Overview

Canada has a vibrant and growing financial technology (fintech) sector. This article explores the legal and regulatory developments in Canada’s fintech space in 2021 in the following four areas, which will continue to be important in 2022:

• open banking and the current path to open banking in Canada; 
• modernisation of Canada’s payments systems and changes to Canada’s anti-money laundering regulations; 
• crypto-assets and developments affecting their issuance, trading and use; and
• recent trends in data protection and cybersecurity affecting the fintech sector. 

Path to Open Banking

Open banking is a secure way for customers to share their financial data with fintech companies that provide online financial products or services. Open banking is not yet available in Canada, but it is available in other countries like Australia and the UK. 

In its Budget 2018, the government of Canada announced its intention to undertake a review of the merits of open banking. Shortly after, the minister of finance appointed an Advisory Committee on Open Banking (the “Advisory Committee”) to guide its review.

On 31 January 2020, the Advisory Committee issued its first report, which recommended the development of a framework to enable open banking in Canada. Following the first report, the Advisory Committee then released its second and final report (the “Final Report”) in August 2021, focusing on recommendations for the implementation of open banking in Canada. 

Recommendations of the Final Report

The Final Report proposed an approach to implementing open banking in two phases consisting of:

• Phase 1, which would establish an open banking system within 18 months; and 
• Phase 2, which would consist of a review of the open banking system following Phase 1. 

The Final Report recommended that the open banking system, which is expected to be launched by early 2023, should adopt a hybrid made-in-Canada approach that would leverage the benefits of both industry and government-led models, with the government being responsible for establishing clear policy objectives, convening participants, setting a framework and timeline; and industry being responsible for managing the implementation and administration of the open banking system. The Final Report also recommended that this system should be inter-operable with international systems.

The Advisory Committee recommended that federally regulated banks should be required to participate in the first phase, while provincially regulated financial institutions, such as credit unions, should have the opportunity to join on a voluntary basis. It was further recommended that other entities should be permitted to participate in the system upon meeting accreditation criteria and following the rules of the open banking system.

As for the data to be included, the Advisory Committee recommended that data that is currently available through online banking applications be included in the first phase, while derived data (which is data enhanced by a financial institution or a fintech company) be generally excluded. “Read-only” activities that do not allow the editing of data on the financial institutions’ servers are recommended to be in-scope for the first phase. 

Reciprocity is recommended within the proposed open banking system, whereby consumer data held by third-party service providers would be shared with financial institutions. It is also expected that consumers will be able to choose to move their data among financial institutions and third-party service providers in one direction or allow back-and-forth exchanges of data between them. All such data flows would only occur with the express consent of consumers.

The Advisory Committee also recommended that the government appoint an “open banking lead” to lead the design of the system. For the ongoing administration of the open banking system, the establishment of a fit-for-purpose entity was also recommended.

Implementation of the recommendations of the Final Report

Following the release of the Final Report, a federal election was called which delayed any action in respect of the recommendations that were made within the report. In December 2021, the newly re-elected prime minister of Canada issued a mandate letter to the associate minister of finance requesting that he “advance our commitments to launch a made-in-Canada model of open banking by early 2023 and to modernise Canada’s payments technology to deliver faster and lower-cost options to securely and conveniently transfer funds”. 

Although the mandate letter refers to the launch of the open banking model, it remains to be seen which recommendations of the Final Report will be implemented. 

Privacy reform

Due to the division of power between the federal and provincial/territorial levels in Canada, implementation of open banking presents challenges that require co-operation between the various levels of government.  Implementation also requires the creation of a “data portability” right, whether limited to financial transaction data, or data more broadly. In the context of open banking, data portability means a customer’s right to direct the sharing of their personal information by one organisation with another organisation. 

At the end of 2020, the government of Canada introduced a bill to establish a new privacy law for the private sector, which also provided for data portability. This bill died on the table when the federal election was called. A new federal privacy bill is expected to be introduced in 2022.

Certain Canadian provinces and territories, such as Quebec and Ontario, have also amended their privacy legislation to provide for data portability, or have announced their intention to introduce private sector privacy legislation that would also provide for a data portability right.

