THE STANDING SENATE COMMITTEE ON BANKING, TRADE AND COMMERCE
EVIDENCE
OTTAWA, Thursday, March 21, 2019
The Standing Senate Committee on Banking, Trade and Commerce met this day at 10:30 a.m. to examine and report on the potential benefits and challenges of open banking for Canadian financial services consumers, with specific focus on the federal government’s regulatory role.
Senator Douglas Black (Chair) in the chair.
[English]
The Chair: Good morning and welcome, colleagues and members of the general public who are following today’s proceedings of standing committee on audit and oversight. I would ask senators to introduce themselves, starting with my colleague and friend.
Senator Wallin: Pamela Wallin, Saskatchewan.
Senator C. Deacon: Colin Deacon from Nova Scotia.
[Translation]
Senator Dagenais: Jean-Guy Dagenais from Quebec.
[English]
Senator Stewart Olsen: Carolyn Stewart Olsen, New Brunswick.
The Chair: We are ably assisted by our clerk and our analysts. We’re appreciative that you’re all here.
Today marks the sixth meeting of our study of the potential benefits and challenges of open banking for Canadian financial services consumers, with a specific focus on the federal government’s regulatory role.
Today, we have a busy morning and we have two very constructive panels. It gives me great pleasure to welcome the witnesses in the first panel: Kirsten Thompson, Member, Advisory Committee on Open Banking, and Partner, Dentons Canada; Steven Boms, Executive Director of the Financial Data and Technology Association; from the Electronic Transactions Association, Scott Talbott, Senior Vice-President; and from Wealthsimple Financial Corp., Blair Wiley, General Counsel and Head of Regulatory Affairs.
We are looking forward to your introductory statements, and then we may have questions for you.
Kirsten Thompson, Member, Advisory Committee on Open Banking, and Partner, Dentons Canada, as an individual: Thank you and good morning. First, I’d like to thank the committee for inviting me to appear here today and to provide input.
I am a member of the Advisory Committee on Open Banking. I was appointed last September by the Minister of Finance.
I speak today as a member of the advisory committee, but I do not speak for the advisory committee. Neither do I speak for the ministry of finance.
In addition to my role on the advisory committee, I am a partner in the law firm Dentons Canada which is part of the global law firm. In that capacity, I lead the firm’s transformative technology and data strategy group. A significant portion of my practice involves addressing privacy, cybersecurity and other data-related issues, particularly as they intersect with new business models and technologies.
While my practice affords me deep insight into these areas, I am here today in my personal capacity. I am not representing any clients nor am I speaking on behalf of my firm. That ends the disclaimers.
I would like to focus my remarks on two things: an update on the advisory committee’s work and a brief summary of why open banking matters.
First, to the update. The advisory committee was charged with considering whether open banking would provide meaningful benefits to Canadians; and if so, what an open banking regime in Canada should look like.
The consultation paper, as you know, was published in January 2019. Over 100 written submissions have been received. They are in the process of being reviewed by the committee. I have two binders this thick on my desk, so yes, it’s a process.
Between February and March, the committee held round table and stakeholder consultations in Vancouver, Montreal and Toronto, and we continue to consult bilaterally with stakeholders. The committee is assessing and evaluating the considerable input it has received. We have not yet made any determination on the issues before it.
With respect to open banking, first I would like to provide some clarity about what open banking is and what it includes. The term itself tends to create a misunderstanding as it raises for some the spectre of Canadian banks being forced to throw open their doors to their customer data rights to anyone and everyone, with personal privacy rights being trampled in the process.
Let me be clear: This is not at all what is being proposed here.
Given the lack of clarity inherent in the term “open banking,” I’d like to change the narrative a bit. Instead of discussing open banking, I would like to suggest a term that adequately captures what it is, namely, consumer-directed banking.
Consumer-directed banking has two key features: information sharing and payment initiation. As payment initiation is not within the scope of the current review, I am going to focus solely on the information-sharing aspect.
The information-sharing aspect that’s consumer-directed banking allows a bank customer to give instructions to their bank to share their transaction information with a third party, and that third party is of the customer’s choosing.
Consumers are already familiar with aspects of this model. Banks already share some customer personal information with third parties, for instance, loyalty programs, affiliates, selected partners for marketing. Such sharing of customer information right now is done at the bank’s discretion and initiative. Customer consent is typically obtained on an opt-out basis, for instance, notice of such sharing is given in the bank’s privacy policy. Customers who disagree can opt out. In this current model, however, the customer is not able to direct the bank to share their information, nor is a customer able to choose with whom the bank could share this information.
In a consumer-directed banking model, the consumer is able to direct the bank to share certain types of personal information with other entities of the customer’s own choosing. In examples from around the world, these entities have included service providers, accounting service providers, insurance companies, fintech companies, other banks, and so on. In existing models these entities are regulated in some manner in order to qualify them as being recipients of this information.
So why does any of this matter?
If you are mid-life or mid-career, have established credit, own a home or vehicle, consumer-directed banking will likely offer you some convenience. Frankly, it is not likely to change the world of banking for those sorts of consumers, as the existing banking regime serves them well. The majority of Canadians, however, do not fall into that category. Many Canadians live paycheque to paycheque. A significant portion are new to Canada and do not have established credit here. A large number of Canadians are recent graduates, starting their career, beginning families, looking for housing and trying to juggle a student loan debt, often at the same time. Other Canadians are small-business owners who find it difficult to access credit, manage payroll and pay suppliers. It is these people who have the most to gain from a consumer-directed banking regime.
With consumer-directed banking, there is an opportunity to increase financial literacy, promote the stability of small business, drive innovation through increased competition and many other positives that you have no doubt heard about from others who have appeared before the committee.
There are risks. We have heard a lot of about them on this committee. Some of them have been overstated, for instance, risks related to privacy and cybersecurity. While privacy and cybersecurity risks are real and must be addressed, they must be addressed in ways that do not stifle the growth of a vibrant financial ecosystem and technological innovation.
Certainly amendments will be needed to existing privacy legislation in Canada, but the preamble to that legislation should be borne in mind. It is an act to: “Support and promote electronic commerce by protecting personal information.”
We must ensure that these otherwise legitimate concerns about privacy and cybersecurity do not become justification for inaction.
Consumer-directed banking that places the consumer in control of their own information can be done and has been done in ways that are privacy protective.
There is another significant risk that is not mentioned as often. If Canada fails to make timely and bold steps forward on consumer-directed banking, whatever it may ultimately look like, there is a significant risk that innovation will falter. Talent and businesses will relocate to more accommodating financial ecosystems elsewhere, foreign players will dominate the Canadian market and the Canadian economy and financial services industry will suffer. This was a consistent theme in the round table and stakeholder consultations, and in that regard most participants were aligned.
I would like to thank the committee again for inviting me here and I look forward to answering any questions you may have.
The Chair: You have been very helpful and succinct, Ms. Thompson. Thank you very much.
Steven Boms, Executive Director, Financial Data and Technology Association (FDATA): I am pleased to be here on behalf of the Financial Data and Technology Association of North America, a trade association for which I serve as director. FDATA North America has participated in Finance Canada’s deliberations on open banking and is comprised of financial service providers that are united behind the notion that consumer and small business digital financial data access is both a fundamental right and a market-driven imperative. We are also a regional chapter of FDATA Global, an organization on whose board I serve and which was the driving force for open banking in the United Kingdom. FDATA Global and its international chapters continue to provide technical expertise to regulators and policy-makers in London, to the European Commission and to regulatory bodies internationally contemplating many of the same questions you are today.
Our chief concern is how to thoughtfully harness innovation in the fintech ecosystem to help consumers and small businesses improve their financial well-being while ensuring that end users and the financial system itself are well protected in a framework that leads to macro-economic benefit and job creation.
To start today, I would like to take a moment to address the global movement towards open banking and specifically any misconception that the U.K.’s experience indicates there is little consumer demand for such a framework. I understand the committee heard recently from Imran Gulamhuseinwala on some of these topics.
Here is what we know: First, more than 200 third-party provider firms have connected to the U.K. open banking system, with another 130 winding their way through the regulatory process. These are all firms who were not part of the national domestic regulatory framework before. Several banks have created their own third party provider tools to consume the open banking APIs and deliver technology-based services to open banking consumers. More than 7,500 net new customers per day are being added to the U.K.’s open banking system via account aggregation. The U.K. attracted U.S. $3.3 billion in fintech venture capital investments in 2018. Only the United States and Canada attracted more.
Not everything across the pond is perfect. The U.K.’s open banking system has wrestled with complexity, expansion to additional account types, and nearly all stakeholders agree that communication and messaging, both to end users of the system and to the TPPs required to submit themselves to regulatory oversight, should have been more of an initial focus.
Other markets should review, in our opinion, the lessons learned from the U.K.’s open banking deployment to determine how best to implement their own frameworks. But one lesson is abundantly clear: Any challenges to implementing open banking are far outweighed by the benefits to all stakeholders.
It is based on these lessons that we recommend a well-framed open banking regime in Canada will support financial inclusion and access, provide to the consumer or small business full control and utility over their own financial data, reduce costs and burdens associated with switching financial services providers, provide for a well-regulated system with consumer protection at the heart of it, spur innovation and lower fees, provide to regulators and financial institutions significantly more transparency and certainty with regard to third-party service providers than they have today, and ideally, in an interoperable system, provide access for Canadian providers to offer their products and services in open banking markets globally, spurring new and scaling existing Canadian companies creating new jobs.
