For more than five years, Canada debated, consulted and drafted while the United Kingdom, Australia and the European Union built their open banking ecosystems and began reaping the first results. The country arrived at international meetings with solid plans on paper, but without firm dates or complete legislation. That cycle is over.
The 2025 Federal Budget confirmed the launch of the Open Banking framework — officially called Consumer-Driven Banking — for early 2026, accompanied by the Real-Time Rail (RTR), the new instant payments infrastructure managed by Payments Canada. Together, these two systems are not an incremental technological upgrade: they are the most profound reconfiguration of Canada’s financial architecture in decades.
For banking institutions, fintechs, neobanks and payment providers operating in Canada, the question is no longer whether change will come. The question is what position they are building today for when that change becomes mandatory.
What Exactly Is Consumer-Driven Banking?
The official Consumer-Driven Banking framework rests on a seemingly simple principle with enormous implications: financial data belongs to the customer, not to the bank that holds it. In practice, this means that a consumer will be able to authorize their institution to share specific data — transaction history, balance, active products — with any accredited provider through secure, encrypted and auditable API connections.
This replaces screen scraping, the practice by which hundreds of Canadian fintechs access banking data using the user’s credentials. Bill C-15 received Royal Assent on 26 March 2026, completing the legislative framework and including an express prohibition on screen scraping. For any company currently using credential-based access, the clock is already ticking: the transition window exists, but it is finite.
The framework’s structure unfolds in two clearly differentiated phases:
Phase 1 — Read Access (2026): Accredited providers will be able to access, with the customer’s explicit consent, data from deposit, investment, credit and payment accounts. The customer controls what data is shared, with whom and for how long, and can revoke that access at any time.
Phase 2 — Write Access (mid-2027): Once the Real-Time Rail is operational and in widespread use, functionality will expand to actions: initiating payments, opening accounts, managing subscriptions or setting up direct debits through accredited third parties. This is the phase that turns Open Banking into a fully-fledged commercial channel.
Phase 1 vs. Phase 2: Comparison
| Phase 1 — Read Access | Phase 2 — Write Access | |
| Planned date | 2026 (exact date to be confirmed by Bank of Canada) | Mid-2027 (contingent on RTR) |
| Type of access | Read-only | Read + write |
| What it enables | Sharing account data (deposit, investment, credit, payments) with accredited providers. Scoring, onboarding, PFM, financial analysis. | Initiating payments, opening accounts, managing subscriptions and direct debits, switching institutions. Embedded payments, open finance, integrated finance. |
| Dependencies | Completion of API technical standards, accreditation criteria and security protocols by the Bank of Canada. | Launch and widespread adoption of the Real-Time Rail (RTR), planned for Q3 2026. |
| Regulator | Bank of Canada | Bank of Canada (+ coordination with FINTRAC for payment flows) |
The Supervising Regulator: The Bank of Canada
One of the most significant changes in Budget 2025 was the transfer of framework oversight. Responsibility shifted from the Financial Consumer Agency of Canada (FCAC) to the Bank of Canada, which already supervised registered payment service providers under the Retail Payment Activities Act (RPAA). As of March 2026, approximately 1,500 payment companies operate under that supervision.
The logic of consolidation is clear: the Bank of Canada simultaneously manages payment supervision and the new open banking framework, creating a cleaner governance line and reducing regulatory duplication for companies that need to be accredited in both environments. The expectation is that fintechs and financial institutions will be able to go through a single national review process to access both the Open Banking and real-time payments environments.
The Bank of Canada will receive up to C$19.3 million over two years to fund implementation. However, at the Open Banking Expo held in Toronto in March 2026, the Bank of Canada’s head of payments publicly indicated that it would be premature and imprudent to commit to a specific date until the scope of work is fully defined. A significant portion of the technical standards, accreditation criteria and security protocols remains under development.
As McCarthy Tétrault analysts note, the framework has moved from legislative aspiration to legal reality, but the distance between the statute and live operation will depend on the pace of regulatory implementation in the coming months.
The Real-Time Rail: Infrastructure That Delivers the Promise
Full Open Banking is not possible without the Real-Time Rail. The RTR is Canada’s new instant payment infrastructure: 24/7 transfers, settlement in seconds, structured messages under the ISO 20022 standard that add rich data to each transaction. It is not an improvement of the existing Interac e-Transfer system; it is new infrastructure, designed from scratch to support the financial services layer that will be built on top of it.
Payments Canada began industry testing in early 2026, after completing system-level testing in Q3 2025. The official target is a Q3 2026 launch, although some industry analysts point to late 2026 or early 2027 as a more realistic date. Any delay in the RTR directly impacts Phase 2 of Open Banking, as write access is explicitly conditional on the RTR being operational and in widespread use.
