The Senate Standing Committee on Banking, Trade and Commerce has spent the past month and a half actively engaged in a detailed study of the regulatory framework for open banking. The study has included government officials, representatives from Australia and the UK, and Canadian banking stakeholders. I appeared before the committee yesterday as a single-person panel, spending a full hour discussing a wide range of policy concerns. My core message was that the committee debate over whether Canada should have open banking missed the bigger issue that millions of Canadians already use open banking type services despite the friction in making their data easily portable to third party providers. I recommended several reforms in response, including stronger privacy laws, mandated data portability with informed consumer consent, and consumer protection safeguards that recognize the likely blurring between incumbent banks and third party providers.
My full opening statement is posted below.
Appearance before the Senate Standing Committee on Banking, Trade and Commerce, April 11, 2019
Good morning. My name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-commerce Law, and I am a member of the Centre for Law, Technology, and Society. My areas of speciality include digital policy, intellectual property, privacy and the Internet. I appear in a personal capacity representing only my own views.
This committee’s study on open banking has been exceptionally interesting and insightful, providing far more context, nuance, and information than the Department of Finance consultation on the issue.
Yet the review has left me somewhat puzzled. Open banking is typically framed – both before this committee, by the government consultation, and in the media – as a matter of “if” or sometimes “when”. In other words, some debate whether we need it and others suggest that it is only a matter of time.
However, I believe the record confirms that open banking is effectively already here. While the banks have largely not provided data portability to their customers, millions of Canadians already provide their banking data to third parties, who frequently use screen scraping to gain access to the banking information. This is presumably provided with customer consent since they are the ones providing the necessary login information.
The screen scraping approach is widely recognized as risky given questions about security of the sensitive data including login information, the identity of the third parties, and the absence of industry standards. The willingness to use these third party services, even in the face of the friction that exists without easy data portability, points to the real risk for government policy.
In my view, that real risk lies in doing nothing, not doing something.
The prospect of account aggregation, the use of AI, and the identification of alternative products and services may sometimes only come from a third party provider. We need to act – and act quickly – to facilitate a marketplace that responds to customer demands, fosters innovation, and addresses longstanding consumer frustrations with a banking system that invariably insists trading cost competitiveness for “stability” is a virtue. If we adopt a consumer-centric perspective on the issue, we should recognize that consumers have demonstrated their interest in open banking but they have been placed at risk by banks that make it difficult to port their data and by the absence of associated policies and effective privacy safeguards.
I’ve heard several senators ask witnesses what can or should be done. I’ll offer three recommendations.
First, Canada’s private sector privacy law must be updated. Simply put, the law was drafted more than two decades ago and is no longer fit for purpose. There are important debates about the legal protections for data, but the immediate issue is that Canadians rely on PIPEDA for their statutory protections. This law does not have an effective enforcement mechanism, meaning there is limited recourse in the event of a potential misuse, whether by the big banks or by a third party provider.
Moreover, privacy law standards that are increasingly common in other jurisdictions are simply absent from the Canadian landscape. In fact, the Privacy Commissioner of Canada has recently taken to reinterpreting the law as a means of expanding its scope and relevance. For example, earlier this week, the OPC released a new consultation that included its preliminary view that it now believes that cross-border disclosures of personal information require prior consent. The approach is a significant reversal of longstanding policy that relied upon the accountability principle to ensure that organizations transferring personal information to third parties are ultimately responsible for safeguarding that information.
This change in approach has enormous implications for e-commerce, data flows and potentially open banking. It points yet again to the need for legislative review and reform of the law, rather than OPC guidelines that if adopted will likely end up being challenged in Canadian courts.
Second, the government needs to mandate data portability for consumer and small business banking. The major banks may talk sweetly about their potential support for open banking, but it was only in 2017 that the Canadian Bankers Association was issuing warnings about the open banking risks to consumers and the economy as a whole.
Third party innovative services exist precisely because they offer products and services not offered by the big banks. The only way to restore the safety of Canadian consumers who face real risks with screen scraping is to mandate that their data must be openly shared by the banks where the customer provides an informed consent to do so. There are undoubtedly security protocols and standards to be developed, but the starting point is regulated support for a consumer-focused system that gives consumers control by opening their data at their request.
Third, as the committee identifies consumer protections and other safeguards, recognize that the difference between the big banks and third party financial providers will become increasingly blurry for many Canadians. That blurring already exists in other sectors – think telecom and the incumbent providers who operate alongside third party services such as Skype, WhatsApp, and a host of other services that offer functionality once limited to the incumbent providers.
The same will ultimately be true in banking as consumers come to rely on new service providers that offer services alongside the big banks. That suggests that consumer protections and the identification of risks should take a big picture perspective. In fact, just yesterday, the CBC reported that a report from the Financial Consumer Agency of Canada about aggressive sales tactics by the banks underwent revisions after early drafts were provided to the government and the banking sector. The revisions included the removal of proposed consumer protections.
In other words, we should not pretend that it is only new technologies and third parties that bring with them consumer risks.
I look forward to your questions.