Submission in response to the Department of Finance Canada’s Consultation Document entitled “A Review into the Merits of Open Banking”
The Advisory Committee to the Open Banking Review/Financial Institutions Division The Financial Sector Policy Branch
Department of Finance Canada
90 Elgin Street, Ottawa, ON K1A 0G5
Email: [email protected]
Toronto, February 11, 2019
Re: Consultation on the Review into the Merits of Open Banking
Section One: Open Banking Benefits and Outcomes Open Banking Can Make Data Sharing Secure Open Banking Can Transform Small Business Credit in Canada Open Banking and Payments Initiation Canada Can Lead North America into Open Banking - There Is No ‘US Model’ Section Two: Innovation and Competition Benefits from Open Banking Open Banking Can Lay the Foundation for Canada’s Data Economy Open Banking Makes APIs the Foundation for Financial Technology Innovation The Case for a Standardized Approach to Open Banking to Drive Innovation Open Banking Will Stimulate Competition in the Canadian Banking Sector Open Banking in the UK - ‘One Year On’ Section Three: Managing the Potential Risks in Open Banking Cyber Security Data Sharing Privacy, Consent and Confidentiality Consumer Protection Issues: Accreditation, Liability Model and Suitability Financial Stability and Prudential Issues Section Four: Role of the Federal Government and Implementation Considerations Government Must Play a Central Role Implementation Considerations Ideas for Implementation
Portag3 Ventures (“Portag3”) is pleased to provide this comment letter on the Consultation.
Portag3 is a Canadian venture capital fund focused on the financial technology (FinTech) sector and is one of the most significant investors in early-stage FinTech in Canada. The Portag3 portfolio of investments in Canada include Wealthsimple, Borrowell and KOHO. We are an early-stage investor dedicated to backing innovating financial services companies working to benefit all consumers.
Scott Farrell, senior partner at King and Wood Mallesons, who led the ‘Review into Open Banking in Australia’ offers in it a simple synopsis of the logic for Open Banking:
“There is a firm foundation in the duties that a bank owes a customer. A bank has a duty to keep a customer’s money safe and to pay it to others at the customer’s direction. Similarly, a bank has a duty to keep the customer’s information confidential. So, an obligation for a bank to provide a customer’s information to others at a customer’s direction makes sense. Both money and information are valuable, and the bank would not have either without the customer.” 
Open Banking is required to enhance competitiveness in the Canadian financial system while driving innovation. There are a dozen countries that are ahead of Canada in their deliberations and implementation plans for Open Banking, as well as the 28 member states of the EU that are implementing the second Payment Services Directive. Without moving swiftly to this new competitive norm, Canada will inevitably become a future importer of innovative financial technologies scaled in other markets, rather than the creator and exporter of them that Canada has the potential to become.
In every country pursuing Open Banking, government has been actively involved in some capacity. There is no country where there has been a pure ‘market-driven’ approach. The one country that stands out as lagging in the discussion on Open Banking is the United States, where market forces have been insufficient to overcome a fragmented financial regulatory framework and produce a unified solution for data sharing. Large banks are pursuing non-standardized proprietary solutions and bilateral relationships with individual FinTech companies. This significantly limits the benefits consumers would obtain if instead an open and standard framework was implemented.
Open Banking is of course not simply about implementing a technical standard as the comprehensive approaches taken in the UK and Australia, markets with similar banking sector structures to Canada, have shown. A properly functioning system requires legislative and regulatory support for data rights, privacy and consumer protection, governance to enforce and keep standards current, and a central body to accredit participants operating within the system. In Canada, the federal government and in particular, Finance Canada, should play the central role in coordinating these aspects of Open Banking.
Section One: Open Banking Benefits and Outcomes
Portag3 supports the compelling and thorough case for the benefits of Open Banking for consumers and small business that is laid out in the Consultation.
In this section, Portag3 strengthens the case, explaining how bank data is shared today for purposes that are useful to consumers and how Open Banking can improve the process to access data in a more secure environment, and then lays out a specific case for how Open Banking can benefit small business, a sector of major importance to Canada’s economy.
Portag3 emphasizes that payments initiation is fundamental to Open Banking and must be part of the framework but only when access to the new real time payment system is broadly available to all parties.
Portag3 concludes by advancing the idea that Canada can lead North America into Open Banking, creating further opportunities for banks and FinTech in other markets.
Open Banking Can Make Data Sharing Secure
Banks today in Canada routinely make customers’ data available to them at bank branches and from websites, phone banking and mobile banking applications. Customers can share data as paper statements or manually download and export PDF or CSV files. Data in these formats, however, are difficult for customers to easily and safely share with third parties, such as credit bureaus, accountants, financial advisors and others or to use in personal financial management applications. Sharing data this way is also highly inefficient, particularly when used for applications requiring regular updates.
Given the demand by many third party services to more efficiently obtain a customer’s own data, these services automate access to banking information by asking customers to provide them with their login details. The credentials are then used by aggregation technology, sometimes referred to as ‘screen-scraping’, that logs into the customer’s online banking account. The software then extracts data or performs actions that customers would usually perform manually themselves on the website.
The practice is widespread in North America and around the world. The largest US data aggregators, most of which have considerable presence in Canada, include Yodlee and Plaid. Each connects to over 20 million customer accounts and aggregates data from most of the top financial institutions on behalf of hundreds of FinTech companies. Intuit, to populate its own small business software directly, also engages in the practice in the US and in Canada. Flinks and Wealthica are two examples of Canadian based financial data aggregators both of which connect with dozens of Canadian financial institutions to verify account ownership, and to access customer account balances and transaction history.
The US Department of the Treasury ‘White Paper on Nonbank Financials, Fintech and Innovation’, released in July 2018, concludes that ‘screen-scraping’ poses significant cyber security and fraud risks, and that these risks have been recognized for nearly two decades. The report states “During outreach meetings with Treasury, there was universal agreement among financial services companies, data aggregators, consumer fintech application providers, consumer advocates, and regulators that the sharing of login credentials constitutes a highly risky practice.” They further conclude that Application Programming Interfaces (APIs) are potentially a more secure method of accessing financial account and transaction data than ‘screen-scraping’. 
