2024 Fall Economic Statement: Canada’s Complete Framework for Consumer-Driven Banking
Backgrounder
1. Introduction
Consumer-driven banking, also known as open banking or consumer-directed finance, refers to frameworks that allow consumers and small businesses to securely transfer their financial data through an application programming interface (API) to approved service providers of their choice. It enables consumers to securely use data-driven financial services that can help them better manage their finances and improve their financial outcomes. For example, through consumer-driven banking, individuals can access services that allow them to build their credit by proving they have paid rent on time.
The key goal of Canada’s consumer-driven banking framework is to ensure that the financial data of Canadians and small businesses is shared safely and securely. About nine million Canadians currently share their financial data by providing confidential banking credentials to service providers. This process, known as screen-scraping, raises security, liability, and privacy risks to consumers and the financial system.
1.1 What Will Consumer-Driven Banking Do?
The implementation of a consumer-driven banking framework will:
- Empower Canadians to securely access and share their financial data with financial service providers.
- Ensure that Canadians are not subject to fees when accessing and sharing their data.
- Protect Canadians and the financial system from risky practices like screen-scraping.
- Ensure parties at fault are liable for any damages or data breaches.
- Allow Canadians to safely access innovative products and services that can help them improve their financial outcomes. For example:
  - Apps that build credit scores using transaction data or use rental payment data to demonstrate ability to pay when applying for a mortgage.
  - Account aggregators that provide a fuller financial picture and support improved decision making.
  - Budgeting tools that monitor spending and provide insights to improve financial well-being.
  - Platforms that provide automated financial advice, tailored to a consumer’s unique financial situation and needs.
  - Tools that use transaction data to manage all paid subscriptions in one place.
1.2 Policy Objectives for Canada’s Framework for Consumer-Driven Banking
The work of the Department of Finance has been framed by three public policy objectives:
- Safety and Soundness: Ensuring the continued safety and soundness of the financial sector by addressing the security risks arising from existing data sharing practices, such as screen scraping, and establishing oversight of financial data sharing activities;
- Consumer Financial Well-Being and Protection: Ensuring that Canadians can securely and confidently exercise their right to access and use their financial data to improve their financial outcomes; and,
- Economic Growth and International Competitiveness: Establishing a cohesive framework, with a clear, fair, and transparent approach to accreditation, to support the continued security and stability of the Canadian financial sector, including existing financial institutions, while enabling innovation and competition.
1.3 Core Framework Elements
These policy objectives have guided the development of the government’s course of action on six core framework elements, including:
- Governance: Oversight and management of the framework;
- Scope: The types of data and functionalities the system will provide, the participants, and the pace at which the system should expand;
- Accreditation: The requirements and process for participating in consumer-driven banking;
- Common Rules: To protect consumers and govern the areas of privacy, liability, and security;
- National Security: Safeguards to protect the integrity and security of the consumer-driven banking framework and financial system; and,
- Technical Standards: Establishment, maintenance, and oversight of the technical standards (also referred to as pipes) that facilitate the flow of data between participants.
The remainder of this framework outlines the government’s position on the core elements of the legislative package as a means of providing clarity to consumers and industry.
2. Course of Action
To equip Canadians with the latest innovative tools for finance and banking, the government announced the initial framework in Budget 2024 and passed the Consumer-Driven Banking Act in June 2024. The Act included the foundational elements of scope and technical standards and designated the Financial Consumer Agency of Canada (FCAC) as the lead agency. Legislative amendments to the FCAC Act will also establish a new position, called the Senior Deputy Commissioner of Consumer-Driven Banking at the FCAC, which will be responsible for fulfilling the FCAC’s consumer-driven banking mandate.
The 2024 Fall Economic Statement announces the government’s intent to introduce legislation for the remaining elements of Canada’s consumer-driven banking framework, including accreditation and common rules that will cover national security, liability, and privacy. This will enable consumers to securely and confidently access their financial data and, in turn, safely use services that can help them improve their financial outcomes.
The Government of Canada will review the framework after three years to ensure core policy objectives continue to be met.
2.1 Governance
Governance design is key to ensuring the framework achieves the public policy objectives of safety, stability, innovation, integrity, and utility for all Canadians. A strong governance framework will ensure participants abide by common rules by outlining clear roles and responsibilities for participants and government, and what actions will be taken when non-compliance occurs.
