FinTech: 2023 Legal Year in Review

February 6, 2024 | Financial Services Bulletin

Financial Technology – colloquially known as “FinTech” – has undergone explosive growth in recent years. This was further amplified by the COVID-19 pandemic and the need for technological solutions to facilitate virtual transactions. Financial services that were once exclusively offered by brick-and-mortar financial institutions are now provided by all types of entities, from emergent start-ups to large conglomerates.

Challenges and opportunities in the FinTech industry have attracted a massive regulatory response over the last few years. At the same time, technological innovation and efficiencies have opened the door to more modernized processes in payments and the potential advent of open banking (now called consumer-driven banking) in Canada. This article provides an overview of the significant regulatory developments from 2023 that impact the FinTech industry. Key developments include:

As these developments continue to evolve, the regulatory framework has the potential to influence how FinTech companies conduct their business for years to come.

Developing Frameworks for Privacy and Artificial Intelligence

The federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) governs all commercial activities in provinces without “substantially similar” legislation. It also governs federal works, undertakings of businesses (e.g., banks and airports), and all cross-border transfers of personal information. British Columbia, Alberta, and Quebec each have their own substantially similar private-sector legislation.

On April 24, 2023, Parliament completed its second reading of Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, otherwise known as the Digital Charter Implementation Act, 2022 (“Bill C-27”). If passed, this legislation would bring significant changes to privacy and data protection in Canada by replacing PIPEDA with the Consumer Privacy Protection Act (“CPPA”), the Artificial Intelligence and Data Act (“AIDA”) and the Personal Information and Data Protection Tribunal Act. To learn more, read our bulletin on Bill C-27.

The proposed CPPA would replace parts of PIPEDA with a new legislative regime governing the collection, use, and disclosure of personal information for commercial activity in Canada. Key elements include:

  • mandatory privacy management programs for organizations;
  • a codified “Appropriate Purpose Test” for assessing the legitimacy of data use;
  • newly codified consent conditions;
  • exceptions for socially beneficial purposes;
  • reduced service provider obligations;
  • increased transparency requirements;
  • new data subject rights; and
  • enhanced enforcement mechanisms, including penalties and a private right of action for affected individuals.

The proposed AIDA would establish nationwide requirements for artificial intelligence systems (“AI Systems”) and prohibit harmful conduct related to AI Systems. AIDA would create new obligations for persons responsible for AI Systems, particularly systems determined to be “high impact.” In addition, certain regulated activities would be subject to requirements and restrictions when carried out during international or interprovincial trade and commerce. This includes processing data relating to human activity for designing, developing, or using an AI System, as well as activities related to the design, development, or management of AI Systems.

On November 28, 2023, the Minister of Innovation, Science, and Industry presented the Standing Committee on Industry, Science and Technology with a letter outlining the government’s proposed amendments to AIDA (the “Proposed AIDA Amendments”). Among other things, the Proposed AIDA Amendments modify the definition of “artificial intelligence systems” to align with Organization for Economic Cooperation and Development standards. Additionally, they will expand the scope of AIDA’s application by including a definition of “machine learning model.”

Anti-Money Laundering

The Proceeds of Crime (Money-Laundering) and Terrorist Financing Act (Canada) (“PCMLTFA”) imposes extensive requirements relating to anti-money laundering (“AML”), counter-terrorist financing, know your client and client identification, and suspicious transaction reporting. This regime seeks to detect and deter money laundering and terrorist financing while also aiming to facilitate its investigation and prosecution. PCMLTFA’s regulatory requirements apply to a prescribed list of “reporting entities” that must register with the Financial Transactions and Reports Analysis Centre (“FINTRAC”). Many FinTech businesses are captured by the definition of “money services business” (“MSB”) or “foreign money services business” which are “reporting entities” and are therefore subject to the PCMLTFA.

On October 11, 2023, the Canadian federal government published final amendments to the PCMLTFA along with the new FINTRAC Assessment of Expense Regulations (the “2023 Amendments”). The 2023 Amendments include a new funding model by FINTRAC, which will charge certain reporting entities instead of taxpayers for its compliance program starting April 1, 2024. These reporting entities include federally regulated banks, trust and loan companies, life insurance companies, and other reporting entities that made 500 or more specified reports during the fiscal year. FINTRAC has issued guidance on charging reporting entities for its compliance program. The method involves determining the charge by combining a fixed base amount linked to the reporting entity’s Canadian assets at the fiscal year-end and the “remaining compliance cost”, which is the cost of FINTRAC’s program minus all base amounts.

The 2023 Amendments also extend certain obligations under the PCMLTFA to mortgage lenders, brokers, and administrators, with compliance requirements effective beginning October 11, 2024. These entities must establish AML compliance programs incorporating know-your-client practices, record-keeping, and reporting obligations. Specific record-keeping requirements for mortgage entities involve maintaining records of received funds, information related to mortgage agreements, and details of mortgage loans, including client financial capacity and loan terms. FINTRAC has issued guidance for mortgage administrators, brokers, and lenders to comply with these requirements. Additionally, the 2023 Amendments set out new obligations for armoured car businesses, which fall under the limb of money services that relate to “transporting currency or money orders, traveller’s cheques or other similar negotiable instruments except for cheques payable to a named person or entity.” Effective July 1, 2024, these entities must comply with the PCMLTFA’s requirements for MSBs, including registration as an MSB. FINTRAC has issued guidance for armoured car businesses to comply with these requirements.

