Open Banking Concept

Creating an Open Banking 

Framework for Canada 

October 2018

Creating an Open Banking Framework for Canada 

Table of Contents 

Executive Summary............................................................................1 

Introduction........................................................................................2 

What is Open Banking?..................................................................................................2 

Driving Forces of the Open Banking Movement.........................................................2 

Current Open Banking Methods in Financial Services...............................................3 

Global Precedents and the Canadian Context.........................................................3/4 

Guiding Principles...............................................................................5 

An Open Banking Framework...........................................................6 

Which accounts should be included?...........................................................................6 

Who are the participants in the Open Banking System?...........................................8 

What data and level of access are data recipients provided?...................................9 

Which types of data (e.g., transaction, account balance, customer info)?............10 

How is the system governed?.....................................................................................11 

How does the system operate?..................................................................................14 

Conclusion.........................................................................................17 

Contributors......................................................................................18 

1.


Executive Summary 

1.


Introduction 

What is Open Banking? 

Open Banking is a global movement that promotes customers’ right to share their financial 

information with third parties. 

While many global jurisdictions have legislated Open Banking policies, Open Banking is 

broader than just policy - rather, it is part of a broader movement of customer, technological, 

and regulatory shifts that facilitate customers regaining control of their own data and for that 

data to be easily portable between institutions. 

Driving Forces of the Open Banking Movement 

The rise of the fourth industrial revolution has been marked 

by the emergence of companies that monetize customer 

data to deliver value. Businesses, governments, and 

customers are embracing the idea that customer data has 

inherent value, and that customers should have ultimate 

control over usage of their data. As a result, the concept of 

customer ownership and control of their data, as well as 

data portability, has become a key pillar of modern privacy 

principles. 

In the financial services industry (which generates and 

processes a vast amount of personal data) various data 

sharing practices – from Extract Transform Load to APIs - 

have emerged over the past two decades to meet growing 

customer demand for better interoperability and visibility. 

Over the past few years, regional efforts to create a 

harmonized approach to enable data sharing while 

addressing security, privacy and interoperability challenges 

have resulted in both regulatory actions and industry-driven 

collaborations in various jurisdictions around the world – 

efforts that Canada can learn from. 

This paper aims to discuss the key choices 

that define an Open Banking framework and 

their downstream implications, independent 

of whether the framework is driven by a 

policy or by the market participants. 

Emergence of the Data Economy 

Over the last few decades, advancements in technology 

have made data significantly more accessible, while 

driving down the cost of their acquisition and processing. 

Concurrently, organizations have realized the importance 

of using data to both improve operations and strengthen 

relationships with customers. This has bolstered the value 

that market participants assign to data, ultimately spurring 

innovation that enables businesses and customers to 

benefit from its inherent value. 

2.


Current Open Banking Methods in Financial Services 

A variety of technologies already enable the sharing of 

customers’ financial data: CSV downloads, screen scraping, 

closed APIs, and open APIs. In addition to this, jurisdictions 

including the EU, the UK, and Australia have started to develop 

agreed-upon Open Banking frameworks to govern the use of 

open APIs in the financial services industry. 

The development of a harmonized and agreed-upon Open 

Banking framework would ensure a secure and efficient system 

for data sharing, providing a number of benefits: 

(concerned about the misuse of their data) and financial 

institutions (concerned about new liability and reputational 

risks posed by third parties). 

.. 

Improved accessibility, as it materially reduces the cost 

of data sharing amongst financial services organizations 

through the establishment of Open APIs and the transfer of 

data control to the customer. 

.. 

Increased interoperability, driven by the widespread 

adoption of standardized data-sharing protocols and 

guidelines, making it easier for third parties to access 

customer data and deliver new value for customers. 

.. 

Greater reliability and security, as it provides a safer 

and more stable alternative to current data sharing 

practices (e.g., screen scraping). 

.. 

Clearly defined standards on issues such as liability, 

leading to a higher degree of confidence and participation 

in the data-sharing ecosystem from both customers 

Global Precedents and the Canadian Context 

These forces driving increases in data sharing - in conjunction 

with the limitations of existing solutions - have led to the 

development of agreed-upon Open Banking frameworks in other 

jurisdictions around the world. However, there is a high degree of 

variation in the specific design in each jurisdiction: 

.. 

In the UK, Open Banking regulation was driven by a policy 

objective to decrease the market power of the largest 

9 banks in an effort to increase the range of service 

providers in the market. In its 2016 Retail Banking Market 

Investigation, the Competition and Markets Authority 

concluded that “older and larger banks do not have to 

compete hard enough for customers’ business, and smaller 

and newer banks find it difficult to grow. This means that 

many people are paying more than they should and are not 

benefiting from new services”. 

.. 

In Australia, Open Banking regulation was driven by 

regulators in an effort to empower customers to own and 

benefit from their data. The government’s review into Open 

Banking identified that it is useful in “providing customers 

with better access to [financial] data [and] reduces the 

time, cost and inconvenience associated with identifying 

and selecting financial products and services. When 

consumers make better choices about how and what to 

consume, the industry affected is driven to become more 

efficient and competitive.” The movement is broader than 

financial services, and is expected to eventually encompass 

telecom and utilities; initially, all Authorized Deposit-taking 

Institutions are subjected to the legislation; 

.. 

