A Review into the Merits of Open Banking
Submission to the Department of Finance Canada
February 11, 2019
The Advisory Committee to the Open Banking Review/Financial Institutions Division
The Financial Sector Policy Branch
Financial Systems Division
Department of Finance Canada,
90 Elgin Street,
Ottawa, Ontario K1A 0G5
Dear Members of the Committee,
Thank you for the opportunity to provide comments on the Department of Finance Canada Consultation Document: A Review into the Merits of Open Banking.Footnote 1
Introduction
- By way of background, the mandate of the Office of the Privacy Commissioner of Canada (OPC) is to oversee compliance with both the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's private-sector privacy law, along with some aspects of Canada's anti-spam law (CASL). The OPC's mission is to protect and promote privacy rights of individuals. As such, our comments will be limited to those issues that relate to our mandate.Footnote 2
- PIPEDA is a technology-neutral law; its application covers the collection, use, and disclosure of personal information in the course of commercial activity regardless of the technology used. It does not have specific requirements for specific sectors, but rather applies to organizations across industry sectors, including financial institutions.
- Our Office supports innovation and innovative business models. As part of this, we have identified the “Economics of Personal Information” as one of the OPC’s strategic priorities, with the goal of enhancing the privacy protection and trust of individuals so that they may confidently participate in the digital economy. Key to this is the notion of maintaining and enhancing individual control over their personal information.
- As Commissioner Therrien has commented with respect to the Government of Canada’s National Digital and Data Consultations: “The digital revolution is causing us to examine some of the most fundamental questions of our time…It is not an exaggeration to say that the digitization of so much of our lives is reshaping humanity. There are lofty ambitions for the power of digital technologies and big data, and its anticipated ability to drive productivity, growth and competitiveness, and improve our lives in various ways. Yet, at the same time, we have reached a critical tipping point upon which privacy rights and democratic values are at stake.”Footnote 3
- Changes in the financial ecosystem, including those related to Open Banking, should prompt a revisit of privacy laws to ensure that privacy and other fundamental rights are not compromised in the process.
Risks to Privacy
Trust and the Changing Character of Privacy
- The OPC recognizes the importance of innovation in encouraging economic growth. Meeting obligations related to information and privacy rights is a catalyst for building trust and increasing consumer participation in the digital economy.
- The importance of trust and privacy as enablers of a fully participating digital economy is also echoed by international fora such as the Organization for Economic Cooperation and Development (OECD).Footnote 4
- The trust needed to allow the digital economy to flourish, and the social license that organizations will need from Canadians to innovate with their personal data, hinges on having an appropriate legal framework in place that puts at the forefront key privacy issues such as those related to consent, transparency and accountability.
- As the Open Banking consultation paper notes, financial legislative changes in some jurisdictions that have facilitated Open Banking have also seen amendments made to privacy legislation, including the European Union’s General Data Protection Regulation (GDPR) which is cited as an example.
- Privacy has become a central issue for Canadians, as we have seen with respect to issues such as Cambridge Analytica and Statistics Canada’s involvement with banking information. This increased sensitivity shines a light on the need to ensure that our privacy laws are meaningfully reviewed to respond to the realities of the digital economy.
- Moreover, our Office has raised concerns related to the privacy implications of financial technology companies’ (FinTechs) business relationships and engagement with federally regulated financial institutions introduced in Bill C-74, the Budget Implementation Act, 2018, No.1.Footnote 5
- Specifically regarding C-74, Commissioner Therrien expressed concern regarding organizations not obtaining express consent and about the need to ensure the protection of sensitive financial information through appropriate safeguards. He also noted that while advancement in new technologies and innovation is indeed desirable and could provide many benefits to Canadians, these objectives must be balanced with robust privacy protections.
- In line with this, in the context of Open Banking, we remain concerned that in order for innovations in the financial sector to be implemented responsibly, there needs to be parallel legislative measures adopted to privacy legislation to ensure adequate protection of individuals’ personal information.
