Budget 2024: Canada’s Consumer-Driven Banking Framework

1. Introduction

Consumer-driven banking, also known as open banking or consumer-directed finance, refers to frameworks that allow consumers and small businesses^{Footnote 1} to securely transfer their financial data through an application programming interface (API) to approved service providers of their choice. Consumer-driven banking enables consumers to securely use data-driven financial services that can help them better manage their finances and improve their financial outcomes.

For example, through consumer-driven banking, people could access services that allow them to build their credit by reporting their on-time rental payments to credit bureaus, making it easier to qualify for a mortgage.

An estimated nine million Canadians currently share their financial data by providing confidential banking credentials to service providers. This process, known as screen-scraping, raises security, liability, and privacy risks to consumers and the financial system. The government wants to make it safer and more secure for Canadians to share their financial information and access new financial tools.

Benefits of Consumer-Driven Banking

1.1 What Will Consumer-Driven Banking Do?

The implementation of Canada’s Consumer-Driven Banking Framework will:

• Empower Canadians to securely access and share their financial data with financial service providers.
• Ensure that Canadians are not subject to fees when accessing and sharing their data.
• Protect Canadians and the financial system from risky practices like screen-scraping.
• Ensure parties at fault for any damages or data breaches are held to account and liable for any harm to Canadians.
• Allow Canadians to safely access innovative products and services that can help them improve their financial outcomes. For example:

  • Apps that build credit scores using transaction data or use rental payment data to demonstrate ability to pay when applying for a mortgage;
  • Account aggregators that provide a fuller financial picture and support improved decision making;
  • Budgeting tools that monitor spending and provide insights to improve financial well-being;
  • Platforms that provide automated financial advice, tailored to a consumer’s unique financial situation, and needs;
  • Tools that use transaction data to manage all paid subscriptions in one place.

1.2 Policy Objectives of Consumer-Driven Banking

The development of Canada’s Consumer-Driven Banking Framework has been guided by three public policy objectives:

• Safety and Soundness: Ensuring the continued safety and soundness of the financial sector by addressing the security risks arising from existing data sharing practices, such as screen scraping, and establishing oversight of financial data sharing activities;
• Protecting Canadians’ Financial Well-Being: Ensuring that Canadians can securely and confidently exercise their right to access, use their financial data to improve their financial outcomes, and benefit from enhanced consumer choice through innovative products and services; and,
• Economic Growth and International Competitiveness: Establishing a cohesive framework, with a clear, fair, and transparent approach to accreditation, to support the continued security and stability of the Canadian financial sector, including existing financial institutions, while enabling innovation and competition.

1.3 Core Framework Elements

These policy objectives have guided the development of the government’s course of action on six core framework elements, including:  

• Governance: Oversight and management of the framework;
• Scope: The types of data and functionalities the system will provide, the participants, and the pace at which the system should expand;
• Accreditation: The requirements and process for participating in consumer-driven banking;
• Common Rules: To protect consumers and govern the areas of privacy, liability, and security;
• National Security: Safeguards to protect the integrity and security of the consumer-driven banking framework and financial system; and,
• Technical Standard: Establishment, maintenance, and oversight of a technical standard (also referred to as pipes) flow of data between Canadians and the financial tools of their choice.

The remainder of the policy statement outlines the government’s position on the core elements of the Framework as a means of providing clarity to consumers and industry.

2. Course of Action

The government will introduce legislation that will enable consumers to securely and confidently access their financial data and, in turn, safely use services that can help them improve their financial outcomes. This spring, the government intends to introduce the first of two pieces of legislation to implement the Framework, starting with key elements, such as governance, scope, and criteria and process for the technical standard. Remaining elements of the Framework would be legislated in fall 2024.

In line with international best practices, the legislation will expand the mandate of the Financial Consumer Agency of Canada (FCAC) to include oversight of consumer-driven banking and establish foundational Framework elements related to scope, system participation, safeguards in respect of integrity and national security, and common rules covering privacy, liability, and security.

