As we have written about previously (here, here, here, here, here and here), the Canadian journey toward open banking (also called consumer driven banking) has been stop and go for quite some time. With Bill C-15 receiving Royal Assent, Canada’s consumer‑driven banking framework has crossed an important threshold and the new Consumer Driven Banking Act (the “CDBA”) has been enacted. With the CDBA now law, the focus shifts from legislative uncertainty to implementation, regulatory detail, and operational readiness.
Quick Overview: Where the CDBA Now Stands
The CDBA establishes a national, mandatory open‑banking framework applicable to both individuals and businesses, covering a broad range of financial products, including deposit and transaction accounts, payment products, lending and credit products and certain investment accounts.
Phase 1 of the regime, now enacted, enables read‑only access, allowing consumers to securely direct participating entities to share their financial data with accredited data recipients. Phase 2, expected to follow, will introduce write‑access use cases, including payment initiation and account switching, subject to further regulatory development and supporting infrastructure.
Participation will be mandatory for certain large banks and voluntary for other financial institutions and service providers, subject to accreditation. However, a number of details have yet to be defined, including the list of banks that are required to be participating entities, the designation of a technical standards body, accreditation and security standards, data sharing protocols, and requirements for consent and authorization. Future regulations and orders, or amendments to the CDBA, will continue to provide more clarity and guidance.
What’s New: Express Privacy Consent Confirmed
Since our last publication, the CDBA underwent minor revision between First Reading and Second Reading. The CDBA now clarifies explicitly that, notwithstanding the open‑banking framework, a data provider must still obtain express consent from consumers prior to disclosing data to a data recipient as required under applicable laws.
This confirmation makes clear that the CDBA does not displace existing privacy‑law consent requirements, but instead operates alongside them. For organizations, this reinforces the need to align open‑banking consent mechanisms with broader privacy‑compliance obligations, including requirements around clarity, scope, and revocability of consent.
Looking Ahead: Regulations and Readiness
While Royal Assent marks a major milestone, the practical impact of open banking will be shaped by forthcoming regulations, technical standards, and Bank of Canada guidance. These instruments will address accreditation criteria, cybersecurity expectations, liability allocation, and consumer‑protection mechanisms.
With the CDBA now enacted, consumer‑driven banking in Canada has moved decisively from policy aspiration to legal reality. The broad application and consent‑oriented focus of the CDBA highlight the layered and evolving compliance landscape facing participants. As regulations are released and implementation dates come into sharper focus, we will continue to monitor developments closely and provide updates as Canada’s open‑banking framework moves from legislation to live operation.
