Canada's CDBA Draft Regulations Are Here: What Fintechs Need to Prepare For

By Laith Sarhan

When the Consumer-Driven Banking Act (CDBA) received Royal Assent on March 26, 2026, it established the legal foundation for Canada's open banking framework. But a legal foundation without operational rules is a house without plumbing. The Act left the hard part — accreditation criteria, security standards, consent mechanics, liability allocation, record keeping, enforcement — to regulation.

On June 27, 2026, the Department of Finance published the proposed Consumer-Driven Banking Regulations in Canada Gazette Part I (Volume 160, Number 26), launching a 60-day public consultation period that runs until August 26, 2026. For the first time, we can see how the framework will actually work.

The Regulations are not final. They are subject to stakeholder feedback, and the Bank of Canada has indicated it will publish additional guidelines on accreditation, data usage, consent management, and data sharing. But the direction is clear enough that fintechs should be preparing now, not waiting for final publication.

This post breaks down what the draft Regulations actually require, what they leave open, and what fintechs should be doing during the consultation window.

Oversight: Who Runs the Framework

The Bank of Canada is the primary supervisor. Under the CDBA and the draft Regulations, the Bank is responsible for:

The Department of Finance led the development of the Regulations with support from the Bank. The Minister of Finance retains national security authorities — including the power to direct the Bank to refuse, suspend, or revoke an entity's participation, and to impose conditions or require undertakings from applicants, participating entities, or Accredited Third-Party Service Providers (ATPSPs).

A Consumer-Driven Banking Advisory Committee provides industry perspective and advice to both the Bank of Canada and the Department of Finance.

Accreditation: Four Pathways

Any entity that wants to participate in consumer-driven data sharing — other than banks mandated to participate — must be accredited by the Bank of Canada. The draft Regulations establish four accreditation pathways tailored to entity type:

Pathway Who It Covers Streamlined? Key Requirements
1. Fintechs and other entities Non-regulated businesses, technology firms No (full accreditation) Proof of Canadian presence, insurance coverage, baseline security controls, integrity and good character policy for key personnel, full information submission
2. RPAA-registered PSPs Payment service providers registered under the Retail Payment Activities Act Yes Leverages existing RPAA regulatory oversight; declaration of security compliance rather than starting from scratch
3. Federal/provincial FIs Banks, credit unions, other regulated financial institutions not mandated to participate Yes Leverages existing prudential/regulatory oversight
4. ATPSPs Accredited Third-Party Service Providers (aggregators, consent managers) Separate pathway Can perform specific activities (consent management, authentication, data movement) on behalf of participating entities; cannot operate on their own behalf

All applicants must submit through the Bank of Canada's electronic system. The prescribed accreditation fee is C$2,500, subject to annual indexation. Participating entities will also be subject to ongoing annual assessment fees once the framework becomes operational.

What this means for fintechs: If you're not already regulated under the RPAA or as a federal/provincial financial institution, you're in Pathway 1 — the most extensive accreditation process. The requirements include demonstrating a place of business in Canada, maintaining insurance coverage, implementing baseline security controls, and having an integrity and good character framework for key personnel. This is not a rubber stamp.

ATPSPs are a distinct category. They are not participating entities. They can only operate on behalf of a participating entity, and the participating entity remains liable for the ATPSP's activities. This matters for fintechs that currently act as aggregators — you'll need to decide whether to seek full accreditation as a participating entity or operate as an ATPSP under a sponsor.

The Small Fintech Access Problem

The draft Regulations have drawn immediate industry feedback on a structural concern: the cost and complexity of full accreditation may be prohibitive for smaller fintechs.

On June 8, 2026, the Financial Data and Technology Association (FDATA) submitted a formal proposal to the Department of Finance and Bank of Canada recommending a Sponsored Fintech Model (SFM). The proposal would allow accredited aggregators or data intermediaries to serve as sponsors for smaller fintechs, providing the API infrastructure, consent management, and compliance oversight that the CDBA requires. Sponsored fintechs would still be subject to national security screening, data minimization commitments, and independent audits — but without the full accreditation burden.

The government's own Regulatory Impact Analysis Statement acknowledges the disproportionate impact on small businesses, noting that approximately 578 of the 680 affected businesses are small businesses and that many compliance costs are fixed, representing a larger burden relative to firm size.

The consultation period is the window to weigh in on this. If you're a smaller fintech, the accreditation cost question is the one most likely to determine whether you can participate in Canada's open banking ecosystem at all.

Security Requirements

The draft Regulations prescribe detailed security safeguards that participating entities must implement and maintain. These are not principle-based aspirations — they are specific, operational requirements:

The Bank of Canada will develop and publish guidelines on these requirements ahead of the Act's coming into force. But fintechs should not wait for those guidelines. The requirements broadly align with established security frameworks (ISO 27001, NIST), and the work of building a security program that meets this standard is a months-long effort, not a weeks-long one.

Consent is the engine of the consumer-driven banking framework. The draft Regulations specify:

For fintechs, this has direct product implications. Your consent flows, data retention policies, terms of service, and user experience all need to be built around express consent and revocation. If a consumer revokes consent, you need to be able to demonstrate that you stopped accessing their data and handled any previously accessed data in accordance with the deletion request.

This intersects with PIPEDA's data mobility provisions, which were also amended through Bill C-15. The compliance surface is broader than the CDBA alone — fintechs handling financial data accessed through the framework need a privacy compliance program that accounts for both regimes simultaneously, not two separate programs running in parallel.

Record Keeping: Five-Year Retention

Participating entities must retain records demonstrating compliance with the CDBA and its Regulations for five years. Records must be stored electronically in a format intelligible to the Bank of Canada and protected against loss, destruction, falsification, inaccuracies, and unauthorized access.

This is consistent with the record retention requirements under the Retail Payment Activities Act, which means RPAA-registered PSPs may already have infrastructure that can be extended. For fintechs without existing record-keeping frameworks, this is a build requirement.

The scope of what must be retained is broad: compliance records, consent records, data sharing logs, breach reports, security safeguard documentation, and complaint records. This is not just a data retention policy — it's an information governance framework.

Annual Reporting

Participating entities must submit an annual report to the Bank of Canada containing prescribed information, including:

The annual report is the Bank of Canada's primary supervisory tool. Fintechs should design their reporting infrastructure before they need it, not after the first reporting deadline.

Breach Reporting

Security breaches must be reported to the Bank of Canada "as soon as feasible." This mirrors the language in PIPEDA's breach reporting provisions (s. 10.1), which also require reporting "as soon as feasible" to the Privacy Commissioner of Canada when a breach poses a "real risk of significant harm." Neither regime prescribes a fixed deadline (unlike GDPR's 72-hour rule) — both rely on a reasonableness standard. The key difference for CDBA participants is that a breach within the framework may trigger reporting obligations to both the Bank of Canada and the OPC simultaneously, plus notification to affected consumers.

This means your incident response playbook needs escalation paths to the Bank of Canada, not just to affected consumers and the Privacy Commissioner. A breach within the CDBA framework could trigger reporting obligations to multiple regulators simultaneously.

National Security Review

The Minister of Finance has national security authorities that overlay the entire framework. The Minister can:

The draft Regulations specify the timelines and information requirements for the national security review process. Applicants must provide information including corporate ownership, governance structure, foreign regulatory status, and details about persons subject to integrity and good character assessments.

For fintechs with foreign ownership or cross-border operations, this is a gatekeeper worth taking seriously. The national security review is not a formality — it's a substantive assessment that can block participation.

Liability: The Framework Takes Shape

The existing post on the CDBA noted that liability rules were among the most consequential and least resolved questions. The draft Regulations begin to fill this gap.

The framework establishes liability-related consumer notices — participating entities must provide consumers with information about liability allocation in the prescribed form. The Regulations also prescribe complaint procedures that participating entities must implement and follow.

The emerging principle — consistent with the government's policy documents — is that liability follows control. Once a bank transfers data to an accredited third party through a mandated API, the bank's exposure ends at the point of transfer. The receiving entity owns what happens next.

But the chain complexity remains. What happens when a breach involves multiple parties — a bank, an ATPSP, and a fintech? What's the standard of care for a fintech holding consumer financial data? What happens when consent is revoked but data has already moved downstream? The Regulations provide the framework for these questions but do not answer all of them. The Bank of Canada's forthcoming guidelines are expected to provide additional clarity.

Data Scope: What's Covered

The Act specifies that participating entities will be required to share, at a consumer's request, both data provided by the consumer and product data related to:

The Regulations clarify that the data covered includes:

This is the Phase 1 scope — read access. The government has confirmed that the screen scraping prohibition will not come into force as part of the initial implementation. Future policy work will consider a broader second phase, including "write access" functionality such as payment initiation, account opening, and account closure.

Enforcement

The draft Regulations designate violations for contraventions of a broad range of Act provisions and specified regulation provisions, including:

Enforcement tools available to the Bank of Canada include suspension, revocation of accreditation, compliance agreements, and administrative monetary penalties.

What's Still Open

The draft Regulations represent significant progress, but several elements remain to be finalized:

  1. Technical standards body — The Regulations reference a technical standards body responsible for establishing the single technical standard applicable to all participating entities, but it has not been designated
  2. Bank of Canada guidelines — The Bank plans to issue guidance on accreditation, data usage, consent management, and data sharing
  3. External complaints body — A body to provide consumer-driven banking dispute resolution services is referenced but not named
  4. Screen scraping prohibition — Deferred from initial implementation; no timeline confirmed
  5. Phase 2 / write access — Payment initiation, account opening, and account closure are future policy work, contingent on the Real-Time Rail
  6. Final regulations — The current draft is subject to the 60-day consultation; final publication will follow

Staggered Implementation

The Regulations will come into force in a staggered approach, beginning with accreditation. Requirements related to common rules and assessment fees will follow within one year of final publication. Further details on the coming-into-force timing for different products and services will be set out when the final regulations are published.

This means the accreditation window will open first — and the fintechs that are ready to apply on day one will have a structural advantage.

The Consultation Window: August 26, 2026

The 60-day consultation period closes on August 26, 2026 at 11:59 p.m. EDT. Stakeholders can submit feedback through:

This is not a passive exercise. The draft Regulations address issues that will directly shape the competitive landscape — accreditation costs, liability allocation, the role of ATPSPs, the treatment of small fintechs. The entities that engage with the consultation process are the ones that will influence the final rules.

What Fintechs Should Be Doing Now

  1. Map your accreditation pathway. Determine which of the four pathways applies to your business model. If you're a non-regulated fintech, start preparing for Pathway 1 requirements now — Canadian presence, insurance, security controls, integrity framework.
  2. Conduct a security gap assessment. Compare your current security program against the prescribed requirements. The gap between where most early-stage fintechs are and where the Regulations require them to be is wider than expected.
  3. Design your consent architecture. Build for express consent, revocation, and deletion — not as features bolted on later, but as core product infrastructure.
  4. Build your record-keeping framework. Five years of compliance, consent, data sharing, and breach records, in a format the Bank of Canada can inspect. This is an information governance build, not a policy document.
  5. Engage with the consultation. Submit feedback on the issues that matter to your business — accreditation thresholds, the sponsored fintech model, liability allocation. The window closes August 26.
  6. Integrate CDBA compliance with your privacy program. The CDBA doesn't operate in isolation. It sits alongside PIPEDA (including the new data mobility amendments), the RPAA, and provincial privacy legislation. Design one compliance architecture that accounts for all of them.

The fintechs that win in Canada's open banking ecosystem won't just be compliant. They'll have built compliance into the product from the start — and they'll have shaped the rules during the consultation window rather than reacting to them after they're final.