Consent management and the right to be forgotten: Any sharing of information across entities via APIs will require explicit consent from the data subject. For example, Québec’s Protection of Personal Information in the Private Sector states that consent must be clear, free and informed and be given for specific purposes. It must be requested for each such purpose, in clear and simple language and separately from any other information provided to the person concerned. We expect the federal regulations to follow suit, which means that any open banking strategy needs to include consent as a central item to allow an organization to use APIs.
Consent and its management are often underestimated in practice. Many organizations are looking toward fintechs to help them manage consent. Under new privacy laws, data subjects have an additional “right to be forgotten,” meaning that organizations should ensure they have the mechanisms in place to meet this request from a data subject and ensure all third parties do the same. It remains the responsibility of the data controller to maintain the consent, withdrawal of consent and sharing of all personal information. The data controller is an individual or organization that manages how data is processed and is responsible for complying with data protection regulations.
Data management: Operationally, the flow of data should be mapped end to end to ensure that the data controller can demonstrate they understand how data flows across different business functions and enabling technology components, and who has access to it.
Identification, classification, protection, retention and destruction of client records should be agreed between the data controller and data processor in the organization and/or any third party engaged in any capacity through the data’s lifecycle. A data processor is a person or organization who deals with personal data as instructed by a controller for specific purposes and services offered to the controller.
The need to align with regulatory requirements should be kept front and centre when developing policies governing the classification, level of protection, retention and destruction of client records. Further, with many organizations adopting advanced analytics engines, AI and machine learning capabilities to gain insights from their data, organizations should also consider the risks associated with data ethics and quality.
Another key aspect for organizations to consider is data portability. How capable would your organization be to actually move the data at the data subject’s request? How quickly could you do it? And have you considered all these checks and balances in your open banking strategy?
Security risk: Processes to deal with data breaches or incidents will also be a factor. In a world where the protection of IT systems has become mandatory and fundamental for every kind of business, it is important to be prepared to face cyberattacks in the most cost-effective way.
According to EY’s Global Information Security Survey Results 2019-20, 59% of organizations have faced a material or significant incident in the past 12 months. The EY Global Board Risk survey reveals 48% of boards believe that cyberattacks and data breaches will more than moderately impact their business in the next 12 months. A cyber event such as a successful attack can have a major impact on an organization both reputationally and financially, including potential fines, if it does not appropriately manage its cybersecurity mechanisms.
In addition to adapting to cybersecurity threats, it’s important for organizations to consider the impact of the API architecture on their security strategy. Additionally, regulators are paying close attention to the development of cyberthreats. For example, the Office of the Superintendent of Financial Institutions (OSFI) published Draft Guideline B‑13, Technology and Cyber Risk Management, with a primary focus on cybersecurity and risk management.
The evolving business and regulatory landscape with increasing cyber threats makes it necessary for organizations to take a proactive approach to reduce risk. Organizations should develop security resilience programs using industry leading practices related to specific threats potentially impacting their businesses.
Business risk: As the post-pandemic industry takes shape, consumer expectations are changing. Increased use of technology and the ready availability of information mean that consumers’ knowledge of their rights, privacy and data use is growing. Banks can no longer afford not to meet their customers’ expectations and needs with regard to the speed at which they want information, flexibility of product offerings, transparency around how their data is being used and with whom their data is shared.