OPEN BANKING ON THE HORIZON

Next Article

Meet the Mortgage Broker & the Mayor

Open banking will change mortgage brokering

BY RAY BASI, J.D., LL.B., DIRECTOR OF EDUCATION FOR CMBA-BC AND MBIBC

Mortgage brokering is very likely on the cusp of a seismic change – the result of Canada moving toward structured and regulated open banking. While government policy appears to be clearly and quickly moving in that direction, the nature and degree of change will depend largely on the details in the yet-to-be-determined legislation and regulations. Mortgage brokers would be well advised to keep abreast of these developments to ensure they are ready to adapt as and when needed.

WHAT IS OPEN BANKING?

In basic terms, open banking is a system that allows for transfer of consumers’ financial data between financial institutions. Details in definitions relating to speed, efficiency, purposes, goals and consumer control merely describe the characteristics of particular visions of open banking.

Hence the definition of open banking used by the Advisory Committee on Open Banking (Committee) appointed by Canada’s Department of Finance is very telling. The committee, in its Final Report issued in April 2021 and released to the public on August 4, 2021, recommended that open banking be operational by January 2023. The Final Report defines open banking as:

… a system that allows consumers to securely and efficiently transfer their financial data between financial institutions and accredited third-party service providers in order to access services that can help them improve their financial outcomes.

The definition includes goals, aspirations and parameters that the open banking system include secure and efficient transfers, accredited third parties and improved financial outcomes for the consumer. The definition being used by the Committee makes it clear that it supports a fairly structured robust system rather than one that develops more organically.

SCREEN SCRAPING – THE CURRENT STATE OF OPEN BANKING

Financial institutions already use a form of open banking to collect, analyze and access large amounts of customer financial data including borrower information, credit history and financial circumstances. They generally do not share the gathered information with other financial institutions. Much of this crude form of open banking is referred to as ‘screen scraping.’

Screen scraping is presently used by approximately four million Canadians and involves the borrower providing their online banking username and password to an entity that uses new technology to automate the delivery and use of financial services (commonly referred to as a fintech). The fintech uses this information to log into the borrower’s financial institution accounts and data, as if it were the borrower, and scans and scoops the borrower’s financial history and copies it to an external database. That database is then used to provide the borrower with products and services. This process gets around the fact the financial institutions do not share financial information they have gathered and gives the borrower access to data-driven financial services.

BENEFITS AND RISKS TO BORROWERS OF SCREEN SCRAPING

Screen scraping can provide borrowers with benefits, including easier transferring of data between potential lenders, faster transferring of data between potential lenders and faster adjudication of loan applications. However, screen scraping is unregulated, unsecure, inefficient and unreliable. It creates data-protection, privacy and cybersecurity risks for consumers and financial institutions. Among the problems are the following:

• Other than the general protection provided by protection of privacy legislation, fintechs are not regulated as to what information they access, how they access the information, to whom they disclose the information, how the information is stored and for how long they keep the information.

• There are no required standards or processes concerning screen scraping.

• Fintechs do not need to meet any qualification criteria to be authorized to screen scrape.

• Once the borrower provides the username and password to the fintech, the borrower loses control of the related financial information (including account balances, details of investment portfolios, the history of transactions, and the history of using other financial products and services).

• The borrower, in most cases, will not have limited the length of time the fintech can have access to the financial data (although this could be possibly overcome by changing the username and password).

• The borrower’s sharing of the username and password may void the financial protection the financial institution offers against unauthorized transactions.

• The sharing of the information by the borrower creates more opportunities for the borrower to be hacked and the data to be breached.

• Financial institutions are an attractive target for hackers, given the amount of personal financial information they store. The target becomes even more attractive when the quantity of data is increased by open banking links and is even more vulnerable due to those same links.

The reality of the privacy risk presented by screen scraping is demonstrated by Plaid Inc. agreeing to pay $58 million to settle a California-based class action lawsuit and agreeing to change its business practices in ways that better protect privacy. Plaid Inc. is a fintech that helps users connect their bank accounts to their apps. The claim was that it used dubious tactics to obtain login particulars for individuals’ financial institution accounts and then used those particulars to obtain private transaction histories, investment histories, income information and other personal information.

