Consumer-Driven Banking Act (S.C. 2026, c. 3, s. 224)
Act current to 2026-04-28
National Security (continued)
General (continued)
Marginal note:Advice and information to Minister
- The following provision is not in force.
75 (1) The Bank must, at least once every year, provide the Minister with advice and information on matters relating to national security and the integrity or security of the financial system in Canada, as those matters relate to the Minister’s exercise of powers or performance of duties and functions under this Act.
- The following provision is not in force.
Marginal note:Consultation — Superintendent of Financial Institutions
(2) The Bank must consult the Superintendent of Financial Institutions before providing the Minister with advice or information that relates to a federal financial institution.
Duties of Participating Entities
Data Sharing
Marginal note:Sharing as directed by consumer
- The following provision is not in force.
76 (1) Unless otherwise prohibited by law and subject to the regulations, a participating entity must share a consumer’s data with other participating entities as directed by the consumer.
- The following provision is not in force.
Marginal note:Technical standard
(2) A participating entity that shares a consumer’s data must do so in compliance with the technical standard referred to in subsection 125(1).
- The following provision is not in force.
Marginal note:No condition
(3) Subject to the regulations, a participating entity must not impose any conditions on another participating entity for the sharing of a consumer’s data in accordance with this Act.
- The following provision is not in force.
Marginal note:Notice to Bank
(4) Unless otherwise prohibited by law, a participating entity must notify the Bank, within the time and in the manner specified by the Bank, if the participating entity does not share a consumer’s data as required by subsection (1).
Marginal note:No charge for sharing
77 A participating entity must not impose a charge for sharing a consumer’s data in accordance with this Act, including for obtaining or renewing a consumer’s consent or for withdrawing that consent.
Marginal note:Credit or refund
- The following provision is not in force.
78 (1) If a participating entity imposes a charge on a consumer for sharing the consumer’s data in accordance with this Act, the participating entity must credit the amount of the charge to the consumer or, if the amount was collected, refund it.
- The following provision is not in force.
Marginal note:Interest
(2) The amount referred to in subsection (1) bears interest beginning on the day on which the charge is imposed, at a rate equal to the Bank’s overnight rate on that day, and ending on the day on which the amount is refunded or credited.
Security
Marginal note:Security safeguards
- The following provision is not in force.
79 (1) A participating entity must implement the security safeguards that are provided for in the regulations.
- The following provision is not in force.
Marginal note:Notice to Bank
(2) A participating entity must notify the Bank, as soon as feasible and in the manner specified by the Bank, of any change that has a significant impact on the participating entity’s compliance with the security safeguards.
Marginal note:Designated officer or employee
80 A participating entity must designate one of its officers or employees to be responsible for the security safeguards that it implements with respect to the sharing of consumer data in accordance with this Act.
Marginal note:Mitigating harm
81 A participating entity must establish policies and procedures to mitigate the harm to consumers that may result from a breach of the security safeguards that it implements with respect to the sharing of consumer data in accordance with this Act.
Marginal note:Report to Bank
- The following provision is not in force.
82 (1) A participating entity must report to the Bank any breach of the security safeguards that it implements with respect to the sharing of consumer data in accordance with this Act if the breach involves consumer data that is under the participating entity’s control.
- The following provision is not in force.
Marginal note:Report requirements
(2) The report must contain the information that is provided for in the regulations and must be made, in the form and manner specified by the Bank, immediately after the participating entity determines that a breach of the security safeguards has occurred.
- The following provision is not in force.
Marginal note:Notice to consumer
(3) Unless otherwise prohibited by law, a participating entity must notify a consumer of any breach of the security safeguards that involves the consumer’s data that is under its control if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the consumer.
- The following provision is not in force.
Marginal note:Contents of notice
(4) The notice must contain sufficient information to allow the consumer to understand the significance of the breach to them and to take steps, if any are possible, to reduce the risk of harm that could result from the breach or to mitigate that harm. The notice must contain any other information that is provided for in the regulations.
- The following provision is not in force.
Marginal note:Manner of notice
(5) The notice must be conspicuous and must be given to the consumer in the manner provided for in the regulations.
- The following provision is not in force.
Marginal note:Timing of notice
(6) The notice must be given as soon as feasible after the participating entity determines that the breach has occurred.
- The following provision is not in force.
Marginal note:Definition of significant harm
(7) For the purposes of this section, significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, of business or of professional opportunities, financial loss, identity theft, negative effects on the credit record and damage to or loss of property.
- The following provision is not in force.
Marginal note:Real risk of significant harm — factors
(8) The factors that are relevant to determining whether a breach of security safeguards creates a real risk of significant harm to a consumer include
- The following provision is not in force.
(a) the sensitivity of the consumer data involved;
- The following provision is not in force.
(b) the probability that the consumer data has been, is being or will be misused; and
- The following provision is not in force.
(c) any other factor provided for in the regulations.
Marginal note:Duty to investigate
83 A participating entity must investigate every breach of the security safeguards that it implements with respect to the sharing of consumer data in accordance with this Act, for the purposes of identifying any significant, recurring or systemic problems and remedying the problems identified. The participating entity must report the conclusions of every investigation to the Bank in accordance with the regulations.
Marginal note:Notice
84 If a participating entity identifies a significant, recurring or systemic problem that may have an impact on the consumer-driven banking system, the participating entity must, as soon as feasible, notify the Bank, which may then notify other participating entities.
Consent
Marginal note:Express consent required
- The following provision is not in force.
85 (1) A participating entity must obtain a consumer’s express consent before requesting that another participating entity provide it with the consumer’s data.
- The following provision is not in force.
Marginal note:Use not consent
(2) Use by the consumer of a product or service does not constitute express consent for the purposes of subsection (1).
- The following provision is not in force.
Marginal note:Oral consent — written confirmation
(3) If the express consent is given orally, the participating entity must immediately confirm the consumer’s express consent in writing.
- The following provision is not in force.
Marginal note:Information to consumer
(4) The participating entity must provide a consumer with the following information before obtaining the consumer’s express consent:
- The following provision is not in force.
(a) a description of the data in respect of which it is seeking the consumer’s express consent;
- The following provision is not in force.
(b) a description of how it will use the data;
- The following provision is not in force.
(c) the period during which the consumer’s consent will be valid, which must not exceed the period referred to in section 86; and
- The following provision is not in force.
(d) any other information that is provided for in the regulations.
- The following provision is not in force.
Marginal note:Clear, simple and not misleading
(5) Any communication from a participating entity seeking to obtain a consumer’s express consent to have the participating entity receive the consumer’s data, including for the purposes of providing information under subsection (4), must be made in a manner, and using language, that is clear, simple and not misleading.
- The following provision is not in force.
Marginal note:Consent — use of data
(6) Subject to the regulations, a participating entity must use the data of a consumer that it receives from another participating entity only for the uses described in the information that is provided to the consumer under paragraph (4)(b).
- The following provision is not in force.
Marginal note:Use of data — product or service
(7) A participating entity must not require a consumer to consent to the sharing of the consumer’s data beyond what is necessary for the participating entity to provide the consumer with a product or service.
- The following provision is not in force.
Marginal note:Record of consent
(8) A participating entity must keep a record of each express consent obtained.
- The following provision is not in force.
Marginal note:Clarification
(9) Nothing in this section renders ineffective any federal or provincial legislative or regulatory provision requiring a participating entity that provides data to obtain a consumer’s express consent.
Marginal note:Duration of consent
86 A consumer’s express consent may be valid for a period of not more than 12 months after the day on which a participating entity obtains it.
Marginal note:Renewal of consent
- The following provision is not in force.
87 (1) A participating entity must renew a consumer’s express consent within seven days after the day on which the period for which the consumer’s consent was last obtained or renewed ends or within seven days after the day on which the participating entity becomes aware of any circumstance provided for in the regulations.
- The following provision is not in force.
Marginal note:Requirements
(2) Subsections 85(2) to (9) apply to a renewal of express consent.
- The following provision is not in force.
Marginal note:Suspension of receipt of data
(3) A participating entity that is required to renew a consumer’s express consent under subsection (1) must immediately stop receiving the consumer’s data until it has renewed the consumer’s consent to do so.
- The following provision is not in force.
Marginal note:Notice to consumer
(4) If the participating entity fails to renew the consumer’s consent within the period referred to in subsection (1), it must, immediately after the end of the period,
- The following provision is not in force.
(a) inform the consumer of the consequences of not renewing their consent;
- The following provision is not in force.
(b) inform the consumer that they may request that the participating entity delete the data in respect of which consent was not renewed and of the manner in which that request may be made; and
- The following provision is not in force.
(c) provide the consumer, in accordance with the regulations, with any information provided for in the regulations.
- The following provision is not in force.
Marginal note:Duty to delete data
(5) Unless otherwise prohibited by law and subject to the regulations, the participating entity must, at the request of the consumer, delete the data in respect of which consent was not renewed.
Marginal note:Consent obtained by deception
88 A participating entity must not obtain or renew, or attempt to obtain or renew, a consumer’s express consent by providing false or misleading information or using deceptive or misleading practices.
Marginal note:Undue pressure or coercion
89 A participating entity must not obtain or renew, or attempt to obtain or renew, a consumer’s express consent by imposing undue pressure on the consumer or coercing them.
Marginal note:Withdrawal of consent
- The following provision is not in force.
90 (1) A consumer may withdraw their consent, in whole or in part, by notifying the participating entity that obtained the consent.
- The following provision is not in force.
Marginal note:Information
(2) If the consumer notifies the participating entity of their intention to withdraw their consent, the participating entity must immediately
- The following provision is not in force.
(a) inform the consumer of the consequences of withdrawing their consent;
- The following provision is not in force.
(b) inform the consumer that they may request that the participating entity delete the data in respect of which consent was withdrawn and of the manner in which that request may be made; and
- The following provision is not in force.
(c) provide the consumer, in accordance with the regulations, with any information provided for in the regulations.
- The following provision is not in force.
Marginal note:Effect of withdrawal
(3) If the consumer confirms that they withdraw their consent after receiving the information referred to in subsection (2), the participating entity must, immediately or at any later date that is specified by the consumer, stop receiving the data in respect of which consent was withdrawn and notify the participating entity that was providing the data of the withdrawal of consent.
- The following provision is not in force.
Marginal note:Duty to delete data
(4) Unless otherwise prohibited by law and subject to the regulations, the participating entity must, at the request of the consumer, delete the data in respect of which consent was withdrawn.