Open banking will introduce new opportunities and business models for the financial services industry and new services from FinTech entrants to the market—but these opportunities come with unprecedented risks and operational requirements for a banking system that prides itself on stability. Given Canada's unique financial system and constitutional structure, the implementation of open banking won't look the same as it has in the U.K., the EU or Australia, where its introduction is already underway.

See:  Why Canada must be open to open banking

We spoke with a diverse group of leaders from across the Canadian financial services industry to understand open banking's current and emerging issues: What do you see changing? How will your organizations fit into the new landscape? What might a made-in-Canada model of open banking look like for consumers and industry?

Roundtable Participants

Anne Butler
Chief Legal Officer and Head of Policy and Research, Payments Canada
"If there isn't trust in the security and integrity of the system, especially among consumers, open banking will not succeed."

Lisa Ford
Senior Counsel, RBC Law Group, Enterprise Payments and Open Banking
"Open banking has existed in some form since the turn of the century and now technology and other changes are fuelling a more public debate."

Andrew Boyajian
Head of Banking, North America, Transferwise
"A concept like, "We're a known bank, we've been around for hundreds of years and therefore we're better equipped," doesn't necessarily make sense. Instead, it comes down to the contents and adherence to risk policies, and the importance that institutions give to cybersecurity."

Oscar Roque
AVP, Innovation, Research & Emerging Solutions, Interac Corp.
"...it's not just about the security of the technology, but also governance structure, accreditation, and making sure that the proper controls are in place so that it's not just anybody accessing that system."

Tanya Postlewaite
VP Compliance and Governance, Corporate Secretary, Chief Compliance Officer and CAMLO, Concentra
"We hope open banking will bring FinTechs into the same realm of regulation as other financial institutions, to ensure everyone is operating on the same playing field and that the integrity of the entire system is protected."

Andrew Boyajian, TransferWise

Andrew Boyajian is the Head of Banking, North America, for TransferWise, an international money transfer service headquartered in the U.K.

For a FinTech like TransferWise to grow in the Canadian market, we needed to address both operational and regulatory issues. From our experience in other markets, we find Canadian payments infrastructure can be a bit guarded. And this is a challenge not only to us, but to the entire FinTech ecosystem. As an example, in Canada only a select group of financial institutions can participate in payment systems. But Canada also goes one step further. To be a direct clearer, the current rules require financial institutions to handle a specified percentage of the gross payment volume in Canada. While this is slated to change, it can limit the system to a few big banks and financial institutions. For a company whose primary role is to provide payment services to customers, this is a challenge. First, we need to find a bank that's willing to actually onboard us as a customer. And second, we're going to rely on that banking relationship as part of our business continuity.

See:  Big Tech takes aim at the low-profit retail-banking industry

Fortunately, we've seen some progress overseas with central banks becoming more open to including non-traditional financial institutions in payment systems. TransferWise was one of the first non-banks in the U.K. to hold a settlement account with the Bank of England, which supported our direct participation in the Faster Payments Service. And more recently we learned that the Bank of England is considering even broader access rights for non-banks, in terms of holding deposits. We're seeing some progress in Canada, too, where Payments Canada is considering roles like associate memberships in the payment schemes, including the proposed real time rail. All of this movement is good, but until it's a reality there is an over-reliance on financial institutions to properly support FinTechs and their customers.

On the regulatory side, some laws and regulations are antiquated. In general, frameworks are written with the idea that businesses are physically present, with face-to-face settings for their customers. Unfortunately, we don't always see policymakers thinking about how to modernize these regimes for digital companies. But when they do look to modernize frameworks, it's important that they do so in a way that is technology agnostic. So, instead of references to specific file types, ".pdfs" as an example, we encourage policymakers and regulators to think about principles that transcend today's technology to future-proof them as much as possible.

One example of regulation that is already changing for the better is the move to safeguard customer funds held by payment service providers. It's a protection that doesn't currently exist for Canadian consumers. If you hold a balance with a FinTech, there isn't a live regulatory framework to ensure that the balance is protected, set aside, and guaranteed for the consumer. It's in a similar vein to CDIC or provincial schemes to protect deposits at financial institutions. Fortunately, the Department of Finance, as part of their overhaul of the retail payment system, saw this gap and is taking steps to put in place safeguarding methodology for Canadian consumers. It will mean protection and transparency for consumers, so they can know they're getting the same level of service from FinTech providers as they are with banks.

Often banks or regulators may feel that money transmitters, payment service providers, or FinTechs pose a higher risk for money laundering. But if we think about the topics of money laundering or financing of terrorism, those can occur through any channels — whether it's a FinTech or a bank. So, we don't think the argument of higher AML risks is a reason to exclude FinTechs from direct access to payment systems. The challenges in addressing AML are the same for FinTechs as for banks — laws do not really differentiate between the type of provider.

See: Inflection point:Seven transformative shifts in US retail banking

We can see more validity in the argument that keeping a smaller number of entities with that clearing access could promote stability. Generally, a regulator should be thinking about sound capitalization or business models and then the operational risk policies that entities have. Those concepts are broad and universally applicable. If one institution or entity is capable of meeting them in the same fashion that a defined depository financial institution is, we really don't see the difference and need to create a division in access rights between the two.

In the U.K., while TransferWise has been in a position where we have advised policy makers relating to the implementation of open banking deriving from PSD2, we have instead focused more on transparency in fees. That said, we can certainly see areas where there are benefits. For example, with any payment method other than payment cards — like direct debit — there is quite a bit of information that could be obtained about a customer to help inform a merchant whether or not those funds are actually going to settle, as well as the overall risk profile of the individual with whom they're engaged in business. One of the benefits that I can see in open banking is the ability for consumers to share that information in a standardized way.

Some technology already exists through a screen-scraping service, where a consumer might choose to enter an online bank ID and password in a third-party application. That application essentially logs in to that customer's online bank account and scrapes the screen to obtain this data and then provides that data back to a platform. But that's brittle. If a bank decides to change its interface or implement two-factor authentication, for example, that could easily break the service. Also, depending on the bank, that could be a violation of the terms of use for the account because the account owner has granted access or authorization to a third party. Open banking can be a way to simplify these protocols and allow that same data set to be universally applied. And, more importantly, it gives consumers an active role in deciding with whom and how to share that information.

In today's world, where digital information is increasingly being passed through digital channels, cybersecurity is an area that we need to deal with. And the payments industry saw that with payment cards — as things began to move from point-of-sale to card-not-present, the idea of security and how these payment instruments are being authenticated and validated became important. It's a matter of the market adapting to understand how data is being stored and transmitted, identifying where the vulnerabilities are, and knowing that responsibility is not housed within any particular provider or role in the payment chain. Instead, it's universal.

See: How Jack Ma’s $290b SME credit engine is changing Chinese banking

Whether the industry is using cloud services or their own infrastructure, they're all susceptible to possible attacks by any type of bad actor. That's not something that's exclusive to a FinTech. So, all entities need to have robust plans for fraud, cybersecurity, and data protection. Meanwhile, regulators should understand that these aren't always challenges defined by entity type, but rather by entity preparedness. A concept like, "We're a known bank, we've been around for hundreds of years and therefore we're better equipped," doesn't necessarily make sense. Instead, it comes down to the contents and adherence to risk policies, and the importance that institutions give to cybersecurity.

Continue to the full article --> here