In Japan, the Open Banking movement was triggered 

due to heavy market-reliance on cash payments and the 

framework aims to modernize the banking system and 

promote adoption of lagging card-based debit online 

payments; 

.. 

In the EU, the objectives of Open Banking policy were to 

better harmonize the EU banking sector, modernize the 

banking system, and provide customers with alternatives to 

big banks that were involved in systemic failure. All Account 

Service Payment Service Providers (ASPSPs) across the EU 

are subject to Open Banking; 

3.


.. 

In the US, a market-driven approach was taken: although 

some regulatory bodies have issued non-binding 

guidelines, individual financial institutions have largely 

developed their own approach to open banking as a source 

of competitive advantage; 

.. 

In Singapore, mandatory Open Banking regulation has not 

been enacted. However, financial institutions have started 

to share data with third parties using open APIs under 

the strong encouragement and guidance of the Monetary 

Authority of Singapore (MAS). 

Differing circumstances have resulted in varying policy and 

design choices across jurisdictions. Similarly, the Canadian Open 

Banking framework should be purposefully designed based on 

Canada’s unique characteristics, including: 

.. 

A sound financial services system that has not 

experienced systemic failure or relied on public funding. 

.. 

A bifurcated regulatory landscape where federal and 

provincial bodies govern different entities, but with a 

manageable number of institutions. This creates complexity 

in developing standardized approaches and governing 

Open Banking participants (compared to jurisdictions with 

central oversight - e.g., UK). 

.. 

Lack of governance for non-traditional entities that 

do not fit into existing definitions of “financial institutions”, 

which may expose customers to new sources of risk 

without protection, or expose the financial services 

ecosystem to foreign institutions. 

.. 

Ongoing efforts to strengthen Canadian privacy 

legislation through proposed amendments to the 

Personal Information Protection and Electronic Documents 

Act (PIPEDA), which would act as guardrails for an 

Open Banking framework on the permitted usage, data 

management, and disclosure requirements. 

.. 

Ongoing payments modernization efforts to enhance 

Canadian payments infrastructure, which may address 

certain elements of an Open Banking framework (e.g., thirdparty 

payment initiation) 

As a result of these unique circumstances, Open 

Banking in Canada should… 

1. Focus on delivering value to Canadians: Open 

Banking presents an opportunity to develop a 

governance framework for non-traditional financial 

services providers (in conjunction with other 

concurrent efforts in Canada) and spur innovation. 

These unique objectives indicate that the design of an Open 

Banking framework in Canada should differ from those 

observed in other geographies; while certain elements 

may be transferable, Open Banking in Canada should be 

developed from the ground-up with the country’s unique 

circumstances in mind. 

2. Increase transparency and ownership of 

customer data: Open Banking should align to the 

broad, industry-agnostic movement that is returning 

control of data to the hands of customer. 

3. De-risk the sharing of financial data: current 

financial data-sharing methods threaten the safety and 

stability of the financial services system by requiring 

customers to share their banking credentials with third 

parties. 

4. Not unduly burden certain institutions: given 

the stable financial services system that has not 

faced systemic failure on the scale observed in other 

jurisdictions, punitive intent against specific institutions 

should not be a key objective of Open Banking. 

4.


Guiding Principles for 

Open Banking 

In the 2018 budget, the government of Canada refers to “a review of the merits of open 

banking in order to assess whether open banking would deliver positive results for 

Canadians with the highest regard for customer privacy, data security and financial 

stability.” 

Delivering positive results for Canadians is two-sided. On one side, Open Banking should 

support the development of a new ecosystem of financial services, delivered by market 

participants. On the other, Open Banking should continue to protect and maintain the 

value customers enjoy today (i.e., safe and reliable financial services). As a result, several 

key principles can be articulated to guide the design of Open Banking in Canada. The 

framework should be: 

1. Value Focus: 

Focus on delivering true value to Canadians, 

without placing undue burdens (e.g., of cost, 

risk exposure) on any participant. 

2. Transparency: 

Ensure customers are fully informed of their 

rights and responsibilities regarding the 

transfer, possession, and usage of their data. 

3. Safety: 

Balance customer convenience with safety 

and security. 

4. Momentum: 

Prioritize speed to market over a wide scope 

of products and / or data. 

This report presents several thoughts for consideration against the key 

choices that define an Open Banking framework - all focused on the key 

objective of delivering positive results for Canadians. 

5.


An Open Banking 

Framework for Canada 

Framework Overview 

The following provides considerations on the design choices of a Canadian 

Open Banking framework, considering the choices and outcomes observed 

in other jurisdictions, and consideration for Canada’s unique context. 

Which accounts should be included? 

What functions are covered (e.g., deposits, 

lending, wealth)? 

Including different functions would enable a different scope 

of use-cases for third party providers: 

clearly defined in order to prevent confusion around which 

institutions are in scope and which are not. 

Are online accounts in scope? Are offline 

accounts in scope? 

