What is "Open Banking," and why should we care?
An Explainer with Fintech VC Christian Lassonde
As a “glass half full” guy who had to worry about what would happen if a deal didn’t work out, you’ll forgive me if I’ve spent the last few years trying to first better understand — rather than blindly promote — the promise, risks and tangible benefits of “Open Banking.”
Now that both major Canadian political parties are squarely in favour of the concept, I figured it was time to help my readers get a handle on what the fuss is all about. To do the topic justice, I asked one of Canada’s true Fintech venture capitalists — Christian Lassonde — to participate in a bit of a Q&A. As co-founder of Impression Ventures, he is far better positioned than I to tackle the many natural questions that regulators, politicians and public servants have about Open Banking. His firm has invested in dozens of start-ups, including BorderPass, Brim, Fraction, Safekeep and Wealthsimple.
As Mr. Lassonde sees it, this is about far more than merely improving the plumbing in the Canadian financial services market. Thank you for taking the time to help slay some of the more sacred cows!
1. What does Open Banking mean to you? (Qs by MRM)
Christian with the answers: Open Banking, at its core, is a tool granting people access to their own bank statements in digital form, in a way that allows them to safely forward that digital statement to others. The easiest example is providing the last 30 days of financial transactions on your credit card and bank account to a financial recommendation engine to recommend ways for you to save money.
We have a form of Open Banking today - giving your online portal username and password [to a 3rd party] - that is insecure and more easily prone to abuse and fraud. The idea behind Open Banking is about providing legitimate and secure access, a safer alternative to what people are already doing and benefiting from today.
2. When you speak of “providing legitimate and secure access” to your financial info, let’s give folks some specific examples of Fintechs that I might like to grant access to my CIBC banking or wealth management info.
Some of the more common use cases are for identity verification, Wealthsimple and many others use your pre-existent bank account as part of their identity verification process. If you have an open bank account they can use that information to confirm that you are who you say you are.
Services like Borrowell and Credit Karma, could also use open banking for account verification but more interestingly, could be used as part of their credit monitoring and counseling service by being able to securely analyze your bank statements.
Some lenders have also started to use your transaction history as part of their underwriting model. Koho, which has direct access to your Koho account history, presumably uses that to inform their line of credit decisions. Paays uses your banking information to verify IDs, provide anti-money laundering checks, and provide underwriting intelligence for auto finance.
In small business, reconciliation of your accounts on a daily basis is made far easier when your accounting platform (example: Freshbooks, Wave, Quickbooks, or Xero) can directly access your bank account and download your daily transactions and enter them into your accounting ledger.
3. In countries that have already embraced Open Banking, how have consumers benefited?
In countries like the UK that have embraced Open Banking, consumers have experienced significant benefits as highlighted in the UK’s Open Banking Impact Reports of October 2021 and June 2022. The key benefits include:
a. Increased Adoption and Service Accessibility: The availability of Open Banking services has expanded, and consumer adoption has grown. By June 2022, around 10-11% of digitally-enabled consumers were using at least one Open Banking service, showing a notable increase from previous years. (Explainer: “Open Banking Services” is really just one thing: Access to Account Information - Banks must provide secure access to customer account data to registered third-party providers {TPPs}, when the customer has given their consent. This allows customers to share their financial data with trusted third-party financial service providers.
In some jurisdictions, like the UK, they have also included Payment Initiation in Open Banking. In Canada that is unlikely to be the case because Payments Canada is in the middle of a modernization process, started in 2016, still ongoing, that is meant to bring payment initiation to 'open banking'.)
b. Enhanced Financial Management: Consumers using Open Banking apps have reported that these services have aided them in managing their finances better. This includes sticking to budgets, reducing unnecessary expenditures, and shopping around for better deals. (Explainer: We have seen a small number of companies that have built new underwriting models based off financial transactions, that successfully identify individuals with a low credit score that payback loans like a high credit score individuals {and thus, in theory should get a lower rate on a loan product}. Hence, access to open banking does indeed open up at the least the possibility of shopping for better rates.)
c. Positive Impact on Savings and Expenditures: A significant proportion of consumers have stated that Open Banking services have helped them save more and build a financial cushion. This is particularly beneficial in the context of post-pandemic financial challenges.
d. Continued Use and Trust in Services: A majority of users find these services easy to set up, and a significant percentage intend to continue using them, indicating a high level of satisfaction and trust in Open Banking services.
These benefits demonstrate that Open Banking is not only increasing in popularity but is also positively impacting consumers by providing them with tools to manage their finances more effectively and make informed financial decisions.
4. What innovations would North American consumers see if either or both the Canadian and U.S. governments embraced Open Banking? Canadian banks already have tools such as “goal planners,” that assist you with retirement planning, saving for school, a downpayment for a first home or even a holiday.
I would imagine that North American consumers would benefit much like UK consumers: helping them stick to budgets, reducing unnecessary expenditure, and giving them the ability to shop around for better rates on financial products. And in some cases, getting access to loan products that they wouldn’t otherwise have access to with their primary banking relationship. Overall consumers would benefit from more competition driving better customer service and more product offerings.
North American governments can surpass the UK in terms of innovation by prioritizing small businesses in open banking plans, and ensuring the ecosystem develops and markets tools specific to the needs of SMBs. After all, the ~30MM small businesses throughout North America are the primary engine of our economy. What better way to supercharge that engine then providing them better and more secure access to financial products: budgeting/cash flow/expense management tools and lending products just to name a few.
Banks, by their desire to have a diversified customer base (and avoid the fate of SVB) generally provide solutions that are good for everyone. Fintechs have the luxury of building niche solutions for small parts of the market. All to say - I'm sure the bank tools are fantastic but they may not always be the best solution for all.
Fintech firms such as Expensify, Dext, and so forth do help SMBs manage their financial affairs, but I suppose one has to consider how Open Banking might enhance the SMB CFO’s ability to integrate his/her banking info with these financial and accounting tools.
5. What steps would the Canadian government need to take to make Open Banking a reality here?
My understanding is the framework is largely in place but that the oversight body is the biggest point of contention. Our federal government needs to step in and tell the Bank of Canada the job is theirs and get on with it.
While the advantages of open banking likely outweigh its drawbacks, it's important to acknowledge that there are some concerns. Issues such as security standards, inadequate governance, third-party liability, and the impact on established financial institutions are crucial in the discussion of open banking's potential pitfalls.The broader access to financial data, if not adequately protected, might lead to data breaches, fraud, or unauthorized use of confidential information. As the industry broadens its data-sharing through banking channels, ensuring robust protections remains critical to earn the trust of Canadian consumers.
The recent experience in the U.S., with its swift adoption of fintech solutions, highlighted the absence of stringent governance over new market entrants and their sponsoring banks. For the sustainability of open banking in Canada, learning from these oversights and implementing unobtrusive governance standards and monitoring practices is essential for consumer protection.
With the progression of open banking, liability issues are likely to emerge. In situations like data breaches or unauthorized transactions, pinpointing responsibility in an open banking context can be challenging. Such issues should not be left for consumers to handle alone; instead, banks or fintech companies should address them proactively in a clearly defined manner.
Lastly, the introduction of open banking is set to allow more players in the financial services sector, potentially disrupting the operations of traditional banking institutions, including Canada's big five banks. While it's difficult to foresee the exact changes, the shift away from conventional banking practices could have unforeseen effects on consumers.
6. Why would the Bank of Canada take this role on, rather than the Office of the Superintendent of Financial Institutions, which has a mandate that covers consumers, asset protection, solvency and so forth? Or perhaps a Consumer oversight body? I suppose National rules would make more sense than ones which are legislated Provincially.
The consideration of provincial oversight in the context of Open Banking is not a primary focus, which arguably serves the interests of the sector. Both banks and fintechs in Canada seem to prefer avoiding the complexity of navigating regulatory frameworks from multiple provincial authorities.
The more challenging aspect lies in identifying an impartial regulatory body to supervise the open banking framework in a manner that neither advantages nor disadvantages any stakeholder involved in Open Banking. In this regard, Canada is fortunate to have multiple national regulatory institutions with global reputations for excellence, including both the Bank of Canada and OSFI, which could potentially fulfill this role effectively.
7. If North Korea is able to exploit a cyber weakness in a domestic fintech, and gain access to RBC’s customer data via the Fintech’s own API relationship with RBC (via Interac or payment rails), who should be liable for losses? RBC, the Fintech, Ottawa? No one?
A couple issues with this question, first off it’s highly unlikely that a fintech would have access to all of RBCs customer data. At best, if the fintech’s data were breached, they would have “tokens”, a form of secure passwords, for a subset of RBCs customers that have both used the fintech and given them permission to access their RBC bank accounts.
