Liability working group meeting 3 – August 18, 2022

This discussion guide is provided to assist working group members in preparing for the liability working group’s third meeting. It is the first of two meetings focused on promoting public accountability in open banking.

For questions or comments, please contact obbo@fin.gc.ca.


Discussion guide

Traceability frameworks

In their final report, the Advisory Committee on Open Banking (the Committee) recommended that participants must “have protocols in place to trace data so that all API calls are recorded and can be audited as necessary.”

This recommendation stemmed from consultations in 2019 and 2020, in which stakeholders described how the ubiquity and replicability of data challenge efforts to allocate liability effectively and efficiently.

For example, stakeholders noted that an application programming interface (API) “call” can entail a number of steps in order to communicate, authenticate, and move the data from provider to receiver. What happens when data is lost while “in transit” between a data provider and data recipient? How are both parties responsible for protecting the data while it is in transit, and how should they respond to and resolve issues? A variety of solutions were proposed, but no general consensus emerged.

There were also questions about how to trace data once it is collected by an accredited participant and then shared with an outsourced firm, third party, or agent as part of the open banking service. Note that the accreditation working group will examine transparency regarding relationships between such entities. The outcomes of this liability working group may inform their discussions. Bear in mind that data providers may also be data recipients, and may also rely on third parties to disclose data in an open banking framework.

For this discussion, traceability frameworks refer to any means by which participants in an open banking system may trace and record connections and events (for example, pulled or pushed API calls). Logging API calls can help develop timelines and support the attribution of responsibility in the event of a breach.

There are two aspects of traceability frameworks to consider:

Aspect 1: (De)centralization of traceability models

The centralization or decentralization of traceability refers to the approach used to track data requests and their associated recipient firms. In a decentralized model, individual recipients and providers may employ technological solutions or recordkeeping practices subject to some standard. For example, API calls may be logged internally by open banking participants, or they may be recorded or logged by one or more intermediary entities. In a centralized model, a third layer of responsibility for dispute resolution, ecosystem transparency and safety is held by a governance entity in an open banking system.

Aspect 2: Clarifying intertwined responsibility

The Committee recommended that common rules should “articulate that liability flows with the data and rests with the party at fault.” In certain cases, data may be too intertwined between provider and recipient, or within the recipient’s ecosystem, for participants to trace liability effectively or in a sufficiently timely manner for consumer redress. In these cases, an open banking framework might help by articulating the flow of liability.

For example, the Uniform Commercial Code in the United States indicates that a wire transfer payment sender bears more responsibility than its recipient. Similarly, the Second Payment Services Directive (PSD2) includes automatic redress for consumers.

Discussion

  1. What are the technical challenges in a centralized and decentralized approach? How might these be resolved?
  2. Should we adopt a centralized or a decentralized approach to a traceability framework for the initial design of the open banking system, acknowledging this framework could change after testing?
  3. What obligations should data recipients (whether bank or non-bank) have for tracing data after it has been collected (for example, through third parties or agents that handle the data)?
  4. What approach should be taken when liability is too intertwined to support timely and effective redress?

Outcomes

Traceability frameworks

Discussion 1

What are the technical challenges in a centralized and decentralized approach? How might these be resolved?

Discussion 2

Should we adopt a centralized or a decentralized approach to a traceability framework for the initial design of the open banking system, acknowledging this framework could change after testing?

Discussion 3

What obligations should data recipients (whether bank or non-bank) have for tracing data after it has been collected (for example, through third parties or agents that handle the data)?

Discussion 4

What approach should be taken when liability is too intertwined to support timely and effective redress?

Liability working group attendees

Members

  • Bank of Montreal
  • Banque Nationale du Canada
  • Canadian Western Bank
  • Canadian Imperial Bank of Commerce
  • Neo Financial
  • Meridian Credit Union
  • Plaid
  • Public Interest Advocacy Centre
  • Servus Credit Union
  • Vancity Credit Union
  • Wealthsimple

Absent

  • Intuit
  • Option consommateurs
  • Portage Ventures

External guests

  • Autorité des marchés financiers
  • Competition Bureau Canada
  • Financial Consumer Agency of Canada
  • Office of the Superintendent of Financial Institutions

Chair

  • Abraham Tachjian, Open banking lead

Secretariat

  • Department of Finance Canada