Deposits and lending accounts: allow for most cash-flow 

management use cases 

Plus Wealth: allow for personal financial management 

use cases 

Plus Insurance: allow for total financial management use 

cases 

While increasing the breadth of accounts in scope enables 

a broader suite of use cases, it places additional burden 

on data generators to make data available to third parties; 

specifically, certain forms of data (e.g., wealth, insurance) are 

not fully digitized and would require expensive and timeconsuming 

systems restructuring. 

Other jurisdictions that have clearly defined an Open 

Banking framework (i.e., the EU, UK, and Australia) have 

all taken unique approaches. The UK and Australia have 

taken an account-based approach, defining specific types 

of accounts that are included. The EU defined the scope 

on an activity basis (i.e., “all online payment accounts”), 

which includes any type of payment account. Like the 

UK and Australia, the EU’s definition includes chequing 

accounts, credit cards, etc., but also may include other 

comparable accounts such as online wallets (e.g., PayPal). 

An activity-based approach has the benefit of more fairly 

requiring participation from institutions but needs to be 

When deciding between online and offline accounts, there 

are two key considerations: 

1. Scope of work: Having institutions make data 

available that is not currently stored digitally available 

would result in significant additional complexity (in 

digitizing existing datasets and building brand new 

digital processes to make new data available digitally); 

this would increase the cost of implementation for 

institutions and likely result in a longer timeline to 

launch. 

2. Scope of customers: As of 2016, ~90% of Canadians 

have regular access to the Internet, and ~80% of 

these users use some form of online banking (and 

this number is projected to increase over time). 

Furthermore, many of the use cases of Open Banking 

would be delivered through digital means (e.g., 

websites, apps) 

Developing a deeper understanding of how many 

Canadians would be involuntarily excluded from Open 

Banking if non-digital data is excluded from scope is crucial 

to understanding if the additional complexity and cost to 

financial institutions is justified. 

6.


Which types of users are covered (i.e., 

personal vs. commercial)? 

For each type of user, there exists a tradeoff between 

implementation cost and complexity, and value to 

consumers. Currently, different users are afforded different 

levels of service: retail (i.e., personal) account holders 

receive largely off-the-shelf products and services, while 

large corporate account holders are already provided 

with some of the benefits that new solutions under Open 

Banking would support (e.g., personalized cash flow 

management and advice), and SMEs receive a mix of off-theshelf 

and easily customized offerings, as befits their position 

between retail and large corporate customers. 

Timeline: 

The framework should be designed to stage out the 

functions and types of users in scope over time. The 

introduction of every additional function and/or type of 

users adds complexity to the framework, both for data 

generators (in terms of implementation) and for governance 

(as the number of institutions in scope would increase). As 

a result, staging the implementation will ensure that the 

framework is able to evolve safely, without exposing the 

financial services ecosystem of Canada to undue risk. 

Who are the participants in 

the Open Banking system? 

Who is required to open access to their data? 

The requirement to open access to data can be institutionbased 

(i.e., all financial institutions with a certain 

classification, such as Schedule II and Schedule I banks), 

or activity-based (i.e., all financial institutions that provide 

Canadians with the functions discussed on page X). An 

activity-based approach would ensure that the framework is 

flexible to adapt to new types of non-traditional institutions 

that may emerge over time and may foster a more level 

playing field where all players offering competing products 

and services are required to make data available regardless 

of their legal classification. 

However, it creates a more nebulous governance 

environment, as lines between institutions in-scope and 

out of scope blurs (e.g., would PayPal’s online wallet be 

considered a “deposit account”?). Furthermore, the current 

financial regulatory systems in Canada are institution-based, 

meaning activity-based requirements would necessitate 

either a change in scope or a new regulatory body. 

What are the allowable types of data 

recipients? 

There are two types of data recipients: data consumers 

and data transporters. Data consumers are end-users of 

customers’ financial data (e.g., Fintechs and other thirdparty 

providers) while data transporters are intermediaries 

that facilitate the flow of data to data customers. The key 

difference between the two is that the latter does not 

create value from the storage of data. Data consumers are 

a prerequisite for Open Banking, bu t data transporters are 

not necessarily required. 

They introduce significant risk to the ecosystem by acting 

as a central source of large volumes of data (where a 

single breach would result in the potential misuse of many 

data generators and customers’ data). However, they also 

provide value to the ecosystem by creating interoperability 

between financial institutions, as well as across geographies 

where differing Open Banking systems have already been 

implemented. 

Ultimately, the value of Data Transporters is dependent on 

the level of standardization of the data transfer mechanisms 

employed by the various data generators in scope. This is 

explored in greater detail in X. 

Precondition: Governance of Non-Traditional Payment 

Service Providers (PSP) 

Existing payments regulation in Canada is heavily focused 

on governing systemically important and prominent 

national payment systems (i.e., LVTS and ACSS); thus, nontraditional 

PSPs (i.e., Fintechs that manage flows of money 

outside of the core systems) are not subject to regulatory 

oversight. 

There is currently an effort underway - the Retail Payments 

Oversight Framework (RPOF) - to govern non-traditional 

PSPs effectively, thereby ensuring the safety and soundness 

of the Canadian payments ecosystem, fostering efficiency 

and innovation within payments, and protecting end-user 

interests (e.g., privacy). 

