Open Banking Concept
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Creating an <strong>Open</strong> <strong>Banking</strong><br />
Framework for Canada<br />
October 2018
Creating an <strong>Open</strong> <strong>Banking</strong> Framework for Canada<br />
Table of Contents<br />
Executive Summary............................................................................1<br />
Introduction........................................................................................2<br />
What is <strong>Open</strong> <strong>Banking</strong>?..................................................................................................2<br />
Driving Forces of the <strong>Open</strong> <strong>Banking</strong> Movement.........................................................2<br />
Current <strong>Open</strong> <strong>Banking</strong> Methods in Financial Services...............................................3<br />
Global Precedents and the Canadian Context.........................................................3/4<br />
Guiding Principles...............................................................................5<br />
An <strong>Open</strong> <strong>Banking</strong> Framework...........................................................6<br />
Which accounts should be included?...........................................................................6<br />
Who are the participants in the <strong>Open</strong> <strong>Banking</strong> System?...........................................8<br />
What data and level of access are data recipients provided?...................................9<br />
Which types of data (e.g., transaction, account balance, customer info)?............10<br />
How is the system governed?.....................................................................................11<br />
How does the system operate?..................................................................................14<br />
Conclusion.........................................................................................17<br />
Contributors......................................................................................18<br />
1.
Creating an <strong>Open</strong> <strong>Banking</strong> Framework for Canada<br />
Executive Summary<br />
1.
Creating an <strong>Open</strong> <strong>Banking</strong> Framework for Canada<br />
Introduction<br />
What is <strong>Open</strong> <strong>Banking</strong>?<br />
<strong>Open</strong> <strong>Banking</strong> is a global movement that promotes customers’ right to share their financial<br />
information with third parties.<br />
While many global jurisdictions have legislated <strong>Open</strong> <strong>Banking</strong> policies, <strong>Open</strong> <strong>Banking</strong> is<br />
broader than just policy - rather, it is part of a broader movement of customer, technological,<br />
and regulatory shifts that facilitate customers regaining control of their own data and for that<br />
data to be easily portable between institutions.<br />
Driving Forces of the <strong>Open</strong> <strong>Banking</strong> Movement<br />
The rise of the fourth industrial revolution has been marked<br />
by the emergence of companies that monetize customer<br />
data to deliver value. Businesses, governments, and<br />
customers are embracing the idea that customer data has<br />
inherent value, and that customers should have ultimate<br />
control over usage of their data. As a result, the concept of<br />
customer ownership and control of their data, as well as<br />
data portability, has become a key pillar of modern privacy<br />
principles.<br />
In the financial services industry (which generates and<br />
processes a vast amount of personal data) various data<br />
sharing practices – from Extract Transform Load to APIs -<br />
have emerged over the past two decades to meet growing<br />
customer demand for better interoperability and visibility.<br />
Over the past few years, regional efforts to create a<br />
harmonized approach to enable data sharing while<br />
addressing security, privacy and interoperability challenges<br />
have resulted in both regulatory actions and industry-driven<br />
collaborations in various jurisdictions around the world –<br />
efforts that Canada can learn from.<br />
This paper aims to discuss the key choices<br />
that define an <strong>Open</strong> <strong>Banking</strong> framework and<br />
their downstream implications, independent<br />
of whether the framework is driven by a<br />
policy or by the market participants.<br />
Emergence of the Data Economy<br />
Over the last few decades, advancements in technology<br />
have made data significantly more accessible, while<br />
driving down the cost of their acquisition and processing.<br />
Concurrently, organizations have realized the importance<br />
of using data to both improve operations and strengthen<br />
relationships with customers. This has bolstered the value<br />
that market participants assign to data, ultimately spurring<br />
innovation that enables businesses and customers to<br />
benefit from its inherent value.<br />
2.
Creating an <strong>Open</strong> <strong>Banking</strong> Framework for Canada<br />
Current <strong>Open</strong> <strong>Banking</strong> Methods in Financial Services<br />
A variety of technologies already enable the sharing of<br />
customers’ financial data: CSV downloads, screen scraping,<br />
closed APIs, and open APIs. In addition to this, jurisdictions<br />
including the EU, the UK, and Australia have started to develop<br />
agreed-upon <strong>Open</strong> <strong>Banking</strong> frameworks to govern the use of<br />
open APIs in the financial services industry.<br />
The development of a harmonized and agreed-upon <strong>Open</strong><br />
<strong>Banking</strong> framework would ensure a secure and efficient system<br />
for data sharing, providing a number of benefits:<br />
(concerned about the misuse of their data) and financial<br />
institutions (concerned about new liability and reputational<br />
risks posed by third parties).<br />
..<br />
Improved accessibility, as it materially reduces the cost<br />
of data sharing amongst financial services organizations<br />
through the establishment of <strong>Open</strong> APIs and the transfer of<br />
data control to the customer.<br />
..<br />
Increased interoperability, driven by the widespread<br />
adoption of standardized data-sharing protocols and<br />
guidelines, making it easier for third parties to access<br />
customer data and deliver new value for customers.<br />
..<br />
Greater reliability and security, as it provides a safer<br />
and more stable alternative to current data sharing<br />
practices (e.g., screen scraping).<br />
..<br />
Clearly defined standards on issues such as liability,<br />
leading to a higher degree of confidence and participation<br />
in the data-sharing ecosystem from both customers<br />
Global Precedents and the Canadian Context<br />
These forces driving increases in data sharing - in conjunction<br />
with the limitations of existing solutions - have led to the<br />
development of agreed-upon <strong>Open</strong> <strong>Banking</strong> frameworks in other<br />
jurisdictions around the world. However, there is a high degree of<br />
variation in the specific design in each jurisdiction:<br />
..<br />
In the UK, <strong>Open</strong> <strong>Banking</strong> regulation was driven by a policy<br />
objective to decrease the market power of the largest<br />
9 banks in an effort to increase the range of service<br />
providers in the market. In its 2016 Retail <strong>Banking</strong> Market<br />
Investigation, the Competition and Markets Authority<br />
concluded that “older and larger banks do not have to<br />
compete hard enough for customers’ business, and smaller<br />
and newer banks find it difficult to grow. This means that<br />
many people are paying more than they should and are not<br />
benefiting from new services”.<br />
..<br />
In Australia, <strong>Open</strong> <strong>Banking</strong> regulation was driven by<br />
regulators in an effort to empower customers to own and<br />
benefit from their data. The government’s review into <strong>Open</strong><br />
<strong>Banking</strong> identified that it is useful in “providing customers<br />
with better access to [financial] data [and] reduces the<br />
time, cost and inconvenience associated with identifying<br />
and selecting financial products and services. When<br />
consumers make better choices about how and what to<br />
consume, the industry affected is driven to become more<br />
efficient and competitive.” The movement is broader than<br />
financial services, and is expected to eventually encompass<br />
telecom and utilities; initially, all Authorized Deposit-taking<br />
Institutions are subjected to the legislation;<br />
..<br />
In Japan, the <strong>Open</strong> <strong>Banking</strong> movement was triggered<br />
due to heavy market-reliance on cash payments and the<br />
framework aims to modernize the banking system and<br />
promote adoption of lagging card-based debit online<br />
payments;<br />
..<br />
In the EU, the objectives of <strong>Open</strong> <strong>Banking</strong> policy were to<br />
better harmonize the EU banking sector, modernize the<br />
banking system, and provide customers with alternatives to<br />
big banks that were involved in systemic failure. All Account<br />
Service Payment Service Providers (ASPSPs) across the EU<br />
are subject to <strong>Open</strong> <strong>Banking</strong>;<br />
3.