Digital identity

Without a digital identification system in place in Canada, financial services providers will have to implement additional processes to verify and authenticate individuals, which would in effect undermine the goals of open banking. In September 2020, the Digital Identification and Authentication Council of Canada (DIACC) launched the Pan-Canadian Trust Framework (PCTF), which is a set of digital identification and authentication industry standards that will define how digital identification will roll out across Canada. In addition, the DIACC’s PCTF Voila Verified Trustmark Assurance Program, which is an assurance programme that will verify the assurance practices of an identity verification solution or service, is set to launch in 2022. At a provincial level, Ontario and Quebec are taking steps to introduce digital identity, while British Columbia and Alberta currently offer them to their residents.

Payments and Anti-money Laundering

Payments modernisation

Payments Canada has been proceeding with ongoing payments system modernisation efforts. This modernisation effort will impact both retail payments as well as high-value payments and consists of the following.

• Real-Time Rail (RTR): an RTR system will operate on a 24/7/365 basis and will include the real-time delivery of low-value payments within seconds. The expected timeline for completion of this project is in 2023.
• Lynx: a new high-value payment system called "Lynx", which is intended to replace the large-value transfer system (LVTS), was introduced in September 2021. The Lynx payment system is a real-time system that complies with ISO 20022 and Bank of Canada (BoC) standards for Systemically Important Payment Systems. 
• Retail Batch Payments and Automated Funds Transfer (AFT): improvements to the existing Automated Clearing Settlement System (ACSS) include more frequent daily exchanges, increased automation, data-rich payments to streamline reconciliation, and the availability of same-day batch payments. 

Retail payments supervision

The government of Canada has also introduced legislation to create a new framework for the purposes of supervising retail payment service providers. The Retail Payment Activities Act (RPAA) was approved by the Canadian parliament on 29 June 2021, and is expected to come into force in stages, which will include, among other things, regulations that will clarify the application of rules provided under the RPAA. 

The RPAA defines a “payment service provider” as a person that performs payment functions as a service or business activity that is not incidental to another service or business activity. Payment functions include “the holding of funds on behalf of an end user until they are withdrawn by the end user or transferred to another individual or entity” and “the initiation of an electronic funds transfer at the request of an end user”. 

The RPAA framework will, subject to limited exemptions, require payment services providers to:

• register with the BoC before performing any retail payment activities;
• demonstrate that they have a framework in place to mitigate operational risks;
• keep end-user funds separate from other money used in the service provider’s business operations; and
• report to the BoC, and pay fees associated with its registration and the BoC’s supervisory role.

Anti-money laundering and terrorist financing 

The Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and its regulations are the basis of Canada's anti-money laundering and terrorist financing (AML/TF) regime and it applies directly to financial institutions, securities registrants and money services businesses (MSBs), among other regulated sectors. Amendments to the regulations under the PCMLTFA, which came into force on 1 June 2020, extended the regulatory requirements of MSBs to entities dealing in virtual currency. As a result, any digital platform that offers digital asset exchange or transfer services in Canada must register as an MSB with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). 

Additional amendments to regulations under the PCMLTFA came into force on 1 June 2021, to help address and close certain gaps identified by the Financial Action Task Force (FATF) in the regulation of new technologies. These include:

• the implementation of the “travel rule” which requires reporting entities to include information with a wire transfer about the requesting client and the beneficiary in respect of all virtual currency transfers of CAD1,000 or more; and
• amendments that now treat prepaid access products (eg, prepaid credit cards) as bank accounts for the purposes of the regulations under the PCMLTFA (this means that reporting entities issuing prepaid access products will be subject to the same customer due diligence requirements as imposed on reporting entities that offer bank accounts).

On 1 April 2022, FINTRAC will begin assessing compliance with these and other amendments to the regulations under the PCMLTFA. Where the reporting entity can demonstrate progress on implementation plans for resolving any technical and infrastructure impediments, FINTRAC has indicated that it will be reasonable in its assessment and enforcement approach. Where progress cannot be demonstrated, FINTRAC will undertake compliance assessment activities, and reporting entities may accordingly be subject to follow-up and enforcement measures.

Regulation of Crypto-assets

Over the last year there have been several notable developments in Canada relating to crypto-assets, which impact the fintech industry. Most notably, (a) the continued emphasis of Canadian securities regulators on the regulation of crypto-asset trading platforms; (b) advancements by the BoC on the features and potential uses of a Canadian central bank digital currency; and (c) a proposed new securities legislation, the Capital Markets Act, which is intended to replace the existing Securities Act and Commodity Futures Act in Ontario. 