The Framework will also include the principles and process for the selection of a single technical standard for data sharing that will ensure the standard is fair, open, and accessible. This will ensure that the Framework meets key public policy objectives for a Canadian consumer-driven banking system, including interoperability with the coming American framework overseen by the U.S. Consumer Financial Protection Bureau.

The government will review Canada’s Consumer-Driven Banking Framework after three years to ensure it continues to meet core policy objectives, and reflects the needs of Canadians.

2.1 Governance

Governance design is key to ensuring the Framework achieves the public policy objectives of safety, stability, innovation, integrity, and utility for all Canadians. A strong governance Framework will ensure participants abide by common rules by outlining clear roles and responsibilities for participants and government, and what actions will be taken when non-compliance occurs.

To ensure all Canadians benefit from the effective oversight of financial data sharing, legislative amendments will expand the mandate of the FCAC to include oversight, administration, and enforcement of Canada’s Consumer-Driven Banking Framework. This will include responsibility for monitoring and supervising the Framework, maintaining its integrity and security, enforcing common rules, accrediting entities, maintaining a public registry of participants, and overseeing the technical standard. The legislation will also expand existing authorities of the Minister of Finance, such as issuing directions to the FCAC, including to protect national security and the best interests of the financial system within the Consumer-Driven Banking Framework.

Legislative amendments to the FCAC Act will also establish a new position, called the Senior Deputy Commissioner of Consumer-Driven Banking at the FCAC, which will be responsible for fulfilling the FCAC’s consumer-driven banking mandate.

The Department of Finance will retain its role in respect of policy and legislative or regulatory development. The Department of Finance will also work with the FCAC to begin preparation and planning for these new responsibilities. FCAC will also develop a consumer education campaign to increase Canadians’ awareness of consumer-driven banking. Once the Framework is in place, FCAC oversight of consumer-driven banking will operate on a cost-recovery model.

All participants will be subject to the Consumer-Driven Banking Framework and FCAC supervision. To facilitate oversight of provincial entities, while respecting their jurisdiction, the governance model will be structured in a manner that allows for provincial credit unions and Crown corporations that act as banks to “opt-in” to governance, supervision, and participation. The creation of a new FCAC Senior Deputy Commissioner for Consumer-Driven Banking would ensure that provincial credit unions and Crown corporations that act as banks that opt-in to the Consumer-Driven Banking Framework would not be subjected to direct oversight by the federal market conduct regulator. Provinces and territories retain the authority to impose their own requirements on entities subject to their jurisdiction.

2.2 Scope

To ensure the efficient implementation of secure, consumer-driven banking, the government will adopt a phased approach to the three elements of scope: participants, breadth of data sharing, and functionality. The development of Canada’s Consumer-Driven Banking Framework will be an iterative process and the Framework may evolve significantly over time.

Scope refers to:

1. What entities can participate;
2. The breadth of data that must be shared among them; and,
3. Functionality, such as read or write access.

In the initial phase, the government will mandate participation for banks that meet a specified threshold for retail volume. This threshold will scope-in Canada’s largest retail banks. The remaining federally regulated financial institutions, as well as credit unions, Crown corporations acting as banks, and other entities seeking accreditation, will be provided the ability to opt-in to the Framework. There will be clear requirements for how various entities such as fintechs, can enter and exit the Consumer-Driven Banking Framework. All entities entering the Framework will be required to demonstrate adherence to technical and security requirements.

In the initial phase, the scope of data that participants will be required to share at the request of a consumer will initially include data related to chequing and savings accounts, investment products available through their online portals, and lending products, such as credit cards, lines of credit, and mortgages. Data that has been materially enhanced by a participant to offer significant additional value or insight will be excluded from scope. The existing prohibition on the sharing by banks of customer information for the business of insurance will be maintained.