Creating an <strong>Open</strong> <strong>Banking</strong> Framework for Canada<br />
..<br />
In the US, a market-driven approach was taken: although<br />
some regulatory bodies have issued non-binding<br />
guidelines, individual financial institutions have largely<br />
developed their own approach to open banking as a source<br />
of competitive advantage;<br />
..<br />
In Singapore, mandatory <strong>Open</strong> <strong>Banking</strong> regulation has not<br />
been enacted. However, financial institutions have started<br />
to share data with third parties using open APIs under<br />
the strong encouragement and guidance of the Monetary<br />
Authority of Singapore (MAS).<br />
Differing circumstances have resulted in varying policy and<br />
design choices across jurisdictions. Similarly, the Canadian <strong>Open</strong><br />
<strong>Banking</strong> framework should be purposefully designed based on<br />
Canada’s unique characteristics, including:<br />
..<br />
A sound financial services system that has not<br />
experienced systemic failure or relied on public funding.<br />
..<br />
A bifurcated regulatory landscape where federal and<br />
provincial bodies govern different entities, but with a<br />
manageable number of institutions. This creates complexity<br />
in developing standardized approaches and governing<br />
<strong>Open</strong> <strong>Banking</strong> participants (compared to jurisdictions with<br />
central oversight - e.g., UK).<br />
..<br />
Lack of governance for non-traditional entities that<br />
do not fit into existing definitions of “financial institutions”,<br />
which may expose customers to new sources of risk<br />
without protection, or expose the financial services<br />
ecosystem to foreign institutions.<br />
..<br />
Ongoing efforts to strengthen Canadian privacy<br />
legislation through proposed amendments to the<br />
Personal Information Protection and Electronic Documents<br />
Act (PIPEDA), which would act as guardrails for an<br />
<strong>Open</strong> <strong>Banking</strong> framework on the permitted usage, data<br />
management, and disclosure requirements.<br />
..<br />
Ongoing payments modernization efforts to enhance<br />
Canadian payments infrastructure, which may address<br />
certain elements of an <strong>Open</strong> <strong>Banking</strong> framework (e.g., thirdparty<br />
payment initiation)<br />
As a result of these unique circumstances, <strong>Open</strong><br />
<strong>Banking</strong> in Canada should…<br />
1. Focus on delivering value to Canadians: <strong>Open</strong><br />
<strong>Banking</strong> presents an opportunity to develop a<br />
governance framework for non-traditional financial<br />
services providers (in conjunction with other<br />
concurrent efforts in Canada) and spur innovation.<br />
These unique objectives indicate that the design of an <strong>Open</strong><br />
<strong>Banking</strong> framework in Canada should differ from those<br />
observed in other geographies; while certain elements<br />
may be transferable, <strong>Open</strong> <strong>Banking</strong> in Canada should be<br />
developed from the ground-up with the country’s unique<br />
circumstances in mind.<br />
2. Increase transparency and ownership of<br />
customer data: <strong>Open</strong> <strong>Banking</strong> should align to the<br />
broad, industry-agnostic movement that is returning<br />
control of data to the hands of customer.<br />
3. De-risk the sharing of financial data: current<br />
financial data-sharing methods threaten the safety and<br />
stability of the financial services system by requiring<br />
customers to share their banking credentials with third<br />
parties.<br />
4. Not unduly burden certain institutions: given<br />
the stable financial services system that has not<br />
faced systemic failure on the scale observed in other<br />
jurisdictions, punitive intent against specific institutions<br />
should not be a key objective of <strong>Open</strong> <strong>Banking</strong>.<br />
4.
Creating an <strong>Open</strong> <strong>Banking</strong> Framework for Canada<br />
Guiding Principles for<br />
<strong>Open</strong> <strong>Banking</strong><br />
In the 2018 budget, the government of Canada refers to “a review of the merits of open<br />
banking in order to assess whether open banking would deliver positive results for<br />
Canadians with the highest regard for customer privacy, data security and financial<br />
stability.”<br />
Delivering positive results for Canadians is two-sided. On one side, <strong>Open</strong> <strong>Banking</strong> should<br />
support the development of a new ecosystem of financial services, delivered by market<br />
participants. On the other, <strong>Open</strong> <strong>Banking</strong> should continue to protect and maintain the<br />
value customers enjoy today (i.e., safe and reliable financial services). As a result, several<br />
key principles can be articulated to guide the design of <strong>Open</strong> <strong>Banking</strong> in Canada. The<br />
framework should be:<br />
1. Value Focus:<br />
Focus on delivering true value to Canadians,<br />
without placing undue burdens (e.g., of cost,<br />
risk exposure) on any participant.<br />
2. Transparency:<br />
Ensure customers are fully informed of their<br />
rights and responsibilities regarding the<br />
transfer, possession, and usage of their data.<br />
3. Safety:<br />
Balance customer convenience with safety<br />
and security.<br />
4. Momentum:<br />
Prioritize speed to market over a wide scope<br />
of products and / or data.<br />
This report presents several thoughts for consideration against the key<br />
choices that define an <strong>Open</strong> <strong>Banking</strong> framework - all focused on the key<br />
objective of delivering positive results for Canadians.<br />
5.