8.


Open Banking’s accreditation process is likely to involve many of 

these same players, so it is important that the RPOF and Open 

Banking regime are co-developed. This would help prevent 

the creation of conflicting and overlapping legislation and 

optimize the allocation of resources and responsibilities across 

regulatory bodies. 

What data and level of 

access are data 

recipients provided? 

What access rights do data recipients have 

(e.g., read vs. write)? 

There are two types of access that data recipients could 

be granted: 

Write access: Allows data recipients to make modifications 

to customers’ financial data held by other institutions; 

this would enable additional use cases such as payment 

initiation, account opening/closing, and changes to 

information (e.g., change of address) performed by the 

recipient on behalf of the customer 

.. 

Read access: Allows data recipients to obtain copies 

of customers’ financial data; this supports use cases 

such as data aggregation. 

.. 

Write access: Allows data recipients to make 

modifications to customers’ financial data held by 

other institutions; this would enable additional use 

cases such as payment initiation, account opening/ 

closing, and changes to information (e.g., change of 

address) performed by the recipient on behalf of 

the customer. 

Write access enables many additional use 

cases, but it would also present several new 

complexities: 

on their behalf. This may threaten the safety and 

soundness of the financial services system and the 

risk posed by a breach, and would require a longer 

timeline to implementation to allow data generators 

sufficient time to build the more complex systems 

required to allow for third-party write access 

.. 

Other concurrent efforts (e.g., Retail Payments 

Oversight Framework, Payments Modernization) have 

some overlap with certain write access functions (e.g., 

payments initiation); the inclusion of such elements 

in the scope of an Open Banking system would 

require extra coordination to minimize duplicate and 

contradictory guidance. 

Precondition: Canadian Payments 

Modernization 

Open Banking is being contemplated at the same time 

that Payments Canada is leading modernization efforts 

for Canada’s two primary payments systems, the Large- 

Value Transfer System (LVTS) and the Automated Clearing 

Settlement System (ACSS). LVTS will be replaced by Lynx, 

a high-value payments system that will process payments 

in real-time with settlement finality. ACSS will be replaced 

by the Real-Time Rail (RTR) system and the Settlement 

Optimization Engine (SOE) system. 

.. 

Write access introduces a number of security 

concerns, as data recipients would be able to make 

changes to customers’ accounts and move money 

9.


RTR will facilitate the transfer of low-value funds in realtime 

and will further support the development of overlay 

services (i.e., value-adding services owned by third 

parties and deployed on RTR infrastructure), ultimately 

spurring payment innovations. SOE will enhance the 

clearing of less time-sensitive batch paper and electronic 

payments, enabling faster and more convenient payments 

for businesses in Canada. Through this modernization 

effort – in conjunction with the Retail Payments Oversight 

Framework (detailed on page X) – third-party payment 

initiation will likely be addressed outside of an Open 

Banking Framework.[SH(-T9] 

Which types of data 

(e.g., transaction, account balance, customer info)? 

Based on a review of the total scope of data access in other 

jurisdictions, a number of “types” of data can be identified: 

.. 

Public data: Information that is readily accessible 

online and can be freely used, reused and 

redistributed by any entity (e.g., customer reviews, 

publicly available product information). In Canada, 

much of this information is already accessible 

programmatically through other data-sharing 

ecosystems (e.g., Google, Yelp, and Foursquare APIs). 

.. 

Customer data: Personal and financial information 

provided directly by the customer to a financial 

services entity (e.g., personal address and 

contact information). 

.. 

Balance data: Information pertaining to the amount 

of money in a deposit-based account held by the 

customer at any given time (e.g., e-wallet 

account balance). 

.. 

Transaction data: Information that is generated 

through transaction activity on a customer’s account 

(e.g., withdrawals, transfers, deposits). In conjunction 

with customer data and balance data, transaction data 

facilitates the bulk of Open Banking use cases. 

.. 

Identity verification results: Confirmation of a 

customer’s identity through a validation process 

using personal and financial information (e.g., KYC 

verification results). In Canada, there are other digital 

identity solutions currently in development (e.g., 

Verified.me). 

Note: In other jurisdictions, Open Banking frameworks 

provide institutions with freedom to make data beyond the 

scope of their Open Banking framework available to third 

parties through private, commercial agreements. 

How far back must data be made available 

(e.g., from 2017, 2018, etc.)? 

Different jurisdictions have taken different approaches to 

historical data requirements from data generators, both 

in the “initiation date” (i.e., from which date onwards data 

must be made available upon the public launch of the Open 

Banking framework) and the “rolling requirement” (i.e., from 

the date of a data request, how many months/years of 

historical data should be provided). 

.. 

Australia: 

.. 

UK: 

.. 

EU: 

There is a direct tradeoff between the value delivered to 

Canadians (e.g., from longer-term uses of historical data 

that enable trends-based spending and savings advice) and 

the burden imposed on data generators; specific attention 

should be drawn to institutions’ existing digital datasets (i.e., 

understanding how much data institutions already store 

digitally). 

10.


How is the system governed? 

Who should provide oversight to the Open 

Banking system? 