To ensure all Canadians benefit from the effective oversight of financial data sharing, the previous legislation expanded the mandate of the FCAC to include oversight, administration, and enforcement of the consumer-driven banking framework. The legislation also expanded existing authorities of the Minister of Finance such as issuing directions to the FCAC, including to protect national security and the best interest of the financial system within the consumer-driven banking framework.
The Department of Finance will retain its role in respect of policy and legislative/regulatory development. The Department of Finance will continue its work with the FCAC to implement these new responsibilities. FCAC will also develop a consumer education campaign to increase Canadians’ awareness of consumer-driven banking. Once the framework is in place, FCAC oversight of consumer-driven banking will operate on a cost-recovery model.
All participants will be subject to the consumer-driven banking framework and FCAC supervision. To facilitate oversight of provincial entities while respecting their jurisdiction, the governance model will be structured in a manner that allows for provincial credit unions and crown corporations that act as banks to “opt-in” to governance, supervision, and participation. The creation of a new FCAC Senior Deputy Commissioner for Consumer-Driven Banking ensures that provincial credit unions and crown corporations that act as banks who opt in to the consumer-driven banking framework would not be subjected to oversight by the federal market conduct regulator. Provinces and territories retain the authority to impose their own requirements on entities subject to their jurisdiction and participating entities will continue to be required to follow all applicable federal and provincial frameworks.
Following ongoing engagement with provincial and territorial governments, the federal government is amending the Consumer-Driven Banking Act to provide the Minister of Finance with the authority to designate a provincial regulator to oversee certain provisions of the Act for the entities within its jurisdiction (e.g., provincial credit unions). In provinces where this designation has occurred, some parts of the Act would be supervised by the FCAC, and other parts would be supervised by the appropriate provincial regulator. The provisions that will be eligible for designation relate to areas where provinces already supervise provincial financial institutions, and include security, privacy (including consumer consent and authentication), liability, complaints, and consumer protection. Provisions that relate to accreditation (entry into the framework), suspension and revocation, or national security, will remain the responsibility of the federal government.
Once the Ministerial order is issued and an agreement or Memorandum of Understanding with the FCAC is in place, the designated provincial or territorial regulator would gain responsibility for the supervision of the agreed upon provisions. When a violation of the Act has occurred, the designated regulator would bring the information to the FCAC who would take the appropriate next steps. The FCAC will retain the enforcement powers to issue fines and penalties and apply them consistently across all the provinces, regardless of the province in which the participating entity is located and will work closely with provincial regulators in this regard.
This legislation will also establish a permanent federal, provincial, and territorial advisory committee to inform the Senior Deputy Commissioner of FCAC’s work on administering and implementing the framework. The advisory committee would provide a vehicle to inform uniform guidelines for penalties including Administrative Monetary Penalties.
This approach preserves a consistent foundation of baseline standards that ensures all Canadians are similarly protected, and all entities participating in the framework operate on a level playing field, while providing flexibility for provinces and consistency for provincially regulated institutions. The government remains committed to working with provinces to ensure a consistent regulatory approach, informed by provincial input.
2.2 Scope
To ensure the efficient implementation of secure, consumer-driven banking, government will adopt a phased approach to the three elements of scope: participants, breadth of data sharing, and functionality. The development of the Consumer-Driven Banking framework will be an iterative process, and the framework may evolve significantly over time.
Scope refers to:
- What entities can participate;
- The breadth of data that must be shared among them; and,
- Functionality, such as read or write access.
In the initial phase, the government will mandate participation for banks that meet a specified threshold for retail volume. The remaining federally-regulated financial institutions, as well as credit unions, crown corporations acting as banks, and other entities seeking accreditation will be provided the ability to opt-in to the framework. There will be clear requirements for how various entities can enter and exit the consumer-driven banking framework. All entities entering the framework will be required to demonstrate adherence to technical and security requirements.
In the initial phase, the scope of data that participants will be required to share at the request of a consumer will initially include data related to chequing and savings accounts operations, investment products available through their online portals, and lending products, such as credit cards, lines of credit, and mortgages. Data that has been materially enhanced by a participant to offer significant additional value or insight will be excluded from scope. The existing prohibition on the sharing by banks of customer information for the business of insurance will be maintained.
