On April 30, the federal government (the government) introduced the Budget Implementation Act, 2024, No. 1 (the Bill), as an initial step toward launching Canada’s consumer-driven banking framework (the Framework) by introducing new draft legislation—the draft Consumer-Driven Banking Act (CDBA)—and draft amendments to the Financial Consumer Agency of Canada Act (FCAC Act).
What you need to know
- The draft provisions set out in the Bill address the elements of governance, scope and process, but the Bill does not introduce comprehensive consumer-driven banking legislation. Other key aspects of the Framework, such as liability and privacy, are expected to be revealed in the Budget Implementation Act No. 2 (BIA No. 2) to be tabled in the fall.
- The draft provisions of the CDBA confirm application of the Framework to data sharing of consumers, including small businesses, and also confirm read-only functionality.
- The FCAC will maintain a public registry of participating entities.
- The Senior Deputy Commissioner of the FCAC will be responsible for the supervision and enforcement of the Framework.
Join us for our webinar, “Launch of open banking” on Tuesday, May 14 for live analysis from our financial services team. Visit the event page to register.
The Consumer-Driven Banking Act (CDBA)
The CDBA provisions introduced in the Bill reflect the government’s approach to implementing the Framework, as described in the 2024 Budget and summarized in our previous bulletin.
For example, the CDBA confirms that:
- the Framework will enable consumers—including small businesses—to direct their data relating to prescribed financial products and services to be shared with participating entities of their choice and ensure that the sharing of data among participating entities is safe and secure;
- the Framework will apply to data that relates to deposit accounts, registered and non-registered investment accounts, payment products, lending products and other products or services that may be provided for in the regulations;
- the Framework will not apply to “derived data”, which refers to data about a consumer, product or service that has been enhanced by a participating entity to significantly increase its usefulness or commercial value;
- data that is shared between participating entities will be shared in a manner that does not enable the participating entity who receives the data to edit the data on servers of the participating entity who provides the data;
- the FCAC will maintain a public registry of participating entities; and
- the existing Bank Act provision that prohibits banks from sharing customer information with insurance companies, agents or brokers for the business of insurance will not be impacted by the CDBA’s provisions.
As a significant amount of detail about the proposed Framework was already described in Budget 2024, the proposed draft of the CDBA provides little in terms of new information, and also lacks key details.
For example:
- Definition of small business. The draft provisions do not address what kind of business would qualify as a “small business” for the purposes of participating in the Framework, and it is unclear whether this will be clarified in the BIA No. 2 or in forthcoming regulations. This clarification is fundamental; for example, the further-progressed European experience with open banking has demonstrated the significant advantages of data sharing for businesses.
- Clarity on enhancements to data. A likely key point of contention among participating entities will be the question of what kind of enhancements would significantly increase the usefulness or commercial value of the data. The draft CDBA does not provide any regulation-making authority or provide details as to how to interpret the meaning of “derived data”. As such, we are left to wonder whether the FCAC will set out through guidance what constitutes the types of enhancements that increase usefulness or commercial value.
Provisions worth noting include the following:
- Technical standards. Pursuant to the draft CDBA, the Minister will designate a body to be the technical standards body that is responsible for establishing the technical standards for the sharing of data by participating entities. As technical standards will become the gateway to access the Framework, the determination as to who will be designated as the body will be critical. Interestingly, while the draft CDBA will require the technical standards body to annually report to the Senior Deputy Commissioner and also notify the Senior Deputy Commissioner of any change that has a significant impact on the body or the technical standards as soon as feasible (but not later than the 7th day after the day on which the change takes effect), the Senior Deputy Commissioner does not appear to have any authority to prevent such a change from taking place if it opposed (although the Senior Deputy Commissioner does have the authority to request that the Minister revoke the designation).
- Enforcement. To prevent individuals or entities from falsely representing themselves as “participating entities”, the draft CDBA provides that such an individual or entity is guilty of an offence and liable (i) on conviction on indictment, up to a maximum fine of $1M (in the case of an individual) or $5M (in the case of an entity), or (ii) on summary conviction, up to a maximum fine of $100K (in the case of an individual) or $500K (in the case of an entity). The draft CDBA also provides that if an individual or entity is convicted of an offence under the CDBA, the Court could potentially impose an even higher fine if the convicted individual or entity (or family members) monetarily benefited (equal to three times the court’s estimation of the amount of those monetary benefits).
Notwithstanding the fact that critical aspects of the Framework still need to be revealed, the Bill’s proposed amendments to the FCAC Act (discussed in the next section below) do address the government’s intention with respect to the governance of the Framework.
Amendments to the Financial Consumer Agency of Canada Act (FCAC Act)
The proposed amendments to the FCAC Act establish an independent “parallel” consumer-driven banking regulator within the FCAC structure, while still incorporating many of the elements of the FCAC’s administration within this new regulator.
Establishing a parallel consumer-driven banking regulator
Recognizing potential jurisdictional issues with the provinces, which also have consumer protection authority, Budget 2024 revealed that the FCAC Commissioner would not be responsible for the direct oversight of the Framework; instead, a new Senior Deputy Commissioner role will be established. The proposed amendments to the FCAC Act set out in the Bill seek to achieve this objective by granting the Senior Deputy Commissioner the same oversight powers and authority with respect to consumer-driven banking activity that the Commissioner holds vis-à-vis the consumer protection obligations of federally-regulated financial institutions.
For example, the proposed amendments to the FCAC Act provide that:
- The Senior Deputy Commissioner will be responsible for the supervision of consumer-driven banking and will exercise the powers, and must perform the duties and functions, that relate to consumer-driven banking. This would include the new FCAC objects, which include the supervision of participating entities, the external complaints body and the technical standards body. The Bill is silent as to which body will be responsible for complaints respecting participating entities—will it be the Ombudsman for Banking Services and Investments (OBSI), the existing complaint body supervised by the FCAC, or another body?
- The Senior Deputy Commissioner can appoint any FCAC employees (other than another Deputy Commissioner) to exercise any of the powers and perform any of the duties and functions of the Senior Deputy Commissioner, if such an appointment is appropriate. The exclusion of Deputy Commissioners reveals that the Deputy Commissioner responsible for the supervision and enforcement of the Bank Act consumer protection provisions would not be allowed to act in place of the Senior Deputy Commissioner.
- The Senior Deputy Commissioner, rather than the Commissioner, will issue the notices of violation for violations of the CDBA.
Notwithstanding the above provisions that support the government’s intention to separate the functions of the Senior Deputy Commissioner responsible for consumer-driven banking from the Commissioner’s obligations vis-à-vis the consumer protection provisions of federal financial institution legislation, that distinction is clouded by the fact that the Commissioner will, with the Minister’s concurrence, appoint the Senior Deputy Commissioner and the Senior Deputy Commissioner is “to act under the instructions of the Commissioner”. It could become challenging for the Senior Deputy Commissioner to be completely independent if they are to act under the instructions of the FCAC, and report to the Commissioner.
Also of note is that it will be the Commissioner (on the advice of the Senior Deputy Commissioner) that may establish “advisory and other committees to advise or assist the Senior Deputy Commissioner on matters relating to consumer-driven banking and provide for their membership, duties, functions and operation”. There appears to be a dichotomy since the appointment of committee members will not ultimately be decided by the individual responsible for the Framework, but rather by the Commissioner which does not (or does not appear to) have any role with respect to the oversight of the Framework.
Integration of the new consumer-driven banking regulatory function into the FCAC supervision and enforcement framework
Although the Bill’s intent is to establish a “new regulator” for consumer-driven banking, the proposed amendments with respect to enforcement of the CDBA are very much aligned with the existing enforcement and proceeding provisions of the FCAC Act. For example, participating entities will be subject to the same administrative penalties and the same proceedings (representations, publication of decision or notice of violation, right of appeal) as financial institutions currently subject to the FCAC Act.
It will be interesting to see how the FCAC will operationally integrate two identical enforcement processes where the ultimate decision makers—the Senior Deputy Commissioner for consumer-driven banking and the Commissioner for the consumer provisions of federal financial institution legislation—are different. An aligned legislative framework makes sense, but to what extent should the FCAC supervision framework or FCAC administrative monetary penalty framework that currently applies to federal financial institutions also be replicated for participating entities subject to the CDBA?
Next steps
The Bill must still pass through the legislative process before it becomes law, and although it is rare that provisions set out in budget implementation bills are amended, the CDBA provisions introducing the Framework could still potentially change.
We expect that the most critical and challenging issues relating to consumer-driven banking will be dealt with in BIA No. 2, which is expected to be tabled this fall. Although many open questions remain with respect to consumer-driven banking, it is promising that these initial draft provisions have been released, signalling a fully developed legislative framework to come in the (hopefully) not-too-distant future.