Budget 2025: Canada's Consumer-Driven Banking Framework

1. Introduction

Consumer-driven banking, also known as open banking, refers to a secure framework that lets Canadian individuals and businesses share their financial data with approved service providers of their choice. This framework will give consumers^{Footnote 1} greater control over their data while promoting a competitive and innovative financial sector that strengthens Canada's position in the global digital economy.

The absence of a such a secure framework means that about nine million Canadians currently share their financial data by providing their confidential banking credentials in a process known as screen-scraping. These consumers face increased security, liability, and privacy risks and may be left without recourse if something goes wrong. The consumer-driven banking framework will address these risks by using application programming interfaces (APIs), a type of technology that provides a more secure communications connection between entities.

1.1 What Will Consumer-Driven Banking Do?

The goal of Canada's consumer-driven banking framework is to promote innovation in the financial sector, improve financial outcomes for Canadians, and ensure that consumers can share their data securely. In other countries, regulated frameworks have proven effective at achieving these policy goals by empowering consumers, enhancing data accessibility, and supporting new financial service providers and business models.^{Footnote 2}

Giving Canadians greater control over their financial data opens the door to new financial products and greater choice between providers, fostering a more dynamic financial sector and productive economy. Unlocking these new opportunities will lead to improved financial decision-making, lower costs, and more tailored products and services for consumers.

Benefits of Consumer-Driven Banking

For example, consumers using consumer-driven banking will be able to leverage data from their timely rental payments to demonstrate creditworthiness, which will increase access to credit and enhance financial inclusion. Consumers will also be able share their data for loan adjudication which could lead to greater choice in borrowing options and better pricing. For small- and medium-sized businesses, increased access to data-driven tools can help streamline payroll and other administrative functions and provide better access to the capital they need to grow their businesses.

1.2 Policy Objectives for Canada's Consumer-Driven Banking Framework

The development of Canada's Framework was guided by three public policy objectives:

• Competition, Innovation, and Economic Growth: Accelerating the growth of Canada's digital economy while supporting new entrants, existing financial institutions, and homegrown innovators. Regulated data-sharing will preserve Canada's secure and stable financial sector, while enabling innovation and competition.
• Consumer Financial Well-Being and Protection: Ensuring Canadians can securely share their data with more trusted financial service providers. Regulated data sharing will give consumers control over their data and establish consistent rules that limit consumers' liability, ensure data is kept safe while in transit, and address outdated practices like screen scraping.
• Safety and Soundness: Strengthening the overall integrity of the financial sector by addressing risks related to existing data sharing practices. Establishing a robust accreditation process and oversight framework will ensure participating entities meet high standards of security and reliability, supporting stability and trust in the financial sector.

2. Course of Action

The Government will introduce two key legislative changes through the 2025 Budget Implementation Act:

• Legislative amendments to complete the Consumer-Driven Banking Act that will include provisions for accreditation and common rules that address security, national security, liability, and consent. Additional amendments will reinforce competition as a key objective of the framework, clarify the inclusion of small- and medium-sized businesses, and ensure Canadian public policy objectives can be met through the designated technical standards body. Amendments will also streamline governance and accreditation by leveraging the Bank of Canada's existing supervisory role for the Retail Payment Activities Act and registered payment service providers.
• To reinforce the importance of data-driven innovation and the role it plays in enhancing competition, the legislation will also amend the Personal Information Protection and Electronic Documents Act to ensure Canadians have access to an economy-wide right to data mobility in sectors that develop secure and interoperable frameworks. Consumer-driven banking will be the first iteration of such a framework. This measure will provide the foundation for consumers to have greater control over their information, while unlocking greater competition, wider economic benefits and enabling cross-sector collaboration.

Subject to Royal Assent, the Government will move quickly to advance regulation while supporting the Bank of Canada as it implements the first phase of consumer-driven banking. The Department of Finance will concurrently undertake consultation and policy work over the next 12 to 18 months to advance a second phase of consumer-driven banking that considers broader functionality and participant scope.

This work will consider "write access", the ability to initiate an action from an account. This functionality would let consumers make payments or manage a product or service enrollment across participating entities through consumer-driven banking. Beyond write access, several leading economies are laying the foundation for "open finance" and "open data" with the goal of advancing digital public infrastructure. Recent estimates project that the United Kingdom's Data (Use and Access) Bill will lead to a £10 billion boost to their economy over 10 years^{Footnote 3}. By enshrining a right to data mobility in federal privacy legislation, Canada moves one step closer to unlocking the advantages of cross-sectoral data sharing.

2.1 Governance

Governance design is key to ensuring the framework achieves its public policy objectives. A strong governance framework will ensure participating entities abide by common rules by outlining clear roles and responsibilities for participating entities and government, as well as what actions will be taken when non-compliance occurs.

