Recent proposed amendments to the Bank Act that would expand the power of banks and other financial institutions to engage in fintech activities have faced a number of challenges before the Senate Committee on Banking Trade and Commerce. The proposed amendments were considered at recent hearings held by the Committee at which concerns were raised that engage policy issues relating to fintech, open banking, and control and protection of customer data. This Bulletin summarizes the key issues raised at the hearings and discusses how these relate to the broader policy issues at hand.
The Budget Implementation Act, 2018, No. 1 (the "Budget Bill") introduced earlier this year proposes the following amendments to the Bank Act, the Trust and Loans Companies Act and the Insurance Companies Act:
- Broad powers for financial institutions to refer customers to other entities.
- Broad powers for financial institutions to collect, manipulate and transmit information, as well as engage in a broad range of technology-related activities without regulatory approval.
- New powers for financial institutions to commercialize activities developed in-house and provide them to third parties.
- New powers for financial institutions to provide identification, verification and authentication services.
- New powers for financial institutions to invest in entities a "majority" of whose activities consist of financial services activities that a financial institution is permitted to carry on.
There is some debate about the extent to which banks already have some of these powers on the basis that they fall within the "business of banking". As well, it is envisioned that these new and expanded powers will be subject to regulations which have not yet been issued. Nevertheless, these amendments are a significant development and, if implemented, would give banks explicit powers to engage in a wide range of innovative technology related activities.
These proposed amendments were welcomed by the banking industry, which was generally of the view that the current provisions of the Bank Act inhibited innovation and were out of step with technological developments. In a response to the consultation paper, the Canadian Bankers Association (CBA) stated that the Bank Act in its current state imposes onerous obstacles to partnering with fintechs, which are a remnant of a time when the now strong link between technology and banking activities was far less clear. In recent years, innovative new technologies have become integral to nearly every industry, and these legislative barriers are hindering the ability of banks to take full advantage of the products that fintechs can offer.
The proposed amendments are consistent with a move toward "open-banking", which would see consumers have the right to choose to share their own banking information with a wide range of other financial services providers and other businesses.
The Department of Finance issued a consultation paper last year entitled "Potential Policy Measures to Support a Strong and Growing Economy: Positioning Canada's Financial Sector for the Future" that sought input on, among other matters, the merits of open banking. The paper described the benefits of open banking as making it easier for consumers to interact with financial service providers, and increasing competition. At the same time, the consultation paper noted the importance of protecting consumer's security and privacy.
In a response to the consultation paper, the CBA noted that protection of consumer privacy will be a central component of any system which allows third party access to financial data. The CBA stated that both verifying customer instructions when third parties request access to information, and ensuring the legitimacy and capacity of the third party to handle the information would be considered before granting access. Similarly, the CBA wrote that ensuring customers comprehend the scope and risks associated with data sharing will be paramount to obtaining informed consent.
In December 2017, the Competition Bureau published a market study on technological innovation and the financial services sector. One of the recommendations therein is that "Policymakers should embrace broader 'open' access to systems and data through application programming interfaces. With more open access to consumers' data (obtained through informed consent and under an appropriate risk-management framework), fintech can help consumers overcome their inability or unwillingness to shop around by paving the way for the development of bespoke price-comparison tools, and other applications that facilitate competitive switching."
The Competition Bureau also recommended that industry participants and regulators should explore the potential for digital identification to facilitate client identification processes, which is also reflected in the proposed amendments to federal financial institutions legislation.
The Senate Committee Hearings
In response to the amendments proposed in the Budget Bill, the Senate Committee on Banking Trade and Commerce recently conducted hearings with a range of witnesses and stakeholders to discuss the proposed amendments, cybersecurity concerns, and other implications.
Privacy and Cybersecurity
The Committee sought assurances that the changes will not allow banks to transfer sensitive banking records to third parties in ways that are not clearly understood and agreed to by their customers. Bank officials responded that customer consent is required and that information sharing contracts with third parties have strong privacy and security safeguards that allow banks to audit how the outside companies use customer data.
The Committee was also concerned about cybersecurity, and the potential for data breaches in entities to whom the banks transfer information both domestically and internationally. In drafting the amendments, the government has identified a goal of creating a new cybersecurity strategy, and making Canada a global leader in this regard. Bank officials called the Committee's attention to the proposal to create a centralized hub for sharing best practices and information concerning cybersecurity which would apply to all important financial sectors. Bank officials argued that this will help to consolidate cybersecurity expertise across the federal government, thereby increasing consumer protection. Similarly, they argued that this consolidation would lead to a unified approach to dealing with foreign entities and associated threats. Officials clarified that the resulting sharing of information to protect against cybersecurity risks will not entail central storage of sensitive data.