Given the enormous consumer benefits of open banking and the move towards this framework globally, it is urgent that Canada move forward and move forward quickly. A thoughtful yet swift implementation of open banking will put Canada in a position to compete with services customized to individual customers’ needs and yield greater economic opportunity for consumers along the income spectrum. Further, with so many Canadians already having adopted many of these tools to help them manage their finances, FDATA North America’s members today provide approximately 3.5 million Canadians with aggregation-powered technology-based financial tools.
A thoughtful approach that further encourages the use of these tools, balancing legal requirements with the ability of the market to innovate over time, will provide for more widespread consumer benefit.
The first critical step towards open banking is the assertion of the customer’s legal right to their data. Open banking in its simplest form can be thought of as the digitized version of a consumer bringing a shoebox filled with receipts and bank statements to their service provider of choice.
Security principles go hand in hand with improved data sharing. In an open banking framework, companies that hold, transmit or provide services based on an end-user financial data should be regulated and accept liability and security standards to protect the data to which they are entitled. To protect consumers, an open banking framework must require a third party to obtain explicit consent from a consumer, using disclosures and clear language that’s easily understood. Consumers must also be permitted to opt out of using a service and sharing their data at any time.
While internationally different countries have taken different approaches to implementing these regimes, lessons from abroad show that the benefits that an open banking receives from an appropriate regulatory oversight are key. The introduction of an implementation entity can establish a level playing field in which all stakeholders can offer their perspectives regarding policies, standardization and security measures for market participants and which is empowered, with the consumer experience squarely in mind, to resolve areas of disagreement among different stakeholders.
FDATA North America respectfully suggests that Canada’s federal government should: play a proactive role in a new financial system framework by taking steps that make clear that consumers have the right to use any data field in an open banking regime that is currently available to them through other means; ensure that third parties entering the Canadian marketplace register within an appropriate centralized authority that provides oversight of this system; require third parties to conform with appropriate certification requirements to gain entry to that system; recognize the need for the system to evolve over time, particularly with regard to the need for screen scraping to continue until all data currently available to the customer through their online or mobile banking application, or through some other means, is made available by financial institutions using a different technology; and ensure a consistent measuring of outcomes over time that are aligned with the objectives of ensuring consumer interests, such as data ownership, transparency, safety, privacy and financial stability.
As you know, not only is open banking well under way in the U.K. but implementations are happening in many countries, from Australia, to India, to the United States. In these markets, the technology-powered products and services provided by incumbent financial services and fintech firms are supporting consumers and businesses as they manage and improve their finances.
Canadian consumers are already demanding and using these tools and they deserve to receive it.
Thank you very much for the opportunity to join you this morning. I look forward to answering any questions you may have.
Scott Talbott, Senior Vice-President, Government Affairs, Electronic Transactions Association: ETA is the leading trade association for payment companies. We have over 500 companies operating worldwide that process about $7 trillion of credit card, debit card and prepaid card transactions in North America, including $700 billion each year here in Canada.
ETA members include companies on all sides of the open banking issue. We have traditional banks, data aggregators and online small business lenders. What’s key to note is that ETA members are in favour of open banking and of moving forward. I don’t think there’s any debate among the panellists here about whether we should move forward. The debate is about how we should, which we will talk about shortly.
ETA member companies are continuously focused on developing and deploying new products, technologies and services to revolutionize the way Canadian consumers make their payments in a convenient and secure environment.
Specifically on this topic, all our members are already working on deals to deliver products to consumers. Consumers are demanding this product, and the industry is responding. It’s very exciting, actually. There are a lot of benefits to open banking. I know the community has heard from previous witnesses as well as this panel, but it’s worth talking about the benefits to the consumer, as well as small businesses. Both parties have to be considered as part of this effort.
In terms of consumers, empowering consumers will help them to better understand and control their entire financial picture, as well as harness the competitive marketplace, enable them to make timely and well-informed financial decisions, track spending and debt and set and achieve savings goals.
From the perspective of a small business, there are many similar benefits. In particular, small businesses use open banking to provide potential lenders with the ability to see the full financial picture of the small business, which helps simplify the application process, accelerate credit decisions as well as tailoring of loan products and decrease the probability of repayment.
Success of the open banking or consumer-directed banking depends upon a policy framework that encourages continued innovation while simultaneously establishing rules that protect consumers and small businesses.
Specifically, ETA supports developing an industry-led and principles-based framework that promotes innovation and competition among all participants. The goal is to create a positive policy environment that encourages this continued innovation in open banking as well as in other areas. This approach should be product and service-agnostic and done in collaboration with all parties, both private and public sectors. Any guiding principles adopted should avoid creating a barrier of entry to new players. New players are at the heart of what is driving a lot of this innovation. To achieve this, we are supportive of a sandbox or greenhouse approach that allows new entrants into the markets while applying existing regulatory regimes based on their corresponding risk profile.
I would like to touch on three guiding principles that must be addressed simultaneously to strengthen open banking and ensure its success in Canada: consumer choice, privacy and then security and protection of financial information and data.
With respect to consumer choice, access to consumer data is the heart of open banking. The critical point is that consumers must have choice and control over how their data is used and shared.
With respect to privacy, ETA believes that access, use and sharing of financial data must be done with the consumer’s informed consent. In this regard, Canada’s existing privacy framework under PIPEDA is a strong example that can be drawn from.
Under data security, that is a crucial, key point. There is a study that came out today that talks about how Canadians are in favour of open banking, but they are worried about the security of their data. That makes sense both in terms of physical protection and privacy.
As for instilling consumer confidence, ETA supports a security standard that allows for flexibility and innovation, rather than a prescriptive requirement that necessarily favours one security method over another.
A flexible approach will allow any framework to be updated continuously to account for new security techniques.
As we work to protect data, thieves work to try and steal it. The line I like to try and use is that as we build a 10-foot wall, they build an 11-foot ladder, so we must build a 12-foot wall.
We encourage the committee to take a comprehensive approach to the entire issue of open banking. This includes working with other ongoing efforts like the Department of Finance Canada’s new retail payments oversight framework, the language of which we expect to be released shortly, as well as Payments Canada’s efforts to create a real-time rail. Additionally, open banking should work with existing laws and regulations, both industry self-regulation, like the code of conduct, and PIPEDA, as I mentioned earlier.
ETA members are operating globally, in the U.K., Australia, Japan and Singapore on this issue. We stand ready to provide our thoughts, expertise and guidance on what works and doesn’t work in other parts of the globe to help Canada build the most robust system for Canadians.
In conclusion, Canada should carefully consider implementing a principles-based governance framework led by the market which protects consumers and small businesses and allows them to enjoy all the benefits of open banking, as well as other developments in fintech space. I appreciate the opportunity to testify and look forward to your questions.
[Translation]
Blair Wiley, General Counsel and Head of Regulatory Affairs, Wealthsimple Financial Corp.: Good morning ladies and gentlemen. My name is Blair Wiley, and I am the general counsel for Wealthsimple. Thank you for the opportunity to speak with you today.
[English]
As Wealthsimple is a relatively young company, I will provide a little background on who we are and what we do. Wealthsimple is a leading financial technology company or fintech company based in Toronto. We deliver our services to clients primarily through our mobile app and website; however, we also place great emphasis on offering clients the option of speaking to an adviser whenever needed.
Our services are used by over 120,000 Canadians, approximately 85 per cent of whom are aged 45 and under. We have also leveraged our innovative technology and product design to expand to the United States and to the United Kingdom.
Wealthsimple’s mission is to enable everyone to achieve financial freedom. We do this by offering financial advice and services that are accessible to all Canadians. We promote accessibility in a few ways. For example, our products are low-cost, easy to understand and readily available online. We believe this is essential for helping Canadians adopt prudent financial behaviour.
One of our core company values is “Do What’s Right for Each Client.” We work hard to ensure that every product we build and every regulatory initiative we support, be it the open banking proposal that we’re discussing today or the client-focused reforms proposed by Canadian securities regulators in recent years, meet that high bar.
We believe that open banking complements our values and mission by enhancing consumer rights around the control of their financial data. Greater control of financial data will in turn provide Canadian consumers with greater choice of and better access to high-quality financial services.
As a rapidly scaling technology company, we also recognize that open banking can be a catalyst for Canadian innovation. In this moment, Canada has all the ingredients to become a global leader in fintech. Canadian banks have tremendous scale, both in Canada and abroad, and can be supportive partners to growing fintech companies. Canada also has a significant concentration of world-class talent, both technical and financial, and a supportive venture capital funding environment.
In our view, Canada should be a creator and exporter, rather than an importer and consumer of innovative financial services. With respect to open banking, we believe the government should develop and adopt a bold regulatory framework while there is still an opportunity for Canada to be a global leader in this space.
Competition is fierce and global. Many jurisdictions offer supportive regulatory regimes and other incentives that enable fintech companies to rapidly grow and flourish. If we delay, the opportunity for open banking in Canada will pass us by.
I’d like to take a moment to speak briefly about a specific benefit of adopting an open banking framework that we’ve observed firsthand from our consumer interactions.
Currently, if a Canadian banking customer wishes to make use of their financial data or share it with a third party like Wealthsimple, the process is inefficient and cumbersome. Customers often must resort to using paper statements or downloading and exporting files. In response many companies, including Wealthsimple, have attempted to automate access to financial data using aggregation technology as others on the panel have discussed today.
