Blog | AI & Lending

The Canadian Open-Banking Rulebook Is in the Gazette. The Data Just Became a Utility. The Decision Is the Differentiator.

Written by Fundmore.ai | Jul 8, 2026 7:03:33 PM

Finance Canada pre-published the proposed Consumer-Driven Banking Regulations in the Canada Gazette, opening a 60-day public comment period that closes August 26. The Regulations operationalize the Consumer-Driven Banking Act, which received Royal Assent in March, and represent the first concrete operational rulebook under the framework Canadians have been waiting for since 2019. The same day, proposed amendments to the Financial Consumer Protection Framework Regulations were pre-published for a 30-day comment period, operationalizing the Bank Act anti-fraud amendments from Bill C-15.

Three quick numbers anchor the strategic case. The Regulatory Impact Analysis estimates $457.7 million in total present-value costs over 10 years, $13.2 billion in monetized benefits over the same window, and a roughly 29-to-1 benefit-to-cost ratio. The underlying assumption is that more competition, better consumer choice, and the elimination of insecure screen scraping unlock value at a scale that the modest regulatory build can readily absorb. For Canadian financial institution executives, the question shifts from whether the framework is worth participating in to how to capture the share of the benefits side of that ratio.

 

 

What the Rulebook Says, in Operational Terms

The Regulations define in-scope data across four product categories: deposit accounts (chequing and savings), payment products, investment accounts (registered and non-registered), and lending accounts (secured and unsecured). For each category, the data to be shared includes consumer profile data, account data (including balance and transaction data), and product data. Participating entities are required to share consumer-authorized data once consent has been obtained, and they cannot charge consumers for the data, consent, renewal of consent, or withdrawal of consent. Authentication of the consumer is the data provider's responsibility; the data requester is responsible for capturing the consent.

The most interesting line in the Regulations sits in the definitional section. Derived data, defined as information about a consumer, product, or service that has been significantly enhanced by a participating entity to increase its usefulness or commercial value, is excluded from the sharing obligation. The plain reading: raw transaction data, raw balance data, and raw product data are utility flows. Data that an institution has materially enhanced through its own analytics, modeling, or decisioning logic remains proprietary. That single carve-out reshapes the strategic geometry of CDBA participation.

Two more operational notes that will matter to CIOs and CTOs. The Regulations require accreditation as a participating entity, with the Bank of Canada as the supervisory authority; the framework was designed to extend beyond major banks to PSPs, credit unions, and other regulated entities, meaning the accredited population at year three will be materially larger than the current banking-license universe. And the coming into force is staggered, beginning with accreditation requirements after final publication, followed by common rules and assessment fees within 12 months. Institutions that wait for the rules to be final before starting the build will miss the first competitive cycle.

 

Why the Anti-Fraud Regulations Belong in the Same Conversation

The Anti-Fraud Regulations, pre-published the same day, require banks to obtain express consent before enabling electronic funds transfer capabilities, including wire transfers, global money transfers, and Interac e-Transfers. Consumers can disable these capabilities. Banks must disclose the existence of these options at account opening, process transaction-limit changes within prescribed timelines, and capture defined fraud information for reporting to the FCAC. They are exempt from the express-consent requirement only for transfers between same-owner accounts at the same institution, ATM withdrawals, payment card transactions, pre-authorized debits, and direct bill payments. Capabilities already enabled upon coming into force do not require fresh consent.

Read the two sets of regulations together. CDBA institutionalizes consent for data sharing; the Anti-Fraud Regulations institutionalize consent for money movement. Both require institutions to operate a consent ledger that is current, queryable in production, and defensible under audit. Lenders that already treat consent and identity as production-grade signals will absorb both rules with minimal effort. Lenders that treat consent as a paper-form artifact tracked in scattered systems have a coordinated compliance build in front of them, and the cost of that build sits on top of the CDBA build, not separate from it.

 

What This Means for Underwriting

The decision layer is where CDBA pays back. Foundation models give every lender the same baseline ability to read inbound CDBA data; that reading capability is now a commodity. The specialized signal that turns a generic decision into a defensible one is the lender's own credit policy and the lender's own underwriters' corrections applied over thousands of files. FundMore AI is policy-trained per lender; the specializing signal stays with the lender, not the vendor, and it compounds with every decision the system processes. That is what converts inbound CDBA data into approved files at a pace that meaningfully closes the gap between application and decision.

