A committee advising Ottawa on the feasibility of open banking is about to turn its attention to the toughest part of the issue: How regulators and the financial sector can manage the data security and privacy risks.
Finance Minister Bill Morneau made the announcement Friday, saying an advisory committee on open banking will now turn its attention to how consumers can be allowed to pass their personal financial data safely and electronically across multiple web sites.
The federal government hasn’t formally approved open banking, but that’s the committee’s recommendation. Presumably, the government doesn’t disagree.
The four-person advisory committee, made of experts from the private sector, called on the federal government and the finance sector to create a framework for enabling what the committee calls “consumer-directed finance.”
In this second phase the committee will hold meetings starting in the spring, and then offer advice on potential solutions and standards to enhance data protection in the financial sector. It will examine issues such as governance, consumer control of personal data, privacy, and security. Recommendations are expected later this year.
Needs consumer trust
“Consumer-directed finance should give consumers confidence and engender trust,” said the committee in a report issued Friday. “It should be secure; respect and enhance privacy; and, be an improvement over the status quo. If something goes wrong, there must be a clear and straightforward accountability mechanism for consumers and a means to ensure that liability rests with the appropriate party.”
But, the committee added, “equal weight must be given to the growth of a vibrant financial ecosystem and technological innovation.”
For software developers, consulting firms and startups, federally-approved consumer-directed finance could mean big bucks, depending on the standards and regulations the government sets.
Open banking/consumer-directed finance lets consumers give financial institutions the right to share the financial data they have in separate accounts — like their banks, investment dealers, mortgage brokers and insurance companies — for easier services.
Examples include switching banks, comparing their accounts at different banks on one screen, securing an online loan to refinance credit card debt, searching the Internet for recommendations for products that would provide better mortgage rates, getting access to alternative sources of financing or faster adjudication of small business loans, and using spending data to enable customized loans. Many of these services would be offered by so-called fintech startups, either providing money themselves or acting as the third-party network linking financial providers.
“The potential for consumer-directed finance to deliver meaningful benefits to Canadians is evident,” the advisory committee said in its report.
Another hope is that it will increase competition in the financial sector.
One of the reasons the advisory committee backs open banking is that other countries are further along than Canada. Open banking already exists in the U.K., which has created an Open Banking Standard. The European Union, through its Second Payment Services Directive (PSD2), and Australia are well on their way.
In an interview Teresa Scassa, who holds the Canada Chair in information law at the University of Ottawa, noted that open banking means giving consumers data portability. “The concept of open banking is to put consumers at the heart of controlling their personal financial information, which will be standardized and interoperable across financial institutions.”
However, as any infosec pro knows, the more information is shared in a standardized format, the greater the risk to that data if there is a compromise. Open banking approaches have to minimize those risks.
There will have to be some kind of user credential system to verify identity, she said, as well as security standards within the data-sharing ecosystem. One question is whether the government or the financial sector will set those standards. Third parties that handle personal financial information but are not currently regulated may also need to be certified, Scassa added. There may also need to be global financial sector interoperability.
Making open banking work may also mean toughening penalties in the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s privacy legislation. “If you’re going to have this kind of system there have to be serious and real consequences if there are breaches,” Scassa said.
“There’s a lot of building that has to be done to make sure the technological architecture and the legal infrastructure are in place. Some of that will come from the government, and some from the industry.”
APIs and digital IDs
Generally, open banking proposals use application programming interfaces (APIs) to secure the transfer of customer data between companies. Such APIs eliminate the need for screen-scraping. But open banking also needs ironclad online identity and access management. One way, the report notes, is the creation of a digital identity that can be presented to websites in the same way that a driver’s licence confirms physical identity.
Canada’s biggest banks have already created a blockchain-based digital identity service called Verified.Me. Meanwhile the Digital ID and Authentication Council of Canada (DIACC) continues to work on drafting a Pan-Canadian Trust Framework for public and private sector organizations to safely authorize access to and exchange sensitive data with each other and citizens.
One question is whether open banking will be driven by government regulations (as in Europe) or be self-regulated by the financial sector. The committee suggests Ottawa at least set the “guardrails.” Another question is how open banking will benefit people who can’t get a digital identity because they don’t have computers, smartphones or bank accounts.
Ottawa will also have to deal with provincial and territorial governments, which have the power to license financial institutions like trust companies, credit unions and mortgage companies.
To some degree open banking/consumer-directed finance is happening in Canada now through screen scraping of data.
But the committee described that as “a technological workaround” with big problems: There are security and liability risks for both customers and financial institutions because screen-scraping can require the sharing of log-in credentials.
“Without making data sharing more secure and trusted, a broader group of Canadians will not benefit from the tools that consumer-directed finance could offer,” it said.
In addition, it said, screen-scraping isn’t a secure connection for businesses trying to build out new applications and it creates unreliability in the services they offer, which can seriously constrain the growth of their businesses. This will make innovators wary of growing their business in Canada, potentially resulting in the loss of talent, and placing the global competitiveness of the sector at risk.
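The contrast the committee draws between credential-sharing screen scraping and API-based data sharing, as an added example that is not from the report or from any real open-banking standard: the bank issues the third party a consent token that is scoped, time-limited and revocable by the consumer, and checks it on every API call, so the third party never holds the consumer's password. The token format, the signing key and all names are illustrative assumptions.

```python
import base64, binascii, hashlib, hmac, json, secrets

# Constructed signing key for this example only; a bank would keep it in an HSM-backed key store.
BANK_KEY = b"example-only-signing-key"
REVOKED = set()  # token ids for which the consumer has withdrawn consent

def _sign(raw: bytes) -> str:
    return hmac.new(BANK_KEY, raw, hashlib.sha256).hexdigest()

def issue_consent(consumer, third_party, scopes, ttl_s, now):
    """Bank issues a consent token: who may read what, on whose behalf, until when.
    Unlike screen scraping, the third party never receives the consumer's password."""
    body = {"sub": consumer, "aud": third_party, "scp": sorted(scopes),
            "exp": now + ttl_s, "jti": secrets.token_hex(8)}
    raw = json.dumps(body, sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode() + "." + _sign(raw)

def revoke(token):
    """Consumer withdraws consent; the bank stops honouring this token immediately.
    With shared log-in credentials the only equivalent is changing the password."""
    raw_b64, _ = token.rsplit(".", 1)
    REVOKED.add(json.loads(base64.urlsafe_b64decode(raw_b64))["jti"])

def authorize(token, caller, scope, now):
    """Check the bank's API runs on every request before releasing any data."""
    try:
        raw_b64, sig = token.rsplit(".", 1)
        raw = base64.urlsafe_b64decode(raw_b64)
        body = json.loads(raw)
    except (ValueError, binascii.Error):
        return False  # malformed token
    if not hmac.compare_digest(sig, _sign(raw)):
        return False  # signature mismatch: token altered or not issued by this bank
    if body["aud"] != caller:
        return False  # token was issued to a different third party
    if now >= body["exp"] or body["jti"] in REVOKED:
        return False  # expired, or consent withdrawn by the consumer
    return scope in body["scp"]  # least privilege: only the scopes actually granted
```

A scraped password grants none of these properties: it is all-or-nothing, never expires, and cannot be narrowed to one scope or one third party.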
The committee had submissions from some 130 groups, ranging from banks to the federal privacy commissioner. Canada’s biggest banks emphasized that third parties accessing and collecting customer financial transaction data “must be held to appropriate standards, including with respect to privacy and security.” Third parties must also be accountable under Canadian privacy laws for the security and appropriate use and disclosure of customer information, the banks add.
The Office of the Privacy Commissioner warned that the use of big data and artificial intelligence analytics in open banking raises privacy concerns. The OPC called for the Personal Information Protection and Electronic Documents Act (PIPEDA) to be updated to give it more enforcement powers. It also wants regulations that ensure consumers are properly informed so they can give meaningful consent to third parties accessing their financial data. Finally, it also notes that many “new” players may be part of existing companies, thus blunting the hope of greater competition.
In its submission PricewaterhouseCoopers (PwC) noted the U.K. created an implementation authority called the Open Banking Implementation Entity (OBIE), with representation from both businesses and consumers. Its mandate was to create software standards and establish industry guidelines on data exchange using APIs.
OBIE was also responsible for defining security and messaging standards, as well as designing a process for managing complaints. OBIE is governed by the U.K. Competition and Markets Authority (CMA), and funded by U.K. financial institutions.
As for security, PwC said any framework must ensure that the data transferred to, and stored by, the new participants meets the same standard that federally-regulated banks have to meet.
PwC also said Ottawa must define the criteria for participation in the Open Banking network and which products would be in scope (e.g. deposit, lending, etc.).