Creating an <strong>Open</strong> <strong>Banking</strong> Framework for Canada<br />
An <strong>Open</strong> <strong>Banking</strong><br />
Framework for Canada<br />
Framework Overview<br />
The following provides considerations on the design choices of a Canadian<br />
<strong>Open</strong> <strong>Banking</strong> framework, considering the choices and outcomes observed<br />
in other jurisdictions, and consideration for Canada’s unique context.<br />
Which accounts should be included?<br />
What functions are covered (e.g., deposits,<br />
lending, wealth)?<br />
Including different functions would enable a different scope<br />
of use-cases for third party providers:<br />
clearly defined in order to prevent confusion around which<br />
institutions are in scope and which are not.<br />
Are online accounts in scope? Are offline<br />
accounts in scope?<br />
Deposits and lending accounts: allow for most cash-flow<br />
management use cases<br />
Plus Wealth: allow for personal financial management<br />
use cases<br />
Plus Insurance: allow for total financial management use<br />
cases<br />
While increasing the breadth of accounts in scope enables<br />
a broader suite of use cases, it places additional burden<br />
on data generators to make data available to third parties;<br />
specifically, certain forms of data (e.g., wealth, insurance) are<br />
not fully digitized and would require expensive and timeconsuming<br />
systems restructuring.<br />
Other jurisdictions that have clearly defined an <strong>Open</strong><br />
<strong>Banking</strong> framework (i.e., the EU, UK, and Australia) have<br />
all taken unique approaches. The UK and Australia have<br />
taken an account-based approach, defining specific types<br />
of accounts that are included. The EU defined the scope<br />
on an activity basis (i.e., “all online payment accounts”),<br />
which includes any type of payment account. Like the<br />
UK and Australia, the EU’s definition includes chequing<br />
accounts, credit cards, etc., but also may include other<br />
comparable accounts such as online wallets (e.g., PayPal).<br />
An activity-based approach has the benefit of more fairly<br />
requiring participation from institutions but needs to be<br />
When deciding between online and offline accounts, there<br />
are two key considerations:<br />
1. Scope of work: Having institutions make data<br />
available that is not currently stored digitally available<br />
would result in significant additional complexity (in<br />
digitizing existing datasets and building brand new<br />
digital processes to make new data available digitally);<br />
this would increase the cost of implementation for<br />
institutions and likely result in a longer timeline to<br />
launch.<br />
2. Scope of customers: As of 2016, ~90% of Canadians<br />
have regular access to the Internet, and ~80% of<br />
these users use some form of online banking (and<br />
this number is projected to increase over time).<br />
Furthermore, many of the use cases of <strong>Open</strong> <strong>Banking</strong><br />
would be delivered through digital means (e.g.,<br />
websites, apps)<br />
Developing a deeper understanding of how many<br />
Canadians would be involuntarily excluded from <strong>Open</strong><br />
<strong>Banking</strong> if non-digital data is excluded from scope is crucial<br />
to understanding if the additional complexity and cost to<br />
financial institutions is justified.<br />
6.
Creating an <strong>Open</strong> <strong>Banking</strong> Framework for Canada<br />
Which types of users are covered (i.e.,<br />
personal vs. commercial)?<br />
For each type of user, there exists a tradeoff between<br />
implementation cost and complexity, and value to<br />
consumers. Currently, different users are afforded different<br />
levels of service: retail (i.e., personal) account holders<br />
receive largely off-the-shelf products and services, while<br />
large corporate account holders are already provided<br />
with some of the benefits that new solutions under <strong>Open</strong><br />
<strong>Banking</strong> would support (e.g., personalized cash flow<br />
management and advice), and SMEs receive a mix of off-theshelf<br />
and easily customized offerings, as befits their position<br />
between retail and large corporate customers.<br />
Timeline:<br />
The framework should be designed to stage out the<br />
functions and types of users in scope over time. The<br />
introduction of every additional function and/or type of<br />
users adds complexity to the framework, both for data<br />
generators (in terms of implementation) and for governance<br />
(as the number of institutions in scope would increase). As<br />
a result, staging the implementation will ensure that the<br />
framework is able to evolve safely, without exposing the<br />
financial services ecosystem of Canada to undue risk.<br />
Who are the participants in<br />
the <strong>Open</strong> <strong>Banking</strong> system?<br />
Who is required to open access to their data?<br />
The requirement to open access to data can be institutionbased<br />
(i.e., all financial institutions with a certain<br />
classification, such as Schedule II and Schedule I banks),<br />
or activity-based (i.e., all financial institutions that provide<br />
Canadians with the functions discussed on page X). An<br />
activity-based approach would ensure that the framework is<br />
flexible to adapt to new types of non-traditional institutions<br />
that may emerge over time and may foster a more level<br />
playing field where all players offering competing products<br />
and services are required to make data available regardless<br />
of their legal classification.<br />
However, it creates a more nebulous governance<br />
environment, as lines between institutions in-scope and<br />
out of scope blurs (e.g., would PayPal’s online wallet be<br />
considered a “deposit account”?). Furthermore, the current<br />
financial regulatory systems in Canada are institution-based,<br />
meaning activity-based requirements would necessitate<br />
either a change in scope or a new regulatory body.<br />
What are the allowable types of data<br />
recipients?<br />
There are two types of data recipients: data consumers<br />
and data transporters. Data consumers are end-users of<br />
customers’ financial data (e.g., Fintechs and other thirdparty<br />
providers) while data transporters are intermediaries<br />
that facilitate the flow of data to data customers. The key<br />
difference between the two is that the latter does not<br />
create value from the storage of data. Data consumers are<br />
a prerequisite for <strong>Open</strong> <strong>Banking</strong>, bu t data transporters are<br />
not necessarily required.<br />
They introduce significant risk to the ecosystem by acting<br />
as a central source of large volumes of data (where a<br />
single breach would result in the potential misuse of many<br />
data generators and customers’ data). However, they also<br />
provide value to the ecosystem by creating interoperability<br />
between financial institutions, as well as across geographies<br />
where differing <strong>Open</strong> <strong>Banking</strong> systems have already been<br />
implemented.<br />
Ultimately, the value of Data Transporters is dependent on<br />
the level of standardization of the data transfer mechanisms<br />
employed by the various data generators in scope. This is<br />
explored in greater detail in X.<br />
Precondition: Governance of Non-Traditional Payment<br />
Service Providers (PSP)<br />
Existing payments regulation in Canada is heavily focused<br />
on governing systemically important and prominent<br />
national payment systems (i.e., LVTS and ACSS); thus, nontraditional<br />
PSPs (i.e., Fintechs that manage flows of money<br />
outside of the core systems) are not subject to regulatory<br />
oversight.<br />
There is currently an effort underway - the Retail Payments<br />
Oversight Framework (RPOF) - to govern non-traditional<br />
PSPs effectively, thereby ensuring the safety and soundness<br />
of the Canadian payments ecosystem, fostering efficiency<br />
and innovation within payments, and protecting end-user<br />
interests (e.g., privacy).<br />
8.
