The Government of Canada plans to develop and implement open banking legislation by 2025.
The federal government intends to introduce a legislative framework for open banking, which has been re-branded “consumer-driven banking.” The announcement was accompanied by the federal government’s Policy Statement on Consumer-Driven Banking (the “Policy Statement”). The Policy Statement contains a useful summary of what the planned legislative framework for consumer-driven banking will contain. In this blog post, we will highlight four aspects of the Policy Statement that we will be monitoring from a legal perspective as the legislative exercise unfolds.
Shared federal and provincial jurisdiction
Although it is Ottawa leading the way in Canada to develop a legislative framework for consumer-driven banking, provincial governments may also have a role to play in this banking sector. The Policy Statement indicates that “provincial entities” – which we understand to mean provincially-led regulatory entities – may opt-in to the federal legislative framework. It is uncertain what this will look like in practice, but there is clear recognition that the federal legislative framework will need to respect provincial jurisdiction. Relatedly, the Policy Statement also contemplates provincial governments retaining authority to impose their own requirements on sector participants, such as provincially-regulated credit unions. This creates the possibility that provincially-regulated entities that intend to participate in the consumer-driven banking sector may need to comply with different sets of rules. This could increase the complexity of the regulatory landscape.
Accreditation requirements
The Policy Statement explains that most entities looking to participate in consumer-driven banking will need to be accredited in accordance with a formal accreditation framework. Federally-regulated banks and credit unions, as well as provincially-regulated credit unions, will be exempt from federal accreditation requirements (although provincially-led regulatory entities may impose different rules). For other entities looking to participate in consumer-driven banking, accreditation appears mandatory.
The accreditation requirements are expected to focus heavily on privacy and cybersecurity-related matters, as well as national security and validation of financial standing. It is further expected that maintaining accreditation will require reporting to regulatory authorities. A list of accredited entities will be published for public reference to permit consumers to validate the accreditation status of entities offering consumer-driven banking services.
Notably, although it is not clear from the Policy Statement, it seems implicit that the accreditation requirements may apply to all entities that process data to deliver consumer-driven banking services. That is to say, it appears that the accreditation requirements may apply to (i) an entity holding itself out as providing consumer-driven banking services, and (ii) affiliates and subcontractors of that entity that process data in connection with those consumer-driven banking services. However, this is not explicit in the Policy Statement.
New privacy requirements
Related to accreditation, consumer-driven banking is expected to come with new privacy-related requirements. Existing privacy legislation will continue to apply, but additional privacy rules are also expected to be enacted that speak directly to financial data sharing and consumer consent.
Statutory contracts with consumers
The Policy Statement explains that consumer-driven banking legislation will establish “a statutory contractual relationship between participants.” The mechanics of this statutory relationship are expected to be driven by the principle that liability will follow data, like a game of cybersecurity hot potato. The Policy Statement indicates there will be clear rules for delineating where in the data chain liability starts and ends for the entities involved. It will be interesting to see how this matter is addressed, given the potentially high-degree of complexity in data flows. It will also be interesting to see if the proposed approach to delineating liability in the data chain filters down into information technology contracting practices more generally, given the ubiquity of the issue.
Conclusion
The Policy Statement represents a good first step in setting market expectations with respect to how federal and provincial governments will regulate consumer-driven banking in Canada. With that said, and as we have seen, the Policy Statement also raises a number of questions. We will continue to monitor these and other issues related to consumer-driven banking in the coming months as the legislative framework begins to come into focus.
The lawyers in MLT Aikins Innovation, Data & Technology group have extensive experience assisting financial institutions and technology leaders in navigating matters of this nature. We would be pleased to assist your business in planning for Canada’s open banking future. Contact us to learn more.
Note: This article is of a general nature only and is not exhaustive of all possible legal rights or remedies. In addition, laws may change over time and should be interpreted only in the context of particular circumstances such that these materials are not intended to be relied upon or taken as legal advice or opinion. Readers should consult a legal professional for specific advice in any particular situation.