Clients expect this convenience; however, the use of data aggregators is an imperfect solution. They have higher failure rates that we’d like because they depend on disparate third parties — banks — for the data and many banks do not have technology interfaces that are designed to efficiently handle these data requests.
The difficulties that we face enabling clients to share their financial data with us in an efficient, frictionless manner is one of the most significant hindrances to the growth of our business. It limits the types of products we can develop and offer to Canadians.
In an open banking system, these limitations could be addressed through standardized data elements and APIs so that customer data could be shared in a much more secure, efficient and reliable way. This would be doing what’s right for each client.
Ultimately, we believe that the adoption of an open banking framework presents a significant opportunity for Canada. Both the government and industry must proceed with urgency and ambition if we want to capitalize on this opportunity for Canada. In particular, the government can play a key role in setting high standards and, most importantly, efficient timelines for open banking adoption.
I’m grateful for your time today, and happy to take any questions you may have.
The Chair: What an outstanding panel you have been. Very interesting.
Senator Stewart Olsen: Thank you all for your presentations. I don’t know if you were able to catch the presentation by the Australian members yesterday evening, but for me it was extremely beneficial for me to understand the whole thing about fintechs and open banking. Their approach is quite different from the U.K. and the rest of countries looking at this. I must admit, I think it answered a lot of my questions about protection to consumers.
They are going into this whole area with the thought that the consumer protection — and they should get into it because it’s a coming thing and without that, consumers will drown. They compared it to a lifeguard on a beach and people out swimming in the water and they don’t really know what’s happening, which reflects me, totally. I like that approach better than what’s been discussed.
I wonder if you could quickly comment on that, Ms. Thompson, and then I have a question for Mr. Boms.
Ms. Thompson: I’d be happy to.
The Australians have adopted what’s called a consumer data right and it’s broadly some of what we’ve been talking about here, the idea is that an individual consumer has the right to control their own data. Aspects of that are part of what is under consideration here. The difference there is this is intended to be a broad right across all sorts of consumer data, and the Australians’ approach was to turn to the financial sector and say we’re going to start somewhere and we’re starting with you. It could potentially include utilities, transport, telecommunications, wherever the Australians choose to take it. You’re right, they did come at it a little differently.
An open banking or a consumer-directed banking regime in Canada, and we’re talking right now about the data aggregation principles, is a piece of that. It does have elements already with privacy legislation which is similar to design in what we see in Australia. In both cases, amendments would need to be made to federal and provincial legislation here and the Australian equivalent. It’s worth it to bear in mind that our privacy legislation doesn’t currently have what’s a data portability right. You and everybody in this room has a right to access personal information held by a company, but you don’t have the right to instruct the company to do anything. That’s called data portability and that’s the foundation of the data rights we’re talking about here.
The privacy legislation at the federal level is also fundamentally a consumer-protection legislation. It didn’t contemplate when it was passed about empowering consumers and that’s the next step the Australians have taken.
Senator Stewart Olsen: Thank you.
Mr. Boms, I may have been mistaken, but you mentioned screen scraping and I kind of raised my eyes. I may have misheard you because it sounded like it was an okay thing. Can you explain what you meant there?
Mr. Boms: I thought that might have spurred a question. I’m happy to and thank you for the opportunity to put a little bit more context into it.
Generally speaking, and FDATA represents aggregators and what we call use cases, so the companies that provide their services directly to the consumer or to a small business. Across the board FDATA members will tell you that screen scraping is an imperfect solution for a number of reasons. First and foremost, the reliability of screen scraping to get access to the data, compared to other ways of getting it like APIs, is relatively low. Financial institutions don’t like it for a number of reasons having to do with transparency, the drain on their systems, the list goes on and on. Of course policy-makers hear that part of it depends on the consumer giving their credential to a third party, and that raises some privacy concerns.
That said, I think we need to realize that the only way today to get access to the data and to use the tools that at least 3.5 million Canadians today use, those are the ones who use FDATA aggregated services, the only way for them to use those tools is through screen scraping; there is no other method. So if we’re going to say we’re turning screen scraping off, what we effectively are saying is we’re not going to allow those Canadians to keep depending on those tools.
Our position is simply: Are there more efficient, faster, frictionless ways to get access to data? Absolutely, and APIs are one of those ways. Until we can get data parity, in other words, until we can get all the data that is currently available to these use cases through screen scraping available through some other way, realistically our view is we have to allow screen scraping to continue.
I would just add — and I could go on for hours about this I’m sorry — this was an issue that came to a head quite a bit in Europe as they contemplated PSD2. Ultimately where they landed was to say screen scraping is a fallback option. This is how it’s considered under their regulatory technical standards, meaning if the APIs required by the banks, or whatever other way they’re getting data, are not reliable up to a certain standard — the standard they’ve chosen to use is as reliable as the bank’s native online banking experience or better — then a firm is permitted after some period of time to screen scrape to get access to that data. In fact it does two things. Number one, it ensures the consumer maintains access to their data for whatever use case they’re depending on; number two, and perhaps more importantly, it creates a very important incentive for the financial institution to keep the API, or whatever other access methods they’ve built, reliable and dependable because they, like the rest of us, would prefer that the data get used or consumed through the other method.
Senator Stewart Olsen: Thank you for that. That’s clear. Are you suggesting then that perhaps most fintechs that are starting up, for instance, Mr. Wiley’s Wealthsimple, are using screen scraping at the present time?
Mr. Boms: Yes, in the absence of any other way to get the data, that is the only way to get access to the data. As you heard from Mr. Wiley, the only way that fintechs can get access to the data is the way the bank either makes it available or doesn’t.
Mr. Talbott: If I can just add briefly. There are private solutions and a number of large financial institutions and large data aggregators have formed or signed bespoke contracts that allow the data to be shared outside of the screen scraping. They have APIs, for example, but that is on a private one-on-one basis and not on a country-wide basis. So the threat or downsides of screen scraping serve as an impetus for trying to create a more modern system that —
Mr. Wiley: I will add we do use screen scraping technology. It’s very important and I’ll give you a use case example. One of the products we offer is a service called Roundup. Roundup allows consumers to elect to round up their transactions to the nearest dollar and deposits those small balances into a savings account. We find it’s one of the best ways to help Canadians who don’t have a lot of money to invest to still start those healthy behaviour habits of investing maybe $5, $10, $15 a week which are really those roundup transactions of their daily spending.
The only way that we can actually offer that service is to connect to banks to actually see what the transactions were that occurred over the course of a week. As others on the panel have mentioned, currently our only means of connecting with banks is using those screen scraper technologies. It is still a constant challenge, but the demand is there.
The other thing I would say about screen scraping is it’s not even universal, in that there are many credit unions and smaller financial institutions in Canada where the aggregators don’t have those sort of ready access to connections. So our Roundup product works really well for clients of the big five banks, not so much if they’re a customer of a smaller credit union. It does not have that same sort of access.
The other thing I would say about the screen scrapers is while it’s far from perfect, the alternative which is a very slow and manual and high-friction process is far worse, both for us and for our consumers. The data is even less reliable and less secure, and we struggle to actually automate and scale in an efficient manner if we relied entirely only a manual process.
I would echo the view of Steven and others that until we have a new standard of APIs, or other secure transmission technology that is rolled out industry-wide, we’re left with no choice but to continue to improve and strengthen the screen scraping technology in an efficient and secure way.
Senator Stewart Olsen: Thank you. I apologize for going over my time.
The Chair: That was a very informative line of questioning, senator. Thank you very much.
Senator Wallin: Thank you all for being here. We have, as you have heard, been looking at this issue through the eyes of the Brits, the U.K., and last night an extensive discussion with the Australians, with their ideas that seemed very appealing to us. So we talked about control versus ownership of data, and they, of course, opt for control because you can’t really own in that sense. The notion of the data right, they basically argued that you need legislation to assert that right and you need criminal sanctions if that right is breached. That is the only way to make this work. Do you agree? Go ahead, Ms. Thompson.
Ms. Thompson: Let me take those one issue at a time. I agree that there is a distinction between a right to control your data versus a right to own data. Personal information, which is a subset of data writ large, is not capable of ownership. The rights that you and I have right now are the ability to allow people to use it in certain ways or to deny the consent to use that, and that’s really the extent of your rights. There are all sorts of enforcement and other aspects, but that’s what we’re talking about.
Ownership is a framework that we’re all very familiar with, but it really is about a property right. When you’re talking about widgets and pencils, it makes a lot of sense. I have a number of colleagues who deal in intangible things, and we’re talking about copyright and trademark and ideas and thoughts and patents. The two concepts between personal information and what’s called intellectual property rights don’t necessarily merge. We have to be very careful about where we draw the line between the two of them. It’s possible to take personal information, on the one hand, and transform it into something on the other that is capable of ownership; that, I think, will need to be discussed at length.
Those that invest energy into transforming personal information to something capable of ownership obviously are investing that energy because they want the returns from that ownership. But that is a separate issue from what we’re talking about today which is about personal information.
Senator Wallin: But I don’t think the core concept differs at whichever stage that information exists. If it turns into a good that you can sell or offer to a company, your own data for their marketing or sales purpose, that’s separate. The question is really: Should we have a data right? Should that be enshrined in legislation? And should there be criminal sanctions if it’s violated in whichever form on that spectrum?
