Accreditation working group meeting 5 – October 19, 2022
This discussion guide is provided to assist working group members in preparing for the meeting.
Please note that during the last meeting, the accreditation working group agreed to proceed with the topic planned for meeting 6 (Organizations subject to accreditation) as the content planned for meeting 5 (Privacy and security) is being captured in separate dedicated working groups.
For questions or comments, please contact obbo@fin.gc.ca.
Discussion guide
Organizations subject to accreditation
The proportional application of requirements is a recurring theme in many of the working group discussions. This is even more relevant in the context of accreditation. As the Final Report of the Advisory Committee on Open Banking (the Report) states, the crucial challenge in establishing an accreditation framework is striking the right balance between promoting entry to the system for smaller participants while maintaining security and protection for all. As such, the Report suggests that the accreditation process reflect the degree of risk that a third-party service provider poses to the system. To this end, flexibility and tiered levels should also be considered to encourage entry of emerging firms or new entrants that may not pose the same risks as other entities.
This working group meeting will explore potential pathways to entry into the open banking system outside of accreditation, differing system admission requirements as well as related obligations and responsibilities.
Accreditation of incumbent data holders
As per the Report, we expect that federally and provincially regulated financial institutions would be exempt from accreditation, to the extent that they are already subject to prudential and other forms of oversight.
Accreditation requirements of incumbent data holders vary in other jurisdictions. In the United Kingdom (UK), nine financial institutions (CMA 9) are subject to mandatory participation in their open banking system, while other banks and building societies can opt in. The Australian Consumer Data Right (CDR) requires all authorized deposit-taking institutions (ADIs) to allow data sharing. However, ADIs are exempt from the full accreditation process (Footnote 1), having only to complete a "streamlined" approval form listing their CDR data management policy and details of membership in the external dispute resolution body for banking. The ADI is also not obligated to hold insurance or a comparable guarantee (Footnote 2).
Pathways for accessing consumer-permissioned data
Both the UK and Australia allow entities seeking access to consumer data to either complete accreditation or enter into an arrangement with an accredited party.
The UK places an emphasis on whether services are provided to an end user. For example, it defines a "technical service provider" (TSP) as a "business that obtains and processes payment account information in support of an authorized or registered account information service provider, but does not itself provide the information to the user" (Footnote 3). TSPs do not require accreditation, though the accredited entity nevertheless remains the party responsible for their actions (Footnote 4).
Account Information Service Providers (AISP) (Footnote 5) are, however, subject to accreditation (Footnote 6). The benefits include accessing data directly from data holders such as banks and providing services to their end users. However, unaccredited parties may also provide account information services by acting as an "agent" of an accredited party, the "principal". The agent can only present the principal's account information service to its users on its own platform (e.g., app or website). It cannot collect data from the principal and use it to provide AIS to its own customers, which is why it must make clear that it is simply acting as the principal's agent, for example by using the principal's branding. The principal remains responsible for all activities of its agents, must register the name of the agent with the Financial Conduct Authority and must carry insurance reflective of the relationship, among other requirements. In addition, the principal remains responsible for collecting consumer consent (Footnote 7).
Australia provides two options for accreditation (Footnote 8). Unrestricted accreditation allows an entity direct access to consumer-permissioned data from a data holder. Entities under "sponsored" accreditation face less stringent requirements with regard to information security, namely a self-assessment against the requirements rather than evidence in the form of an independent third-party assurance report. The key difference from the unrestricted level is that the sponsored entity, referred to as the "affiliate" of the sponsor, is unable to directly request data from a data holder. Instead, it must rely on its sponsor, with which it has a written agreement, to collect data on its behalf, or on another accredited person who is not its sponsor. The sponsor assumes responsibilities under this arrangement, namely undertaking due diligence on its affiliate and assisting it with compliance with the CDR rules.
An agency-like scenario is also available in Australia. The "CDR Representative Model" (Footnote 9) allows entities who do not wish to be accredited to access CDR data via a single, fully accredited principal. In this model, the principal collects CDR data on behalf of the representative based on the terms of a written contract. Importantly, the principal remains fully liable for the actions of the CDR representative.
Finally, the CDR regime recognizes the role of the "outsourced service provider" (OSP) (Footnote 10) in the chain of data sharing. These entities facilitate the collection of CDR data for an accredited person, the principal, or provide the principal with services using data that they collected on its behalf. These entities do not require accreditation, though an outsourcing arrangement in a prescribed form (Footnote 11) must exist between the principal and the OSP. The agreement provides for, among other items, restrictions on how the OSP can deal with the data. In addition, the principal remains liable for the actions of the OSP.
Discussion
- Except for federally and provincially regulated financial institutions, which organizations should be subject to accreditation?
- What type of accreditation could be available to potential open banking ecosystem applicants?
- What accreditation requirements should vary between tiers of accreditation? Similarly, what rights and obligations (for example, access to data) should differ between them?
- In addition to different tiers of accreditation, are there any legislative, regulatory or other requirements that potential participants are subject to which may be considered in accreditation to streamline an application?
- Should tiered accreditation be available in the first stage of open banking? Alternatively, should it be phased in and at what point?
Outcomes
Organizations subject to accreditation
Discussion 1
Except for federally and provincially regulated financial institutions, which organizations should be subject to accreditation?
- The lead clarified that the terms “provincially regulated financial institutions” in the discussion question made reference to credit unions.
- Participants proposed two related views, namely that entities that directly access a data holder’s application programming interface or that collect consumer-permissioned data should be subject to accreditation. However, certain participants cautioned that this approach may capture a large group of entities involved in the data chain which only act to provide technical services to system participants, similar to the definitions of “technical service provider” and “outsourced service provider” included in the discussion guide.
Discussion 2
What type of accreditation could be available to potential open banking ecosystem applicants?
- In the interest of promoting access to the system and learning from experiences of other jurisdictions, most participants agreed to options other than full accreditation, including the sponsorship and agency models described in the discussion guide.
Discussion 3
What accreditation requirements should vary between tiers of accreditation? Similarly, what rights and obligations (for example, access to data) should differ between them?
- There was a general consensus that only fully accredited entities should be able to access data directly from a data holder.
- Participants also agreed that fully accredited entities providing sponsored or agency-like system access would be subject to greater accreditation requirements relating to risk management and financial capacity.
Discussion 4
In addition to different tiers of accreditation, are there any legislative, regulatory or other requirements that potential participants are subject to which may be considered in accreditation to streamline an application?
- Participants provided examples of regimes that could be considered in streamlining accreditation applications, including being regulated provincially as a securities dealer or registered as a payment service provider under the Retail Payment Activities Act.
Discussion 5
Should tiered accreditation be available in the first stage of open banking? Alternatively, should it be phased in and at what point?
- There was a general consensus that tiered accreditation should be available in the first stage of open banking.
Accreditation working group attendees
Members
- Desjardins
- Flinks
- National Bank of Canada
- Plaid
- Scotiabank
- Stripe
- TD Canada Trust
- Vancity Credit Union
- Wealthsimple
- Central 1 Credit Union
Absent
- Laurentian Bank of Canada
External guests
- British Columbia Financial Services Authority
- Competition Bureau Canada
- Financial Consumer Agency of Canada
- Office of the Superintendent of Financial Institutions
Chair
- Abraham Tachjian, Open banking lead
Secretariat
- Department of Finance Canada