Creating an <strong>Open</strong> <strong>Banking</strong> Framework for Canada<br />
<strong>Open</strong> <strong>Banking</strong>’s accreditation process is likely to involve many of<br />
these same players, so it is important that the RPOF and <strong>Open</strong><br />
<strong>Banking</strong> regime are co-developed. This would help prevent<br />
the creation of conflicting and overlapping legislation and<br />
optimize the allocation of resources and responsibilities across<br />
regulatory bodies.<br />
What data and level of<br />
access are data<br />
recipients provided?<br />
What access rights do data recipients have<br />
(e.g., read vs. write)?<br />
There are two types of access that data recipients could<br />
be granted:<br />
Write access: Allows data recipients to make modifications<br />
to customers’ financial data held by other institutions;<br />
this would enable additional use cases such as payment<br />
initiation, account opening/closing, and changes to<br />
information (e.g., change of address) performed by the<br />
recipient on behalf of the customer<br />
..<br />
Read access: Allows data recipients to obtain copies<br />
of customers’ financial data; this supports use cases<br />
such as data aggregation.<br />
..<br />
Write access: Allows data recipients to make<br />
modifications to customers’ financial data held by<br />
other institutions; this would enable additional use<br />
cases such as payment initiation, account opening/<br />
closing, and changes to information (e.g., change of<br />
address) performed by the recipient on behalf of<br />
the customer.<br />
Write access enables many additional use<br />
cases, but it would also present several new<br />
complexities:<br />
on their behalf. This may threaten the safety and<br />
soundness of the financial services system and the<br />
risk posed by a breach, and would require a longer<br />
timeline to implementation to allow data generators<br />
sufficient time to build the more complex systems<br />
required to allow for third-party write access<br />
..<br />
Other concurrent efforts (e.g., Retail Payments<br />
Oversight Framework, Payments Modernization) have<br />
some overlap with certain write access functions (e.g.,<br />
payments initiation); the inclusion of such elements<br />
in the scope of an <strong>Open</strong> <strong>Banking</strong> system would<br />
require extra coordination to minimize duplicate and<br />
contradictory guidance.<br />
Precondition: Canadian Payments<br />
Modernization<br />
<strong>Open</strong> <strong>Banking</strong> is being contemplated at the same time<br />
that Payments Canada is leading modernization efforts<br />
for Canada’s two primary payments systems, the Large-<br />
Value Transfer System (LVTS) and the Automated Clearing<br />
Settlement System (ACSS). LVTS will be replaced by Lynx,<br />
a high-value payments system that will process payments<br />
in real-time with settlement finality. ACSS will be replaced<br />
by the Real-Time Rail (RTR) system and the Settlement<br />
Optimization Engine (SOE) system.<br />
..<br />
Write access introduces a number of security<br />
concerns, as data recipients would be able to make<br />
changes to customers’ accounts and move money<br />
9.
Creating an <strong>Open</strong> <strong>Banking</strong> Framework for Canada<br />
RTR will facilitate the transfer of low-value funds in realtime<br />
and will further support the development of overlay<br />
services (i.e., value-adding services owned by third<br />
parties and deployed on RTR infrastructure), ultimately<br />
spurring payment innovations. SOE will enhance the<br />
clearing of less time-sensitive batch paper and electronic<br />
payments, enabling faster and more convenient payments<br />
for businesses in Canada. Through this modernization<br />
effort – in conjunction with the Retail Payments Oversight<br />
Framework (detailed on page X) – third-party payment<br />
initiation will likely be addressed outside of an <strong>Open</strong><br />
<strong>Banking</strong> Framework.[SH(-T9]<br />
Which types of data<br />
(e.g., transaction, account balance, customer info)?<br />
Based on a review of the total scope of data access in other<br />
jurisdictions, a number of “types” of data can be identified:<br />
..<br />
Public data: Information that is readily accessible<br />
online and can be freely used, reused and<br />
redistributed by any entity (e.g., customer reviews,<br />
publicly available product information). In Canada,<br />
much of this information is already accessible<br />
programmatically through other data-sharing<br />
ecosystems (e.g., Google, Yelp, and Foursquare APIs).<br />
..<br />
Customer data: Personal and financial information<br />
provided directly by the customer to a financial<br />
services entity (e.g., personal address and<br />
contact information).<br />
..<br />
Balance data: Information pertaining to the amount<br />
of money in a deposit-based account held by the<br />
customer at any given time (e.g., e-wallet<br />
account balance).<br />
..<br />
Transaction data: Information that is generated<br />
through transaction activity on a customer’s account<br />
(e.g., withdrawals, transfers, deposits). In conjunction<br />
with customer data and balance data, transaction data<br />
facilitates the bulk of <strong>Open</strong> <strong>Banking</strong> use cases.<br />
..<br />
Identity verification results: Confirmation of a<br />
customer’s identity through a validation process<br />
using personal and financial information (e.g., KYC<br />
verification results). In Canada, there are other digital<br />
identity solutions currently in development (e.g.,<br />
Verified.me).<br />
Note: In other jurisdictions, <strong>Open</strong> <strong>Banking</strong> frameworks<br />
provide institutions with freedom to make data beyond the<br />
scope of their <strong>Open</strong> <strong>Banking</strong> framework available to third<br />
parties through private, commercial agreements.<br />
How far back must data be made available<br />
(e.g., from 2017, 2018, etc.)?<br />
Different jurisdictions have taken different approaches to<br />
historical data requirements from data generators, both<br />
in the “initiation date” (i.e., from which date onwards data<br />
must be made available upon the public launch of the <strong>Open</strong><br />
<strong>Banking</strong> framework) and the “rolling requirement” (i.e., from<br />
the date of a data request, how many months/years of<br />
historical data should be provided).<br />
..<br />
Australia:<br />
..<br />
UK:<br />
..<br />
EU:<br />
There is a direct tradeoff between the value delivered to<br />
Canadians (e.g., from longer-term uses of historical data<br />
that enable trends-based spending and savings advice) and<br />
the burden imposed on data generators; specific attention<br />
should be drawn to institutions’ existing digital datasets (i.e.,<br />
understanding how much data institutions already store<br />
digitally).<br />
10.
