Open Banking in Canada: Navigating the Future of Money

Borden Ladner Gervais LLP (BLG) provides quality client service in all areas of FinTech, including payment card merchant processing; payment card issuing, loyalty, affinity and co-brand cards; payment systems; mergers & acquisitions; partnerships and joint ventures; privacy and cybersecurity concerns; consumer protection and anti-money laundering regulatory compliance; cost of borrowing, credit business practices, capital treatment, businesses and investments; and outsourcing and corporate governance. For more information, please contact Stephen Redican – National Group Head, Specialized Business Law – at (416) 367-6134 or sredican@blg.com.

The Canadian financial services industry is at the threshold of change. Regulatory overhaul, the ubiquity of online services, and technological innovation and disruption will affect all players—from banks to FinTech start-ups.

Open banking will introduce new opportunities and business models for the financial services industry and new services from FinTech entrants to the market—but these opportunities come with unprecedented risks and operational requirements for a banking system that prides itself on stability. Given Canada’s unique financial system and constitutional structure, the implementation of open banking won’t look the same as it has in the UK, the EU or Australia, where its introduction is already underway.

We spoke with a diverse group of leaders from across the Canadian financial services industry to understand open banking’s current and emerging issues: What do you see changing? How will your organizations fit into the new landscape? What might a made-in-Canada model of open banking look like for consumers and industry?

Lisa Ford, Royal Bank of Canada
Senior Counsel, RBC Law Group, Enterprise Payments and Open Banking

“Open banking”—clients giving access to third parties to their financial transaction data—is not a new concept in Canadian banking. It’s been happening for decades. Take business clients, for example. In the 15 years I’ve been at RBC, there’s always been a need for our business clients to give trusted third parties (like accountants and professional advisors) access to their accounts to bring holistic views and insights to their business planning needs. What is new, however, are technologies such as application programming interfaces (APIs) which we are exploring for these use cases.

There is a myth being perpetuated in some commentary that Canada has “lagged behind” other jurisdictions when it comes to open banking. I disagree—the financial services industry in Canada, which consistently ranks high in trust among consumers, is actually leading... Ultimately, the myth that Canada is lagging behind can potentially lead to overzealous calls for regulation. Critics of the Canadian system often point to jurisdictions such as the EU and UK, where regulators felt the need to intervene and mandate open banking due to a general public distrust in banks after the financial crisis, and in order to foster competition and innovation.

This is simply not the case in Canada. Open banking has existed in some form since the turn of the century and now technology and other changes are fuelling a more public debate. The challenge for policymakers in these fast-moving areas stems both from the desire to “protect but do no harm”, as well as from Canada’s fragmented regulatory environment that regulates based on the type of entities involved versus the nature of their business activities. This makes it difficult for regulators to establish comprehensive oversight when it comes to activities such as open banking, which involve a variety of different entity types.

The open banking ecosystem in Canada requires a collective and collaborative effort—one that will involve financial institutions, governments, third parties and consumers. Fortunately, the Canadian banking industry has a history of collaboration that has worked well in our regulatory environment. I think of a similar situation when banks launched chip and PIN systems in the card business. The industry got together and worked cooperatively with each other and the government to implement standards everyone agreed to follow. Open banking is similarly conducive to this type of approach, since all players have a vested interest to enable open banking while maintaining the safety and security of the financial system. Everyone ultimately has “skin in the game” and an incentive to work together for the common good of our financial system, evolving as the world evolves over time.

Anne Butler, Payments Canada
Chief Legal Officer and Head of Policy and Research at Payments Canada, the organization responsible for the country’s clearing and settlement infrastructure and the processes and rules essential to those transactions

As the body in charge of the national payments system, Payments Canada processes an average of $3 million in payments per second and sits in a unique position at the centre of Canada’s financial ecosystem. The safety, security, and reliability of our systems at all times are integral to ensuring the national economy is running smoothly. That means we are deeply integrated within the Canadian financial system, with institutions looking to us as the rule and standard setter when it comes to payments. As a result of being at the centre of this ecosystem, we have a unique perspective when it comes to open banking, especially as we are currently in the process of significantly upgrading and modernizing our own systems. For us, the conversation about open banking is happening at the perfect time: in step with the industry-wide effort to modernize payments in Canada.

There are two main streams to the modernization efforts at Payments Canada already underway. One of them is to modernize our high-value payments system. The other is to increase the speed and efficiency of payments through the delivery of a real-time payment system. How do these relate to open banking? Let’s think of it for now in the most basic terms as enhancing individuals’ ability to control and share their banking information, enabling companies to deliver more robust and personalized financial services across a spectrum of activities. Any new payments system needs to be developed with that front of mind, allowing for all potential use cases presented by open banking, as well as other new developments and technologies in the future. It must be built in a way that will enable—rather than hinder—innovation.