The integration question matters too. CDBA is a data-flow change on top of existing systems, not a replacement for them. FundMore deploys as agents over a lender's existing LOS; no rip-and-replace, no 12-month IT project, no asking a bank or credit union to bet its core on a vendor that also originates, funds, or brokers loans. FundMore never originates, funds, or brokers, which means the institution's borrowers stay the institution's borrowers and the data the institution processes through FundMore is governed by the institution's policy. That posture is what makes CDBA executable in the current fiscal year rather than the next.

Privacy-safe synthetic twins matter once CDBA data is flowing at production volume. Lenders need to test underwriting models, fraud signals, and policy changes without exposing real consumer data to non-production environments. Digital twins derived from platform data, disclosed as model-derived rather than presented as real customer records, answer to PIPEDA, Quebec's Law 25, and OSFI B-10 third-party risk expectations simultaneously. The institutions that build that twinning capability before CDBA Phase 1 hits volume will move faster on model risk reviews; those that try to add it afterward will pay for the rework.

 

Strategic Takeaway

Finance Canada has now put a dollar figure on the prize and a calendar on the rules. The raw data is a utility. The decisioning, the policy-trained logic that turns shared data into better lending outcomes, is the differentiator. The institutions that file thoughtful comments in the next 60 days, build to the draft regulations rather than waiting for the final, and put a decisioning layer in front of CDBA pipes before Phase 1 volume arrives will own a disproportionate share of the $13.2 billion benefit case. Those who wait for the final rules will spend 2027 catching up to institutions that did not.

 

Frequently Asked Questions

Q: What exactly was pre-published in the Canada Gazette on June 26?

A: Two sets of regulations. The proposed Consumer-Driven Banking Regulations, for a 60-day comment period closing August 26, operationalize the Consumer-Driven Banking Act, with the Bank of Canada as supervisory authority. And the proposed amendments to the Financial Consumer Protection Framework Regulations, for a 30-day comment period closing July 26, operationalize the Bank Act anti-fraud amendments from Bill C-15, requiring express consent for EFT capabilities.

 

Q: What data is in scope under the proposed Regulations?

A: Four product categories: deposit accounts (chequing and savings), payment products, investment accounts (registered and non-registered), and lending accounts (secured and unsecured). For each, the in-scope data includes consumer profile data, account data including balance and transaction data, and product data. Derived data, defined as information significantly enhanced by a participating entity to increase its usefulness or commercial value, is excluded from the sharing obligation.

 

Q: What is the cost-benefit case Finance Canada has put on the table?

A: Per the Regulatory Impact Analysis published with the Gazette pre-publication, total estimated costs are $457.7 million in present value over a 10-year period, against estimated monetized benefits of $13.2 billion in present value over the same window. The implied benefit-to-cost ratio is roughly 29 to 1, premised on competitive gains, better consumer outcomes, and the elimination of insecure screen-scraping practices.

 

Q: How do CDBA and OSFI's Streamlined Framework interact strategically?

A: They run on overlapping calendars and reinforce each other. The Streamlined Framework officially launched June 25 for credit unions and fintech innovators seeking federal-charter status; the CDBA Regulations were pre-published the next day. New federal entrants will need both an OSFI licence and CDBA accreditation to operate competitively; incumbents need CDBA accreditation regardless of charter status. Expect fintechs already in OSFI Phase 2 to test both regimes in sequence over the next 12 months.

 

Q: What does this mean for the renewal-wave underwriting pressure?

A: Mortgage Professionals Canada reported on June 24 that one-third of mortgage holders renew within the next 12 months, with 67% anxious about higher rates and 50% saying they would struggle on a payment increase under 15%. CDBA inbound data, account balances, transaction patterns, lending product positions, materially improves a lender's ability to identify borderline renewal files, route them to retention or restructure pathways quickly, and document the policy logic. The combination of CDBA data and policy-trained decisioning is the operational answer to the renewal wave at the file level.

 

Q: How should a CIO or CTO actually use the next 60 days?

A: Three priorities. File a substantive comment on any provision that will materially affect cost or scope of compliance; the Regulations are still draft and Finance Canada is taking input from industry. Map the in-scope data inventory against existing systems and identify the consent capture and authentication gaps; the accreditation timeline will arrive faster than typical large-FI build cycles. And put a policy-trained decisioning layer in front of inbound CDBA data before Phase 1 read access goes live, so the first wave of shared files compounds an underwriting advantage instead of just adding pipeline volume.