Creating an <strong>Open</strong> <strong>Banking</strong> Framework for Canada<br />
How is the system governed?<br />
Who should provide oversight to the <strong>Open</strong><br />
<strong>Banking</strong> system?<br />
The governance responsibilities for an <strong>Open</strong> <strong>Banking</strong><br />
system involve both the definition of the system (e.g.,<br />
developing an accreditation framework) and the ongoing<br />
operational oversight (e.g., acting as a dispute resolution<br />
body for liability issues between data generators,<br />
data recipients, and customers). Specifically, these<br />
responsibilities could include but are not limited to…<br />
Defining the <strong>Open</strong> <strong>Banking</strong> system<br />
..<br />
Developing the data-sharing standards that data<br />
generators must abide by to make customer data<br />
available.<br />
..<br />
Developing the specific accreditation criteria that<br />
governs which data recipients are allowed to request<br />
data from data generators.<br />
..<br />
Define the liability framework that clearly outlines the<br />
roles and responsibilities of data generators, data<br />
recipients, and customers.<br />
Operating the <strong>Open</strong> <strong>Banking</strong> system<br />
..<br />
Providing ongoing oversight over data generators and<br />
accredited data recipients (e.g., regularly auditing data<br />
recipients to ensure accreditation criteria are<br />
being met).<br />
..<br />
Acting as a central dispute resolution body for<br />
customer complaints and liability issues.<br />
..<br />
Support the development and execution of<br />
customer education.<br />
..<br />
Providing a mandatory insurance product (similar to<br />
the CDIC) that pays out in case of disruptive losses<br />
that lead to the complete failure of a data recipient;<br />
this program could be funded by a mandatory fee as<br />
part of the accreditation process.<br />
..<br />
Offering a digital identity, consent, and authentication<br />
management system.<br />
The responsibilities can be either consolidated into a central<br />
governance function, or distributed to data generators,<br />
data recipients, and industry bodies that represent<br />
customers (e.g., the Office of the Privacy Commissioner).<br />
This report does not attempt to outline the ideal allocation<br />
of responsibilities between these various parties. Instead,<br />
we outline several key considerations that demonstrate<br />
how the guiding principles for the <strong>Open</strong> <strong>Banking</strong> framework<br />
as a whole (on page X) could inform the distribution of<br />
responsibilities:<br />
Value focus:<br />
Prevent conflicts of interest that inhibit<br />
the delivery of value to Canadians.<br />
The governance framework should consider the<br />
interests of the parties involved in the oversight of<br />
the system. For example, neither data generators<br />
nor data recipients should have sole control over the<br />
development of an accreditation framework, as it<br />
may lead to an overly complex process (that unduly<br />
limits participation from data recipients) or an overly<br />
open ecosystem (that exposes the financial services<br />
ecosystem to undue risks). Ensuring that the interest<br />
of the customer is represented across governance<br />
functions is critical to developing an <strong>Open</strong> <strong>Banking</strong><br />
system that delivers true value for Canadians.<br />
Safety:<br />
Leverage regulatory authority where needed<br />
to protect the safety and soundness of<br />
the financial system in Canada.<br />
The governance framework should ensure that<br />
Canadians are not exposed to undue risk. For<br />
example, the system should consider where access to<br />
datasets through non-open banking methods should<br />
be permitted for data that is available through <strong>Open</strong><br />
<strong>Banking</strong>. Given the <strong>Open</strong> <strong>Banking</strong> framework should<br />
provide more secure, cost-efficient, reliable, and<br />
customer-friendly access to data, alternatives (such as<br />
screen scraping) may be a source of unnecessary risk<br />
to the system.<br />
..<br />
Manage the recovery of variable costs incurred by data<br />
generators to make data available to third parties.<br />
11.
Creating an <strong>Open</strong> <strong>Banking</strong> Framework for Canada<br />
Momentum:<br />
Efficiently leveraging the various participants<br />
in the ecosystem to minimize the<br />
duplication of effort.<br />
Given the variety of concurrent efforts regarding<br />
the oversight of financial institutions and system<br />
infrastructure (e.g., RPOF), the governance framework<br />
should be designed to minimize the duplication<br />
of responsibility between parties. Economies of<br />
scale could be realized by centralizing governance<br />
responsibilities but should be considered on a caseby-case<br />
basis to decrease the total cost of the system.<br />
For example, managing liability issues or cost recovery<br />
through a singular central entity may be helpful in<br />
simplifying these processes (at a lower cost) for all<br />
participants in the <strong>Open</strong> <strong>Banking</strong> system.<br />
How should oversight be structured?<br />
Ultimately, while the specific allocation of oversight<br />
functions between regulators, data generators, data<br />
consumers, and industry bodies that represent the<br />
customer are not outlined, there are two choices on how<br />
responsibilities should be structured: consolidated to a<br />
central body or delegated to individual market participants.<br />
For the functions that are centralized into a single “<strong>Open</strong><br />
<strong>Banking</strong> Oversight Body”, the entity could take one of<br />
three forms:<br />
1. Regulator-led: The entity (and thus the <strong>Open</strong><br />
<strong>Banking</strong> framework) is led by regulation, with input<br />
from industry participants.<br />
2. Consortium-led: The entity is led by a collaborative<br />
effort between a defined set of institutions (e.g.,<br />
Interac), separated from the business-as-usual<br />
operations of those institutions to prevent conflicts<br />
of interest.<br />
3. Industry-led: The entity is a collaborative and open<br />
entity that allows any institution meeting certain<br />
criteria (e.g., offers financial products and services) to<br />
participate in the design and oversight of<br />
<strong>Open</strong> <strong>Banking</strong>.<br />
This report is designed to offer considerations for<br />
<strong>Open</strong> <strong>Banking</strong> in Canada, regardless of which model of<br />
governance and oversight is selected in Canada, but the<br />
possible outcomes differ based on the chosen method of<br />
oversight.<br />
For example, the scope of data generators would be<br />
dependent on the type of central entity selected (if any).<br />
A regulator-led central entity would have the authority to<br />
mandate that a broad set of participants (e.g., credit unions,<br />
trusts) be included as data generators; however, both a<br />
consortium-led and an industry-led effort would rely on<br />
voluntary participation from financial institutions. As a<br />
result, the scope of data generators would likely be<br />
more limited.<br />
Ultimately, as <strong>Open</strong> <strong>Banking</strong> in Canada is explored further,<br />
the choice or the role and structure of the central body will<br />
be a key question with many follow-on effects; it is a choice<br />
that should be made early in the process of defining a<br />
framework for Canada.<br />
How do data recipients gain access to<br />
generators’ data?<br />
Two models could be used to facilitate access:<br />
1. Commonly agreed-upon accreditation requirements<br />
and standard contracts between data generators<br />
and data recipients: Access to the ecosystem would<br />
require data recipients to receive certification that<br />
demonstrates their compliance to a pre-set criteria<br />
12.