- The regulatory enforcement of certain practices such as the use of big data analytics and artificial intelligence in the financial technology realm is an area requiring more attention. The exact role and extent of automated algorithms in Open Banking will raise privacy concerns to do with transparency and accountability, among others, and can pose challenges for individuals in obtaining access to their information and challenging compliance.
- To better support consumer trust, confidence, and participation in the digital economy, we believe there is a need for strengthened data protection and regulation. Specifically, we call for changes to PIPEDA to confer to the OPC stronger enforcement powers, including the power to make orders and impose fines for non-compliance with the law. These powers should include the right to proactively verify compliance, without grounds, to ensure organizations are truly accountable to Canadians for the protection of their personal information.
- Enhanced regulation of this nature would help bring stability and ensure recourse in this developing sphere, which the consultation paper acknowledges other jurisdictions have done in order to address privacy expectations under Open Banking.
Oversight of Privacy
- In addition to these enhancements, our Office recommends that any policy or legislative framework that is developed to support Open Banking explicitly refer to the existing privacy legislative framework in Canada and that oversight in this realm is exercised by the OPC. While there is the possibility that a number of different regulators may be involved in aspects of Open Banking, there is already an established framework when it comes to privacy.
- Clarity on roles and responsibilities where there may be multiple regulators involved will help to provide assurance to Canadians and reduce potential frictions.
- Although this sector is still developing, activities of FinTechs involving the collection, use and disclosure of personal information are regulated by existing privacy laws. Our Office has concluded this in past investigation findings, and encourages Finance Canada to echo this point.Footnote 6
Consent
- As Commissioner Therrien said before the Standing Committee on Banking, Trade and Commerce on Bill C-74 “Financial information has been held by the Supreme Court of Canada to generally be extremely sensitive. Therefore, we would expect that financial institutions and FinTechs generally obtain express consent from their customers.”Footnote 7
- While we understand that the new European payments directive addresses Open Banking, it also references the need to comply with privacy laws, and specifically highlights the importance of obtaining consent from individuals prior to them engaging in Open Banking initiatives.
- It is integral that both existing and new organizations and business models contemplated in the Open Banking context develop policies and procedures to ensure there is a process for obtaining meaningful consent.
- We recommend that this be done by building these processes in the design phase of new products and offerings, and also in a privacy management program which would require organizations to demonstrate accountability.
- The consultation paper notes that terms and conditions can often be long and confusing. Our Office has developed guidance on consent to address this issue.
- Starting January 1, 2019, businesses, including those in the financial sector, will have to follow the guidelines on meaningful consent developed by our Office.Footnote 8 We will be assessing organizations against these guidelines and expect organizations’ adherence.
- We encourage the Committee and Finance Canada to broadly share these guidelines with their internal and external stakeholders.
Cybersecurity
- The sensitivity of financial information and increased number of players potentially collecting, using and/or disclosing this sensitive information as part of Open Banking means safeguards are increasingly important.
- Our Office recognizes the risks associated with cyber intrusions, and the potential privacy risks for individuals who choose to participate in Open Banking. In an environment where cyber-attacks are a daily occurrence, one cannot overstate the importance of a comprehensive, overarching security framework to protect against unauthorized breaches of personal information.
- Banks, FinTechs, and almost all players in the financial and payments ecosystems have responsibilities under PIPEDA.
- In addition to existing requirements related to the safeguarding of personal information, mandatory breach provisions in PIPEDA, while not perfect, will help organizations enhance security as their mandatory obligations under the law for recordkeeping and reporting will be an important tool to help identify and address systemic issues. Our Office has developed guidance to assist organizations in understanding these obligations.Footnote 9
- Strengthening consumer confidence in the digital economy necessitates a strong cyber security strategy. Consumer confidence can be broken if privacy protection measures are not meaningfully incorporated as part of such strategy.
- The need to ensure that personal information is protected and handled appropriately by the financial sector is becoming even more vital as the financial sector continues to include new stakeholders, expand on business models, and innovate in the digital economy.
