2023 Fall Economic Statement:
Policy Statement on Consumer-Driven Banking

1. Introduction

Consumer-driven banking, also known as open banking or consumer-directed finance, refers to frameworks that allow consumers and small businesses to securely transfer their financial data through an application programming interface (API) to approved service providers of their choice. It enables consumers to securely use data-driven financial services that can help them better manage their finances and improve their financial outcomes. For example, through consumer-driven banking, individuals can access services that allow them to build their credit by proving they have paid rent on time.

An estimated 9 million Canadians currently share their financial data by providing confidential banking credentials to service providers. This process, known as screen-scraping, is unsecure and raises security, liability, and privacy risks to consumers and the financial system.

Benefits of Consumer-Driven Banking

1.1 What Will Consumer-Driven Banking Do?

The implementation of a consumer-driven banking framework will:

• Empower Canadians to securely access and share their financial data with financial service providers.
• Ensure that Canadians are not subject to fees when accessing and sharing their data.
• Protect Canadians and the financial system from risky practices like screen-scraping.
• Ensure parties at fault are liable for any damages or data breaches.
• Allow Canadians to safely access innovative products and services that can help them improve their financial outcomes. For example:

  • Apps that build credit scores using transaction data.
  • Account aggregators that provide a fuller financial picture and support improved decision making.
  • Budgeting tools that monitor spending and provide insights to improve financial well-being.
  • Platforms that provide automated financial advice, tailored to a consumer’s unique financial situation, and needs.

1.2 Policy Objectives for the Consumer-Driven Banking Framework

The recent work of the Department of Finance was framed by three public policy objectives:

• Safety and Soundness: Ensuring the continued safety and soundness of the financial sector by addressing the security risks arising from existing data sharing practices, such as screen scraping, and establishing oversight of financial data sharing activities;
• Consumer Financial Well-Being and Protection: Ensuring that Canadians can securely and confidently exercise their right to access and use their financial data to improve their financial outcomes; and,
• Economic Growth and International Competitiveness: Establishing a cohesive framework, with a clear, fair, and transparent approach to accreditation, to support the continued security and stability of the Canadian financial sector, including existing financial institutions.

1.3 Core Framework Elements

These policy objectives have guided the development of a recommended course of action on five core framework elements, including:  

• Governance: Oversight and management of the system;
• Scope: The types of data and functionalities the system will provide, the participants, and the pace at which the system should expand;
• Accreditation: The requirements and process for participating in consumer-permissioned financial data sharing;
• Common Rules: To protect consumers and govern the areas of privacy, security, and liability; and,
• Technical Standards: Establishment, maintenance, and oversight of the technical standards (also referred to as pipes) that facilitate the flow of data between participants.

The remainder of the policy statement outlines the government’s position on the core elements of the framework as a means of providing clarity to consumers and industry.

2. Course of Action

The government will develop and implement a legislative framework for consumer-driven banking that will enable consumers to securely and confidently access their financial data and, in turn, safely use services that can help them improve their financial outcomes.

The framework legislation, to be introduced in Budget 2024, will prescribe a phased-in approach to scope, oversight of the technical standard, and a timeline for phasing-out screen scraping. In line with international best practices, the aim of legislation will be to:

• Codify key elements including scope, common rules for addressing liability, privacy, security, accreditation, and management of technical standards;
• Mandate responsibility to a government-led entity for monitoring and supervising the system, enforcing common rules, accrediting, defining, and updating technical standards; and,
• Address liability among industry participants.

2.1 Governance

To ensure Canadians benefit from effective oversight of financial data sharing, Canada’s framework for consumer-driven banking will mandate a government-led entity to supervise and enforce the framework. To facilitate oversight of provincial entities while respecting their jurisdiction, a model that permits provincial entities to “opt-in” to governance, supervision, and participation will be developed.

Governance design is key to ensuring the framework achieves the public policy objectives of safety, stability, innovation, and utility for all Canadians. A strong governance framework will ensure participants abide by common rules by outlining clear roles and responsibilities for participants and government, and what actions will be taken when non-compliance occurs.

2.2 Scope

To ensure the efficient implementation of secure, consumer-permissioned financial data sharing, government will adopt a phased approach to the three elements of scope: participants, breadth of data sharing, and functionality.

Scope refers to:

1. What entities can participate;
2. The breadth of data that must be shared among them; and,
3. Functionality, such as read or write access.

In the initial phase, the government will mandate participation for federally-regulated financial institutions that meet a specified threshold for retail volume while providing the remaining federally-regulated financial institutions, credit unions, and accredited third parties the ability to opt-in to the framework. To fully implement consumer rights to data portability, all entities will be equally subject to consumer-permissioned data sharing requests (reciprocal access).

When authorized by a consumer, in-scope data would be shared in its unaltered, original format free of charge. The government may consider an expansion of the scope at a later date.

2.3 Accreditation

To ensure Canadians can confidently engage in financial data sharing with trusted entities, Canada’s framework will include a formal accreditation framework, inclusive of process, oversight, and criteria for entities wishing to collect consumer-permissioned data from data holders.