Creating an <strong>Open</strong> <strong>Banking</strong> Framework for Canada<br />
(e.g., regarding data privacy and security). Certain<br />
elements that concern the data generators’ and<br />
data recipients’ relationship (e.g., method and<br />
terms of cost recovery, liability) would be defined<br />
by a standardized contract with some flexibility to<br />
accommodate the unique circumstances of the datasharing<br />
arrangement. [SH(-T13]<br />
The intended “use case” of data is a hotly debated topic<br />
in other jurisdictions with more advanced <strong>Open</strong> <strong>Banking</strong><br />
systems. Including use case as a criteria would be helpful<br />
in protecting consumers from malicious actors; however,<br />
it may limit the scope of third party providers with novel<br />
business models, potentially limiting innovation in the<br />
marketplace.<br />
2. Bilateral commercial agreements (between data<br />
generators and data recipients): Both access to the<br />
ecosystem and specific elements would be defined<br />
through one-on-one agreements between data<br />
generators and data recipients, where parties have<br />
complete flexibility to negotiate the terms of the<br />
agreement.<br />
A commonly agreed-upon accreditation framework would<br />
simplify the process of gaining access to data, ultimately<br />
allowing more third parties to participate in the <strong>Open</strong><br />
<strong>Banking</strong> ecosystem. However, it would be less flexible<br />
to changes in marketplace dynamics, and would require<br />
continuous updating in order to accurately reflect the<br />
broader environment in Canada. Commercial agreements<br />
would more rapidly adapt to changing conditions, but<br />
may limit the efficiency of the system (e.g., financial data<br />
aggregators would be required to negotiate individual<br />
bilateral contracts with every financial institution<br />
participating in <strong>Open</strong> <strong>Banking</strong> as a data generator).<br />
If a central-accreditation-based system is selected, criteria<br />
observed in other jurisdictions could serve as inspiration for<br />
a Canadian system. Some of these criteria could include:<br />
..<br />
Security and privacy protocols: to ensure that sensitive<br />
personal and financial data is responsibly managed,<br />
and that data recipients are not introducing undue<br />
security risks to the system.<br />
..<br />
Indemnity insurance: to provide data generators with<br />
some reasonable certainty that data recipients will be<br />
able to pay out if a liability issue occurs.<br />
..<br />
Defined customer complaint management process:<br />
to provide customers with some reasonable certainty<br />
that accredited third parties will be able to support<br />
them in case of any issue.<br />
..<br />
Defined mitigation measures for material disruptions:<br />
to ensure appropriate protocols are in place in the<br />
event of system failures, security breaches and other<br />
blockages to continuity<br />
How should liability be managed?<br />
Generally, <strong>Open</strong> <strong>Banking</strong> should decrease total risk in<br />
the system by reducing the need for customers to share<br />
their banking credentials with screen scrapers to benefit<br />
from services that require their financial data. However,<br />
it may result in a shift of liability from customers (who are<br />
in breach of their contract with banks by screen scraping)<br />
to other participants in the system. As a result, a clearly<br />
defined liability framework is critical to the development of<br />
an <strong>Open</strong> <strong>Banking</strong> framework that garners buy-in from data<br />
generators and data recipients alike.<br />
However, the liability framework is highly contingent on<br />
a variety of other framework choices; included below are<br />
several principles that may be helpful in guiding its design:<br />
..<br />
Liability for data in general should be designed<br />
to be compatible with other existing relevant<br />
regulations (e.g., PIPEDA), not supersede them. This<br />
prevents the development of overlapping/conflicting<br />
requirements, ensuring that all participants<br />
have a common understanding of the roles and<br />
responsibilities of each player; additionally:<br />
..<br />
For unintentional data breaches, liability<br />
should be assigned to the party responsible<br />
for the breach itself (the data recipient in the<br />
vast majority of cases). The data recipient<br />
should have adequate liability coverage for<br />
data breaches, and any accreditation program<br />
for data recipients should include both a<br />
security standard and a liability coverage<br />
standard. This will raise customer trust in<br />
<strong>Open</strong> <strong>Banking</strong>, even after a hypothetical data<br />
breach incident occurs.<br />
..<br />
For companies intentionally misusing<br />
customer data (e.g. malicious actors acquiring<br />
accreditation), liability should be assigned to<br />
the body that a) granted that accreditation<br />
and/or b) extended that accreditation most<br />
recently.<br />
13 .