The governance responsibilities for an Open Banking 

system involve both the definition of the system (e.g., 

developing an accreditation framework) and the ongoing 

operational oversight (e.g., acting as a dispute resolution 

body for liability issues between data generators, 

data recipients, and customers). Specifically, these 

responsibilities could include but are not limited to… 

Defining the Open Banking system 

.. 

Developing the data-sharing standards that data 

generators must abide by to make customer data 

available. 

.. 

Developing the specific accreditation criteria that 

governs which data recipients are allowed to request 

data from data generators. 

.. 

Define the liability framework that clearly outlines the 

roles and responsibilities of data generators, data 

recipients, and customers. 

Operating the Open Banking system 

.. 

Providing ongoing oversight over data generators and 

accredited data recipients (e.g., regularly auditing data 

recipients to ensure accreditation criteria are 

being met). 

.. 

Acting as a central dispute resolution body for 

customer complaints and liability issues. 

.. 

Support the development and execution of 

customer education. 

.. 

Providing a mandatory insurance product (similar to 

the CDIC) that pays out in case of disruptive losses 

that lead to the complete failure of a data recipient; 

this program could be funded by a mandatory fee as 

part of the accreditation process. 

.. 

Offering a digital identity, consent, and authentication 

management system. 

The responsibilities can be either consolidated into a central 

governance function, or distributed to data generators, 

data recipients, and industry bodies that represent 

customers (e.g., the Office of the Privacy Commissioner). 

This report does not attempt to outline the ideal allocation 

of responsibilities between these various parties. Instead, 

we outline several key considerations that demonstrate 

how the guiding principles for the Open Banking framework 

as a whole (on page X) could inform the distribution of 

responsibilities: 

Value focus: 

Prevent conflicts of interest that inhibit 

the delivery of value to Canadians. 

The governance framework should consider the 

interests of the parties involved in the oversight of 

the system. For example, neither data generators 

nor data recipients should have sole control over the 

development of an accreditation framework, as it 

may lead to an overly complex process (that unduly 

limits participation from data recipients) or an overly 

open ecosystem (that exposes the financial services 

ecosystem to undue risks). Ensuring that the interest 

of the customer is represented across governance 

functions is critical to developing an Open Banking 

system that delivers true value for Canadians. 

Safety: 

Leverage regulatory authority where needed 

to protect the safety and soundness of 

the financial system in Canada. 

The governance framework should ensure that 

Canadians are not exposed to undue risk. For 

example, the system should consider where access to 

datasets through non-open banking methods should 

be permitted for data that is available through Open 

Banking. Given the Open Banking framework should 

provide more secure, cost-efficient, reliable, and 

customer-friendly access to data, alternatives (such as 

screen scraping) may be a source of unnecessary risk 

to the system. 

.. 

Manage the recovery of variable costs incurred by data 

generators to make data available to third parties. 

11.


Momentum: 

Efficiently leveraging the various participants 

in the ecosystem to minimize the 

duplication of effort. 

Given the variety of concurrent efforts regarding 

the oversight of financial institutions and system 

infrastructure (e.g., RPOF), the governance framework 

should be designed to minimize the duplication 

of responsibility between parties. Economies of 

scale could be realized by centralizing governance 

responsibilities but should be considered on a caseby-case 

basis to decrease the total cost of the system. 

For example, managing liability issues or cost recovery 

through a singular central entity may be helpful in 

simplifying these processes (at a lower cost) for all 

participants in the Open Banking system. 

How should oversight be structured? 

Ultimately, while the specific allocation of oversight 

functions between regulators, data generators, data 

consumers, and industry bodies that represent the 

customer are not outlined, there are two choices on how 

responsibilities should be structured: consolidated to a 

central body or delegated to individual market participants. 

For the functions that are centralized into a single “Open 

Banking Oversight Body”, the entity could take one of 

three forms: 

1. Regulator-led: The entity (and thus the Open 

Banking framework) is led by regulation, with input 

from industry participants. 

2. Consortium-led: The entity is led by a collaborative 

effort between a defined set of institutions (e.g., 

Interac), separated from the business-as-usual 

operations of those institutions to prevent conflicts 

of interest. 

3. Industry-led: The entity is a collaborative and open 

entity that allows any institution meeting certain 

criteria (e.g., offers financial products and services) to 

participate in the design and oversight of 

Open Banking. 

This report is designed to offer considerations for 

Open Banking in Canada, regardless of which model of 

governance and oversight is selected in Canada, but the 

possible outcomes differ based on the chosen method of 

oversight. 

For example, the scope of data generators would be 

dependent on the type of central entity selected (if any). 

A regulator-led central entity would have the authority to 

mandate that a broad set of participants (e.g., credit unions, 

trusts) be included as data generators; however, both a 

consortium-led and an industry-led effort would rely on 

voluntary participation from financial institutions. As a 

result, the scope of data generators would likely be 

more limited. 

Ultimately, as Open Banking in Canada is explored further, 

the choice or the role and structure of the central body will 

be a key question with many follow-on effects; it is a choice 

that should be made early in the process of defining a 

framework for Canada. 

How do data recipients gain access to 

generators’ data? 