A formal accreditation framework is a central part of the framework that ensures only trusted entities can access financial data when requested by a consumer. This framework would set out the process and specific criteria for data requestors to access consumer financial data. An accrediting body then evaluates applications against the framework’s criteria and publishes a list of all accredited organizations in a central registry.

Recognizing the highly sensitive nature of financial data this process ensures that only those who meet certain security and privacy requirements can participate in a data sharing ecosystem. It creates trust among consumers and participants by validating the merit and financial capability of organizations outside of traditional regulated financial services to participate in a consumer-directed data sharing economy.

Accreditation would not be a static obligation. Entities would be subject to mandatory reporting of key information on a regular basis and as their business models evolve to maintain accreditation. A public registry of accredited entities would be maintained to ensure consumers have clear information when choosing to share their financial data with an entity.

National security safeguards that align with existing financial sector frameworks would also be included in the accreditation process.

2.4 Exempt Entities

Given their well-established record as trusted stewards of financial data and that they are subject to prudential and other forms of regulation, federally-regulated banks and credit unions, as well as provincially-regulated credit unions, would be exempt from accreditation.

In the case of provincial credit unions, provinces retain the authority to impose their own requirements. All other entities that seek to collect and/or use in-scope data in order to provide products or services to consumers, as well as organizations that collect data on their behalf, would be subject to accreditation.

2.5 Tiering

Tiered accreditation—the practice of establishing different accreditation requirements for entities, based on the levels of data they are permitted to access—would not be included in an initial phase, but may be considered once the framework is well-established.

2.6 Common Rules

To provide a consumer-centric and transparent foundation for consumer-permissioned financial data sharing in Canada, the framework will include common rules that address privacy, security, and liability obligations. Accredited and mandated entities will be required to abide by these rules as a condition of access to consumer data.

The intent of common rules is to ensure that consumers benefit from consistent protection and market conduct standards which would, in turn, help build confidence and trust for consumers. To complement existing consumer protection and privacy legislation, additional rules governing the areas of liability, privacy, and security will be developed.

Where appropriate, the common rules will align with existing legislative frameworks, such as the Financial Consumer Protection Framework (FCPF) within the Bank Act. Common rules will work to complement existing legislation, rather than creating duplicative or potentially conflicting requirements.

2.7 Privacy

In terms of privacy, participants would be required to comply with applicable legislative frameworks. Additional privacy rules will also be enacted that are unique to financial data sharing, particularly around providing consumer consent to access. Participants would be required to have a standardized process for consent and revocation that is done in a clear, simple, and transparent manner.

Additionally, participants would be required to reconfirm consumer consent at specified intervals or following certain events. Entities would also be required to provide consent dashboards to ensure consumers have real time knowledge of who has access to their data.

2.8 Liability

Canada’s framework will clearly set out a liability structure that establishes a statutory contractual relationship between participants. This will be based on the principle that liability moves with the data and rests with the party at-fault if anything goes wrong. This means that when a consumer initiates a data transfer, the data provider’s liability towards that consumer for how the data is managed or protected ceases once it leaves the institution.

To ensure the common rules are credible, participants must be accountable for upholding them. Clear attribution of liability is a critical component of a framework for consumer-driven banking. Predictable and transparent rules outlining where liability starts and ends will provide certainty to participants and make it easier to protect consumers.

To ensure consumers are well protected, entities would also be required to put in place internal policies and procedures for complaint handling and the provision of redress.

2.9 Security

To ensure accredited and mandated entities protect consumers’ data, Canada’s framework will establish clear security requirements.

Though a wide range of risks exist, the key ones relate to operational risk, namely information security and cybersecurity. In this respect, federally-regulated financial institutions and credit unions have mature risk management regimes and are already overseen by prudential regulators. Other organizations seeking access to consumer data would need to demonstrate they can protect such data and would have to meet security requirements as part of the accreditation process, as well as fulfill ongoing reporting obligations.

2.10 A Single Technical Standard

To align with international best practices, the government will mandate the use of a single technical standard, and will set out in legislation, principles for, and oversight of the technical standard.

A framework for consumer-permissioned financial data sharing offers a means to successfully transition away from screen scraping to a more secure method for financial data sharing that significantly decreases the risk of personal data being compromised by bad actors and mitigates security, privacy, and liability risks for consumers and institutions. This is done through an API, a type of software that acts as secure data “pipes” to enable products and services to communicate with one another.

Consultation with stakeholders and review of international best practices have revealed a clear preference for a single standard. The government is in the process of concluding engagement with industry and international partners and will return to industry with a final announcement on a technical standard.

3. Next Steps

The Department of Finance will advance the work required to stand up a Canadian framework governing consumer-driven banking, with the goal of adopting legislation and fully implementing the necessary governance framework by 2025. As it does so, it will continue to engage with industry, federal regulators, provincial and territorial governments, and other stakeholders, including all Canadians.

This policy statement was informed by a series of expert-led recommendations, engagement with other jurisdictions, and extensive consultation with banks, credit unions, financial technology companies, consumer groups, and Canadians across the country. More information about this process, and recent working groups, can be found at Consumer-Driven Banking Implementation.