to play a role here, both in terms of crafting and delivering the messages to Canadians, as well as coordinating with the industry.
Financial inclusion
FCAC shares the Committee’s goal of ensuring that vulnerable Canadian consumers are able to participate in open banking in a fair, safe and secure manner. To ensure that an open banking framework meaningfully fulfills this goal, the framework and any rules developed by an accreditation and/or implementation entity should be legally binding and consider how best to integrate inclusion policies and principles into the design and development of all aspects of the system (including technical standards, APIs, consumer experience, consent management, etc.) from the onset.
FCAC would urge the Committee to think broadly about what financial inclusion means and encourages them to consider:
- what obligations will open banking participants have to bridge Canada’s digital divide (access and literacy) to ensure vulnerable and remote populations can obtain the benefits of the open banking system if they wish?
- what protections are required to ensure that the risk of open banking accelerating bank branch closures does not leave certain demographics of Canadians underserved?
- what obligations will open banking participants have related to minimum access and basic banking standards that currently exist?
FCAC has significant expertise on matters related to financial inclusion and financial literacy. FCAC is prepared to contribute to policy development in this area and believes additional discussion on this topic is merited. As we move to integrate more technology into our daily lives, further work is also needed in the area of digital literacy more generally.
3. Building Blocks
Accreditation
FCAC agrees that an accreditation system is necessary to protect consumers and that participation should be limited to entities that can demonstrate they meet high standards of security, data protection, and privacy.
The process for entities to join the system and meet these tests should be transparent and fair to all market participants. FCAC supports a risk-based accreditation system based on the type of data, products and organization. For example, if write access is enabled, the nature and materiality of consumer risk is significantly greater, and appropriate safeguards (e.g., additional accreditation criteria) would be necessary.
A strong and transparent accreditation process and ongoing supervision of new entrants will be important to maintain consumer confidence in open banking.
FCAC recommends that consumer protection requirements are built into the accreditation criteria from the outset. For instance, we would expect that liability allocation, ability to provide financial redress (e.g. liability insurance, capital requirements), and effective complaint handling policies and procedures be assessed during accreditation.
An accreditation body that is industry-led could be well placed to determine technical standards and best practices for data security. However, it is equally important that there is appropriate government oversight and involvement to ensure that consumer protection is prioritized in setting appropriate accreditation criteria.
Setting consumer protection rules should not be within the scope of an industry-led body. Issues such as market conduct, complaint standards, and liability standards should be determined by relevant regulators at the federal and provincial levels.
FCAC recommends more discussion on oversight and governance structures for the accreditation entity, membership, powers and authorities, enforcement abilities, and how meaningful representation of consumer interests will be balanced against industry interests. FCAC is concerned that if an industry-led accreditation entity is not structured appropriately, with strict governance and regulatory oversight, there is a real risk that the organization will in effect become an industry group, rather than a public purpose entity.
FCAC recommends that the proposed entity needs to be set up in a way that is transparent, manages conflicts of interests, and prioritizes consumer interests and protection.
Specifically, FCAC has concerns about the following:
- how perceived and real conflicts within such a model would be managed,
- if the accreditation entity is to be governed by open banking participants that have business interests – how would these be managed when in conflict with consumer interests?
- how would such an organization ensure sound market conduct practices amongst open banking participants?
- some members would need to seek accreditation – if accreditation criteria and process are managed by the implementation entity, how would it ensure criteria are set independently of business interests and accreditation is granted and maintained appropriately, and is not anti-competitive?
- how would enforcement tools be set out and how would it ensure business interests do not override the application of enforcement tools in instances of non-compliance, including revocation of accreditation for members?
A key consideration for FCAC is how meaningful and ongoing consumer representation would be achieved in such an organization. If the majority of governing members are financial institutions and fintechs, we are concerned about the significant power asymmetry between industry and consumers, especially in times of dispute. During industry consultations, there was some discussion of including consumer advocates, which we are in favour of. However, consumer advocates would require access to sufficient resources to ensure they can play a meaningful role.
