Security working group meeting 1 – July 6, 2022
This discussion guide is provided to assist working group members in preparing for the meeting.
For questions or comments, please contact obbo@fin.gc.ca.
Discussion guide
Objective
To ensure the efficient functioning of an open banking system, the Advisory Committee on Open Banking (the Committee) recommended that common rules be established in the areas of liability, privacy and security.
The aim of this working group is to draft common rules on security to recommend to the government.

In their final report, the Committee noted that the core objective for implementing open banking in Canada is to realize consumers’ right to data portability and move to a system of secure, efficient and consumer-permissioned data sharing.
This working group will address security risks as they relate to open banking system participants. The open banking lead (the lead), with the support of the Department of Finance Canada (the Secretariat), will conduct separate due diligence on the security requirements of the application programming interface (API) technical standards that will facilitate the exchange of data between participants.
Approach and timelines
Meetings will be held approximately every three weeks. Members are encouraged to review the following material in advance of meetings:
- Canada's Digital Charter: Trust in a digital world
- Final Report, Advisory Committee on Open Banking
- Terms of reference for the open banking working groups and steering committee
- Annex A – Timeline of security working group topics
The lead, with support from the Secretariat, will distribute documents guiding the discussion for each meeting which will also be available on the open banking implementation page. Members may also be asked to draft material for discussion.
Security working group topics and timeline
Discussion
- Are there other topics that should be considered by the security working group which were not captured in Annex A?
- What are your views on the proposed timeline and cadence of the work plan?
Approach to risk management
Just as financial institutions employ a “risk-based approach” for prioritizing areas which merit the greatest amount of attention, a similar approach may be useful in determining the security requirements. The likelihood and impact of the materialization of a risk is an important factor to consider.
As the Committee notes, there is a need to establish baseline security requirements as a minimum "floor" for entry into an open banking system. Because accredited participants vary in size, business model and risk profile, a baseline ensures that each of them dedicates the necessary attention and resources to its greatest inherent risks. In addition, this will support a proportional application of security requirements based on a participant’s profile.
Discussion
- Data security, cybersecurity and operational risk (e.g., external fraud) are key risks stemming from open banking. Considering the need to adopt a risk-based approach and setting baseline requirements, are there any other risk types that should be considered?
- What factors should be considered to assess the proportional application of the frameworks/controls which will be applicable to the risk types identified?
- What challenges can be foreseen in implementing the frameworks/controls?
Annex A – Timeline of security working group topics
Timeline: July

Meeting | Topic | Outcome
---|---|---
Meeting 1 | Approach to risk management | Decision on key risks posed by open banking

Timeline: July to Oct.

Meeting | Topic | Outcome
---|---|---
Meeting 2 | Data security | Common rules on the frameworks and controls related to data security
Meeting 3 | Cyber security | Common rules on the frameworks and controls related to cyber security
Meeting 4 | Operational risks | Common rules on the frameworks and controls related to operational risk (fraud/authentication/incident management)
Meeting 5 | Other foundational risks | Common rules on the frameworks and controls for additional risk types raised by stakeholders

Timeline: Nov. to Dec.

Meeting | Topic | Outcome
---|---|---
Meeting 6 | Internal governance (part 1) | Common rules on the governance associated with risk management at the organization (e.g., frameworks, policies, accountability and ownership, risk appetite, testing, dedicated functions)
Meeting 7 | Internal governance (part 2) | Common rules on the governance associated with risk management at the organization (e.g., frameworks, policies, accountability and ownership, risk appetite, testing, dedicated functions)
Meeting 8 | Reporting | Common rules with regards to ongoing reporting requirements (e.g., frequency of attesting to compliance, public disclosure)
Outcomes
Security working group topics and timeline
Discussion 1
Are there other topics that should be considered by the security working group which were not captured in Annex A?
- There was general consensus that the proposed topics for the security working group were appropriate.
- There was some discussion relating to data quality, particularly where it fits in the context of the working groups; liability concerns; and whether data quality controls are necessary for the first phase of open banking.
Discussion 2
What are your views on the proposed timeline and cadence of the work plan?
- There was a general consensus that the proposed timeline and cadence of meetings for the security working group are appropriate. It was noted that more time may need to be allocated to operational risk and reporting discussions.
Approach to risk management
Discussion 3
Data security, cyber security and operational risk (e.g., external fraud) are key risks stemming from open banking. Considering the need to adopt a risk-based approach and setting baseline requirements, are there any other risk types that should be considered?
- There was general agreement with the principal risk types, such as data security, cyber security and operational risks. Participants noted the need to manage risks as the system evolves, including operational risks, reputational risk, data retention, residency and quality.
Discussion 4
What factors should be considered to assess the proportional application of the frameworks/controls which will be applicable to the risk types identified?
- There was general agreement for the need to assess the proportional application of risk frameworks. Factors included scope, nature of data use, client volume and service types.
Discussion 5
What challenges can be foreseen in implementing the frameworks/controls?
- A participant noted potential implementation challenges for banks due to legacy information technology systems.
- A participant noted that a challenge would be to ensure that controls evolve over time to limit risk to the financial system architecture.
Security working group attendees
Members
- Affinity Credit Union
- Alterna Savings and Credit Union Limited
- ATB Financial
- Canadian Imperial Bank of Commerce
- Clearco
- Equitable Bank
- Flinks
- nanopay
- PayBright
- Questrade
- Royal Bank of Canada
- TD Canada Trust
External guests
- Credit Union Deposit Guarantee Corporation of Alberta
- Financial Consumer Agency of Canada
- Office of the Superintendent of Financial Institutions
Chair
- Abraham Tachjian, Open banking lead
Secretariat
- Department of Finance Canada