
Proposed Consumer-Driven Banking Regulations Released for Comment

July 3, 2026

On June 27, 2026, the Department of Finance published long-awaited proposed regulations (CDB Regulations), aimed at supporting the implementation of the Consumer-Driven Banking Act (CDB Act).  

The CDB Regulations represent a significant step toward implementing Canada’s consumer-driven banking framework (Framework) and are open for a 60-day comment period ending August 26, 2026.  

Statutory Framework and Implementing Regulations

As discussed in our earlier bulletins, the CDB Act, enacted through the Budget Implementation Act, 2025, No. 1 (Bill C-15), which received Royal Assent on March 26, 2026, establishes the Framework. The Framework is overseen by the Bank of Canada and includes rules relating to governance, scope, participation, accreditation, common rules (consent, liability, security), technical standards and national security review.  

The CDB Regulations build on this legislative framework by prescribing detailed requirements, including rules relating to accreditation, security, national security review, consent, authentication, liability, reporting, record keeping and data sharing. What follows is a high-level overview of the key requirements.  

Accreditation and Participation Requirements

Under the CDB Act, participation in the Framework is divided between: 

  • Participating entities, such as financial institutions and registered payment service providers (PSPs), that directly provide, request or receive consumer data 
  • Accredited third-party service providers (ATPSPs), which perform prescribed functions on behalf of participating entities, such as consent management, authentication or data movement 

The Bank of Canada will be responsible for accrediting eligible participants, maintaining a public registry of participating entities and ATPSPs, and supervising compliance with the Framework. It will also have access to a range of enforcement tools, including suspension and revocation powers, compliance agreements and administrative monetary penalties.  

Accreditation

Banks mandated to participate in the Framework are not subject to the accreditation process. Other entities seeking to participate must apply through one of four accreditation pathways: 

  1. Fintechs and other entities 
  2. Payment service providers (PSPs) registered under the Retail Payment Activities Act (RPAA) 
  3. Federal and provincial financial institutions 
  4. ATPSPs

Regulated financial institutions and RPAA-registered PSPs benefit from streamlined accreditation processes that leverage existing regulatory oversight, while fintechs and other non-regulated entities are subject to more extensive accreditation requirements. 

Regardless of the accreditation pathway, applicants will be required to pay an accreditation fee of C$2,500 (subject to annual indexation and rounding). Participating entities will also be subject to ongoing annual assessment fees once the Framework becomes operational. 

National Security Review

Consistent with the Bank Act and RPAA, all accreditation applicants may be subject to review by the Minister of Finance on national security grounds. The Minister may refuse accreditation, impose terms and conditions, require undertakings or direct the revocation of accreditation where national security concerns arise.  

Security and Operational Requirements

Baseline Security Requirements

Given the sensitive nature of the consumer financial data handled by participating entities, the CDB Regulations establish comprehensive security requirements intended to provide a common baseline across the Framework to address operational and cybersecurity risks.  

Participating entities will be required to implement extensive security safeguards, proportionate to the sensitivity of the data, including: 


  • Procedures for identifying and remediating vulnerabilities 
  • Secure default configurations 
  • Security software and monitoring tools 
  • Robust authentication methods 
  • Access management policies 
  • Encryption and backup processes 
  • Network security controls and safeguards 
  • Controls relating to external storage 
  • Restrictions on unauthorized devices and applications 
  • Contractual protections governing third-party service providers for data protection 
  • Employee training and incident response planning 


Federal and provincial financial institutions are generally permitted to rely on existing prudential and supervisory frameworks to demonstrate compliance with these requirements, subject to oversight by their respective regulators (i.e., OSFI or applicable provincial regulators). 

Service-Level Standards

Participating entities will also be required to comply with minimum service-level standards, including maintaining 99.5% monthly endpoint availability as a baseline expectation for uptime and making 24 months of consumer financial data available upon request. The government has indicated that the 24-month requirement is intended to support core consumer-driven banking use cases such as budgeting, credit building and credit adjudication. 

Record Keeping and Reporting

Consistent with requirements under the RPAA, participating entities will be subject to a five-year record retention requirement for records demonstrating compliance with the CDB Act and CDB Regulations. They must also implement safeguards to protect those records against loss, destruction, falsification, inaccuracies and unauthorized access. 

Participating entities will also be required to provide annual reporting to the Bank of Canada regarding prescribed matters, including: 

  • Consumer data sharing activities 
  • Express consents and deletion requests 
  • Changes to security safeguards and policies and procedures 
  • Security breaches 
  • Financial performance metrics 
  • Continued compliance with applicable technical standards 

In addition, participating entities must: 

  • Report breaches involving consumer data to the Bank of Canada as soon as feasible after becoming aware of the breach 
  • Notify affected consumers where a breach poses a real risk of significant harm

Scope of Data

The CDB Act establishes the general categories of consumer-authorized information that must be shared under the Framework, while excluding derived data that has been significantly enhanced to increase its usefulness or commercial value. The CDB Regulations provide additional detail regarding the scope of data that must be shared. 

