Skip Navigation

Proposed Regulations Addressing Consumer-Targeted Fraud in Banking Released for Comment

June 30, 2026

On June 27, 2026, Canada’s Department of Finance published proposed regulations amending the Financial Consumer Protection Framework Regulations under the Bank Act, aimed at combatting consumer-targeted fraud (Fraud Regulations). These developments build on legislative and policy measures discussed in our prior bulletin, Budget Implementation Act: Financial Services Highlights, and align with the government’s broader objective to develop a National Anti-Fraud Strategy.

The Fraud Regulations, which are scheduled to come into force on July 1, 2027, are now open for a 30-day comment period which closes on July 27, 2026.

Statutory Framework and Implementing Regulations

As discussed in our earlier bulletin, the Budget Implementation Act, 2025, No. 1 (Bill C-15), which received Royal Assent on March 26, 2026, introduces a new framework in the Bank Act to address “consumer-targeted fraud,” defined to include both unauthorized transactions and transactions authorized as a result of coercion or deception.

At a high level, the amendments to the Bank Act, which are not yet in force, establish a structured regime requiring banks and foreign bank branches (banks) to implement (1) stricter fraud detection procedures, including the establishment of policies and procedures to detect and prevent consumer-targeted fraud and to mitigate its impact, (2) consumer-controlled account capabilities, (3) enhanced fraud governance (including victim and remedy determinations), (4) mandatory notifications, and (5) annual fraud reporting to the Financial Consumer Agency of Canada (FCAC).

The proposed Fraud Regulations build on this statutory framework by setting out the operational requirements needed to give effect to these obligations.

Prescribed Account Capabilities and Consent Mechanics

The Fraud Regulations specify that the “prescribed account capabilities” referred to in the Bank Act are those that permit the transfer of funds by electronic means associated with personal deposit accounts, including wire transfers, global money transfers and Interac e-Transfers, subject to certain exclusions (e.g., intra-institution transfers between accounts held by the same natural person, ATM withdrawals, card payments, preauthorized debits and bill payments).

They also establish detailed requirements for obtaining express consent, although the requirements are technology-neutral, allowing flexibility in how consent is obtained:

  • Consent must be obtained separately for each capability and cannot be bundled with any other express consent;
  • Banks must provide information on the nature and potential uses of each capability before activation; and
  • Banks must implement procedures to verify the identity of the individual requesting activation.

Banks must also allow consumers to disable the electronic funds transfer capability.

Notably, banks are not required to obtain consent for capabilities already enabled on existing accounts at the time the framework comes into force.

Account Opening Disclosure

The Fraud Regulations also impose additional account opening disclosure requirements on banks in respect of personal deposit accounts. Specifically, consumers must be informed of:

  • Account capabilities that require express consent to enable
  • Account capabilities that can be disabled
  • Account capabilities for which the transaction or withdrawal limits may be adjusted (increased or decreased)

Banks are also required to notify consumers by electronic means whenever an account capability is activated, deactivated, or a transaction or withdrawal limit is adjusted.

These requirements are intended to ensure consumers make informed decisions when choosing the capabilities available to them and allow consumers to adjust features to protect themselves from fraud.

Transaction Limits

The Fraud Regulations also prescribe timing requirements for implementing consumer-requested changes to transaction limits:

  • Without delay where the institution has verified the account holder’s identity
  • No later than the next business day where it has not

These timing rules are intended to balance usability and fraud mitigation.

Fraud Policies and Procedures

The Fraud Regulations supplement the statutory framework by requiring banks to include additional criteria in their fraud policies and procedures, including:

  • Criteria used to investigate suspicious transactions
  • Criteria used to determine whether to notify consumers of suspicious requests to activate capabilities or increase transaction limits

Banks must also conduct an annual review of the effectiveness of their policies and procedures. The Fraud Regulations introduce this as an explicit governance requirement, supplementing the broader obligation under the Bank Act to establish and adhere to such policies.

Fraud-Related Data Collection and Reporting

The Bank Act amendments establish an obligation for banks to prepare and submit annual reports on consumer-targeted fraud to the FCAC Commissioner, who must in turn provide a consolidated report to the Minister of Finance. The Fraud Regulations build on this framework by prescribing the content, timing and governance expectations for these reports. In particular, they require:

  • Submission to the FCAC within 135 days of calendar year-end
  • Granular, case-level data for each instance of fraud (including attempted, alleged and confirmed cases), such as fraud type, tactic and communication channel, transaction method and amounts lost or sought, whether the transaction was unauthorized or authorized due to coercion or deception, whether the bank delayed or stopped the transaction, and limited demographic information (age range, gender and partial postal code)
  • Reporting on implementation of policies and procedures, employee training, and any internal fraud reduction targets

Additionally, the FCAC Commissioner is required to submit a confidential consolidated report to the Minister by September 30 each year. Notably, the Fraud Regulations include a transitional provision that would allow banks a six-month lead time after the Fraud Regulations come into force to build the necessary systems to allow for the collection and reporting of fraud data. Specifically, under the current formulation, data collection for the first period would begin January 1, 2028, and would end on December 31, 2028, and the first report would be due to be submitted to the FCAC by May 15, 2029.

Fraud Response and Remedies

In order to address the growing rate of fraud, the Bank Act amendments also establish a structured framework governing how institutions respond to instances of consumer-targeted fraud. With consumer-targeted fraud seen as a foreseeable risk associated with bank-enabled payment features, the Fraud Regulations prescribe more robust and consistent institutional safeguards to supplement the currently limited mechanisms in place to protect consumers from fraud. In particular, the Fraud Regulations require banks to take on a more prominent role as they must establish and apply criteria to determine whether a consumer is a victim of fraud, assess whether a remedy is available, and communicate those determinations to affected consumers.

Interestingly, the Fraud Regulations do not introduce additional prescriptive requirements in relation to liability or remedies. The existing allocation of liability, under which consumers are generally protected for unauthorized card transactions but may bear losses for account-based transfers, including those induced by deception, remains largely unchanged. The amendments instead require institutions to formalize the criteria and processes used to assess fraud incidents and determine available responses, which is likely to result in a more structured approach to how such cases are evaluated and handled.

Banks will need to consider the implications of the framework as they prepare for the July 1, 2027, coming-into-force date and should consider submitting comments on the Fraud Regulations during the 30-day comment period for those provisions that may be problematic or require further clarity.

For more information, please contact any member of our Financial Services Regulatory group.

More insights