We are at an opportune moment, where through collaboration between the federal and provincial regulators and the financial services industry itself, we can support a positive outcome for Canada. Every country has its own regulatory environment and challenges to overcome; in Canada, we have multiple jurisdictions with the constitutional power to make rules in this space, which will need to find some coherence. And though the contexts can be different, we do have the benefit of observing how other countries are handling implementation of open banking. In the UK and Europe, with PSD2, the approach prioritizes the obligation of all players to protect the information of individuals, to make sure that the consumer is in control of who has access to their data and for what purposes. Other jurisdictions might be phasing in open banking more slowly, but they’re also working first to establish within the system the consumer’s right to control their own data and how parties are allowed to interact with it.

Working with government, it’s important to have a clear understanding of what the policy objectives are, so industry can have a long-term strategy around adding value to the economy. In addressing the risks presented by open banking, having a centralized organization like ours that’s dealing with standards, and the expectations of conduct required of participants, can be instrumental in building the capacity for trust across the entire system—from the consumer and their data to all of the players participating in the ecosystem.

If there isn’t trust in the security and integrity of the system, especially among consumers, open banking will not succeed. Part of this means helping consumers to better understand what open banking means, and what the standards are. In a recent consumer survey, we asked Canadians about open banking and only seven per cent said they had even heard of it. That would seem like there isn’t this great call to action. But when asked whether they would want to have all of their financial data consolidated in one place, in a helpful way, enabling them to better track their spending or do financial planning, 77 per cent said yes. When you present it to consumers in a way they understand, they want access to those benefits. Fortunately, Canadians have a high degree of confidence in the stability and security of their financial services providers. The key thing now is to leverage that general sense of trust so we can fashion a system with consistent rules and standards across the board as we open up access to their data to other players.

One of the insights we welcome from the recent Senate report on open banking is that there are existing regulatory entities already mandated and equipped to address these new areas of financial activity—whether it be consumer protection, competition, or privacy. There is no need to create a whole new regulatory agency to manage open banking. Let’s look at the tools we already have and adapt them. Some tools are heavier than others. Regulation is a heavy tool but you want to use it as lightly as possible to support the outcomes you want. Payments Canada—along with its bylaws, rules, and standards—can also be a tool. Where you have gaps in regulatory needs, look to other tools in the ecosystem that you can possibly leverage. But sometimes you also need to back away and let standards or processes evolve without administering a heavy touch.

It’s not an easy thing to accomplish by any means. But it’s critical that that regulation be responsive to the evolution of the industry and the technologies that support it.

Andrew Boyajian, TransferWise
Head of Banking, North America, for TransferWise, an international money transfer service headquartered in the UK

For a FinTech like TransferWise to grow in the Canadian market, we needed to address both operational and regulatory issues. From our experience in other markets, we find Canadian payments infrastructure can be a bit guarded. And this is a challenge not only to us, but to the entire FinTech ecosystem. As an example, in Canada only a select group of financial institutions can participate in payment systems. But Canada also goes one step further. To be a direct clearer, the current rules require financial institutions to handle a specified percentage of the gross payment volume in Canada. While this is slated to change, it can limit the system to a few big banks and financial institutions. For a company whose primary role is to provide payment services to customers, this is a challenge. First, we need to find a bank that’s willing to actually onboard us as a customer. And second, we’re going to rely on that banking relationship as part of our business continuity.

Fortunately, we’ve seen some progress overseas with central banks becoming more open to including non-traditional financial institutions in payment systems. TransferWise was one of the first non-banks in the UK to hold a settlement account with the Bank of England, which supported our direct participation in the Faster Payments Service. And more recently we learned that the Bank of England is considering even broader access rights for non-banks, in terms of holding deposits. We’re seeing some progress in Canada, too, where Payments Canada is considering roles like associate memberships in the payment schemes, including the proposed real time rail. All of this movement is good, but until it’s a reality there is an over-reliance on financial institutions to properly support FinTechs and their customers.

On the regulatory side, some laws and regulations are antiquated. In general, frameworks are written with the idea that businesses are physically present, with face-to-face settings for their customers. Unfortunately, we don’t always see policymakers thinking about how to modernize these regimes for digital companies. But when they do look to modernize frameworks, it’s important that they do so in a way that is technology agnostic. So, instead of references to specific file types, “.pdfs” as an example, we encourage policymakers and regulators to think about principles that transcend today’s technology to future-proof them as much as possible.

