Canada's Consumer-Driven Banking Framework (Framework) was released alongside the 2024 federal budget, and serves as an update to the previously released 2023 Fall Economic Statement: Policy Statement on Consumer-Driven Banking. Here is what you need to know:
Wait, what is "consumer-driven banking"?
More commonly known as "open banking" or sometimes referred to as "consumer-directed finance," consumer-driven banking refers to a framework that allows consumers and small businesses to securely transfer their financial data through an application programming interface (API) to approved service providers of their choice.
Who benefits?
Building on the earlier Policy Statement, the Framework continues to emphasize benefits to consumers, small businesses and the Canadian economy at large. Among other things, it touts increased control over financial data and security protections for consumers; reduced administrative burdens, efficiency, and improved product access for small businesses; and global competitiveness and innovation in the financial sector.
So, what do we know about the Framework?
The development of the Framework is guided by three public policy objectives:
- Safety and Soundness
- Protecting Canadians' Financial Well-Being
- Economic Growth and International Competitiveness
These policy objectives have guided the development of the government's six (previously five, now including "National Security") core Framework elements, as follows:
1
|
Governance
|
The Framework expands on the oversight and management elements, notably:
- the mandate of the Financial Consumer Agency of Canada (FCAC) will be expanded to include oversight, administration, and enforcement of open banking in Canada;
- legislative amendments to the Financial Consumer Agency of Canada Act will establish a new position, called the Senior Deputy Commissioner of Consumer-Driven Banking, at the FCAC;
- FCAC will develop a consumer education campaign to increase Canadians' awareness;
- FCAC oversight of consumer-driven banking will operate on a cost-recovery model once the Framework is in place;
- all participants will be subject to the open banking regulation and FCAC supervision;
- provincial credit unions and Crown corporations that act as banks will be able to "opt-in" to governance, supervision, and participation; and
- provinces and territories will retain the authority to impose their own requirements on entities subject to their jurisdiction.
|
2
|
Scope
|
The Framework provides additional information on the entities that will be able to participate, the scope of data that participants will be required to share, certain functional requirements for participation and details on the future expansion of "scope." The initial phase of implementation will include:
- government-mandated participation for Canada's largest retail banks, with other participants provided with the ability to opt-in;
- clear requirements for how various entities, such as fintechs, can enter into, and exit out of, the open banking system;
- a requirement to demonstrate adherence to technical and security requirements;
- a requirement for participants to share (at the request of a consumer) data related to chequing and savings accounts operations, investment products available through their online portals, and lending products, such as credit cards, lines of credit, and mortgages;
- an exclusion from scope for data that has been materially enhanced by a participant to offer significant additional value or insight;
- maintaining the existing prohibition on the sharing by banks of customer information for the business of insurance;
- having all entities subject to consumer-permissioned data sharing requests (reciprocal access); and
- a requirement for participants to be able to provide reciprocal access.
The scope may be expanded at a later date to include additional data, entities, entry processes (e.g., tiered accreditation), and functionalities (such as the ability to initiate payments).
|
3
|
Accreditation
|
- entities wishing to become accredited will need to submit an application to the FCAC;
- applications will include information on the organization (including existing oversight arrangements and governance structure), operational standards (including security and privacy controls), and financial capacity (including liability instruments such as insurance);
- the FCAC will evaluate applications against a specified criteria and publish a list of authorized participants in a central registry;
- once accredited, a participant will be permitted to request financial data, at the instruction of a consumer, from another participant, and will in turn be obligated to follow all common rules and make available any in-scope data to other participants;
- participants will be subject to mandatory reporting on a regular basis; and
- the FCAC will have the authority to suspend or revoke accreditation if a participant fails to meet its obligations or presents a risk to consumers.
Tiered accreditation (i.e., different accreditation requirements for entities) will not be included at this initial phase.
|
4
|
Common rules
|
The implemented Framework will include common rules (as a condition to access of consumer data). The common rules:
- will address consumer protection interests, privacy, liability, security, national security, and integrity obligations (notably, this updated version of the Framework includes reference to "national security", "integrity" and "consumer protection interests" whereas it did not previously); and
- work to complement existing legislation, rather than creating duplicative or potentially conflicting requirements, but additional privacy rules unique to financial data sharing will be introduced to address consent to data access, consent management, and the revocation of access to data by a consumer.
Note further that in respect of privacy, participants will be required to:
- reconfirm consent every 12 months or following certain events;
- provide "consent dashboards" to provide consumers with real-time knowledge and control over the accessibility of their data (i.e., who has access to what); and
- adopt user experience guidelines to govern all areas of consent and revocation.
The implemented Framework will clearly set out a liability structure that establishes a statutory relationship between participants of the open banking system. This liability structure:
- is based on the principle that liability moves with the data and rests with the party at-fault if anything goes wrong;
- ensures consumers will not be held liable for financial losses incurred as a result of sharing their financial data within the system; and
- requires participants to put in place policies and procedures for complaint handling and the provision of redress to ensure consumers have a clear path for addressing their complaints.
Clear security requirements for how voluntary and mandated participants protect consumers' data will also be established by the implemented Framework. Legislation is expected to:
- establish security requirements for all participants that will serve as the minimum "floor" to safeguard consumer data;
- require participants to fulfill ongoing reporting obligations that will be overseen by the FCAC, such as surveillance audits; and
- mandate a security certification.
The Department of Finance will engage with stakeholders to finalize a recommendation in respect of the selection of this certification as well as the extent of the reporting obligations.
|
5
|
National Security
|
The implemented Framework will include safeguards and provide authorities to the Minister of Finance that align with existing financial sector statutes. The Minister will be able to:
- refuse, suspend, or revoke access to the open banking system for national security-related reasons; and
- direct the FCAC to take measures related to the Framework for reasons related to national security, to safeguard the integrity or security of Canada's financial system, or in the best interest of the financial system.
|
6
|
Technical Standard
|
The implemented Framework will include a government-mandated single technical standard that:
- forms the specifications to which APIs are built; and
- is fair, open, accessible, and able to meet key public policy objectives, including interoperability with standards used in other jurisdictions.
Legislation will provide authority to the Minister of Finance to identify and revoke a technical standard, and authority to the FCAC to supervise the technical standard body to ensure compliance with open banking regulations.
|
What's next?
- Spring 2024: Framework legislation was expected to be introduced in Budget 2024. Instead, the government intends to introduce the first of two pieces of legislation to implement the Framework this Spring. This legislation will address key elements such as governance, scope, and criteria and process for the technical standard.
- Fall 2024: Remaining elements of the Framework would be legislated in the Fall of 2024, which is expected to be introduced in connection with a second budget implementation act. The government has not indicated if FCAC's expanded mandate will be introduced as part of the first or second piece of legislation.
- Beyond: While the government previously set a goal of fully implementing the necessary Framework for the operationalization of open banking in Canada by 2025, Budget 2024 did not specify such a date. However, it noted that the implemented Framework is expected to be reviewed after three years to ensure it continues to meet core objectives and reflect the needs of Canadians.
In the meantime, the Department of Finance will continue to engage with all stakeholders, including federal, provincial and territorial governments, as open banking legislation is developed.