The Privacy Commissioner of Canada (who reportedly had not been consulted about the proposed amendments), told the Committee that based on available information, the proposed provisions failed to strike the right balance between fostering commercial innovation and protecting consumer privacy. The Commissioner expressed the view that fintechs are generally required to obtain valid, meaningful express consent from customers before dealing with their financial information. However, the Commissioner expressed the concern that problems with the current consent model will inhibit adequate protection and that he had reason to believe that financial institutions and fintech organizations intended to proceed under the proposed amendments without obtaining customers' express consent.
The Commissioner stated that if the financial sector actually obtained express, informed consent and privacy issues were addressed in the regulations that will be implemented under the Budget Bill, reasonable privacy protection could be achieved, but that he lacks legal authority to compel compliance with privacy law. He suggested that giving his office the authority to require the financial sector to obtain express consent would be the most direct way to rebalance the legislation (although currently the Commissioner has the power to initiate investigations and to seek enforcement through the Federal Court).
Questions of privacy and cybersecurity are plainly among the key issues that the Committee is grappling with. However, the Commissioner's submissions to the Committee must also be read in a broader context. First, the Commissioner's stated concerns regarding the efficacy of current approaches to consent are not specific to the financial industry or fintech. Indeed, commencing in 2016, the Commissioner undertook a sweeping review of the concept of consent across all industries and activities regulated by PIPEDA: see Consultation on consent under the Personal Information Protection and Electronic Documents Act. This consultation recently led the Commissioner to issue a new guidance document, Guidelines for Obtaining Meaningful Consent, which will be applied by the Commissioner as of January 1, 2019. The Commissioner simultaneously issued a second guidance document, Guidance on Inappropriate Data Practices: Interpretation and Application of Subsection 5(3) to be applied on July 1, 2018. These guidance documents were published two days after the Commissioner appeared before the Committee and are discussed in the following bulletin: Privacy Commissioner Issues Key Guidelines for Consent and Inappropriate Data Practices.
Second, the Commissioner's call for the power to compel the financial sector to obtain express consent is the latest example of the Commissioner's broader push for the power to make binding orders to enforce compliance with PIPEDA. This question is not unique to fintech or the financial industry. Earlier in 2018, the Standing Committee on Access to Information Privacy and Ethics issued a sweeping set of recommendations for amendments to PIPEDA: Towards Privacy by design: Review of the Personal Information Protection and Electronic Documents Act, including that PIPEDA be amended to give the Commissioner enforcement powers, including the power to make orders and impose fines for non-compliance.
Following his submissions to the Committee, the Commissioner sent a follow-up letter to the Committee to request that PIPEDA be amended to include an additional requirement to obtain valid consent and that the Commissioner be given order making power. These changes were not limited to the financial sector, however. Consistent with the broader initiatives described above, the requested amendments to PIPEDA would be applicable to all organizations subject to that law and would therefore represent a sweeping change to PIPEDA and the ombuds model that has been in place under that statute for nearly two decades.
Concerns were also raised during the hearings about whether the proposed amendments could allow banks to expand their activities in the insurance space. The Association of Mutual Insurance Companies (AMIC) told the committee that the Bank Act changes "open up a new line of business for banks" to sell customer data. The concern is that this would allow banks to conduct insurance activities, which is restricted under the Bank Act and the Insurance Business (Bank and Bank Holding Companies) Regulations. It was argued that the amendments would facilitate the transfer of banking data, to fintechs, who in turn can use the data to underwrite insurance products.
Committee members expressed concern that banks could further the sale of insurance through a relationship with a fintech by using either the referral power, or a reduction in an outsourcing cost. Bank officials responded that this would not be the case because the networking powers are subject to s. 416 of the Bank Act, which prohibits banks from undertaking the business of insurance except as permitted under the Bank Act. The CBA also assured the committee it was not the intention of the banks to attempt this.
The debate over the desirability of fintechs having access to bank data and using it for insurance purposes is related to the debate over the desirability of open banking. Some committee members expressed the view that there should be no complaints about fintechs partnering with banks and moving into the insurance market because it promotes more competition.
It remains to be seen whether any changes will be made to the proposed amendments to federal financial institutions legislation or PIPEDA. Regardless, issues relating to fintech, open banking, and protection of customer data will undoubtedly continue to be at the forefront of financial sector policy for the foreseeable future.
 Currently, FRFIs are permitted to engage in collection, manipulation and transmission of information which is primarily economic (in Canada), or to design, hold, manage or otherwise deal with data transmission devices or platforms which provide primarily financial or economic information only with the approval of the Minister of Finance.
 Ibid, at page 12.
A special thanks to Sarah Chouinard, Summer Law Student, for her contributions to this article.