Creating an <strong>Open</strong> <strong>Banking</strong> Framework for Canada<br />
»»<br />
Data generators should have the ability to<br />
sever a linkage with a data recipient if they<br />
suspect either an unintentional data breach<br />
or misuse, and should be responsible for<br />
reporting suspected breaches/misuse within<br />
a short time period to other data generators<br />
and/or the accreditation body to minimize<br />
the impact of that breach. This is on top of<br />
any PIPEDA requirements that the breached<br />
institution must report in a similar matter.<br />
..<br />
<strong>Open</strong> <strong>Banking</strong> Participants should be responsible<br />
for their own actions, but not the actions of others<br />
(e.g., data generators should not be liable for losses<br />
caused by data recipients). While account providers<br />
are the designated first responder in case of a loss,<br />
they should have the ability to seek recourse from<br />
the responsible third parties (including all relevant<br />
expenses such as the cost of investigation). This<br />
ensures account providers are not left unfairly<br />
holding the burden of liability, leading to greater<br />
participation from account providers in<br />
<strong>Open</strong> <strong>Banking</strong>.<br />
..<br />
Data generators should have an obligation to report<br />
all in-scope information to data recipients truthfully<br />
(e.g., they cannot report false statements), but they<br />
should not be held liable for unintentional mistakes<br />
/ inaccuracies in transferred data.<br />
How does the system<br />
operate?<br />
How should consent and authentication be<br />
managed?<br />
A successful model for data-sharing should include<br />
secure and user-friendly processes for both customer<br />
authentication (i.e., verifying the customer’s identity) and<br />
consent (i.e., obtaining permission from the customer to<br />
share data with a third party).<br />
Customer authentication could be managed by the<br />
data generator or by the data consumer. Managing<br />
authentication through the data consumer may lead to<br />
smoother user experiences (since login would be completely<br />
integrated into third parties’ interfaces and match their user<br />
experience design) but may expose customers to additional<br />
risk (since their banking credentials would be shared with<br />
each third party they choose to use). Furthermore, data<br />
recipients to develop secure authentication processes<br />
could be a complex and time-consuming process and<br />
potentially act as a barrier to entry for smaller third party<br />
data recipients.<br />
If authentication is assumed to be conducted by the data<br />
generator, there are three possible models:<br />
..<br />
Embedded: At the time of authentication, the<br />
customer enters their banking credentials into a<br />
“widget” hosted and operated by the data generator<br />
that is embedded directly into a third-party interface.<br />
..<br />
Redirect-Based: At the time of authentication on<br />
a third party platform, the customer is redirected to<br />
their data generator’s website (i.e., online banking<br />
portal), where they enter their credentials; after<br />
authenticating, they are redirected back to the<br />
data recipient.<br />
..<br />
Decoupled: At the time of authentication, the<br />
customer is asked to navigate to the data generator’s<br />
online portal. After authenticating, the customer<br />
retrieves and manually copies + pastes the code,<br />
which acts as a token proving the customers’ identity,<br />
into the third-party website.<br />
Each of these methods offers its own balance between<br />
user experience and security. While the embedded<br />
workflow is convenient for customers, it creates significant<br />
opportunities for phishing. The redirect-based flow is the<br />
most common among Internet services (e.g., Facebook)<br />
and customers are largely familiar with the process. The<br />
decoupled flow is less commonly used, as it requires manual<br />
effort from customers that creates additional friction<br />
and may hinder the pace of adoption. However, it is less<br />
susceptible to phishing attacks than the other two models.<br />
Phishing is a type of socially engineered fraud where bad<br />
actors attempt to obtain sensitive information for malicious<br />
purposes using deceptive means. For example, a bad<br />
actor may set up a fake third-party website that redirects<br />
a customer to a page disguised as their banks’ interface,<br />
stealing their credentials, other personal information and,<br />
ultimately, their money.<br />
Requiring more than one form of evidence is known as<br />
“multi-factor authentication” and increases the safety of the<br />
authentication flow at the cost of user experience (e.g., by<br />
14.
Creating an <strong>Open</strong> <strong>Banking</strong> Framework for Canada<br />
requiring them to receive a code on their mobile device and<br />
inputting it into the system). Precedent in other jurisdictions<br />
(e.g., PSD2’s Strong Customer Authentication requirements)<br />
suggest that requiring more than one form of evidence is<br />
prudent.<br />
Authentication can rely on<br />
a combination of evidence:<br />
..<br />
Knowledge (e.g., password)<br />
..<br />
Possession (e.g., key, mobile phone)<br />
..<br />
Inherence (e.g., fingerprint)<br />
Precondition: Role of a Digital ID Utility<br />
Digital ID is the electronic storage of identity information<br />
that allows people to identify themselves online without<br />
having to continuously present physical documentation. If<br />
a standard form of Digital ID is developed and mandated in<br />
Canada, authentication would not need to happen entirely<br />
on the bank’s online interface. The utility providing the<br />
Digital ID service could serve as the central authentication<br />
manager, leading to greater safety and security, improved<br />
user experience, and reduced authentication costs for<br />
market participants.<br />
authentication and consent process is not a barrier<br />
to <strong>Open</strong> <strong>Banking</strong> adoption. Abiding by this principle<br />
will help enforce transparency and ensure that<br />
the consent is meaningful and informed. A robust<br />
customer consent process is critical to a Canadian<br />
<strong>Open</strong> <strong>Banking</strong> regime, as current privacy legislation<br />
(i.e., PIPEDA) has underdeveloped standards<br />
of consent in regard to both explicitness and<br />
enforcement, due to its age.<br />
..<br />
Customers should be able to withdraw consent at<br />
any time. In line with the shift of data ownership<br />
back into customers’ hands, they should be able to<br />
revoke access if desired. However, the original data<br />
held by the data generator should not fall under this<br />
principle, as it is often required by existing regulatory<br />
frameworks for AML purposes.<br />
Precondition: Updates to PIPEDA<br />
<strong>Open</strong> <strong>Banking</strong> is reliant on privacy law reform as privacy<br />
laws regulate how information should be kept, stored and<br />
used; <strong>Open</strong> <strong>Banking</strong> expands on that by regulating how it<br />
should be shared between financial institutions and third<br />
party providers.<br />
Canada is in the midst of a consultation process for changes<br />
to PIPEDA, which would bring it into line with much of the<br />
changes brought by the European Union’s General Data<br />
Protection Regulation (GDPR). GDPR mandates financial<br />
institutions to erase customer data (collected directly from<br />
customers and received from third parties) upon customer<br />
request if one of the following six conditions is met:<br />
Under <strong>Open</strong> <strong>Banking</strong>, customers will be the controllers<br />
of their own data and should be able to provide specific<br />
direction regarding the transfer and use of that data. The<br />
consent on how this data is used could occur on the data<br />
generators’ side, data recipients’ side, or both.<br />
Regardless of which model of consent is chosen, several<br />
common principles can be garnered from precedent set by<br />
other jurisdictions:<br />
..<br />
Consent prompts should be simple (e.g., written in<br />
plain language, display all the important information<br />
concisely on one screen). This ensures that the<br />
I. The personal data is no longer necessary in relation<br />
to the purposes for which they were collected or<br />
otherwise processed.<br />
II. The data subject withdraws consent […]<br />
III. The data subject objects to the processing […] and<br />
there are no overriding legitimate grounds for the<br />
processing […]<br />
IV. The personal data have been unlawfully processed<br />
V. The personal data have to be erased for compliance<br />
with a legal obligation […]<br />
VI. The personal data have been collected in relation to<br />
the offer of information society services […]<br />
This regulation expands across digital and physical<br />
documentation and includes backup files. However, the<br />
right to be forgotten may be overruled, or delayed, for some<br />
or all data classes due to regulatory obligations imposed<br />
on the controller of that data (e.g., record-keeping for<br />
accounting and taxation).<br />
15 .