With Open Banking, including the standardization of Open APIs across the market, customer data can be transmitted in a more efficient and secure fashion.
Financial Data Aggregation in Canada Today
Approximately three and a half million Canadians, one in five Canadian adults, use at least one financial data aggregation service. 
Open Banking can ensure that Canadians do not violate their banks terms and conditions. The federal Financial Consumer Agency of Canada published a ‘Fraud Month’ Bulletin in March 2018 stating “By disclosing their online banking user IDs and passwords to a third party, consumers may breach their financial institutions' user agreements and be held liable for any losses resulting from unauthorized transactions despite any security measures the third party service may have in place”.  The only way consumers can withdraw the third party’s access to their account is if they change their password.
Today, data aggregation technology services face a constant challenge in interfacing with banks, who frequently make changes to their websites and in doing so impede access to the customer information being sought at the customer’s direction. This is inefficient, for example, for small businesses, which rely on their accounting information being always available and up to date. The inherent instability also means that the providers of the software must repeatedly fix functionality broken from minor, unexpected changes on bank websites, which is costly, distracting and time- consuming. Many banks even go so far as to block third party aggregator traffic while at the same time offering their own unidirectional screen scraping services to customers.
The federal government has placed a major emphasis on small business, with Minister Mary Ng recently commenting “Small businesses are the backbone of our economy and employ over 8 million hard-working Canadians. That’s why our government is committed to helping small businesses start up, scale up and access new markets”.  It will be hard for small businesses to succeed at scaling up without first eliminating the productivity drag and inefficiencies many now face in trying to keep their accounting current.
Consumers and small businesses clearly highly value the services being made available by data aggregation technology, including those being made available by Portag3’s own portfolio companies. With Open Banking using standardized Open APIs, more Canadians can receive the benefits from these services and use them confidently.
Open Banking Can Transform Small Business Credit in Canada
There are 1.2 million small businesses in Canada, 98% of which have fewer than 100 employees. They employ 8 million Canadians, representing 70% of the private sector workforce. Small businesses contribute 30% of Canada’s GDP. 
The Competition Bureau, as part of their study into FinTech that was released in December 2017, reviewed the state of SME lending. They observed that since the 2008 financial crisis, increasing risk aversion has led to a tightening of credit markets, particularly for SMEs. Further, half of SMEs in Canada rely on informal financing sources such as personal financing, personal loans from family and friends, retained earnings and personal savings, and 30% of SME owners have turned to financing with business and personal credit cards. 
There are certainly challenges for banks financing small business today. Capital requirements since the 2008 financial crisis make small business loans less profitable for banks. Small business loans are costly to originate, underwrite and service, and the wide variation in types of small businesses make standardized credit scoring difficult. Many small businesses, especially newer ones in the sectors such as technology, do not have assets to use as collateral for loans, and banks prefer to have credit secured.
Data is a critical element in lending and while cash flow is not the only criteria for credit decisions, it is still the most important. With Open Banking, small business owners can access their current and historical financial transaction data from banks and provide a clear profile of their finances to any credit provider they choose.
These include non-bank credit providers, who will benefit from the timely and pertinent data made available from small businesses engaged with Open Banking. ‘Alternative lending’ (or ‘Innovative lending’) to small business is still a minor part of the market but is growing quickly. In 2017, 9,000 small businesses in Canada borrowed $500 million from non-banks, an increase of over 100% year-on- year. 
The types of finance available will become increasingly tailored to the needs of small businesses trying to manage their cash flow. Working capital loans in the form of merchant cash advances and invoice factoring are becoming more available, enabled by technology innovations that lower the costs of originating and make servicing more efficient. Better data from Open Banking will also allow lenders to price risk more precisely for an individual business, rather than simply applying one higher rate to a set of businesses with generally similar characteristics.
The more precise pricing of risk will also bring more capital into the market because loan losses from defaults can be better predicted and returns on capital will be more stable. The funding sources for non-bank lending to small business are increasingly institutions, providing 70% of capital in 2017, gravitating to this attractive asset class that is uncorrelated to equity and fixed income markets.  It is possible that while banks don’t normally “lend to lenders”, they too may put capital to work with credit providers who have low cost and technology advanced platforms.
Open Banking can transform small business credit in Canada, making the credit decision process more efficient by giving small business tools to access and share their bank data, and opening the market to expand the availability of credit providers with products tailored to small business.
Open Banking and Payments Initiation
The concept of payments initiation is that customers can direct authorized third parties to make payments from their bank accounts to other parties.
In the Consultation Paper, on the topic of Payments Initiation and Open Banking, Finance Canada states “some jurisdictions are including payments initiation”. In fact, every jurisdiction that is pursuing some form of Open Banking includes payments initiation, except for Australia for the reason cited below. Payments initiation is fundamental to Open Banking and payments must be part of an Open Banking framework in Canada.
The EU second Payments Services Directive (PSD2), being implemented in 28 member states from January 2018, prescribes data sharing and opens the payments infrastructure to give new entrants the ability to initiate payments. PSD2 and Open Banking give accredited third parties with customer consent the ability “to access information and/or request payments”. PSD2-style legislation has also been implemented in countries as diverse as Japan, Mexico and Rwanda, each country recognizing that opening the payments system will unlock innovation and spur competition.
Australia is the only country that is not moving to allow customers to access payments initiation services in a first implementation of Open Banking. Australia’s real time New Payments Platform (NPP) went live in February 2018. The Farrell Review suggests that there was a desire to move as fast as possible to implement the core aspects of Open Banking and that an additional focus on payments might have slowed this down.
While Australia may not initially be including payments initiation in Open Banking, the Reserve Bank of Australia, the regulator responsible for the NPP, has been clear in its comments on the access regime since the start of the project: member banks should not be restrictive on access to the NPP. 
In Canada, the Competition Bureau made their views known on who should be able to access the retail payments infrastructure in their December 2017 Market Study on FinTech, and recommended the broadest levels of access that should include FinTech companies, current indirect clearers and non-financial institutions. They noted that a similar model in the UK had resulted in a significant increase in the number of new entrants gaining direct access, and greater innovation on top of the modernized payments infrastructure was expected as a result.