Ms. Thompson: Following up on that piece of it, the current privacy legislation in Canada would need to be amended to recognize what I’ve called that data portability right, and that’s what you’re referring to, so an amendment would be an issue. Our current legislation has all sorts of rights and processes around that current regime. Should this stray into the criminal element of that? I don’t know that criminal sanction is necessary. We have robust regulatory regimes across Canada. We see it in security legislation; we see it in the competition bureau. The current model for the Privacy Commissioner is an ombudsman model. I know this is under review. I think it’s well worth looking at a review to determine what sort of coercion, nudging or enforcement mechanisms are necessary in this regime that comes with a new right.
Mr. Boms: I’m also not going to directly address the criminal component because I don’t think I’m qualified to do so.
Senator Wallin: In fairness to them, they said they hoped not to use it. It was there to incentivize behaviour, not punish behaviour.
Mr. Boms: That’s the key. That’s what I’d like to spend more time on.
The best way to think about opening banking is as a competition initiative. Really, open banking in this conversation exists because there are market disincentives for the holders of the consumer’s data to provide access to that data from third parties who are offering many of the same services that the holders of that data are offering, but with different user experiences.
What we have seen in other places — and Australia is obviously contemplating their own journey — is the creation of ways that the regulator or some type of public-private partnership can enforce the standard for data portability that has been asserted in that geography. The key here from FDATA’s perspective is this is precisely why — although Scott mentioned some bilateral agreements where scraping has been pushed to APIs, or other ways of getting data — in the long-term, we don’t think bilateral agreements work. The way that one agreement with one financial institution and one aggregator treats data, access to data and remedies if data is not permitted access to versus the way another aggregator and another financial institution treat that same data will be disparate. That means a consumer who has no line of sight into that bilateral agreement doesn’t know what data they’re entitled to make portable; and doesn’t know what remedy they have to them if that data portability has been breached. So you end up with an unlevel playing field for different consumers, based on which providers they choose and what bank they do business with.
Fundamentally, there must be some mechanism to endorse a data portability standard, but it must be universally applied and easily understood by all players and by consumers such that they understand what remedies they have available to them if something goes wrong.
Senator Wallin: I’m still searching for kind of a yes or no on this. Do you think that we should have a legislative definition of “data right,” as the Australians are pursuing, with consequences if it’s breached? We can debate what the consequences might be.
Mr. Talbott: That question can’t be answered as a stand-alone question. You need to answer that question as part of the overall structure. I don’t think our companies are prepared to say it should be a right at this point. You need to know what the entire package looked like in terms of data control, liability, privacy and security. The whole package together must be considered.
Some changes need to be made to Canadian law to update them to account for these products or services, but at this point we’re not prepared to say it needs to be a right necessarily.
Mr. Wiley: Without speaking to whether criminality is the right route to go or whether there should be an enshrined right, my observation on the Australian approach is really that they are addressing the significance and severity of the current system, which does not enable consumers to readily port their data between various service providers and the consequences to consumers. We see Canadian investors all the time who have been sold high fee investment products and are paying far more than they should be relative to the service they’re receiving and Canadians who have money sitting in a chequing account but are also carrying a large Visa balance with high interest rates accruing.
Service providers should be helping Canadians to make more informed decisions about all of their financial behaviours. Banks have a profit motive like every other business. That’s perfectly fine, but if new entrants can come in and have strong access to a complete financial picture of an individual consumer, they can help that consumer whether they have bank accounts at multiple institutions, savings across multiple institutions, mortgages and loans across other institutions. If an aggregator can access a comprehensive, accurate, up-to-the-minute picture of that person’s financial information, they can help people lead to much stronger financial outcomes, which will be, as we say, core to the ultimate mission of financial independence.
I think the lack of a kind any sort of hammer or stick that will actually force banks to provide that sort of ready access to aggregators is something that the Australians have tried to address through severe penalties because they see the downside risk to consumers.
Senator Wallin: Indeed. Thank you.
Senator Klyne: Welcome to the panel, and thank you very much for the interesting dialogue and information. My questions are for anyone on the panel. It’s kind of a two-part question.
Please explain to the committee who pays. Who profits in sharing customers’ data? How is the sharing of customers’ data being monetized?
Mr. Boms: It depends entirely on the use case we’re talking about in terms of how the service is paid for. For example, some use cases are in the robo adviser space. In those cases, there can be a transaction fee per trade, or a percentage or a management fee, similar to any other brokerage. If there is an automated savings application, that might be a monthly fee. In each case where the consumer pays, it is typically disclosed and agreed to by the consumer as part of the consent to onboard that application.
Through that supply chain, typically as you’ve heard, there is an aggregator that sits in the middle and can be thought of as the pipe between that use case and the bank where the data is held.
The typical aggregator model is that the use case pays the aggregator a fee for building the pipe to get access to the data to which the consumer has consented. Generally, that is the way it works. There is no hard and fast rule with regard to how a use case makes their money from the consumer. If they’re providing a service, typically they’re assessing some type of fee from the consumer in some way or another.
Senator Klyne: There are substantial upfront costs getting to the implementation stage of open banking and regulating the same. How would those significant start-up and implementation costs be distributed among stakeholders? Who will pay for the ongoing administration of a regulatory framework?
Mr. Wiley: If I may, senator, I think that’s an excellent question and one that requires careful thought.
Coming at your question about cost in a different manner, the current model carries very high costs. For us at Wealthsimple Financial Corp., we have a large number of people who must undertake manual processes of reviewing client information when it’s provided to us in one of those old-fashioned ways of downloading data and providing it to us and having us reconcile across multiple institutions. There is a significant cost to the industry currently of continuing to operate with very legacy systems and approaches to data sharing.
While I certainly acknowledge that for some institutions there will be a significant upfront cost to adopt an open banking framework, I believe that longer term there is considerable opportunity for cost savings and greater innovation that will actually bring costs down by the more automation of what are today manual and sometimes imperfect processes.
I think it’s important to take into account both those initial costs, which is an important factor, and also longer-term savings and opportunities for much more efficient service delivery to clients.
Mr. Talbott: Responding to your question, senator, ultimately the costs, short and long-term, will be borne in the price of the products and service. That’s the way economies work. I think that factor is key. I agree with Blair that the benefits will outweigh the costs in the long run in savings that consumers will see through increased competition in the marketplace. That is, the ability to see what various competitors are charging and the ability to lower your interest rate or receive a higher interest rate on your savings account.
Ultimately, all the costs are borne in the price of goods and services. That’s a key feature to keep in mind when we think about what role the government should play, because government regulation is the cost and so the goal here is that if we can create a principles-based system that is led by the industry, then they will search for the lowest cost to implement it. If you impose unnecessary, premature or excessive government regulations, that will have a cost ultimately borne through the system.
Senator Klyne: Is it the shareholder or the taxpayer on the regulations for the regulatory costs? Who is paying for the ongoing administration of the regulatory costs?
Mr. Talbott: In the end, that’s borne in the price of goods and services paid for by the consumer and small businesses. The shareholder.
Senator C. Deacon: Ms. Thompson, I was impressed with the phrase you used, consumer-directed banking. I think that’s a very important thing to think about. But specifically in today’s world, where it’s opt out with our existing financial institutions. Am I right in hearing you say that consumer-directed banking is more opt in with the approach that we would be taking? Consumers opt in to choose to have their data shared?
Ms. Thompson: That’s correct. The current legislative framework around privacy requires consent of an individual. That consent could be opt in or opt out. The type of consent is driven by the context and the sensitivity of the information. Sensitive information, such as medical information and financial information, will generally require an opt in consent. So if a financial institution has 300,000 customers and unveils a consumer-directed data initiative, those customers will not be automatically enrolled in it. They would be told it’s available. They would be told about the benefits of it, some of the risks of it and then they could opt in.
Some jurisdictions have standard language about what that consent would look like.
Senator C. Deacon: An important clarification. Thank you very much. I appreciate that.
Mr. Boms, in terms of the transition. In clarification to Senator Stewart Olsen’s question, I heard you saying that screen scraping would be a transition period, but you see it as an ongoing tool, which I think is really interesting. Very important.
Are there differences in terms of standards or obligations on those who utilize screen scraping in the way you envisage it as an ongoing basis? It’s a backstop, basically.
Mr. Boms: Thank you, senator. That is a good question.
Yes, there are ways to implement it. In Europe it’s called screen scraping plus. Additional transparency elements that make screen scraping less opaque, more visible to the financial institution and to the regulator. Importantly, in an open banking system, even if we’re using screen scraping as a fallback option, let’s say the APIs haven’t worked, we’re still talking about a regulated third-party provider who is accessing the data under the liability regime we all agreed to establish under an open banking system that is committed to making consumers whole if something has gone wrong. So there are a number of things we can do to make sure that screen scraping, if it must continue, is safer and well managed.
Senator C. Deacon: Than the unregulated environment today. Thank you.
Mr. Talbott, I love the idea of greenhouse versus sandbox because you’re nurturing both. I love that as a concept, thank you. Some people in Ottawa have noticed that there’s going to be an election this year and it’s changing the environment in terms of what we can get done legislatively in this city to move this along. It’s going to change the time frame of it.
To what extent might your greenhouse concept enable us to make recommendations that specifically allow progress to continue while there isn’t room for anything on the legislative agenda to enable change?