One example of regulation that is already changing for the better is the move to safeguard customer funds held by payment service providers. It’s a protection that doesn’t currently exist for Canadian consumers. If you hold a balance with a FinTech, there isn’t a live regulatory framework to ensure that the balance is protected, set aside, and guaranteed for the consumer. It’s in a similar vein to CDIC or provincial schemes to protect deposits at financial institutions. Fortunately, the Department of Finance, as part of their overhaul of the retail payment system, saw this gap and is taking steps to put in place safeguarding methodology for Canadian consumers. It will mean protection and transparency for consumers, so they can know they’re getting the same level of service from FinTech providers as they are with banks.

Often banks or regulators may feel that money transmitters, payment service providers, or FinTechs pose a higher risk for money laundering. But if we think about the topics of money laundering or financing of terrorism, those can occur through any channels—whether it’s a FinTech or a bank. So, we don’t think the argument of higher AML risks is a reason to exclude FinTechs from direct access to payment systems. The challenges in addressing AML are the same for FinTechs as for banks—laws do not really differentiate between the type of provider.

We can see more validity in the argument that keeping a smaller number of entities with that clearing access could promote stability. Generally, a regulator should be thinking about sound capitalization or business models and then the operational risk policies that entities have. Those concepts are broad and universally applicable. If one institution or entity is capable of meeting them in the same fashion that a defined depository financial institution is, we really don’t see the difference and need to create a division in access rights between the two.

In the UK, while TransferWise has been in a position where we have advised policy makers relating to the implementation of open banking deriving from PSD2, we have instead focused more on transparency in fees. That said, we can certainly see areas where there are benefits. For example, with any payment method other than payment cards—like direct debit—there is quite a bit of information that could be obtained about a customer to help inform a merchant whether or not those funds are actually going to settle, as well as the overall risk profile of the individual with whom they’re engaged in business. One of the benefits that I can see in open banking is the ability for consumers to share that information in a standardized way.

Some technology already exists through a screen-scraping service, where a consumer might choose to enter an online bank ID and password in a third-party application. That application essentially logs in to that customer’s online bank account and scrapes the screen to obtain this data and then provides that data back to a platform. But that’s brittle. If a bank decides to change its interface or implement two-factor authentication, for example, that could easily break the service. Also, depending on the bank, that could be a violation of the terms of use for the account because the account owner has granted access or authorization to a third party. Open banking can be a way to simplify these protocols and allow that same data set to be universally applied. And, more importantly, it gives consumers an active role in deciding with whom and how to share that information.

In today’s world, where digital information is increasingly being passed through digital channels, cybersecurity is an area that we need to deal with. And the payments industry saw that with payment cards—as things began to move from point-of-sale to card-not-present, the idea of security and how these payment instruments are being authenticated and validated became important. It’s a matter of the market adapting to understand how data is being stored and transmitted, identifying where the vulnerabilities are, and knowing that responsibility is not housed within any particular provider or role in the payment chain. Instead, it’s universal.

Whether the industry is using cloud services or their own infrastructure, they’re all susceptible to possible attacks by any type of bad actor. That’s not something that’s exclusive to a FinTech. So, all entities need to have robust plans for fraud, cybersecurity, and data protection. Meanwhile, regulators should understand that these aren’t always challenges defined by entity type, but rather by entity preparedness. A concept like, “We’re a known bank, we’ve been around for hundreds of years and therefore we’re better equipped,” doesn’t necessarily make sense. Instead, it comes down to the contents and adherence to risk policies, and the importance that institutions give to cybersecurity.

Oscar Roque, Interac
AVP, Innovation, Research & Emerging Solutions, at Interac Corp.

At Interac, we have a successful 35-year history of bringing together all the key players and stakeholders in the ecosystem, both through our technology platforms and our governance structure.

The discussion around open banking, understandably, is mostly framed around its merits, providing consumers with mechanisms so that they can take greater control over their data. Beyond that, there are considerable benefits associated with open banking such as greater financial independence, management, and access. The balance that needs to be struck with these benefits is around risk management, liability models and consumer protection. All these things have to be figured out before open banking can truly take flight.

As systems and models are built to support open banking, our experience at Interac can provide guidance. Over our history, Interac has operated at the centre of the Canadian financial services ecosystem. What this means is that we are connected not only to financial institutions from coast-to-coast, but also to acquirers, merchants, governments and consumers. A future open banking framework must have the right balance between all of these entities, offering both a great user experience as well as an efficient governance model and integration process for industry.