A survey commissioned by Payments Canada in March 2018 on small business payments revealed that the demand for innovation in payments in Canada is high. If there were other options, 61% of respondents would be willing to move away from cash and 67% would be willing to move away from cheques. As well, 54% of small businesses believe they are spending too much time on payment processing activities and 87% think it is important that the payments industry continues to evolve. 
In announcing the survey results, Payments Canada CEO Gerry Gaetz commented. “We know the operational efficiencies from modernizing the payments system will be significant and businesses will be able to chip away at the $3 billion to $6.5 billion they spend on payments each year. Add to that the emergence of new and innovative products and services, and there is much for businesses to look forward to”. 
While we would recommend payments initiation be included in an open banking framework from the start, we acknowledge the Payments Canada Modernization timeline needs to be taken into consideration. Based on the current implementation plan we understand the real-time payments system (RTR) will be ready in 2020. Unfortunately, it appears that only incumbents will have access to the new rail until, at minimum, release 2 which we believe would put new market entrants at a competitive disadvantage. The timing for release 2 is unknown at this point in time. Therefore, we recommend that the government only includes payments initiation, in the context of Open Banking, once access is made available to all accredited participants. We also encourage the government to explore ways to expedite release 2 of the RTR implementation plan.
The Competition Bureau made opening access to the payments system a core recommendation in their December 2017 report and made it independent of Open Banking. Including payments initiation in Open Banking, assuming access to the RTR is broadly available to market participants at that time, would deliver a consistent approach to using APIs for bank customers to share data and initiate payments across the Canadian financial sector, which would be a positive outcome for consumers.
Canada Can Lead North America into Open Banking - There Is No ‘US Model’
Most of Canada’s largest banks have significant operations in the United States in retail banking and wealth management. The United States financial services sector is very different to that in Canada, in terms of size and the nature and diversity of its regulatory models. There are over 3,500 FDIC supervised financial institutions in the US and the federal regulatory framework is comprised of five agencies, with multiple agencies also involved in consumer protection related to financial services. 
While the term Open Banking is not used in the July 2018 US Treasury ‘White Paper on Nonbank Financial, Fintech and Innovation’, the recommendations made in it are very closely aligned with the principles governing Open Banking.
In the report, Treasury states their commitment to the principle that consumers should be able to freely access and use their financial account and transaction data. They recommend that the US market would be well served by a solution developed in concert with the private sector that addresses issues of data sharing, standardization, security, and liability. Treasury believes that improved approaches to data aggregation, away from screen-scraping and towards APIs, “will benefit consumers and financial institutions alike and are surely attainable”. 
Treasury suggests other areas where collaboration amongst market participants could improve consumers’ ability to use their data, including a standardized set of data elements and formats. They advise that a single taxonomy would foster innovation in services and products that use financial account and transaction data, and that standardization could improve market efficiency by making it easier to engage in comparative analysis. Standardized Open APIs and Open Banking achieve these goals.
There is no model for Open Banking in the US and no one body or group is taking a leadership role to bring the market together around the principles that Treasury espouses. This may be an opportunity for Canada. By adopting Open Banking while the US is still sorting out how to address the issues within their fragmented regulatory framework, Canadian banks operating in the US may have a competitive advantage and can play a leadership role in setting standards.
A forum for that role might be within the recently formed US Bank Policy Institute, which combined the advocacy functions of The Clearing House Association and the Financial Services Roundtable. Four of Canada’s largest banks have joined the Institute and could make their voices heard on Open Banking to the 45 member banks, which include several of the large US banks that have developed proprietary APIs, which limit interoperability and the potential for innovation across the market.
The link between Canada and the US regarding Open Banking has another dimension. As noted earlier, several of the major US data aggregators and service providers who currently collect customer data using aggregation technology also operate in Canada. By moving to Open Banking, these companies would have to develop the Open API structure to comply with Canadian regulation or practice. Canadian banks operating in the US could then also implement the Open API for their US operations, improving security and customer experience, and leverage their Open Banking implementation investment.
Further evidence that the sector is heading in the direction of APIs comes from the largest data aggregator in the US, with 20 million customers, the aforementioned Yodlee. The company announced last year that it had created a single API solution aligned with PSD2 and compliant with the UK Open Banking API protocol for Account Information service providers. With Canada adopting Open Banking, the Canadian banks operating in the US could quickly and easily integrate with any service provider that is using standardized APIs, which will be increasingly the norm in the EU, Australia and elsewhere.
While only one of the large Canadian banks has major operations in Mexico, the market of over 115 million may also be relevant in Canada’s adoption of Open Banking. There are five dominant retail banks in Mexico and five of the top seven banks are foreign subsidiaries of large global financial groups, most from jurisdictions where APIs are being implemented in financial services.
Mexico passed a new FinTech law in March 2018, which included many concepts from PSD2 and UK Open Banking which will provide customers with fair access to their data and require the market to adopt Open APIs. The regulator, CNBV, has 24 months to come up with the detailed implementation plan, and is working with the UK Prosperity Fund to study best practices.
With 90% of consumer transactions being conducted using cash and 60% of the population not using banks, there is a very large opportunity in retail payments in Mexico that will be enabled by Open APIs. Canadian FinTech can tap into that opportunity by having Canada adopt Standardized Open APIs and Open Banking. 
Section Two: Innovation and Competition Benefits from Open Banking
Portag3 is in the business of investing in innovation in FinTech, and agrees that open access to data is vital to allow Canadian FinTech companies to grow and scale.
Portag3 is aware of the National Digital and Data Consultations and believes that Open Banking can lay the foundations for Canada’s data economy and APIs can be the foundation for financial technology innovation. However, for these promises to be realized, Canada needs to adopt a standardized approach to Open Banking that places all market participants on a level playing field to innovate and compete.
Portag3 observes that competition in the financial sector in Canada has not been studied as closely as in markets with comparable structures such as the UK and Australia. Nonetheless, it seems obvious for the reasons outlined below that Open Banking in Canada will stimulate competition in the sector.
Open Banking was implemented in the UK in January 2018. At the end of this section, Portag3 profiles the experience in the UK ‘One Year On’.
