Your Bank Moved $2.1 Billion Out of Canadian Accounts Last Year, and Nobody Had to Ask
Consumer-driven banking rules finally give Canadians control over their own money.
The Interac e-Transfer notice arrived at 2:14 a.m. By the time the account holder woke up, the money was gone. No branch visit, no signature, no phone call to confirm. Just a transaction that the bank’s own systems processed cleanly, because that’s what the system was designed to do.
Under regulations published in the Canada Gazette on June 27, 2026, that transaction would have required something it currently doesn’t: your express consent before the capability existed at all.
The Department of Finance has now published two sets of proposed regulations under the Consumer-Driven Banking Act (which received Royal Assent in March 2026) and the Bank Act. Taken together, they represent the most significant shift in how ordinary Canadians interact with their bank since electronic transfers became standard. The first framework, the Consumer-Driven Banking Regulations, builds what Ottawa has been working toward since 2018: a formal, secure system for Canadians to share their financial data with apps and services they actually choose. The second, amendments to the Financial Consumer Protection Framework Regulations, goes after something quieter and more urgent. Banks will be required to get your explicit consent before activating electronic transfer capabilities such as Interac e-Transfer and wire transfers. Canadians who want to will be able to turn those capabilities off entirely.
The impetus is stark. According to the Canadian Anti-Fraud Centre figures cited in the regulatory filing, Canadians reported $704 million in fraud losses in 2025. But the CAFC estimates that only 5 to 10 percent of fraud is actually reported. The Department of Finance’s own math, extrapolated from those figures, suggests Canadians lost approximately $2.1 billion to wire transfer fraud and $489 million to Interac e-Transfer fraud in 2024 alone. The reported numbers are visible. The true numbers live in the gap between what people admit happened and what they’re too embarrassed, or too exhausted, to report.
A system built for a different era
The screen scraping problem has been hiding in plain sight for years. About 9 million Canadians currently use financial apps by handing those apps their actual banking credentials, the username and password they use to log into their bank, and letting the app log in as them and scrape data from the screen. The Department of Finance’s Gazette filing describes it plainly: an “unregulated and technologically unsecure practice” that poses security, liability, and privacy risks to the people doing it. Most of them have no idea they’re doing anything unusual. They just connected their budgeting app or their tax software.
The Consumer-Driven Banking Regulations replace screen scraping with a proper API framework. Accredited fintech companies and financial service providers would connect to a bank’s data systems through a standardized interface, one that doesn’t require the consumer to give up their credentials. The Bank of Canada oversees accreditation. There are four pathways in: a standard non-streamlined track for fintechs, a faster streamlined track for Payment Service Providers already registered under the Retail Payment Activities Act, a separate track for federally or provincially regulated financial institutions, and a fourth for third-party service providers. Entry isn’t free. Accreditation costs $2,500, with annual assessment fees ranging from $10,000 for smaller entities to $150,000 for institutions holding over $1 trillion in assets.
Penalties for violating the framework go up to $1 million for individuals and $10 million for participating entities.
The government’s economic case is substantial. The regulatory impact analysis estimates the framework will generate a net benefit of $2.3 billion over 10 years, with total present-value benefits reaching $13.2 billion against $457.7 million in costs. The framework has been in development since the 2018 federal Budget announced an “Open Banking Review.” Abraham Tachjian was appointed as the Open Banking Lead in 2022 to develop common rules. Royal Assent came in March 2026. Eight years from first announcement to regulation.
What AI changed
The fraud protection amendments aren’t just about cleaning up a legacy problem. They’re a direct response to what artificial intelligence has done to the fraud business.
The Finance Department’s regulatory filing is explicit about this. Consumer-targeted fraud, defined as transactions a consumer has not authorized or has authorized through coercion or deception, has risen rapidly since 2018. The filing states directly that “advances in artificial intelligence make it easier for fraudsters to use sophisticated techniques, such as deepfake videos or AI-generated phone calls.” The fraudster who used to rely on a believable accent and a plausible story can now generate a voice that sounds exactly like your bank’s automated system, or a video that looks exactly like someone you trust.
The consent requirement for e-transfer capabilities targets the specific vulnerability those tools create. Under current rules, electronic transfer functions may be active by default. A consumer who doesn’t know they can deactivate wire transfers, or didn’t know those transfers were enabled on an account they rarely use, has no particular protection when a fraudster does what fraudsters do: finds the unlocked door and walks through it.
Banks will also be required to collect specific data on consumer-targeted fraud and report it annually to the Financial Consumer Agency of Canada, which will then report to the Minister of Finance. The first annual reports covering 2028 data are due by May 15, 2029. That data collection requirement matters almost as much as the consent rule. Right now, the government is working off CAFC reporting that captures somewhere between 5 and 10 percent of what actually happens. Mandatory bank-level reporting will produce a clearer picture of the actual scale of the problem.
The national security angle
One element of the consumer-driven banking framework doesn’t get much public attention but appears clearly in the Gazette text: national security review authority. The Minister of Finance can review, refuse, suspend, or revoke access to the framework for any applicant or accredited entity on national security grounds. That clause is doing something specific. A framework that allows accredited third parties to access the financial data of millions of Canadians is, by definition, a high-value target. Accreditation is not a one-time gate. The Minister retains the power to remove access at any point.
The coming-into-force date for the fraud protection amendments is July 1, 2027. That’s the point at which banks must actually implement the consent requirements and the ability for consumers to disable transfer capabilities. The consumer-driven banking accreditation system has its own timeline for launch.
The public comment period on both regulations is open. For the banking framework, the 60-day window runs from the date of Gazette publication.
Source Documents
Department of Finance Canada. (2026, June 27). Consumer-Driven Banking Regulations (proposed). Canada Gazette, Part I, Vol. 160, No. 26. Government of Canada.
Department of Finance Canada. (2026, June 27). Regulations Amending the Financial Consumer Protection Framework Regulations (proposed). Canada Gazette, Part I, Vol. 160, No. 26. Government of Canada.