Regardless of the level of consumer representation however, FCAC remains concerned that mere participation and numerical equivalence may not be sufficient to address the fundamental power imbalance between industry and consumers. Oversight by a regulator is recommended to help address this imbalance and provide consumers with further confidence in open banking.
Implementation and Rule setting
FCAC agrees that compliance with the framework and other open banking rules needs to be a requirement for successful accreditation in the open banking system and as a condition of on-going participation.
The Committee has advised that there may be a requirement for an implementation organization to set rules for on-going participation, provided that they comply with the regulatory requirements, guidelines and objectives set out by the framework on open banking, which FCAC recommends be legally binding. FCAC highlights the following significant issues that will need clarity prior to implementation:
- How will the scope of rule setting by the implementation entity be determined?
- How will these rules be monitored and, how will non-compliance be addressed?
- How does the Committee propose to balance the desire to have an adaptive approach to regulation with the need for sufficient oversight?
- How will current financial sector regulators and relevant government organizations (federal and provincial) intersect with the implementation entity to ensure no conflicts, overlaps or duplication in rule setting?
- How will the proposed structure achieve the public policy objective for consumer protection?
FCAC agrees that any process for rule setting should be transparent and have the opportunity for public comment. Should an implementation entity be afforded the authority to set rules, it will need to be monitored closely to ensure rules do not advance business interests at the expense of consumer protection. Given the level of oversight required, it may be more prudent to consider establishing or designating a public sector body or regulator to oversee the operations of the implementation entity.
Privacy and data protection
FCAC agrees that data protection and privacy is of the utmost importance for uptake, consumer confidence, and consumer protection, and that any framework should integrate privacy by design throughout the process. FCAC is supportive of concurrent work on a Canadian Digital ID and believes that this could significantly help facilitate open banking implementation and potentially improve access.
Express consent for data sharing should be obtained in a manner that is clear, simple and not misleading, in alignment with current requirements for banks, and also in compliance with the related privacy legislation now being considered by Parliament. Stakeholders raised questions about how consumer data can be made available for innovative secondary purposes such as product development. FCAC recommends that any use of a consumers’ individual data must be consent-driven and not interdependent on the provision of a product or service. Legislative safeguards and oversight need to be established to prevent unauthorized use of consumer data for secondary purposes and make clear under what circumstances aggregate consumer data can be used and how consumers will be informed. Consideration should be given to whether the proposed Digital Charter Implementation Act and Consumer Privacy Protection Act will be sufficient. This analysis should also take into consideration the work of the Consumer Data Protection Working Group.
The Committee did not address data sharing with and among existing regulators, but any open banking framework should consider granting appropriate access to regulators. Part of FCAC’s mandate is to monitor, evaluate, and make public information on trends and emerging issues that may have an impact on consumers of financial products and services. Access to this data could provide FCAC and other regulators with near real-time, comprehensive data to better understand the financial circumstances of Canadians to inform agile policy responses and inform supervision/regulatory activities– this would be particularly useful in times of crisis. Traditional limitations may be appropriate to make clear what information must remain confidential, as well as when and to whom regulators would be able to disclose such information.
Reciprocity
FCAC agrees that consumers should be able to move and share their data to and from all accredited participants. Open banking is based on a fundamental principle: the data that FIs hold about the individual belongs to individuals and not to FIs.
FCAC strongly agrees that reciprocity needs to be driven by express consumer consent and that firms should not be allowed to require reciprocal data access in order to provide a product or service. To this end, rules may need to be set out to prevent the data-sharing equivalent of the “coercive tied-selling” provisions in the Bank ActFootnote 2 .
Competition
One of the benefits of open banking is that consumers “receive access to a wider range of useful, competitive and consumer friendly financial services” and FCAC recommends the inclusion of a specific building block to achieve this goal. To encourage competition, it must be easy for consumers to switch between FIs and fintechs when transferring or opening new accounts. Consideration should be given to policy interventions at the outset that would help reduce friction when switching between providers (e.g., response time limits, fee caps), as well as to prevent incumbent providers from introducing roadblocks.