Mr. Talbott: Two things. One, creating an overall environment that encourages fintech. Whether that’s done through formal rule making or informal memos and staff briefings by the regulators to signal to the industry that we are willing to work with you, to encourage you to attract capital or jobs. Both can and have been utilized in other policymaking bodies. With respect to opening banking, you need to first build the structure before you can create it. You have to understand it before you legislate it.
Senator C. Deacon: So providing certainty and confidence.
Mr. Talbott: Creating a positive policy environment is an important thing for fintech.
Senator C. Deacon: Mr. Wiley, I was a broker for 10 years back in the 1980s and I remember the obligations around your client, disclosure and licensing.
You have to follow all the same rules as any other financial adviser group.
Mr. Wiley: Correct.
Senator C. Deacon: I like the whole client perspective that you spoke about. Do you have examples for us of how machine learning — machines are way smarter than people and more consistent than people, so we can constantly advance our system. Well, more than me for sure. I apologize, chair.
I see huge advancements in the company I’m involved in. We took a $10,000 item, and it costs $25 as a result. Do you have examples that you can provide us that shows the benefits to consumers? I think you spoke about one rounding up, but just in terms of the order of magnitude, the benefit that consumers are receiving as a result of the fact that you’re implementing more of a consistent, machine approach versus an individual. That does have the benefit of potential advisory services, personal advisory services, but the sort of order of magnitude of benefit that consumers can achieve.
Mr. Wiley: Thank you, senator. It’s an excellent question. There are really two angles that influence financial outcomes. One is the performance of the markets and interest rates, whether the stock market is increasing or decreasing, and the other is financial behaviours.
No one in this room can influence whether the market goes up or down. We all hope it goes up, but all of us can influence financial behaviours. The way that we approach your question is how, as a company, can we use new tools, new ways of communicating with clients and new types of services like the roundup service that I mentioned encouraging clients to adopt healthy behaviours like contributing to a savings account or investment account on a monthly basis, rather than waiting for some bonus or windfall that may or may not come?
Adopting those healthy behaviours of consistent investing over time is, we think, the best way to help people achieve good financial outcomes, good health outcomes too. So we kind of design all of our products and services around frictionless, easy ways for people to invest and save. The more information, the more efficiencies that we can provide, the better.
Senator C. Deacon: Thank you.
Senator Tkachuk: I have two questions. I’ll try and make them quick.
Doesn’t it always start this way? When I hear all of you speak and talk about the fact that it’s secure and you don’t have to worry. That’s the way it always starts. It used to be, your social insurance number, you and income tax had it. No one else had it, so they could protect your income tax records. Now everyone has it because people say if you want to rent an apartment, I want your social insurance number or else we won’t rent you an apartment. So your social insurance number became almost like your name except it had more personal statistics.
I’m sure that Facebook, when they started, didn’t know the potential revenue that they would be able to accrue once they started accumulating all this information about people. I’m sure Google was the same.
Now these organizations know everything about a human being that can be known. What you buy, what you watch, what you purchase, your personal habits, your health, and they find a way to monetize it. Well, good for them.
So in your case, Mr. Wiley, I’m trying not to be old-fashioned here, really, but I am.
You’re going to find ways to monetize future things that you haven’t even thought of. How do you protect the public from that? Because by this time, all the financial information that I would have, or any consumer would have, would all be in your account, and you’re going to find new ways to use it. How do I know what you’re going to do with it? I have no idea what the future holds; I only know what the present holds.
Mr. Wiley: That’s an excellent question, senator. Data is extremely valuable; there’s no question. Companies like Facebook and Google have become billion-dollar global juggernauts because of their ability to leverage data. I think there’s a fundamental difference when we’re talking about regulated financial services. We are registered entities. To Senator Deacon’s comment, we have to do the same processes as an online adviser as any traditional entity would, and we have to be extremely careful to disclose all the fees and all the ways we earn revenue from client activity.
I think financial services are different than the sort of personal preferences that are captured and monetized by the Facebooks of the world. I think with an appropriate regulatory framework and with appropriate behaviour by industry, we don’t necessarily need to go down the same path of clients actually being exploited through this framework. In fact, I think the opposite will happen and that clients will have far more visibility into all their products and services, how much they’re paying, where they’re paying too much, and where they can be reallocating their assets to actually result in better financial outcomes.
Senator Tkachuk: Kind of running their lives?
Mr. Wiley: That’s right.
Mr. Boms: I want to quickly say that I think you’ve made one of the most compelling arguments for open banking that can be made. We should all agree. We’re not talking about starting something from scratch. The genie is out of the bottle already. There are consumers using this today.
What we’re talking about is coming up with the standards, along the lines of what you’ve described, for how the data can be used, what the consent should look like and what the protections should be, for just that reason. Will they have to be modified and modernized as time goes on and more use cases are discovered? Absolutely, they should be, and we should know that going in. That’s precisely the reason why we think it’s so important to come up with these rules now. There is a lot of ambiguity today, and so we should solve for it.
Senator Tkachuk: He’s very good, because that was my second question: What does the government have to do to achieve this?
You talked, Mr. Wiley, about a bold regulatory framework. What does the government have to do to achieve this, and what does the oversight look like?
Mr. Wiley: I think setting standards, preferably standards that are already being worked on — and Steven and Scott have lots of global experience in their respective organizations on what standard-setting looks like in other jurisdictions — and allowing standards to flourish in Canada that are consistent with global initiatives is very important so that Canadian businesses can develop technology here and then expand outside of Canada. That’s one really great thing, and government has a role in influencing standard-setting.
Most importantly, we believe government has a role in setting an urgent agenda to move this forward. There will be a tendency among some industry stakeholders to want to take this very slowly, to say, “Yes, we support open banking, but let’s be cautious and do this the right way and really be careful.”
We understand that, but certainly, as a fintech company that is still pre-profit and scaling at a rapid pace, we do not have the time to wait for years to unfold for this to happen. We really need to move quickly.
I think there are a lot of things regulators can do today to encourage that urgency for the industry to move quickly on this.
The Chair: Very good, Senator Tkachuk. In fact, you’re not old-fashioned; you have shown that you’re actually very forward.
Senator Tkachuk: I am forward.
Senator C. Deacon: Mr. Boms, I would like to clarify one number you mentioned in your testimony and give context. Did you say 3.5 million Canadians are already using screen-scraping data?
Mr. Boms: Using FDATA member company technology-powered tools, so through aggregators, which would necessitate screen scraping.
Senator C. Deacon: So the genie is out there?
Mr. Boms: It’s out there.
[Translation]
Senator Dagenais: I’d like to revisit the matter of fees. I’ve never seen bank fees go down. That’s completely untrue. You’re saying that the system will absorb the costs, which means that they will eventually be passed on to the end user, the customer. Of that, I have no doubt. Not to mention the fact that the service provider will want to make a profit as well, just like the banks. What that means is that, at some point, whether transparent or hidden, the costs will filter down. One thing is certain, though, costs there will be. Don’t you think consumers need to know at the outset how much it could cost them? If institutions distribute the costs across the board, everyone will end up paying, even those who don’t use the service. You can try to convince me that the service won’t have any fees attached, but I firmly believe that it will. Can you tell consumers now what the new technology is going to cost them?
[English]
Mr. Talbott: Senator, it’s a great question, and there are a number of questions embedded in there. I have a couple of points to make.
Standard market forces are that the cost of any goods and services — whether that’s financial services or a pair of jeans or a cup of coffee — that the cost of goods is built into the price. I’m not lecturing you; just so you understand how the market forces work. The cost of providing the service gets added to the overall fee of the goods and services.
I think one of the benefits of open banking is that consumers will be able to see what all the marketplaces or all the competitors are charging for the goods and services, whether that’s an interest rate on a credit card or a loan, or an interest rate on a savings account. That sunshine will increase competition and you will see an equilibrium of all those interest rates, whether it’s the cost of borrowing or the interest rate for savings, and you will see competition. So interest rates or fees should come down as consumers will be able to see what other competitors are charging, and the market will drive business to that individual institution to reward it.
In terms of disclosing the fees, I think currently the way the model works, most aggregators pay the bank or the bank pays a fee. So at this point the fees aren’t directly borne by the consumer. They are paid between the parties that are behind the scenes, making the data exchange.
In the end, the cost of the service, plus any government regulation, will increase the cost, as I said earlier, of the goods and services in general. And it won’t be a sort of set fee. It will just be part of the process; it will be built in.
You may see some institutions — again, under the guise of market competition — saying that if you opt in for data aggregation or consumer banking, here is the fee. I think Mr. Wiley mentioned that his fees are disclosed for their products. You could clearly see that type of disclosure. But disclosure, whether it’s for privacy, or opt in, or how the data can be used, or fees, should be one of the principles that is employed as you look to set policy here — disclosure of fees, so the consumer understands exactly what they are paying for, if it is not embedded into the product or service.
Senator Klyne: I may be looking for an answer to a solution. I’m thinking about the customers in rural and remote Canada without connectivity or with slow connectivity. How will they benefit from this? How can they get served?
Mr. Boms: Senator, there are several ways, I’m sure. One just occurs to me as I think about the question. We should all realize that, in other jurisdictions, some of the key beneficiaries of open banking frameworks are the banks themselves, which are offering technology platforms as consumers, basically, of the APIs, not just the providers of the APIs.
