On June 9, FirstOntario Credit Union went live on open banking, becoming one of the first credit unions in Canada to activate consent-based financial data sharing under the Consumer-Driven Banking Act. The announcement is significant for one specific reason: this is a Canadian lender that selected its partners 18 months before the rule required it and was production-ready on the day the framework came into force. Most institutions are still drafting strategy decks. FirstOntario's members are already using the capability.
The launch is also a real-world demonstration of how the next decade of Canadian lending infrastructure is being assembled: not by ripping out core systems, but by layering modern, API-first capability on top of what already runs. That distinction is the whole story.
The Build: Plug In, Don't Rip Out
FirstOntario's open banking layer runs on Flinks Outbound, Flinks' consent-based data-sharing infrastructure, delivered through Everlink's Digital Solutions platform. The credit union did not rebuild its core; it added a compliant, production-ready connection on top of the systems that already serve its 132,000 members and $8.2 billion in assets. Flinks Outbound now has more than 300 fintechs connected to it, meaning FirstOntario's members gain access to a pre-built ecosystem of third-party applications the moment they grant consent.
This matters because the alternative path, replacing core lending and banking systems to "be ready" for open banking, is the exact failure mode that has slowed Canadian financial innovation for a decade. A 12-month IT project to chase a regulatory framework that is itself still being finalized is how institutions miss the window. The institutions that move quickly are those treating open banking as an extension of existing infrastructure, not as a reason to start over.
Lloyd Smith, FirstOntario's CEO, was direct in the announcement: enhancing digital capability is a strategic priority, and the credit union opted to be an early adopter rather than wait for the mandate. That posture, build now, on top of what works, is the playbook for every Canadian lender watching the same regulatory clock.
The Regulatory Clock Is Already Running
Bill C-15 received Royal Assent in March 2026, formally enacting the Consumer-Driven Banking Act. Per analysis from Steven Boms at the Investing News Network, technical standards are expected in the coming months, with the Bank of Canada now responsible for both stablecoin oversight and open banking technical standards. The phasing is well understood: Phase 1 delivers read access, and Phase 2, which adds write access, including payment initiation and account switching, is tied to Real-Time Rail going live later this year.
The accreditation framework is the next pressure point. On June 8, FDATA submitted a Sponsored Fintech Model proposal to the Department of Finance and the Bank of Canada, warning that without a tiered participation model, the compliance burden will concentrate participation among large incumbents and undermine the competition the framework was designed to create. Whether the SFM is adopted or not, the underlying point holds: the structure of who can plug into open banking will shape the consumer experience for the next decade.
Compounding the timeline, OSFI's September 1, 2026, deadline for full compliance with Guideline E-21 on operational resilience is now 90 days away, per the 2026 OSFI compliance guide. E-21 sits atop Guideline B-10 on third-party risk; an institution cannot demonstrate resilience under E-21 if its B-10 foundations are not operational. Every open banking partnership is now a third-party relationship to inventory, tier, and monitor under that framework. The institutions that started early are not just ahead in capability; they are ahead in the documentation that regulators will be asking for.
What This Means for Underwriting
The strategic point lenders should hold is that open banking, by itself, is not a competitive advantage. Consent-based data sharing is now infrastructure; it will be present at every Canadian lender by the end of next year. The advantage lies in what runs on top.
When a borrower grants consent, and lender systems can pull income, asset, and liability data through an API, the underwriting question changes. Document collection compresses. Verification, which today consumes the bulk of underwriter time on a typical file, becomes a structured data check rather than a paper chase. What remains is the part that has always mattered: applying the lender's own credit box to the file in front of them and producing a defensible decision a human can review.
That last point separates the lenders who win the next decade from the ones who automate themselves into a generic credit decision. The model is not the moat. Foundation-model reading and reasoning capability is becoming a commodity capability available to everyone; what makes an underwriting decision good is whether it correctly applies this lender's credit policy to this file, with a reasoning trail that an underwriter can check. FundMore is policy-trained per lender, trained on each lender's guidelines rather than generic defaults, and the specialized signal, the lender's own policy, and the lender's own underwriters' corrections stay with that lender. Open banking gives lenders cleaner inputs; policy-trained AI is what turns those inputs into a decision worth defending.