To improve government efficiency and align with existing oversight for the Retail Payment Activities Act, the responsibility for implementation and oversight of Canada's Consumer-Driven Banking Framework will be delegated to the Bank of Canada. This shift also aligns with the Government's intention to accelerate progress towards the next phase of consumer-driven banking, which will involve write-access functionality, such as payment initiation. Once the framework is in place, oversight of consumer-driven banking will operate on a cost-recovery model.

All participating entities will be subject to the consumer-driven banking framework and Bank of Canada supervision. To facilitate participation of provincially regulated financial institutions, the governance model will be structured in a manner that allows provincial credit unions and crown corporations that act as banks to "opt-in" to the framework. Provinces and territories retain the authority to impose their own requirements on entities subject to their jurisdiction and participating entities will continue to be required to follow all applicable federal and provincial frameworks.

The consumer-driven banking framework includes safeguards to protect national security, as well as the integrity and security of the consumer-driven banking framework and financial sector. The Consumer-Driven Banking Act provides the Minister of Finance with the authority to address risks related to national security. The Minister's exercise of the national security authorities will be supported by security and intelligence agencies.

The Department of Finance will retain its role in respect of policy and legislative/regulatory development.

2.2 Facilitating Provincial and Territorial Involvement

Following ongoing engagement with provincial and territorial governments, the Government is amending the Consumer-Driven Banking Act to provide the Minister of Finance with the authority to designate a provincial regulator to oversee certain provisions of the Act for the entities within its jurisdiction (e.g., provincial credit unions). In provinces where this designation has occurred, some parts of the Act would be supervised by the Bank of Canada, and other parts by the appropriate provincial regulator. The provisions that will be eligible for designation relate to areas where provinces already supervise provincial financial institutions, and include security, privacy (including consumer consent and authentication), liability, complaints, and consumer protection. Provisions that relate to accreditation (entry into the framework), suspension and revocation, or national security, will remain the responsibility of the federal government.

Once an agreement or Memorandum of Understanding with the Bank of Canada is in place and a Ministerial order is issued, the designated provincial or territorial regulator would gain responsibility for the supervision of the agreed upon provisions. Once a designated regulator determines that a violation of the Act has occurred, it would work collaboratively with the Bank of Canada to determine the appropriate next steps. The Bank of Canada will retain the enforcement powers to issue fines and penalties and apply them consistently across all the provinces, regardless of the province in which the participating entity is located and will work closely with provincial regulators in this regard.

This legislation will also establish a permanent federal, provincial and territorial advisory committee to inform the Bank of Canada's work on administering and implementing the framework. The advisory committee will provide a vehicle to inform uniform guidelines for penalties including Administrative Monetary Penalties.

This approach preserves a consistent foundation of baseline standards that ensures all Canadians are similarly protected, and all entities participating in the framework operate on a level playing field, while providing flexibility for provinces and consistency for provincially regulated financial institutions. The Government remains committed to working with provinces to ensure a consistent regulatory approach, informed by provincial input.

2.3 Scope

Scope for the framework covers which entities can participate, the breadth of data sharing, and functionality.

The Government will initially mandate participation for banks based on a threshold for retail volume. Remaining federally regulated financial institutions, as well as credit unions, crown corporations acting as banks, registered payment service providers, and other entities seeking accreditation will be able to opt-in, provided they meet the requirements for entry and demonstrate adherence to technical and security specifications.

At the request of a consumer, participating entities will be required to share consumer data, account information, balance data, transaction data, and product data that they hold for deposit (chequing and savings), payment products, investments (registered and non-registered), and lending accounts (secured and unsecured).

Derived data is excluded from the scope of the Consumer-Driven Banking Act. Derived data refers to data about a consumer, product or service that has been enhanced by a participating entity to significantly increase its usefulness or commercial value. The following are non-exhaustive, illustrative examples of what may be considered derived data: 

• The outcome of an assessment such as a consumer credit rating, whether generated by the institution itself or provided by a third party such as a ratings agency;   
• Categorization of spending based on account data, for example classifying spending as related to rent, groceries, or car payments;  
• Saving and budgeting recommendations based on analysis of account data; and,    
• Highlighting upcoming fund shortfalls (or surpluses) based on past spending behaviours. 

To promote competition and innovation, all participating entities will be equally subject to data sharing requests (reciprocal access). When requested on behalf of a consumer, in-scope data will have to be shared free of charge, in a standardized, machine-readable format.

The prohibition of screen scraping will come into force once the framework is fully operational. The Department of Finance will continue to consult with stakeholders to determine an appropriate timeline for bringing the prohibition into force. The existing prohibition on the sharing of customer information by banks for the business of insurance will be maintained.

2.4 Accreditation

A formal accreditation process and a set of criteria that includes a national security screen will ensure Canadians can confidently engage in financial data sharing with trusted entities. Tailored process and criteria will be used for different classes of entities. The Bank of Canada will evaluate applications and publish the list of accredited participating entities in a central public registry. Once accredited, a participating entity will be able to make a data sharing request at the instruction of a consumer.

Accreditation will not be a static obligation. Participating entities will be subject to mandatory reporting of key information on a regular basis and as their business models evolve to maintain their accreditation. The Bank of Canada will have the authority to suspend or revoke an organization's accreditation if they fail to meet their obligations under the framework or present a risk to consumers.

The Consumer-Driven Banking Act will also require participating entities who wish to outsource certain tasks related to consent management, authentication management, and the movement of data, to use an accredited third-party service provider. Participating entities that elect to do so will continue to be liable for their responsibilities under the Act.

Accredited third-party service providers will be entities that have met the necessary eligibility criteria, including a national security screen, and have been approved by the Bank of Canada to participate in the framework. Accredited third-party service providers will only be permitted to engage in the framework on behalf of a participating entity; they will not be participating entities themselves and will not be permitted to engage in consumer-driven banking activities on their own behalf.

2.5 Common Rules

To build trust and establish a level playing field where new entrants and incumbents alike can innovate and compete while protecting consumers, the framework includes common rules that establish obligations related to privacy and consent, liability, security, national security and integrity. The common rules complement existing legislative frameworks, such as the Bank Act and the Retail Payment Activities Act.

2.6 Privacy and Consent

In terms of privacy, participating entities are already required to comply with applicable legislative frameworks. The framework includes additional rules that are unique to financial data sharing which will address the difference between consent and authentication activities for participating entities, the provision of express consent to access data, consent management, and the withdrawal of consent. Participating entities will be required to manage consent in a manner that is clear, simple, and not misleading and free of undue pressure or coercion. Participating entities will be required to reconfirm consent every 12 months or following certain events.

They will also be required to provide consent dashboards to ensure consumers have real-time knowledge of who has access to their data so they can maintain control over the type of data they share, the accounts from which it is being shared, the length of the consents, as well as the ability to withdraw access.

Finally, unless otherwise required by law, participating entities will be required to delete a consumer's data, if requested by a consumer who does not renew or who has withdrawn their consent. Participating entities will be required to inform affected consumers of this right.

2.7 Liability

The framework's liability structure will set out transparent rules and responsibilities for sharing, providing, and receiving data that will give certainty to participating entities, make attribution of liability easier, and protect consumers. Consumers will not be held liable if a financial loss occurs as a direct result of sharing their data within the framework, as long as they have not been grossly negligent (gross fault in Quebec) in safeguarding their authentication information.

The liability structure establishes a statutory relationship between participating entities, eliminating the need for bilateral contracts between participating entities. Liability moves with the data and rests with the party at fault if anything goes wrong. A participating entity is not liable for the actions of another participating entity (e.g., errors or breach of safeguards) that they have provided data to or received data from.

2.8 Complaint Handling

Participating entities will also be required to put in place policies and procedures for complaint handling to ensure consumers have a clear path for addressing their complaints. These requirements align with existing financial sector practices.

2.9 Security

Clear security requirements will ensure participating entities protect consumers' data. In particular, participating entities' information security management systems will have to capture all the people, processes, technology, and infrastructure that interact with in-scope data that is shared through the framework.

The security requirements outlined in the framework will ensure that all participating entities dedicate the necessary attention and resources to safeguarding against risks.

2.10 Financial Sector Integrity and National Security

To protect the integrity and security of the consumer-driven banking framework, the framework provides authorities to the Minister of Finance that align with existing financial sector statutes, including the Retail Payment Activities Act and the Bank Act.

These authorities will enable the Minister to refuse, suspend or revoke access to the framework for national security-related reasons.

2.11 A Single Canadian Technical Standard

Consumer-driven banking will significantly reduce security, privacy, and liability risks by using APIs, a technology that acts as secure data "pipes" to allow participating entities to communicate with one another in a consistent manner. A common technical standard is critical to data sharing, as it sets out the specifications to which APIs are built, and supports functionality and interoperability.

Participating entities will be required to implement a single, specific technical standard to provide certainty to regulators and other participating entities. This common standard will provide certainty to new entrants, allowing them to allocate more resources to innovation, enabling greater competition and greater choice of financial products and services.

The Consumer-Driven Banking Act authorizes the Minister of Finance to designate a technical standards body and sets out criteria and considerations for evaluating candidates. The Act will include additional factors that ensure the standard is developed with Canadian interests in mind and underscore the importance of an independent technical standards body.

The Bank of Canada will supervise the technical standards body to ensure it complies with the framework and develops the standard with Canadian public policy objectives in mind, including security, competition, innovation, and global interoperability.

3. Next Steps

Following Royal Assent of the Consumer-Driven Banking Act, the Department of Finance intends to develop the supporting regulations. The Department will engage closely with all implicated stakeholders and Canadians, including through public consultations once draft regulations are published.

The Department will continue to work with the Bank of Canada and other key government and regulatory partners to prepare for the successful launch of Canada's Consumer-Driven Banking Framework.

Concurrently, the Department will conduct policy work and consultation to advance a second phase of consumer-driven banking that considers broader functionality and participant scope.

These next steps will help build a competitive, consumer-focused financial sector that drives inclusive growth in secure, data-driven financial services.