The adoption of the ISO 20022 standard also has broader consequences. Enriched payment messages allow for much greater traceability of each transaction: purpose, parties involved, structured references. For institutions required to comply with FINTRAC, this opens up possibilities for more precise transactional monitoring, with less reliance on static thresholds and greater capacity to detect behavioural anomalies in real time.
The Regulatory Ecosystem Framing All of This
Open Banking does not arrive in a vacuum. It unfolds within a Canadian regulatory ecosystem that in 2025-2026 has undergone a parallel transformation equally significant.
FINTRAC and the effectiveness standard. The PCMLTFA amendments in force since April 2025 changed the supervisory criterion: compliance programmes must now be reasonably designed, risk-based and effective. FINTRAC no longer accepts that policies exist only on paper. It wants evidence that controls actually work, that risk assessments evolve with emerging threats, and that suspicious transaction reports reflect genuine analytical investigation.
Bill C-2 and the magnitude of sanctions. The Safe Borders Act dramatically escalated FINTRAC’s sanctioning authority. A single very serious violation can carry a fine of up to C$20 million, and cumulative penalties for multiple violations are capped at the greater of two amounts: C$20 million or 3% of global gross revenues. When penalties reach that magnitude, compliance ceases to be a general expense and becomes a balance-sheet risk variable.
The FATF Mutual Evaluation 2025-2026. Canada is being evaluated during this period by the Financial Action Task Force. The 2016 evaluation identified weaknesses in beneficial ownership transparency, prosecution of money laundering beyond drug trafficking and fraud, and sanctions enforcement. The reforms introduced since then — Federal Beneficial Ownership Registry, expanded reporting obligations, information-sharing provisions activated on 4 March 2025 — are now being assessed.
Photo identification as the new baseline. Since 15 December 2025, a government-issued photo identity document is mandatory for opening accounts, updating profiles and conducting high-risk transactions. This is a regulatory floor, not a ceiling: regulators expect identity controls to go beyond documentary validation, especially as deepfakes and synthetic identities become increasingly sophisticated attack vectors.
Biometric data privacy. In August 2025, the Privacy Commissioner of Canada issued guidance that explicitly classified biometric data — face, fingerprints, iris scans, writing patterns — as highly sensitive under PIPEDA. Companies collecting it must obtain explicit consent, limit use to the specific authorised purpose, minimise retention and document audits.
The Use Cases That Matter
Open Banking is not just regulatory infrastructure. It is a business lever. Institutions that treat it exclusively as a compliance obligation will be creating the competitive advantage of their rivals.
More accurate and inclusive credit. Traditional scoring models rely excessively on formal credit history, which excludes or penalises significant segments: self-employed workers, new residents, SMEs without sufficient collateral. With access to real transactional data shared via API — recurring income, spending patterns, financial behaviour over time — models can become dynamic and contextual, not merely historical.
Complete digital onboarding and identity verification. Open Banking opens up the possibility of fully remote onboarding processes with real-time income validation, without manual documentation and without waiting times. But in the current Canadian regulatory context — with FINTRAC requiring robust KYC controls, mandatory photo identification since December 2025 and growing threats from synthetic identities and deepfakes — this onboarding is only viable with a solid layer of digital identity verification.
Embedded payments and integrated finance. In Phase 2, when write access is possible, merchants will be able to reduce processing costs by eliminating card intermediaries. Developers will be able to build complete financial flows — account opening, fund loading, bill payment, product management — within the tools their users already use, without leaving the application.
Portability and genuine competition. The ability to switch financial institution with history, active products and direct debits included structurally changes the competitive dynamics of the market. The inertia that currently protects large banks — the friction of switching — will be significantly reduced.
New models for SMEs. Canadian small and medium-sized enterprises have limited access to financing on competitive terms, partly because their financial data is scattered across multiple systems. Open Banking, combined with the future opening towards non-banking data that several analysts already call open finance, could radically change that balance.
The Hard Part: Real Risks and Uncertainties
Any honest analysis of Canadian Open Banking must include what is still unresolved.
Bill C-15 has been law since 26 March 2026, but the API technical standards, accreditation criteria, consent protocols and security requirements for the operational framework are not finalised. The Bank of Canada has not committed to a launch date for Phase 1. The RTR could be delayed, which would push Phase 2 along with it.
This is not a reason to wait. It is a reason to plan in scenarios. Companies that build their connectivity, consent and identity infrastructure now — before definitive standards are published — will have two advantages: the learning curve will have been traversed by the time mandatory compliance arrives; and they will have redesigned their internal processes with margin, rather than doing so under time pressure.
The risk of provincial fragmentation also deserves attention. Securities regulation remains decentralised in Canada; provincial commissions coordinate but do not unify. In Quebec, for example, MSBs require a provincial licence from Revenu Quebec in addition to FINTRAC registration. As Open Banking expands into investment, insurance or pension products, the absence of an integrated federal open finance framework could create asymmetry between what consumers expect and what the system can offer.
