Accreditation working group meeting 3 – August 23, 2022
This discussion guide is provided to assist working group members in preparing for the meeting.
For questions or comments, please contact obbo@fin.gc.ca.
On this page:
Discussion guide
Financial capacity
The Advisory Committee on Open Banking noted that adequate insurance or some comparable financial guarantee for accredited open banking participants is important to protect consumers and ensure accountability among accredited participants. Organizations seeking accreditation must have the financial capacity to meet their liabilities.
Other jurisdictions have taken different approaches in respect of financial capacity for accredited open banking participants.
In Australia, the Consumer Data Right (CDR) rules require that organizations seeking accreditation maintain adequate insurance or a comparable guarantee. The Australian regime does not prescribe the insurance product type that an applicant must obtain (for example, liability, cyber or both). Nor does it outline the requirements of an “adequate” insurance policy, placing the onus of determining adequacy on the service provider applying for accreditation. Instead, there is a non-exhaustive list of factors which the assessor will consider in determining the adequacy of insurance. Annex A provides a high-level description of the Australian approach to insurance adequacy.
In addition and under limited circumstances, the Australian regime also allows potential applicants to provide a comparable guarantee as a replacement for insurance. The requirements are described in Annex B.
The United Kingdom and the European Union follow the European Banking Authority (EBA) guidelines on insurance and comparable guarantee. To calculate the minimum monetary amount of the required insurance or guarantee, a three-pronged formula was developed with consideration for an applicant’s risk profile, type of activity, and size of activity. Annex C provides a high-level overview of this approach.
Discussion
- Should the amount of the insurance policy or comparable guarantee required be set or should participants determine the adequacy? What are the advantages/disadvantages to each approach?
- What are the elements of an adequate insurance policy? Are those described in Annex A and C sufficient or should others also be considered? Are any unnecessary?
- What are the elements of a comparable guarantee? Are those described in Annex B and C sufficient or should others also be considered? Are any unnecessary?
- Should the requirement be perpetual or time-fixed? If the former, how often should the potential applicant review adequacy and on what grounds?
- Should adequate insurance or a comparable guarantee be mutually exclusive or can both be provided by a potential applicant?
- How should the insurance or a comparable guarantee be evidenced as part of the accreditation process (for example, statement from company execs, documentation evidence or otherwise)?
Annex A – Adequacy of insurance (Australia)
| Factor for assessing adequacy of insurance | Considerations for accredited organization |
|---|---|
| Nature of products or services to be provided | Whether the services or products to be offered are professional in nature. |
| Nature of CDR data likely to be managed | The nature and sensitivity of the CDR data to be held will determine the appropriate insurance coverage. |
| Volume of CDR data held | The greater the volume of data held or managed the greater the potential risk associated with a breach of legislation, the CDR Rules, or standards. |
| Financial resources | Financial resources required to cover the excess and any gaps in cover due to insurance exclusions. |
| Scope | Scope of coverage as it pertains to professional indemnity, cyber and general liability (such as fraud). |
| Policy limit | The annual aggregate insurance cover for certain events are adequate to provide an indemnity for claims. |
| Persons covered | The insurance policies must name the accredited person as a named insured. Policies that cover corporate groups may also be acceptable. |
| Exclusions | The insurance must not exclude (i) claims stemming from the external complaints body as well as (ii) privacy and data related claims related to CDR data. |
The high-level summary was developed from Table 1 of the CDR-Supplementary accreditation guidelines insurance. Refer to the guidelines for further details. Additional information is also available in the insurance section of Consumer Data Right Accreditation - Sample Application - Full - updated April 2022.pdf (cdr.gov.au).
Annex B – Comparable guarantee (Australia)
The guarantee must be:
- provided by a related company to the applicant or the accredited person;
- provided by a company that is of substance; and
- on terms that are appropriate in the circumstances, including with respect to the value and limitations applicable to the guarantee.
