Evidence of meeting #142 for Access to Information, Privacy and Ethics in the 42nd Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was data.

A video is available from Parliament.

Also speaking

Marina Mandal  Vice-President, Banking Transformation and Strategy, Canadian Bankers Association
Della Shea  Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.
Angelina Mason  General Counsel and Vice-President, Canadian Bankers Association

4:05 p.m.

NDP

Charlie Angus NDP Timmins—James Bay, ON

Thank you very much.

4:05 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Mr. Angus.

Next up, for seven minutes, is Monsieur Picard.

4:05 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Thank you.

I have a three-part question. What is your understanding of open banking systems? What is your take on this from a security standpoint? Would that be a model, if it's good, that could be followed in the case of government?

4:05 p.m.

Vice-President, Banking Transformation and Strategy, Canadian Bankers Association

Marina Mandal

As I'm sure you know, the government issued its first formal consultation paper on open banking in January. We put in a submission, along with other stakeholders, in February. I'll get into that in a second.

Since the deadline in February, we've been in conversations. I would say it's very early days on open banking. The way we approached our comments was really to think through the risks that we think are posed. Those were aligned with what the government identified in its consultation paper: concerns around consumer protection, privacy, financial crime and financial stability. We focused primarily on the first three, and we talked about potential risk mitigation strategies, both from a regulator perspective and from a more industry-led solutions perspective.

That's how we have framed our thinking on open banking. It's really early days, and we're continuing to have discussions with the government when it asks us to provide some views. However, yes, it's early days and there's still a lot to come.

4:10 p.m.

Liberal

Michel Picard Liberal Montarville, QC

The fact that—

4:10 p.m.

Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.

Della Shea

Sorry, do you mind if I add to that?

4:10 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Please do. You're the expert. I'm not.

4:10 p.m.

Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.

Della Shea

Symcor provided a submission to that call for papers as well.

Our recommendations really came down to what I had outlined earlier this afternoon in terms of recommendations primarily around privacy by design and security by design. As well, we had a framework to assess all actors in that ecosystem, with the concern potentially being vulnerabilities, essentially the weakest link vulnerabilities, so having an appropriate assessment process to ensure everyone in that ecosystem was maintaining at least a minimum level of privacy and security.

Essentially, what we recommended was ensuring that privacy and security was really cherished above all—so we were thinking about the utility, the convenience of open banking—and also that protecting Canadians was really paramount.

I think that, again, as Marina mentioned, it's early days. It is an important mandate for the government to be considering and looking at, especially with developments internationally. I also believe that it's an opportunity to look at international standards. Again, it's a little bit of go slow to go fast, potentially.

April 4th, 2019 / 4:10 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Actually the system managed, duplicated data everywhere, and the open banking system concept proposes that we have just one place where the data is, and the exchange of information where the different data needs to be combined and used.... If you have a unique system where you have unique data—at least unique sources—the apparent beauty of it is that you don't look everywhere. It's just in one place. You need a very sophisticated security system to avoid a breach, because if you are breached, you lose everything. Is it a calculated risk?

4:10 p.m.

Vice-President, Banking Transformation and Strategy, Canadian Bankers Association

Marina Mandal

I think you've hit on, absolutely, what our key concerns were as the Canadian Bankers Association around cybersecurity and financial crime more broadly in the context of open banking, where, as you know, the customer consents to have their personal and financial information transferred to another provider, whether it's a bank or perhaps a fintech that's not as stringently regulated as banks.

Once that happens, and if that information then goes further down the line, the third party provider provides it to another party, we worry about both the increased connectivity and the proliferation of entities having access to the data. That definitely makes it harder in the case of a cyber-attack to determine your points of vulnerability, number one and number two. Again, not all third party providers will be regulated the same way.

We were pleased to see in the budget this year the announcement of the cybersecurity legislation forthcoming, but we worry about entities that might not be subject to comprehensive regulatory oversight on both privacy and on cyber.

4:10 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Ms. Shea, in your opening remarks you mentioned the word “trusted” many times. What are the criteria for someone to be a trusted supplier? In business, there's no such thing as trust—

4:10 p.m.

Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.

4:10 p.m.

Liberal

Michel Picard Liberal Montarville, QC

—and in politics, I guess.

4:10 p.m.

Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.

Della Shea

The term “trusted provider” to me is really that you have a commitment to what your values and standards are right from the get-go, and that you have support from the top of the organization all the way to every layer.

Essentially, that's necessary to actually do what you promise to do. It's not enough to just have a statement or a policy saying you're going to protect privacy. You really need to have the infrastructure, the communication, the buy-in across everybody who is involved in delivering a service. They need to understand, number one, what their goals and obligations are, and number two, that they have the tools to be able to execute on those things. That really requires a commitment. It requires understanding across the entire organization, and understanding really comes down to making things simple and easy for anyone to be able to understand what they have to do to achieve that trust or to achieve that commitment. In this case, we're talking about privacy, so what does that mean? It means making everyone understand.

At Symcor, we did this by implementing a set of data values. We have a set of data values that stand for privacy, accountability, compliance and trust, and we leverage these values to be able to communicate to everyone. It's not just a bunch of things that are buried in a policy. These are the things that you commit to doing every day. That communication is enforced through a lot of interesting and fun activities. We host an annual data privacy day, where we have quizzes and games. We have training. Our data values are actually represented by a little mascot, which is actually an owl. He's quite popular across the organization. People look forward to his little notes and messages.

It's about doing what you say you're going to do, and then standing behind it with the commitment, whether it be a financial commitment, because it does require that level of commitment as well—

4:15 p.m.

Liberal

Michel Picard Liberal Montarville, QC

Thank you.

4:15 p.m.

Conservative

The Chair Conservative Bob Zimmer

Thank you, Monsieur Picard.

Next up, for five minutes, is Monsieur Gourde.

4:15 p.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Thank you, Mr. Chair.

I'd like to thank the witnesses for being here today.

In this digital ID universe, I think Canadians not only deserve, but also have the right, to know that their personal information will be kept confidential. I'm concerned about digital data being stored outside Canada, where the data would be subject to foreign laws, not Canada's.

Do you think Canadians' digital data should be stored in Canada so we can more easily address problems that arise in the future, or can we assume foreign laws are comparable to Canada's and thus we have nothing to worry about?

4:15 p.m.

General Counsel and Vice-President, Canadian Bankers Association

Angelina Mason

I'll have Ms. Mandal speak to the actual data component of digital data, but in regard to the requirement that information be kept secure, as I said earlier, our privacy framework enables us to have data in Canada and outside Canada provided we have appropriate contractual and other measures to ensure the same level of safety.

4:15 p.m.

Vice-President, Banking Transformation and Strategy, Canadian Bankers Association

Marina Mandal

On the data point as it ties into digital ID, I want to make sure we understand. I know you've heard from SecureKey, and I'm using SecureKey as an example because they are a live, private-public sector partnership that is in market.

The triple-blind authentication they talked about means no one has actually seen data. Let's say I go to the bank, or I use my bank credentials to log in to the CRA. The bank doesn't know that; the CRA doesn't know who my bank is, and SecureKey doesn't see any of that. The way the technology works is that no one is seeing anything. It's all done in such a way that, obviously, I am opting in, I am consenting, or I am proactively using the product. Digital ID isn't that flow of data back and forth; it's not the open banking situation. It's really just the authentication and attribute validation components of it.

4:15 p.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Earlier, you recommended that these new technologies be implemented within an appropriate time frame to make sure they are useful and work well. By time frame, do you mean one to three years, three to five years or 10 years?

4:15 p.m.

Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.

Della Shea

I just want to make sure I understand the question. It's about the horizon to implement technologies in a safe way.

I believe it's an ongoing process, so I don't necessarily believe there's a specific time element tied to this. Technologies are not all on an equal playing field right now. Some are much more mature than others. If you look at large players that have invested significant amounts of time, energy and funding into those technologies where there is history, those are things that could be more readily adopted.

I would caution, however, as new technologies come to market, that we need to have an effective way to do proper assessment to ensure that those technologies are achieving the actual goal. That goes beyond just privacy and security to ensuring that the utility and functionality are doing what was originally intended. I believe it's not one size fits all. There could be a tiered approach to doing an assessment of technologies in terms of established technology in the marketplace versus ones that are emerging.

4:20 p.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

In terms of conducting effective assessments, should these new technologies be deployed gradually, starting with a single sector, city, region or province, say, as opposed to the entire country, so as to avoid the kinds of problems that arose with other services?

4:20 p.m.

Vice-President, Privacy & Data Governance and Chief Privacy Officer, Symcor Inc.

Della Shea

That's an excellent recommendation. Essentially, if you assess once, you can apply it multiple times, and that's an important efficiency play. As I mentioned earlier, Canada Health Infoway has a structure whereby they certify a technology. This essentially enables others to leverage that technology within the health care industry without having to do the same assessment over and over again.

4:20 p.m.

Vice-President, Banking Transformation and Strategy, Canadian Bankers Association

Marina Mandal

I can add to that. I completely agree that is a great idea. It's a way to iteratively test without putting customer information at risk. To flag a couple of places where it's happening, in New Brunswick the government has rolled out digital IDs—I'm specifically talking about the technology around digital ID—only on a pilot project basis. In British Columbia, I believe that's the intent as well.

Illinois is using digital ID specifically for tracking who's licensed to be a doctor, so there's that kind of use case as well. Maybe the need is very high there for whatever reason. There are use cases based on the technology used, as well as those based on the type of identification authentication problem you're trying to solve for.

4:20 p.m.

Conservative

Jacques Gourde Conservative Lévis—Lotbinière, QC

Thank you.