Power to consumers, fuel for innovation. Are you ready for Canada’s open banking moment?

Consumer-Driven Banking (CDB), Canada’s national open banking framework, is expected to begin implementation in 2026. The framework enables Canadians to share their financial data more easily and securely, improving consumer outcomes while driving greater competition and innovation across the market.

Key takeaways

  • The simultaneous expansion of real-time payments, regulated third-party access, centralized supervision, and cross-sector data mobility will reshape how financial institutions create, defend, and deliver value.
  • Financial institutions must approach CDB compliance as a step‑change in execution, requiring multi-disciplinary coordination and new operational muscle rather than a narrow regulatory response.
  • Timelines are accelerating while open banking readiness remains uneven – creating a narrow window for financial institutions to build, test, and operationalize CDB capabilities.
  • Financial institutions must choose—and build for—their role in the ecosystem, balancing compliance as a trusted data access provider (“data out”), with the opportunity to become an orchestrator of consumer value (“data in”).  

Consumer-Driven Banking (CDB) is moving from consultation to execution in Canada, and the window to prepare is narrowing quickly. The federal government has indicated that read access (the first phase of CDB) is expected to begin in 2026, enabling accredited third parties to access consumer financial data through secure, standardized channels. Write access is expected to follow in a later phase, allowing third parties to initiate transactions with consumer consent once the required legislative, regulatory, and infrastructure elements are in place. The direction of travel is clear: read access is no longer a policy question—it is an execution challenge.

That shift matters because readiness across the ecosystem remains uneven. Financial institutions are being asked to prepare for a regulated, API-enabled data-sharing environment while important questions around operating standards, liability, dispute resolution, accreditation, consumer recourse, fraud controls, and supervisory expectations continue to mature. In practical terms, institutions need to advance internal CDB capabilities while the final details of the regime are still being clarified.

CDB: The basics

CDB, first presented by the government in 2018, was formalized as Canada’s national open banking framework with its inclusion in the 2025 Budget. To implement CDB, the federal government has committed to a phased rollout of its two core access types:

  • Phase 1 – Read access (expected to launch in 2026) will enable consumers to direct the secure sharing of their financial data with accredited financial institutions, payment service providers (PSPs), credit unions, and third-party service providers through standardized APIs.
  • Phase 2 – Write access (expected to follow as additional legislative, regulatory, and infrastructure elements are established) will enable consumers to direct the initiation of transactions via accredited third parties.

Together, these capabilities form the foundation of a more innovative, open, and regulated financial ecosystem in Canada, but the distinction between them is critical. Read access introduces privacy-respecting data sharing at scale, requiring financial institutions to manage consent, data quality, cybersecurity, and operational resilience in a secure, standardized, and observable way. Write access moves CDB into direct financial execution, where failed transactions, fraud, unauthorized activity, liability, and consumer redress carry immediate financial impact. For financial institutions, the architectural, control, monitoring, and consumer-experience decisions made during read access must be designed to anticipate write access; treating read as a narrow compliance build risks costly rework and risk exposure when payment initiation follows.

What consumers will expect

CDB will ultimately be judged by its ability to deliver meaningful and trusted outcomes for the financial lives of Canadians. Consumers will expect secure, intuitive, and transparent portable data rights – clearly showing who has access to their data, what it is being used for, how consent can be revoked, and where to turn if something goes wrong. They will also expect tangible benefits: faster onboarding, simpler account switching, more personalized insights, improved access to credit, easier account funding, and greater control over their financial information.

Such consumer expectations raise the bar for financial institutions, requiring more than just the technical compliance necessary to satisfy rules and regulations. Particularly in moments of vulnerability – such as fraud, failed data connections, disputed transactions, or confusion over third-party access – consumers are likely to look first to their primary bank, regardless of where accountability ultimately sits.

Execution reality: why readiness matters now

While the phased CDB rollout provides a roadmap, it should not create a false sense of time. Read access is approaching quickly, and many of the capabilities required to operate it safely – such as API resilience, consent management, incident response, dispute handling, liability processes, and consumer education – cannot be built at the last minute.

