Blog

Canada Advances Consumer-Driven Banking Framework with Proposed Regulations

Adam W. Taylor, Matthew Flynn and Simon Grant
July 8, 2026
Modern fintech design with blue silver gradient and abstract shapes for corporate backgrounds and data flow concepts
Authors
Adam W. TaylorPartner
Matthew FlynnPartner
Simon GrantPartner

For fintechs, payment service providers and banks, the proposed Consumer-Driven Banking Regulations (the Regulations) released by the Department of Finance under the Consumer-Driven Banking Act (the CDBA) on June 27, 2026 provide the first detailed look at what it will take to participate in Canada's new open banking regime.

As we noted in Fintech in Canada Q1 2026, once enacted in force, together the CDBA and proposed Regulations would establish Canada’s consumer-driven banking framework, to be overseen by the Bank of Canada. Designed to bring financial systems into a consumer-centered future, the proposed regulations aim to empower individuals and businesses by giving them more control over their financial data.

The proposed Regulations set out detailed requirements for accreditation, security, national security, authentication, consent, reporting, record keeping, transparency, technical standards, assessments, liability and violations. Key features of the proposed regime are summarized below.

Stakeholders have 60 days to provide comments, with the consultation period closing on August 26, 2026. Comments may be submitted through the Canada Gazette website.

Key Implications

The proposed Regulations would move Canada closer to implementing a formal consumer-driven banking framework.

Entities seeking to participate will need to assess whether they qualify for streamlined or non-streamlined accreditation and prepare for prescribed application requirements.

Participating entities should expect ongoing obligations relating to security, consent, authentication, record keeping, reporting and service levels.

Organizations that may be affected should consider reviewing the proposed Regulations and submitting comments before the August 26, 2026 deadline.

Key Features Of the Proposed Regulations

In-Scope Data

The CDBA requires participating entities to share certain financial data at a consumer’s request. This includes information provided by the consumer, as well as product data related to deposit accounts, payment products, investment accounts and lending accounts.

The proposed Regulations clarify that this data includes:

  • consumer identity information;
  • account, branch, transit and other product or service identifiers;
  • current and past balances, including amounts owing;
  • completed, pending and pre-authorized transaction data; and
  • information about products or services available to consumers, including applicable terms.

Accreditation Pathways

The proposed Regulations establish four accreditation pathways, depending on the applicant:

  • federal and provincial financial institutions;
  • entities registered under the Retail Payment Activities Act, which may qualify for streamlined accreditation;
  • ·other entities, which would follow a non-streamlined accreditation process; and
  • third-party service providers.

Applicants would be required to submit prescribed information to the Bank through its electronic system and pay an application fee of C$2,500, subject to annual adjustment. The proposed Regulations also include appeal mechanisms where accreditation is denied, suspended or revoked.

Ongoing Duties of Participating Entities

Participating entities would be subject to a range of ongoing obligations under the proposed Regulations, including the following:

Display of Participation Sign

Participating entities would be required to display a sign indicating their participation in the consumer-driven banking framework. The sign must appear in both physical and digital locations and comply with the requirements set out in the proposed Regulations.

Notice of Change

Participating entities would be required to notify the Bank of changes that could have affected the outcome of their accreditation application had those changes existed during the Bank’s review. This includes changes to information submitted during accreditation and changes involving accredited third-party service providers. Urgent changes must be reported as soon as feasible; all other changes must be reported within 30 days.

Record Keeping

Participating entities would be required to maintain records sufficient to demonstrate compliance with the CDBA and the proposed Regulations. Records must be retained electronically, in a form the Bank can understand, for five years unless another period applies. The proposed Regulations also require safeguards to protect records from loss, destruction, falsification, inaccuracies and unauthorized access.

Security

Participating entities would be required to report breaches of security safeguards involving consumer data to the Bank as soon as feasible. If a breach creates a risk of significant harm to a consumer, the consumer must also be notified, either directly or indirectly. Participating entities must also report to the Bank on any investigation they conduct into a security breach.

Consent

The proposed Regulations provide additional detail on consent-related obligations, including:

  • Use of data: A participating entity may use shared consumer data for a purpose different from the one originally consented to only in limited circumstances, such as legal investigations, emergencies involving life, health, or security or where the data is publicly available.
  • Record of consent: Participating entities must keep records of express consent and provide them to the Bank when required.
  • Consent renewal: Consent generally remains valid for no longer than 12 months. Earlier renewal may be required where authentication information has been stolen or exposed to imminent risk, where there is a significant change in the consumer’s circumstances, or where there is a significant change in the participating entity’s circumstances.
  • Data deletion: Participating entities do not have to delete data at a consumer’s request where the consumer has consented to the use of modified data that has been irreversibly and permanently changed so that the consumer cannot reasonably be identified, directly or indirectly.

Authentication

Participating entities that provide data would be required to use identity and access controls, including multi-factor authentication. Reauthentication would be required when consent must be renewed.

Data Sharing

Before sharing data, participating entities would generally be required to confirm that the other participating entity is listed on the Bank of Canada registry and that its registry status does not include conditions limiting its ability to send or receive data.

The proposed Regulations would also permit a participating entity to refuse an initial data-sharing request, or to stop sharing data despite valid consumer consent, in specified circumstances. These include situations where there are reasonable grounds to believe that sharing data could cause physical, psychological, or financial harm to the consumer; create risks to the security, integrity, or stability of the framework or a participating entity’s technology systems; or involve an account that has been blocked or suspended.

A participating entity relying on these exceptions would be required to notify both the other participating entity involved in the request and the Bank.

Minimum Service Level Standards

The proposed Regulations set baseline service expectations for participating entities. Application programming interface endpoints would be required to be available 99.5% of the time each month. Response times must be reasonable and consistent with generally accepted standards, and rate limits may be used only for technical stability or security reasons. Participating entities must also make at least 24 months of consumer data available on request.

Other Notable Provisions

The proposed Regulations address several additional matters, including:

  • National security safeguards: The Minister of Finance may review applicants and accredited entities, direct the Bank to refuse, suspend, or revoke access to the framework, and require undertakings or impose terms and conditions for national security reasons.
  • Annual reporting: Participating entities must submit annual reports to the Bank in the prescribed form and manner.
  • Duties of accredited third-party service providers: These providers must meet certain obligations related to record keeping, notices of change and notices of exit from the framework.
  • Technical standards body: The proposed Regulations prescribe information that must be included in the technical standards body’s annual report to the Bank.
  • Evidentiary privilege: Certain information must not be used as evidence in civil proceedings and is privileged for that purpose.
  • Assessment fees: The proposed Regulations create an annual assessment regime for participating entities, accredited third-party service providers and the external complaints body. Participating entities must report the prescribed information needed for the Bank to administer the assessment fee.
  • Violations: The proposed Regulations identify which provisions may lead to administrative monetary penalties if breached. The maximum penalty is C$1,000,000 for an individual and C$10,000,000 for a participating entity or accredited third-party service provider.

Policy Context: Consumer-Driven Banking and Privacy Reform

Canada’s consumer-driven banking framework is not just a financial services initiative. It is part of a broader shift in privacy law toward giving people more control over their personal information—including the ability to move that information securely from one organization to another.

This idea is often called data mobility. In simple terms, it means that individuals should be able to ask one organization to share their information with another organization in a secure and standardized way. Quebec has already taken a step in this direction through Law 25, which introduced a data mobility right that came into force in September 2024. At the federal level, the focus is now on creating practical frameworks that can make data mobility work in specific sectors. Consumer-driven banking is the first sector-specific application of this shift toward data mobility.

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s current federal private-sector privacy law, individuals have not had a clear, consistent way to require one organization to transfer their personal information to another. Recent privacy reform efforts are intended to change that by supporting a broader data portability right. But that right needs more than legal wording—it also needs approved systems, common rules and secure technical standards.

Consumer-driven banking is expected to be the first major federal framework to put that idea into operation. In the financial sector, the framework would allow consumers to share financial data safely with participating organizations, subject to rules around consent, security, accreditation, liability and oversight.

Bill C-36 would move federal privacy reform further along. Introduced at first reading on June 15, 2026, it would enact the proposed Protecting Privacy and Consumer Data Act (PPCDA) and replace the privacy provisions of PIPEDA with a modernized private-sector privacy law.

For consumer-driven banking, one of the most important features of the PPCDA is the proposed data mobility right. If enacted, individuals could ask an organization to disclose personal information collected from them to another organization they choose—but only where both organizations are subject to a data mobility framework.

The privacy legislation and the banking framework are designed to work together. Privacy law would create the individual’s legal right to move personal information. The consumer-driven banking framework would provide the practical system for doing so in the financial services sector.

That connection matters because data mobility is only useful if it can be trusted. Consumers need confidence that their information will be shared only with consent, through secure channels, and with organizations that are subject to appropriate oversight.

One important complication is that privacy law and consumer-driven banking do not focus on exactly the same thing. Privacy law is mainly concerned with personal information about identifiable individuals. The consumer-driven banking regime, however, applies to “consumers”, which can include both individuals and certain businesses.

That means participants will need to understand which obligations arise because personal information is involved, and which obligations arise because business financial data falls within the consumer-driven banking framework. This distinction may be especially important for business accounts that include personal information about owners, employees, guarantors or other individuals.

For organizations participating in consumer-driven banking, this is not just a banking compliance exercise. It is also a privacy compliance exercise. Consent processes, security controls and breach-response procedures should be aligned across both regimes.

Organizations should also continue to monitor Bill C-36 as it moves through Parliament. The bill remains at an early stage, and the final version may look different from the text introduced at first reading.

Key Takeaways

Although the CDBA and proposed Regulations are not yet in force, they represent a significant step toward open banking in Canada. They also align with the government’s 2026 Spring Economic Update commitment to advance initiatives intended to promote competition and help lower financial costs for Canadians.

Organizations that may participate in, rely on or be affected by the framework should review the proposed Regulations carefully and consider whether to submit feedback during the consultation period.

The Bank is also expected to develop guidelines that will further clarify requirements under the CDBA and proposed Regulations. Those guidelines should provide additional insight into the practical obligations of participating entities.

For more information, or to discuss how the proposed Regulations may affect your organization, please contact us.

Social Media
Download
Download
Subscribe
Republication Requests

To obtain permission to republish this publication or any other publication, contact Erica Wirthlin at wirthline@bennettjones.com.

For Informational Purposes Only

This publication provides an overview of trends and legal updates for informational purposes only. For personalized legal advice, please contact the authors.

Authors

Adam W. Taylor, Partner
Toronto  •   416.777.5515  •   taylorad@bennettjones.com
Matthew Flynn, Partner
Toronto  •   416.777.7488  •   flynnm@bennettjones.com
Simon Grant, Partner
Toronto  •   416.777.6246  •   grants@bennettjones.com