THE STANDING SENATE COMMITTEE ON BANKING, TRADE AND COMMERCE
OTTAWA, Thursday, February 28, 2019
The Standing Senate Committee on Banking, Trade and Commerce met this day at 10:30 a.m. to examine and report on the potential benefits and challenges of open banking for Canadian financial services consumers, with specific focus on the federal government’s regulatory role.
Senator Carolyn Stewart Olsen (Deputy Chair) in the chair.
The Deputy Chair: Good morning, and welcome colleagues and members of the general public who are following today’s proceedings of the Standing Senate Committee on Banking, Trade and Commerce either here in the room or listening via the web. My name is Carolyn Stewart Olsen. I’m deputy chair of this committee filling in for Senator Doug Black, the chair, who is regrettably unable to be here today. At this moment, I’d like to introduce the other members of our committee.
Senator Klyne: Good morning. Marty Klyne, Saskatchewan.
Senator C. Deacon: Colin Deacon, Nova Scotia.
Senator Verner: Josée Verner from Quebec.
Senator Duncan: Pat Duncan from the Yukon.
Senator Dagenais: Jean-Guy Dagenais from Quebec.
Senator Wetston: Howard Wetston from Ontario.
Senator Marshall: Elizabeth Marshall, Newfoundland and Labrador.
Senator Wallin: Pamela Wallin, Saskatchewan.
The Deputy Chair: Thank you all for that. Today marks our fourth meeting on our study of the potential benefits and challenges of open banking for Canadian financial services consumers, with our specific focus on the federal government’s regulatory role.
I’m very pleased to welcome our witness from the U.K. Open Banking Implementation Entity, or OBIE for short, Mr. Imran Gulamhuseinwala, Implementation Trustee.
Mr. Gulamhuseinwala, thank you for being with us today. I understand you’ve kindly agreed to have us refer to you by your first name Imran for ease and flow of interactions. I greatly appreciate that.
Imran, would you please proceed with your opening remarks after which we will go to a question and answer session. Your words are being simultaneously interpreted over this teleconference. After your presentation, we will continue on for questions and answers from the members of our committee. Please go ahead.
Imran Gulamhuseinwala, Implementation Trustee, (UK) Open Banking Implementation Entity (OBIE): Many thanks. I will start by apologizing, which I know you are not supposed to do, but unfortunately only a few hours ago I began to lose my voice, but I will persevere with this and hopefully it is not too inconvenient.
I will start by saying it’s a real honour to be here virtually rather than in person. I’m sorry I can’t be there in person with you. It was only a few months ago I was in Canada visiting in Montreal to talk about open banking, and I intend to be in Canada once again towards the end of March to present at a university on open banking. So I do care passionately about open banking in a broader international context. Anything I can do to be helpful at all to the journey you’re on in Canada, I’d be delighted to do so.
I would like to spend the few minutes that you have given me, by way of opening remarks, to refer to a few elements within open banking that I think are most pertinent, given where you are in your journey.
I’d like to explain what I perceive open banking to be. I’d like to spend a couple of minutes talking about the why we do open banking the way we’re doing here in the U.K. I’d like to spend a minute or so on how — I promise not to get too technical — and a bit of time on where we’re at. If you’re interested, I can go into lessons learned, but that may be best within Q and A.
Starting with the “what,” there are many different definitions of open banking not just internationally but also here in the U.K. I think it’s helpful if you hear it from my perspective, and the context behind it is that as implementation trustee I am responsible for delivering open banking here in the U.K. So my definition of open banking is it is a secure technology that allows a consumer or small business to safely share their transaction data with authorized third parties. Should they want to instruct those third parties to execute a payment from their bank on their behalf, they’re able to do so.
Now, I think that’s a factually correct definition, but to most consumers and small businesses it’s still gobbledygook. But I do want to say that, frankly, any consumer who has ever stepped out of an Uber or used Amazon 1-Click or has aggregated accounts from different bank providers is already using a form of open banking. But the form of open banking we’re creating here will be much more secure and much more designed around the customer’s interests.
The other thing I would say about open banking is that open banking is only an enabling technology. It relies on other parties, banks, fintechs and so on to build propositions on top of open banking. In that regard, it’s very similar to the Internet. When consumers and small businesses use the Internet, they’re not consuming the Internet per se; they’re consuming those services and propositions that exist on top of the Internet. Open banking is a similar way or the rails that allow consumers to do this.
So if that is the “what,” and it’s helpful to baseline on definitions, it would be worth spending a little time on the “why.”
The “why,” for me, falls into two discrete buckets. The first bucket is very much around consumer rights.
So the journey that I think we’ve all been on globally over the last 20 years is one of a recognition that data has real value. I remember it wasn’t that long ago when The Economist on the front page showed a picture of an oil well with data coming out of the top of it, referring to data as a new asset class. People, consumers and small businesses now recognize that data has real value. Fundamentally, the data that the financial institution holds on the customer belongs to the customer and not to the financial institution.
So in open banking, what we’re doing is giving control and ownership of the customer’s data back to the customer. We’re doing it in as safe and secure a way as we can possibly manage. The impact of this is that it will effectively rebalance the power between the customer and the financial institution and give the customer many more opportunities to find better services, better propositions. Critically, if they don’t want to do that, and they don’t want to touch their data, they absolutely should also be able to do that too.
So that’s one factor, the consumer’s right to their own data. The other factor as to why the U.K. government, in particular, has put so much time and effort and political capital into delivering open banking is because, in some respects, the U.K. financial services landscape is broken.
This may be entirely different in Canada. I’m not an expert at all on the Canadian financial services markets, but the kinds of problems that we have here in the U.K. are material. While they are not directly solved by open banking, open banking can be an enabler to solving some of these problems.
To give you an indication of the kinds of things I’m talking about, in the U.K. we have circa one and a half million people that are unbanked. Open banking can help support them and bring them into the financial services ecosystem.
We have over 4 million people in the U.K. that can’t get access to credit. Open banking can help those with thin credit files. We have several million people that are paying too much for overdrafts.
Open banking can help them by unbundling the overdraft from the current accounts. We have several million people who get a bad deal on savings. The Bank of England only recently suggested that as much as a billion pounds a year is underpaid to savers because of low rates. In some regard, we have almost as many as 12 million people on the wrong financial services products, the wrong mortgage and credit card and so on.
The other important element is we have circa 4 million people here on debt repayment plans. Debt repayment plans are a particularly stressful and problematic way that consumers have found themselves in. Open banking can help support them by turning dumb debt repayment plans into smart repayment plans.
I am particularly excited that some of the early fintechs — and they are clearly not fintechs — in the open banking ecosystem in the U.K. include the Money Advice Service and charities, such as The Big Issue which helps homeless people.
That’s just on the consumer side. On the small business side, there is a huge amount that open banking can do to help support those companies.
Many of these small businesses struggle to get credit from entities other than their banks. Using open banking, they can get access to many more credit providers.
Those same businesses struggle enormously with cash flow predictions. Again, open banking can support them. Of course, open banking can help support their administrative activities such as accounting and tax returns.
So there are a large number of issues that exist among U.K. consumers and small businesses. While open banking doesn’t per se fix these particular issues, it is that enabling technology that allows third parties and banks themselves in order to provide solutions to some of these problems.
That is my point on “why.” I will move on to the “how” with delivering open banking. What we’ve created in the U.K. is a single API. If I need to explain what an API is, I will do that, but suffice to say that an API is an electronic communication protocol used throughout the online landscape. Effectively, it’s the way that Google Maps get plugged into things like Uber.
We have created a single API that connects 90 per cent of the U.K. consumer market and U.K. small business market covering transfer of data on current accounts, credit cards, eWallets and prepaid wallets. That’s the technical synopsis of what we’re building.
It is absolutely crucial to mention some of the things we’ve done to embed security and control right at the very core of the architecture we’re building here in the U.K. If I may, I would like to take you through six of those specific functions.
The first one is that open banking in the U.K. is an opt-in activity. It is not an opt out. If consumers and small businesses do not want to use open banking, they do not have to use open banking.
The second point is that in using open banking in the U.K., no customer or small business will ever have to share their user name and password with any entity other than their bank or financial institution. That’s actually critical. Because the way that old-fashioned versions of open banking work at the moment is using something called screen scraping. Screen scraping involves a customer giving their user name and passwords to a third party who then impersonates them over the Internet, opens up their accounts and then scrapes the information from those screens and delivers it back to the customer.
Typically, this has worked very well in the past. However, it’s clearly a risk and a vulnerability if we have consumers sharing user names and passwords with third parties.
The third point in our architecture is that we have built it around explicit consent. That means that information only flows and is shared if the customer has given their explicit consent. That does not mean 32 pages of terms and conditions. It means one mobile phone screen that explicitly determines what information should be shared, for how long and for what purpose. That information cannot be used for activities other than that explicit purpose.
The fourth point is that it is very easy for customers to revoke permission. From our perspective, it needs to be as easy for customers to revoke permission as to give permission. We also create a dashboard that looks familiar to anyone who may, for example on their iPhone, be sharing their location data with third-party apps. You can see a list of all those apps that you have shared your information with, and in one central place you can stop sharing that information should you want to.
The fifth point is that we only allow authorized third parties to participate in the open banking ecosystem. It is impossible for an unauthorized third party to get access to that ecosystem. In order to become authorized, a third party has to be authorized and then supervised and regulated by the Financial Conduct Authority. They go through a rigorous process in order to get to that point.
My final point is that if and unfortunately when customer detriment happens, and that could happen, for example, because payments are mislaid, wrong data is sent or wrong advice given on the back of erroneous data, the customer should have a mechanism by which they can make them compliant. So we have created a dispute management system that sits across the entire ecosystem that takes care of customers should those things happen.
Of course, if they’re still not satisfied, once that has happened, they can go to the Financial Ombudsman Service and on to the court should they so wish.
Forgive me for spending a little bit of time on those elements of how. I think it’s important to recognize how much time and effort, at the very beginning, we went to in order to make sure that customers are taken care of and their control, security and interests are at the very heart of what we’re doing here.
The final point, I promise, by way of my opening remarks is to give you an indication of where we are.
We are halfway through the process. There is a lot of work required to bring an industry with you and open up an entirely new channel for sharing data and executing payments. A large part of what we do is the implementation of that effort. We are about to launch release three of four releases. That will conclude in September 2019. To date, we have approximately 200 third parties now in our ecosystem, all beginning to build propositions that address some of those detriments that I referred to earlier on.
What excites me is already in the market we are beginning to see interesting propositions around the personal financial management space, which is helping and enabling customers to manage their finances in a less stressful way.
We’re also beginning to see applications that allow those customers, for example, renters, who have not got credit files to be able to access credit. We’re seeing onboarding of customers to new financial products, particularly mortgages, being significantly improved with the removal of friction. We’re seeing top-up propositions that enable customers to engage with their savings and save on a regular basis. We’re seeing cash flow forecasting for small businesses.
Most importantly, we’re on a journey whereby we’re providing an alternative to screen scraping and an alternative to something called card on file, which are two of the biggest risks that occur currently within the financial services space.
I would say a couple of other things, which is that I’m excited as well to see that the banks themselves are beginning to compete and innovate in this space. Of the nine largest banks that fall under my jurisdiction, almost all of them are now building aggregator propositions which they are delivering to their own customers and thereby delivering great innovation, greater choice and greater competition without customers having to switch accounts.
I’m also excited and encouraged by the fact that we have non-financial services players coming into the ecosystem. By that I’m not talking about Apple, Facebook, and Google, but about large, blue-chip businesses such as telcos, OEMs, insurance companies and credit agencies, all of whom their primary business is not financial services, but by accessing, with the customers’ explicit consent the customer data, they can give better services and solutions in their own core industries.
I recognize that I have covered a lot of ground there. Thank you for giving me the time to explain what I think open banking is, why we’re doing it, why the customers’ interests are essential to what we’re doing, how we’re going about it and building security and control right into the architecture and to give you an indication of where we are. We’re still only halfway through, but the signs are encouraging.
Senator Klyne: Thank you for a brilliant overlay for us. It’s greatly appreciated.
First question: Throughout our study, much of the interest has gravitated around privacy and data breaches, generally speaking, but I would like to hear from you specifically about how the client is approached to obtain consent to opt in. I’m asking if you can outline how these third party providers obtain the consent to access the client’s data from their account, to opt out or revoke. I heard from you they can revoke later on or opt out. Is it a retroactive thing and their data that has already been shared with providers is brought back or does it remain with the third party providers?
Mr. Gulamhuseinwala: I will do my best to answer that question, senator.
Now, I think there is an important point which I may not have explained properly. The consent that a customer gives when they opt in, is not universal. It is not that a customer says: I’m now in open banking and any authorized third party can access my data. The way it works is that consent is given to a specific third party for a specific purpose.
When that customer wishes to revoke their consent, it is to that specific third party for that specific purpose. So the way it might work, senator, you engage with a personal financial app, and it says, if you share your data with me for the purposes of showing you how much you spend on coffee — I just made that up as a theoretical example — then you would give your explicit consent to that app to access your data purely for the purposes of showing you how much you spend on coffee.
Now you may not think that’s a very attractive proposition, and it isn’t, but I’m using it to make the point that further down the line, if you decide you want to revoke that consent, it isn’t to all the other propositions out there and all the other fintechs, it is to that specific one.
So the dashboards that you would see if you were here in the U.K. — and let’s say that you banked with Barclays — would show you all the fintechs and banks and other companies that you shared your information with and there you could say I no longer want to share my information with them and you could do it on an individual basis.
What we’re trying to do is give the customer complete control, not only of who receives their information, what purpose they receive it for, but also the ability to stop providing it from that point on.
You mentioned a very important point which is that if I have given my information to a third party, and I no longer want to share further information with them, can I suck it back? You can, but that doesn’t exist within the open banking ecosystem. In the U.K. in particular, in Europe we have GDPR and within there is a right to be forgotten, so you can also instruct that third party that they need to delete all the information connected with you.
In Canada, you’re starting from a blank piece of paper. If I were in your shoes, I would make that a seamless piece of functionality. In Europe and the U.K., we have to jump between two different pieces of legislation. It’s not great for a customer, but the fundamental desire you expressed to be able to get all your information back, that exists.
Senator Klyne: Thank you very much for that. How do these third party providers monetize this? They’re not doing it for the goodwill, but is it the banks or the customers that are paying the fee for this?
Mr. Gulamhuseinwala: We are not prescriptive as to how the third parties monetize this. What we’re trying to do, a little bit like the Internet, is create the enabling technology, and then the third parties can create their own business models on top of it. Let me give you an example of one business model that I think is easy to understand.
If you’re a small business, typically in the U.K. you go to your bank if you want a loan and you request that your bank typically provide a loan two weeks before you the business. Small businesses always leave it far too late. What you can do with open banking is go to a third party broker, and that broker will ask you some questions, but a lot less than they would otherwise usually, because you would give them access to your transaction data. When they look at the transaction data, they can do some of the underwriting, application filling in for you and they can actually find the best deal in the market for you.
The first live proposition and the first live activity that we had in the U.K., which was in summertime of last year, was a hairdresser in Kent who managed to secure a $20,000-pound loan in under one and a half hours, typically a process that would have taken two weeks.
Your question is how is that monetized? It is monetized the same way that any credit brokering or loan providing business would monetize. The banks are not able to monetize this using the process we have in the U.K. We’ve taken a view here — and it comes from European legislation called the Payment Services Directive — that the data belongs to the customer, and if the bank wants to provide a current account to the customer in much the same way they have, they have to provide the customer with an online banking interface. They also have to provide APIs to allow their customer to share data with third parties. Because it is the customer’s data, it would be unfair of the bank to charge the third party for sharing the data with them. That’s the logic that sits behind it.
We’re two and a half years into this and I recognize personally that while that, in principle, is a very smart way of doing it, practically, we need to create something that is for the banks as well. The kinds of things we are developing — and this is stuff for the future — are what we call “premium APIs,” which sit outside but on top of the same infrastructure. That allows banks to offer to the market, again with the customer’s explicit consent, value-added bits of data for which they can charge, but we are not there yet.
Senator C. Deacon: Is it Mr. Gulamhuseinwala? Did I get that right?
Mr. Gulamhuseinwala: Imran is absolutely fine.
Senator C. Deacon: So clearly not. Anyway, thank you for an exceptional presentation. There are two things I want to dig a bit more into. One is in creating the API, this is a tool primarily used by private sector groups and would be developed cooperatively between private sector groups. The extent to which the government has been involved in this process, and it’s been led by government or executed by public servants, can you speak a little about that process, please?
Mr. Gulamhuseinwala: There is very little public sector resource either being consumed in designing or implementing this. The public sector input has been to create a legal mechanic that creates a requirement on the banks to build a single API to deliver open banking. The way that we have decided to do that is the Competition and Markets Authority created an act of Parliament that required the banks to do it. It’s my firm view the banks wouldn’t have done this voluntarily. They did need a catalyst that would make it a function to comply with. The critical thing that we did here in the U.K., which is very different from Europe, is that we recognized that implementation is the hard bit. Designing the standard, though complicated, is actually the easy bit. So we also decided that the banks had to fund an implementation entity, and that is the entity that I run, and I run it as a chief exec, but it is a special-purpose vehicle, not for profit. It will be disbanded once the business of implementing the open banking standards has concluded.
Senator C. Deacon: So you have been a facilitator versus a doer. The government mandated and you have been facilitating this process.
Mr. Gulamhuseinwala: It really is a combination of the two, because when you build something like this, there is a lot of central infrastructure that needs creating. I would argue that’s the doing it. Then the banks need a lot of, if I say politely, help in implementing this, and that would be the facilitating. But the reason it worked is I have significant powers delegated to me by the Competition and Markets Authority.
Senator Wallin: Thank you. I too am interested in the structure. You are the implementation trustee of OBIE. Who is your boss? Who do you work for?
Mr. Gulamhuseinwala: I work for the Competition and Markets Authority.
Senator Wallin: What is that exactly?
Mr. Gulamhuseinwala: When the Competition and Markets Authority typically investigate a sector and decide that they want that sector to implement remedies, they will typically create an order, which is an act of parliament that ensures that these remedies are undertaken. Then they will typically appoint a trustee to ensure the remedies are undertaken to the satisfaction of the trustee. This is a highly unusual situation in the sense that there is a significant implementation requirement. Typically, when the CMA get involved they are asking two merger partners to spin off XYZ or asking for fees to be dropped, recompense to be made.
Here, we needed a two-year build operation, so they said: Well, we have a concept of trustees. Why don’t we make this trustee an implementation trustee? But, effectively I act as the CEO of this entity. I have about 200 people working for me, technologists in the main designing and implementing standards. Each of the banks have their own implementation teams, and it’s my job to coordinate and cajole the banks to get this all done at the same time.
Senator Wallin: Thank you. A second question, and you may have answered this and I missed it: Do you have or do you recommend the force of law behind personal ownership rights?
Mr. Gulamhuseinwala: I don’t think I made that comment specifically. I think the comment I made is that I do believe that you need a very strong regulatory mandate in order to get banks to do this. I do not think they will do it voluntarily. I do also believe that in order for this to work you need a liability — that supports the principle of consumer rights and ownership of their own data.
Senator Dagenais: The Canadian banking system is different from yours, of course. In Canada, banks like to live well. For example, if you close an account at one institution, they already have your contact information, so they send you a bill for $100 through the other institution, just for closing your account.
Who oversees your companies in the United Kingdom? Have you received complaints from customers?
Mr. Gulamhuseinwala: Thank you very much. I’m not sure that the U.K. financial services sector is really that different from the Canadian one, based on the description that you gave. What I would say is that the very reason that the Competition and Markets Authority got involved is that they undertook a two-year investigation into bank behaviour and they specifically found that, number one, consumers were paying way too much for overdrafts; number two, consumers were not getting paid enough interest on their savings; and number three, consumers were not engaging sufficiently with their financial services, in particular, their current accounts.
In the past when we have looked at this and tried to fix it, we looked at things like capping fees, and whilst attractive, it never really works in the long run. We have also looked at things such as trying to persuade customers to switch accounts, and they don’t switch accounts. Financial services is one of the sectors that benefits from the economics of incumbency, so this is a different way of trying to tackle that problem. Rather than trying to get a customer to switch their accounts, why don’t you actually enable those other businesses that want to give customers what they want and, by using their transaction data, can make it easy and convenient for them whilst also being safe and secure?
So far we haven’t had any complaints from open banking, but it is very early days. We have not yet got significant customer volumes using open banking. I think that will change over the course of 2019, but it’s still too early to say we have a lot of complaints on this.
Senator Dagenais: What are the differences between the banking systems in Canada and the United Kingdom? Do we need those services as much in Canada as in your country?
Mr. Gulamhuseinwala: I’m sorry, could you repeat the last part of the question?
Senator Dagenais: I understand that it works in the United Kingdom, but do we really need the service in Canada? For example, I know they do not have it in the United States. Why should we start the service here in Canada?
Mr. Gulamhuseinwala: I really am not qualified to talk about the financial services sector in Canada. One of the things I will say, though, is when I’ve travelled around the world I have noticed that open banking is happening. Open banking is happening because customers are sharing their data. Whether you like it or not, customers are engaging with screen scraping. Customers are putting cards on file. Customers are engaging with things like continuous payment authorities. And the fact of the matter is that that is typically an unregulated activity and it has associated risk with it.
My fear as to what’s happening in the United States is that because the regulators are not catching up with consumer behaviour they are creating a market that is very fragmented, unregulated and is not a level playing field for competitors.
What I’m excited about is the U.K. is getting just a little ahead of that trend so that we can create something that is good for customers rather than letting corporates create something that is in their interests. I think it’s for you to decide where Canada sits on that spectrum.
The Deputy Chair: Thank you, sir.
Senator Marshall: Thank you for an excellent presentation.
Now, I understand your organization, OBIE, is an agent of government or was created by the government? I want to get a handle on your structure. You were created by the government through an act?
Mr. Gulamhuseinwala: The Competition and Markets Authority instructed the banks to write and create an open banking standard. They told the banks that in order to do that they should set up and fund the Open Banking Implementation Entity. But they recognized it should be independent of the banks. They recognized therefore that the banks were not allowed to sit on the board, they weren’t allowed to be the shareholders, and they were not allowed to put their people seconded into the entity to run it.
Senator Marshall: That was my next question. Who is on your board?
Mr. Gulamhuseinwala: Because we are a special purpose vehicle there are only two board members. It is I and my finance director.
Senator Marshall: And who do you report to?
Mr. Gulamhuseinwala: I am employed by Open Banking Limited. I have a contract with the nine banks that fall under my jurisdiction, and that’s a two-way contract that defines what they need to do for me and I need to do for them. But that contract was approved by the Competition and Markets Authority.
Senator Marshall: I think I understand what your mandate is. How big is your organization? How many people do you have in your organization and can you give us some idea as to the size of your budget?
Mr. Gulamhuseinwala: I can certainly give you an indication of how many people are in the organization. At the moment I believe there are 187 people working here. We have had between that number and 100 for the past two and a half years.
Senator Marshall: Who is paying? Who finances you? Where do you get your money to operate?
Mr. Gulamhuseinwala: When the banks were instructed to fulfill the requirements of the order, one of their requirements is that OBIE is fully resourced. So they pay for it; the banks pay for it.
Senator Wetston: Thank you very much for your testimony today. We have had a number of witnesses who appeared before us to date to talk about open banking. It’s being driven somewhat differently. Have you had an opportunity to read the Department of Finance report on open banking in Canada? Have you had a chance to look at that?
Mr. Gulamhuseinwala: I’m afraid I have not.
Senator Wetston: I just refer it to you for your information. It may not be of much value to you, but it’s called A Review into the Merits of Open Banking. We’ve had some comment here about that. I’m not going to pursue with you the differences between the U.K. and Canada in various aspects of regulation, financial services, banking or competition law. And you have referred to the role of the Competition and Markets Authority. Then I understand the background of how you got there so that’s my preamble.
What’s the nature of the standards that have been put in place? You have been operating for a couple of years now. Who developed the standards? What is the nature of the standards? We invariably talk about privacy and issues of that sort, but can you elaborate on what you have in place and also what you need to do? I recognize that ultimately it’s protection of consumers that will be at the heart of making this model work.
Mr. Gulamhuseinwala: The nature of the standards is in the main technical. So we have defined API standards, which are effectively data models that allow banks to characterize a customer’s transaction data at a fairly granular level and allow customers to share information. That’s the easy bit.
You probably only need a team of around 10 people to make that happen. What we realized you really need to do to make this work is to have a security protocol and a trust framework that sits underneath it. That is the really smart stuff. In order to make that work, you need to make sure that all of the parties in the ecosystem are who they say they are. So we created a white list. That white list, which is very easy to say, probably took the best part of 40 people a year and a half to build. That makes sure that only those entities that are authorized entities get the cryptographic certificates that mean they can actually participate in the ecosystem.
Now that is an asset we had to build. We have standards and we have assets. That probably represents half of the organization that I run. The other half falls into two discrete pieces. One is a monitoring function and there I have people who ensure that the banks do produce high quality open banking APIs. You have to remember that a third party business who then relies on a bank API needs to have good quality. The information coming through needs to be right. So we also monitor them. We have a team that does the monitoring there.
The other piece we do is we have a decent sized team that does policy. That policy team does customer research to make sure they are doing things that are in the customers’ interests. They are trying to make sure that the functionality does address some of the detriments that we identified at the outset. And I’ll be frank: sometimes I need those policy people to go head to head with the banks because they frequently have highly paid lawyers whom they will bring to the party to slow things down to stop certain things happening.
Even though it sounds like quite a lot of people, we do actually need all these people to move on what is actually a very challenging timeline.
There are two comments I would go on to make. One is that there was no playbook for us to work from. We have had to do this from scratch. As my colleagues at the CMA sometimes say, it is the pioneers that take the arrows. Maybe an easier way of saying it is if you did it again, you could do it in half the time and half the cost. There is some truth in that.
There is also some truth in the fact that assets that were created are deployable for other sectors and other geographies. One of the things people need to think about is, are you in the business of reinventing the wheel, or do you want to do it in a similar way again and again?
One of the conversations we are having in the U.K. is now that we are getting close to the end of the beginning of the implementation of open banking, what should we be thinking about other sectors? For example, pensions. What does “open finance” mean? If you look at the Australian model, they have started already from a multisectoral perspective.
Senator Wetston: Energy and telecommunications and that sort.
Mr. Gulamhuseinwala: Absolutely.
Senator Duncan: Thank you very much for your presentation, Imran. It was amazing; I learned a great deal.
I’m a brand new senator sitting in on this committee. I would like to ask — and if it’s possible, perhaps, you would prefer to respond in writing because I suspect that’s probably where the information might be in with the policy group.
My questions are two, very specific: Canada, as you can appreciate, is very spread out. Is the technology — the wire, the infrastructure that supports what you do — does that come under another part? Is it part and parcel of your work, or where does that responsibility fall? I’m referring to situations where we have had people dig up a line 1,500 miles south, and all of a sudden nobody in an area will have access to the Internet. So who has responsibility for the infrastructure?
I believe you touched on this when you outlined the problems. You spoke about what I’ll call the vulnerable sectors in our society, those folks to whom a computer is completely foreign and may or may not still keep their money in a mattress, so to speak. Is there a policy document that addressed that area? And, if so, could I have a copy of it? Could you tell us where and when you are speaking in March? Thank you.
Mr. Gulamhuseinwala: There is no physical network infrastructure for open banking at all. Everything that we do sits on the Internet. So anyone who has broadband or mobile 3G or 4G, you have the same coverage.
The second point you made about there are some members of society who are both vulnerable and don’t have access to the Internet. Like you, I was very worried at the outset that open banking would miss them completely. In fact, I have been really excited and heartened by the fact that the debt charities themselves are coming to me and saying that we can use open banking in order to make things better for our clients.
So the reality is any debt charity that tries to offer a service to a vulnerable customer, someone who has fallen behind on their debt or hard times, they spend the first two hours meeting with them, trying to draw up a financial picture of that individual. The problem is that after two hours, it’s often wrong, and they need to meet with them again because they are building trust. The client hasn’t been entirely forthright about what their debts really are because it can be an embarrassing and stressful experience.
With open banking, what the debt charities are looking at is becoming authorized themselves as fintechs. The client comes in — often they already have an online bank account, even if they are not using it — and they essentially give the debt charity the ability to suck the information directly out of their current account, and they use that as the basis for the financial picture.
Now, whilst that doesn’t change things a great deal, necessarily, for the client, for the debt charity, it means you don’t spend two hours every time you meet a client for the first time. You can do it in 10 or 20 minutes. You don’t have to meet them multiple times. They think this is valuable because we can, with the same resources, help a lot more people.
Senator Frum: I would like to follow up on the original line of questioning from Senator Klyne at the beginning about the ability of the consumer to opt out. You spoke about it being a two-step process in the U.K. First you opt out with the third party, but then you have to go through the right-to-be-forgotten process. We don’t have a right-to-be-forgotten legislation in Canada. As I understand it, right-to-be-forgotten legislation applies to information that’s reputationally damaging, not just data per se.
So I’m clear, in fact, once a consumer opts out, their data remains with the third party permanently even though they have opted out. We don’t have a right to be forgotten. I’m not quite sure how it would apply to your coffee habits, for example.
Mr. Gulamhuseinwala: Maybe it’s something that we can follow up in writing.
But, yes, you are right. If you don’t have GDPR, then you need some other mechanism for doing it.
I am running out of my ability to speak. You have been really kind putting up with me. I’m not usually like this, but I might have to call time.
The Deputy Chair: Thank you. What I’m going to ask for, led by Senator Duncan, is our second line of questioners put their questions on the record and ask if you wouldn’t mind responding in writing.
Senator C. Deacon: I want to echo everyone else’s comments: your presentation has been superb, Imran. Very clear, very enlightening.
My second question is about the authorization that the bank needs to get from their customer in order for the customer then to trigger the use of data within specific applications and how that process is going to be functioning at the bank branch.
Obviously, I would expect that unless somebody opts in, they don’t give the authorization at the bank. There is nothing that needs to be explained, and that it’s triggered for each additional application that they then choose to access.
If you could follow up with information to clarify that process for us, we would be grateful.
Senator Marshall: Thank you very much. It was excellent information. I wanted to know how much your annual budget is, which I expect will continue on into the future.
My second question is, once it’s built and your job is finished, who takes over and who pays for it?
Senator Wetston: If you could tell us when the original scope of open banking was arrived at, when initiated. Second, who oversees compliance with the standards that you have in place and that will evolve? If you could provide some information on that, I’d appreciate it.
The Deputy Chair: Thank you, Mr. Gulamhuseinwala. I must appreciate the extra effort you made to be with us today. You have been a tremendous asset to our understanding of the whole concept of open banking.
I am pleased to welcome our second panel of witnesses: From Portag3 Ventures, Mr. Adam Felesky, Chief Executive Officer; from Deloitte, we have Todd Roberts, Payment Expert; and from Mastercard, we have Jennifer Sloan, Vice President, Public Policy, and Iain McLean, Senior Vice President, Market Development.
Thank you for being with us today. Mr. Felesky, please go ahead with your presentation.
Adam Felesky, Chief Executive Officer, Portag3 Ventures: Madam Chair, members of the committee, I’m pleased to be here today to discuss why we believe open banking will be significantly beneficial for Canadian consumers, small businesses, and the economy in general, while at the same time maintaining our competitiveness globally. We believe the government and industry stakeholders need to work closely together to quickly implement this important policy initiative.
For background, Portag3 Ventures is a Canadian-based global venture capital fund, one of the largest in the world dedicated to fintech, focused on the financial tech sector, including banking. We are also one of the most significant investors in early-stage fintech companies here in Canada.
As you heard this morning, in the United Kingdom, the Competition and Markets Authority used its power to create a legal and regulatory package of remedies for the nine big banks, chief among them being open banking. The objective was to tackle the competition issues outlined in their 700-page report, Making banks work harder for you. In their announcement of these measures, they commented that “weak customer response plays such a central role in our diagnosis of the competition problems in the retail banking markets, measures to engage, empower and inform personal and business customers are at the heart of our remedies package.”
We truly believe that is the same case here in Canada. An open banking framework is one in which the consumer has a right to access and share their financial data with third parties. We would argue that actual ownership is not the place for this discussion; it’s truly about the right.
Open banking will make access to specific product information, including fees and the associated costs, more accessible and transparent so that consumers and small businesses know exactly what they’re paying for. This, in turn, should mean that consumers will be more informed and empowered to choose the products and services most appropriate to meet their financial needs.
Importantly, open banking, as prescribed in the U.K., is not prescriptive; it’s about providing a technology infrastructure for other service providers to distill that transparency. In this regard, we believe open banking has the potential to deliver to more Canadians important consumer benefits that have already been championed in recent years by the Canadian provincial securities regulators, including the OSC and the AMF in Quebec.
As many of you would be aware, in the investment industry these reforms are known as the Client Relationship Model, or CRM. CRM is enhancing transparency in dealings between investors and advisers by requiring the latter to disclose, among other things, performance of the funds they have recommended, the fees associated and the adviser’s compensation. They also put the onus on the adviser to recommend steps and products that are appropriate to the client circumstance, including stage of life.
We believe open banking can build on this important regulatory development and expand these valuable principles into the banking sector and eventually into all aspects of a consumer’s financial life and, therefore, personal balance sheet management.
In addition to making banking and products and services more transparent and tailored to the consumer’s best interest, we’ve seen how open banking in other markets is improving access to credit for small businesses.
There are 1.2 million small businesses in Canada, 98 per cent of which have fewer than 100 employees. They employ 8 million Canadians and represent 70 per cent of the private sector workforce. Small business contributes to 30 per cent of the Canadian GDP.
The Competition Bureau, as part of their study into fintech that was released in December of 2017, reviewed the state of small- and medium-sized enterprise lending, and they observed that since the 2008 financial crisis, increasing risk aversion has led to a tightening of credit markets, particularly for SMEs. Further, half of SMEs in Canada rely on informal financing sources such as personal loans from family and friends, retained earnings or personal savings. Some 30 per cent of SMEs have turned to financing with business and personal credit cards.
Data is a vital element in lending, and while cash flow is not the only criterion for credit decisions, it is the most important. With open banking, small business owners can conveniently access their current account and historical financial transaction data from banks and provide a clear profile of their finances to any credit provider they so choose.
Better data from open banking will allow lenders to price risk more precisely for individual businesses rather than simply applying one rate to a set of businesses with similar general characteristics. With more precise pricing of risk, more capital will be attracted into the market because loan losses from defaults may be better predicted, and returns of capital will be more stable.
Similarly to SMEs, affordable credit tools and, most importantly, advice that can help consumers better understand and manage their spending, savings and borrowing habits is difficult for many Canadians. These widespread problems can be addressed through open banking.
Financial insecurity is a major source of stress for many Canadians. In the latest financial stress survey from the Financial Planning Standards Council, Canadians ranked money as their biggest source of stress, more than personal health, work and relationships.
Another recent study by MNP Ltd. found that 46 per cent of Canadians are $200 or less away from financial insolvency at the end of each month. Many of these people are the ones who are the least able to afford high banking and credit card fees, overdrafts or NSF fees, access to financial advice, and too often have to resort to payday lenders.
Personal financial management, or what is known as PFM tools, are just one example of innovation that open banking can make broadly available to underserved and poorly served Canadians. PFM tools aggregate a consumer’s financial data, with their consent, to provide a holistic view of their financial status and provide simple advice and recommendations on spending, borrowing and saving habits. In many cases, these services help automate those behaviours which, if adopted, can meaningfully improve one’s financial well-being.
Today, access to these valuable services is limited because consumers don’t have the ability to access their data easily or securely.
In conclusion, we believe open banking is required to enhance the competitiveness of the Canadian financial system, while driving innovation for consumers. Canada needs to move forward on the concept with policies and regulations that respect and protect privacy, and ensure that the security of a consumer’s data ensures the trust and confidence of that customer.
We believe this can be achieved through a regulated body, including an accreditation system and a comprehensive and fair liability.
There are dozens of countries that are ahead of Canada in their deliberations and even implementations of open banking. Without moving swiftly to this new competitive norm, we fear Canada will inevitably become a future importer of innovative financial technology that has already scaled and created jobs in other jurisdictions rather than having the creator and the exporter of them here at home. Thank you.
Todd Roberts, Payment Expert, Deloitte: Thank you, Madam Chair and senators. I very much appreciate the opportunity to share some perspectives.
Open banking, as it has been noted, is a global movement towards creating a more harmonized and secure model for customers to share their financial information with third party providers, whether that’s a bank or a fintech.
Globally, many jurisdictions have undertaken efforts already to stand up an open banking framework to provide greater competition and innovation within the financial services sector and, importantly, de-risk the current data sharing practices. Open banking can be understood within the broader context of a societal shift, and that’s a shift towards open data as a prerequisite for the digital economy.
In many jurisdictions and certainly in Canada, industry participants, regulators and lawmakers recognize the need to enable secure ways for consumers to share their data and give them greater control over what is clearly a valuable asset. Open banking, at its core, is the beginning of a more general movement towards greater customer rights over their data and to empower customers to obtain stronger and more meaningful control over their data.
In some markets, open banking consists of two separate but interconnected changes to the banking system: third party data access and payments initiation. Most of the discussions that we’ve had so far have principally centred around open data rather than open payments as well.
The payments initiation component of this leverages third party data infrastructure to create a model for third party entities to facilitate the initiation of moving money from one account to another account. In Canada, we already have a mature and well-functioning payments ecosystem, and ongoing payments modernization efforts, such as those led by Payments Canada, as well as the work that the Department of Finance is doing on the retail payment oversight framework as well as the creation of the real-time rail, address many of the components that in other jurisdictions are also referred to as open banking. So there is already a fair amount of work under way with respect to the payments initiation side of open banking.
The rest of my comments will principally focus on the open data side of open banking.
The two principal benefits of that are de-risking current practices around data sharing, notably screen scraping, as well as actively promoting competition and innovation.
Today, third parties, from fintechs to large banks, facilitate the gathering of financial data from screen scraping. Many of you will ask, “Why is it done that way?” It’s not as though there is a better alternative at this point that has been currently implemented.
Typically, these models involve customers sharing their online banking credentials with third parties: their account number or their password and their user ID. In these circumstances, there is an automated program which accesses the client’s information by logging into the bank’s online platforms on their behalf.
This model presents a number of material risks both for Canadians as well as for financial institutions, from the storage of online banking credentials all the way through to lacking proper consent and protocols for the ongoing management and verification of that information. Open banking can create a safer and more reliable model for customers to share their data with trusted organizations.
More importantly, open banking promotes incumbent financial institutions as well as new entrants to leverage their data by creating more competitive, accessible and innovative products. This is both about what incumbents do as well as what new entrants can do.
The innovation community globally has explored interest in these cases from simple aggregation interfaces all the way through to more sophisticated and automated financial management tools. The possibility for innovation and improvement in consumers’ lives is quite vast. However, in order to reap these benefits, Canada’s open banking framework must be designed practically in order to generate real value for Canadians, transparency and empowering customers’ rights and safe participation among various stakeholders.
We have a very safe and very sound financial system but we need to ensure that participation on the data side is optimized and that the safety and soundness of the financial system that we’ve built is not put at risk.
One of the important critical design choices will be the administration of open banking. In particular, to what degree will the government be prescriptive and involved in the operating of an open banking system? There are a number of areas where potential roles in the market can be explored. Accreditation, monitoring liability triaging, customer education, identity and token management are all critical roles where a degree of centralized authority is necessary in order for the system to function with the greatest effectiveness.
In summary, Canada has an outstanding opportunity to create an open banking system that delivers meaningful impact to Canadians while also maintaining high standards for protection and privacy. We’re in a privileged position to learn from the experiences of other markets, including the U.K., and to build a framework that can propel innovation and modernize financial data sharing.
Thank you very much.
The Deputy Chair: Thank you, Mr. Roberts. We’ll go on to Mastercard and we will hear from Ms. Sloan, Vice-President, Public Policy.
Jennifer Sloan, Vice-President, Public Policy, Mastercard: Good morning, senators. Thank you for the opportunity to be with you here today. My name is Jennifer Sloan, and I am the Vice President of Public Policy at Mastercard Canada. With me today is my Mastercard colleague Iain McLean, Senior Vice President of Market Development. Iain joined us from our U.K. office and has invaluable experience in both the U.K. and European markets.
We are pleased to be here today to discuss open banking, a new evolution in financial services and one that puts the individual consumer firmly at the centre. However, before I get into that, let me give you my quick Payments 101 reminder. As you probably know, from our past appearances before this committee, Mastercard does not issue credit cards nor have a direct relationship with consumers. That is the purview of the banks that issue our cards. Sorry, we can’t help you get a better interest rate.
Mastercard is a technology company. We provide the network that allows a consumer to use their Mastercard virtually anywhere in the world, in more than 210 countries and territories, and to have that transaction processed in mere seconds. We connect 2.3 billion cardholders with tens of millions of merchants around the world. Therefore, as a technology company, we are generally in favour of policies that support innovation. Open banking falls within that category.
Open banking takes the technology and innovation that is impacting virtually every aspect of our lives and applies it to the financial sector. There has been a major shift in consumer expectations of how and when they make purchases and in their ability to control their banking and payment experiences. The movement towards open banking looks to ensure making and receiving payments is secure, simple and matches expectations of service while guaranteeing consumer protection. We believe this can contribute to an ever more vibrant payments sector, one where banks and third party providers will both collaborate and compete to bring new services to market.
Technology has opened a whole new world of opportunity to deliver new and improved services as virtually any device can be used for payments, providing the infrastructure for a payments evolution. To do so, we need to ensure a policy framework that efficiently supports innovation.
Therefore, to address the mandate of this study, let me first state that Mastercard does see enormous potential benefits for Canadian consumers arising from open banking. Consumers can receive new products more tailored to their individual needs and interests, while at the same time exercising greater control over their personal financial information.
The committee has also asked about challenges of open banking. The main one we see, as with any innovation, is building trust between all participants. Without trust, consumers will reject new solutions and that requires safety and security measures to be integrated from the beginning. However, at the same time, consumers want a seamless experience. If measures are too clunky, consumers will reject them. This is where balance comes in and where an appropriate framework is critical.
Protections are obviously needed, but flexibility is needed to allow for innovation. The key areas that need to be addressed are privacy, security and consumer protection. I will touch on each briefly.
With privacy, consumers need to have adequate information to understand how the open banking process works and how their information will be protected.
As for security, for open banking to succeed, third parties need to be able to access the data and infrastructure controlled by banks while, at the same time, banks need confidence that the third parties requesting account access are legitimate. To manage this effectively, trusted partners are to enable this connectivity between third parties and banks in a safe and secure fashion.
To adequately protect consumers against potential risks created by such data sharing, the following must be core components of an open banking system. One, clarity in the consumer experience. Simple, easy-to-understand disclosures and clear direction on when and how to provide consent to the disclosure of that data. Two, protective controls. Use of privacy and security-enhancing technologies such as tokenization and simple, secure authentication methods. Three, data minimization and integrity. A transmission process that minimizes the amount of personal financial information required and prioritizes the preservation of data integrity.
The question then becomes how to incorporate consumer protection, privacy and security into an open banking framework? Based on our international experience, we recommend an industry-led, principles-based approach, with a clear set of guidelines which may be overseen by a regulatory authority, but without a central market entity governing the ecosystem.
Singapore, Japan, South Korea have all been moving quickly on industry-led, open banking initiatives and that has seen the introduction of exciting and innovative financial products in a more organic fashion without heavy-handed government intervention. While the EU has introduced some regulatory requirements, much has been left to the industry to drive; we believe that is a much more efficient approach.
From an execution perspective, we urge the government to consider how implementation of an open banking framework will intersect with other significant initiatives under way in the ecosystem. This includes payments modernization and the retail payments oversight framework which will bring fintechs into the regulatory fold. These dependencies must be built into implementation timelines. In particular, the relationship between open banking and the real-time rail component of payments modernization should be sequential.
The real-time rail should be launched and functioning well prior to introducing open banking solutions that would depend on the real-time infrastructure for its successful operation. This is just a snapshot of Mastercard’s perspective on open banking. We have submitted our views to the government’s advisory committee as part of that consultation and look forward to continuing the discussion here. We thank you for your time. Iain and I look forward to taking your questions.
Senator C. Deacon: Mr. Felesky, I’m deeply concerned about the risk of Canada not acting fast enough. You have been a hugely successful investor in this sector. Your companies are leading growth in this sector in Canada. Can you give us a sense of the loss it would be if we were to become a net importer of financial service activities? But I also want to look at the positive side, how much there is to be gained in job creation, high-skill jobs, wealth and opportunity for Canadians.
Secondly, I would like each of you, if you could, to focus on the one thing that we need to make sure that we get in our report. What is the one thing that we cannot miss? Is it that the government needs to mandate the Canadian banks to act? I think we heard from the CBA, Canadian Bankers Association, that, at best, they are cautious, if not reluctant, as it relates to this issue. I’m all in favour of private leadership, 100 per cent, but if you have a reluctant private leader, where do we go from there and how do we make that happen? What is the one thing we have to make sure we get right in our report that we don’t miss?
Mr. Felesky: We totally agree. Part of our mandate is creating global champions based in Canada, and some of the most exciting companies we have invested in are Canadian-based companies. But often the opportunity is, and we see the opportunity as, exporting their talent, product and services in other markets. Often we encourage our companies to find early customers more quickly in the United States because they are more innovative and willing to try to test young technology companies before Canadian companies. That has always been a challenge.
I think open banking is interesting because it forces the opening up of the data, and that data is so lucrative, to build these technologies on. And the truth is Canada is in an amazing spot right now. We are being recognized as an incredible talent pool. With the change in the visa programs, we are seeing the reverse brain drain every day. We are hosting 75 international VCs in May coming to Toronto to meet our ecosystem.
We are in a great spot, but it is a bit of a tragedy that our beta test, like an Israeli market, they think Israeli just to get their product right, but they are focused on the broader markets, mostly the United States.
Our banking platforms and our ecosystem are fantastic to develop these technologies and we should be the exporter. But the truth is our market is just not big enough to build global champions, so we have to do everything we can to support them.
Senator C. Deacon: If we go to the second question, maybe starting with Ms. Sloan and then move back down the panel: What’s the one thing we cannot miss?
Ms. Sloan: The one thing that we believe you cannot miss is you have to set the conditions right. The environment has to be right. So I think the clear direction that we need is an industry-led principle-based environment with a single regulator. I think that is absolutely imperative, because without the groundwork laid then it becomes a bit of a wild west.
We’re all for speed. I think everyone appreciates open banking is coming, but let’s set the conditions right at the start to ensure success.
Mr. Roberts: I think it’s important to acknowledge that the status quo is not tenable. When looking at the current methods for individuals to share their information, it doesn’t protect the individual well. It doesn’t ensure the efficient transmission of that information. It does not provide a good basis for innovation and collaboration.
I think it’s important to note the current system doesn’t work to the benefit of the parties involved, so it needs to be replaced by a framework that is workable and enduring. And it will need to be complicated. The reality is that privacy is important to all Canadians, so ensuring that people have the right to consent and the right to revoke. When we look at how liability plays out when things don’t work out that there is redress for the individuals but the institutions that are involved that didn’t create the problem are not held accountable for the restitution of the problem. I think those are good examples of the clear specifics that any enduring framework will need to cover off.
Iain McLean, Senior Vice President, Market Development, Mastercard: I was going to build on both those comments. I think the specific focus on deriving end-consumer benefit is important. I think it will be a change that will result in the industry. And it’s important that that’s focused on an outcome that realizes real consumer benefit. Underpinning that, we have used the word “trust” a few times — all the panellists have talked about that — and ensuring that the framework is one that the consumer can trust, so that matters such as liability and issues when things break down can be put right is important.
As a network, we have spent over 50 years establishing similar standards and frameworks to ensure that things like liability are handled efficiently and in the consumer’s interest. It’s a fundamental aspect to operating any kind of open network such as the ones we are talking about.
Mr. Felesky: I would just add a deadline.
Senator C. Deacon: And when would that be? Yesterday?
Mr. Felesky: Sadly.
Senator Wetston: Firstly, I want to thank Mr. Felesky for introducing us to Imran. It was at his encouragement we invited him, and I thank you for that. Thank you to the panellists as well.
Mr. Felesky, it took 10 years to put the CRM model in place. I think you know that.
Mr. Felesky: Yes.
Senator Wetston: That’s the client relation model within the CSA, the securities industry.
I’d like to ask a more general question because we’ll review your submissions today. They have been very helpful. I took note of the fact we do have some similarities with the U.K. when it comes to financial service, only some similarities, and that is maybe on the banking side, it is quite concentrated. It’s quite concentrated in Canada as well. I did note that in Australia they are using the competition authority to level the playing field and create the model. In the U.K. they are doing the same thing. In Canada we have a highly — you have heard me say this many times — fragmented system of oversight between the federal government and the provincial government. We do have a competition authority that has federal authority.
Could I have your collective views on how you view a competition authority having oversight responsibilities to develop a model, and would that be possible in Canada? Or will we continue to defer to a fragmented system of securities regulators doing one thing, the banks being overseen by OSFI and finance and insurance being fragmented across the provinces and federally? And I believe open banking allows itself to have much more — I’m going to use the word “interoperability” among all these systems. So could I have your views on that? What do you think about that opportunity? Because competition creates innovation, and innovation creates opportunities for consumers and businesses.
Mr. Felesky: I’m not a regulatory lawyer. I’m wading into an area that I don’t want to comment too much on.
From our discussions with the Competition Bureau, enforcement or the lack thereof seems to be the issue, so I think we would support any way to provide them with the powers to enforce.
I would also note the payments modernization initiative, which is an important policy, is under the purview jointly between the Department of Finance and the Bank of Canada. It looks like they will oversee the new members that can access that infrastructure, so there seem to be some synergies that oversight of that infrastructure, which is somewhat related to open banking, would make sense.
Mr. Roberts: When you look at the U.K. and Australian examples, they made policy choices first around ensuring that there was a clear regulator. So the Financial Conduct Authority didn’t exist 10 years ago. If you look in the case of Australia, it’s the Reserve Bank that has been very active. The equivalency here would be the Bank of Canada.
The important piece is certainty and clarity around the importance of getting this right and ensuring we don’t have a Balkanized approach where one agency has this piece and another agency has that piece. PIPEDA will be an important part of what the solution here is. That’s not under the bureau and it’s not under the Department of Finance. So I do think it will be incumbent on the country to achieve the speed that Adam was talking about before. We will need decisive direction from those that set policy and the ability to convert that decisive direction into an equally decisive implementation. So the jurisdictions that have shown more traction on this did it through different mechanisms, but they all had a party that was clearly in charge of driving the outcome.
Ms. Sloan: We haven’t coalesced around who that regulator should be. We have just focused on setting the conditions right, so industry-led principles based.
The example I used internally of how this system can work is the voluntary code of conduct for the debit and credit industry. So the code was developed as early as 2010, led by industry, based on principles, with the regulator being the Financial Consumer Agency of Canada. That code has evolved as conditions in the market have changed, but it works well. Everybody knows the parameters around it. And so we look to open banking to have a similar system to get success in Canada, but maybe Iain could speak to what we are seeing in the U.K. specifically with their different model.
Senator Wetston: There was a predecessor to the FCA, by the way, just as a matter of comment.
Mr. McLean: FSA, wasn’t it? It was then split. I think that regulation creates the conditions for competition and innovation to happen. It’s very difficult to force those things. I think there needs to be a balance struck between an authority that creates those conditions versus acting with a very heavy hand to try to force very specific solutions on to the market.
If we look at the U.K. and Europe and some of the things that are happening there around the fintech space, this has been building for a number of years, and it’s probably got its roots back in the original PSD regulation around accessibility of licences and such. I think we are seeing these tech companies starting to serve a specific underserved niche where there is a real genuine consumer need. If I use TransferWise as an example, it’s foreign exchange. Potentially the high prices or the inaccessibility of those services act as a platform for them to develop a customer base and deliver that excellent service on a broader basis to those customers.
I’m probably looking back a few years in terms of how aspects of regulation laid a framework, if you like, that’s then subsequently encouraged investment to come into the market and then customers to be served by exciting new propositions.
Senator Wetston: Thank you.
Senator Wallin: As you can see, we are all wrestling with what the structure should be and the role of government. I’m going to hone in on one specific thing. The concept that data belongs to the customer has not yet really been agreed to or solidified. Do you think that we need the force of law behind personal ownership rights? I think the second stage would be GDPR. Could I hear from each of you on those two things?
Mr. Felesky: In our more lengthy submission, we definitely believe that an update of PIPEDA is a great first tool in this whole debate. And a consumer data right will lead to much of the operationalization of what we are talking about. The last piece I would say is that there needs also to be some coordination with ISED where they are also looking at data as an asset. Coordination between those two seems to make sense.
Senator Wallin: So a right with force of law.
Mr. Felesky: Correct.
Senator Wallin: Thank you.
Mr. Roberts: I don’t think that you can do anything sensible in this space without clear roles. Roles need to include elements like consent and the ability to revoke consent in a meaningful way. GDPR in Europe has a number of things in it. One of the components that is clear is the right of an individual to have their information removed, the right to be forgotten. So I cannot envision an environment where, if someone concludes that they want to do something on Monday and then changes their mind on Tuesday, that decision on Monday can’t be an irrevocable choice. We need to ensure that Canadians are protected. The right to give that data to others is their right and the parties that they entrust to generate that data have an obligation to ensure that information can be securely sent to another party. I believe we have a long history of an older way of justifying the individual’s right. I don’t believe that legislation and that law fully encompass the new realities we find ourselves in. So I do think it needs modernization.
Mr. McLean: I’ll leave the broader privacy question to Jennifer. I’ll just say that specifics of open banking, it’s important and something Europe is still grappling with is, what information is available, how it’s used and what purpose it’s used for, as well as the standards via which that data can be accessed and transmitted. Those standards were all established by the industry committee that is brought together to consider open banking in more detail. That is essential to the trust that we spoke about consumers ensuring that these functions properly.
Ms. Sloan: Senator, thank you for the question. Privacy is essential to open banking, as is consumer protection. When we talk to our colleagues who are responsible for privacy around the globe at Mastercard, they continually point to Canada as having the highest standard of privacy and data protection legislation and regulation. I think PIPEDA works. The Privacy Commissioner was very clear on consent in November. We think that those rules and regulations would work well in the open banking environment.
We want to ensure that we are not always reinventing the wheel every time we evolve in this environment. So take the privacy legislation and data protection legislation we have, PIPEDA, the consent guidelines from the commissioner, overlay that to open banking and we should be sufficient with consumer consent and the ability for the consumer to opt out.
Senator Wallin: I guess I see a small distinction there with force of law versus rules and regulation. And I want to be clear that the consumer has that ability. Thank you.
Senator Marshall: I can see all the benefits that would come with open banking. However, our first witness this morning spoke about the entity he is in charge of, OBIE. He indicated that he has a staff of over 100 people, and he will send us information on how much it costs to operate his agency. He told us the banks pay for what they are doing.
It’s not going to be free, so who do you see paying for open data? It’s going to be a big system. It has to be regulated.
Ms. Sloan, you mentioned that it should be industry-led. I’m not quite sure who is industry. If it’s industry led, I would think industry pays. I’m curious as to who is going to pay for it.
I know that in the U.K., the banks are passing these costs on to their consumers. So whatever the consumers are saving as a result of open banking, they are probably paying for it in some way.
Could you talk about the costs and conceptually how you see that working?
Mr. McLean: I think the first question is: Pay for what? I think the infrastructure change will need to take place on behalf of the banks and other participants to accommodate open banking. That is one bucket of costs. You then have the authority required to govern or stipulate the change that needs to take place. I think the first bucket of costs will be unavoidable for everyone. Whenever an industry or group of industries go through change, there will be technical costs involved.
I think the question at hand is whether or not a central body of 100 staff is necessary to achieve the outcomes that are designed by the open banking regulation. Our view would be that, provided there is clarity of mandate and a specific outcome that is required, the industry can organize itself to do that without incurring overhead.
Mr. Roberts: I think it will be incredibly important not to assume that OBIE is the only way to answer this question. It is one way. Japan and Singapore and Australia have gone about it in a way that is not creating an OBIE.
I think it is abundantly necessary for there to be common and agreed-upon standards. Typically, the way that works is that people contribute their resources, usually into a policy-led process, to come up with an answer, and they bear their own costs to implement that answer.
The U.K. environment is different. They chose to create a centralized supplier of things like accreditation and a common technology provider. That’s a really important choice.
In Canada, for example, Payments Canada is the operator of payments infrastructure because that was determined to be the most effective way to have a safe and sound system.
To make that same conclusion in Canada, you would need to believe that an extraterritorial agency, special-purpose corporation, would need to do that. That has implications for the role of the Privacy Commissioner and for the role of the FCAC.
I think it’s a very big choice to decide that infrastructure is where you need to go. When that choice has been made, it’s typically the users of the infrastructure that end up having to support it, whether that’s Payments Canada, NAVCAN, or any number of examples, but it is an extreme choice.
Mr. Felesky: I’d answer the question with the example of an existing model, which is Payments Canada. We have the situation where the modernization of the payment infrastructure has been devised by Payments Canada but is being implemented by industry via Interac. Payments Canada itself doesn’t have a budget. Some would argue that the delays in payment modernization are in part because you have those who could potentially be disrupted by the modernization building the infrastructure. I’m not saying that’s necessarily my view, but forcing industry to pay, when they are potentially most exposed to the innovation, can cause conflicts of interest.
Senator Marshall: Do you think there is an expectation out there that government will fund something with regard to open data, or do you think the expectation is that industry is going to pay?
Mr. McLean: To build on that example, I would use another example, which is Mastercard. We are part of a network. We work with all of the entities on the banking side and entities who facilitate card acceptance on the merchants side as well. We operate in the private sector, as you know. We have no mandate over the parties who operate on our network, aside from the standards we set, which were originally established many years ago, and we continue to evolve as the market evolves.
I think that’s a good example of where the private sector is able to achieve modernization. We modernize our network and the end points and the technology that’s applied all the time. I’m not saying that some kind of amendment isn’t necessary around open banking, but I think the outcomes can be achieved in different ways.
Mr. Roberts: If the outcome was the creation of a set of standards that were voluntarily agreed to under the catalyst of a party such as the Department of Finance, as was the case in the voluntary code of conduct that Mastercard colleagues were outlining earlier, that’s staff work and it’s not something that requires a 200-person implementation body to manage infrastructure to deliver against.
I think it’s important to decide what flavour of open banking Canada is to implement. Under certain circumstances, you do not have a funding question; on others, you have an extremely significant funding question.
Senator C. Deacon: I want to keep digging on this a bit more. Getting back to Mr. Felesky’s point about now or yesterday, to what extent do you see there being a reasonable opportunity for a regulatory sandbox of some form to be created that would provide contractually the protections that we believe are necessary for this to be successful for those who choose to opt in, and allow us to get moving and provide the confidence and the action? I’m worried, as somebody new to Ottawa, about how slowly things move, especially when you are dealing in federal-provincial areas. If you could speak to that. Thanks to each of you for the very insightful answers.
Mr. Felesky: I think a sandbox idea is quite interesting. I think creating what’s known as an IASP designation — Internet Access Service Provider — which you have to qualify in some form — and laying out some initial standards around that and putting it in a sandbox could be an innovative way to get started.
Mr. Roberts: Working under an approach like that has the requirement, in many ways, that you are using the existing regulatory framework and not creating a new one from whole cloth. That means being comfortable with PIPEDA and other frameworks to be able to say that’s the governing rule of law under which a sandbox is an efficient way to prove at a small scale that something is safe to deploy at a large scale.
The OSC, for example, has been quite effective in operating a sandbox to test the ability of a model at small scale to prove that it works prior to it being deployed at commercial scale.
Ms. Sloan: Senator, we are absolutely behind you on speed, innovation and ensuring that Canada stays at the forefront. However, I go back to my original statement about laying the right conditions. And right now, we’ve got separate tracks of incoming guidelines and regulations. I mentioned payments modernization. I mentioned the retail payments oversight. So until we understand what that means, for the ecosystem, we’re leaping too far ahead, and that’s coming soon as we understand it. The retail payments oversight legislation that we’re anticipating soon guides how fintechs enter the marketplace and how they conduct themselves. Right now, we have no idea. And so again, we can go back to worrying about the consumer and the protection he or she has, so I think we’ve got to get that in place.
I mentioned the real-time rail work being done by Payments Canada. Until that infrastructure is in place a lot of what open banking purports to do for the benefit of the consumer will be slowed down because you don’t have the infrastructure in place.
Senator Wetston: I think all the panellists here know that everything starts with the Constitution in this country, followed by the roles and responsibilities that are associated between the federal government and the provincial governments, and that not all aspects of open banking are really about banking. There are aspects about open banking that touch areas that are not under federal authority potentially. I’m raising it because we’ll be writing a report and we have to reflect on issues of this sort because there are as many opportunities as there are challenges. A sandbox approach is a great idea. We do it with stock exchanges now. We have a number of stock exchanges in this country, and Mr. Felesky will be familiar with what had to be created there to allow for the efficient trading of securities in Canada. Scope is important. My question is: What would you start with, with respect to APIs, with respect to an open banking “system” to ensure that we don’t get into constitutional arguments and issues of regulatory responsibility and other such matters? Do you have any thoughts about that?
Mr. Felesky: As I mentioned before, I think we believe updating PIPEDA and defining the right to your data is a federal jurisdiction and therefore an interesting place to start. Through that, if you will, through the Bank of Canada or other means forcing a requirement to offer a standard API so that people can access those rights, I think that would be a way to start. And quite frankly, many of the banks have already built open APIs. It’s just who can access them. I actually don’t think the build out is that significant.
Mr. Roberts: I think the department was effective in breaking this into open payments initiation and open data, and they said they have got other processes for handling open payments initiation. I think it’s important to focus on the open data side of the question as the principal topic to make choices around. We have 291-odd financial institutions, the minority of which are federally regulated, the majority of which are actually provincially regulated. So finding a way to create an accord among those, the provincial and federal regulators, for what looks to be an appropriate standard, for something that today is largely without standards. I do think there are grounds for the effective Canadian compromises that have been the hallmarks of most major changes.
So I’m optimistic that we can find the grounds for that compromise rather than having to go to the other pole of saying we need a hard, sharp, singular federal answer.
Mr. McLean: On a point I spoke about earlier, whatever is specified should derive specific benefit. We operate lots of open APIs for fintechs and other entities to consume our products. Typically, there is a very specific end goal in mind when we build those APIs. If you don’t have that specific end goal, it can both become difficult to implement and the trustworthiness of the system can be questioned.
The Deputy Chair: I would like to thank our witnesses for taking the time to come here and brief us on a, for me, very difficult subject to get my head all around everything and I think for Canadians as well. For me, one of the key things will be education of the Canadian public. Thank you so much. We really appreciate your great presentations, and they have been a big help.
(The committee adjourned.)