Two models could be used to facilitate access: 

1. Commonly agreed-upon accreditation requirements 

and standard contracts between data generators 

and data recipients: Access to the ecosystem would 

require data recipients to receive certification that 

demonstrates their compliance to a pre-set criteria 

12.


(e.g., regarding data privacy and security). Certain 

elements that concern the data generators’ and 

data recipients’ relationship (e.g., method and 

terms of cost recovery, liability) would be defined 

by a standardized contract with some flexibility to 

accommodate the unique circumstances of the datasharing 

arrangement. [SH(-T13] 

The intended “use case” of data is a hotly debated topic 

in other jurisdictions with more advanced Open Banking 

systems. Including use case as a criteria would be helpful 

in protecting consumers from malicious actors; however, 

it may limit the scope of third party providers with novel 

business models, potentially limiting innovation in the 

marketplace. 

2. Bilateral commercial agreements (between data 

generators and data recipients): Both access to the 

ecosystem and specific elements would be defined 

through one-on-one agreements between data 

generators and data recipients, where parties have 

complete flexibility to negotiate the terms of the 

agreement. 

A commonly agreed-upon accreditation framework would 

simplify the process of gaining access to data, ultimately 

allowing more third parties to participate in the Open 

Banking ecosystem. However, it would be less flexible 

to changes in marketplace dynamics, and would require 

continuous updating in order to accurately reflect the 

broader environment in Canada. Commercial agreements 

would more rapidly adapt to changing conditions, but 

may limit the efficiency of the system (e.g., financial data 

aggregators would be required to negotiate individual 

bilateral contracts with every financial institution 

participating in Open Banking as a data generator). 

If a central-accreditation-based system is selected, criteria 

observed in other jurisdictions could serve as inspiration for 

a Canadian system. Some of these criteria could include: 

.. 

Security and privacy protocols: to ensure that sensitive 

personal and financial data is responsibly managed, 

and that data recipients are not introducing undue 

security risks to the system. 

.. 

Indemnity insurance: to provide data generators with 

some reasonable certainty that data recipients will be 

able to pay out if a liability issue occurs. 

.. 

Defined customer complaint management process: 

to provide customers with some reasonable certainty 

that accredited third parties will be able to support 

them in case of any issue. 

.. 

Defined mitigation measures for material disruptions: 

to ensure appropriate protocols are in place in the 

event of system failures, security breaches and other 

blockages to continuity 

How should liability be managed? 

Generally, Open Banking should decrease total risk in 

the system by reducing the need for customers to share 

their banking credentials with screen scrapers to benefit 

from services that require their financial data. However, 

it may result in a shift of liability from customers (who are 

in breach of their contract with banks by screen scraping) 

to other participants in the system. As a result, a clearly 

defined liability framework is critical to the development of 

an Open Banking framework that garners buy-in from data 

generators and data recipients alike. 

However, the liability framework is highly contingent on 

a variety of other framework choices; included below are 

several principles that may be helpful in guiding its design: 

.. 

Liability for data in general should be designed 

to be compatible with other existing relevant 

regulations (e.g., PIPEDA), not supersede them. This 

prevents the development of overlapping/conflicting 

requirements, ensuring that all participants 

have a common understanding of the roles and 

responsibilities of each player; additionally: 

.. 

For unintentional data breaches, liability 

should be assigned to the party responsible 

for the breach itself (the data recipient in the 

vast majority of cases). The data recipient 

should have adequate liability coverage for 

data breaches, and any accreditation program 

for data recipients should include both a 

security standard and a liability coverage 

standard. This will raise customer trust in 

Open Banking, even after a hypothetical data 

breach incident occurs. 

.. 

For companies intentionally misusing 

customer data (e.g. malicious actors acquiring 

accreditation), liability should be assigned to 

the body that a) granted that accreditation 

and/or b) extended that accreditation most 

recently. 

13 .


»» 

Data generators should have the ability to 

sever a linkage with a data recipient if they 

suspect either an unintentional data breach 

or misuse, and should be responsible for 

reporting suspected breaches/misuse within 

a short time period to other data generators 

and/or the accreditation body to minimize 

the impact of that breach. This is on top of 

any PIPEDA requirements that the breached 

institution must report in a similar matter. 

.. 

Open Banking Participants should be responsible 

for their own actions, but not the actions of others 

(e.g., data generators should not be liable for losses 

caused by data recipients). While account providers 

are the designated first responder in case of a loss, 

they should have the ability to seek recourse from 

the responsible third parties (including all relevant 

expenses such as the cost of investigation). This 

ensures account providers are not left unfairly 

holding the burden of liability, leading to greater 

participation from account providers in 

Open Banking. 

.. 

Data generators should have an obligation to report 

all in-scope information to data recipients truthfully 

(e.g., they cannot report false statements), but they 

should not be held liable for unintentional mistakes 

/ inaccuracies in transferred data. 

How does the system 

operate? 

How should consent and authentication be 

managed? 

A successful model for data-sharing should include 

secure and user-friendly processes for both customer 

authentication (i.e., verifying the customer’s identity) and 

consent (i.e., obtaining permission from the customer to 

share data with a third party). 