- While our Office will continue to advocate for strengthening the breach provisions in PIPEDA, we nonetheless urge the Committee and Finance Canada to remind their stakeholders of these mandatory compliance requirements.
Complex Information Sharing
- Today’s digital economy involves complex information sharing models, much more than we have seen even in the early days of electronic commerce.
- Given the sensitivity of financial data, there should be strict limits on information sharing and consumers should be made fully aware of any sharing in advance of their participating in Open Banking.
- Business models in the digital economy have resulted in complex and seemingly invisible data sharing practices. Without transparency and robust privacy protections, there is the risk of creating consumer confusion and eroding the public’s trust in the financial system.
- While the consultation paper notes the merits of Open Banking, fundamental details related to its implementation remain unclear. As such details are being developed, our Office would welcome the opportunity to discuss proposed plans with Finance Canada insofar as potential risks to privacy are concerned.
- From a consumer-centric position, individuals will undoubtedly want to have control of their personal information, be provided with the opportunity to provide meaningful consent, and know to whom their information is being disclosed, as well as the full uses that are being made of it by all parties.
- Given the multiple parties involved, and the reliance on information sharing for Open Banking to function, it is imperative that accountability be a central component of these new digital business models.
- From an oversight perspective, clear accountability will not only play a role in holding responsible parties accountable for their actions, but may also help mitigate consumer complaints.
- Thus, our Office recommends that issues of accountability be addressed as a priority in any future policy and legislative framework related to Open Banking.
Other
- As mentioned, there are a number of issues that are unclear with respect to how the Open Banking initiative may be implemented in Canada. In the absence of such details, the full scope of potential privacy issues cannot be anticipated.
- For example, from the consultation document it is unclear how:
  - communication protocols will be developed and approved for Open Banking in Canada.
  - players in Open Banking will be approved or reviewed as participants in Open Banking.
  - identification and authentication protocols will be implemented.
- We understand that Open Banking is intended to increase competition and consumer choice. However, there is the risk that many “new” entrants and business models may in fact be part of larger existing companies which could result in an environment where there is perceived competition but instead market dominance, including of privacy practices, by larger organizations. The broader impacts of the potential accumulation of both financial and non-financial data and uses of this data for multiple purposes should be explored further.
- This notion has recently been expressed in a 2019 World Economic Forum (WEF) White Paper on economic dimensions of the fourth revolution which notes “For example, one effect of market concentration is that over time incentives to invest in and provide high quality services, including privacy and variety, decline.”Footnote 10
Concluding Remarks
- The consultation paper calls for comments as to whether Open Banking would provide meaningful benefits to and improve outcomes for Canadians. Our Office notes that, if important privacy considerations are not part of the design of Open Banking, there is a risk that any potential benefits will be significantly diminished for the consumer.
- The best way for Canada to position itself as a digital innovation leader is to demonstrate how we can establish a framework for innovation that also successfully protects Canadian values and rights, including privacy, human and democratic rights.
- As Commissioner Therrien has stated with respect to the Government of Canada’s National Digital and Data Consultations: “I strongly believe that the trust needed to allow the digital economy to flourish, and the social license the government will need from Canadians to innovate with their personal data, hinges on having an appropriate legal framework in place. Yet, when it comes to effecting real legislative change in this context, the Government has been slow to act, putting at continued risk the trust Canadians have in the digital economy and confidence that our Canadian values will be preserved.”Footnote 11
- Changes in financial policy and legislation require updating Canada’s privacy legislation to ensure that consumers and their data are not just viewed as a commodity, but that there is an equal importance given to the treatment of data as an inextricable part of one’s identity and that privacy is indeed at the core of innovation.
- We look forward to hearing the outcomes of your consultations. Please note that our Office would be pleased to discuss these important issues further. Feel free to contact arun.bauri@priv.gc.ca.
Sincerely,
(Original signed by)
Lara Ives
Executive Director, Policy, Research and Parliamentary Affairs
Office of the Privacy Commissioner of Canada