Open Banking Can Lay the Foundations for Canada’s Data Economy
The Canadian government’s main strategy to sustain economic prosperity in the coming years is through innovation. Since 2017, Innovation, Science, and Economic Development (ISED) has been promoting a plan for ‘Innovation and Skills’. Adopting Open Banking in Canada is completely aligned with ISED’s objectives since doing so will harness technologies like APIs, lead to a vibrant and growing FinTech sector equipped to compete in global markets and reinvigorate the established banking sector.
ISED launched a Consultation on a ‘Digital and Data Strategy for Canada’ in June 2018, recognizing that digital innovation is essential to growing the economy, and asking how Canada should position itself to take advantage of the new data economy.
Open Banking as a system requires dealing with the full range of issues around individuals and small businesses’ rights to data, how to share it, and the data infrastructure necessary to make it work. Issues include technical, regulatory and legal, governance, security, liability, standards and public communication. Open Banking requires figuring out how an authentication and consent model for customers and a liability framework and dispute resolution management should work. There needs to be a central repository for participants and clear routes to access it and decisions need to be made on which participants should be regulated, by whom and how.
Overall, Open Banking is a good exemplar and can be the catalyst to lay the foundations of Canada’s data economy, since many of these same design questions will need to be addressed across all sectors of the economy. The banking sector in Canada can be the first.
In Australia’s planned implementation of Open Banking, the migration beyond banking is already specifically anticipated. They have underpinned their planned implementation of Open Banking with a new national ‘Consumer Data Right’, and plan to extend it over time to all market sectors, starting with banking and moving next to consumer energy and telecommunications. The Data Right is part of the government’s response to the Productivity Commission’s extensive inquiry into the availability and use of public and private data by individuals and organizations. It gives consumers the right to direct the data that arises from their own interactions with service providers to be shared with others they trust, so that they can benefit from its value.
Open Banking Makes APIs the Foundation for Financial Technology Innovation
Banking products are increasingly just digital products. Open Banking will accelerate further digitization of bank processes and activities, along with the architecture of banking services design and delivery will be improved using APIs. The potential for innovation and efficiencies for Canadian banks of all sizes is material as is the opportunity for existing and new FinTech companies.
APIs are a critical feature of Open Banking. In the most technologically advanced markets, such as Singapore, Open APIs are regarded across all sectors of the economy and government as the means to realize their broader vision of a ‘Smart Nation’. The Monetary Authority of Singapore, which is both the central bank and the financial regulator, has actively promoted the use of APIs in the financial sector and DBS Bank of Singapore has since launched the world’s largest API developer platform.
APIs are central to the approach taken in the UK, where Open Banking was implemented first in January 2018. It was posited within Treasury as early as 2013 that “data portability in banking alongside APIs will have a big impact on innovation”. When the Competition and Markets Authority (CMA) announced the package of competition remedies to UK retail banks in 2017, they were explicit that “of all the measures we have considered as part of this investigation, the timely development and implementation of an Open API Banking Standard has the greatest potential to transform competition in retail banking markets”. 
The Chief FinTech Officer of the Monetary Authority of Singapore, Sopnendu Mohanty captures the benefit of APIs commenting “fundamentally, the core advantage of an ecosystem built around APIs is the ease of collaboration and co-creation between industry players, which engenders new ideas and innovative solutions. By adopting open APIs, traditional financial institutions can more readily experiment, collaborate and leverage on innovative solutions and business models that other participants in the financial ecosystem have developed”. 
The Case for a Standardized Approach to Open Banking to Drive Innovation
There is strong rationale for Canada and other countries considering Open Banking to use the Open Banking Standard and a standardized approach. Doing so will coordinate efforts, reduce duplication, increase interoperability, minimize costs and maximize benefits for all market participants within and across countries. Minimizing costs is a very real consideration. The Open Banking Standard and the work of the Open Banking Implementation Entity (OBIE) is freely available to all through the market mechanism of ‘open licenses’. The work of the OBIE was funded in the UK by the nine largest retail banks (now known as the CMA9) that were mandated by competition order to fund and centrally implement.
The CMA emphasized that Open Banking needed to be implemented to a ‘Standard’. The UK Open Banking Standard was initiated by the Open Banking Working Group (OBWG) in late 2015, convened by Treasury. The OBWG brought together a highly diverse group of 150 individuals from 80 organizations across the public and private sectors. Various work groups tackled the issues of governance, legal, policy and technical as well as focusing on user needs, business cases, and communications. The OBWG developed a set of specifications and rules addressing the data, technical and security aspects of sharing data in an API environment. 
Initial implementation work was undertaken in January 2018 by the CMA-mandated OBIE where 125 full-time consultants worked on all the relevant issues on the API and the marketplace, including customer dispute resolution and the liability model. In 2018, the OBIE produced v2 and v3 of the Open API Standard and have published extensive Customer User Experience Guidelines for banks and will extend these to guidelines for third party providers early in 2019. Australia is moving forward with Open Banking using APIs for sharing customer data. They have used the UK’s technical specification as the starting point and have already completed their first working version of the API. New Zealand has also used the UK Standard as the basis for their pilot project in Open Banking which was completed in December 2018. 
FDATA, the trade association for technology companies in the financial sector and an important voice on Open Banking, also advocates for a standardized approach within and across markets. As they point out, in a well-functioning market, commonality in technical standards, security profiles and methods of dispute resolution are highly preferable to individual approaches. 
A standardized approach to APIs also makes it more likely that the developer community will become engaged with Open Banking and innovate, and expand the FinTech ecosystem. Standard extensible APIs can be leveraged for as yet unknown opportunities to reuse digital assets and unprecedented new services that produce better customer experiences and outcomes. This is a better way to ensure innovation in Open Banking rather than attempting to detail every possible ‘use case’ or use market research to gauge customer demand.
Open Banking Will Stimulate Competition in the Canadian Banking Sector
Facilitating improvement in competition has been a specific driver for Open Banking in the UK, Australia and New Zealand. Competition was again a key driver in the move by the European Union when they promoted the concept of data portability in the second Payment Services Directive.
