Open banking and Canadian privacy concerns
This article was originally published by The Lawyer’s Daily (www.thelawyersdaily.ca), part of LexisNexis Canada Inc.
In 2018, millions of individuals in the United States were outraged to discover they lacked access to their bank accounts through several popular mobile applications. Due to changes instituted by their bank Capital One, Plaid Technologies (a subsidiary of Visa) lost access to the bank’s data streams, resulting in the financial technology (fintech) company’s inability to provide critical information to applications such as Venmo, Coinbase, Blend and Robinhood. The ability for companies to reliably access and incorporate banking information into their products and services is commonly referred to as “open banking.”
With a lack of open banking regulations in North America, many up-and- coming fintech companies are vulnerable to situations like this. In many cases, they must resort to “data scraping” to collect information from financial institutions that refuse to share it. This is because under current legal frameworks, banks are free to restrict it from whomever they choose based on privacy concerns. This contrasts with new legislation, privacy law reforms and market forces that are pushing other countries to embrace open banking.
For many Canadians, privacy is top of mind when it comes to the sharing of information that open banking is based on. According to a survey conducted by Accenture in 2019, data security and privacy was the main concern for 62 per cent of those surveyed, with 71 per cent of those polled believing additional security measures would be required to help address their concerns. Canadian privacy law amendments that address open banking will likely have to be strong in order for there to be confidence in its introduction.
What is open banking?
In its simplest form, open banking is the idea that an individual’s banking information should belong to the person and not the financial institution that generates it. To illustrate, if an individual has accounts at Bank A, Bank B and Bank C, each bank may be protective of the data associated with the accounts created by them. The banks may also restrict the information for their accounts from one another and any third party that wants access to it. Under an open banking regime, that individual could consent for their financial information at each bank to be shared among each other and with any fintech company.
Many developed countries and areas have already begun to introduce legislation and regulations to accelerate the growth of open banking. The European Union introduced the second version of its Payment Services Directive (PSD2) in 2015. This regulation mandated the eventual creation of secure application programming interfaces (APIs) by banks that would ensure consistent, reliable and secure access of banking information by payment services providers and other financial intermediaries.
In Australia, the Consumer Data Right is mandating the largest banks to provide others with APIs that allow for access to their customer’s information with consent. Singapore and Hong Kong have also launched API frameworks and other initiatives promoting the adoption of open banking in their countries.
What opportunities does open banking create?
As has been observed in recent years, there are numerous ways to provide value to individuals through aggregating financial data across sources and providing services based on that information. Lawmakers are waking up to the fact that there is value in understanding an individual’s financial position and that as long as banks restrict that information, it limits their incentive to innovate and provide new services.
Under an open banking framework and the compelled sharing of data, fintech companies’ positions on the value chain are immediately bolstered by the commoditization of the data, their innovative focus and their ability to provide value-added services.
This has been the case for innovative European fintech companies like Amsterdam-based Adyen and Sweden’s Klarna, whose popularity has increased in recent years under Europe’s open banking regime. The ability for startups to be guaranteed access to banking information is believed to promote more competition in the financial services spaces and creates opportunities for new peer to peer (P2P) payment, investing, cryptocurrency, consumer finance and international remittance services.
What is the state of open banking laws in Canada?
There are no open banking laws in Canada, but there is a growing grassroots movement to change that. The Canadian government created the Advisory Committee on Open Banking in 2018 and in 2019 the Senate Standing Committee on Banking, Trade and Commerce released its report on open banking, coming out in favour of its implementation. In the report it provided a glimpse of what future rules may look like.
For example, the Senate committee recommended amending the Personal Information Protection and Electronic Documents Act (PIPEDA) to provide consumers with the right to “direct that their personal financial information to be shared with another organization” and for the Privacy Commissioner of Canada to act as one of the authorities to enforce this. This recommendation was made alongside recommendations to develop a standardized application programming interface standard and promote sandbox testing, closely mirroring some of Europe’s PSD2 rules.
There are still many aspects to be addressed on how open banking will be rolled out in Canada. These include: i) whether there will be mandated security measures or policies concerning disclosed personal information that goes beyond PIPEDA requirements; ii) secured API specifications, if they are decided as the transmission mechanisms; and iii) potential penalties for violations of the rules.
With growing support for open banking rules in Canada, it will be interesting to observe how privacy legislation will be reformed, what new Canadian fintech companies will emerge and how the traditional banks will respond to the increased competition.
Alex Davis is a Toronto-based corporate and technology lawyer. He assists both traditional and innovative businesses with their strategies and legal needs. He is the Founder of Davis Law and can be reached at firstname.lastname@example.org.
Photo credit / Christiann Koepke UNSPLASH.COM