The Committee concluded that “(a)s screen scraping proliferates, so too will the associated risks.”

A BALANCED SOLUTION

The Committee concluded that the market has demonstrated a demand for data sharing services and for consumers to be allowed do more with their financial information. It stated:

Implementing a system of open banking is about enabling secure, efficient, consumer- permissioned data sharing – realizing Canadians’ right to data portability and allowing them safe and convenient access to a comprehensive picture of their finances.

COMMITTEE RECOMMENDATIONS

The Committee made 34 recommendations in the following six categories as to the type of open banking suitable for Canada: vision, scope, governance, common rules, accreditation and technical standards. Following are some of the highlights.

• The vision of open banking should be one that focuses on the consumer, including protecting consumer data; consumers being in control of their data; giving consumers access to a wider range of useful, competitive and consumer-friendly financial services; giving consumers reliable and consistent access to services; giving consumers recourse when issues arise; and having consumers benefit from consistent consumer protection and market conduct standards. It should benefit all Canadians, including those who are financially marginalized or who work in non-traditional employment settings (such as gig workers). Financial education policies, programs and resources should assist with financial inclusivity. Importantly, open banking should be a collaborative effort between government and industry. Government should set the rules, and industry should implement and administer the system.

• The scope of participants involved in open banking should include all federally regulated banks; provincially regulated financial institutions, such as credit unions, who choose to participate; and other entities who meet accreditation criteria and follow the rules of the open banking system. Individuals and small and medium enterprises should be allowed to participate from the very beginning, but their consent should be obtained before they provide any reciprocal data access. Participants should not be permitted to make giving this consent a condition of access to a product or service.

• The scope of data available in open banking initially should be that which is traditionally readily available to consumers through their online banking applications. This leaves room to expand the scope of data in the future. Financial institutions should be able to exclude data they enhanced to provide additional value or insight to the consumer, such as internal credit risk assessments or new product offerings. However, if this data is readily available to the consumer, the financial institution should have to justify excluding it. The initial scope of the program should allow third-party service providers (that is fintechs) to receive consumer financial data, but not edit it on the financial institution’s servers. Consideration to changing this in the future should be given. The data should not be permitted to be used for underwriting insurance.

• A two-phased approach to governance should be adopted as establishing and implementing a formal governance entity and legislative framework could take multiple years. In Phase 1, the government should appoint a lead to advance the design and early implementation of an open banking system. The lead should develop common rules, an accreditation framework, and processes to allow third-party service providers to participate in the open banking system. By the 18-month mark of the lead being appointed, consumers should be able to access open banking services at an initial stage level. Phase 2 should begin by January 2023. This phase would focus on transferring administration from the appointed lead to the governing entity created by the government during Phase 1. The entity would be run by open banking stakeholders, but the government would set the entity’s mandate and objectives. In Phase 2, the government would also consider codifying parts of the system implemented by the lead.

• Common rules should be developed that apply to open banking relationships, such as between banks and third-party service providers, regardless of an agreement otherwise. The common rules should include matters of liability (such as for misuse of information), privacy (such as requiring express consent of consumer regarding exchanging their data) and security (such as data security and infrastructure security).

• Accreditation criteria and audit requirements should be established that balance the entry of third-party service providers into the open banking system with robustly protected consumer data. The criteria should assess the participants’ operational, financial, privacy and security fitness.

• Technical specifications and standards should be set regarding matters such as data transfer and storage, consumer experience with the system interface, consumer authentication and consent management.

TAKEAWAYS

Open banking is on the horizon. Mortgage brokers will be impacted.

While open banking can address issues such as speed and convenience in the mortgage application process, it does not provide the consumers with qualified, neutral advice to equip borrowers to make informed borrowing choices. Mortgage brokers will need to know where and how their services best fit into the adjusted mortgage arranging process.

Because the details as to type of open banking Canada will adopt are not yet determined, mortgage brokers cannot determine the changes they will need to make. However, change is coming both to open banking and mortgage brokering; mortgage brokers need to keep informed as open banking develops and adjust as circumstances warrant.