Crypto-asset trading platforms

On 29 March 2021, staff of the Canadian Securities Administrators (the CSA) and the Investment Industry Regulatory Organization of Canada (IIROC) jointly published Staff Notice 21-329 – Guidance for Crypto-Asset Trading Platforms: Compliance with Regulatory Requirements (“SN 21-329”), in which they provided guidance on the application of securities laws to crypto-asset trading platforms (CTPs) that facilitate or propose to facilitate the trading of:

• crypto-assets that are securities; or 
• “crypto-contracts” (ie, instruments or contracts involving crypto-assets where the contract or instrument does not result in an obligation to make immediate delivery of the crypto-asset or where the instrument or contract is not settled by the immediate delivery of the crypto-asset in accordance with the platform’s typical commercial practice).

SN 21-329 outlines registration requirements and steps that CTPs need to take in order to comply with Canadian securities legislation, including interim steps (known as the “interim approach”) which allows crypto-asset trading platforms an ability to operate while they take steps to bring their operations into compliance with the applicable Canadian securities laws. 

Following the publication of SN 21-329, several crypto-asset trading platforms began or hastened their dialogue with their respective principal Canadian securities regulator in order to offer their services to Canadian residents in a manner that would be viewed as compliant. As of 15 March 2022, six crypto-asset trading platforms have been registered under the interim approach outlined within SN 21-329. Under the interim approach, such platforms have been granted restricted licences and exemptions from Canadian dealer and/or marketplace requirements for up to two years, subject to tailored terms and conditions for each prospective platform. Registered platforms under this interim approach are nevertheless expected to seek full dealer and/or marketplace registration during the two-year interim period. 

In addition to talking to CTPs in order to bring their operations into compliance with the approach set out in SN 21-329, the Ontario Securities Commission (OSC), Canada’s largest securities regulator, also undertook enforcement action in parallel against certain unregistered platforms that are providing crypto-asset trading services to Canadian residents. In 2021, for example, the OSC initiated four actions against non-compliant crypto-asset trading platforms, the most notable being against the exchange platform known as KuCoin. The OSC has also issued numerous investor alerts against other platforms operating as cryptocurrency trading platforms in Ontario. 

As more crypto-asset trading platforms continue to seek registration with Canadian securities regulators, it will be interesting to see how the applicable regulatory framework for CTPs continues to develop. 

Canadian central bank digital currency

In October 2020, the BoC, together with six other central banks and the Bank for International Settlements (BIS), published a report, which explored the core features of central bank digital currencies (CBDCs) and investigated the feasibility of using CBDCs to help central banks pursue their mandate of monetary and financial stability. The report concluded that:

• central banks should not compromise monetary or financial stability by issuing a CBDC;
• a CBDC must co-exist with and complement existing forms of money; and
• a CBDC should promote innovation and efficiency.

The report further concluded that CBDCs have the potential to assist central banks in delivering a safe means of payment consistent with the increased reliance on digitalisation. 

While the BoC has indicated that it currently has no plans to launch its own CBDC, it has taken steps to push forward the development process of a Canadian CBDC as a contingency should the need arise. 

In its continuing effort to increase contingency planning for a Canadian CBDC, on 11 February 2021, the BoC published three papers from the Model X Challenge, where it invited three independent project teams from Canadian universities to solicit ideas for potential system designs and business models for a Canadian CBDC. Each paper provided different perspectives on the potential system design of a Canadian CBDC for the BoC’s consideration.

Following the Model X Challenge, on 20 July 2021, the BoC published its Staff Discussion Paper 2021-11: “The Positive Case for a CBDC” (“SD 2021-11”) wherein it was argued that as modern economies become increasingly digital, the public policy objectives of competition and innovation may motivate the BoC to issue a Canadian CBDC. Following SD 2021-11, other discussion papers have been published by the BoC, examining the effects of a CBDC on consumption, banking and economic welfare, as the BoC continues to further examine and prepare for a Canadian CBDC if the need arises. 

If the BoC were to issue a Canadian CBDC, there would be wide ranging implications for the economy and the financial system. Developments for a Canadian CBDC also compliment Payment Canada’s payments modernisation programme discussed above in the "Payments modernisation" section. It is expected that there will be significant developments in research and adoption regarding CBDCs in Canada and globally over the coming year, as private sector digital currencies become more widely used as an alternative to the Canadian dollar as a method of payment, store of value and unit of account in Canada. 

Capital Markets Act

The Capital Markets Act is draft legislation intended to replace the Securities Act and the Commodity Futures Act in Ontario in an effort by the Ontario government to modernise the province’s capital markets. The Province of Ontario is home to Canada’s major stock exchange, the OSC, which is the country’s largest capital markets regulator (as noted above) and has the major share of Canadian market participants, which means that a change to the province’s capital markets legislation will likely have national consequences. 

Of particular note, the draft legislation proposes to define a “crypto-asset” as a “digital representation of value or contractual rights, which may be transferred and stored electronically, using distributed ledger or similar technology”. Under the draft legislation, the regulator’s powers will also be expanded to allow for the designation of specific crypto-assets as “securities” or “derivatives”.

This draft legislation marks the first attempt by any Canadian securities regulator to amend its securities legislation to specifically address and incorporate the concept of a crypto-asset. If the proposed amendment to include “crypto-assets” within the legislation is implemented by the Province of Ontario, it will be noteworthy whether other Canadian provinces follow suit and amend their respective securities laws legislation to harmonise with Ontario’s approach. 

Data Protection and Cybersecurity

The ongoing pandemic and prolonging of remote deployment continues to pose increased data protection and cybersecurity risks for Canadian fintech businesses. In 2021, the continued evolution of the cyber threatscape resulted in new and continued regulatory efforts to protect Canadians and Canadian business.

Ransomware

Ransomware has continued to pose the most significant cyber-threat across virtually all sectors of the economy. Among notable developments in the evolution of the ransomware threat were:

• the use of upstream vendors to victimise multiple organisations with a single attack by injecting malware into otherwise legitimate updates distributed to customers (as with the attacks on Kaseya’s remote monitoring tool and SolarWinds’ software updates); and
• the use of more complex extortion tactics by threat actors (for instance, threat actors not only exfiltrated, encrypted, and threatened to sell or publish sensitive data, but also began directly contacting the customers and clients of target companies to pressure those companies to pay ransoms). 

Responses to the ransomware threat, in particular, included the release of a comprehensive report by the Ransomware Task Force, which consists of public and private sector stakeholders and experts (including the Royal Canadian Mounted Police, the FBI, the UK National Crime Agency, Microsoft, Cisco and Deloitte). The report describes the scope and complexity of the threat (which it characterises as a threat to national security), describes the role of cryptocurrency in the ransomware ecosystem, and sets out a comprehensive framework of recommendations for combating ransomware. This framework includes, among other things, a call for a “nationally and internationally co-ordinated, comprehensive” strategy and enforcement effort. 

Cybersecurity and financial institutions

The Office of the Superintendent of Financial Institutions (OSFI) issued updated cyber-incident reporting guidelines in August 2021. The new advisory replaces a previous reporting threshold with one that makes a broader range of incidents reportable, including incidents where the impact “has potential consequences to other federally regulated financial institutions or the Canadian financial system”, or might affect “external customers or business operations”. Notably, many incidents are now reportable to OSFI even though they would not attract reporting obligations under existing privacy laws. 

OSFI followed this development by announcing, in November, a public consultation on Draft Guideline B‑13: Technology and Cyber Risk Management. The consultation ended on 9 February 2022. When finalised, B-13 will join OSFI's existing cybersecurity-related guidelines and tools, which include Guidelines E‑21 (Operational Risk Management), B‑10 (Outsourcing of Business Activities, Functions and Processes), its Technology and Cyber Security Incident Reporting Advisory, and its Cyber Security Self-Assessment tool. 

Closing Remarks

Recent changes and trends in the banking industry – the planned introduction of open banking in Canada, combined with updates to Canadian anti-money laundering, crypto-assets and cybersecurity laws and regulation – provide a highly dynamic and fluid environment in which fintech companies continue to operate. It will be very interesting to see how the fintech sector and Canadian government entities and regulators manage these headwinds in the coming years, starting with 2022, which promises to be a very eventful year in the Canadian fintech space.