Consumer-Targeted Fraud: What Banks Need to Know About Proposed Amendments to the Financial Consumer Protection Framework Regulations

The federal government has published proposed Regulations Amending the Financial Consumer Protection Framework Regulations (the “Regulations”) under the Bank Act (the “Act”) for consultation, with comments due by July 27, 2026. The Regulations are scheduled to come into force on July 1, 2027.

If enacted, the proposed amendments will require banks to implement new controls to detect and prevent to consumer-targeted fraud, including obtaining customer consent before enabling electronic funds transfers (“EFTs”) capabilities for certain accounts, enhancing fraud monitoring and investigation processes, and reporting fraud-related data to the Financial Consumer Agency of Canada (“FCAC”).

Key Takeaways

• The proposed Regulations would introduce new operational requirements for banks aimed at addressing consumer-targeted fraud.
• Banks would be required to obtain express consent before enabling certain electronic funds transfer capabilities for personal deposit accounts and to allow consumers to disable those capabilities.
• Banks would need to implement processes for transaction-limit increase requests, suspicious transaction investigations and consumer notifications.
• The proposal would create new fraud-related data collection and reporting obligations to the FCAC, with the first annual reporting period beginning January 1, 2028.
• Enforcement of the provisions of the proposed Regulations would be imposed through a variety of approaches, from warning letters or undertakings to FCAC to compliance agreements and Notices of Violation and Administrative Monetary Penalties (AMPs).

How Do the Proposed Regulations Fit Within the Broader Increasing Focus on Fraud Prevention?

The Regulations are intended to operationalize amendments to the Bank Act announced in Budget 2025 (see our earlier blog post) and enacted through the Budget Implementation Act, 2025, No. 1. Although those amendments are not yet in force, once effective they will impose new requirements on banks to address consumer-targeted fraud, which the government has stated is a “foreseeable risk associated with bank-enabled payment features, including Interac e-Transfers, wire transfers and global money transfers.”^[i]

In particular, these amendments would be made subsequent to legislative amendments to the Bank Act that would introduce a new definition of “consumer-targeted fraud”:

“consumer-targeted fraud,” in relation to a product or service in Canada that is offered, sold or provided by an institution to a natural person other than for business purposes, includes a transaction that is unauthorized or that is authorized as a result of coercion or deception.^[ii]

Notably, the definition captures both unauthorized transactions and transactions that are technically authorized by the consumer, but only as a result of coercion or deception. This recognizes that fraud risk is not limited to traditional unauthorized account access, and may also include circumstances where a consumer is manipulated into authorizing a transaction, such as through romance, investment, or merchandise or online marketplace scams.

Banks will therefore need to consider not only whether a transaction was authenticated or initiated through valid credentials, but also whether their fraud prevention, monitoring, investigation and consumer-notification processes can identify and respond to indicators of coercion, deception or social-engineering activity.

The Regulations also come in the context of the federal government’s broader consultation on a National Anti-Fraud Strategy, discussed in our earlier blog post, which focused on strengthening fraud prevention and response measures across the banking, telecommunications and digital services sectors. After consultation, the government determined that a regulatory rather than voluntary approach was needed to provide consumers adequate protections, achieve consistency across the banking sector and provide reliable fraud data to the Department of Finance and FCAC.

At the same time, Québec has also moved to address consumer fraud through amendments to its consumer protection legislation that would require banks, in certain circumstances, to reimburse consumers for unauthorized transactions, underscoring the broader regulatory focus on shifting more responsibility to financial institutions to prevent and respond to fraud.

What New Consumer-Targeted Fraud Requirements Will Apply to Banks?

The Regulations propose a number of new requirements that would apply to banks and authorized foreign banks under the Act (collectively, “banks”):

• Account capabilities

The Regulations propose that banks be required to:

• obtain a consumer’s express consent before enabling EFT capabilities for personal deposit accounts (including wire transfers, global money transfers and Interac e-Transfers), after first informing the consumer of the nature of those capabilities and how they may be used; and
• permit consumers to disable EFT capabilities.

EFTs between accounts held by the same person within the same financial institution, automatic teller machine withdrawals, payments using payment card credentials (including debit and prepaid cards), pre-authorized debits and direct bill payments are exempt from the above.

In practice, banks will need to ensure that account-opening, digital-banking and customer-service channels can capture and evidence express consent, clearly explain the relevant EFT capabilities to consumers, and support consumer requests to disable those capabilities without creating unnecessary friction.

