This is going to be a very important year for the future of open banking in Canada. By way of a refresher, you can check out our open banking primer from a few months ago. In a nutshell, open banking is a shift away from the traditional banking model, allowing individuals and businesses to securely share their financial data with authorized third-party services providers to provide innovative financial services.
Along with the Fall Economic Statement last November, the federal government released a policy statement on what they’re calling consumer-driven banking that directs banks and other financial institutions to give fintechs access to consumer data if they meet certain criteria.
The Department of Finance indicated that the government will table legislation alongside the next budget that will scope out what is and isn’t covered as part of the framework, assign responsibility within government to regulate and oversee it, and critically, set out rules to determine who gets access.
The American Consumer Financial Protection Bureau also released a draft set of rules this past fall that shows a different path forward. Instead of creating a fulsome set of new rules to frame an ecosystem from scratch, they’re creating a legal consumer right to share financial data. They’re defining strong privacy and data misuse protections, but leaving most of the details regarding governance to consensus-based industry standards that are developed fairly, openly and inclusively.
The CFPB has essentially recognized that moving to define everything in regulation is enormously difficult, and by default protects incumbents by precluding new business models unless regulation changes. To avoid that, they have deliberately opted for a flexible model that allows for new issues and challenges to be accommodated and solved by stakeholders collectively and openly through standards setting.
The upshot of all this is that the US is building a commons, centred around consumers’ rights. Canada’s approach is set to build a locked and walled garden with government holding the keys.
This is worse for consumers and fintechs, and leaves too much power in the hands of banks and government.
A policy approach based around maximizing consumer rights ultimately creates a better environment for innovators than one where financial institution interests dominate. It’s a simple matter of alignment of interests. Consumers want to have options and flexibility. Banks want to protect their business.
Recognizing that it’s probably too late to start from scratch and build a system without walls, the next best thing is to build a system where the process of getting a key to the gate is fair, open and inclusive.
What does that mean in practice? It means that accreditation should not be based on a set of rules crafted behind closed doors. What should happen instead is that government should work with innovators, consumer groups and yes, banks, to figure out what standards could cover elements that everyone knows are critical to handling financial data. This would include things like privacy and cybersecurity. Then we would adopt those consensus standards and move to set those as the route to accreditation. Essentially, if you check all the privacy and cybersecurity boxes, you should automatically get a key to the walled garden.
There are a few existing standards out there that could be a workable basis for accreditation, or at least offer an expedited path to it. Lots of organizations offering services online are already SOC2 compliant and report out regularly, to a fairly granular level of detail, about how their organizations collect, process, store, use and protect all kinds of confidential information.
No system is perfect on its first iteration. There probably will be teething problems. Eventhebankshavebreaches. Luckily, there is an open, timely and transparent way forward to address them through standards bodies.
What is even more appealing about this system for consumers and innovators alike is the prospect of export. If the US has a process to recognize standards, there is no reason that Canadian organizations couldn’t push to get our standards recognized there. This would mean a big new market for Canadian companies without having to rejig their entire compliance structures.
This is an important moment and the stakes are high. With December’s disappointing news about the Canadian Innovation Corporation being punted out for years, it’s more important ever that the government get the here-and-now of innovation policy right.
Mooseworks is the Council of Canadian Innovators' innovation policy series. To get posts like this delivered to your inbox twice a month, sign up for CCI's newsletter here.