Bennett JonesBlog Canada Advances Consumer-Driven Banking Framework with Proposed RegulationsAdam W. Taylor, Matthew Flynn and Simon Grant July 8, 2026 ![]() Authors Adam W. TaylorPartner Matthew FlynnPartner Simon GrantPartner For fintechs, payment service providers and banks, the proposed Consumer-Driven Banking Regulations (the Regulations) released by the Department of Finance under the Consumer-Driven Banking Act (the CDBA) on June 27, 2026 provide the first detailed look at what it will take to participate in Canada's new open banking regime. As we noted in Fintech in Canada Q1 2026, once enacted in force, together the CDBA and proposed Regulations would establish Canada’s consumer-driven banking framework, to be overseen by the Bank of Canada. Designed to bring financial systems into a consumer-centered future, the proposed regulations aim to empower individuals and businesses by giving them more control over their financial data. The proposed Regulations set out detailed requirements for accreditation, security, national security, authentication, consent, reporting, record keeping, transparency, technical standards, assessments, liability and violations. Key features of the proposed regime are summarized below. Stakeholders have 60 days to provide comments, with the consultation period closing on August 26, 2026. Comments may be submitted through the Canada Gazette website.
Key Features Of the Proposed RegulationsIn-Scope DataThe CDBA requires participating entities to share certain financial data at a consumer’s request. This includes information provided by the consumer, as well as product data related to deposit accounts, payment products, investment accounts and lending accounts. The proposed Regulations clarify that this data includes:
Accreditation PathwaysThe proposed Regulations establish four accreditation pathways, depending on the applicant:
Applicants would be required to submit prescribed information to the Bank through its electronic system and pay an application fee of C$2,500, subject to annual adjustment. The proposed Regulations also include appeal mechanisms where accreditation is denied, suspended or revoked. Ongoing Duties of Participating EntitiesParticipating entities would be subject to a range of ongoing obligations under the proposed Regulations, including the following: Display of Participation SignParticipating entities would be required to display a sign indicating their participation in the consumer-driven banking framework. The sign must appear in both physical and digital locations and comply with the requirements set out in the proposed Regulations. Notice of ChangeParticipating entities would be required to notify the Bank of changes that could have affected the outcome of their accreditation application had those changes existed during the Bank’s review. This includes changes to information submitted during accreditation and changes involving accredited third-party service providers. Urgent changes must be reported as soon as feasible; all other changes must be reported within 30 days. Record KeepingParticipating entities would be required to maintain records sufficient to demonstrate compliance with the CDBA and the proposed Regulations. Records must be retained electronically, in a form the Bank can understand, for five years unless another period applies. The proposed Regulations also require safeguards to protect records from loss, destruction, falsification, inaccuracies and unauthorized access. SecurityParticipating entities would be required to report breaches of security safeguards involving consumer data to the Bank as soon as feasible. If a breach creates a risk of significant harm to a consumer, the consumer must also be notified, either directly or indirectly. Participating entities must also report to the Bank on any investigation they conduct into a security breach. ConsentThe proposed Regulations provide additional detail on consent-related obligations, including:
AuthenticationParticipating entities that provide data would be required to use identity and access controls, including multi-factor authentication. Reauthentication would be required when consent must be renewed. Data SharingBefore sharing data, participating entities would generally be required to confirm that the other participating entity is listed on the Bank of Canada registry and that its registry status does not include conditions limiting its ability to send or receive data. The proposed Regulations would also permit a participating entity to refuse an initial data-sharing request, or to stop sharing data despite valid consumer consent, in specified circumstances. These include situations where there are reasonable grounds to believe that sharing data could cause physical, psychological, or financial harm to the consumer; create risks to the security, integrity, or stability of the framework or a participating entity’s technology systems; or involve an account that has been blocked or suspended. A participating entity relying on these exceptions would be required to notify both the other participating entity involved in the request and the Bank. Minimum Service Level StandardsThe proposed Regulations set baseline service expectations for participating entities. Application programming interface endpoints would be required to be available 99.5% of the time each month. Response times must be reasonable and consistent with generally accepted standards, and rate limits may be used only for technical stability or security reasons. Participating entities must also make at least 24 months of consumer data available on request. Other Notable ProvisionsThe proposed Regulations address several additional matters, including:
Policy Context: Consumer-Driven Banking and Privacy ReformCanada’s consumer-driven banking framework is not just a financial services initiative. It is part of a broader shift in privacy law toward giving people more control over their personal information—including the ability to move that information securely from one organization to another. This idea is often called data mobility. In simple terms, it means that individuals should be able to ask one organization to share their information with another organization in a secure and standardized way. Quebec has already taken a step in this direction through Law 25, which introduced a data mobility right that came into force in September 2024. At the federal level, the focus is now on creating practical frameworks that can make data mobility work in specific sectors. Consumer-driven banking is the first sector-specific application of this shift toward data mobility. Under the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s current federal private-sector privacy law, individuals have not had a clear, consistent way to require one organization to transfer their personal information to another. Recent privacy reform efforts are intended to change that by supporting a broader data portability right. But that right needs more than legal wording—it also needs approved systems, common rules and secure technical standards. Consumer-driven banking is expected to be the first major federal framework to put that idea into operation. In the financial sector, the framework would allow consumers to share financial data safely with participating organizations, subject to rules around consent, security, accreditation, liability and oversight. Bill C-36 would move federal privacy reform further along. Introduced at first reading on June 15, 2026, it would enact the proposed Protecting Privacy and Consumer Data Act (PPCDA) and replace the privacy provisions of PIPEDA with a modernized private-sector privacy law. For consumer-driven banking, one of the most important features of the PPCDA is the proposed data mobility right. If enacted, individuals could ask an organization to disclose personal information collected from them to another organization they choose—but only where both organizations are subject to a data mobility framework. The privacy legislation and the banking framework are designed to work together. Privacy law would create the individual’s legal right to move personal information. The consumer-driven banking framework would provide the practical system for doing so in the financial services sector. That connection matters because data mobility is only useful if it can be trusted. Consumers need confidence that their information will be shared only with consent, through secure channels, and with organizations that are subject to appropriate oversight. One important complication is that privacy law and consumer-driven banking do not focus on exactly the same thing. Privacy law is mainly concerned with personal information about identifiable individuals. The consumer-driven banking regime, however, applies to “consumers”, which can include both individuals and certain businesses. That means participants will need to understand which obligations arise because personal information is involved, and which obligations arise because business financial data falls within the consumer-driven banking framework. This distinction may be especially important for business accounts that include personal information about owners, employees, guarantors or other individuals. For organizations participating in consumer-driven banking, this is not just a banking compliance exercise. It is also a privacy compliance exercise. Consent processes, security controls and breach-response procedures should be aligned across both regimes. Organizations should also continue to monitor Bill C-36 as it moves through Parliament. The bill remains at an early stage, and the final version may look different from the text introduced at first reading. Key TakeawaysAlthough the CDBA and proposed Regulations are not yet in force, they represent a significant step toward open banking in Canada. They also align with the government’s 2026 Spring Economic Update commitment to advance initiatives intended to promote competition and help lower financial costs for Canadians. Organizations that may participate in, rely on or be affected by the framework should review the proposed Regulations carefully and consider whether to submit feedback during the consultation period. The Bank is also expected to develop guidelines that will further clarify requirements under the CDBA and proposed Regulations. Those guidelines should provide additional insight into the practical obligations of participating entities. For more information, or to discuss how the proposed Regulations may affect your organization, please contact us. Republication Requests To obtain permission to republish this publication or any other publication, contact Erica Wirthlin at wirthline@bennettjones.com. For Informational Purposes Only This publication provides an overview of trends and legal updates for informational purposes only. For personalized legal advice, please contact the authors. AuthorsAdam W. Taylor, Partner Toronto • 416.777.5515 • taylorad@bennettjones.com Matthew Flynn, Partner Toronto • 416.777.7488 • flynnm@bennettjones.com Simon Grant, Partner Toronto • 416.777.6246 • grants@bennettjones.com | |
Bennett Jones