Key takeaways

The Budget Implementation Act (Bill C-15) marks a significant milestone in Canada’s journey toward open banking and consumer data mobility. The CDBA is designed to empower consumers, including businesses, to control how their financial data is shared among “participating entities.” The CDBA aims to ensure that data sharing is secure, transparent, and fosters competition and innovation in Canada’s financial services landscape.

The key takeaways of the CDBA are:

Regime and supervisory authority

• The CDBA names the Bank of Canada (BoC) as the primary supervisory authority. The BoC is responsible for accrediting participating entities, overseeing compliance, and monitoring market trends. The Minister of Finance retains broad powers to issue guidelines and intervene for reasons of national security or public interest.

Scope of application

• The CDBA applies to data related to deposit accounts, investment accounts, payment products, credit products, and other regulated financial services. It covers federally regulated financial institutions, other regulated credit unions and financial institutions, registered payment service providers under the Retail Payment Activities Act and other accredited entities, together referred to as “participating entities” under the CDBA.

Accreditation and registration

• Entities wishing to become accredited participants must apply for accreditation, demonstrating compliance with technical standards and security safeguards. Accredited entities will be required to pay an annual fee and be listed in a public registry maintained by the BoC.

Consumer rights and data sharing

• Consumers can direct participating entities to share their financial data with other participants of their choice. The CDBA mandates express consent, clear communication, and the ability for consumers to withdraw consent or request deletion of their data at any time.

Security and liability

• Participating entities must implement robust security safeguards, report breaches, and notify affected consumers if there is a real risk of significant harm. The CDBA limits consumer liability for unauthorized access unless there is gross negligence.

Complaints and redress

• The CDBA requires all participating entities to establish internal complaints procedures and to be members of a designated external complaints body, ensuring accessible and impartial dispute resolution.

Enforcement and penalties

• The BoC is empowered to conduct audits, issue compliance agreements, and impose administrative monetary penalties for violations, with the maximum penalty for a violation committed by an individual being CAD 1,000,000 and CAD 10,000,000 where the violation was committed by a participating entity or accredited third-party service provider. The CDBA also provides for more serious court-enforced offences, which can lead to a fine of not more than CAD 1,000,000 and/or imprisonment for a term of not more than five years or in the case of an entity, to a fine of not more than CAD 5,000,000 for a conviction or conviction upon indictment.

Going forward

The consumer-driven banking regime is intended to create a secure system that allows individuals and businesses to share their financial data with participating entities and approved service providers of their choice. The CDBA also aims to foster innovation and competition in the financial sector.

The CDBA represents a foundational step toward open banking in Canada. While the government has set a target for launching the open banking framework in early 2026, much will depend on the passage of supporting regulations. Under the CDBA, participating entities will need to double their efforts in protecting consumer financial information as well as implementing a robust process for dealing with consumer complaints.

* * * * *

Tiana Gleason, Articling Student, has contributed to this legal update.