The Consumer-Driven Banking Act: Canadian Open Banking Takeaways

On the heels of Canada’s Budget 2025 announcement earlier this month — which included an update on open banking regulations within the country, more news has been released about Canada’s open banking journey. The Canadian Budget Implementation Act detailed upcoming rules under Canada's Consumer-Driven Banking Act. 

Open Banking is not just a regulatory mandate; it represents a significant commercial opportunity for both established Canadian banks and the burgeoning domestic fintech sector. 

For large financial institutions, secure, API-driven data sharing is a chance to move beyond compliance and embrace digital transformation. It enables them to leverage customer data, with explicit consent, to develop personalized, data-rich products that enhance customer loyalty, improve risk assessment for lending, and reduce operational costs by moving away from legacy data access methods like screen scraping. 

For Canadian fintechs, this regulated framework is a game-changer. It provides them with the secure, reliable access to financial data they've long needed to build truly innovative services — such as sophisticated budgeting tools, alternative credit scoring models, and hyper-personalized lending platforms — leveling the playing field and fueling competition and rapid market growth within the Canadian financial ecosystem. 

By fostering collaboration and ensuring a safer environment for data exchange, the new legislation acts as a critical accelerant for innovation, positioning Canada's finance sector for greater global competitiveness.

There are 2 main buckets that this legislation’s key takeaways fall into: 

1. All participants must be accredited and maintain appropriate security practices. 
2. Consumers are fully in control of their financial data.

Overall, the latest legislation is a big win for consumers as it puts them in full control of their financial data, while also enabling Canadian financial institutions to better serve their customer base.

Here are the main areas of focus for Open Banking from the Consumer-Driven Banking Act:

Licensed and Secure Participants

The Key Regulators that Run the Show

There are 4 key players that financial providers must familiarize themselves with to comply with the legislation. These players are made up of 2 government groups and 2 specialized bodies that will oversee the new system.

• Bank of Canada: This is the system’s main regulator. It supervises every accredited company, checks for market trends, and makes sure everyone is playing by the rules.
• Minister of Finance: The Minister has the ultimate say on security, particularly when it comes to national security concerns that could impact accreditation.
• External Complaints Body: A dedicated ombudsman — or intermediary — handles consumer complaints that can’t be resolved internally. All licensed participants must be members of the external complaints body.
• Technical Standards Body: This body (which is yet to be identified) will set the required API standards. This is the mandatory technical blueprint for how data is safely shared.

Who Gets to Play?

Any organization that wants to participate in data sharing will be required to be officially accredited by the Bank of Canada. This will include banks, credit unions, fintechs, payment providers, and third-party service providers.

The Ban on Screen Scraping

The Act effectively establishes a secure, API-only ecosystem by outlawing the traditional method of data access — screen scraping. This new legislation prohibits using a consumer's login credentials to gain direct access to their data for the purpose of providing a product or service. This ban on screen scraping is an effort to mitigate the risks that credential sharing can create.

Consumers Own Their Data

The Scope of Data

Consumers are the ultimate owners of their data and have full power to make decisions regarding their data. The Act requires explicit permission from consumers to share data. The covered data includes: 

• Depository accounts
• Investment accounts
• Credit products
• Payment products

On the other side of the coin, the Act explicitly excludes derived data in its data-sharing ruling — meaning that financial institutions that enhance the data in a way that significantly increases its usefulness or commercial value are not required to share that resulting derived data externally.

Data access fees are strictly prohibited for consumers sharing their in-scope data.

Consent and Data Use

Getting — and keeping — a consumer's permission has strict and non-negotiable requirements. Participants must obtain the consumer’s consent before requesting data. A consumer simply using a product or service does not in and of itself qualify as consent.

Participants that have obtained consumer consent must tell the consumer:

1. Exactly what data they want
2. How they will use it
3. How long the consent lasts

Once consumers have granted content, it is valid for a maximum of 12 months. A participating organization must renew the consumer’s consent after the expiration of the previous consent’s effect. Additionally, consumers can withdraw their consent or request the deletion by the participating organization of their data at any time. Upon request, participating organizations must stop receiving the data immediately and delete it.

Security and Liability

The burden of security and financial loss is squarely placed on the shoulders of the participating entity. They are responsible for implementing the security safeguards in the framework and designating an officer responsible for the entity’s compliance with these safeguards.

In the event of unauthorized data loss, consumers are not financially liable unless they are shown to have been grossly negligent. For participating entities, liability flows with the data, and the party responsible for a breach is held responsible.

What’s Next?

Canada’s open banking legislation sets a high bar for participation, emphasizing consumer control, security, and accountability. One significant question remains unanswered: the timeline. As this regulation moves through the parliamentary process, the financial industry can expect exact timelines to be finalized.

As Canada works towards implementing this legislation, financial institutions should begin to assess their strategies for keeping data in the hands of consumers. Institutions that are already designing financial systems that prioritize customer consent and API-driven data access will set a new standard of trust and innovation across Canada’s financial ecosystem.