Liability working group meeting 5 – October 12, 2022
This discussion guide is provided to assist working group members in preparing for the meeting.
For questions or comments, please contact obbo@fin.gc.ca.
On this page:
Discussion guide
Source of obligations of market participants
In their final report, the Advisory Committee on Open Banking outlined the guiding principle with regard to liability, stating that it should flow with the data and rest with the party at fault.
Issues of liability can arise in a variety of circumstances in an open banking environment. The first meeting of this working group discussed the liability as it pertains to consumers. Notably, working group participants reached a consensus that, barring cases where the consumer was proven to have committed gross negligence/gross fault, or criminal acts, liability should be limited up to a small fixed dollar amount. As a corollary, this meeting will focus on the potential liability between participants, namely where the technical requirements of an open banking system are not fulfilled.
As has been the case for previous discussions, experiences from other jurisdictions may help guide the discussion. It is notable that under Australia's Consumer Data Right (CDR) regime, liability between participants is addressed through legislation. The Competition and Consumer Act 2010 (CCA)Footnote 1 provides for the creation of "data standards"Footnote 2 that must be followed when consumer-permissioned information is disclosed between a data holder and a data recipient. To strengthen this requirement, the CCA provides clarity on responsibilities by establishing a deemed contractual relationship between data holders and accredited parties whereby each agrees to observe the standardFootnote 3. As a result, a party may seek judicial redress from the failure of the other to meet its obligations, namely the disclosure of data in accordance with the standardFootnote 4. The Australian Competition and Consumer Commission may also take the matter to courtFootnote 5. In addition, the CCA allows a consumer to take action against a system participant that has not complied with their obligation to disclose data in accordance with the standard in the event it suffers loss or damage as a result Footnote 6.
This approach provides certain benefits. Among them are: establishing clarity for the relationship between the data holder and data recipient and clearly outlining responsibilities that system participants have toward each other. Providing such clarity could, in turn, translate into greater adherence to requirements which would provide for better overall system performance.
The United Kingdom (UK)'s framework contrasts with the Australian one. Unlike the CDR, there is no legislative provision to enforce obligations system participants owe to each other. In addition, these obligations are not prescribed in legislation as they are under the CDR data standards. However, the UK's Open Banking Implementation Entity (OBIE) has outlined certain expectations with respect to the roles and responsibilities of system participantsFootnote 7. These expectations were dependent on their status as an "API user"Footnote 8 or an "API provider"Footnote 9, the latter being the nine UK banks mandated to provide data. For API providers, the obligations generally require that:
- data is made available through open banking APIs in accordance with the prescribed data standards and service levels;
- data shall be as accurate, comprehensive and up to date as reasonably practicable;
- there are no corruptions or failures in the content or structure of data made available through open banking APIs;
- API providers are responsible for the operation and security of their systems and processes it to make consumer data available through open banking APIs; and,
- API providers test their open banking APIs to ensure they meet the standards, and provide evidence on request on such testing.
API users, meaning those accessing open banking data from API providers, share similar but pared down responsibilities.
Discussion
- How should the legal relationship between participants be addressed? Should enforcement of obligations follow the Australian approach of a deemed contract or the UK one?
- How should the obligations between participants be addressed? Should they be prescribed like the Australian Data Standards?
- Should the obligations apply uniformly between participants? For example, should the obligations for those mandated to participate differ from those who voluntarily participate?
- Should the right to enforcement be extended to open banking end users?
Outcomes
Source of obligations of market participants
Discussion 1
How should the legal relationship between participants be addressed? Should enforcement of obligations follow the Australian approach of a deemed contract or the UK one?
- There was no consensus on which model to follow. Some participants expressed preferences for the non-legislative approach of the UK model, and others for the clarity of the more prescriptive Australian model.
- Participants also noted that clear guidelines favour consumer legal redress, reduce operational costs and uncertainty while a more flexible approach allows for rapid changes to the framework.
Discussion 2
How should the obligations between participants be addressed? Should they be prescribed like the Australian Data Standards?
- A majority of participants agreed that obligations should be prescribed.
- Proponents of the opposite view mentioned the ability of networks to hold participants to account, with payment network rules given as an example.
Discussion 3
Should the obligations apply uniformly between participants? For example, should the obligations for those mandated to participate differ from those who voluntarily participate?
- There was a general consensus that obligations should apply uniformly to ensure accuracy of data and reciprocity.
- A participant suggested setting a model where uniform obligations would only come into effect once a participant meets a certain threshold (for example, 10,000 customers). This would promote competition and entry of smaller players. Another participant cautioned that such a requirement could increase ecosystem risk in case of a breach.
Discussion 4
Should the right to enforcement be extended to open banking end users?
- No consensus was reached, with some participants proposing to extend the right to consumers and others suggesting that it be limited between participants, given the recourse that consumers may have with external complaints bodies.
- It was noted that in the absence of a legal relationship between an open banking participant and the end user, obligations would be limited between system participants. A right to enforcement would be of value to consumers because it would give them an additional avenue for redress.
Liability working group attendees
Members
- Bank of Montreal
- Banque Nationale du Canada
- Canadian Western Bank
- Canadian Imperial Bank of Commerce
- Neo Financial
- Meridian Credit Union
- Option consommateurs
- Plaid
- Prosper Canada
- Public Interest Advocacy Centre
- Servus Credit Union
- Vancity Credit Union
- Wealthsimple
Absent
- Intuit
- Portage Ventures
External guests
- Autorité des marchés financiers
- Competition Bureau Canada
- Financial Consumer Agency of Canada
- Office of the Superintendent of Financial
Chair
- Abraham Tachjian, Open banking lead
Secretariat
- Department of Finance Canada
Page details
- Date modified: