Canada's Consumer-Driven Banking Act Is Now Law: What Every Fintech Needs to Know.
By Laith Sarhan
After years of consultation, false starts, and cautious optimism, Canada has finally done it. On March 26, 2026, Bill C-15 — the Budget Implementation Act, 2025, No. 1 — received Royal Assent, formally enacting a comprehensive new Consumer-Driven Banking Act (CDBA). Canada's open banking framework is now the law of the land.
For Canadian fintechs, this is the starting gun.
The CDBA establishes the legal foundation for a consent-based, API-driven financial data ecosystem. The implementation details, however, including accreditation criteria, technical standards, liability frameworks, and consent rules, are still being worked out. That gap between law passed and regulations finalized is precisely where fintechs face the most consequential decisions.
This post breaks down what the CDBA actually does, what it still leaves open, and the five legal questions every fintech should be asking right now.
What the law actually does
The CDBA gives Canadians the legal right to direct their financial institutions to share their data with third-party providers of their choice. This ends screen scraping, the risky credential-sharing workaround that roughly nine million Canadians currently use to access fintech apps. Standardized APIs replace it.
The framework runs in two phases:
Phase 1 — Read access (2026): Accredited entities can access deposit, investment, credit, and payment account data, with consumer consent.
Phase 2 — Write access (mid-2027): Once the Real-Time Rail is live, the framework expands to payment initiation, account switching, and other transactional capabilities.
Oversight is split. The Financial Consumer Agency of Canada handles accreditation, participant oversight, and consumer protection, while the Bank of Canada sets and supervises the technical standards. A public registry of participating entities will be maintained.
That's the structure. Clean enough on paper. The harder question is what it means in practice.
Here's the part most people are glossing over
The CDBA is a legal foundation, not an operational framework. As of today, several things that actually matter are still undefined:
- The list of mandated banks required to participate hasn't been published
- The technical standards body hasn't been designated
- Accreditation criteria and security standards for third-party providers are still being developed
- The consent and authorization framework — how consent gets obtained, validated, and revoked — is still being finalized
- Liability rules for breaches, unauthorized access, and fraud within the ecosystem remain unresolved
The fintechs that treat this ambiguity as a reason to wait are going to find themselves retrofitting their compliance architecture at significant cost when the accreditation window opens. The ones that engage now will be building something defensible from the start.
Five legal questions worth asking right now
1. Do you need to be accredited — and for what role?
Any entity that wants to participate in consumer-driven data sharing needs to be a "participating entity" under the CDBA. For fintechs that aren't federally regulated financial institutions, that means going through a formal accreditation process with the FCAC.
But accreditation isn't uniform. Different roles — data recipients, data providers, intermediaries handling consent or authentication — will carry different compliance thresholds. Understanding which category maps to your business model is step one. Miss this and you're designing your compliance program for the wrong test.
2. Is your consent architecture ready for what's coming?
Consent is the whole engine here. The CDBA requires express consumer consent before any data access. Consumers must be able to understand, control, and revoke that consent at any time. That has direct implications for how your product works — your consent flows, data retention policies, terms of service, and user experience all need to be built around this.
It also intersects with PIPEDA's updated data mobility provisions, also introduced through Bill C-15. The compliance surface is broader than it looks at first.
Ask yourself: if the FCAC audited your consent architecture today, could you show that every data access event was properly authorized?
3. Who's liable when something goes wrong?
This is the most consequential and least resolved question in the framework. The emerging principle is that liability follows control: once a bank transfers data to an accredited third party through a mandated API, the bank's exposure ends at the point of transfer. The receiving entity owns what happens next.
But the real complexity is in the chain. What happens when a breach involves multiple parties? What's the standard of care for a fintech holding consumer financial data? What happens when a consumer revokes consent but the data has already moved downstream?
These questions will be answered in regulation — but the answers will be shaped by how the industry engages with the consultation process now. This is not the kind of thing you want to figure out after a breach.
4. How does the CDBA interact with your existing privacy obligations?
The CDBA doesn't operate in isolation. It sits alongside PIPEDA — and in some places creates friction with it. Bill C-15 introduced amendments to PIPEDA specifically around the data mobility right. For fintechs, CDBA compliance obligations and PIPEDA obligations overlap in material ways: data minimization, purpose limitation, retention schedules, breach notification.
If you're handling financial data accessed through the CDBA framework, you need a privacy compliance program that accounts for this intersection — not two separate frameworks running in parallel.
5. Is your data governance built for a regulated ecosystem?
This is the sharpest break from the pre-CDBA world. Many fintechs operated in a grey zone — accessing financial data through screen scraping or informal bank arrangements, without a formal legal framework governing the relationship. That grey zone is closing.
The CDBA will require participating entities to meet prescribed technical and security requirements, maintain records of data sharing activity, and operate within a governed, auditable framework. Your API documentation, data governance policies, vendor agreements, and security controls all need to be built to a regulated standard. For fintechs that have been operating informally, that's a real lift. For those that build this into their architecture now, it's a competitive advantage.
What the smart fintechs are doing
They're not waiting for every regulation to be finalized before they start preparing. They're conducting readiness assessments to map their current operations against the emerging framework. They're engaging with the Bank of Canada and FCAC consultation processes to understand — and where they can, influence — the direction of accreditation criteria and technical standards. They're reviewing consent frameworks, stress-testing liability exposure, and integrating CDBA work with their broader privacy compliance programs.
The fintechs that win in Canada's open banking ecosystem won't just be compliant. They'll have built compliance into the product from the start.
The CDBA is a structural redesign of how financial data moves in Canada. That creates real opportunity for fintechs that are positioned to participate on day one.
The window to prepare is now.