On June 27, 2026, the federal government published the proposed Consumer-Driven Banking Regulations in the Canada Gazette, Part I, marking another major milestone in Canada's transition toward an open banking framework. The regulations are open for public consultation until August 26, 2026, after which they may be finalized and brought into force under the Consumer-Driven Banking Act.
The proposed regulations provide the detailed rules that will govern how accredited participants access, share and protect consumer financial data in Canada.
Consumer-driven banking (commonly referred to as open banking) allows consumers and businesses to securely authorize the sharing of their financial information with accredited third-party providers using standardized APIs instead of sharing online banking usernames and passwords.
The Government estimates that approximately nine million Canadians currently rely upon “screen scraping” to connect financial applications with their bank accounts. Under screen scraping, consumers provide their banking credentials directly to fintechs, creating cybersecurity, privacy and liability concerns that the new framework seeks to eliminate.
The proposed regulations are designed to implement a supervised alternative administered by the Bank of Canada.
The Bank of Canada Will Become Canada's Open Banking Regulator
One notable aspect of the legislation is that oversight will be placed largely with the Bank of Canada, rather than creating an entirely new regulator.
This builds upon the Bank's existing supervisory role under the Retail Payment Activities Act (RPAA), where it already regulates payment service providers.
The Bank will be responsible for:
- Accrediting participants;
- Maintaining a public registry of accredited entities;
- Supervising ongoing compliance;
- Receiving reports regarding security incidents;
- Monitoring operational requirements; and
- Suspending or revoking accreditation where appropriate.
Who Can Participate?
The proposed framework initially includes:
- Certain large federally regulated banks (mandatory participants);
- Other federally regulated financial institutions;
- Provincial financial institutions that opt in;
- Payment service providers already registered under the RPAA;
- Fintech companies; and
- Accredited third-party service providers.
Interestingly, the regulations create a streamlined accreditation process for payment service providers already registered under the RPAA, reducing duplication for businesses already supervised by the Bank of Canada.
Accreditation Requirements
Applicants seeking accreditation will generally need to demonstrate:
- A place of business in Canada;
- Appropriate insurance or comparable financial guarantees;
- Security controls and cybersecurity safeguards;
- Organizational governance;
- Complaint handling procedures;
- Technical standards compliance;
- Consent management procedures; and
- Policies ensuring the integrity and good character of individuals responsible for consumer-driven banking activities.
Unlike many licensing regimes, accreditation does not require periodic renewal. Instead, accredited entities must continuously satisfy the eligibility requirements and notify the Bank of Canada whenever material information changes.
National Security Review
The proposed regulations introduce a significant national security component.
Applicants must disclose extensive information regarding:
- Ownership structures;
- Directors and senior officers;
- Persons exercising significant influence;
- State-owned enterprise involvement;
- Creditors;
- Corporate relationships; and
- Data collection and sharing practices.
The Minister of Finance will have authority to review applications for national security concerns and may direct the Bank of Canada to refuse, suspend or revoke accreditation where necessary.
These provisions closely resemble the national security review powers already found under the Retail Payment Activities Act.
Security and Consumer Protection
The regulations impose extensive security obligations, including requirements relating to:
- Multi-factor authentication;
- Incident response;
- Encryption;
- Access controls;
- Cloud security;
- Record retention;
- Security awareness training;
- Annual reporting; and
- Mandatory breach reporting.
Participating entities would also be required to notify consumers whenever security breaches create a risk of significant harm.
Consent Rules
Consumer consent is one of the cornerstones of the proposed framework.
The regulations establish detailed rules governing:
- Obtaining express consent;
- Renewing consent;
- Revoking consent;
- Retaining records of consent;
- Limited exceptions allowing data use without renewed consent; and
- Deleting consumer data following requests.
Generally, consumer consent will not remain valid for more than 12 months before renewal becomes necessary.
Liability Framework
The regulations attempt to clearly allocate liability between participants.
Generally speaking:
- The organization requesting data is responsible for obtaining consumer consent and securely receiving the data.
- The organization providing the data is responsible for authenticating the consumer and securely transmitting the information.
This division of responsibility is intended to reduce uncertainty when data-sharing incidents occur.
Technical Standards
The framework will require all participants to implement a single technical standard established by a designated technical standards body.
The goal is interoperability across Canada's financial system while avoiding fragmentation between competing standards.
Proposed Service Standards
The regulations also establish baseline operational expectations, including:
- 99.5% monthly system availability;
- Availability of at least 24 months of historical consumer financial data;
- Reasonable API response times;
- Limited use of rate limiting; and
- Advance notice of planned outages.
These operational requirements are intended to create a consistent consumer experience regardless of which financial institution or fintech is involved.
Why These Regulations Matter
Although the Consumer-Driven Banking Act established Canada's legislative framework earlier this year, legislation alone could not operationalize the system.
These proposed regulations provide many of the practical details businesses have been waiting for, including:
- Accreditation criteria;
- Reporting obligations;
- Security requirements;
- Consent management rules;
- Technical standards;
- National security reviews; and
- Consumer protection measures.
For banks, fintechs, payment service providers and technology companies hoping to participate in Canada's future open banking ecosystem, these regulations deserve careful review.
Substance Law Comment
Businesses operating in financial technology, payments or digital financial services should begin assessing whether they intend to participate in Canada's consumer-driven banking framework.
Many organizations that already comply with the Retail Payment Activities Act may benefit from the proposed streamlined accreditation pathway, but they will still need to satisfy the consumer-driven banking requirements relating to consent, security, technical standards and ongoing compliance.
The consultation period closes on August 26, 2026, giving stakeholders an opportunity to provide comments before the regulations are finalized.