Canada lacks a specific focus on competition in regulating financial services, especially compared with the UK and Australia, countries with very similar banking sector market structures. In the UK, the top 5 retail banks have an 85% share of current accounts; in Australia, the top 4 banks hold 75% of assets and a roughly equivalent share of most retail banking products; in Canada, the top 6 banks hold 90% of assets and also dominate in all aspects of retail banking.
In the UK, the regulatory framework for banking and financial services is inherently pro- competition. The Financial Conduct Authority has an operational objective to promote competition, and the Prudential Regulation Authority and Payments Systems Regulator have secondary competition objectives. In Australia, the Australian Competition and Consumer Commission has dedicated staff working on matters related to Financial Services Competition, including market studies and advocacy.
In Canada, within the Competition Bureau, there is no permanent staff role examining financial services. The Bureau has, though, more recently advocated for a dedicated policy lead in Canada's financial regulatory framework charged with examining competition and innovation. Portag3 supports this recommendation by the Bureau.
In the UK and Australia, there was extensive study of the competitive dynamics in the banking sector before they adopted policies on Open Banking. In the UK, the CMA spent close to two years investigating retail banking, which culminated in the 700-page report ‘Making Banks Work Harder for Customers’. In Australia, the 2014 Financial System Inquiry was followed by the Standing Committee on Economic Review of Four Banks and a further Financial System Inquiry was conducted by the Productivity Commission with its findings released in August 2018.
In Canada, the only recent study of competition in retail banking has been the Market Study on FinTech completed by the Competition Bureau in December 2017. This was a thorough examination conducted over 18 months but was limited in its review of retail banking to small business lending and retail payments.
Several general observations from the UK and Australian reviews are likely relevant in the Canadian context. One is that retail banks tend to bundle and cross-subsidize products, and while bundling may be convenient for consumers and small business, the practice makes it difficult for them to switch accounts and to switch banks. Another is that it is difficult for customers to find information on products and services in a way that lets them easily compare products and find alternative products and better deals. As well, the pricing, rates and fees offered for the same product or service are often different for different customers, with new customers often being offered more favourable terms that current ones.
In the UK, the CMA used their powers to legally order a package of remedies to the CMA9 banks to tackle the competition issues they had discovered. In their announcement, the CMA commented “weak customer response plays such a central role in our diagnosis of the competition problems in the retail banking markets, measures to engage, empower and inform personal and business customers are at the heart of our remedies package.” 
With the aforenoted similarities in retail banking market structures with the UK and Australia, had competition been as thoroughly studied in Canada, it is likely that the findings here would be broadly similar.
A final further note on competition is warranted on transparency, which is a core issue in competition policy. Transparency becomes possible with Open Banking and makes data available on bank products and services and how they are priced, including applicable interest rates and fees. In this regard, Open Banking is consistent with the transparency initiative principles of the ‘Client Relationship Model’ (CRM) that was phased into the Canadian securities markets from 2012 to 2016. CRM is the set of rules developed by the provincial securities regulators designed to enhance transparency in dealings between investment firms and advisors, including in investment reporting and compensation. Open Banking can build on this important development in investments and expand the principles into the banking sector.
Open Banking in the UK - ‘One Year On’
While several of the CMA9 banks were not ready for the January 2018 deadline and needed time to finalize developments, all were up and running within a few months. The first account types opened up were personal and business current accounts, and credit cards and savings accounts will come on stream in 2019.
It has been widely observed that not all the bank’s APIs worked particularly well early on in the implementation and the authentication processes for customers to get access to their data were initially cumbersome. In discussions with the OBIE, it is clear that performance and conformance of the APIs still need to be improved across the system and that this is happening. Likewise, a focus on creating a positive customer experience in the authentication process has seen it substantially refined to become ‘app to app’, avoiding the frustration and redundancy of earlier multiple redirections.
It has also been regularly observed in the UK press in the past year that not many UK consumers seem to be aware of Open Banking. However, this may not be particularly relevant since awareness is not in itself a business result. What is important is that the products and services built to sit atop the system of Open Banking attract customers. With the infrastructure now in place and poised only to get better, and when the backlog of third party providers waiting to get accredited by the FCA clears, those at the OBIE expect many new offerings to come to market.
What is clear in the past year is that while compliance by the CMA9 banks was the initial driver to get Open Banking started, the banks are increasingly finding ways to make use of their own new features.
As a senior banker at one of the largest retail banks commented “You can’t underestimate the size of the technical challenge given the timeframe we were given to deliver this. There’s a bandwidth question, it was only once we broke the back of that initial delivery that we could free up the teams to say ‘now let’s think about how we can really use this.” 
Of note is that all of the UK’s biggest banks have or will imminently launch their own applications for customers to view information from different accounts in one place.
In September 2018, Barclays extended aggregation in their mobile banking app to current accounts from other banks with ‘Your Banks in One Place’. They started with eight banks on the service and are now building out the base, and already claiming six million are using the service.  HSBC launched a new app ‘Connected Money’ that allows customers to see accounts from up to 21 different banks on one screen, allowing customers with an HSBC current account to view, though not manage, current accounts, online savings accounts, mortgages, loans and cards.  Aggregation looks to quickly become a market norm rather than a competitive differentiator, which is certainly positive for consumers.
There is also evidence of a burgeoning ecosystem developing in the UK. There are already more than 80 third party providers registered with the Financial Conduct Authority to provide either account information or payment initiation services, and another 100 are in the FCA process waiting to join. Ten banks beyond the original CMA9 have registered, which suggests that the standardized APIs are becoming a competitive necessity. 
On the FinTech side, 2018 was a year of making progress on basic connections with the new APIs and all indications are that the infrastructure is beginning to work.
First API Payment: Token made the first end-to-end payment through Open Banking APIs. When the payment of £4.99 was made on June 1, 2018, Token co-founder commented “This was one small payment for a PISP, one giant leap for the world of banking. Billions of payments will follow. Ours was the first.” 
