Open Banking: What New Consumer-Driven Banking Legislation Means for Fintechs in Canada
May 23, 2024
Written By Matthew Flynn
If your company is a fintech operating or hoping to operate in Canada with a business model that offers financial products, you should be aware that Canada’s federal government has announced its intention to enact legislation that could apply to your organization.
What's Happening?
This impending legislation is the Consumer-Driven Banking Act (CDBA), and it will set the foundation for a framework that enables consumers and small businesses to securely transfer their financial data through an API to approved service providers of their choice.
The framework for consumer-driven banking (a.k.a. “open banking”) includes six core elements, all of which will play into whether your organization is subject to the framework, and what obligations could apply. These obligations will come in two phases because the CDBA will be enacted in two pieces: the first, expected in H1 2024, will implement elements including governance, scope and a technical standard. The remaining elements are expected to be legislated in the fall of 2024.
What Will it Mean for Fintechs?
The table below gives a high-level snapshot of the core elements of the framework as introduced in the Government’s policy statement: Budget 2024: Canada’s Consumer-Driven Banking Framework¹. Note: the CDBA has not yet become law and could yet change. Further, the Government’s policy statement makes clear that the development of Canada’s Consumer-Driven Banking Framework will be an iterative process and may evolve significantly over time. Lastly, the table is not exhaustive and does not constitute and should not be relied upon as legal advice.
If you have any questions about the information in this blog post or require legal advice, please contact Matt Flynn.
Canada’s Consumer-Driven Banking Framework
| Core Framework Element | Fintech Obligations/Considerations |
|---|---|
| Governance:<br>Oversight and management of the framework | - Oversight and management rests with the Financial Consumer Agency of Canada (FCAC);<br>- FCAC to establish framework elements: scope; system participation; safeguards re: integrity and national security; and common rules covering privacy, liability, security;<br>- FCAC to select a single technical standard for data sharing (including interoperability with coming U.S. open banking framework);<br>- FCAC to review framework after 3 years to ensure it continues to meet policy objectives and consumer needs. |
| Scope:<br>What entities can participate<br>Data that must be shared<br>Functionality, such as read or write access | - CDBA will set requirements on fintechs’ entry into / exit from the framework²;<br>- Participating entities required to meet prescribed technical and security requirements;<br>- Initial scope of data required to be shared at consumer’s request: deposit accounts; investment products; lending products. Note: data “materially enhanced” by a fintech to offer “significant additional value or insight” will be excluded from scope;<br>- Reciprocal access must be granted between participants;<br>- Data to be shared free of charge. |
| Accreditation:<br>Requirements and process for participating in consumer-driven banking | - Formal accreditation process, inclusive of process, oversight, and criteria for entities to collect consumer-permissioned data;<br>- Applicants for accreditation will be evaluated by the FCAC;<br>- Evaluation points to include: info on the organization; operational standards (including security and privacy controls); financial capacity;<br>- List of authorized participants will be published by the FCAC;<br>- Participants subject to reporting on a regular basis and as business model evolves;<br>- FCAC may suspend or revoke accreditation. |
| Common Rules:<br>To protect consumers and govern privacy, liability, security | Privacy:<br>- In addition to existing privacy legislation, framework will include rules unique to financial data sharing to address consent and revocation of access to data;<br>- Participants to reconfirm consent at regular intervals or following certain events;<br>- Participants to provide consent dashboards to give consumers real-time knowledge of who has access to their data and to maintain control over the type of data they share, the accounts from which it is being collected, the length of the consents, as well as the ability to revoke consent;<br>- Participants required to adopt user experience guidelines to govern all areas of consent and revocation.<br>Liability:<br>- A statutory rather than contractual liability structure between participants;<br>- Liability will move with the data and rest with the party-at-fault;<br>- Consumers not liable for financial losses incurred due to sharing their data;<br>- Required policies and procedures for complaint handling and redress.<br>Security:<br>- Participant’s information security management system must capture all people, processes, tech and infrastructure that interact with consumer data;<br>- Established security that will serve as the minimum “floor” to safeguard consumer data;<br>- Ongoing reporting obligations that will be overseen by the FCAC. |
| National Security:<br>Safeguards to protect the integrity and security of the consumer-driven banking framework and financial system | - Framework to include safeguards and provide authority to the Minister of Finance that aligns with existing financial sector statutes, such as the Retail Payment Activities Act, the Bank Act and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act;<br>- Minister of Finance enabled to refuse, suspend, or revoke access to the framework for national security-related reasons. Minister provided an expanded authority to direct the FCAC to take measures related to the framework for reasons related to national security, to safeguard the integrity or security of Canada’s financial system, or in the best interest of the financial system. |
| Single Technical Standard:<br>Establishment, maintenance, and oversight of a technical standard for the flow of data between consumers and the financial tools of their choice | - APIs to be used to enable different products and services to communicate in a consistent manner;<br>- Framework will mandate a single technical standard to which APIs are built to support functionality and interoperability. |
1 https://www.canada.ca/en/department-finance/programs/financial-sector-policy/open-banking-implementation/2023-fes-policy-statement-consumer-driven-banking.html
2 The framework will apply to in-scope fintechs that opt into the framework. The government will mandate participation for banks that meet a specified threshold for retail volume. This threshold will scope-in Canada’s largest retail banks. The remaining federally regulated financial institutions, as well as credit unions, Crown corporations acting as banks, and other entities seeking accreditation, will be provided the ability to opt-in.
Authors
Matthew Flynn 416.777.7488 flynnm@bennettjones.com