Accreditation working group meeting 6 – May 1, 2023

This discussion guide is provided to assist working group members in preparing for the meeting. This will be the last accreditation working group meeting as the remaining topics will be covered on May 1.

For questions or comments, please contact obbo@fin.gc.ca.

On this page:

• Discussion guide
• Outcomes

Discussion guide

Accreditation process

The Final Report of the Advisory Committee on Open Banking (the Report) underscored the importance of a clear and transparent process to gain, maintain, and display accreditation of organizations to Canadians and other participants. This working group has already discussed many of the potential requirements that an entity would need to fulfil in order to become accredited. The criteria covered included required information (Meeting 2),  financial capacity (Meeting 3), and certification (Meeting 4). Accreditation was also discussed at the first Steering Committee meeting.

Timeliness in reviewing an application is also a critical element of accreditation in so far as it provides clarity and transparency. Though delays in the process may exist – for multitude of factors, including the completeness of an application, open banking systems in other jurisdictions typically provide an indication of expected turnaround times. The Australian Competition and Consumer Commission (ACCC), the governance body in charge of accreditation, estimates a three-month standard for making a decision^{Footnote 1}. Similarly, the United Kingdom (UK)'s Financial Conduct Authority (FCA) describes a three-month process that could extend to 12 if an application is incomplete^{Footnote 2}.

A submission for accreditation may lead to a few outcomes. Where the application is deemed incomplete or deficient, approval will not be granted and may lead to further discussions to remedy the situation. As described in the Report, the reasons for the decision should be provided, along with an opportunity to address deficiencies without having to restart the accreditation process. Conversely, approval of an application would form the first step of admission into the system with subsequent administrative steps to follow, for example, addition to a registry of accredited participants. The Retail Payment Activities Act (RPAA) includes provisions for a public registry that captures activities performed by the entity^{Footnote 3}.

Accreditation approvals may be conditional. For example, in Australia, the ACCC may impose binding conditions on the applicant^{Footnote 4}. These conditions could include meeting testing requirements or limiting the products or services the applicant may offer to end users. Those conditions are then published on the central registry.

Accreditation may involve costs to the applicant. This could involve a cost related to the submission or work related to the preparation of the application. As noted by the Report, applicants should bear the cost of their own accreditation. This aligns with other practices in Canada, such as the proposed registration fee under RPAA regulations^{Footnote 5}. The FCA has similar application fees for on-boarding new applicants under PSD2^{Footnote 6}.

Maintaining accreditation

The Report indicated that accreditation should be renewed periodically. This could take the form of a full review at predetermined intervals or a simple submission of forms to an accreditation entity with management attestations. In addition, material changes to a business model, such as the scope of data an entity intends to collect on behalf of their customers, could trigger a mandatory renewal of accreditation.

Ongoing reporting obligations can serve as an alternative. Under this scenario, information is provided to the regulator at certain intervals as opposed to a full assessment. Australia's Consumer Data Right (CDR) rules require bi-annual reporting on complaints, the total number of product data requests, new services offered and what data those services require^{Footnote 7}. In addition, accredited entities must inform the ACCC within five business days if there is a change to any information displayed on the registry, or changes to fit and proper personnel^{Footnote 8}. The UK has similar reporting requirements applicable depending on the service provided, the occurrence of an event, as well as on a continuing basis. This includes reporting with regards to changes to control of the business, individuals responsible for management, capital adequacy, complaints, and operational and security risk reporting^{Footnote 9}. 

The RPAA takes an analogous approach. Payment service providers (PSP) subject to the legislation are required to submit annual reports on risk management practices and business operation to the Bank of Canada (the Bank). These reports are supported by an obligation to make the Bank aware of any significant changes to the operation of the PSP five business days before they take effect, or changes to information submitted at the time of registration between thirty days before to thirty days after the changes take effect. 

To maintain the trust and security in an open banking system, participants who are accredited may need to be stripped of accreditation. The Australian CDR rules set out several reasons for which accreditation may be suspended or revoked, including providing false or misleading information in the accreditation application, committing illegal activities pertaining to the CDR, posing a risk to the security of consumers or the system, or no longer possessing fit and proper persons in key positions^{Footnote 10}.

Discussion

1. What are the expectations with respect to time to accredit and costs borne by applicants as part of the application process?
2. What information should be made publicly available about an accredited entity?
3. What information regarding a rejected application should be made publicly available?
4. How frequently should an applicant need to resubmit/renew accreditation? Alternatively, should the process be limited to ongoing reporting for certain criteria?
5. Under what circumstances would accreditation be revoked or suspended?

Outcomes

Accreditation process

Discussion 1

What are the expectations with respect to time to accredit and costs borne by applicants as part of the application process?

• While acknowledging that clarity on final accreditation requirements would be a factor, participants agreed with a three-month timeline for an accreditation process, noting the precedent set by Australia and the United Kingdom.
• Participants provided the caveat that these timelines would be reasonable provided that all necessary information was supplied by the applicant.
• It was noted that initial accreditation could take longer due to an influx of applications.
• There was also consensus that the cost should not be an impediment for applicants to join the system.

Discussion 2

What information should be made publicly available about an accredited entity?

• Participants agreed on the need to focus on the intended policy outcomes of the information being disclosed, as well as how this information would help consumers.
• As such, there was consensus that only general corporate registry type of information (for example, ownership structure), as well as the accreditation type (if applicable) and status should be made publicly available.

Maintaining accreditation

Discussion 3

What information regarding a rejected application should be made publicly available?

• There was general consensus that no information on a rejected application should be publicized.
• There was consensus that guidance could provide clarity on expectations and lead to better prepared future applications, though such guidance should remain anonymized and not attributable to an organization.

Discussion 4

How frequently should an applicant need to resubmit/renew accreditation? Alternatively, should the process be limited to ongoing reporting for certain criteria?

• While certain participants advocated for ongoing reporting obligations, there was general consensus among others that an applicant should renew accreditation at defined intervals or at the occurrence of certain events, such as a material change in the business, provided such events are clearly defined.

Discussion 5

Under what circumstances would accreditation be revoked or suspended?

• There was consensus that certain events create a serious risk to the system including, where an organization: fails to meet accreditation requirements following their initial assessment; fails to make information available in accordance with service levels such as availability; makes a misrepresentation in the accreditation process; or is subject to a final finding of unlawful behaviour by a regulator or court on a matter related to open banking.
• There was further consensus that organizations should be given the opportunity to remediate certain events prior to revocation or suspension of their accreditation status.  

Accreditation working group attendees