Execution is further complicated by the fact that several key elements of the regime are still maturing – including liability allocation, accreditation renewal, consumer recourse, dispute resolution, non-compliance, and implementation sequencing. This is not an argument for financial institutions to delay – rather, it reinforces the need for them to mobilize now while developing foundational pre-conditions in parallel, with enough flexibility to adapt as the regime matures.

CDB is just one of the changes coming to Canada’s financial ecosystem

The introduction of CDB comes as several other regulatory, infrastructure, and policy shifts converge, including the Retail Payments Activities Act (RPAA), introduction of the Real-Time Rail (RTR), amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA), the Stablecoin Act, and changes to regulatory supervision.

Together, these shifts signal a clear transition toward open finance in Canada. Financial institutions, businesses, and consumers should expect to operate in an environment where CDB read and write access is in place, sector‑wide data portability is established, stablecoins become a regulated payments instrument, Payment Service Providers (PSPs) are embedded into the payments landscape, and AI is increasingly integrated into financial decisioning.

A competitive and ecosystem reset

The more likely outcome is a gradual but meaningful shift in how consumer relationships are formed, maintained, and monetized. As data-sharing friction declines, fintechs, digital platforms, and other financial institutions will be able to embed financial services into high-frequency consumer journeys. That will make it easier for consumers to try new providers and harder for financial institutions to rely on inertia.

This does not mean financial institutions face an existential threat. It does mean that the basis of competition will change. Advantage will increasingly come from trust, speed, personalization, interoperability, and the ability to act on both internal and external data. Financial institutions that understand where and why their consumers are connecting data will be better positioned to defend primacy, identify attrition signals, and create propositions that respond to real consumer needs.

These converging changes could significantly impact how we view and engage the payments and banking ecosystems in Canada. For example, unlike prior regulatory initiatives, CDB externalizes core banking capabilities into a regulated ecosystem. Availability, misuse, fraud, and third‑party failures will increasingly be judged as failures of the primary bank, regardless of contractual liability allocation. Taking this into consideration, we anticipate that the ecosystem will undergo the following changes:

  • Higher trust concentration: Consumer value will concentrate at a small number of high-trust decision moments. Trust and control will matter more than data monetization.
  • Early read access value: Early CDB value will come from simple, high-frequency use cases, particularly the read access use of transactional data from consumer accounts (e.g., faster onboarding, more personalized insights, improved access to credit).
  • Escalating write access risk: Fraud risk, liability complexity, and loss severity will increase materially with write access, where exposure shifts from data misuse to direct financial impact. Architecture, controls, and consumer experience decisions made today will either enable or constrain safe payment initiation in future.
  • Concentrated reputational accountability: Reputational risk will concentrate with the primary bank. We expect consumers will rely on their primary bank for complaints and redress even when the root cause sits outside of the bank. The approach taken to these moments of vulnerability will serve to either strengthen or erode trusted consumer relationships.
  • Intensifying ecosystem competition: Competitive pressure will intensify outside of deposits, particularly in unsecured lending, payments, and consumer acquisition—driven not only by financial institutions, but also fintechs and digital platforms embedding financial services into consumer journeys.
  • Rising consumer acquisition costs: Costs will rise as switching friction drops and competition starts to revolve around experience and trust, not data access.

For financial institutions, this convergence elevates CDB from a compliance exercise to a structural shift in how financial data and services are delivered. The simultaneous expansion of real‑time payments, regulated third‑party access, centralized supervision, and cross‑sector data mobility will fundamentally reshape how value is created, defended, and delivered.

Financial institutions need to choose the role they want to play

For mandated banks, there is an immediate compliance imperative. They will need to meet “data out” obligations on compressed timelines while demonstrating infrastructure-grade resilience, security, and control expected of core banking systems. At the same time, the opportunity exists to build the capabilities needed to defend and grow consumer relationships—ensuring that CDB implementation does not set the blueprint for competitors, but reinforces their own competitive position.

For non-mandated financial institutions and other voluntary participants, CDB presents a different but equally important choice. They can wait until participation becomes a market expectation, or they can use the transition to create differentiated propositions, meet core CDB use cases (e.g., faster onboarding, simpler account switching), and participate earlier in emerging open finance ecosystems. In both cases, the question is no longer whether CDB will matter. The question is whether institutions will be ready to operate, compete, and protect Canadians in a more open financial system.  

Strategic choices for mandated banks

CDB will create different strategic choices for different institutions. Mandated banks have an immediate obligation to comply, but their strategic window is short if they define success only as enabling outbound data sharing. A “data out” mindset may satisfy the minimum requirement, but it risks positioning the bank as infrastructure for other participants’ consumer propositions. The more strategic question is how financial institutions will use CDB to bring “data in,” deepen insight, improve consumer experiences, and strengthen the primary relationship.

Broadly, mandated banks can choose between two roles:

Trusted data access providers (focus on “data out”): In this role, the priority is to deliver secure, resilient, compliant, and cost-effective access to data and services, which is obligatory and essential for mandated participants. It plays directly to financial institutions’ strengths in trust, risk management, operational resilience, privacy, and regulatory execution, but it is also a defensive posture. If pursued alone, it may protect the franchise but will not necessarily create differentiated consumer value.

Ecosystem and experience orchestrators (focus on “data in”): In this role, mandated banks can use CDB as a platform for new propositions—bringing external data into consumer journeys, decreasing onboarding time, enabling more personalized financial insights, and creating easier account funding and money movement experiences. This requires a more deliberate focus on inbound data, consumer consent, analytics, partnership models, and product innovation. It also requires banks to understand where consumers are sharing their data, which third-party relationships are gaining relevance, and how those relationships may affect loyalty, engagement, and primacy.

The strongest institutions will likely do both. They will build the infrastructure needed to provide secure data access, while also identifying the consumer journeys where CDB can create visible value for their organization. As systems are actively re-architected to meet compliance for data sharing, mandated banks have a window to deliberately design for both compliance and competitiveness—aligning systems and technologies to shift from data exporters to data importers, activators, and orchestrators of value. The opportunity is not to unlock commercial opportunities from data prematurely, but to use trust, intelligence, and ease of use to remain central to consumers’ financial lives.  

Implications for banking leadership 

CDB cannot be delivered as a side-of-desk compliance initiative. It requires a coordinated enterprise program spanning technology, risk, security, data, compliance, privacy, product, operations, and business lines. The institutions that move fastest will be those that treat it as a cross-enterprise execution priority with clear ownership, accountable decision-making, and a shared view of the consumer, risk, and technology implications. Financial institutions will help determine whether CDB strengthens confidence in a secure and optimized financial system—or whether inconsistent execution undermines trust at the moment the ecosystem becomes more connected.

Chief Product Officers and Business Line Leaders

CDB forces Business Line Leaders to make hard, visible bets, deciding where to lead with differentiated consumer value and where to standardize, while ensuring innovation is balanced with trust, consent clarity, and operational reality. Some key considerations for CPOs and Business Line Leaders:

  • Prioritize a focused set of high-impact consumer journeys and decision moments while explicitly deferring or commoditizing lower-value areas.
  • Leverage inbound CDB data to strengthen primary customer relationships and enhance personalization rather than relying on outbound data sharing. 
  • Align product innovation with consumer trust, clear consent, and operational readiness.
  • Drive differentiated consumer outcomes first, delaying monetization models or fee introduction until value is proven.
  • Proactively plan for evolving ecosystem roles and associated business model implications, including partnerships and revenue shifts.

Chief Information Officers (CIOs)

CDB transforms external connectivity into regulated banking infrastructure, expanding the bank’s technology perimeter under supervisory oversight. Key considerations for CIOs:

  • Build infrastructure-grade API capabilities with strong resilience, observability, and recovery aligned to regulatory expectations.
  • Enable real-time monitoring of third-party access and transaction activity across the ecosystem.
  • Rationalize and simplify architecture across consent, identity, and core integration layers.
  • Ensure technology platforms align with emerging Bank of Canada governance and oversight requirements.

Chief Risk Officers (CROs)

CDB expands financial institutions’ risk perimeter beyond the payments ecosystem’s established institutions. This requires CROs to manage risk across interconnected financial participants rather than one institution. Key considerations for CROs:

  • Expand risk frameworks to cover continuous monitoring of accredited ecosystem participants and third parties.
  • Establish clear multi-party accountability models with robust dispute resolution and incident management processes.
  • Enhance fraud and financial crime detection to identify anomalous activity originating from third-party channels.
  • Embed ecosystem-level risk considerations into enterprise risk governance and regulatory reporting structures.
  • Differentiate controls and risk appetite between read-only data access and write-enabled transaction risks.