The high-level summary was developed from Table 1 of the CDR-Supplementary accreditation guidelines insurance. Refer to the guidelines for further details. Additional information is also available in the insurance section of Consumer Data Right Accreditation - Sample Application - Full - updated April 2022.pdf (cdr.gov.au).
Annex C – Professional indemnity insurance (PII) or comparable guarantee (European Banking Union)
| Formula | Formula criterion details |
|---|---|
| The EBA provides the following formula for competent authorities to calculate the minimum amount of the PII or comparable guarantee for service providers: Amount reflective of risk profile criterion |
Risk profile criterion indicators include:
|
Type of activity criterion indicators include whether the service provider:
|
|
Size of activity criterion indicators include:
|
|
The comparable guarantee criterion indicators include:
|
Annex C was developed from the Payment Services and Electronic Money – Our Approach (fca.org.uk) and the Final Guidelines on PII under PSD2 (EBA-GL-2017-08).pdf (europa.eu)
Outcomes
Financial capacity
Discussion 1
Should the amount of the insurance policy or comparable guarantee required be set or should participants determine the adequacy? What are the advantages / disadvantages to each approach?
- There was general agreement that it would be best to let participants determine the adequacy of insurance or comparable guarantee. Participants also suggested guidelines to provide direction, similar to the example proposed in Annex A of the discussion guide, which gave a high level overview of the Australian model.
- Some were supportive of clearly prescribed minimum levels, though certain participants warned of difficulties in obtaining insurance products as well as the barrier to system entry this may pose.
Discussion 2
What are the elements of an adequate insurance policy? Are those described in Annex A and C sufficient or should others also be considered? Are any unnecessary?
- There was general consensus that Annex A’s methodology (Australia) described in the discussion guide was preferable over Annex C (EU). In particular, participants highlighted the nature of the products or services to be offered, the nature of data to be managed as well as the volume of data as elements for consideration for determining the adequacy of an insurance policy.
- While certain participants suggested data location as a consideration, others noted that this is not an insurable risk.
Discussion 3
What are the elements of a comparable guarantee policy? Are those described in Annex B and C sufficient or should others also be considered? Are any unnecessary?
- Participants noted that the speed at which funds can be made available and liquidity constitute key elements of a comparable guarantee.
- Examples of comparable guarantees were also provided, including surety bonds, a pool of funds in an escrow account and capital buffers.
Discussion 4
Should the requirement be perpetual or time-fixed? If the former, how often should the potential applicant review adequacy and on what grounds?
- There was general consensus that the requirement should be perpetual, though certain participants raised the prospect of it being waved in the event that the financial situation of the organization improved to the point that it would merit a dispensation.
- Among the causes for review cited were a change in the type of data collected, the nature of the services offered or a significant change in business. Alternatively, it was proposed that the review be conducted on the expiration of the insurance policy, which can be on an annual basis.
Discussion 5
Should adequate insurance or a comparable guarantee be mutually exclusive or can both be provided by a potential applicant?
- There was general consensus that insurance and comparable guarantees are not mutually exclusive owing to, among other factors, the flexibility offered by having both options.
Discussion 6
How should the insurance or a comparable guarantee be evidenced as part of the accreditation process (for example, statement from company execs, documentation evidence or otherwise)?
- There was general consensus that in addition to a certificate of insurance, an attestation from executives in a standardized form would be appropriate.
Accreditation working group attendees
Members
- Desjardins
- Flinks
- Laurentian Bank of Canada
- National Bank of Canada
- Plaid
- Scotiabank
- Stripe
- TD Canada Trust
- Vancity Credit Union
- Wealthsimple
- Central 1 Credit Union
External guests
- British Columbia Financial Services Authority
- Competition Bureau Canada
- Financial Consumer Agency of Canada
- Office of the Superintendent of Financial
Institutions
Chair
- Abraham Tachjian, Open banking lead
Secretariat
- Department of Finance Canada
Page details
- Date modified: