Data Strategy for Canadian Banks: What the Regulatory Moment Is Actually Demanding

Three regulatory developments are converging on Canadian bank data functions simultaneously in 2026 and 2027, and each one requires a different kind of data infrastructure readiness. OSFI's Guideline E-23 on Model Risk Management, published in September 2025 and effective May 2027, establishes enterprise-wide expectations for how banks govern AI and ML models throughout their lifecycle. Canada's Consumer-Driven Banking Act passed in June 2024, with open banking infrastructure launching in 2026 and requiring banks to share customer financial data through standardized APIs under customer direction. New federal privacy legislation is advancing with potential fines reaching the greater of $25 million or 5 percent of gross global revenue for non-compliance.

Simultaneously, OSFI's Data Collection Modernization initiative, which entered active implementation in January 2026 with Regnology selected as the regulatory reporting technology vendor, is changing how the regulator receives and processes data from federally regulated institutions. The planning phase wrapped up in April 2025 after three years of joint work between OSFI, the Bank of Canada, and CDIC. The implementation phase now underway will produce new reporting requirements, new data formats, and new expectations for the quality and lineage of the data that banks submit.

None of these developments is solely a compliance problem. Each one is, at its core, a data infrastructure problem that compliance sits on top of. A bank that builds the data infrastructure required for regulatory compliance will also have built the foundation for the AI programs, the open banking product capabilities, and the customer analytics that its strategic agenda requires. A bank that builds compliance point solutions without addressing the underlying data infrastructure will keep building point solutions indefinitely as the regulatory landscape continues to evolve.

What OSFI Guideline E-23 Actually Requires

OSFI's Guideline E-23, published September 11, 2025 and effective May 1, 2027, establishes a principles-based framework for enterprise-wide model risk management. Its definition of model is deliberately broad: an application of theoretical, empirical, judgmental assumptions or statistical techniques, including AI or machine learning methods, which process input data to generate results. Under this definition, a credit scoring model, a fraud detection algorithm, a customer churn prediction engine, a pricing optimization system, and a generative AI tool used for customer communications are all models subject to the guideline's requirements.

The guideline's core requirements for each in-scope model are: documentation of the model's purpose, design, assumptions, limitations, and intended use; a validation process that is independent of the model development function and assesses the model's performance against its intended purpose; ongoing monitoring that detects performance degradation, model drift, and changes in the operating environment that affect model reliability; governance mechanisms including an inventory of all in-scope models, clear ownership, escalation paths for model failures, and board-level oversight of model risk; and data quality requirements that address the fitness of the training and operational data for the model's intended use.

The data quality requirements are the element of E-23 that most directly connects to the data strategy rather than to the model development practice. A bank that cannot demonstrate the quality, lineage, and governance of the data used to train and operate each in-scope model cannot satisfy E-23's requirements for those models, regardless of how well the models themselves are documented and validated. The data governance infrastructure is the prerequisite, and the May 2027 effective date gives institutions approximately 18 months from mid-2025 to build it for every model currently in production.

OSFI's FIFAI II report, published March 2026 and based on workshops with OSFI, Finance Canada, FINTRAC, FCAC, and the Bank of Canada between May and November 2025, frames the regulatory environment clearly: responsible AI adoption is necessary for both competitive resilience and effective management of inherent AI risks. The report introduces AGILE as the framework for responsible adoption, emphasizing that agility in capturing AI's benefits must be matched by rigor in managing its risks. For data leaders, this framing means the E-23 compliance program is not separable from the AI program. They are the same investment viewed from different angles.

What Open Banking Requires from the Data Function

Canada's Consumer-Driven Banking Act establishes the legal framework for open banking, and the 2026 implementation marks the transition from regulatory design to operational reality. The framework requires accredited financial institutions to share customer financial data with authorized third parties through standardized APIs, under customer direction and consent, in real time or near-real time.

The data requirements for open banking compliance are distinct from the data requirements for regulatory reporting and model governance. Open banking requires that customer financial data be accessible in a standardized format through APIs that meet defined performance and reliability standards, that consent and authorization be tracked with precision at the individual customer and data element level, that data sharing be auditable with complete records of what was shared with whom under which consent, and that data residency requirements be met given the sensitivity of financial data under the Privacy Act and the incoming federal privacy legislation.

For most Canadian banks, the current state of customer financial data does not meet these requirements without significant infrastructure investment. Customer data is typically maintained across multiple systems, each with different formats, different update cadences, and different access control models. The legacy core banking systems that hold the authoritative record of customer transactions were not designed with API-based real-time access in mind. The consent management infrastructure required to track customer authorization at the granularity that open banking requires does not exist in most institutions as a standalone capability.

The strategic implication is that open banking is not a product or channel decision that lives in the business line. It is a data architecture decision that needs to be made at the enterprise level, because the infrastructure required to serve open banking APIs reliably and compliantly is the same infrastructure required to serve internal analytics and AI programs with current, reliable customer data. Banks that build the open banking data layer as a standalone compliance capability will build it twice: once for the regulatory requirement and again when the analytics team discovers that the standardized, high-quality customer data layer they need for their AI programs already exists in the open banking infrastructure.

What the Privacy Legislation Adds

The incoming federal private sector privacy legislation, expected to replace PIPEDA with a new statute carrying fines of up to $25 million or 5 percent of global revenue, adds a third dimension to the data compliance challenge. The legislation is expected to include data sovereignty provisions, strengthen consent requirements, add transparency obligations for automated decision-making, and potentially introduce data minimization requirements that affect how banks collect and retain customer data.

For financial institutions already navigating E-23's model documentation requirements and the open banking consent management requirements, the privacy legislation adds a need for data classification and sensitivity labeling infrastructure. That infrastructure is what enables the bank to demonstrate, for any given data element, what was collected, under what consent, for what purpose, how it was used, how long it was retained, and whether its use in any model or automated decision-making process was appropriately disclosed.

The data lineage capability that is required for E-23 model documentation, the consent management infrastructure required for open banking, and the data classification required for privacy compliance are not three separate infrastructure investments. They are three applications of the same underlying capability: a governed, documented, traceable data layer that can answer questions about any data element's provenance, use, and disposition. Banks that recognize this and build the shared infrastructure are making one investment that satisfies all three requirements. Banks that build three point solutions are paying three times for overlapping capabilities that create integration problems rather than eliminating them.

The Data Strategy Investments That Actually Need to Happen

Translating the regulatory requirements into a data strategy investment program requires being specific about what needs to be built, in what sequence, and why the sequence matters. The four investments that every Canadian bank data strategy needs to address in the current regulatory period are not equally urgent, and sequencing them correctly determines whether the program produces compounding value or compounding debt.

Data Lineage and Provenance Documentation

OSFI E-23 requires that banks document the data used to train and operate each in-scope model. Open banking requires that consent and data sharing be auditable. Privacy legislation requires that data collection, use, and retention be traceable. All three requirements converge on data lineage: the ability to trace any data element from its source through every transformation and use to its current state and disposition.

Most Canadian banks have partial lineage documentation for their most critical data assets, typically the financial data used in regulatory capital calculations, and minimal or no lineage documentation for the data used in analytical and AI models. The gap between the current state and the E-23 requirement is not primarily a technology problem. The technology for automated lineage capture, including tools embedded in the major data pipeline platforms, exists and is mature. The gap is organizational: the ownership, governance cadences, and accountability structures that keep lineage documentation current when data pipelines change are not established in most institutions for the full scope of data assets that E-23 requires.

Building data lineage capability in sequence with the E-23 model inventory is the most efficient approach. Identify the models in scope for E-23, map the data flows for each model, document the lineage, and establish the governance process that keeps it current as the models and their data sources evolve. This sequence produces an E-23-compliant lineage program rather than a comprehensive enterprise lineage program that takes years to complete before producing any regulatory value.

Consent Management Infrastructure

Open banking requires consent management at a granularity that most banks' current customer data infrastructure does not support. The standard consent model, where a customer consents to the bank's terms and conditions at account opening and that consent covers all subsequent data use, is not compatible with open banking's requirement for specific, revocable, customer-directed consent for each data sharing relationship.

The consent management infrastructure required for open banking needs to track individual customer consent at the data category and recipient level, support consent modification and revocation in real time, produce an auditable record of every consent event, and integrate with the API layer that serves the data to authorized third parties. This is a significant infrastructure build that needs to be initiated well before the 2026 launch date to be operational when the regulatory requirement takes effect.

The strategic upside of building this infrastructure correctly is that it also satisfies the consent documentation requirements of the incoming privacy legislation and provides the audit trail required for any AI model that uses customer data in a way that affects individual outcomes. Consent management is a shared infrastructure investment that serves multiple regulatory requirements simultaneously.
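
The consent requirements listed in this section (consent tracked per data category and recipient, revocation that takes effect immediately, a record of every consent event, and a check the API layer calls before data is shared) are illustrated below. This is an added example, not ClarityArc's code or any bank's implementation; the ConsentLedger class, its method names, the hash-chained audit log and the sample identifiers are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first event


def _digest(event):  # SHA-256 over every field except the event's own hash
    body = {k: v for k, v in event.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ConsentLedger:
    """Hypothetical consent store: state per (customer, recipient) plus an audit chain."""
    def __init__(self):
        self.active = {}   # (customer, recipient) -> set of consented data categories
        self.events = []   # append-only audit trail, each event linked to the previous

    def _record(self, kind, customer, recipient, categories, ts):
        prev = self.events[-1]["hash"] if self.events else GENESIS
        event = {"kind": kind, "customer": customer, "recipient": recipient,
                 "categories": sorted(categories), "ts": ts, "prev": prev}
        event["hash"] = _digest(event)
        self.events.append(event)

    def grant(self, customer, recipient, categories, ts):
        self.active.setdefault((customer, recipient), set()).update(categories)
        self._record("grant", customer, recipient, categories, ts)

    def revoke(self, customer, recipient, categories, ts):
        # Takes effect immediately: the next authorize() call sees the new state.
        self.active.get((customer, recipient), set()).difference_update(categories)
        self._record("revoke", customer, recipient, categories, ts)

    def authorize(self, customer, recipient, category, ts):
        """Called by the API layer before data leaves; the decision is logged either way."""
        allowed = category in self.active.get((customer, recipient), set())
        self._record("share" if allowed else "deny", customer, recipient, [category], ts)
        return allowed

    def verify(self):  # recompute the chain; an edited or reordered event breaks it
        prev = GENESIS
        for event in self.events:
            if event["prev"] != prev or event["hash"] != _digest(event):
                return False
            prev = event["hash"]
        return True


if __name__ == "__main__":
    # Constructed sample: customer "cust-001" directs sharing with recipient "fintech-a".
    ledger = ConsentLedger()
    ledger.grant("cust-001", "fintech-a", {"accounts", "transactions"}, "2026-03-01T10:00:00Z")
    ledger.revoke("cust-001", "fintech-a", {"transactions"}, "2026-03-02T09:00:00Z")
    print(ledger.authorize("cust-001", "fintech-a", "transactions", "2026-03-02T09:00:01Z"), ledger.verify())
```

Because denied requests are logged alongside shared ones, the same trail answers both "what was shared with whom under which consent" and "what was requested after consent was withdrawn".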

Model Inventory and Data Quality for AI Systems

OSFI E-23 requires a comprehensive inventory of all in-scope models. For most Canadian banks, this inventory does not currently exist in a form that meets E-23's requirements. Models exist in production that were built by teams across the bank, using data from different sources, with varying levels of documentation, and with no centralized registry that tracks their status, ownership, performance, and validation history.

Building the model inventory is the discovery work that reveals the scope of the E-23 compliance program. It is also the discovery work that reveals the data quality gaps that will block compliance for specific models. A model that was trained on data that is not documented, not lineage-traced, and not quality-assessed cannot satisfy E-23's requirements regardless of how well the model itself is documented. The model inventory and the data quality assessment for each model's training and operational data are the two complementary activities that define the E-23 remediation roadmap.

The data quality post in this series describes the six quality dimensions that AI models require from their training and operational data. For E-23 purposes, the most critical dimensions are accuracy, completeness, and lineage documentation: the data must be correct, it must be present for all records in scope, and there must be a traceable record of where it came from and how it was processed.

Regulatory Reporting Data Infrastructure

OSFI's Data Collection Modernization initiative, now in active implementation, will change the format, frequency, and granularity of regulatory reporting that Canadian banks are required to submit. The implementation timeline runs through 2026 and into 2027, with specific changes varying by institution type and regulatory category.

The data infrastructure required for the new reporting framework is not simply a technology change to how reports are generated. It requires that the underlying data be maintained at the granularity, quality, and timeliness that the new reporting standards require, which in many cases is more granular and more frequent than the current reporting infrastructure was designed to support. Banks that treat the reporting modernization as a technology project rather than a data architecture project will build systems that produce the right report format from data that is not sufficiently reliable to support the regulatory assurance that the reports are supposed to provide.

The CDO's Role in This Moment

The convergence of E-23, open banking, privacy legislation, and reporting modernization is creating a moment where the CDO role is either elevated to genuine strategic leadership or confirmed as a technical coordination function. The distinction depends on whether the CDO can make the case that these regulatory requirements are investments in shared data infrastructure that serves the bank's strategic AI and analytics agenda, or whether each requirement is treated as a standalone compliance cost that is minimized rather than leveraged.

The CDO's first 100 days framework described in this series applies with particular force in this context. A new CDO at a Canadian bank in 2026 who spends their first 100 days understanding the regulatory compliance calendar, mapping the data infrastructure gaps against each requirement, and making the case to the CFO and CEO that the compliance investments and the AI investments are the same investment viewed from different angles is doing the work that secures the mandate and the budget for a genuine data transformation program. A CDO who treats E-23, open banking, and privacy as three separate workstreams owned by legal and compliance is creating a program that will cost three times as much and deliver a fraction of the strategic value.

The data strategy for a Canadian bank in 2026 is not a five-year vision document. It is a 24-month investment program with specific regulatory milestones, specific infrastructure deliverables, and a clear argument for why the compliance investments produce strategic assets rather than compliance overhead. The argument exists. The regulatory timeline is making it urgent. And the banks that make it clearly and early will enter the next cycle of AI and open banking competition with a data foundation that their competitors, who treated compliance as compliance, will not have.

Talk to Us

ClarityArc's data strategy practice for financial services helps Canadian banks connect their E-23, open banking, and privacy compliance programs to a shared data infrastructure investment that serves their AI and analytics agenda. If you are building the data strategy for your institution's regulatory moment, we are ready to help.