For consumers in rural areas who may not have broadband access or connectivity but have relationships with traditional banks, they would also potentially benefit because those banks themselves might be able to launch technology platforms that the consumer might be able to, for example, go into the branch and take advantage of. Over time, of course, we would hope for more connectivity and the ability to have more choice. Even in the absence of that, I think there are opportunities for benefit.
Mr. Wiley: I would add that while I think broadband access is a high priority and we’re grateful that the government is doing various things to encourage more high-speed Internet access to rural Canadians, there’s an equal challenge that most rural Canadians may have a bank that’s an hour’s drive away or a day’s drive away.
Increasingly we see banks shutting down small rural branches. The same access is perhaps more magnified by relying on traditional bricks-and-mortar institutions.
We believe that there are far more efficient ways to deliver services and provide much greater choice to Canadians through digital means, but of course, the traditional bricks-and-mortar system is equally important, and the two need to work together.
Senator C. Deacon: You talked about things that could happen in this interim period. What could government charge industry with and say, “Look, guys, move ahead. Help us on these elements,” standardizing APIs, whatever it is. What could industry be charged with as a responsibility to keeping this moving in this period where legislatively not a lot can be done?
Mr. Talbott: I think a number of the topics we’ve talked about already. If you’re going to use a principles-based approach, there’s a long list of principles, access, data scope and usability, control and informed consent, whether you authorized payments or not — that’s something we haven’t touched on here — security, liability, transparency. All of those are important areas where, because of a lack of government oversight, the market forces are already driving forward on all of them.
I will be happy to provide, senator, a report on what the industry is doing to show you where they are leading.
At the same time, there are going to be weaknesses. Steve has already touched on some of those. It’s not an industry-wide solution; it’s company-by-company. The largest players are deeply involved, but the smaller players need to be brought along.
The answer to your question is two parts: Substantively there are a number of principles where we can and are leading, but then, how do we get that to the broader space to provide uniformity? The answer to your question is both of those.
Mr. Wiley: Senator, it’s a great question. We’re not a bank. We’re not regulated by OSFI, but many of the stakeholders that would be affected by an open-banking framework are regulated by OSFI.
OSFI publishes guidelines on a regular basis, and they have guidelines for things such as outsourcing, which are central to any financial institution that’s looking at adopting a new partner with a fintech company. Those outsourcing guidelines are very cumbersome and most banks interpret them in the most conservative way, to the point that it’s difficult for a bank to pilot with a fintech company, to try out new technology.
There are ways for regulators to modernize outsourcing guidelines for banks, signal to banks that already spend billions of dollars a year on technology improvements that some of those technology improvements and expenditures, should be oriented towards the evolution towards open banking.
The cost to the industry has been overblown, because the industry is already spending billions of dollars every year to upgrade legacy systems, mainframe computers that are still at the core of many of our products and services.
J.P. Morgan in the United States spends $12 billion a year on technology and investment. Canadian banks are not far behind relative in scale.
It’s not so much about introducing new costs; it’s about prioritizing some of that new investment.
Senator Tkachuk: Mr. Wiley made a point that in many rural communities, you drive an hour to the bank, and there’s only one bank.
The Chair: Fair point. Panel, thank you very much. This has been extremely helpful to us.
I also thank the analysts for bringing this panel together. It is of tremendous value.
Thank you for the preparation you did and for your strong delivery. It’s been very helpful to us.
We will continue our study of the potential benefits and challenges of open banking for Canadian financial consumers, with a specific focus on the federal government’s regulatory role. I’m pleased to welcome the witnesses on our second panel, from the Canadian Association of Mutual Insurance Companies, Normand Lafrenière, President; from Interac Corporation, Debbie Gamble, Chief Officer, Innovation Labs and New Ventures; and from the Canadian Credit Union Association, Athana Mentzelopoulos, Vice President, Government Relations and Member Relations. Thank you very much for being with us today.
I’m going to ask Mr. Lafrenière to start with his statement. And, senators, I would indicate that we must have a hard stop today at 12:30.
Please, Mr. Lafrenière.
Normand Lafrenière, President, Canadian Association of Mutual Insurance Companies: Thank you, Mr. Chair, and good morning.
The Canadian Association of Mutual Insurance Companies represents 78 mutual insurance companies across Canada who insure cars, homes, farms and businesses. We are pleased to appear here this morning on the government’s proposed consultation into the concept of open banking. In fact, we commend the committee in its follow-up flowing from its study last May into several sections of the BIA dealing with changes to the Bank Act.
As the committee may recall, CAMIC raised serious privacy and security concerns about changes to the Bank Act that will allow banks’ customer data to be transmitted to fintechs. We were happy to see that the committee agreed with some of these concerns and concluded in its report on May 31 that further study would be appropriate. Now that the terms of the consultation into open banking have been outlined, we believe that some of the same issues are once again in play. It will not surprise you, but we as members of the insurance industry still hold the same concerns today.
There are two rubrics we would like to mention for your consideration. The first is a general one, and the second is an insurance-specific one.
The first one deals with the issue of privacy. It’s clear to us that privacy issues appear not to have been adequately considered, neither in the budget bill nor in the consultation. The Privacy Commissioner himself noted this point in his submission on the matter last May. He added that he wasn’t even consulted on the proposed legislative changes that enable the open banking consultation.
I apologize, but I believe that we will leave this committee with more questions than answers: What privacy standards apply to fintechs or APIs? Would they fall under PIPEDA or provincial regimes? Who would enforce these standards and who would decide which standards apply? How does a consumer provide informed express consent for their banking data to be shared? How does a consumer withdraw this consent? What happens to the bank data once it is in the hands of fintechs? How does a consumer know which fintechs or APIs have their data? Who owns the banking data? And, perhaps more importantly, who controls this banking data?
Canada’s banks, thanks to our robust banking regime, have very stringent privacy standards. They spend billions on security, privacy and data and even they get hacked. How will a small start-up fintech match these standards? These, we believe, are the big-picture questions facing the consultation and yourself as legislators. When departmental officials appear before you, we would urge you to ask them specifically how they propose to deal with each of these issue, I have just mentioned.
As far as our specific interests, we are concerned that an open banking concept could undermine the long-standing prohibition barring banks from engaging in the insurance sector. This long-standing prohibition, supported by governments of all stripes, is in place to protect consumers of insurance from credit-granting institutions coercing them into buying an insurance product that is not appropriate for them. We know that the department has committed to ensuring that any open banking framework does not undermine this legislative prohibition, even inadvertently.
Currently banks are prohibited from using in any way their data to underwrite an insurance policy or transmit this data to any insurer, agent or broker for insurance purposes. The Bank Act is clear on this point. Once fintechs become involved in insurance, how can we be certain that these legislative and regulatory prohibitions will not be eroded and eventually disappear? Given that the regulations are many, even most fintechs will fall under provincial jurisdictions. How will the federal government be able to ensure that this does not happen?
As I mentioned, I believe that we are leaving this committee with more questions than answers. However, we would like to offer a few principles that we believe should guide your deliberations.
Banking data should be controlled exclusively by the consumer. Consumers should provide informed and explicit consent for any of their data to leave their bank. The federal and provincial standards of privacy protection should apply to all participants in the supply chain, including fintechs. Privacy regulations should have the mandate and required resources to enforce privacy standards. And any open banking framework should continue the legislative and regulatory prohibition of the use of consumer banking data for insurance underwriting purposes.
I thank you for the opportunity to appear, and I’m open for your questions.
The Chair: Thank you very much, sir.
Debbie Gamble, Chief Officer, Innovation Labs and New Ventures, Interac Corp.: Good morning. Thank you for the opportunity to address this committee. My name is Debbie Gamble, and I lead the innovation practice at Interac.
For my opening remarks today my goal is to share with you information on Interac, who we are and what we do, as well as describe how we can contribute to government discussions on open banking based on our experience.
Many of you will know Interac already. Like millions of Canadians each day, you may use our products and services to withdraw money, pay and transfer funds with security and convenience. But you may not know that Interac is 100 per cent Canadian owned and operated. While we manage one of the world’s only ubiquitous domestic debit networks, we are much more than a payments company. We are also a secure digital information exchange.
What sets us apart is not only our Canadian roots, but the trust we have established with Canadians over our 35-year history. Through our suite of products, including Interac Debit and Interac e-Transfer, we facilitate millions of transactions each day. Last year, Canadians made 6.6 billion transactions, moving over $400 billion in value across our secure network. As part of our ongoing commitment to innovation, Interac is focused on how we can help Canadians and small business owners transact digitally with confidence across a variety of devices, platforms and services.
Interac supports the concept of open banking and we agree that it can deliver meaningful benefits to both financial service providers and Canadians. A well-implemented open banking platform can help to foster long-term innovation, provide Canadians with greater choice and control over their data and serve as an important step towards the connected economy of the future. A sound open banking framework could also address and mitigate existing privacy and security risks in current data-sharing practices, such as screen scraping.
We believe there are three key considerations to open banking: One, enhancing protection and trust for Canadians, to make sure their personal, financial and digital information stays safe, secure and private; two, ensuring fair accessibility to the open banking system; and three, designing with practicality and efficiency for Canadians in mind.
A properly architected open banking framework can allow Canadians to better manage consent, enabling them to utilize innovative products and services without losing control of their data and security. We see key opportunities that will help enhance privacy and enable secure access to online services, such as the use of digital ID in banking, government and money movement capabilities.
