McCarthy Tétrault

Canada’s Consumer-Driven Banking Framework Takes Shape with Draft Regulations


Blog Post, June 28, 2026

The federal government has released the Consumer-Driven Banking Regulations (the “Regulations”) under the Consumer-Driven Banking Act (the “Act”) for consultation, with comments due by August 26, 2026.

Key Takeaways

  • The Regulations provide the first detailed operational rules for Canada’s consumer-driven banking framework, including in respect of scope, accreditation, security, consent, liability, registry, service levels, fees and enforcement.
     
  • Accreditation will be risk-based, with streamlined pathways for federal and provincial financial institutions and payment service providers (“PSPs”) registered under the Retail Payment Activities Act (“RPAA”) and more detailed requirements for other applicants.
     
  • Security, authentication, consent renewal, breach reporting, record-keeping and annual reporting requirements will require participating entities to build or adapt compliance, operational and technical controls.
     
  • The real-time registry and service-level standards will create ongoing operational requirements for participants, including counterparty verification, uptime monitoring and response-time management.
     
  • The Act contemplates a prohibition on screen scraping, but the prohibition is not yet being brought into force and its timing and parameters remain subject to further consultation and policy development.
     
  • Industry participants should review the proposed requirements closely and consider whether to comment before the August 26, 2026 consultation deadline.

Scope and Application

The Regulations provide further detail on the types of data that constitute “in-scope data” for the products and services that are in scope of the Act (which under the Act are deposit accounts, registered investment accounts, non-registered investment accounts, payment products, lines of credit, mortgages or hypothecs and other kinds of loans), namely:

  • Consumer profile data – data pertaining to the identity of consumers of the products or services;
     
  • Account data – account numbers, branch numbers, transit numbers and other identifiers pertaining to the products or services; the terms under which the products or services are provided, including in relation to fees, interest rates and authorizations; current or past balances or amounts owing; and data pertaining to completed, pending or pre-authorized transactions; and
     
  • Product data – data respecting the products or services that are available or offered to consumers, including the terms under which they are available or offered.

Accreditation

The Act contemplates two key categories of framework participants: “participating entities”, which may request or provide consumer data, and accredited third-party service providers (“ATPSPs”), which provide services to participating entities.

The accreditation process varies depending on the type of entity:

  • Accreditation for federal and provincial financial institutions – Certain banks will be required to participate on a mandatory basis. Other federal and provincial financial institutions (including banks, credit unions, trust companies and insurance companies) may choose to become accredited, by completing an application and submitting certain organizational and operational information.
     
  • Streamlined accreditation for RPAA registered PSPs – Similarly, PSPs registered with the Bank of Canada could become accredited entities by completing a streamlined application process. The Regulations also require such entities to put in place compliance policies to ensure the integrity and good character of key personnel involved in activities related to the Act, as well as demonstrate compliance with the Act’s security requirements.
     
  • Accreditation for third-party service providers – ATPSPs will be required to confirm that they maintain a place of business in Canada and to provide organizational and operational information. The Regulations also require such entities to put in place compliance policies to ensure the integrity and good character of key personnel involved in activities related to the Act.
     
  • Non-streamlined accreditation – The Regulations require applicants using this pathway, including Fintechs that are not registered PSPs, to maintain a place of business in Canada and to demonstrate that their insurance coverage or comparable guarantees address risks associated with the handling of consumer-driven banking data. Applicants would also need to provide organizational and operational information, including evidence of compliance with applicable technical standards, complaints-handling procedures and consent management processes. These applicants will also be required to adopt a policy under which individuals who have significant responsibility for consumer-driven banking activities are periodically assessed for integrity and good character. Applicants would also need to demonstrate compliance with baseline security requirements.

The Bank of Canada will charge an accreditation fee of $2,500 (to be adjusted for inflation) and may refuse an application, suspend or revoke accreditation, or otherwise affect an entity’s participation in the framework, as applicable.

When their accreditation is revoked — whether voluntarily or involuntarily — former participating entities are required to notify affected consumers in writing, and former ATPSPs must notify, as soon as feasible, the participating entities they serve.

The accreditation pathways suggest that Finance Canada is seeking to balance market access with risk-based oversight. Regulated financial institutions and RPAA-registered PSPs benefit from more streamlined entry points, while other Fintechs and other applicants will face more detailed operational, governance and security requirements. This may affect how Fintechs structure their Canadian market entry strategy, including whether RPAA registration should be considered in parallel with consumer-driven banking accreditation.

Registry

The Regulations require a public registry of participating entities and ATPSPs, which is to be updated on a real-time basis. The registry will include each entity’s name and contact information, the date on which it became subject to mandatory participation or received accreditation, its accreditation status (including any suspension or revocation), and the contact details for the individual responsible for overseeing complaints related to the entity’s participation in the framework. It will also include a feature enabling participating entities to access a developer portal to support data sharing, as well as a list of the activities offered by each ATPSP.

The real-time registry will likely become a key operational dependency for participants, particularly for confirming accreditation status, identifying any conditions, suspensions or revocations, and facilitating data-sharing connections. Entities may need to develop processes to monitor registry changes, pause or adjust data-sharing relationships where a counterparty’s status changes, and evidence that registry checks were completed.

National Security

As with the RPAA and the Bank Act, the Act gives the Minister of Finance (the “MoF”) the ability to address risks related to national security. The MoF has the ability to review applicants and accredited entities, and to direct the Bank of Canada to refuse, suspend, or revoke access to the framework. Applicants for accreditation will be required to submit information necessary for national security review purposes to the Bank of Canada, which under the Regulations includes information about their owners, senior officers, directors, and other persons with significant influence (including creditors and state-owned enterprises), information about personal data collection and use, and information about relevant corporate and business relationships.

Under the Regulations, the MoF will have 60 days following the date it is provided with a copy of an application by the Bank of Canada to decide whether to conduct a national security review of the applicant (this period may be extended by one or more 60-day periods). If it does, the review must be conducted within 180 days (which may be extended by one or more 180-day periods). Following the issuance of the MoF’s decision, the applicant may, within 30 days, request that the MoF review such decision.

Security

The Act requires participating entities to maintain security safeguards to protect in-scope data, and the Regulations provide further details on the required safeguards and processes:

  • Specific Security Requirements – Section 37(1) of the Regulations prescribes a list of security safeguards that participating entities must implement, including: vulnerability remediation and timely patching; secure configurations, security software and robust authentication on systems and devices; role-based access controls, unique accounts and limits on shared accounts; encryption and backup of stored data and controls protecting data in transit; controls against unauthorized data transfers, devices and applications; network-traffic monitoring and screening of suspicious content; an up-to-date asset inventory; data-protection terms in third-party contracts; employee cyber-threat training; and an incident response plan.

    The Regulations also require that these safeguards be implemented in a manner proportionate to the sensitivity of the data, and contemplate that an entity may segment its network into security zones. In addition, a participating entity providing data must confirm the consumer's authentication information using multi-factor authentication on the first data request in each consent period.

    These largely reflect recognized baseline cybersecurity practices, but are now mandatory conditions of participation. Entities should map their existing security programs against Section 37 and document how each safeguard is met.
     
  • Presumption for Federal and Provincial Financial Institutions – The Regulations specify that these institutions are presumed to have implemented the Section 37 safeguards unless the Office of the Superintendent of Financial Institutions (“OSFI”) or the applicable provincial regulator has identified deficiencies and directed remedial measures.

    They therefore need only provide a declaration of their compliance with the security safeguards as part of their application (rather than the independent confirmation required of other applicants – see next bullet), reflecting that they are already subject to security oversight under existing prudential frameworks.
     
  • Independent third-party confirmation for other participating entities – Registered PSPs and other entities, such as Fintechs, do not benefit from the above presumption: they must obtain confirmation from a sufficiently skilled independent third party that they have implemented the Section 37 safeguards and submit evidence of it with their application.

ATPSPs are not directly subject to these safeguards; instead, the participating entities engaging them must impose contractual data-protection terms.

This distinction will be important when structuring outsourcing, vendor and service-provider arrangements, because participating entities may remain accountable for ensuring that ATPSPs handle consumer-driven banking data in accordance with contractual safeguards.

  • Breach Notification and Investigation – The Act requires participating entities to report security-safeguard breaches to the Bank of Canada, to notify affected consumers where there is a real risk of significant harm, and to investigate and report their conclusions.

    The Regulations prescribe the details for each: the breach report must cover the breach's circumstances and cause, the data and consumers affected, the impact on consumers and other participating entities and ATPSPs, and mitigation steps; the consumer notice must explain the breach and how to reduce the risk of harm; and the investigation report must address root causes, impacts and steps to prevent recurrence.

    Entities should build these layered, time-sensitive requirements into their incident response plans, including by assigning responsibility for Bank of Canada reporting, consumer notices, root-cause analysis and remediation tracking.

Service-Level Standards

The Act provides for minimum service-level requirements so that in-scope data is shared consistently across the framework. The Regulations set those requirements for any participating entity that shares a consumer's data:

  • Service-Level Requirements – The Regulations impose two distinct standards on a participating entity sharing data.
    • First, a general performance standard: its response times must be consistent with generally accepted international standards.
    • Second, a specific availability standard: any electronic system it uses to share the data must be operational at least 99.5% of the time in a calendar month, apart from planned outages.

      Participating entities will need to measure and monitor both response times and system uptime on an ongoing basis to demonstrate compliance.
       
  • Planned Outage Requirements – The 99.5% availability standard excludes planned outages, but the Regulations define these narrowly. A planned outage must be notified to the Bank of Canada at least one week in advance — or, where necessary to resolve a critical service or security issue, as soon as feasible — and its duration and frequency must be commensurate with outages of the participating entity's own consumer-facing electronic systems.

    In other words, entities cannot hold their data-sharing systems to a lower availability standard than the systems they offer their own customers.
     
  • Restriction on Rate Management – The Regulations also limit how participating entities may manage traffic on their data-sharing systems. Traffic management measures — including rate-limiting, throttling and preferencing — may be used only as necessary to ensure the technical stability or security of the system, and only in a manner that is proportionate and non-discriminatory, that does not degrade outcomes for consumers, and that does not prevent other participating entities or ATPSPs from effectively performing their activities under the Act.

    This is designed to prevent entities from using traffic management to disadvantage competitors or frustrate data sharing, while preserving their ability to protect system stability and security.
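As an added illustration (not code from the post, the Bank of Canada or any participant), the following Python model shows how the 99.5% monthly availability standard and the planned-outage carve-out described above could be measured. The outage records, entity systems and the "critical fix counts as notified as soon as feasible" reading are this example's own assumptions; the "commensurate" comparison is simplified to count and total minutes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
import calendar

AVAILABILITY_TARGET = 0.995             # operational at least 99.5% of a calendar month
MIN_PLANNED_NOTICE = timedelta(days=7)  # Bank of Canada notified at least one week in advance


@dataclass
class Outage:
    start: datetime
    end: datetime
    planned: bool = False
    notified_at: Optional[datetime] = None  # when the Bank of Canada was notified, if at all
    critical_fix: bool = False              # needed to resolve a critical service or security issue


def is_excludable(o: Outage) -> bool:
    """Only a planned outage that met the notice rule is left out of the availability figure.
    Assumption: a critical-fix outage is treated as 'notified as soon as feasible' whenever
    a notification was sent at all; everything else needs at least one week's notice."""
    if not o.planned or o.notified_at is None:
        return False
    if o.critical_fix:
        return True
    return o.start - o.notified_at >= MIN_PLANNED_NOTICE


def month_window(year: int, month: int) -> Tuple[datetime, datetime]:
    start = datetime(year, month, 1)
    return start, start + timedelta(days=calendar.monthrange(year, month)[1])


def seconds_within(o: Outage, start: datetime, end: datetime) -> float:
    """Portion of an outage that falls inside [start, end); outages can straddle month ends."""
    return max(0.0, (min(o.end, end) - max(o.start, start)).total_seconds())


def monthly_availability(year: int, month: int, outages: List[Outage]) -> float:
    start, end = month_window(year, month)
    counted = sum(seconds_within(o, start, end) for o in outages if not is_excludable(o))
    return 1.0 - counted / (end - start).total_seconds()


def meets_standard(year: int, month: int, outages: List[Outage]) -> bool:
    return monthly_availability(year, month, outages) >= AVAILABILITY_TARGET


def planned_commensurate(data_sharing: List[Outage], consumer_facing: List[Outage]) -> bool:
    """Planned outages on the data-sharing system may not be more frequent or longer than
    those on the entity's own consumer-facing systems. Simplification: count and total
    seconds must not exceed the consumer-facing figures."""
    def stats(lst: List[Outage]) -> Tuple[int, float]:
        planned = [o for o in lst if o.planned]
        return len(planned), sum((o.end - o.start).total_seconds() for o in planned)
    n_ds, s_ds = stats(data_sharing)
    n_cf, s_cf = stats(consumer_facing)
    return n_ds <= n_cf and s_ds <= s_cf


# Constructed sample month: March 2026 has 31 days = 2,678,400 s, so 0.5% is 13,392 s.
def at(day: int, hour: int = 0, minute: int = 0) -> datetime:
    return datetime(2026, 3, day, hour, minute)


SAMPLE_OUTAGES = [
    Outage(at(5, 2), at(5, 6), planned=True, notified_at=datetime(2026, 2, 20)),  # 4 h, one week+ notice
    Outage(at(12, 1), at(12, 3), planned=True, notified_at=at(10)),              # 2 h, only 2 days' notice
    Outage(at(20, 9), at(20, 10, 30)),                                           # 90 min, unplanned
]

# Constructed planned outages on the same entity's consumer-facing online banking system.
CONSUMER_FACING_PLANNED = [
    Outage(at(5, 2), at(5, 6), planned=True, notified_at=datetime(2026, 2, 20)),
    Outage(at(19, 1), at(19, 5), planned=True, notified_at=at(11)),
]

if __name__ == "__main__":
    # Counted downtime is 7,200 s + 5,400 s = 12,600 s, below the 13,392 s budget.
    print(f"availability {monthly_availability(2026, 3, SAMPLE_OUTAGES):.5%}",
          "compliant" if meets_standard(2026, 3, SAMPLE_OUTAGES) else "non-compliant")
```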

Authentication and Consent

The Regulations fill in a number of details regarding how consent, authentication and verification are intended to operate in practice. Based on the additional information provided in the Regulations, a typical sequence would proceed as follows:

  • Consent obtained – The requesting entity obtains the consumer's express consent to request and receive their data, including the required disclosures as to the purpose, scope and duration of the consent.
     
  • Counterparty verification – Before any data is exchanged, each participating entity verifies the identity and registry status of the other, confirming, by reference to the Bank of Canada's public registry, that the other entity is a participating entity whose accreditation has not been suspended or made subject to conditions that would preclude the exchange.
     
  • Request and hand-off to the provider – On the first request for the consumer's data during the consent period, the requesting entity, with the consumer's knowledge, redirects the consumer to the providing entity for authentication and advises the providing entity of the duration and scope of the consumer's consent.
     
  • Provider authenticates and obtains consumer acknowledgement – Before providing the data, the providing entity: (a) confirms the consumer's authentication information using multi-factor authentication; and (b) obtains the consumer's acknowledgement of the name of the requesting entity, the nature of the request, and the accounts from which the data will be provided.
     
  • Data shared and consumer redirected back – Once authentication and acknowledgement are complete, the providing entity shares the consumer's data with the requesting entity and redirects the consumer back to it.

The Regulations also include a number of other notable details regarding the consent and authentication process, including the following:

  • Circumstances requiring renewal of consent – Consent is valid for a maximum of 12 months, but the Regulations require earlier renewal where: the consumer's authentication information has been stolen or exposed to imminent risk; there has been a significant change to the consumer's circumstances, or to the participating entity, that would reasonably call the consent into question; or another participating entity requests a renewal under Section 93 of the Act (see next bullet).

    Several of these triggers, particularly a “significant change”, are relatively subjective. Entities will need internal criteria and monitoring processes to identify when renewal is required, and should ensure that customer-facing consent flows can support renewals without unnecessary friction.
     
  • Cross-entity renewal requests – Section 93 of the Act requires a providing entity to ask the requesting entity (which holds the consent) to renew a consumer's consent, but only "in the circumstances and within the period provided for in the regulations". The intended scope of this was unclear until now. Section 46 of the Regulations fills the gap: a providing entity must make the request as soon as feasible after becoming aware that the consumer's authentication information has been compromised, or of a significant change to the consumer's circumstances or to the providing entity itself.

    This gives the providing entity, often the first to detect a problem such as compromised credentials, a defined route to require the requesting entity to seek a renewal.
     
  • Deletion and the de-identification alternative – Under the Act, where consent is withdrawn or not renewed, the participating entity must, on request and unless prohibited by law, delete the affected data.

    The Regulations clarify that this duty does not extend to data that has been irreversibly and permanently modified so that there is no reasonably foreseeable risk the consumer can be identified from it, directly or indirectly, by any means, meaning a participating entity may de-identify the data to that standard instead of deleting it.
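As an added example (not code from the post or from any regulator or participant), the following Python model ties together the five-step consent and authentication sequence and the renewal triggers described above. The entity names, registry status labels, the "no-data-exchange" condition and the event names are constructed; it assumes that multi-factor authentication is needed only on the first request in each consent period and approximates the 12-month maximum as 365 days.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MAX_CONSENT_PERIOD = timedelta(days=365)   # consent valid for at most 12 months (assumed as 365 days)


@dataclass(frozen=True)
class RegistryEntry:
    name: str
    status: str                        # constructed labels: accredited, mandatory, suspended, revoked
    conditions: Tuple[str, ...] = ()   # conditions attached to the accreditation


PRECLUDING_CONDITIONS = {"no-data-exchange"}   # constructed label for a condition precluding exchange


def counterparty_ok(registry: Dict[str, RegistryEntry], entity_id: str) -> bool:
    """Counterparty verification against the public registry: the other side must be a
    participating entity that is not suspended or revoked and not subject to a precluding condition."""
    entry = registry.get(entity_id)
    if entry is None or entry.status not in ("accredited", "mandatory"):
        return False
    return not (set(entry.conditions) & PRECLUDING_CONDITIONS)


@dataclass
class Consent:
    consumer: str
    requesting: str                 # entity that obtained the consent and requests the data
    providing: str                  # entity that holds the accounts
    purpose: str
    accounts: Tuple[str, ...]
    granted_at: datetime
    duration: timedelta
    mfa_done: bool = False          # MFA and acknowledgement completed in this consent period
    renewal_reason: Optional[str] = None

    def expires_at(self) -> datetime:
        return self.granted_at + min(self.duration, MAX_CONSENT_PERIOD)


def handle_data_request(consent: Consent, registry: Dict[str, RegistryEntry], now: datetime,
                        mfa_passed: bool = False, acknowledged: bool = False) -> str:
    """One data request, seen from the requesting entity; returns a short outcome."""
    if not (counterparty_ok(registry, consent.requesting) and counterparty_ok(registry, consent.providing)):
        return "refused: counterparty verification failed"
    if consent.renewal_reason is not None or now >= consent.expires_at():
        return "refused: consent must be renewed"
    if not consent.mfa_done:
        # First request of the consent period: consumer is redirected to the provider, which
        # confirms authentication with MFA and obtains the acknowledgement of requesting entity,
        # nature of request and accounts before anything is shared.
        if not mfa_passed:
            return "redirect: provider must confirm multi-factor authentication"
        if not acknowledged:
            return "redirect: consumer acknowledgement required"
        consent.mfa_done = True
    return "data shared; consumer redirected back to requesting entity"


RENEWAL_TRIGGERS = {   # triggers described above; event names are constructed
    "credentials_compromised": "authentication information stolen or at imminent risk",
    "consumer_change": "significant change to the consumer's circumstances",
    "entity_change": "significant change to a participating entity",
}


def provider_renewal_request(consent: Consent, event: str) -> Optional[dict]:
    """Section 46 route: the providing entity, on becoming aware of a trigger, asks the
    requesting entity (holder of the consent) to seek a renewal."""
    if event not in RENEWAL_TRIGGERS:
        return None
    return {"to": consent.requesting, "from": consent.providing,
            "consumer": consent.consumer, "reason": RENEWAL_TRIGGERS[event]}


def apply_renewal_request(consent: Consent, request: dict) -> None:
    """Requesting side stops relying on the consent until it has been renewed."""
    consent.renewal_reason = request["reason"]


def renew_consent(old: Consent, now: datetime, duration: timedelta) -> Consent:
    """A renewal opens a new consent period, so MFA is required again on the first request."""
    return replace(old, granted_at=now, duration=duration, mfa_done=False, renewal_reason=None)


def run_scenario() -> Tuple[List[str], Consent]:
    """Constructed walk-through: first request, repeat request, compromise, renewal, bad counterparty."""
    registry = {"fintech-a": RegistryEntry("Fintech A Inc.", "accredited"),
                "bank-b": RegistryEntry("Bank B", "mandatory"),
                "fintech-c": RegistryEntry("Fintech C Inc.", "suspended")}
    t0 = datetime(2026, 9, 1)
    consent = Consent("alice", "fintech-a", "bank-b", "budgeting", ("CHQ-001",), t0, timedelta(days=90))
    out = [handle_data_request(consent, registry, t0),
           handle_data_request(consent, registry, t0, mfa_passed=True),
           handle_data_request(consent, registry, t0, mfa_passed=True, acknowledged=True),
           handle_data_request(consent, registry, t0 + timedelta(days=1))]
    apply_renewal_request(consent, provider_renewal_request(consent, "credentials_compromised"))
    out.append(handle_data_request(consent, registry, t0 + timedelta(days=2)))
    consent = renew_consent(consent, t0 + timedelta(days=3), timedelta(days=400))
    out.append(handle_data_request(consent, registry, t0 + timedelta(days=3)))
    out.append(handle_data_request(replace(consent, providing="fintech-c"), registry, t0 + timedelta(days=3)))
    return out, consent
```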

Annual Reporting Obligations

Similar to the requirements under the RPAA, annual reporting of certain information by participating entities to the Bank of Canada is required. The information specified in the Regulations includes information relating to sharing of consumer data, express consents obtained, deletion requests and availability, certain changes with respect to security safeguards and policies and procedures, breaches of security safeguards, and financial performance metrics, among other things, as well as a declaration that the entity remains in compliance with the prescribed technical standards.

The designated technical standards body is also required to submit an annual report to the Bank of Canada to demonstrate that it remains compliant with the requirements to maintain such designation.

Record-Keeping

Participating entities will also be required to maintain sufficient records to demonstrate their compliance with the Act and the Regulations and retain such records for a period of five years – this also aligns with the requirements under the RPAA. Such entities will be required to take measures to protect the records from loss, destruction, falsification, inaccuracies, and access by unauthorized persons.

Liability

The Regulations require participating entities to notify consumers of reasonable steps they can take to protect their authentication information and to explain the consequences that may arise from gross negligence (or gross fault in Quebec).

The Regulations also seek to provide further clarity on liability under the consumer-driven banking framework. In particular, they provide that if a consumer is not liable, as between the participating entities, liability is to be determined as follows:

  • the participating entity that requests the data is liable to the extent that the loss occurs in relation to that participating entity’s seeking of the consumer’s consent to request their data, its making of that request or its receipt of the requested data; and
     
  • the participating entity that provides the data is liable to the extent that the loss occurs in relation to that participating entity’s receipt of the request to provide the consumer’s data, its confirmation of information or its preparation and provision of the requested data.

The liability framework is designed to allocate responsibility based on the role each participating entity plays in the data-sharing transaction. This should provide greater certainty for participants, but will also make it important for entities to clearly document their respective obligations, controls and hand-off points. Participating entities should also consider whether their contractual arrangements appropriately address operational failures, incident response, indemnities and audit rights.

From a consumer protection perspective, the framework preserves the principle that consumers should generally not bear losses unless they have acted with gross negligence or, in Quebec, gross fault.

Although the framework provides a clearer starting point for allocating liability, disputes may still arise where a loss involves overlapping failures, multiple hand-offs, or uncertainty as to where the failure occurred. Participating entities should therefore ensure that their technical logs, consent records, authentication records and incident documentation are sufficient to establish the point at which an issue arose.

Prohibition On Screen Scraping

The Act contemplates a prohibition on screen scraping, the practice of granting a service provider access to financial data by sharing online banking credentials. The consumer-driven banking framework is intended to replace this practice with a secure, accredited channel for data sharing.

The prohibition appears in the Act, but its implementation looks likely to be some way off. The Regulatory Impact Analysis Statement (“RIAS”) explains that the prohibition is not required to operationalize the broader framework and will not be brought into force until further consultation and policy development have taken place. Consistent with this, the Regulations do not bring the prohibition into force or define its parameters, and no timeline has been provided.

That said, a ban is clearly contemplated, with only its timing and parameters left to be settled. Entities whose models depend on screen scraping should therefore follow the coming consultation closely and prepare for an eventual transition to the accredited, API-based framework.

Technical Standards Body

The Regulations do not designate the technical standards body, which, pursuant to the Act, is to be designated by ministerial order.

However, the Regulations set out additional reporting requirements for the technical standards body, which will be required to provide an annual report including information about security features. In addition, the Regulations require the technical standards body to notify the Bank of Canada of any changes that could be relevant to the body’s designation under the Act.

Assessment Of Fees

The consumer-driven banking regime is a cost recovery regime, which seeks to ensure that entities with larger asset bases bear a greater proportion of the costs, while helping to minimize volatility and administrative burden for smaller participants and new entrants.

The Regulations set out a tiered assessment formula for participating entities, consisting of a base fee and a variable fee component based on total asset value, and prescribe flat fees for ATPSPs ($10,000) and the external complaints body ($50,000).

Under the Regulations, participating entities will be required to report, on an annual basis, the information necessary for the Bank of Canada to calculate the applicable fee, including the participating entity’s total asset value as of December 31 for each calendar year.

Violations

Contravention of the Act may result in significant penalties, with the maximum penalty per violation being $1,000,000 if the violation is committed by an individual and $10,000,000 if committed by a participating entity or an ATPSP.

Unlike the RPAA, violations are not subject to defined severity classifications; rather, they are within the discretion of the Bank of Canada. The Bank of Canada also has other enforcement tools available to it, such as the ability to suspend or revoke accreditation, issue undertakings and impose terms and conditions.

Privilege

The Regulations outline the types of information that will be privileged for purposes of civil proceedings:

  • any direction, notice, letter, plan, report or recommendation that is issued or prepared by the Bank in connection with its supervision of an entity under the Act;
     
  • any compliance agreement; and
     
  • any correspondence between the Bank and an applicant, a participating entity, an ATPSP, the external complaints body or the technical standards body, or between the external complaints body or technical standards body and an applicant for accreditation, a participating entity or an ATPSP relating to the Bank’s supervision of an entity under the Act.

Appeal Period

The Regulations establish a 30-day timeframe for exercising the right of appeal to the Federal Court.

Coming Into Force

The Regulations are proposed to take effect on the date that the corresponding provisions of the Act are brought into force by orders of the Governor in Council.

Implementation would occur in phases, beginning with the accreditation requirements, followed by the common rules and assessment fee requirements at subsequent dates.

The implementation of requirements relating to “in-scope data” (for example, accounts) would also be phased, with different coming-into-force dates based on account-type complexity. According to the RIAS, deposit and payment accounts would come into scope first, followed by lending accounts, registered accounts and non-registered accounts.

The phased approach means participants will need to track both framework-level implementation dates and product-specific coming-into-force dates. This may affect sequencing for accreditation, technology builds, counterparty onboarding, consent design, operational testing and customer communications.

Broader Policy Context

Consumer-Driven Banking and Canada’s Payments Modernization

When leveraged in connection with Canada’s new payments rail, the Real-Time Rail (“RTR”), which is anticipated to launch in Q4 2026, the consumer-driven banking framework could provide an important foundation for a modern Canadian open-finance payments ecosystem.

Although “write access” is not part of the first phase of the framework, “read-only access” still has the potential to benefit consumers and merchants through the use of reliable financial data in connection with real-time payments and financial management tools, such as cash flow management. “Write access” would allow even greater innovation and automation of payments, including through embedded finance tools. For some Fintechs, in particular, registering as a PSP under the RPAA is a first step toward unlocking these potential opportunities, as it may be an important precondition to accessing both consumer-driven banking and RTR in Canada.

Consumer-Driven Banking and Privacy Reform

The consumer-driven banking framework does not operate in isolation from Canada's broader privacy regime. It is best understood as the first sector-specific application of a wider shift in federal privacy law toward "data mobility", the ability of individuals to move their personal information between organizations (though Quebec’s Law 25 does have a data mobility right that came into force in September 2024).

Canada's current private-sector privacy law, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), has not traditionally given individuals a standardized way to have their personal information transferred from one organization to another. As the RIAS notes, recent amendments to PIPEDA began to change this by enshrining an economy-wide right to data portability – but one that takes effect only in sectors that develop secure, interoperable frameworks. Consumer-driven banking is intended to be the first such framework.

Bill C-36 reinforces this direction. The proposed Protecting Privacy and Consumer Data Act ("PPCDA"), which received first reading on June 15, 2026, would repeal PIPEDA's privacy provisions and replace them with a modernized statute – see this post for more details. Most relevant here, the PPCDA would create a data mobility right: at an individual's request, an organization must disclose the personal information it collected from that individual to another organization the individual designates — but only where both organizations are "subject to a data mobility framework".

The two regimes dovetail. The privacy statute creates the right to move personal data, while the consumer-driven banking framework supplies the secure, interoperable and supervised framework that makes that right operational in the financial sector.

An implementation challenge is that privacy legislation is generally focused on personal information about individuals, while the consumer-driven banking framework applies to consumers that include both individuals and certain businesses. As a result, participants will need to distinguish between data mobility obligations rooted in privacy law and consumer-driven banking obligations that may apply to business account data, including where business records contain personal information about owners, employees, guarantors or other individuals.

For participating entities, this means consumer-driven banking activities will sit at the intersection of the two regimes. Entities should keep their consent, security and breach practices consistent across both, and should monitor Bill C-36 as it advances through Parliament, since it remains at an early stage and may still change.

Consultation and Next Steps

Industry participants should consider whether to provide comments on areas that will be particularly important for implementation, including accreditation pathways, third-party security confirmation, consent renewal triggers, service-level standards, registry functionality, the transition away from screen scraping and the sequencing of coming-into-force dates.

Once the consultation period ends, the Department of Finance will consider feedback and finalize the Regulations. At the same time, the Bank of Canada will continue developing its supervisory framework for participating entities, including expectations relating to governance, risk management and operational resilience. In addition, as set out in the 2025 federal budget, the Department of Finance will begin to consider steps needed to implement “write access” functionality.

The Regulations also leave several important areas for future development, including the treatment of derived data, exceptions to data-sharing obligations, the timing and parameters of the screen scraping prohibition, designation of the technical standards body and related technical standards, consumer-facing signage, complaints-handling mechanics and the scope of direct obligations applicable to ATPSPs. These areas will be important to monitor as consumer-driven banking moves from legislative framework to operational implementation.

Market participants should also monitor the Canadian Investment Regulatory Organization’s parallel consultation on how it can support the adoption of consumer-driven banking in Canada, as it may affect the broader evolution of consumer-permissioned data sharing in Canada.

For more information about our firm’s Fintech expertise, please see our Fintech group’s page.