The CDB Regulations specify that in-scope data includes: 

  1. Consumer profile data, such as name, address, date of birth and employment information 
  2. Account data, including account identifiers, account agreements, balances and transaction information 
  3. Product data, such as the terms under which financial products or services are available or offered by participating entities to consumers

The CDB Regulations also permit data to be used by participating entities for purposes other than those initially consented to in limited circumstances: 

  • Investigations relating to contraventions of law 
  • Emergencies involving threats to life, health or security 
  • Where the data is publicly available 

In addition, deletion requests may be refused if the data has been irreversibly and permanently anonymized such that re-identification is not reasonably foreseeable, or where legal retention obligations prevent deletion.  

Data Sharing

A central feature of the Framework is that a participating entity must share in-scope consumer-authorized data with other participating entities as directed by the consumer. The CDB Regulations prescribe the operational requirements governing that process. 

Before sharing or requesting data, a participating entity must: 

  1. Verify the identity of the counterparty 
  2. Confirm through the Bank of Canada registry that the counterparty is accredited and authorized to provide or receive data

The CDB Regulations permit participating entities to refuse a data-sharing request notwithstanding valid consumer consent where there are reasonable grounds to believe:  

  1. Sharing would cause physical, psychological or financial harm to the consumer 
  2. Sharing would adversely impact the security, integrity or stability of the Framework or of a participating entity’s information and communication technology systems 
  3. The account to which the data relates has been blocked or suspended

These exceptions permit participating entities to refuse or discontinue data sharing where consumer protection, account status or system integrity concerns arise, but require participating entities relying on one of these exceptions to notify both the requesting entity and the Bank of Canada. 

Consent Renewal and Authentication

Under the CDB Act, express consent is required and is valid for a maximum of 12 months, after which it must be renewed. The CDB Regulations also prescribe circumstances in which renewal is required before the end of the normal consent period. The circumstances include: 

  • Where the consumer’s authentication information has been compromised or exposed to imminent risk 
  • Where there has been a significant change to the consumer’s circumstances 
  • Where there has been a significant change to the participating entity’s circumstances 
  • Where another participating entity has requested renewal of such consent based on the previous reasons

The authentication framework divides responsibilities between: 

  • Data-requesting entities that are responsible for obtaining consent and initiating authentication through the data provider 
  • Data-providing entities that are responsible for authenticating the consumer, including through multi-factor authentication, before data is shared

Reauthentication is required upon renewal of consent and at the beginning of each new consent period. 

Liability

The CDB Act establishes the core liability framework applicable to financial losses arising from data sharing under the Framework, including the principle that liability generally follows the data. The proposed CDB Regulations provide additional clarity regarding the respective responsibilities of participating entities when requesting, authenticating, transmitting and receiving data. 

A participating entity is responsible for safeguarding consumer data within its control during data sharing, including where an affiliate or ATPSP performs activities on its behalf. It is liable to the consumer for any financial loss arising directly from the loss of, unauthorized access to, or unauthorized use of data resulting from a breach of its security safeguards. 

The CDB Regulations clarify that:  

  • Data-requesting entities are responsible for obtaining consent and securely receiving data 
  • Data-providing entities are responsible for authenticating consumers and securely transmitting data

Consumers are generally not liable for financial losses arising from data sharing. However, liability may shift to the consumer if they have demonstrated “gross negligence” (or, in Quebec, “faute lourde”) in safeguarding their authentication credentials. Misuse of credentials alone does not establish gross negligence, and the participating entity bears the burden of proving such conduct. 

Notably, the CDB Regulations also require participating entities to advise consumers regarding reasonable measures to safeguard authentication information and the consequences of gross negligence (or faute lourde in Quebec). 

Next Steps

The CDB Regulations will come into force on a staggered basis as relevant provisions of the Consumer-Driven Banking Act are brought into force by orders of the Governor in Council. Accreditation requirements are expected to be phased in first, followed by common rules and assessment fees. In-scope data categories will also be phased in by account type, beginning with deposit and payment accounts, followed by lending accounts, registered accounts and non-registered accounts. The timing and sequencing of implementation will ultimately depend on the coming-into-force orders issued under the CDB Act. 

Prior to implementation, the Minister of Finance is expected to designate: 

  • The technical standards body responsible for establishing the single technical standard applicable to all participating entities 
  • The external complaints body, which will provide consumer-driven banking dispute resolution services

The Bank of Canada is also expected to issue guidance on accreditation, data usage, consent management and data sharing. 

As anticipated, the prohibition on screen scraping will not come into force as part of the initial implementation of the Framework. The government has also confirmed that future policy work will consider a broader second phase of consumer-driven banking, including “write access” functionality such as payment initiation, account opening and account closure.  

Financial institutions, fintechs and other stakeholders should consider the implications of the proposed framework and may wish to submit comments during the 60-day consultation period. 

For more information, please contact any member of our Financial Services Regulatory group. 
