ARTICLE
1 December 2025

Open Banking 2025: Read, Write, And Rewrite The Rules

MT
McCarthy Tétrault LLP

Contributor

McCarthy Tétrault LLP logo
McCarthy Tétrault LLP provides a broad range of legal services, advising on large and complex assignments for Canadian and international interests. The firm has substantial presence in Canada’s major commercial centres and in New York City, US and London, UK.
Explore Firm Details
Lexpert Firm Profile
As we have written about previously (here, here, here and here), the journey toward open banking (also called consumer driven banking) in Canada has been marked...
Canada Finance and Banking
TechLex Blog,Christine Ing,Mohammed M'Hiri
+1 Authors
 Your Author LinkedIn Connections
TechLex Blog’s articles from McCarthy Tétrault LLP are most popular:
  • with Senior Company Executives, HR and Finance and Tax Executives
  • in Europe
  • in Europe
  • with readers working within the Banking & Credit, Healthcare and Property industries

Background: From Framework to Implementation

As we have written about previously (here, here, here and here), the journey toward open banking (also called consumer driven banking) in Canada has been marked by a series of starts and stops, with significant legislative and policy milestones along the way. In April 2024, the federal government released its plan to legislate a consumer-driven banking framework, followed by the introduction and Royal Assent of Part 1 of the Consumer-Driven Banking Act ("CDBA") in June 2024. This initial legislation was intentionally high-level, establishing a high-level framework for open banking but leaving substantive details for future regulations and a planned Part 2. Political developments, including the prorogation of Parliament in January 2025 and a federal election in April 2025, delayed progress and left the future of open banking uncertain.

With the release of Budget 2025 (as described here), the landscape for open banking in Canada has undergone a dramatic transformation, culminating in the introduction of a revamped CDBA in November 2025 (the "New CDBA") as part of Bill C-15, an Act to implement certain provisions of Budget 2025.

What's to come: The Revamped Consumer-Driven Banking Act and the Road to 2027

With the introduction of the New CDBA and the renewed momentum from Budget 2025, Canada's open banking regime is entering a pivotal phase. The government's commitment to accelerating open banking is evident in its ambitious timeline with a two-stage roadmap for implementation.

  • The first phase, now underway, focuses on read-access only, meaning consumers will be able to securely direct their financial data with participating entities of their choice.
  • The second phase, targeted for mid-2027, will expand the framework to include write-access, unlocking new possibilities for consumer-directed financial actions (such as payment initiation and account switching). This expansion is contingent on the successful rollout of Canada's Real-Time Rail payments infrastructure, anticipated in 2026, which will enable instant money transfers and support more dynamic financial services.

Notable Points from the New CDBA

The New CDBA that was released as part of Bill C-15 covers the first phase described above (i.e. read-access only). Notable aspects from the revamped open banking law include the following:

  • Prohibition on Screen Scraping: The Act introduces a broad prohibition on "screen scraping", i.e. the use of interfaces or applications to gain direct access to consumer data using the consumer's authentication information. The prohibition is extremely broad – for example the current language purports to prohibit all screen scraping and is not explicitly limited to screen scraping from participating entities. Hopefully the scope of this prohibition will be narrowed and clarified in forthcoming amendments or regulations.
  • Scope of Consumers (and Businesses) that Can Share Data: The New CDBA allows "consumers" to share their data among participating entities. What exactly constitutes a "consumer" remains an open question. The 2024 version of the CDBA purported to cover "small businesses", while the government's 2025 framework stated that it would cover "small- and medium-sized businesses". The New CDBA take an even more general approach and purports to cover "consumers, including businesses". The precise boundary of which categories of businesses are in-scope remains to be clarified.
  • Scope of Data: The New CDBA applies to "data that relates" to a broad range of financial products and services, including deposit accounts, investment accounts, payment products, and lending accounts. However, "derived data", that is, data enhanced to significantly increase its usefulness or commercial value, is expressly excluded.
  • Participating Entities: Participation is mandatory for certain banks (expected to be some subset of Schedule I banks, based on a yet to be specified threshold for retail volume), while other federally and provincially regulated financial institutions, registered payment service providers ("PSPs"), and other entities may opt in, subject to accreditation. In addition, only accredited third-party service providers may be used for key functions such as consent management, authentication, and the provision or receipt of consumer data.
  • Accreditation: The accreditation process varies depending on the type of entity: federal and provincial institutions benefit from a streamlined process focused on technical standards and security safeguards, while PSPs and other entities are subject to a more comprehensive set of criteria that will be specified in regulations. The criteria for accreditation of service providers are also pending further regulatory guidance.
  • Consumer Liability: As expected, the New CDBA states that consumers will not be liable for financial loss arising directly from a loss of, unauthorized access to or use of their data that occurs in relation to the sharing of data in accordance with the New CDBA. The New CDBA adds a carve-out to this principle where the consumer has demonstrated gross negligence in safeguarding their data. The New CDBA does not state how consumers will be made whole for any such losses, or by whom, and regulations are expected to fill in some of these details.
  • Statutory Relationship: The frameworks released by the government in both 2024 and 2025 stated that the act's liability structure would establish a statutory relationship between participating entities, eliminating the need for bilateral contracts. This has not been included in the New CDBA, and it is not clear if or when this might be added via amendments or regulations.
  • Bank of Canada Oversight: Oversight and implementation of the open banking framework have been delegated to the Bank of Canada, shifting away from the Financial Consumer Agency of Canada.

More to Come

As highlighted above, there are still a significant number of details to be defined in future regulations and orders, or amendments to the New CDBA. These forthcoming details include listing the banks that are required to be participating entities, the designation of a technical standards body, accreditation and security standards, data sharing protocols, and requirements for consent and authorization. What is clear is that open banking is moving fast — with Phase 2 targeted for mid-2027, Phase 1 will likely come about much sooner. As the legislative process unfolds, we will continue to provide updates to ensure our clients and readers remain informed.

To view the original article click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of TechLex Blog
TechLex Blog
Photo of Christine Ing
Christine Ing
Photo of Michael Scherman
Michael Scherman
Photo of Mohammed M'Hiri
Mohammed M'Hiri
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More