Chief Information Security Officers (CISOs)

CDB expands the bank’s cyber-attack surface, requiring CISOs to secure a continuously connected financial ecosystem rather than a closed institutional environment. Key considerations for CISOs:

  • Strengthen API security architecture across authentication, authorization, and secure data exchange protocols.
  • Implement continuous monitoring of third-party connectivity to detect anomalies and misuse.
  • Evolve cyber resilience frameworks to address the expanded external attack surface of an interconnected ecosystem.
  • Extend cyber incident response capabilities to enable coordinated action across participating institutions.

Chief Data Officers (CDOs)

The introduction of CDB will determine whether a bank’s data capabilities enable it to remain the consumer’s primary bank, or whether competitors will commoditize this role within the broader consumer-driven ecosystem. Key considerations for CDOs:

  • Elevate data quality and standardization to ensure externally visible data is accurate, consistent, and protects the institution’s reputation.
  • Build platforms that support scalable, reliable, real-time data distribution to ecosystem participants.
  • Enhance capabilities to ingest, normalize, and operationalize external financial data for enhanced insights.

Chief Compliance Officers (CCOs) and Chief Privacy Officers (CPOs)

As CDB extends data sharing across an interconnected ecosystem, CCOs and CPOs must ensure that consent is operationally enforceable and revocable, that privacy outcomes are continuously demonstrated—and that accountability, escalation, and consumer redress remain clear and defensible even when issues span multiple parties. Key considerations for CCOs and CPOs:

  • Operationalize practices that make consent enforceable, traceable, auditable, and easily revocable in practice.
  • Embed capabilities to continuously demonstrate compliance and privacy outcomes across the ecosystem rather than relying on point-in-time validation.
  • Define clear accountability, escalation, and consumer redress mechanisms across multiple participating parties.
  • Identify and address gaps where technical compliance may fall short of consumer privacy expectations.
  • Deliver simple, transparent, and user-friendly consent experiences with plain-language controls and dashboards.

It’s time to take action

The path to CDB compliance is complex, and the window to prepare is narrowing. Financial institutions must act quickly and with confidence, taking a leadership role as trusted stewards of the financial ecosystem. As competition evolves and new ecosystem roles emerge, the choices financial institutions make now will shape not only their compliance posture on CDB, but also their long-term position in a more open and interconnected financial system.

In the short term, financial institutions should:

  • Approach compliance as the foundation for control and value creation—not as a regulatory obligation to meet at the lowest possible cost.
  • Strengthen consumer engagement and trust to reinforce consumers’ primary banking relationship.
  • Work with the Financial Consumer Agency of Canada and others to ensure consumers know their risks, rights, and options regarding CDB.
  • Identify the roles they intend to lead in a more open ecosystem (e.g., utility provider, orchestrator) and those they’re content to treat as table stakes.

As they prepare for the eventual introduction of CDB write access, financial institutions should:

  • Scale capabilities in a way that preserves resilience, control, and regulatory confidence.
  • Concentrate value creation efforts on areas where financial institutions enjoy structural advantages, such as risk, compliance, and resilience.
  • Participate in shaping CDB write access into a risk-based operational process rooted in safety and soundness considerations—ensuring consumers stay protected as the ecosystem innovates.

How Deloitte can help you get ready for CDB

Deloitte can help Canadian financial institutions ensure they, their ecosystem partners, and their consumers are CDB-ready. With professionals in Canada and around the globe, we bring you the skills, knowledge, and industry and CDB experience needed to adapt and flourish in this new environment. We’ll work with you to embed centralized consent, continuous third‑party monitoring, and enterprise governance and position your bank to scale safely, defend its primary relationships, and create value as CDB matures in Canada.

Consumer-Driven Banking is coming. Let’s talk.

To learn more about how CDB will impact your organization and how Deloitte can help you make sure you’re ready, contact one of the professionals listed below.  

Special thanks to key contributors

Stevan Djordjevic, Consultant, Technology & Transformation

Peiching Teo, Manager, Strategy, Risk & Transactions

Alex Whang, Senior Consultant, Technology & Transformation  
