moneygram-homepage-agent-locations by Monito Money Transfer Comparisons (CC BY 2.0) https://flic.kr/p/RS2Jxu


Open Banking Is Already Here: My Appearance Before the Senate Standing Committee on Banking, Trade and Commerce

The Senate Standing Committee on Banking, Trade and Commerce has spent the past month and a half actively engaged in a detailed study of the regulatory framework for open banking. The study has included government officials, representatives from Australia and the UK, and Canadian banking stakeholders. I appeared before the committee yesterday as a single-person panel, spending a full hour discussing a wide range of policy concerns. My core message was that the committee debate over whether Canada should have open banking missed the bigger issue: millions of Canadians already use open banking-type services despite the friction in making their data easily portable to third party providers. I recommended several reforms in response, including stronger privacy laws, mandated data portability with informed consumer consent, and consumer protection safeguards that recognize the likely blurring between incumbent banks and third party providers.

My full opening statement is posted below.

Appearance before the Senate Standing Committee on Banking, Trade and Commerce, April 11, 2019

Good morning. My name is Michael Geist.  I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-commerce Law, and I am a member of the Centre for Law, Technology, and Society. My areas of speciality include digital policy, intellectual property, privacy and the Internet. I appear in a personal capacity representing only my own views.

This committee’s study on open banking has been exceptionally interesting and insightful, providing far more context, nuance, and information than the Department of Finance consultation on the issue.

Yet the review has left me somewhat puzzled. Open banking is typically framed – both before this committee, by the government consultation, and in the media – as a matter of “if” or sometimes “when”. In other words, some debate whether we need it and others suggest that it is only a matter of time.

However, I believe the record confirms that open banking is effectively already here. While the banks have largely not provided data portability to their customers, millions of Canadians already provide their banking data to third parties, who frequently use screen scraping to gain access to the banking information. This is presumably provided with customer consent since they are the ones providing the necessary login information.

The screen scraping approach is widely recognized as risky given questions about security of the sensitive data including login information, the identity of the third parties, and the absence of industry standards. The willingness to use these third party services, even in the face of the friction that exists without easy data portability, points to the real risk for government policy.

In my view, that real risk lies in doing nothing, not doing something.

The prospect of account aggregation, the use of AI, and the identification of alternative products and services may sometimes only come from a third party provider. We need to act – and act quickly – to facilitate a marketplace that responds to customer demands, fosters innovation, and addresses longstanding consumer frustrations with a banking system that invariably insists trading cost competitiveness for “stability” is a virtue. If we adopt a consumer-centric perspective on the issue, we should recognize that consumers have demonstrated their interest in open banking but they have been placed at risk by banks that make it difficult to port their data and by the absence of associated policies and effective privacy safeguards.

I’ve heard several senators ask witnesses what can or should be done. I’ll offer three recommendations.

First, Canada’s private sector privacy law must be updated. Simply put, the law was drafted more than two decades ago and is no longer fit for purpose. There are important debates about the legal protections for data, but the immediate issue is that Canadians rely on PIPEDA for their statutory protections. This law does not have an effective enforcement mechanism, meaning there is limited recourse in the event of a potential misuse, whether by the big banks or by a third party provider.

Moreover, privacy law standards that are increasingly common in other jurisdictions are simply absent from the Canadian landscape. In fact, the Privacy Commissioner of Canada has recently taken to reinterpreting the law as a means of expanding its scope and relevance.  For example, earlier this week, the OPC released a new consultation that included its preliminary view that it now believes that cross-border disclosures of personal information require prior consent. The approach is a significant reversal of longstanding policy that relied upon the accountability principle to ensure that organizations transferring personal information to third parties are ultimately responsible for safeguarding that information.

This change in approach has enormous implications for e-commerce, data flows and potentially open banking. It points yet again to the need for legislative review and reform of the law, rather than OPC guidelines that if adopted will likely end up being challenged in Canadian courts.

