a hand holding a guitar

Insights

ARTICLE

Introducing Canada’s Open Banking Law: The Consumer-Driven Banking Act

Canada has reached another landmark in its winding road to open banking (which we illustrated in our last article, 2024 Federal Budget: Money Talks). On April 30, the federal government introduced the Budget Implementation Act, 2024, No. 1 (Bill C-69) which included the inaugural Consumer-Driven Banking Act (CDB Act), as well as related amendments to the Financial Consumer Agency of Canada Act (FCAC Act) to coordinate with the regulatory structure of the draft CDB Act.

Join our team in-person at Open Banking Expo Canada as we present the kick-off session, “Open Banking 101 Primer”, on June 11, 2024.

Key takeaways

  • The draft CDB Act provides for a read-only open banking model in Canada
  • The draft CDB Act includes data relating to traditional banking and payment products, consumer loans, as well as investment accounts.
  • A Senior Deputy Commissioner of the FCAC will be appointed to supervise “participating entities”.
  • The draft CDB Act allows users to access financial information and services through consent-based data portability.
  • The draft CDB Act describes a cost-recovered framework, whereby participating entities must pay an annual assessment fee. It’s unclear how costs will be allocated among participating entities.
  • Although the draft provisions address some aspects of the framework, including the Minister of Finance’s authority to appoint a technical standard setting body, the CDB Act does not present a comprehensive model, which we expect to see in further legislation this fall.

Taking part in consumer driven banking

Once the CDB Act (and its regulations) are fully implemented, businesses who wish to participate in consumer-driven banking will need to become “participating entities”. The FCAC will publish a publicl registry of participating entities and certain details about each one. As it is currently written, it is unclear what constitutes a participating entity, however, there are heavy penalties associated with falsely claiming to be one.

The word-use prohibition of “participating entity” is akin to the parallel prohibition under the Bank Act (Canada) for “bank” and “banking” words. A person or business that uses the term “participating entity” or any of its derivations, in any language, in a manner that may reasonably lead someone to believe they are a participating entity under the CDB Act, or represents themselves as such, in any way or by any means, is liable for significant fines and possibly imprisonment.1

The costs associated with the proposed framework will be borne by the participating entities, who will be required to pay an annual assessment fee. It is unclear how the Senior Deputy Commissioner will allocate the costs to participating entities.

The proposed framework also includes an administrative monetary penalty regime. For example, the Senior Deputy Commissioner may issue a notice of violation if they believe on reasonable grounds that a person has not complied with a requirement of the CDB Act, its regulations, or any terms and conditions, undertakings or directions. Any person that is issued a notice of violation may seek a review by making representations to the Senior Deputy Commissioner, after which it may be appealed in court.

We expect the regulations, when ready for review, will address remaining aspects of the framework, including specific rules for liability, privacy and security for participating entities.

Read-only vs. write functionality

As we expected, the draft CDB Act permits read-only functionality. The CDB Act excludes write-only functionality by excluding “derived data”, which is defined as “data about a consumer, product or service that has been enhanced by a participating entity to significantly increase its usefulness or commercial value”. There is much market commentary about the limitations of read-only functionality to advance the purpose of increasing competition in the financial services industry.

Nevertheless, as the government’s Advisory Committee on Open Banking recommended in 2023, the limited scope of read-only model would be the initial scope of consumer driven banking; once the system is operating, and operating well, consideration may be given to expanding to allow write access functions.

Further, the Minister of Finance may designate one technical standard setting body for data sharing. It is unknown who that entity would be. Nevertheless, the CDB Act requires the Minister to account for principles of fairness, accessibility, good governance and transparency, and uphold the object of secure and safe data sharing, when designating the technical standards body.

Federal vs. provincial regulation

To account for organizations who are regulated by provincial authorities rather than federal agencies like the FCAC, the creation of the Senior Deputy Commissioner is meant to avoid encroaching on the authority of provincial consumer financial services regulators. Concurrently, the allowance for provincially regulated financial entities (such as provincial credit unions or certain Crown corporations) to opt-in to the CDB regime will not be subject to direct oversight by the FCAC (which is a federal market conduct regulator).

Privacy perspective

During the initial rollout of the CDB Act, participating entities will be required to share certain types of data at the request of the consumer. This data encompasses information on chequing and savings accounts, investment products accessible through their online platforms, and various lending products like credit cards, lines of credit, and mortgages. However, data that has been materially enhanced by a participant to offer significant additional value or insight will be excluded from the scope of this requirement. Additionally, the current restriction preventing banks from sharing customer information for insurance purposes will remain in place. In addition, this initial phase will include a requirement for participating entities to demonstrate adherence to technical and security requirements for data protection.

To fully enforce consumer data portability rights, all participating entities must be equally subject to consumer-approved data sharing requests (known as reciprocal access). Providing reciprocal access will be obligatory for entities wishing to join the Framework, and it will also be a prerequisite for ongoing participation. If a consumer authorizes it, the relevant data will be shared in its original, unaltered format at no cost. There is potential for expansion of the scope in the future. This could include additional data categories, more entities, varied entry processes (like tiered accreditation), and new functionalities such as the capability to initiate payments. The government might explore these expansions at a later stage.

Finally, to further in respect of privacy, participants will be required to reconfirm consent every 12 months or following certain events; provide “consent dashboard” to provide consumers with real-time knowledge and control over the accessibility of their data; and adopt user experience guidelines to govern all areas of consent and revocation. Overall, the draft CBD Act will facilitate the reuse of data and enhance the ability of consumers to switch providers, thereby enhancing individual control over their personal information and promoting greater competition.

What’s next?

The draft provisions in the CDB Act and related amendments to the FCAC Act may still change as they move through the legislative process to eventually become law. As is, the draft CDB Act defines the skeleton of the consumer driven banking framework, but also leaves gaps. We anticipate the Government will introduce more legislation to address these gaps in the fall.

Key Contacts