First API Connection to all CMA9 Banks: One of the most successful applications from a bank that is not one of the CMA9 has come from Yolt, a standalone app from Dutch bank ING that re-entered retail banking in the UK in 2016. Yolt is a mobile finance platform to help people keep track of their finances across providers. Initially operating by using screen-scraping, with Open Banking, Yolt has migrated to connecting with Open APIs and has 300,000 people in the UK using the app. In September 2018, Yolt became the first third party provider to successfully connect to all CMA9 banks using APIs. 
First API Business Loan: in November 2018, Iwoca made the first business loan through Open Banking APIs. Iwoca has since announced new open banking connections to Barclays and HSBC adding to the one with Lloyds Bank. Small businesses receive direct access to five years of transaction history instantly and use that to quickly and easily apply to Iwoca for loans or a credit facility. Iwoca co-founder commented that since the first loan in November “We’ve found that more than two thirds of our customers are choosing to use it. Twice as many are completing applications in one hour or less with Open Banking compared to those manually uploading files. So we’ve seen the difference the Open Banking makes.” 
Leon Muis, COO of Yolt, sums up where Open Banking in the UK is headed. "2019 looks set to be an exciting year for Open Banking as we see the legislation really take hold and move into the next phase to include credit cards and savings plus the increasing availability of Payment Initiation Service APIs. The success of APIs has been proven and it is now time for all UK banks to improve the quality and availability of their APIs to enable more consumers to benefit from Open Banking.” 
Section Three: Managing the Potential Risks in Open Banking
Portag3 agrees with the view expressed in the Consultation that an Open Banking system must provide confidence that there are safeguards to ensure that Canadians’ rights as consumers are respected, their privacy is protected, their information is secure and that the financial sector continues to be stable and resilient.
After a careful examination of the potential risks cited in the Consultation, Portag3 concludes that there are no inherent risks in adopting Open Banking and none of the issues that need to be addressed are without precedent or insurmountable. Portag3 comments in this section on cyber security and data sharing; privacy, confidentiality and consent; consumer protection issues of accreditation, the liability model and suitability; and concludes with comments on financial stability and prudential issues.
Portag3 also supports the perspective expressed in the Consultation that a robust Open Banking framework may even enhance privacy and security since the whole approach is purpose-built around customers to address the concerns about sharing data. Portag3 notes that Open Banking will leverage and may expand Canada’s already strong approaches and legislation and policy regarding privacy.
Portag3 notes that issues such as privacy, cyber security and digital identity apply across all sectors of the economy, however no issue arising from any of these is a reason to delay Open Banking.
The issue of information security and the processes designed to protect data assets from breach and fraudulent use are already well addressed in Canada at the federal level and within the Canadian banking system. Open Banking in Canada can build on this secure base.
Public Safety Canada has overall federal government responsibility for cyber security and has taken leadership to create and adopt models and best practices that can be transferred to the private sector. Canada has embraced a National Cyber-Security Strategy and the 2018 federal Budget allocated more than $500 million dollars over five years, including for a new Canadian Centre for Cyber Security. The Centre is intended to be a single source of expert advice, guidance, services and support on operational matters related to cyber security. In the development of the detail of the implementation of Open Banking, the Centre can be an expert and unbiased contributor to the discussion. 
Within the financial system, the Bank of Canada has regulatory oversight of financial market infrastructures, including the major payments systems operated by Payments Canada. The Bank of Canada formed the Joint Operational Resilience Task Force, a collaboration across eight large financial institutions, three payment systems, the Department of Finance and the Office of the Superintendent of Financial Institutions and the Canadian Bankers Association to improve cyber readiness and operational resilience. The Task Force should give confidence that there is an established group and process considering these issues generally for the financial system and can do so also specifically for Open Banking.
Banks in Canada are regarded as trusted custodians of their customers’ highly sensitive personal and confidential information. Canadian banks have devoted very significant resources to creating well-established information security and data warehouses that meet the highest standards worldwide. Banks in Canada are at the forefront of the prevention and detection of cyber security threats, have invested heavily in cyber security and have sophisticated security systems in place. In addition, banks are leading the discussion on the related issue of a federal digital identity strategy. Open Banking APIs to access bank data will be built on this secure bank infrastructure.
Open Banking introduces data sharing amongst banks and with third parties using standardized APIs.
Implementing well defined security standards should give customers the confidence that any party they choose to transact with under Open Banking has appropriate security in place. Customers should expect their banking data to be securely transferred and held at all stages and that there are mechanisms to deal with any failure to meet the security standards.
There is ample precedent for Canada to look to for secure data sharing in the banking sector. The CMA9 banks in the UK have been sharing data amongst themselves and accredited third parties since January 2018.
Canada can look also to the work by the EU on the Regulatory Technical Standards (RTS) being implemented for PSD2 in the UK and other EU countries going into effect in September 2019. The RTS are the combined work of hundreds of experts and have been subject to extensive review and revision after consultation with numerous banks and other market participants.
The RTS include strong customer authentication, and common and secure open standards of communication. These are designed to ensure security and safety of electronic payments and establish strict anti-fraud measures. They also require payment services providers to follow a specific process when verifying a customer’s identity.
Privacy, Consent and Confidentiality
The concepts of privacy, consent and confidentiality are critical to the discussion of Open Banking. An important characteristic of Open Banking is that data sharing is entirely elective and can only be done with the informed consent of the customer, and all parties must comply with their obligations under governing privacy legislation.
The relationship between data and privacy is important and nuanced. As the Australian Productivity Commission in their extensive report on ‘Data Availability and Use’ in 2017 observed, viewing consumer data sharing only in the context of protecting privacy “encourages data to continue to be viewed as a risk rather than an asset”.  The Commission advocated finding ways to actively build trust in data use and sharing.
In Canada, the regulator of privacy is the Office of the Privacy Commissioner. The Office oversees compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private-sector privacy law. PIPEDA sets out the ground rules and principles for how businesses must handle personal information in the course of commercial activity. Canadians already have strong protection rights for their data and Open Banking does not change or undermine these protections.
It is imperative that Canadians have a high degree of confidence if they are to entrust their data into the Open Banking system. In the UK and EU, the General Data Privacy Regulation, introduced in May 2018, now sits alongside the second Payments Services Directive and together they offer a joined-up approach to data privacy and data sharing. Legislative amendments to PIPEDA that reflect the principles of the EU regulation, which are in discussion, would similarly add to a sound privacy backdrop to Open Banking in Canada.