The success of open banking will also be dependent on the participation and adoption from industry, including large and small financial institutions and fintechs, as well as Canadians themselves. It is important to design a system that is fair and accessible for all industry players.
For Canadians, there is a need to provide education to help them navigate open banking so they are in a position to make informed financial choices, based on their rights and risk appetite.
This is not a one-time investment, but must be ongoing if we are to encourage broader adoption and help Canadians benefit from the use cases that open banking enables.
Lastly, Interac believes that designing an open banking system with practicality and efficiency in mind will be pivotal to the success of the open banking regime. This includes putting Canadians at the centre of its design and thinking through implications from an end-user perspective as the principles of open banking are defined.
Interac sees the federal government playing an important role in managing these principles. We are supportive of the government’s exploration of open banking in Canada.
We have the capabilities and we would like to offer our capabilities to assist in those discussions as we look at how to best facilitate the governance, operational and technical experiences within the Canadian financial services landscape. We look forward to further dialogue as the development of open banking in Canada progresses. Thank you.
The Chair: Thank you very much, Ms. Gamble. That was very helpful.
We’re going to turn to our last witness, Ms. Mentzelopoulos, please.
Athana Mentzelopoulos, Vice President, Government Relations and Member Relations, Canadian Credit Union Association: Thank you, senators.
The Canadian Credit Union Association represents the 252 credit unions and caisse populaires outside of Quebec. Collectively, our sector contributes $6.5 billion to Canada’s economy. We have 5.7 million members. We employ almost 29,000 Canadians, and we manage over $225 billion in assets. In 2018, we donated $62.4 million back to community initiatives and projects across the country.
Credit unions are owned by the people who bank with them, and that’s what sets us apart. We are the only banking services provider with a physical branch in 395 communities across Canada. Despite our smaller asset size, we have comparable market share to the big five banks in agricultural and in small- and medium-sized lending. In the Western provinces, credit unions have between 30 to 50 per cent of the market. For example, in Manitoba, one out of every two folks in that province bank with a credit union.
Our sector supports the concept of open banking, but we believe it must be implemented in a way that ensures the safety and soundness of our financial sector. We believe that the development of open banking in Canada must align to three overriding objectives: open standards, coherent regulation and consumer protection.
A well-designed open banking framework, complete with open standards, should give space for smaller financial institutions like credit unions to compete and innovate with the large Canadian banks. Optimally, open banking could enhance consumer choice by increasing Canadians’ awareness of the credit union alternative to banks.
The introduction of an open banking regulatory framework could also have the positive downstream effect of modernizing some of the existing rules and regulations that our sector must comply with, thereby allowing credit unions to operate more cohesively and efficiently. For credit unions, the cost to comply with various regulations at all government levels in Canada is much higher in proportion to the large banks. Anything to bring down this cost would be good for our members and for competition.
We feel an open banking framework implemented in a prudent manner could help achieve this objective. Alternatively, the risk exists that an open banking framework facilitates the entry of new players who are relatively unburdened by existing regulatory regimes, and that could further tilt the regulatory playing field.
While the Department of Finance has its focus on this stage of the open banking implementation on federally regulated financial institutions, as you know, the majority of credit unions are provincially regulated. Considering credit unions provide banking services for 5.7 million Canadians, we believe that provincially regulated credit unions should be able to participate in an open banking environment. Coherent regulation must allow for provincial and federal jurisdictions to work together, particularly to ensure that provincially regulated credit unions are not disadvantaged.
It is imperative that regulations governing open banking have a strong consumer protection orientation. The framework should include rules that protect the most financially vulnerable and technologically adverse Canadians. Credit unions support financial inclusion and share expertise in financial literacy. We have much to offer in this regard.
To reflect on a comment from your last panellist about consumer driven banking, I believe — and our sector would agree — that this requires very well-informed consumers.
We take seriously the fiduciary responsibility of members’ wealth and personal data and can assist in overcoming the threats posed by open banking to ensure a smoother implementation. We believe —
The Chair: Excuse me for a second. Could you speak a tiny bit more slowly? Our interpreters are having difficulty, and we want to hear every word in both languages.
Ms. Mentzelopoulos: Certainly.
We believe the Office of the Privacy Commissioner’s guidelines on meaningful consent should be considered when designing data sharing processes. To mitigate the risk of financial exploitation by malicious actors, a strict consumer centric, regulatory regime is required.
We also strongly believe that digital identity is critical to making digital services safe, secure and accessible. Therefore, development of a robust digital identity system is a necessary precursor.
To those points, credit unions believe a strong certification process is needed for all parties to participate in the open banking ecosystem.
CCUA has been engaging with the Department of Finance about open banking, and we will continue to do so. We have made a submission, to the Department of Finance, and we would be happy to share that as well.
The Chair: Thank you very much to all panellists.
We will start with our deputy chair, Senator Stewart Olsen.
Senator Stewart Olsen: I have two brief questions. I’ll start with one for Mr. Lafrenière.
Do you think it would be more advantageous, should the government decide to go this way, to produce the regulations with any legislation? In other words, we’re not going to wait five years for the regulations to come in so that Canadians, companies and businesses can see the regulations for the protection of consumers before an act is enacted?
Mr. Lafrenière: Absolutely. In fact, the legislation was in the 2018 Budget; it was part of the BIA No. 1, 2018 as well. We haven’t seen those regulations and what they look like. It’s paramount that we do know what’s behind that.
Senator Stewart Olsen: Thank you for that.
Ms. Mentzelopoulos, can you explain to me how open banking would work with the co-op credo of being owned by the people who actually work with co-op or are members of it? How does that work, because it will be people whom you never see? I’d be interested to see what you’ve looked at for your own credibility issues.
Ms. Mentzelopoulos: I guess I would answer your question from the future conditional tense. Primarily, we have a couple of considerations that are at our heart, and we draw some learning from recent events. I was reflecting, in particular, on some of the commentary that we heard back from our members’ members late last year when Statistics Canada made an attempt to collect personal financial information. We heard a very sharp response from our members at that time. They wanted us to work with them to ensure that their privacy was protected.
The lesson that I would draw from that — and it’s reflected in both our comments and our submission — is that consumer protection and consumer education is vitally important. For credit unions, one of the significant linkages there is our long-standing track record in financial literacy.
We also see that there’s a potentially lumpy regulatory environment here. If I think, in particular, of credit unions, I mentioned that we are a sector that employs 29,000 Canadians. We also have a very significant head office presence. We are looking at the potential of competing with entry fintechs who have none of that investment. That creates a challenge for us as well. We would like to see a principle or a framework that places some value on the bricks and mortars’ presence that we have in so many communities, where, otherwise you would have to drive, as you mentioned in the last panel, for an hour to see a bank.
Those are some of the things that we value and we think drive this. We have always been innovators in the financial sector with credit unions. We will be innovators in this sphere as well, but we are looking for a framework that will ensure that there is a level playing field.
Senator Wallin: Thank you for the comments on the credit union, particularly. We keep coming back to that issue about rural and underserved areas, and how this is going to work. We heard some innovative things from the Australians last night in their testimony about when you show up in a remote community, actually having the provider offer tablets for people who don’t have the technology themselves.
But I want to come back to the questions you may have heard me pose earlier to the first panel. This consultation is under way and the debate is under way, but then we see Australia acting, and it makes us kind of jealous that they’re really getting there at this point. Again, it’s kind of a “do you agree or not” with this concept of enshrining a data right in law, in legislation, for consumers, customers and Canadians — and that we, in the second part, need some legislation, not only to assert that right, but to impose sanctios if that right is abused.
We will start with Athana.
Ms. Mentzelopoulos: I’ve had the advantage of being able to reflect on our question for the last hour, and I’m reluctant to give you a straight answer. These are things where we would need to consult with our members, but again, if I can draw from our past experiences, certainly the consumer-driven, consumer-protection bent would suggest that probably is something we would support as an association, if we were to canvass our members, but it is something about which we would have to have a further discussion.
I come back to our role in financial literacy: What do these rights mean, and how far do they extend? Those would be things around which there would have to be an active conversation, and those are the kinds of things we’ve been at the forefront of in the past.
Ms. Gamble: Again, I’m probably not going to be able to answer the “yes” or “no.”
When it comes to data rights, we’ve heard this morning and across the various witness conversations about the consumer at the centre of this. That is a principle of ours at Interac. Whether it’s rights, consumer control or data portability — and I think you probably heard from our Australian colleagues yesterday around the notion of, ultimately, data reciprocity. We would welcome conversations that support those whether that is enshrined in law.
We take a view that we have been very successful as a financial services ecosystem, working across the various players with a principle-based approach. We’re the industry lead. Our preference would be that approach but with consumers’ ability to be able to control their data and with explicit consent at the heart of the matter.
Senator Wallin: Just to put your comments, Mr. Lafrenière, in context, I know it seems nuanced, but control versus ownership. The Australians have come to the position and used the word “control” of information, not ownership, because we can’t. Just keep that in mind if you can answer, Mr. Lafrenière.
Mr. Lafrenière: I haven’t seen what the Australians said yesterday, but we have aspirations that the consumer should own and control their data. I don’t know how we should get there, but certainly under an open banking environment, we should make sure they have access to their data and control it.
I’m not sure if they do under the current regime, but they should.