FCAC is supportive of the recommendations in the Competition Bureau’s report on Canada’s progress in Fintech. Recommendations 3 – 6 have particular interest for FCAC. Taken together, these recommendations speak to ensuring a consistent consumer protection approach, greater collaboration amongst regulators and policy makers, and ensuring that the level of regulation is proportional to risk.
In addition, the UK experience shows that it is important to ensure that deadlines for implementation do not allow financial institutions to proceed at the pace of the slowest actor as this could significantly delay timelines. Requirements should be put in place (e.g. accreditation criteria and implementation rules) to mitigate this risk and prevent anti-competitive behaviour.
4. Scope
It is clear that the Committee is working to design a forward-thinking system and has acknowledged that “open banking is part of a broader conversation about the use, control and protection of Canadians’ data and any system must be approached as a guide for the future application of these principles to other sectors.” While a system that enables payments initiation, open finance or open data may be an end state goal, open banking is an important first phase that should be carefully considered and implemented in a manner that allows a measured implementation.
Read vs. write functions
The existing scope under investigation relates to read access for data. FCAC supports this limitation at this stage as the nature and materiality of consumer risk is significantly greater when write access, like payments initiation, is enabled. In our view, write access should only be allowed when the framework has been implemented and is operating well.
It is imperative that key consumer protection aspects be included in any accreditation scheme that allows for write access. In fact, we support different accreditation and implementation standards – one for those entities that only want read access and a stricter one for those that want write access as well. The level of ongoing oversight should be similarly reflected.
With respect to screen-scraping, if this practice continues to be used by non-accredited firms, in interim or perpetuity, this would lead to a market where fintechs performing similar functions are operating under different rules; therefore creating confusion and increased risk for consumers. Rather than relying on financial institutions to put in place barriers to screen-scraping, FCAC recommends that screen scraping be prohibited, as was done in the EU.
Types of data
Some stakeholders felt that proprietary and aggregated data that are paid for should be outside of scope; however, the new Digital Charter Implementation Act sets out a right to data mobility and requirements for algorithmic transparencyFootnote 3 . Read together, these proposals seem to suggest that regardless of whether proprietary algorithms are involved, consumers should have access to the data being used to make decisions about their financial outcomes, the decisions, and explanations of the decisions – whether paid for or not.
FCAC raises the concern that entities may limit what data consumers can see in their online banking portals if certain types of data were to be placed in scope. Since the goal of an open banking system is to empower consumers, they should not end up with access to less information than they have access to today.
Implementation complexities
While we are contemplating open banking from a Canadian context, this is an international industry. An open banking framework could also include entities that are not located or regulated in Canada. Under such a scenario, having a clear liability, compliance and enforcement framework, including the possibility of substituted compliance, will be key to ensuring consumer confidence and reducing the regulatory burden.
5. Governance
Role for regulators and governmental oversight
The Committee is contemplating a hybrid model for open banking that is neither entirely industry-led nor government-led. While FCAC is largely supportive of carving out roles for both government and industry, we support the importance of government oversight over the open banking framework to help ensure that open banking is accessible to all Canadians and that they are protected equally. FCAC would encourage the Committee to consider how existing financial sector regulators (federal and provincial) will or will not play a role throughout the implementation of open banking. Additional areas for further consideration are governance within the accreditation and implementation entities, plans for managing perceived and real conflicts of interest, and roles for other governmental organizations.
Clarity will be required regarding what requirements will be set out in the overall framework and what requirements will be developed by the proposed accreditation and implementation entities. To ensure consumer protection is prioritized by all participants, FCAC recommends that, where possible, all consumer protection requirements be legally binding, be embedded in accreditation requirements, and trigger enforcement actions when non-compliance occurs.
FCAC would welcome further discussion on the Committee’s vision for enforcement tools and which organization will be afforded authorities and powers for supervising and addressing non-compliance with consumer protection requirements.
6. Conclusion
FCAC appreciates the opportunity to contribute these reflections for the Committee’s consideration and we would welcome further engagement in the development of the open banking framework. FCAC is well-positioned to coordinate a consumer education and awareness campaign for Canadians and to contribute to the consumer protection standards of the open banking framework.
Page details
- Date modified: