Is Canada Ready for Open Banking?

January 29, 2019
shutterstock_651747799.jpg
Toronto's financial district. (Shutterstock)

On January 11, 2019, Canada’s Department of Finance published a consultation document titled A Review into the Merits of Open Banking. While the consultation document invites stakeholders to provide feedback, the rather tight deadline (February 11) belies the complexity of the technological and policy challenges raised by open banking.

With the launch of this initiative, it's clear that time is also not on Canada’s side when it comes to navigating the frontiers of digital innovation. Indeed, the open banking consultation document discusses the steps already underway to develop open banking in Australia, the United Kingdom, the European Union and Japan. As with so many other digital innovation opportunities, this project requires technological infrastructure and innovation, as well as a sound policy footing — all elements that require significant time and resources to develop. And, although Canada has some digital law and policy frameworks in place, they are dated, underdeveloped and insufficient for leading the charge on technological challenges — open banking included. 

What Is Open Banking?

Open banking — described in the consultation document as “a framework where consumers and businesses can authorize third party financial service providers to access their financial transaction data, using secure online channels” — is part of the federal government’s suite of initiatives that seeks to position Canada to thrive in the burgeoning digital economy. Other, related projects address smart cities and artificial intelligence (AI), and the government is developing a national digital and data strategy.

The consultation document floats the possibility of an open banking environment in which only those third parties who meet certain standards for privacy, trust and security are entitled to participate, and where consumer consent to sharing information, as well as the ability to withdraw consent, remains a core principle. Access to data in this environment could be provided through secure application program interfaces (APIs). What does this look like in practice? An individual or a small business could allow an approved third-party financial adviser to access their data from multiple financial institutions in order to prepare detailed analyses to assist them in meeting financial objectives. Or, open banking could make it easier for a person to move funds or accounts from one institution to another. Given these examples, it’s obvious that the potential for innovation in the area of financial services is theoretically high once significant quantities of data become interoperable and more readily accessible. 

Open banking, however, is not without risks. Financial data is among the most sensitive of personal data, and making it more readily accessible raises significant privacy and security issues. It also generates concerns about the exploitation of vulnerable individuals who will face new sales pitches for technological fixes for their financial woes. The troves of interoperable financial data will also be a tempting resource for data analytics, AI and machine learning. Even if the data is de-identified, there may be legitimate concerns about how it is used and for what purposes.

A Test Case for Data Portability

In many ways, open banking feels like a test case for data portability in the Canadian context. Data portability is a new right under Europe’s General Data Protection Regulation (GDPR). The GDPR gives individuals more control over their personal information by allowing them to request their data from organizations in interoperable formats. For example, the long-time user of a content streaming service could port the data about their viewing history and preferences to a new service provider, in order to receive recommendations and other customized features right from the start. Open banking is built upon a kind of data portability: individuals will be able to provide access to their data to the companies of their choice — or, at least, to the companies of their choice that have met prescribed standards of trustworthiness. This right offers both portability and a measure of security and protection. There is a catch: although access to open banking APIs might be restricted to approved entities, consumers will also have access to their own banking data, and nothing can ultimately stop them from providing their data to any adviser or app provider they choose to deal with. This means that the protections for sensitive personal financial information both within and outside of the open banking system will need to be robust.

Canadian Legislation Is Playing Catch-up

The consultation document clearly reflects concerns that Canada must keep up with innovation in other jurisdictions, such as the European Union and the United Kingdom. Yet, there is at least one important difference between Canada and these jurisdictions. In Canada, without significant legislative amendment, any open banking scheme will be backstopped by the Personal Information Protection and Electronic Documents Act (PIPEDA,) a data protection statute with notoriously weak enforcement provisions. The European Union and the United Kingdom, by contrast, have the GDPR, which provides both a more robust normative framework and some hefty consequences for non-compliance. If Canadians are going to place trust in open banking, something must be done about the data protection framework. Specifically, a successful introduction of open banking will require a long-overdue overhaul of PIPEDA, or entirely new legislation addressing privacy and related data issues for the financial sector.

Fairness and Transparency

While privacy and security are obvious concerns with open banking, there are many other public and private harms that may emerge from this sector, just as they are emerging in other data analytics and machine learning contexts. Concerns over algorithmic governance, fairness in decision making and transparency come to mind.

For example, AI systems can draw on data to make decisions. The swaths of data used for such systems don’t always give a full or accurate picture, and they come with bias (bias in how the data was collected, or sorted, or weighted in an algorithm). And, in many cases, the systems using this data make decisions that have adverse impacts for people, such as whether or not someone can access credit and other financial services. As a result, data can facilitate discrimination; should the nation embark on new open banking initiatives, close attention must be paid to issues around transparency, accountability, oversight and ethics.

Open Banking and the Surveillance State

The consultation document is entirely silent on the relationship between open banking and a surveillance state. Making the financial data of Canadians and businesses available in standardized, interoperable formats across multiple institutions and service providers will create new scope for data analytics to detect activity linked to financial fraud, money-laundering and tax evasion, among other things. While reducing crime is generally a good thing, increasing surveillance, particularly on a broad scale, without adequate checks and balances is not. Large stores of data are tempting targets for data analytics. Concerns have been raised in the past about the ease with which production orders for data can be obtained, and about the lack of sufficient safeguards and conditions attached to some of these production orders. Open banking may require a rethinking of the parameters around access to financial data for regulatory, law enforcement and national security purposes.

Resistance Could Be Futile

Although some might be tempted to resist open banking — it comes with a lot of risks — resistance is probably futile. As the consultation document notes, there is consumer demand for financial data analytics, and the private sector is starting to meet that demand. Some services require customers to engage in the disturbingly insecure practice of providing passwords, enabling financial analytics companies to access and screen-scrape account data. With cooperation between government and the banking sector, open banking could facilitate innovation and provide customers with choices, while building in privacy, security and other important safeguards.

Open banking does, indeed, have incredible potential for innovation in financial services — the consultation document is clearly enthusiastic about it. However, the government’s innovation agenda must not limit its focus to technology — law and policy innovation are also required. In many ways, open banking could provide an interesting test bed for developing some of the law and policy infrastructure that Canada sorely needs in order to take its place in a global innovation economy in which effective, secure and ethical data sharing will be an essential feature. In the meantime, the window for comments on the consultation document is closing. Those interested in providing feedback to the government should act now.

The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.

About the Author

Teresa Scassa is a CIGI senior fellow. She is also the Canada Research Chair in Information Law and Policy and a full professor at the University of Ottawa’s Law Faculty, where her groundbreaking research explores issues of data ownership and control.