Senator Wallin: Thank you.
Senator C. Deacon: Ms. Mentzelopoulos, I was concerned about one thing you said; namely, that credit unions not be disadvantaged. I’m looking for ways that credit unions could be advantaged. I’m looking for the upside here.
We talked about the value of bricks and mortar. That’s really important. You said you serve almost half of all Manitobans, I’m sure in a lot of smaller communities. The same is true, I know, in Atlantic Canada.
The question I have is this: Should the value of your bricks and mortar be legislated or innovated? I hope you understand the difference I mean by that.
I concern myself as somebody who really believes in markets, the value of the customer and moving where the customers are going. I concern myself when we look at things through another lens other than that as being the key driving force.
Ms. Mentzelopoulos: If given the choice between legislation and innovation, I will always choose innovation. You would find our sector more in an incremental camp if I can characterize it that way. That’s why I think it’s so important for government to develop a well-elaborated framework that should serve as a beacon for where a largely market-driven solutions should go.
Part of that is not so much the bricks and mortar — although those investments are important, and they’re important especially at this phase where you’re talking about other entrants into this that don’t necessarily have the stickiness of those kinds of investments; it allows them to be quite a bit more nimble. I think, arguably, there was probably at least one of those on your previous panel. When I say incremental, we continue to have a lot of Canadians who are under-banked, and we continue to have a challenge with raising the level of financial literacy. We see some provincial governments responding to that by including it in provincial curriculums.
Even if you’re able to amalgamate a lot of your data, there’s still a lot of mystery to it. I work in the financial sector, and there’s some mystery to it to me sometimes.
If you have a principles-based approach or framework that is going to be aiming for a level competitive field where market-driven solutions are not going to be at the exclusion of some players, then you will allow those bricks and mortar presences to innovate and not wither.
Senator C. Deacon: Ms. Gamble, how is your organization using customer data now?
Ms. Gamble: Interac is made up not only of the large institutions as our shareholders, but includes all the credit unions across Canada, plus some other financial service players. We provide service to our shareholders. Probably the closest area to address your question is around fraud and risk mitigation capabilities. You’ve heard, I’m sure, views around the need for a central aggregation player role. We actually do that to a large extent today, certainly for debit in Canada.
To answer your question, one example of that would be in those fraud mitigation areas. In the banking sector, we have world-class levels of fraud and risk management capabilities on debit, and we do that on a collaborative basis. We use things like predictive modelling and some technology tools to be able to detect potential fraud patterns, and we work collaboratively across the financial institutions, law enforcement and the government. An example of that would be those kinds of services prevented over $78 million worth of fraud losses last year. As a result of those services, we were able to shut down over 4,000 malicious websites.
We offer those kinds of collaborative capabilities for the ecosystem, and we do that among our participants and across some other networks.
Senator C. Deacon: Are you sharing the data with member organizations or just using it internally?
Ms. Gamble: We share it internally and with some of our participants at the aggregate level to help detect those fraud patterns.
Senator C. Deacon: So these are member organizations.
Ms. Gamble: Yes, they’re participants in Interac.
Senator C. Deacon: Mr. Lafrenière, you spoke about prohibiting the use of consumer data for underwriting.
Mr. Lafrenière: Yes.
Senator C. Deacon: Even if the consumers want it?
Mr. Lafrenière: Well, we haven’t had that in the past. We’re there for the protection of the consumer. If the consumer wants their data to be shared in the future with an organization, they are most welcome to share it, but we don’t want the banks to share it for their own purposes. That’s why the legislation is there, it’s to protect the consumer.
Senator C. Deacon: But if the consumer asks the bank to share it?
Mr. Lafrenière: I don’t see why not.
[Translation]
Senator Dagenais: I have two quick questions. Mr. Lafrenière, perhaps you can explain something to me because, as we know, the major banks, including the Desjardins financial cooperatives, sell insurance products and already have our data. Doesn’t that put your members at a disadvantage when it comes to the banks, which are already selling insurance? For example, CIBC sells insurance underwritten by The Personal Insurance Company.
Mr. Lafrenière: The Desjardins group falls under provincial jurisdiction. Under provincial law, Desjardins is allowed to use its banking data to sell insurance. That isn’t the case for federally regulated institutions. That means that no federally regulated bank selling insurance, TD and the like, is allowed to share data collected for banking purposes with its insurance arm. There is a wall separating the two, and that separation is very much respected.
Senator Dagenais: Ms. Gamble, I’d like to talk to you about Interac. I have a little anecdote that is going to make you smile. Interac is a very good system. I’m a technology buff, but I learned the hard way. There’s a limit on how much money you can withdraw in a day, so I was told I should go into the branch. When I got up to the counter, I asked to withdraw money but was told that the bank didn’t have the money I wanted and would have to order it. Sometimes I think technology actually has a negative impact on us, since we can no longer walk into a bank and walk out with cash. I wanted to share that story with you because that’s what I was telling Senator Tkachuk earlier.
That said, I think Interac should acquire new technology. You can test it and make it available to customers. You partially answered this question earlier. I think that if there’s too much personal information, the level of risk goes up. Shouldn’t all the data be held by Interac, which would then control and administer the information? I believe you talked about your robust security system. Adding lots of new technology and data comes at a greater risk to customers.
[English]
Ms. Gamble: Indeed, we have rigorous security and fraud management systems. We also are constantly looking at how to leverage new technology, including some things like predictive analytics, to continue to offer those services. I’d like to try to address your question with two comments.
I’d like to highlight that yes, we absolutely do provide those aggregate level services to our participants, and that is over 300 institutions across the country. It’s not just a small group of entities providing the service. We offer innovative capabilities to be able to look at how those institutions working with us and with other fintechs can continue to provide those services.
I think there was a comment this morning around the notion of sandboxes or greenhouses. We do that through partners with accelerators like Communitech in Kitchener-Waterloo, like Cooperathon in Quebec and like MaRS in Toronto. I wanted to raise the point that not only are we an incumbent, servicing our participants across the country, but we are also a fintech. Last year we were actually the recipient of FinTech Company of the Year, even though we are considered a significant player in the market.
So there is an opportunity for us to continue to leverage our expertise and the experience we have garnered in over 35 years of supporting consumers, small business and our participants.
On the data and privacy point, we are obviously adhering to whatever regulatory framework is required for that. We do that in a number of ways. I mentioned security by design is a core principle of who we are. That means whatever new service we bring to market and offer our participants, and ultimately Canadians and small businesses, we take a stringent approach in looking at data abstraction and other technical capabilities to ensure that data is not exposed. Our fraud practises, which we celebrate as being world leaders in the field and being recognized that way, allow us to ensure that we can provide those services to all Canadians through utility pricing. We are known as a provider of low-cost offerings to the marketplace through the lens of innovation.
Senator Klyne: One question for the credit union and one for the insurance side.
On the credit union side, in thinking about achieving that level playing field between provincial regulation and federal regulation, what do you see as some of the key considerations and potential impediments that might come in the way of those two regulators collaborating so that you have a level playing field?
Ms. Mentzelopoulos: It probably just boils down to the fact that, especially in the provinces, we have, in some cases, fairly outdated legislation. I would look at this as an opportunity, because if it spurs provincial governments to accelerate some of the work they’re doing now — but it tends to go very slowly to update their legislation.
It’s not perfectly relevant, but I will give you an example. In some jurisdictions, credit unions are still not allowed to advise their members of annual general meetings by email. It has to be by paper. So there is still some updating that has to occur for our regulatory frameworks and we hope that this presents itself as an opportunity to accelerate that.
Senator Klyne: How do the banks feel about that?
Ms. Mentzelopoulos: They should be happy for the competition.
Senator Klyne: With regard to insurance, you had mentioned that currently there are explicit restrictions on banks’ business powers related to insurance. For all intents and purposes, banks are prohibited from entering the insurance base if I am correct.
Mr. Lafrenière: They’re prohibited from sharing data between the bank business and their insurance subsidiary, but they’re allowed to be in the insurance business. They’re not allowed to share data.
Senator Klyne: At the point of credit, they also can’t —
Mr. Lafrenière: Exactly. If you go for a car loan or a mortgage, the last thing you want to be is coerced, if I can put it that way, to buy a specific insurance than a product that is more suitable for you. The banks cannot share data with their insurance company. That client is a client of ours. Buying your car or buying a home, they’re looking for a mortgage or a loan, why don’t you sell them the insurance right now? This is the right time to do it before we give them the loan.
Senator Klyne: Enter fintechs into the equation here, maybe as a subsidiary or controlled by a bank. Let’s just talk about open banking in this regard. What are some of the unintended consequences that may arise here that we should be concerned about?
Mr. Lafrenière: Fintechs, first of all, most would be under provincial jurisdiction. If banks are allowed to share data with fintech companies, they can go into the insurance business and therefore do away with the wall between the bank data and the insurance companies. So through the back door, they can get around legislation that prevents them from sharing data right now. What we’re saying is that the intent of the federal government is certainly pretty well intended. They want to maintain that wall under that new open banking scenario, but we don’t see yet how that will happen. I would like to see the regulations, but we haven’t seen them yet.
The Chair: Panel, thank you very much for your presentations. We always appreciate the work that must go into preparing for this, and we also appreciate your presentations and your openness to our questions. We look forward to welcoming you back at another time on another matter.
(The committee adjourned.)