Customer authentication could be managed by the 

data generator or by the data consumer. Managing 

authentication through the data consumer may lead to 

smoother user experiences (since login would be completely 

integrated into third parties’ interfaces and match their user 

experience design) but may expose customers to additional 

risk (since their banking credentials would be shared with 

each third party they choose to use). Furthermore, data 

recipients to develop secure authentication processes 

could be a complex and time-consuming process and 

potentially act as a barrier to entry for smaller third party 

data recipients. 

If authentication is assumed to be conducted by the data 

generator, there are three possible models: 

.. 

Embedded: At the time of authentication, the 

customer enters their banking credentials into a 

“widget” hosted and operated by the data generator 

that is embedded directly into a third-party interface. 

.. 

Redirect-Based: At the time of authentication on 

a third party platform, the customer is redirected to 

their data generator’s website (i.e., online banking 

portal), where they enter their credentials; after 

authenticating, they are redirected back to the 

data recipient. 

.. 

Decoupled: At the time of authentication, the 

customer is asked to navigate to the data generator’s 

online portal. After authenticating, the customer 

retrieves and manually copies + pastes the code, 

which acts as a token proving the customers’ identity, 

into the third-party website. 

Each of these methods offers its own balance between 

user experience and security. While the embedded 

workflow is convenient for customers, it creates significant 

opportunities for phishing. The redirect-based flow is the 

most common among Internet services (e.g., Facebook) 

and customers are largely familiar with the process. The 

decoupled flow is less commonly used, as it requires manual 

effort from customers that creates additional friction 

and may hinder the pace of adoption. However, it is less 

susceptible to phishing attacks than the other two models. 

Phishing is a type of socially engineered fraud where bad 

actors attempt to obtain sensitive information for malicious 

purposes using deceptive means. For example, a bad 

actor may set up a fake third-party website that redirects 

a customer to a page disguised as their banks’ interface, 

stealing their credentials, other personal information and, 

ultimately, their money. 

Requiring more than one form of evidence is known as 

“multi-factor authentication” and increases the safety of the 

authentication flow at the cost of user experience (e.g., by 

14.


requiring them to receive a code on their mobile device and 

inputting it into the system). Precedent in other jurisdictions 

(e.g., PSD2’s Strong Customer Authentication requirements) 

suggest that requiring more than one form of evidence is 

prudent. 

Authentication can rely on 

a combination of evidence: 

.. 

Knowledge (e.g., password) 

.. 

Possession (e.g., key, mobile phone) 

.. 

Inherence (e.g., fingerprint) 

Precondition: Role of a Digital ID Utility 

Digital ID is the electronic storage of identity information 

that allows people to identify themselves online without 

having to continuously present physical documentation. If 

a standard form of Digital ID is developed and mandated in 

Canada, authentication would not need to happen entirely 

on the bank’s online interface. The utility providing the 

Digital ID service could serve as the central authentication 

manager, leading to greater safety and security, improved 

user experience, and reduced authentication costs for 

market participants. 

authentication and consent process is not a barrier 

to Open Banking adoption. Abiding by this principle 

will help enforce transparency and ensure that 

the consent is meaningful and informed. A robust 

customer consent process is critical to a Canadian 

Open Banking regime, as current privacy legislation 

(i.e., PIPEDA) has underdeveloped standards 

of consent in regard to both explicitness and 

enforcement, due to its age. 

.. 

Customers should be able to withdraw consent at 

any time. In line with the shift of data ownership 

back into customers’ hands, they should be able to 

revoke access if desired. However, the original data 

held by the data generator should not fall under this 

principle, as it is often required by existing regulatory 

frameworks for AML purposes. 

Precondition: Updates to PIPEDA 

Open Banking is reliant on privacy law reform as privacy 

laws regulate how information should be kept, stored and 

used; Open Banking expands on that by regulating how it 

should be shared between financial institutions and third 

party providers. 

Canada is in the midst of a consultation process for changes 

to PIPEDA, which would bring it into line with much of the 

changes brought by the European Union’s General Data 

Protection Regulation (GDPR). GDPR mandates financial 

institutions to erase customer data (collected directly from 

customers and received from third parties) upon customer 

request if one of the following six conditions is met: 

Under Open Banking, customers will be the controllers 

of their own data and should be able to provide specific 

direction regarding the transfer and use of that data. The 

consent on how this data is used could occur on the data 

generators’ side, data recipients’ side, or both. 

Regardless of which model of consent is chosen, several 

common principles can be garnered from precedent set by 

other jurisdictions: 

.. 

Consent prompts should be simple (e.g., written in 

plain language, display all the important information 

concisely on one screen). This ensures that the 

I. The personal data is no longer necessary in relation 

to the purposes for which they were collected or 

otherwise processed. 

II. The data subject withdraws consent […] 

III. The data subject objects to the processing […] and 

there are no overriding legitimate grounds for the 

processing […] 

IV. The personal data have been unlawfully processed 

V. The personal data have to be erased for compliance 

with a legal obligation […] 

VI. The personal data have been collected in relation to 

the offer of information society services […] 

This regulation expands across digital and physical 

documentation and includes backup files. However, the 

right to be forgotten may be overruled, or delayed, for some 

or all data classes due to regulatory obligations imposed 

on the controller of that data (e.g., record-keeping for 

accounting and taxation). 