A specific implication that Open Banking raises is the concept of data portability or data sharing which is not currently included in PIPEDA. An important step early on in the discussion of Open Banking would be to determine what federal and provincial legislation may need to be modified to accommodate the concepts that underpin Open Banking. Another would be to develop a communications plan to ensure that Canadians are aware of their rights and responsibilities when sharing their financial data under an Open Banking system to build the core of trust necessary to ensure success. This effort could be government-led, should be broad based and must include key consumer groups.
In Canada, ‘meaningful consent’ is an essential element of private sector privacy legislation. Organizations are required to obtain meaningful consent for the collection, use and disclosure of personal information. The Office of the Privacy Commissioner had observed that lengthy, legalistic privacy policies were increasingly eroding the control and personal autonomy that should be enabled by consent.
These principles should provide a good starting point in the journey to assure Canadians that they control the data they are sharing and know how it will be shared and used in an Open Banking framework.
Confidentiality is closely related to privacy but is not dependent on the nature of the information and with whom it is shared. Confidentiality refers to the duty that collectors of identifiable information about individuals or businesses have to keep the data ‘in confidence’, that is to restrict it from disclosure to unauthorised individuals, organizations or processes.
The duty of confidentiality is unaffected by Open Banking and all market participants will need be authorised to participate, as indicated in the following section.
Consumer Protection Issues: Accreditation, Liability Model and Suitability
A safe and secure Open Banking system requires participants to be subject to regulatory supervision and to be accredited into the system.
In the UK for example, the Financial Conduct Authority (FCA) is the regulator of participants in Open Banking. If not already registered by the FCA, a participant needs to become registered as an Account Information Services or Payment Initiation Service provider (or both). Due diligence in the registration process involves checking and verifying the directors and managers, and obtaining detailed evidence that the business conforms to appropriate data privacy and security standards. Participants are required to hold professional indemnity insurance.
Once a participant has obtained FCA approval, the participant is enrolled in a directory of all registered service providers which is maintained by the OBIE. A bank will comply with a customer’s request to transfer their data to a third party only if that party is enrolled in the Directory.
Australia has similar plans to accredit participants in Open Banking and regulators will establish a set of standards, including those for security, with which data holders and data recipients must comply. Australia contemplates a tiered accreditation system, based on the risk of the data set and the participant.
Canada will need to have a system to regulate and accredit participants in Open Banking. Discussion will be needed to determine which regulator is best placed to perform this role. However, federal oversight would strongly be encouraged to minimize multi-jurisdictional inefficiency.
Open Banking can only function properly if there if there is a procedure agreed amongst the participants to make a consumer whole if, through no fault of their own, the consumer suffers loss.
The FDATA association recommends that discussion regarding the liability model takes place early in the process of implementing Open Banking. FDATA has outlined the issues that need to be addressed to produce an appropriate liability model for any new market implementing Open Banking. From the work they have done in the UK and observed elsewhere, they recommend scenario planning as the best approach to resolving how to handle the issues.
Scenarios that need to be contemplated include circumstances where the wrong data is transferred by a data holder or the data transferred is incorrect; a data breach occurs during the transfer of data; a data recipient fails to adequately protect data they receive; a data recipient uses the data they receive inappropriately; or a data recipient fails to satisfy accreditation requirements. The liability of how the data is treated ‘at rest’ and ‘in transit’ must also be separately and carefully considered.
The liability model must establish the means to confirm with certainty both that the customer has given clear and informed consent, and the identity of the provider connecting on behalf on the customer.
In Australia, the Farrell Review recommended a liability model that is comprehensive and principles- based “underpinned by the premise that data-related liability should be allocated to participants for their own conduct, but not the conduct of other participants in the system”.
Transparency and Suitability
Open Banking involves not only customer data but also opening up bank product and service information under the principle of ‘open access to open data’.
Opening up this data can greatly improve the transparency in banking and facilitate comparisons across products, presenting complete and accurate information in a manner that is easily understood. In the UK, the OBIE has produced an ‘Open Data API Specification’ for just this purpose, prescribing the sets of field values that need to be used not only for core products but also for more detailed aspects such as start-up and switch costs, introductory offers, and the eligibility criteria for products.
The transparency that Open Banking enables can address issues related to the suitability of products and services for individual consumers. Open Banking gives customers the ability to share their data with service providers that can help them better assess their needs and financial goals. With clear and comparable information on terms, fees, conditions and penalties made available by Open Banking, consumers will be better served and less vulnerable to sales practices that may not put customers’ needs first.
Financial Stability and Prudential Issues
Open Banking, allowing bank customers to privately and securely share data about their transactions electronically, does not pose any inherent risk to financial stability.
The Financial Stability Board, the European Banking Authority and the Bank of Canada in staff discussion papers have observed that where Open Banking and financial stability might be connected is in a situation where non-bank FinTech companies grow to become dominant to banks in deposits or lending.
However, while the FinTech sector may be fast growing in Canada, it is still tiny in comparison to the traditional banking sector and as such could not have a material effect in the near term. As an example, non-bank lenders provided credit to small business of $500 million against the $225 billion from banks. 
The logical approach for Canadian regulators is to continue to monitor developments in the sector, and to liaise with international colleagues on approaches developing in markets where both Open Banking and the FinTech sector are more mature.
Prudential regulation has as its objectives the safety of individual institutions and the stability of the financial system as a whole. As noted previously, Open Banking does not inherently pose risk to the stability of the financial system. Nor is it obvious that Open Banking poses any inherent risk to the soundness of individual Canadian banks.
Open Banking may in fact play a role in making individual banks and the financial system as a whole considerably more efficient. And to the extent that FinTech companies are able to grow to a meaningful component of the financial system, the financial system may become both more resilient and diverse.
Section Four: Role of the Federal Government and Implementation Considerations
Portag3 believes that government should play a central role in all phases of Open Banking. Assuming that the Advisory Committee recommends that Canada should proceed with an Open Banking framework, the government should set an ambitious timeline and immediately begin developing the details of implementation.
