Canada Moves Open Banking from Law to a Working Rulebook
Canada's draft open banking regulations define accreditation, data sharing, security, and compliance requirements.
Consumer driven banking has been under development in Canada since the federal government began reviewing open banking in 2018. The framework establishes a regulated system that allows individuals and businesses to securely share their financial data with accredited providers through application programming interfaces, replacing screen scraping with standardized and consent based data sharing.
In June 2026, the Department of Finance published the draft Consumer Driven Banking Regulations, providing the operational rules needed to implement the framework. The proposed regulations define the scope of data sharing, accreditation requirements, security safeguards, consent management, supervisory responsibilities, technical standards, assessment fees, and enforcement measures. Together, they move Canada's consumer driven banking framework from legislation to implementation and are open for public consultation until August 2026.
The specific requirements in the proposed regulations
Data scope: Defines the financial data that participating entities must make available, including consumer profile information, account details, balances, transactions, and product information across deposit, payment, investment, and lending accounts. Participating entities would generally be required to provide up to 24 months of historical transaction data.
Accreditation: Establishes four accreditation pathways covering fintech companies, registered payment service providers, financial institutions, and accredited third party service providers. Applicants must demonstrate compliance with security, technical, governance and consent requirements and pay a $2,500 accreditation application fee, while the Bank of Canada will oversee accreditation, maintain a public registry, and administer application reviews, suspensions and revocations.
National security safeguards: Provides the Minister of Finance with authority to review applicants and accredited participants for national security risks, with 60 days to decide whether a review is required and 180 days to complete it. Applicants must disclose ownership, governance, significant relationships and data handling practices, while the Minister may impose conditions or direct the Bank of Canada to refuse or revoke accreditation.
Duties of participating entities: Requires participating entities to maintain compliance through record keeping, annual reporting, consent management, security breach reporting, consumer authentication, secure data sharing, minimum service levels, liability management, notice of material changes and consumer notifications when exiting the framework.
Duties of ATPSPs: Requires accredited third party service providers to maintain compliance records, report material organizational changes, notify participating entities of accreditation changes and retain records for five years while supporting oversight by the Bank of Canada.
Technical standards body reporting: Requires the designated technical standards body to submit annual reports covering the performance of the technical standard, security improvements and any changes that could affect its designation or continued suitability.
Evidentiary privilege: Defines the supervisory documents, accreditation correspondence and regulatory directions that may be used as evidence in civil proceedings by designated public authorities.
Assessment fees: Introduces an annual cost recovery model administered by the Bank of Canada. Participating entities would pay a tiered assessment based on asset size, while accredited third party service providers and the external complaints body would also contribute through annual assessments.
Violations: Designates key obligations under the framework as regulatory violations subject to administrative monetary penalties. Maximum penalties remain up to $1 million for individuals and up to $10 million for participating entities or accredited third party service providers.
Regulatory development: The regulatory impact analysis estimates implementation costs of approximately $457.7 million over ten years, compared with estimated economic benefits of approximately $13.2 billion over the same period. The regulations remain under consultation before final implementation, with additional guidance from the Bank of Canada expected before the framework comes into force.
🚨 What this signals for the Canadian financial sector
The proposed regulations provide the operational blueprint for Canada's consumer driven banking framework and offer greater certainty around how institutions will participate. Banks, credit unions, FinTech companies and payment service providers can now begin aligning their technology, governance, security and consent management processes against defined regulatory expectations rather than broad legislative principles.
The regulations also confirm that consumer driven banking extends well beyond data sharing. Institutions will need to strengthen operational resilience, third party oversight, cyber security, record management and consumer protection while preparing for API based data exchange. As the framework evolves toward broader functionality, including future write access, these requirements establish the governance foundation for Canada's next phase of digital financial services.