Second, in the worst case, let’s say it’s the largest fintech, the bad actor would have access to a large number of Canadian bank accounts to read their transactions, not - importantly - the ability to transmit money.
Arguably the risk is far worse today; as access today is being granted in such a way that not only can accounts be read but also money can be sent. There are many safeguards in place today, but accounts are hacked from time to time. The risk here is really mass identity fraud, a risk we very much live with today with or without open banking.
However, I still want to address your question. Who pays damages? In this case we would have to understand where the data breach occurred. No different than today, the access relationship with the bank and the customer is between the two. If they experience a breach, the loss to the consumer and bank is ruled by the Service Agreements between the two, including the Electronic Access Agreement. Today's agreements clearly articulate that the bank is not responsible for any losses that may result from sharing of passwords. Today the customer is liable for the losses. What’s not clear to me is if the Open Banking regulation would continue to allow the banks to offload the risk to their customers.
8. You’re right in that if I give my password and log-in info to a Fintech, a hacker would use that data to access my own account and attempt to transfer or wire money without my authorization. But that would just impact me. If a hacker could access my bank via the Fintech’s APIs, wouldn’t they be able to attempt to swipe all of the shared customer accounts?
Your concern about the potential risks associated with Open Banking APIs is valid. There are indeed differences in the scale and impact of security breaches when comparing individual account access through shared login credentials to systemic access via APIs.
However, it's important to consider the following points, even assuming hackers were able to bypass robust security protocols and that the bypass of those security protocols went unnoticed. Not straightforward assumptions at all but we’ll assume the hackers have gotten the list without any trace.
First off, there is typically limited access per consent. APIs in an Open Banking environment typically operate on a consent basis, meaning they only access the data that the customer has explicitly permitted. This limits the scope of what can be accessed through each API connection.
Monitoring and detection systems on the Open Banking rails and the bank would soon detect unusual activity when large scale data amounts start to be transmitted in an unusual manner to new destinations on the internet.
While the risk of a large-scale breach via open banking APIs cannot be entirely dismissed, the combination of advanced security measures, regulatory oversight, and proactive risk management significantly mitigates this risk. Nevertheless, the evolution of digital banking and fintech solutions will continue to challenge security paradigms, necessitating ongoing vigilance and adaptation of security strategies.
9. Canadian banks spend billions each year on Cybersecurity security, in part to protect client banking and stock accounts. If Open Banking gives access and some form of protection to a Fintech by extension, should that Fintech contribute to the cost of those Cyber defences?
I disagree with the framing of the question. Open Banking is centrally about giving customers access to their data. While fintech’s believe, accurately or not, that they are the big winners in Open Banking, that simply isn’t the case. The winners are consumers. Just as when mobile phone regulation allowed for number portability, the winners weren’t the upcoming carriers, it was the consumer who could keep their number.
A more accurate framing, in my view, is that regulation is forcing banks to provide customers access to their data. Given those customers pay fees for services, and access to their capital stored at their bank (their deposits), isn’t it fair in turn that a small portion of the revenue from those streams of income be used to secure access to the customers’ data?
If a client chooses to give access to their account to a third party, fintech or otherwise, presumably for their own benefit, should that not be the customers’ prerogative? Similarly, when the bank sends you a text message should we be asking customers to fund a portion of the banks’ cellular network or should we presume that, as a customer of the carrier; the customer in question is already paying for a portion of the network that the bank uses, in this case, to receive a security code from a bank?
However, on the receiving end of that data, I do believe fintechs should secure the data and if they hold data, like loan payments, that fintechs in turn should be providing consumers with that data in a secure fashion.
In other words, while I disagree with the framing, I do agree that all ecosystem players should pay to secure the customer data for which they are a custodian.
10. Is Open Banking all upside for consumers and the broader economy?
Much like how mobile phone portability was “all upside” for consumers, open banking promises to be as well, with far more financial upside consumers will benefit from.
MRM
(this post, like all blogs, is an Opinion Piece)
photo: Sewer Cleaner, New York 1951 by Irving Penn
Excellent article. Thank you for sharing.
Question - I’ve heard a few theorize that rolling out open banking could lead to new bank competitors (example - Power Corp has a lot of fintech… could they also bank… and become a fully integrated bank + insurance company)… and from there could we also see the old rule that banks and insurance can’t cross sell fall away? After all - if pow can move organically towards insurance+fin tech + banking… why can’t a bank work the other way… or even allow MFC and CIBC to merge.