What’s happening

Open Banking is accelerating innovation, and three regulatory frameworks that will have significant impacts for Canadian Leaders are EU’s open finance rules, stalled Canadian AI legislation, and US banking AI guidance. Today, let’s explore the implications of these, and how savvy leaders can adapt.

The Details

The EU’s Financial Data Access (FIDA) regulation is moving toward final approval after Council and Parliament reached their positions in late 2024. While negotiations continue and implementation won’t start until 2027-2030, Canadian financial institutions with European exposure need to start planning now. FIDA expands open banking principles beyond payments to cover investments, insurance, pensions, and crypto-assets - creating data-sharing obligations that will affect any Canadian FI with EU customers, partnerships, or cross-border data flows.

Unlike PSD2, which gave non-European institutions time to adapt, FIDA’s requirements around data access, Financial Information Service Providers (FISPs), and machine-readable permissions dashboards are more technically prescriptive. The framework also includes specific provisions restricting “gatekeeper” companies (under the Digital Markets Act) from combining financial data with other data sources - a complexity that affects how Canadian institutions structure their European operations.

Meanwhile, Canada’s Artificial Intelligence and Data Act (AIDA) collapsed when Parliament was prorogued in January 2025, leaving Canadian FIs without federal AI governance requirements. Bill C-27 died before final passage, and while the federal government has signaled intent to revisit AI regulation with a “light, tight, right” approach, there’s no timeline. This creates uncertainty: do Canadian institutions build AI governance frameworks now in anticipation of eventual legislation, or wait?

The key data point for Canadian FI’s is: OSFI hasn’t waited. The regulator’s Guideline E-23 on Model Risk Management (finalized September 2025, effective May 1, 2027) explicitly covers AI/ML models and requires comprehensive governance. Separately, US federal banking regulators - the Fed, OCC, FDIC, CFPB- Issued a joint Request for Information on AI use in financial services back in 2022 and continue to apply existing Model Risk Management (SR 11-7) and Third-Party Risk Management guidance to AI systems. Canadian banks with US operations face these overlapping requirements despite no harmonization between jurisdictions.

The Implications

• Compliance: You’re managing regulatory frameworks that don’t align. FIDA’s data-sharing requirements, OSFI’s E-23 model governance expectations, and US MRM/TPRM guidance all define “adequate AI documentation” differently. A compliant system in one jurisdiction may not satisfy another.

• Engineering: European operations need FIDA-ready data infrastructure (permissions dashboards, access interfaces, Financial Data Sharing Schemes) starting 2027. AI/ML systems need governance documentation that satisfies OSFI’s E-23 by May 2027. US subsidiaries need model validation under SR 11-7. These aren’t the same requirements - you’re building three parallel frameworks.

• Risk Management: The regulatory vacuum in Canada (no AIDA) doesn’t mean no regulation. OSFI’s E-23, international frameworks, and cross-border exposure create obligations anyway. Board-level AI governance committees are becoming standard even without legislative mandate. Executives NEED to get ahead of the curve now before its too late.

• Executives: Canadian open banking and AI targets are insufficient to be leaders on a global scale. We simply cannot lead while being a decade or more behind with regulations such as FIDA leading the way. While Canada is still debating the future of AI legislation, organizations should be looking at self-governance, and if you’re working with EU partners, co-governance with EU applicable rules. It’s time for execs to demand the system modernize and help us innovate.

How to prepare

• Map your cross-border regulatory exposure now. Which jurisdictions do you operate in? Which frameworks apply? FIDA affects you if you have EU customers or partnerships. E-23 affects you if OSFI regulates you. US MRM affects you if you have US operations. Document the overlaps.

• Inventory AI/ML systems against multiple frameworks simultaneously. A model needs to satisfy OSFI’s E-23 validation requirements AND meet US third-party risk management standards if it’s used across borders. Build one documentation that works for all jurisdictions. Don’t build multiple for each

• Monitor EU FIDA negotiations closely. When trilogue concludes (expected late early 2026), implementation timelines will become clear. Canadian FIs with European exposure should have data architecture plans ready before final text publishes.

• Build AI governance assuming eventual Canadian regulation. While AIDA is dead, an adapted version will appear. Institutions that built frameworks anticipating AIDA’s principles (accountability, transparency, bias mitigation) will adapt faster when new legislation arrives.