To fully implement consumer rights to data portability, all entities will be equally subject to consumer-permissioned data sharing requests (reciprocal access) and the ability to provide reciprocal access will be a condition of entry and requirement for continued participation in the Framework. When authorized by a consumer, in-scope data would be shared in its unaltered, original format, free of charge. The government may consider an expansion of the scope at a later date, to include additional data, entities, entry processes (e.g., tiered accreditation), and functionalities (such as the ability to initiate payments).

2.3 Accreditation

To ensure Canadians can confidently engage in financial data sharing with trusted entities, Canada’s Consumer-Driven Banking Framework will include a formal accreditation process, inclusive of process, oversight, and criteria for entities wishing to collect consumer-permissioned data from data holders.

Accreditation ensures that only trusted entities can access financial data when requested by a consumer. The Framework will set out the process and specific criteria for data requestors to access consumer financial data. The FCAC will evaluate applications against these criteria and publish a list of all authorized participants in a central registry to ensure consumers have clear information when choosing to share their financial data with an entity.

Recognizing the highly sensitive nature of financial data, this process will ensure that only those who meet certain requirements can participate in a data sharing ecosystem. It will create trust among consumers and participants by validating the merit and financial capability of organizations outside of traditional regulated financial services.

Entities wishing to become accredited will need to submit an application to the FCAC. Applications will include information on the organization (including existing oversight arrangements and governance structure), operational standards (including security and privacy controls), and financial capacity (including liability instruments such as insurance). Once accredited, a participant will be permitted to request financial data, at the instruction of a consumer, from another participant, and will in turn be obligated to follow all common rules of the Framework and make available any in-scope data to other participants.

Accreditation will not be a static obligation. Entities will be subject to mandatory reporting of key information on a regular basis and as their business models evolve to maintain accreditation. The FCAC will have the authority to suspend or revoke an organization’s accreditation if they fail to meet their obligations under the Framework or present a risk to consumers.

2.4 Tiering

Tiered accreditation—the practice of establishing different accreditation requirements for entities, for example, based on the levels of data they are permitted to access—will not be included in an initial phase.

2.5 Common Rules

To provide a consumer-centric, safe, and transparent foundation for consumer-driven banking in Canada, the Framework will include common rules that address consumer protection interests, privacy, liability, security, national security, and integrity obligations. All participants will be required to abide by these rules as a condition of access to consumer data.

The intent of common rules is to ensure that consumers benefit from consistent protection and market conduct standards which would, in turn, help build confidence and trust for consumers. Where appropriate, the common rules align with existing legislation, such as the Financial Consumer Protection Framework (FCPF) within the Bank Act. Common rules will work to complement existing legislation, rather than creating duplicative or potentially conflicting requirements.

2.6 Privacy

In terms of privacy, participants are already required to comply with existing legislation. The Framework will include additional privacy rules that are unique to financial data sharing which will address the provision of express consent to access data, consent management, and revoking access to data shared by a consumer. Participants will also be required to have a standardized process for consent and revocation that is done in a clear, simple, and not misleading manner.

Additionally, participants will be required to reconfirm consent at specified intervals (every 12 months) or following certain events. Participants will also be required to provide consent dashboards to ensure consumers have real-time knowledge of who has access to their data and to maintain control over the type of data they share, the accounts from which it is being collected, the length of the consents, as well as the ability to revoke it. Finally, participants will be required to adopt user experience guidelines to govern all areas of consent and revocation.

The Department of Finance will continue to engage with industry, federal regulators, provincial and territorial governments, and other stakeholders to finalize additional requirements that enhance consumer protection around consent, disclosure of key information, market conduct, and financial inclusion.

2.7 Liability

Clear attribution of liability is a critical component of Canada’s Consumer-Driven Banking Framework. Predictable and transparent rules outlining where liability starts and ends will provide certainty to participants and make it easier to protect consumers.

The Framework will clearly set out a liability structure that establishes a statutory relationship between participants when they enter the Framework. This eliminates the need for bilateral contracts between participants.  Entry requirements will be established in the legislation for both mandated and voluntary participants.

