Federal Government Releases Additional Details on Consumer-Driven Banking (Open Banking) Framework

The federal government released alongside the 2024 federal budget a paper entitled Budget 2024: Canada’s Consumer-Driven Banking Framework (the “Paper”), setting out additional details on the federal government’s plan to legislate a Consumer-Driven Banking Framework (the “Framework”).

  1. Role of the Financial Consumer Agency of Canada

The federal government announced its plan to expand the mandate of the Financial Consumer Agency of Canada (“FCAC”) to include the oversight of consumer-driven banking (also known as open banking). Additionally, it intends to amend the FCAC Act to create a new position, the Senior Deputy Commissioner of Consumer-Driven Banking, who will be responsible for consumer-driven banking.

The FCAC will supervise all participants in the Framework. Provincial credit unions and Crown corporations that act as banks will have the option to “opt-in” to governance, supervision, and participation in the Framework. Upon opting in, they will be subject to oversight by the new Senior Deputy Commissioner for Consumer-Driven Banking in respect of the Framework, as opposed to being subjected to broader oversight by the FCAC as a whole. The Paper also notes that “[p]rovinces and territories retain the authority to impose their own requirements on entities subject to their jurisdiction.”

  2. Consumer-Driven Banking Legislation Being Introduced in 2024

The federal government announced that it intends to introduce two pieces of legislation to implement the Framework. The first piece of legislation, slated for spring 2024, will address key elements, such as governance, scope, criteria and process for the technical standard. Additional legislation will follow in fall 2024.

  3. Accreditation Process and Criteria

The Framework will include an accreditation process under which entities can apply to the FCAC for accreditation. The FCAC will review such applications against criteria to be set out in the Framework and will publish and maintain a list of accredited participants. The Paper contemplates that accreditation applications will assess information about the organization itself (e.g. oversight arrangements and governance structures), its operational standards (e.g. security and privacy controls), and its financial capacity. Accredited entities will be required to report certain information to the FCAC in order to maintain their accreditation.

The initial phase of the Framework will not include a concept of “tiered accreditation” (where certain participants may be subject to different criteria based on, for example, size or nature of access).

  4. Scope of Framework

The federal government intends to mandate participation for banks that meet a specified threshold for retail volume, which will capture Canada’s largest retail banks. Other entities (such as Fintech companies and financial institutions that do not meet the specified retail volume) will not be required to participate but will be permitted to opt in to the Framework.

The Paper also sets out the data that will initially be in scope for the Framework:

  • In-scope data: The Paper states that “In the initial phase, the scope of data that participants will be required to share at the request of a consumer will initially include data related to chequing and savings accounts operations, investment products available through their online portals, and lending products, such as credit cards, lines of credit, and mortgages.”
  • Out-of-scope data: The Paper states that “[d]ata that has been materially enhanced by a participant to offer significant additional value or insight will be excluded from scope.” and that “[t]he existing prohibition on the sharing by banks of customer information for the business of insurance will be maintained.”

The federal government stated that it “may consider an expansion of the scope at a later date, to include additional data, entities, entry processes (e.g., tiered accreditation), and functionalities (such as the ability to initiate payments).”

  5. Framework Access Parameters

The Framework provides for the following access parameters in respect of consumer-permissioned data sharing requests:

  • Reciprocal access: Participants in the framework will be required to provide reciprocal access to in-scope data.
  • No charge for access: In-scope data will be required to be shared in unaltered, original format, free of charge.
  • Common rules: All participants will be required to comply with common rules in the Framework that will address consumer protection interests, privacy, liability, security, national security, and integrity obligations. The Paper states that there will be an effort to ensure such rules align with and complement existing legislation, including the Financial Consumer Protection Framework within the Bank Act.

  6. Liability Regime

The Paper states that the Framework legislation will address liability by creating a statutory relationship between participants when they enter the Framework, eliminating the need for contracts between participants. The liability structure is to be “based on the principle that liability moves with the data and rests with the party at-fault if anything goes wrong”, with consumers not to be held liable for financial losses incurred as a result of sharing their financial data within the Consumer-Driven Banking Framework.

Participants in the Framework will also be required to put in place policies and procedures for complaint handling and redress.

  7. Single Technical Standard

The Framework will mandate the use of a single technical standard, and will set out the principles and processes to identify such technical standard, with the aim “that the standard is fair, open, accessible, and able to meet key public policy objectives for the Consumer-Driven Banking Framework, including interoperability with standards used in other jurisdictions.”

The Minister of Finance will have the authority to identify and revoke a technical standard, and the FCAC will have the authority to supervise the technical standard body to ensure compliance with the Framework.

  8. Privacy and Consent Management

While participants will remain obligated to comply with existing privacy legislation, the Framework will include additional rules regarding how consents must be provided, revoked and otherwise managed within the Framework. Participants will be required to provide consent dashboards that provide consumers with “real-time knowledge about who has access to their data and to maintain control over the type of data they share, the accounts from which it is being collected, the length of consents, as well as the ability to revoke it”. In particular, the Paper notes that participants will be required to re-confirm consents at specified intervals (every 12 months) or following certain events.

  9. Security Requirements and Certifications

All participants will be required to adhere to specified security requirements in connection with the protection of consumers’ data, which will cover “all the people, processes, technology and infrastructure that interact with in-scope data”. The forthcoming legislation will establish these mandatory security requirements that all participants must adhere to, and participants will have ongoing reporting obligations that will be overseen by the FCAC (including audits). As noted above, the security controls of each participant will be assessed as part of the accreditation process managed by the FCAC.

Further, it is expected that each participant will be required to obtain and maintain a security certification, as the Paper notes that the Department of Finance will be engaging with industry, as well as other regulators, governments and stakeholders, to finalize a recommendation on “which security certifications will be mandated and the extent of the reporting obligations”.