Creating an <strong>Open</strong> <strong>Banking</strong> Framework for Canada<br />
It is uncertain how closely changes to PIPEDA will reflect<br />
the privacy stipulations outlined in GDPR. Nonetheless, as<br />
<strong>Open</strong> <strong>Banking</strong> is developed in Canada, care must be taken<br />
to ensure that <strong>Open</strong> <strong>Banking</strong> a) is abiding by any changes to<br />
PIPEDA, and b) there are no gaps in coverage with respect<br />
to the consensual sharing of financial services data between<br />
<strong>Open</strong> <strong>Banking</strong> and PIPEDA.<br />
What is the supporting economic model?<br />
In order to make data available, data generators are likely to<br />
incur upfront fixed costs (i.e., system upgrades and changes)<br />
as well as ongoing variable costs (i.e., costs of fulfilling data<br />
requests). Whether data generators are able to recover their<br />
variable costs (e.g., through a minimal fee charged to data<br />
recipients) is a critical decision for the design of an <strong>Open</strong><br />
<strong>Banking</strong> framework. There are several considerations that<br />
can support the choice:<br />
..<br />
Fairness to data generators: Beyond the direct costs<br />
of making data available, data generators are likely<br />
to face additional indirect expenses (e.g., customer<br />
complaint management); ensuring that they are able to<br />
sustainably perform these functions ensures that data<br />
generators are not unfairly burdened by the process.<br />
..<br />
Barrier to entry: Charging fees for access to data may<br />
act as a barrier to the market; this could be considered<br />
a negative (i.e., stifling innovation) or a positive (i.e.,<br />
stifling the creation of low-value use cases), depending<br />
on the size of the data transfer fee<br />
How often should data requests be allowed?<br />
In the UK, data recipients are limited to making 4 requests<br />
in a 24 hour period, unless a higher frequency is agreed to<br />
in a commercial agreement between the data generator<br />
and data recipient. However, customers can initiate data<br />
requests an unlimited number of times, which is similar to<br />
the level of access currently provisioned through online<br />
banking services. (i.e., customer has 24/7 access to their<br />
banking information through the bank’s online interface).<br />
Allowing for a large number of requests enables additional<br />
use cases (e.g., an account balance monitor that notifies<br />
users when they are approaching overdraft), at the cost of<br />
burden to data generators (i.e., of data transfer). Depending<br />
on whether a fee is charged to data recipients for every<br />
request they make, a limit may or may not be necessary to<br />
prevent data generators from being overwhelmed by a large<br />
volume of requests.<br />
..<br />
Comparison to current state for data recipients:<br />
API-based solutions are likely to be significantly less<br />
resource-intensive (and thus, less costly) than the<br />
solutions that data recipients use today; as a result,<br />
the costs of accessing customers’ financial data for<br />
data recipients is likely to be lower than the<br />
current state.<br />
16.
Creating an <strong>Open</strong> <strong>Banking</strong> Framework for Canada<br />
Conclusion<br />
Canada sits at an inflection point in the modernization of its financial services ecosystem. When looked<br />
at in conjunction with payments modernization and an expected overhaul of privacy legislation via<br />
PIPEDA, <strong>Open</strong> <strong>Banking</strong> represents the third pillar of a new landscape, one that will reshape customer<br />
expectations for the delivery and consumption of financial services. It will do so by:<br />
..<br />
Lowering barriers for customer movement between organizations.<br />
..<br />
Allowing for more personalized and tailored experiences.<br />
..<br />
Automating unnecessary procedures and tasks.<br />
However, this will not lead to a drastically different financial services ecosystem overnight. Rather,<br />
Deloitte predicts that the major changes arising from <strong>Open</strong> <strong>Banking</strong> will arrive in time, meaning that a<br />
window of opportunity exists for all organizations to prepare - either to defend their market share and<br />
customers, or to shift their position within the ecosystem. In other words, this is not just an opportunity<br />
for new entrants, but also for incumbents to address the pain points in their current banking solutions,<br />
in order to reshape the market and come out ahead.<br />
Lastly, <strong>Open</strong> <strong>Banking</strong> is just one step in a broader movement of returning customer data ownership<br />
back to where it belongs - with the end customer. Customers’ right to data ownership is about far more<br />
than just financial data, which means that <strong>Open</strong> <strong>Banking</strong> should set the precedent for the opening<br />
up of other industries as well. By taking the first step, <strong>Open</strong> <strong>Banking</strong> can act as a template for others,<br />
illustrating the leadership role that Financial Services has in Canadian society, and in protecting the<br />
customer above all.<br />
Footnotes:<br />
[1] CIRA Internet Factbook 2017<br />
[2] eMarketer Digital <strong>Banking</strong> Adoption Rates<br />
[3] OSFI Annual Report 2016/17<br />
17 .
Creating an <strong>Open</strong> <strong>Banking</strong> Framework for Canada<br />
Contributors<br />
18.
Creating an <strong>Open</strong> <strong>Banking</strong> Framework for Canada<br />
19.
www.deloitte.ca<br />
Deloitte provides audit & assurance, consulting, financial advisory, risk advisory,<br />
tax and related services to public and private clients spanning multiple<br />
industries. Deloitte serves four out of five Fortune Global 500® companies<br />
through a globally connected network of member firms in more than 150<br />
countries and territories bringing world-class capabilities, insights and service<br />
to address clients’ most complex business challenges. To learn more about<br />
how Deloitte’s approximately 264,000 professionals—9,400 of whom are based<br />
in Canada—make an impact that matters, please connect with us on LinkedIn,<br />
Twitter or Facebook.<br />
Deloitte LLP, an Ontario limited liability partnership, is the Canadian member<br />
firm of Deloitte Touche Tohmatsu Limited. Deloitte refers to one or more<br />
of Deloitte Touche Tohmatsu Limited, a UK private company limited by<br />
guarantee, and its network of member firms, each of which is a legally separate<br />
and independent entity. Please see www.deloitte.com/about for a detailed<br />
description of the legal structure of Deloitte Touche Tohmatsu Limited and its<br />
member firms.<br />
© Deloitte LLP and affiliated entities.<br />
Designed and produced by the Deloitte Design Studio, Canada.