Portag3 supports an implementation path that proceeds directly to allowing customers to share data with their consent, rather than a first phase with only a product data set to facilitate product comparisons. Portag3 supports including a broad set of transactional data from the start.
Portag3 also supports payments initiation (as outlined in Section One) to be included from the start.
Over time, Open Banking should move more broadly into other areas of financial services. Portag3 supports a thoughtful and practical approach to the further roll-out of Open Banking beyond retail bank products.
Portag3 concludes this section with some other ideas that might help prime Open Banking in Canada observed from other jurisdictions.
Government Must Play a Central Role
There are a dozen country markets that are at some stage on the journey towards Open Banking, from exploring to in development to implementing. These include the UK, India, Australia, Hong Kong, New Zealand, Mexico, Singapore, Malaysia, Japan, and Rwanda. As well, the 28 EU member states are implementing the Regulatory Technical Standards of the second Payments Services Directive mandated for September 2019, that will formalize data sharing with third parties.
In every country, government has been actively involved in some capacity. There is no country where there has been a pure ‘market-driven’ approach. All of these countries also faced the issue of needing to provide regulatory clarity for the emerging FinTech sector.
Also noted in the Introduction, there is no ‘US model’ for Open Banking. There is, however, considerable and valuable work from two markets with very similar banking sector structures, the UK and Australia, which should be used as the basis for the approach in Canada.
In Canada, the federal government should play a central role in all phases of Open Banking, and Finance Canada should lead. Open Banking needs to be developed within a legislative and regulatory framework that supports: efficiency, in the form of competitively priced products and services while accommodating innovation and contributing to economic growth; utility, in meeting the needs and protecting the interests of consumers; and stability, and the safety, soundness and resilience of the system. Finance Canada is well placed to accomplish this.
Initially, Finance Canada should act as the facilitator and convener of the conversation around Open Banking, as it is doing with this Consultation.
Assuming that the Advisory Committee recommends that Canada should proceed with an Open Banking framework, Finance Canada should shift to the role of coordinating the implementation path and timetable.
Issues that are of particular importance in the implementation discussion include the scope of implementation of Open Banking and the universe of market participants to which it would apply.
Scope: In the initial implementation in the UK, the CMA moved in two phases. They first mandated the CMA9 banks to open up public information relating to products and services and provide the data in standard formats to facilitate comparison in July 2017, before proceeding to customer data-sharing in January 2018. Australia is foregoing this first step having concluded that the UK approach of phasing did not provide much benefit to the market. Canada should move directly to customer data-sharing, requiring concurrent opening up of product and service data.
Types of Data: In the UK, the initial implementation was limited to personal and business current accounts, and will be extended to a broader group of retail accounts such as credit cards and e- wallets in 2019.
The Australian implementation plans a broader initial scope including all deposit and lending products - bank accounts, retirement and foreign currency accounts and all loans, lines of credit and credit cards. Mortgages will be added six months later, and all remaining products will be added twelve months from first implementation.
Universe of Participants: A broad universe of larger and smaller banks should be included in the discussions and participate in a Canadian Open Banking ecosystem. As will be the case in Australia, the timeline for the initial implementation may be phased to give smaller banks another year to implement.
Universe of Types of Customers: The universe of types of customers, retail, small business and corporate needs also to be decided. In Australia, for example, the determination by the Farrell Review was to not limit accounts by size: all customers are included by the first implementation.
Ideas for Implementation
Convene the Ecosystem:
Finance Canada should actively convene and engage with what should be the ecosystem for Open Banking, using as a guide the diverse group of stakeholders convened in the original UK Open Banking Working Group. This included large and smaller banks, standards bodies, policy makers and regulators, trade associations and institutes, and large financial technology companies and service providers and FinTech start-ups.
Accelerate the Timeline with Knowledge Sharing with Other Jurisdictions:
Assuming that the Advisory Committee recommends that Canada should proceed with an Open Banking framework, Finance Canada should make every effort to speed the timeline. Some sort of formal knowledge-sharing process should be established early on to seek out what can be learned from the work done in other jurisdictions, such as the OBIE in the UK, and the European Banking Authority in the EU, and the Data Standards Body in Australia.
Australia’s ambitious implementation timetable is possible because they are using the UK and EU standards as a starting point. The Farrell Review laid out the steps to implementation to set the timetable, which include amending existing laws and regulations, determining the roles of regulators and agencies, settling and promulgating rules, establishing and setting the criteria accreditation framework, establishing a data standards body and setting standards, and technology building and testing by participants in Open Banking.
Actions that helped prime Open Banking in other markets:
One example comes from Singapore, where in March 2016, the regulator the Monetary Authority of Singapore and the Association of Banks of Singapore held what they described as “the first conference by a Central Bank to catalyse API adoption in the financial sector” The two-day conference invited 140 key decision-makers across business, operations, technology, compliance and information security. It featured a line-up of speakers from around the globe. Content included companies reviewing their corporate API strategies, their experiences with API implementation, the future of APIs, and insights on information security and data governance in relation to API adoption.
Another example comes from the UK, which helped promote developing FinTech applications specifically with Open Banking APIs in mind in advance of the launch of Open Banking.
‘The Open Up Challenge’ prize fund was backed by the CMA and funded by the CMA9 banks by mandate, and managed independently by Nesta, an innovation foundation. The initiative was a global search for organisations seeking to use new Open Banking APIs to submit entries for products and services to help small businesses “to save time and money, find better services, reduce stress and discover the intelligence in their financial data”.
The prize fund awarded £4.5 million in equity-free funding to 25 established and early stage FinTech companies selected by an independent judging panel. They were given exclusive access to the ‘Open Up Data Sandbox’, one of the largest anonymized UK banking transaction datasets ever made available for open innovation. The participants also had access expert support from leading practitioners covering legal and regulatory considerations, user experience and investment readiness.
In 2019, there will be another round of the ‘Open Up Challenge’ aimed at consumer applications for Open Banking.
We welcome the opportunity to discuss this response with you and thank you for the opportunity to provide comments. We would be pleased to work with the Department as we recognize the need to lay the important groundwork for Open Banking in Canada.
Chief Executive Officer
Portag3 Ventures LP