And critically, FundMore deploys as an agent within a lender's existing LOS. There is no rip-and-replace, no 12-month IT project, no asking a credit union or a bank to bet its core on a vendor that also originates and brokers loans. FundMore never originates, funds, or brokers; it is pure infrastructure that extends current systems. That posture is what makes the FirstOntario approach replicable: a lender can plug FundMore into its existing stack and start compounding the underwriting advantage that open banking enables.
Strategic Takeaway
Open banking moved from law to production this week. The credit unions and lenders who treated the past eighteen months as a building window now have live, member-facing capability under the new regime; the institutions still waiting for the rule to fully clarify will spend 2026 catching up to where FirstOntario already is.
The question worth bringing to your next executive meeting is not whether to participate in consumer-driven banking. The Act answers that. The question is whether your underwriting and lending infrastructure is positioned to convert the cleaner data inputs open banking creates into faster, more defensible credit decisions, without rebuilding the systems your operation already depends on. The lenders who answer that question correctly will set the terms for the next decade. The ones who do not will spend it explaining why they did not.
Frequently Asked Questions
Q: What did FirstOntario Credit Union actually launch on June 9, and why does it matter?
A: FirstOntario went live on open banking, activating consent-based financial data sharing under Canada's Consumer-Driven Banking Act, per the announcement with FIS Everlink and Flinks. It matters because FirstOntario was production-ready on the day the framework came into force; most Canadian institutions are still in the committee stage. With $8.2 billion in assets and 132,000 members, FirstOntario is large enough that this is a real-world test of the new framework, not a pilot.
Q: How does open banking change mortgage underwriting in Canada?
A: Consent-based data sharing replaces document chasing for the inputs underwriters care about most: income, assets, and liabilities. Verification becomes a structured data check through APIs rather than a paper trail collected over days. The bottleneck moves from data collection to decisioning, which means lenders running modern, automated underwriting capture the time savings, and lenders running manual review queues do not.
Q: How does FundMore help lenders capitalize on open banking?
A: FundMore deploys as agents over a lender's existing LOS, no rip-and-replace, working as an extension of current systems. As open banking data flows in, FundMore AI applies the lender's own credit policy to the file with a transparent reasoning trail that an underwriter can review. The platform is policy-trained per lender, not on generic defaults, so the specialized signal stays with each lender and improves with each underwriter correction.
Q: What is the Sponsored Fintech Model FDATA proposed, and why should banks pay attention?
A: FDATA's proposal to the Department of Finance and Bank of Canada would let accredited aggregators sponsor smaller fintechs into the open banking framework, providing the API infrastructure and compliance oversight directly. The Sponsored Fintech Model is rooted in the existing CDBA legislative framework and draws on precedents from the UK, Australia, and the US. If adopted, it would shape which fintechs end up plugged into the open banking ecosystem, which directly affects which third-party customers choose to share data with.
Q: What OSFI deadlines compound this timeline?
A: OSFI Guideline E-21 on operational risk management and resilience requires full adherence by September 1, 2026, per the 2026 OSFI compliance guide. E-21 builds on Guideline B-10 on third-party risk management. Every open banking partner becomes a third-party relationship that has to be inventoried, tiered, and monitored under both guidelines. The institutions that started building their B-10 foundations early are now positioned to absorb open banking partnerships without scrambling.
Q: What should a CIO or CTO prioritize in the next ninety days?
A: Three things. First, audit the underwriting and lending stack for API-first compatibility, so open banking inputs can flow into decisioning without manual translation. Second, evaluate whether the path to modernization requires replacing the core or extending it; the FirstOntario model proves extension is viable and faster. Third, ensure the AI or automation layer applied on top is policy-trained on the institution's own guidelines, not generic defaults, so the decisions produced are defensible to both internal credit committees and OSFI under the upcoming E-23 model risk framework.