Digital Identity: The Component That Cannot Be Secondary
One clear lesson from Open Banking implementations in other markets is that the technical and legal framework is not sufficient on its own. The ecosystem fails if the trust layer — the verification that whoever consents is who they say they are, and that consent is valid, documented and revocable — is not built with the same rigour as the data APIs.
In the Canadian context, this has direct and urgent implications. FINTRAC requires KYC controls from the first point of contact. The OPC’s guidance on biometrics establishes strict consent and data minimisation requirements. Photo identification has been mandatory since December 2025. And the threat vector is escalating: Canadians lost C$643 million to fraud in 2024 — almost 300% more than in 2020 — and only between 5% and 10% of scams are reported.
Biometric verification operating within the parameters of PIPEDA — explicit consent, purpose limitation, data minimisation, documented audits — is not one option among many for institutions wishing to operate in Canada’s Open Banking ecosystem. It is the trust architecture upon which everything else is built.
Canada Arrives Late, But Can Arrive Better
The Canadian delay has a positive angle worth acknowledging. In the United Kingdom, the Open Banking framework reports more than 13 million active users and tens of millions of monthly payments, but adoption was slower than expected in its early years, partly due to fragmented technical standards and an inconsistent user experience across institutions. In Australia, the Consumer Data Right was extended to energy and telecommunications, but adoption in the banking segment was initially disappointing.
Canada can learn from those mistakes. It can enter with more mature standards, a clearer consumer benefit narrative and an architecture that coherently connects open banking, real-time payments and data protection. The Bank of Canada, as the unified regulator of the framework, has the authority to impose that coherence if it exercises it well.
What is at stake is also strategic in a broader sense. Canadian financial institutions compete in a market with consolidated large banks that have historically slowed innovation by leveraging their data position. Open Banking redistributes that asset. Entities that arrive prepared — with robust APIs, clear consent processes, verified identity and integrated compliance from day one — will not just comply: they will set the standard that others will have to reach.
The Time to Prepare Is Now
The Canadian financial revolution does not begin when the Bank of Canada flips the switch. Companies that wait for the official date to start preparing will arrive with improvised infrastructure, reactive compliance and without the time needed to iterate.
What is available today — API architecture, consent frameworks, PIPEDA-compliant identity verification solutions, real-time transactional monitoring capabilities — are exactly the capabilities that Canada’s Open Banking ecosystem will require. Institutions that build them now are not anticipating the regulator: they are building the operational foundation upon which their business model will rest in 2027 and beyond.
Is your organisation evaluating how to prepare its identity and compliance infrastructure for the Canadian Open Banking ecosystem? Discover our compliance and digital identity solutions for the Canadian market.
Frequently Asked Questions About Open Banking in Canada
It is Canada’s official open banking framework, regulated by the Consumer-Driven Banking Act (CDBA). It allows consumers and SMEs to authorise secure access to their financial data by accredited third parties, through APIs, without sharing banking passwords or credentials.
Bill C-15 received Royal Assent on 26 March 2026, turning the framework into law. Phase 1 (read access) is planned for 2026, although the Bank of Canada has not yet confirmed an exact operational date. Phase 2 (write access and payments) is targeted for mid-2027.
It is Canada’s new instant payment infrastructure, managed by Payments Canada. It enables 24/7 transfers with settlement in seconds under the ISO 20022 standard. Its launch is planned for Q3 2026 and is a necessary condition for Phase 2 of Open Banking.
The Bank of Canada is the primary regulator of the Consumer-Driven Banking framework, as established by Budget 2025. It replaces the FCAC and also concentrates supervision of payment providers under the RPAA. For AML/CFT aspects, FINTRAC retains its supervisory role.
Phase 1 enables read-only access: sharing financial data with accredited providers. Phase 2 adds write access: initiating payments, opening accounts and managing products from third-party applications. Phase 2 depends on the launch of the RTR.
Bill C-15 completed the CDBA, establishing rules on accreditation, security, consent, liability and consumer protection. It expressly prohibited screen scraping as a legal offence, transferred supervision to the Bank of Canada and laid the groundwork for Phase 2 with the concept of write access.
Bill C-2 (the Safe Borders Act) dramatically elevated FINTRAC’s sanctioning power. A single very serious violation can carry a fine of up to C$20 million. Cumulative penalties for multiple violations are capped at the greater of C$20 million or 3% of the entity’s global gross revenues.
Since 15 December 2025, the PCMLTFA requires a government-issued photo identity document to open accounts, update profiles and conduct high-risk transactions. The objective is to strengthen KYC controls in the face of increasing fraud involving deepfakes and synthetic identities, in line with FATF recommendations for the 2025-2026 mutual evaluation.