Liability working group meeting 4 – September 14, 2022

This discussion guide is provided to assist working group members in preparing for the meeting.

For questions or comments, please contact obbo@fin.gc.ca.

On this page:

• Discussion guide
• Outcomes

Discussion guide

Public accountability

Transparency is an important feature of an open banking system. Participating organizations can instill confidence in the system by reporting certain information to the public or to regulators. The type of information, and how it is reported, varies based on the objective for the reporting.

Open banking system participants are subject to various reporting requirements already. For this discussion, these reporting requirements are referred to as incident reporting and proactive reporting. Incident reporting refers to when an event or circumstance triggers a report (typically to a regulator). Proactive reporting is information regularly disclosed on a periodic basis.

Incident reporting

Standardization of incident reporting requirements create confidence in the resiliency of the open banking system. There are a variety of existing incident report requirements that could be adopted or aligned to the open banking framework.

There are existing reporting requirements for firms that have had a breach of security related to consumers’ sensitive financial data. Firms subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) are required to report to the Privacy Commissioner of Canada about any breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals, as well as notify affected individual about those breaches^{Footnote 1}.

As well, federally-regulated financial institutions are required to notify the Office of the Superintendent of Financial Institutions when technology and cyber incidents relating to their operations occur. The requirement to report incidents depends on the severity of the incident. Banks are also required to report incidents that did not originate from the bank but would impact the security of bank assets, or the security or data of banking customers^{Footnote 2}.

In addition, federally-regulated banks and external complaints bodies are required to report on consumer complaints and their outcomes, depending on the case. The Advisory Committee on Open Banking recommended that open banking participants disclose complaints in line with requirements of the Financial Consumer Protection Framework^{Footnote 3}. External complaints bodies are also required in certain cases to report to the public about complaints cases that they receive. Note that complaints handing processes were discussed in liability working group meeting 2, but this discussion did not extend to complaints reporting.

Proactive reporting

The core objective for Canada’s open banking system, outlined by the Advisory Committee on Open Banking, is to realize consumers' right to data portability, and to move towards secure, efficient consumer-permissioned data sharing. Proactive reporting can demonstrate how well the system is working. 

An approach taken in the United Kingdom has been to report periodically on application programming interface (API) call performance. These reports are posted monthly on the Open Banking Implementation Entity’s website. They provide information for consumers on the robustness and effectiveness of open banking platforms offered by data providers. Key metrics include average call response time, number of failed, rejected and successful calls, and average API availability. These metrics are segmented by category, as well as by brand (that is, by data provider)^{Footnote 4}.

Outcomes

Incident reporting

• There was a general consensus that the categories provided as examples in the discussion guide to the meeting were complete.
• Participants noted however that reporting obligations based on existing requirements would not extend to all participants and that the system should ensure uniform application.

• There was a general consensus that disclosing complaints in line with the Financial Consumer Protection Framework is appropriate.
• Participants again raised the issue of ensuring the uniform application of the framework.

Proactive reporting

• Participants generally agreed that the reporting metrics captured by the United Kingdom and Australian systems were sufficient.

• Participants suggested a variety of areas, including overall health and efficiency of the ecosystem, number of users, number of complaints and number of parties with accreditation revoked.

Liability working group attendees