On June 27, 2026, the Department of Finance published the proposed Consumer-Driven Banking Regulations (the “Regulations”) under the Consumer Driven Banking Act (the “Act”). Together with the Act, the Regulations introduce a framework, to be overseen by the Bank of Canada (the “Bank”), that enables Canadian individuals and businesses to share their financial data with accredited service providers of their choice. The Regulations include requirements related to accreditation, security, national security, authentication and consent, reporting, record keeping, framework transparency, technical standards, assessments, and violations. Selected key aspects of the Regulations are discussed below.
The Regulations are subject to a 60-day consultation period ending on August 26, 2026, during which interested stakeholders can provide feedback using the comment feature on the Canada Gazette website.
For more information on the consumer-driven banking framework, please refer to our publication titled Budget 2025: The Bank of Canada’s Mandate Expands to Stablecoin and Open Banking.
The Regulations
In-Scope Data
The Act specifies that, at the request of a consumer, participating entities will be required to share both data provided by a consumer and product data related to deposit accounts, payment products, investment accounts, and lending accounts.
The Regulations clarify that the data in respect of which the Act applies includes the following:
- data pertaining to the identity of consumers of the products or services;
- account numbers, branch numbers, transit numbers and other identifiers pertaining to the products or services;
- current or past balances or amounts owing;
- data pertaining to completed, pending or pre-authorized transactions; and
- data respecting the products or services that are available or offered to consumers, including the terms under which they are available or offered.
Accreditation Pathways
The Regulations address four pathways of accreditation specific to applicant entity type:
- accreditation for federal and provincial financial institutions;
- streamlined accreditation for entities registered under the Retail Payment Activities Act;
- non-streamlined accreditation for other entities; and
- accreditation for third-party service providers.
The Regulations set forth the information applicants must submit to the Bank using the electronic system provided for that purpose, as well as the prescribed application fee of $2,500 (subject to an annual adjustment). The Regulations also set forth appeal mechanisms in the event accreditation status is denied, suspended or revoked by the Bank.
Selected Duties of Participating Entities
The Regulations provide details regarding duties that participating entities must fulfill, including:
Display of Sign
Participating entities must display a sign indicating they are a participating entity in the consumer-driven banking framework in their physical and digital properties, and the sign must meet requirements set out in the Regulations.
Notice of Change
Participating entities must notify the Bank of changes that would have impacted the entity’s accreditation outcome had that change been in place during the time that the accreditation application was being reviewed by the Bank. Changes to be reported include those related to information submitted during accreditation, as well as changes to the Accredited Third-Party Service Providers (ATPSPs) with which participating entities contract to perform activities under the Act. Changes with more immediate or pressing impacts must be reported as soon as feasible, while all other changes must be reported within 30 days after they occur.
Record Keeping
Participating entities will need to retain sufficient records to demonstrate their compliance with the Act and the Regulations in an electronic form that is intelligible to the Bank for a period of five years, unless otherwise specified. The Regulations also specify measures that must be taken to protect records from loss, destruction, falsification, inaccuracies, and access by unauthorized persons.
Security
Participating entities must submit a report to the Bank as soon as possible after a breach of security safeguards involving consumer data occurs. Where a breach creates a risk of significant harm to the consumer, the consumer must be notified either directly or indirectly. Participating entities must also report to the Bank with respect to any investigation they undertake regarding a breach of security safeguards.
Consent
The Regulations clarify the following consent-related obligations for participating entities:
- Use of data: The Regulations create a limited set of circumstances where the participating entity can use a consumer’s data that has been shared under the framework for a purpose that is different from the purposes listed when express consent was initially obtained from the consumer. These exceptions are related to investigations of contraventions of the law, emergencies that threaten the life, health or security of an individual, or publicly available data.
- Record of consent: Participating entities must keep and provide a record of express consent to the Bank.
- Consent renewal: The Regulations set out exceptional circumstances in which a consent renewal is required outside of the normal period of valid consent (which is no longer than 12 months), including: (i) when a participating entity becomes aware that a consumer’s authentication information has been stolen or otherwise exposed to imminent risk, (ii) when a participating entity becomes aware of a significant change in the consumer’s circumstance, and (iii) when there is a significant change to the participating entity’s circumstance.
- Data deletion: The Regulations provide that a participating entity’s duty to delete data at a consumer’s request does not apply when consumers have provided consent for participating entities to use “modified versions of their data that have been irreversibly and permanently modified so as to ensure that there is no reasonably foreseeable risk that the consumer can be identified from it, whether directly or indirectly, by any means.”
Authentication
The Regulations require participating entities providing data to use identity and access controls, including multi-factor authentication, and require reauthentication when consent renewal is required.
Data Sharing
In general, participating entities are required to verify the identity of other participating entities prior to sharing data by ensuring that they are on the Bank of Canada registry and that there are no conditions on their registry status that limit their ability to provide or receive data. However, the Regulations also create exceptions to the duty to share where a participating entity can refuse an initial sharing request or stop providing data despite valid consumer consent. These circumstances include instances where there are reasonable grounds to believe that sharing data would cause physical, psychological or financial harm to the consumer, where there are reasonable grounds to believe that sharing data would create risks to the security, integrity, or stability of the framework or a participating entity’s information and communication technology systems, and where consumer accounts have been blocked or suspended.
Participating entities seeking to utilize these exceptions would be required to inform the other participating entity that is requesting or providing the data, as well as the Bank, in order to ensure appropriate application of such exceptions.
Minimum Service Level Standards
The Regulations set the baseline expectations for uptime by requiring Application Programming Interface (API) endpoints to be available 99.5% per month, response times to be reasonable and consistent with generally accepted standards, rate limitations to only be permissible for reasons of technical stability or security, and participating entities to make available a minimum of 24 months of consumer data upon request.
Other Provisions
The Regulations also provide clarity on and set forth requirements relating to:
- National security safeguards: The Minister of Finance will have the power to review applicants and accredited entities, to issue directives to the Bank to refuse, suspend, or revoke access to the consumer-driven banking framework, and to require undertakings from, or impose terms and conditions on, an applicant, participating entity, or ATPSP for national security reasons.
- Annual reporting: Participating entities must submit an annual report to the Bank, in the prescribed form and manner, containing prescribed information.
- Duties of ATPSPs: ATPSPs agree to undertake certain duties regarding record keeping, notices of change and notices of exit from the consumer-driven banking framework.
- Technical standards body: The Regulations prescribe information to be included in the technical standards body’s annual report to the Bank.
- Evidentiary privilege: The Regulations set forth information that must not be used as evidence in any civil proceedings and that is privileged for that purpose.
- Assessment fees: The Regulations set forth an annual assessment regime applicable to participating entities, ATPSPs, and the external complaints body, and mandate that participating entities report, on an annual basis, the prescribed information necessary for the Bank to administer the assessment fee.
- Violations: The Regulations designate which provisions of the Act and regulations are subject to Administrative Monetary Penalties (“AMP”) if contravened. The maximum AMP for a violation is $1,000,000 if committed by an individual and $10,000,000 if committed by a participating entity or ATPSP.
Looking Ahead
Although the Act and Regulations have not yet come into force, they represent an important step in Canada’s journey to open banking and align with the government’s 2026 Spring Economic Update commitment to advance initiatives to promote competition and lower financial costs for Canadians.
Interested stakeholders should review the Regulations in detail and consider providing any feedback during the consultation period.
In addition to the Act and the Regulations themselves, the Bank also plans to develop guidelines further clarifying the requirements therein, which will provide additional insight into the obligations of participating entities.