15 .


It is uncertain how closely changes to PIPEDA will reflect 

the privacy stipulations outlined in GDPR. Nonetheless, as 

Open Banking is developed in Canada, care must be taken 

to ensure that Open Banking a) is abiding by any changes to 

PIPEDA, and b) there are no gaps in coverage with respect 

to the consensual sharing of financial services data between 

Open Banking and PIPEDA. 

What is the supporting economic model? 

In order to make data available, data generators are likely to 

incur upfront fixed costs (i.e., system upgrades and changes) 

as well as ongoing variable costs (i.e., costs of fulfilling data 

requests). Whether data generators are able to recover their 

variable costs (e.g., through a minimal fee charged to data 

recipients) is a critical decision for the design of an Open 

Banking framework. There are several considerations that 

can support the choice: 

.. 

Fairness to data generators: Beyond the direct costs 

of making data available, data generators are likely 

to face additional indirect expenses (e.g., customer 

complaint management); ensuring that they are able to 

sustainably perform these functions ensures that data 

generators are not unfairly burdened by the process. 

.. 

Barrier to entry: Charging fees for access to data may 

act as a barrier to the market; this could be considered 

a negative (i.e., stifling innovation) or a positive (i.e., 

stifling the creation of low-value use cases), depending 

on the size of the data transfer fee 

How often should data requests be allowed? 

In the UK, data recipients are limited to making 4 requests 

in a 24 hour period, unless a higher frequency is agreed to 

in a commercial agreement between the data generator 

and data recipient. However, customers can initiate data 

requests an unlimited number of times, which is similar to 

the level of access currently provisioned through online 

banking services. (i.e., customer has 24/7 access to their 

banking information through the bank’s online interface). 

Allowing for a large number of requests enables additional 

use cases (e.g., an account balance monitor that notifies 

users when they are approaching overdraft), at the cost of 

burden to data generators (i.e., of data transfer). Depending 

on whether a fee is charged to data recipients for every 

request they make, a limit may or may not be necessary to 

prevent data generators from being overwhelmed by a large 

volume of requests. 

.. 

Comparison to current state for data recipients: 

API-based solutions are likely to be significantly less 

resource-intensive (and thus, less costly) than the 

solutions that data recipients use today; as a result, 

the costs of accessing customers’ financial data for 

data recipients is likely to be lower than the 

current state. 

16.


Conclusion 

Canada sits at an inflection point in the modernization of its financial services ecosystem. When looked 

at in conjunction with payments modernization and an expected overhaul of privacy legislation via 

PIPEDA, Open Banking represents the third pillar of a new landscape, one that will reshape customer 

expectations for the delivery and consumption of financial services. It will do so by: 

.. 

Lowering barriers for customer movement between organizations. 

.. 

Allowing for more personalized and tailored experiences. 

.. 

Automating unnecessary procedures and tasks. 

However, this will not lead to a drastically different financial services ecosystem overnight. Rather, 

Deloitte predicts that the major changes arising from Open Banking will arrive in time, meaning that a 

window of opportunity exists for all organizations to prepare - either to defend their market share and 

customers, or to shift their position within the ecosystem. In other words, this is not just an opportunity 

for new entrants, but also for incumbents to address the pain points in their current banking solutions, 

in order to reshape the market and come out ahead. 

Lastly, Open Banking is just one step in a broader movement of returning customer data ownership 

back to where it belongs - with the end customer. Customers’ right to data ownership is about far more 

than just financial data, which means that Open Banking should set the precedent for the opening 

up of other industries as well. By taking the first step, Open Banking can act as a template for others, 

illustrating the leadership role that Financial Services has in Canadian society, and in protecting the 

customer above all. 

Footnotes: 

[1] CIRA Internet Factbook 2017 

[2] eMarketer Digital Banking Adoption Rates 

[3] OSFI Annual Report 2016/17 

17 .


Contributors 

18.


19.

www.deloitte.ca 

Deloitte provides audit & assurance, consulting, financial advisory, risk advisory, 

tax and related services to public and private clients spanning multiple 

industries. Deloitte serves four out of five Fortune Global 500® companies 

through a globally connected network of member firms in more than 150 

countries and territories bringing world-class capabilities, insights and service 

to address clients’ most complex business challenges. To learn more about 

how Deloitte’s approximately 264,000 professionals—9,400 of whom are based 

in Canada—make an impact that matters, please connect with us on LinkedIn, 

Twitter or Facebook. 

Deloitte LLP, an Ontario limited liability partnership, is the Canadian member 

firm of Deloitte Touche Tohmatsu Limited. Deloitte refers to one or more 

of Deloitte Touche Tohmatsu Limited, a UK private company limited by 

guarantee, and its network of member firms, each of which is a legally separate 

and independent entity. Please see www.deloitte.com/about for a detailed 

description of the legal structure of Deloitte Touche Tohmatsu Limited and its 

member firms. 

© Deloitte LLP and affiliated entities. 

Designed and produced by the Deloitte Design Studio, Canada.

Open Banking Concept

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?