• Coordinate across compliance, legal, engineering, and risk. Cross-border regulatory complexity breaks siloed approaches. The team managing FIDA compliance needs to talk to the team implementing E-23 - these frameworks intersect at your AI-powered customer data systems.

Who’s already moving

Canada’s Big Six banks treat cross-border AI governance as a unified challenge. RBC and TD built AI governance frameworks that align with OSFI’s E-23, anticipate Canadian AI legislation principles, and satisfy US regulatory expectations simultaneously. Scotiabank’s 2025 AI governance report explicitly maps their controls to multiple jurisdictions.
Mid-tier institutions with primarily Canadian operations are focused on E-23 compliance only. Credit unions assume they’re exempt from international frameworks - many aren’t, particularly those with correspondent banking relationships or third-party service providers that operate cross-border.
European digital banks (N26, Revolut, Wise) expanding into Canada have FIDA readiness built into their architecture already. They’re positioning this as competitive advantage: “Our data infrastructure already meets Europe’s 2027 standards.” and they will surely steal some of the market from Canadian institutions - especially the ones who are unprepared

How you need to adapt

Many of these frameworks were written in isolation and won’t be enforced in coordination. FIDA focuses on consumer data access and portability. OSFI’s E-23 focuses on model risk management and validation. They all touch AI/ML systems that handle financial data, but from completely different angles.

A Canadian bank with European customers could build an AI credit decisioning model that:

• Satisfies OSFI’s E-23 validation and monitoring requirements

• Fails FIDA’s data access and permissions dashboard requirements

• Still faces uncertainty about future Canadian AI legislation

Building the right enterprise architecture will allow Canadian businesses to adapt and compete. If I were an executive today navigating digital transformation, I would seriously be considering the requirements coming from FIDA. If not your competitors from EU will adapt faster to changing market needs.

EU’s FIDA is building an Apple Store in the financial space, and Canadian leaders need to plan for it now. The app store monopolized the mobile market for decades and made it hard to compete, and those that do not adopt FIDA principles will not be able to compete in this new market.

What we’re watching

• FIDA trilogue conclusion: EU Council and Parliament negotiations expected to finalize in late 2025 or early 2026. When final text publishes, implementation timelines for different data types (24-48 months) will trigger. Canadian FIs need plans ready.

• Canadian AI legislation reboot: Minister Evan Solomon confirmed in June 2025 that AIDA won’t return in its original form. What replaces it matters. Watch for federal signals on “light, tight, right” AI regulation - this will set the framework Canadian institutions build toward.

• OSFI’s E-23 supplementary guidance: The regulator may issue additional material clarifying AI/ML model governance expectations before the May 2027 deadline. If it comes, it’s critical. If it doesn’t, institutions are interpreting complex requirements without official guidance.

• US regulatory coordination: Fed, OCC, FDIC, and CFPB have been studying AI in financial services since their 2021 RFI. Watch for updated joint guidance that harmonizes model risk and third-party risk expectations for AI systems. Canadian banks with US operations need alignment.

• Cross-border data transfer frameworks: How FIDA interacts with GDPR, and how both interact with Canadian privacy law (PIPEDA, Quebec’s Law 25) will determine data architecture requirements for cross-border operations. EU-Canada adequacy decisions matter.

BluByte Technology
Discerned Intelligence you can act on
Comment with your biggest AIDA concerns, we’re interested to hear from leaders

About Intercepts: Fast intelligence for practitioners who can’t afford to be six months behind. Published monthly. Zero marketing, pure signal.

Additional Reading

• EU FIDA Regulation Update – Taylor Wessing - July 2025 analysis of trilogue progress and implementation timelines

• EUR-Lex Official FIDA Proposal - Official EU legislative text and documentation

• Guideline E-23 – Model Risk Management (2027) - Office of the Superintendent of Financial Institutions) - Canadian AI/ML governance requirements, effective May 2027

• Bill C-27: The Future of Canadian Privacy Law – CookieScript - September 2025 analysis of AIDA collapse and what comes next

• Federal Register: RFI on AI in Financial Services - US Treasury June 2024 request for information on AI use

• Navigating Artificial Intelligence in Banking – Bank Policy Institute - April 2024 analysis of US regulatory framework for AI in banking

EDITOR’S NOTE
This is our first Intercept.
The goal: give you intelligence you can act on this week, not file away for later. If something here changed your plans or made you flag something internally, we’d like to hear about it.
If it didn’t - tell us what would have.