Digital ID presents one interesting opportunity, and though it’s a separate innovation from open banking, it’s been running on a parallel track. Given how central privacy and security are to the integrity of any open banking system, where it’s clear the consumer has consented to share only specific pieces of data, digital ID should have an important role to play. If those tracks can come together, a system for digital ID that accesses some form of open banking directly, we can have an equation in which one plus one equals three, where the merits of each help build a much stronger digital economy for Canada.

Whatever framework is put in place needs to strike the right balance of protecting the consumer, while also enabling all the potential benefits of open banking. Remember, it’s not just about the security of the technology, but also governance structure, accreditation, and making sure that the proper controls are in place so that it’s not just anybody accessing that system.

Government has an important role to play in setting policy direction, establishing rules and regulations, and bringing stakeholders together. One potential model we could see is a hybrid ecosystem, where the government and regulatory bodies provide the framework, while industry—from legacy financial institutions to FinTechs—collaborates on solutions that aren’t heavily specified or overly constraining, ensuring there is space for fluidity and innovation. Based on our history, Interac can have a vital role to play in that conversation.

Tanya Postlewaite, Concentra
VP Compliance and Governance, Corporate Secretary, Chief Compliance Officer and CAMLO with Concentra, a Canadian bank and trust company

Canadian financial services organizations are responding with accelerated innovation to industry pressures such as spread compression, changes in mortgage regulations, new entrants to the market, changing consumer expectations and regulatory caps. New channels, emerging technologies, and reimagined service models are creating value within the industry and for Concentra.

Many of our financial activities are already delivered via third parties, including FinTechs. Most often, the customer who is interacting with our partners—whether for a $5,000 consumer loan from a FinTech online, or a $500,000 mortgage through a broker—doesn’t know that Concentra is the bank that funds and beneficially owns those debts. The end customer doesn’t have any connection to or knowledge of Concentra because, to date, we’ve been in the background.

Here’s where open banking presents many exciting opportunities for us. Open banking is a framework wherein consumers and businesses can authorize third-party financial service providers to access their financial transaction data using secure online channels. Because so much of what we do is built around third-party partnerships, open banking fits our business model perfectly. A bank like ours can add the capabilities of FinTechs into our ecosystem through open APIs that directly hook into our banking system.

Bigger financial institutions already have a direct-to-customer model, so for them partnering with FinTechs may not fit as easily into their strategy. With open banking, customers of bigger financial institutions might expand their financial relationships without a significant hurdle/cost/time investment; therefore, larger banks risk losing their competitive advantage of customer inertia. Being smaller, we’re able to be more agile and, compared with many financial institutions, we’re not constrained by legacy relationships.

If big banks seek to reduce costs by moving away from legacy products, FinTechs could gain by servicing these opportunities with a partner like Concentra. Smaller financial institutions like ours can leverage customer data to provide more segmented opportunities to drive sales, without the costs of providing a full-service offering. FinTechs can drive more awareness of their products and gain more privileged access to customers through financial institutions.

One area where FinTechs have a greater need for support and understanding is in building better compliance and customer data/privacy platforms. The purpose of any public-facing FinTech is to provide customers with an easy, seamless experience and this is where they currently enjoy a competitive advantage. Whereas a financial institution is obliged to ask more questions and acquire a lot more data before making a loan, FinTechs aren’t. And obviously they don’t want to put up barriers to the customer experience when ease of service is a selling feature.

When Concentra considers partnering with a FinTech, compliance can become an issue. If the FinTech isn’t already partnered with a federally-regulated financial institution, a lot of development is often necessary for them to meet federally-regulated standards before we can work with them. Some FinTechs prefer not to work with any financial institution because they don’t want to change their business model to meet regulatory requirements. They may try to find funding from a source that does not have to be concerned with OSFI, FINTRAC and anti-money-laundering regulations.

We hope open banking will bring FinTechs into the same realm of regulation as other financial institutions, to ensure everyone is operating on the same playing field and that the integrity of the entire system is protected. In recent years we’ve seen an uptick in fraud related to smaller consumer loans. Anytime there’s money moving around in a system, people will study how to take advantage of or manipulate that system to fraudulently access funds. It’s an issue that the government is not going to leave unchecked forever.

We expect it will be a few years before there is a functioning open banking platform in Canada, and we look forward to joining the dialogue in helping to shape it. Open banking presents exciting opportunities for Concentra to create the future of banking in a way that benefits us, our credit union partners and all Canadians.