The new Consumer‑Driven Banking Act explained

In April 2025, we published an introduction to open banking in Canada, outlining the federal government's plans to establish a consumer-driven banking framework. Since then, Parliament has made significant progress in advancing the enabling legislation. This article provides an update on key developments and summarizes the core features of the new Consumer‑Driven Banking Act.

Bill C-15, the Budget 2025 Implementation Act, No. 1, received Royal Assent on March 26, 2026. Division 9 of Part 5 of Bill C-15 repeals the original Consumer-Driven Banking Act (enacted as Part 1 in June 2024) and replaces it with a comprehensive new Consumer-Driven Banking Act (CDBA) to establish Canada's long-anticipated open banking framework.

What is consumer-driven banking?

Consumer-driven banking, also known as open banking, refers to a secure framework that enables individuals and businesses to share their financial data with approved service providers of their choice. Currently, approximately nine million Canadians share their financial data through "screen scraping," a process that requires users to provide their confidential banking credentials to third parties, exposing them to increased security and privacy risks. The new framework will use application programming interfaces (APIs) to facilitate secure data sharing, significantly reducing these risks.

Key changes from the 2024 framework

The following summarizes the principal differences between the 2024 framework and the new framework introduced in Bill C-15.

Shift in regulatory oversight and accreditation framework

The most notable change is the shift in regulatory oversight from the Financial Consumer Agency of Canada (FCAC) to the Bank of Canada, leveraging the Bank's existing supervisory role under the Retail Payment Activities Act. The Bank of Canada will be responsible for supervising all participants in the consumer-driven banking framework, monitoring market trends and consumer impacts, and fostering both participation in the system and competition in the financial sector for the benefit of consumers. The Bank of Canada will now be responsible for maintaining the public registry of participating entities and evaluating accreditation applications. The statute now sets out accreditation requirements applicable to federal and provincial financial institutions, registered payment service providers, and other eligible entities. Schedule I banks may be designated by the Minister of Finance (the Minister) for mandatory participation, while other entities may seek accreditation on a voluntary basis if they meet entry requirements. The Minister retains authority to designate a technical standards body, with Bank of Canada supervision.

Expanded purpose and third‑party roles

The new CDBA broadens the framework’s purpose to explicitly promote competition in the financial sector, in addition to its existing focus on consumer protection and data security. The scope has also been widened from “small businesses” to “businesses” generally, which may capture small‑ and medium‑sized enterprises. The bill introduced a new regime for accredited third‑party service providers, requiring participating entities that outsource consent management, authentication, or data‑movement functions to use only accredited providers.

Consumer liability protections and prohibition on screen scraping

Consumer liability protections are now addressed directly in the CDBA. Consumers will not be liable for financial losses arising from data sharing, except in cases of gross negligence (or, in Quebec, gross fault) in safeguarding their authentication information. A participating entity is liable to the consumer for any financial loss that directly results from the loss, unauthorized access, or unauthorized use of the consumer’s data caused by a breach of its security safeguards during data sharing. The entity remains liable even if it relies on a third-party service provider or an affiliate to carry out its activities. Where a consumer notifies a participating entity that their authentication information has been lost, stolen, or otherwise compromised, the consumer is not liable for any financial loss incurred after the entity receives the notice, unless the entity establishes, on a balance of probabilities, that the consumer contributed to the unauthorized use. Bill C-15 also enacts a prohibition on screen scraping, which is now considered an offence under the CDBA.

Strengthened enforcement and national security measures

The enforcement regime has been strengthened. The 2024 framework provided for criminal offences and penalties for misrepresentation (up to CAD 5,000,000 for entities on indictment). Bill C-15 retains these criminal offences and adds administrative monetary penalties of up to CAD 10,000,000 for participating entities and CAD 1,000,000 for individuals. National security provisions have also been enhanced, including review of accreditation applications, directives to refuse accreditation, and authority to suspend or revoke accreditation for national security reasons, with security and intelligence agencies available to assist.

Expanded provincial participation framework

The new CDBA expands the framework for provincial participation. While provincial credit unions and Crown corporations could "opt in" to FCAC supervision under the 2024 framework, the new legislation allows the Minister to designate a provincial regulator to oversee certain provisions, including security, privacy, liability, and complaints for entities within its jurisdiction.

Data mobility under PIPEDA

Bill C-15 also amends the Personal Information Protection and Electronic Documents Act (PIPEDA) to introduce a right to data mobility across economic sectors. This amendment requires organizations, upon an individual's request, to disclose personal information they have collected to a designated organization, provided both organizations are subject to a data-mobility framework. Consumer-driven banking will serve as the first iteration of such a framework, laying the groundwork for broader cross-sectoral data sharing.

Next steps

Although the CDBA has received Royal Assent, several steps remain before the framework is fully operational. The government has set out a two-phase roadmap for consumer-driven banking. The first phase, covered by Bill C-15, focuses on "read access," enabling consumers to securely direct their financial data to participating entities of their choice.

The Department of Finance intends to develop supporting regulations through a consultative process that will include public engagement. These regulations will address accreditation criteria and requirements, security safeguards, consumer liability protections, consent and data‑sharing procedures, complaint handling and reporting obligations, administrative penalties for non‑compliance, technical standards, and the scope of financial entities and data types required to participate in the initial phase.

The second phase, targeted for mid-2027, will introduce “write access,” allowing consumers to initiate payments, switch accounts, and take other actions through participating entities once Canada’s Real-Time Rail project is live and in widespread use.

Implications for financial institutions and fintechs

The CDBA represents both a compliance obligation and an opportunity for digital transformation. Participating Entities will need to ensure their systems are capable of secure, API-driven data sharing and that they have robust policies and procedures for consent management, security, fraud prevention, and complaint handling. The framework may also open new avenues for partnerships with fintechs and the development of innovative, data-driven products and services such as budgeting apps, alternative credit scoring models, and personalized financial advice platforms.

Contact a member of our Financial Services or Compliance team if you have any questions or need further assistance regarding open banking and its implementation in Canada.