This liability structure is based on the principle that liability moves with the data and rests with the party at-fault if anything goes wrong. This means that when a consumer initiates a data transfer, the data provider’s liability towards that consumer for how the data is managed or protected ceases once it leaves the institution. The data provider maintains liability toward the consumer for data under its control. 

To ensure consumers are protected and to strengthen confidence in the system, consumers will not be held liable for financial losses incurred as a result of sharing their financial data within the Consumer-Driven Banking Framework.

Participants will also be required to put in place policies and procedures for complaint handling and the provision of redress to ensure consumers have a clear path for addressing their complaints. These requirements will align with existing financial sector practices.

The Department of Finance will continue to engage with industry, federal regulators, provincial and territorial governments, and other stakeholders to finalize additional liability requirements related to service level requirements, use of third-parties, reporting, investigations, recordkeeping, and traceability.

2.8 Security

To ensure Canadians can use this system with the confidence that their sensitive financial information is protected, Canada’s Framework will establish clear security requirements for how voluntary and mandated participants protect consumers’ data.

To set a high-bar, the scope of a participant’s information security management system will have to capture all the people, processes, technology, and infrastructure that interact with in-scope data that is collected through the Consumer-Driven Banking Framework. The legislation will establish security requirements for all participants that will serve as the minimum “floor” to safeguard consumer data. Participants will also need to fulfill ongoing reporting obligations that will be overseen by the FCAC, such as surveillance audits.

These requirements will ensure that all participants, regardless of size, risk profile, and business model, dedicate the necessary attention and resources to safeguarding against risks.

The Department of Finance will continue to engage with industry, federal regulators, provincial and territorial governments, and other stakeholders to finalize a recommendation on which security certification will be mandated and the extent of the reporting obligations.

2.9 National Security and the Integrityof the Financial System

To protect the integrity and security of the Consumer-Driven Banking Framework and maintain Canadians’ confidence in the financial sector, the Framework will include safeguards and provide authorities to the Minister of Finance that align with existing financial sector statutes, such as the Retail Payment Activities Act, the Bank Actand the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.

These authorities will enable the Minister to refuse, suspend, or revoke access to the Framework for national security-related reasons. The Minister will also be provided an expanded authority to direct the FCAC to take measures related to the Framework for reasons related to national security, to safeguard the integrity or security of Canada’s financial system, or in the best interest of the financial system.

2.10 A Single Technical Standard

Consumer-driven banking offers a means to successfully transition away from screen scraping to a more secure method for financial data sharing. The Framework will significantly decrease the risks of personal data being compromised by bad actors and mitigate security, privacy, and liability risks for consumers and participants. This is achieved through the use of APIs, a type of software that acts as secure data “pipes” to enable different products and services to communicate in a consistent manner.

Technical standards are a key element of financial data sharing as they form the specifications to which APIs are built and therefore support functionality and interoperability. To align with international best practices, the government will mandate the use of a single technical standard.

Canada’s Consumer-Driven Banking Framework will include the principles and processes that will be used to identify a technical standard. This will ensure that the standard is fair, open, accessible, and able to meet key public policy objectives for the Consumer-Driven Banking Framework, including interoperability with standards used in other jurisdictions. Legislation will provide authority to the Minister of Finance to identify and revoke a technical standard, and authority to the FCAC to supervise the technical standard body to ensure compliance with the Framework.

3. Next Steps

This spring, the government intends to introduce legislation to establish foundational elements of Canada’s Consumer-Driven Banking Framework, including governance, scope, and criteria and process for the technical standard. The government intends to introduce remaining elements of the Framework in legislation this fall.

The Department of Finance will continue to engage with industry, federal regulators, federal agencies, including the FCAC, provincial and territorial governments, and other stakeholders, as the Framework legislation is developed.

Related documents:

• 2023 Fall Economic Statement: Policy Statement on Consumer-Driven Banking