Second, the government needs to mandate data portability for consumer and small business banking.  The major banks may talk sweetly about their potential support for open banking, but it was only in 2017 that the Canadian Bankers Association was issuing warnings about the open banking risks to consumers and the economy as a whole.

Third party innovative services exist precisely because they offer products and services not offered by the big banks. The only way to restore the safety of Canadian consumers who face real risks with screen scraping is to mandate that their data must be openly shared by the banks where the customer provides an informed consent to do so. There are undoubtedly security protocols and standards to be developed, but the starting point is regulated support for a consumer-focused system that gives consumers control by opening their data at their request.

Third, as the committee identifies consumer protections and other safeguards, recognize that the difference between the big banks and third party financial providers will become increasingly blurry for many Canadians. That blurring already exists in other sectors – think telecom and the incumbent providers who operate alongside third party services such as Skype, WhatsApp, and a host of other services that offer functionality once limited to the incumbent providers.

The same will ultimately be true in banking as consumers come to rely on new service providers that offer services alongside the big banks. That suggests that consumer protections and the identification of risks should take a big picture perspective. In fact, just yesterday, the CBC reported that a report from the Financial Consumer Agency of Canada about aggressive sales tactics by the banks underwent revisions after early drafts were provided to the government and the banking sector. The revisions included the removal of proposed consumer protections.

In other words, we should not pretend that it is only new technologies and third parties that bring with them consumer risks.

I look forward to your questions.

5 Comments

  1. Kelly Manning says:

    My take on online banking is that the people who do it do not understand the risks they are running. Why not use an ATM instead? Keeping banking data on a mobile device is also a risk.

    People who want a Financial Institution that is severely procedure and rule bound might want to check out Credit Unions. My wife and I found them much less flexible than banks, despite all their claims to the contrary, unless it suits them. At one point a local CU’s ATM somehow got off by one and started printing the ATM slips for the previous user, leaving my ATM slip for the next user to see.

    When I reported that I was told not to worry, many people leave their atm slips at the machine for anyone to look over. At that point my wife and I decided to switch our accounts to a bank.

    • What are you talking about… ?

      You start off by proposing that ATMs are more secure than online banking and then attempt to somehow support that claim with an anecdote about an apparent ATM security failure.

      “My take on online banking is that the people who do it do not understand the risks they are running.”

      I actually have a very, very good understanding of on-line banking and I still choose to use it. Please stop making generalizations like that, it’s nonsense.

  2. Thank you for posting and for presenting this view.

    I find it so frustrating how difficult it is to keep track of my personal finances using any method other than moving all of your financial services under one bank. TD has their own tracking app but it only works if everything you do is under TD. Services like Quicken and Mint by Intuit work well until one company (PC Financial in my case) decides to stop allowing third party companies to access that data. Yes, I understand the security issues with providing banking credentials to a third party company but isn’t that something I can weigh the pros and cons of?

    PC Financial does of course offer their own tracking app and if I want to continue with my budgeting, I would have to move over to their ecosystem which comes back to my feelings of frustration. I wish there were regulations that could accept this reality of a user wishing to consent to the sharing of their data in a way that is granular and accessible, and that the financial institutions and companies pulling this data had security standards and protocols that they had to follow so the general dude on the street wouldn’t have to do their own research to determine whether a company met a basic acceptable security threshold.

    I legitimately think I am the dumbest reader of this blog so maybe someone can fill me in on where I’m off here.

    • Devil's Advocate says:

      There really aren’t any “pros” to weigh in. It’s the 3rd-party access that kills not only your privacy and security, but everyone else’s as well.

      The fact that “individuals” have been allowed to systematically throw away the collective security of personal data is why we’re in such a pickle now.

      Obviously, most people weren’t even aware of the damage they were contributing to. That’s why data mining should never have been made possible in the first place. Those that have been collecting info as a business model (Facebook, Google, etc.) have been knowingly selling us all out in the doing.

  3. You mentioned a significant point and we have to prepare ourselves for such a case in the banking sector