To fully implement consumer rights to data portability, all entities will be equally subject to consumer-permissioned data sharing requests (reciprocal access) and the ability to provide reciprocal access will be a condition of entry and requirement for continued participation in the framework. When authorized by a consumer, in-scope data would be shared in its unaltered, original format, free of charge. The government may consider an expansion of the scope at a later date, to include additional data, entry processes (e.g., tiered accreditation), and functionalities (such as the ability to initiate payments). The prohibition of screen scraping is intended to come into force only after the framework is fully operational. The federal government is aiming to launch the consumer-driven banking framework in early 2026.
2.3 Accreditation
To ensure Canadians can confidently engage in financial data sharing with trusted entities, Canada’s framework includes a formal accreditation framework, inclusive of process, oversight, and criteria for entities wishing to collect consumer-permissioned data from data holders.
Accreditation ensures that only trusted entities can access financial data when requested by a consumer. The framework will set out the process and specific criteria for data requestors to access consumer financial data. The FCAC will evaluate applications against these criteria and publish a list of all authorized participants in a central registry to ensure consumers have clear information when choosing to share their financial data with an entity.
Recognizing the highly sensitive nature of financial data, this process will ensure that only those who meet certain requirements can participate in a data sharing ecosystem. It will create trust among consumers and participants by validating the merit and financial capability of organizations outside of traditional regulated financial services.
Entities wishing to become accredited will need to submit an application to the FCAC that provides information on their organization (including existing oversight arrangements and governance structure), operational standards (including security and privacy controls), and financial capacity (including liability instruments such as insurance). Once accredited, a participant will be permitted to request financial data, at the instruction of a consumer, from another participant, and will in turn be obligated to follow all common rules of the framework and make available any in-scope data to other participants.
Accreditation will not be a static obligation. Entities will be subject to mandatory reporting of key information on a regular basis and as their business models evolve to maintain accreditation. The FCAC will have the authority to suspend or revoke an organization’s accreditation if they fail to meet their obligations under the framework or present a risk to consumers.
2.4 Tiering
Tiered accreditation—the practice of establishing different accreditation requirements for entities, for example, based on the levels of data they are permitted to access—will not be included in an initial phase.
That said, the Consumer-Driven Banking Act will require participating entities who wish to outsource certain tasks related to consent management, authentication management, and the movement of data, to use an accredited third-party service provider. Participating entities that elect to do so will continue to be liable for their responsibilities under the Act.
Accredited third-party service providers will be companies that have met the necessary eligibility criteria, including a national security screen, and have been approved by the FCAC to participate in the framework. Accredited third-party service providers may only engage in the Framework on behalf of a participating entity; they are not participating entities themselves and may not engage in consumer-driven banking activities on their own behalf.
2.5 Common Rules
To provide a consumer-centric, safe, and transparent foundation for consumer-driven banking in Canada, the framework will include common rules that address privacy, liability, security, national security and integrity obligations. All participants will be required to abide by these rules as a condition of access to consumer data.
The intent of common rules is to ensure that consumers benefit from consistent protection and market conduct standards which would, in turn, help build confidence and trust for consumers. Where appropriate, the common rules align with existing legislative frameworks, such as the Financial Consumer Protection Framework (FCPF) within the Bank Act. Common rules will work to complement existing legislation, rather than creating duplicative or potentially conflicting requirements.
2.6 Privacy
In terms of privacy, participants are already required to comply with applicable legislative frameworks. The framework includes additional privacy rules that are unique to financial data sharing which will address the provision of express consent to access data, consent management, and revoking access to data shared by a consumer. Participants will also be required to have a standardized process for consent and revocation that is done in a clear, simple, and not misleading manner.
Additionally, participants will be required to reconfirm consent at specified intervals (every 12 months) or following certain events. Participants will also be required to provide consent dashboards to ensure consumers have real-time knowledge of who has access to their data and to maintain control over the type of data they share, the accounts from which it is being collected, the length of the consents, as well as the ability to revoke it. Finally, participants will be required to adopt user experience guidelines to govern all areas of consent and revocation.
The Department of Finance will continue to engage with industry, federal regulators, provincial and territorial governments, and other stakeholders to finalize additional requirements that enhance consumer protection around consent, disclosure of key information, market conduct, and financial inclusion.