• Withdrawal and transfer limit implementation periods

The Regulations propose that banks be required to implement requests to increase transaction limits “without delay” where the consumer’s identity has been verified, or by the next business day where identity verification has not been completed.

The use of the terminology “without delay” is not new to the Bank Act or to the FCAC.  In particular, in the FCAC’s recent Thematic Review on Electronic Alerts, the FCAC indicated that it interpreted “without delay” in the context of e-alerts as being immediate and as soon as the trigger is met.

This suggests that FCAC may expect banks to process verified requests to increase transaction limits essentially in real time once the relevant trigger is met, which may have implications for system design, staffing and exception handling.

• Consumer-targeted fraud policies and procedures

Section 627.134 of the Bank Act^[iii] already requires an institution to establish and adhere to policies and procedures to detect and prevent consumer-targeted fraud and mitigate its impact. Such policies must include “any prescribed criteria."

The Regulations propose to add additional “prescribed criteria” that banks must include in their policies and procedures and would require banks to review these procedures at least annually. Under the proposed Regulations, the following would also be “prescribed criteria”:

• the criteria the institution uses to investigate transactions it has decided are suspicious under paragraph 627.134(2)(a) of the Act;
• the criteria the institution uses to decide whether to notify the natural person in whose name that account is kept that a suspicious request to activate a prescribed account capability; and
• the criteria the institution uses to decide to increase a limit referred to in subsection 627.132(1) of the Act has been received with respect to the account.

Banks should consider whether existing fraud-monitoring, investigation, escalation and customer-notification processes are sufficiently documented, consistently applied and reviewed on an ongoing basis, including whether employees have clear guidance on when a request or transaction should be treated as suspicious.

• Fraud-related data collection and reporting

The Regulations propose requiring banks to collect and report specified fraud-related data to the FCAC, including the type of scheme and transaction method used to defraud the consumer, through an annual reporting process.

Banks would also be required to report to the FCAC on:

• steps taken to implement and adhere to their consumer-targeted fraud policies and procedures;
• training provided to employees in respect of consumer-targeted fraud;
• internal fraud reduction targets.

These reporting requirements may require banks to enhance fraud taxonomy, data capture, case-management and reporting systems so that fraud incidents can be categorized consistently and the required information can be extracted and reported to the FCAC within applicable timelines.

• Disclosures at account opening

The Regulations propose requiring banks, at account opening, to disclose to consumers that certain account capabilities require express consent before they may be enabled, that those capabilities may be disabled, and that transaction limits may be adjusted.

Banks will need to review account-opening disclosures, scripts and digital flows to ensure that consumers receive clear information about consent-based account capabilities, the ability to disable those capabilities and the availability of transaction-limit adjustments at the appropriate point in the customer journey.

What Should Banks Do Now to Prepare?

Industry participants should consider whether to provide comments on aspects of the Regulations that may be particularly important for implementation, including the scope of the consent requirements, the timing for implementing transaction-limit increases, expectations for identifying suspicious requests or transactions, the format and granularity of fraud-related reporting, and the operational feasibility of the proposed annual review and reporting requirements.

Banks should also begin assessing the practical changes that may be required if the Regulations are finalized substantially as proposed. Given that several requirements may require changes to digital channels, operational workflows and fraud data architecture, banks may want to begin readiness planning well before the July 2027 coming-into-force date.

This may include:

• reviewing account-opening and digital-banking flows;
• assessing consent capture and disablement processes;
• updating transaction-limit workflows;
• enhancing fraud-monitoring and escalation procedures;
• strengthening employee training programs;
• reviewing fraud taxonomy, case-management systems and FCAC reporting capabilities.

The Regulations are scheduled to come into force on July 1, 2027. The first annual report to the FCAC is expected to be due by May 15, 2029, covering the period beginning January 1, 2028 and ending December 31, 2028.

Given these timelines, banks should consider using the consultation period and the lead-up to implementation to identify internal owners, assess current-state readiness and develop a practical implementation roadmap.

For more information about our firm’s financial institutions regulatory expertise, please see our firm’s Financial Institutions Regulatory and White Collar Defence and Investigations pages.

^[i] Regulatory Impact Analysis Statement.

^[ii] See Bill C-15 proposing amendment to Bank Act, s. 627.01(1). The amendments come into force on a day to be fixed by order of the Governor in Council.

^[iii] This section come into force on a day to be fixed by order of the Governor in Council.