2.7 Liability
Clear attribution of liability is a critical component of the framework for consumer-driven banking. Predictable and transparent rules outlining where liability starts and ends will provide certainty to participants and make it easier to protect consumers.
The consumer-driven banking framework will clearly set out a liability structure that establishes a statutory relationship between participants when they enter the framework. This eliminates the need for bilateral contracts between participants. Entry requirements will be established in the legislation for both mandated and voluntary participants.
This liability structure is based on the principle that liability moves with the data and rests with the party at-fault if anything goes wrong. This means that when a consumer initiates a data transfer, the data provider’s liability towards that consumer for how the data is managed or protected ceases once it leaves the institution. The data provider maintains liability toward the consumer for data under its control.
To ensure consumers are protected and to strengthen confidence in the system, consumers will not be held liable for financial losses incurred as a result of sharing their financial data within the consumer-driven banking framework.
Participants will also be required to put in place policies and procedures for complaint handling and the provision of redress to ensure consumers have a clear path for addressing their complaints. These requirements will align with existing financial sector practices.
The Department of Finance will continue to engage with industry, federal regulators, provincial and territorial governments, and other stakeholders to finalize additional liability requirements related to service level requirements, use of third-parties, reporting, investigations, recordkeeping, and traceability.
2.8 Security
To ensure voluntary and mandated participants protect consumers’ data, Canada’s framework establishes clear security requirements.
To set a high bar, the scope of a participant’s information security management system will have to capture all the people, processes, technology, and infrastructure that interact with in-scope data that is collected through the consumer-driven banking framework. The legislation will establish security requirements for all participants that will serve as the minimum “floor” to safeguard consumer data. Participants will also need to fulfill ongoing reporting obligations that will be overseen by the FCAC, such as surveillance audits.
These requirements will ensure that all participants, regardless of size, risk profile, and business model, dedicate the necessary attention and resources to safeguarding against risks.
The Department of Finance will continue to engage with industry, federal regulators, provincial and territorial governments, and other stakeholders to finalize a recommendation on which security certification will be mandated and the extent of the reporting obligations.
2.9 National Security and Best Interest of the Financial System
To protect the integrity and security of the consumer-driven banking framework and maintain Canadians’ confidence in the financial sector, the framework includes safeguards and provides authorities to the Minister of Finance that align with existing financial sector statutes, such as the Retail Payment Activities Act, the Bank Act and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.
These authorities will enable the Minister to refuse, suspend, or revoke access to the framework for national security-related reasons. The Minister will also be provided an expanded authority to direct the FCAC to take measures related to the framework for reasons related to national security, to safeguard the integrity or security of Canada’s financial system, or in the best interest of the financial system.
2.10 A Single Technical Standard
Consumer-driven banking offers a means to successfully transition away from screen scraping to a more secure method for financial data sharing. The framework will significantly decrease the risks of personal data being compromised by bad actors and mitigate security, privacy, and liability risks for consumers and participants. This is achieved through the use of APIs, a type of software that acts as secure data “pipes” to enable products and services to communicate with one another.
Technical standards are a key element of financial data sharing as they form the specifications to which APIs are built and therefore support functionality and interoperability. To align with international best practices, the government will mandate the use of a single technical standard.
The consumer-driven banking framework includes the principles and processes that will be used to identify a technical standard. This ensures that the standard selected is fair, open, accessible, and able to meet key public policy objectives for the consumer-driven banking framework, including interoperability with standards used in other jurisdictions. The existing legislation provides authority to the Minister of Finance to identify and revoke a technical standard, and authority to the FCAC to supervise the technical standard body to ensure compliance with the framework.
3. Next Steps
With the introduction of the remaining pieces of the consumer-driven banking framework, the Department of Finance will move to the development of the supporting regulations and will engage closely with all implicated stakeholders and Canadians, including through public consultations once draft regulations have been prepared. The FCAC continues to prepare for implementation and will be continuing its ongoing engagement with industry to support its successful launch.
This framework was informed by a series of expert-led recommendations, engagement with other jurisdictions, and extensive consultation with banks, credit unions, financial technology companies, consumer groups, and Canadians across the country. More information about this process can be found at Open Banking Implementation.