In alignment with the evolving landscape of financial crimes, FINTRAC has undergone substantial changes to its reporting forms, aiming to provide more comprehensive and effective tools to combat money laundering and terrorism financing. The modifications prioritize clarity, accuracy, and accessibility in reporting, intending to elevate the standards of information submitted. A pivotal milestone in this modernization initiative occurred in October 2023 with the implementation of the FINTRAC API report submission. This secure system-to-system transfer capability covers Large Cash Transaction Reports and Large Virtual Currency Transaction Reports. Concurrently, FINTRAC released new and updated guidance on reporting large cash transactions, reporting large virtual currency transactions, and adhering to the 24-hour rule for reporting transactions. Through these measures, FINTRAC seeks to safeguard the integrity of Canada’s financial system and adapt to the dynamic challenges posed by financial crimes.

Entities captured under AML legislation should look out for potential changes to the PCMLTFA and its regulations, which were proposed by the government in the 2023 Fall Economic Statement (the “Economic Statement”). These proposed changes include:

  • tackling sanctions evasion by allowing FINTRAC to develop intelligence products and share its findings with law enforcement partners;
  • expanding certain obligations under the PCMLTFA to title insurers and requiring real estate representatives to identify certain parties in real estate transactions;
  • extending the PCMLTFA framework to apply to intermediary companies offering cash withdrawal services for white-label automated teller machines;
  • combatting environmental crime by allowing FINTRAC to share financial data with Environment and Climate Change Canada and the Department of Fisheries and Oceans;
  • improving FINTRAC’s strategic intelligence products by allowing it to list names of foreign entities that present AML risks; and
  • amending the PCMLTFA to address inconsistencies and close loopholes.

At the provincial level, the British Columbia Money Services Business Act (“MSBA”) received Royal Assent on May 11, 2023. Entities captured by the MSBA will be subjected to a registration regime and greater oversight by the BC Financial Services Authority. The MSBA has not yet come into force, but entities captured by the legislation will be given time to come into compliance with the MSBA. For more information, read our bulletin on the MSBA.


Payments in Canada are not governed by a single piece of legislation or regime. The oversight and governance of payments come from various entities, such as Payments Canada and the Bank of Canada (the “BOC”).

The Retail Payment Activities Act, enacted in June 2021, grants the BOC authority to oversee Canada’s retail payments sector. On November 22, 2023, the final Retail Payment Activities Regulations under the RPAA were published, which set out the additional regulatory requirements applicable to payment service providers (“PSPs”) carrying out retail payment activities in Canada. Starting on November 1, 2024, entities engaged in retail payment activities must apply for registration as PSPs with the BOC and will be subject to enforcement actions. National security reviews for registration applications may be submitted until November 15, 2024, and any applications submitted thereafter may be subject to delays.

On December 12, 2023, the BOC released its supervisory guidance (the “Guidance”) aimed at assisting PSPs in adhering to the regulations outlined in the RPAA. The Guidance explains how a potential PSP should assess whether it comes under the purview of the RPAA, thereby necessitating registration. The Guidance also discusses the application fee associated with the registration process. It is important to note that there is no opportunity for public comments or consultations on this guidance.

In the Economic Statement, the federal government announced its intention to amend the Canadian Payments Act. The government proposes to expand membership eligibility in Payments Canada to PSPs, credit union locals that are members of a credit union central, and operators of designated clearing houses, which will result in lower transaction costs and faster, more secure payments.

Securities Law

Many FinTech businesses are subject to securities laws, particularly those engaged in crowdfunding platforms, peer-to-peer lending platforms, technology or data-driven investment advice, initial token offerings, initial coin offerings, crypto trading platforms (“CTPs”), exchanges or marketplaces, or crypto asset funds and fund management.

In March 2021, the Canadian Securities Administrators (the “CSA”) issued guidance in Staff Notice 51-363 for crypto asset reporting issuers on disclosure obligations, covering areas like custody, trading platforms, business description, risk factors, material change reports, investment funds, accounting, and audit. Concurrently, the CSA and the Investment Industry Regulatory Organization of Canada released Staff Notice 21-329, providing regulatory compliance guidance for CTPs, including pre-registration terms and marketplace conditions. In 2022, Canadian regulators granted CTPs exemptive relief from specific securities law requirements, subject to conditions such as investment limits and disclosure.

On February 22, 2023, the CSA issued Staff Notice 21-332 which outlines a shift in its approach concerning CTPs operating in Canada without registration, effectively modifying the registration framework previously set out in Staff Notice 21-329. The notice introduces additional commitments for unregistered CTPs in their pre-registration undertakings (“PRUs”), addressing concerns about the risks associated with volatile crypto assets. CTPs were required to file revised PRUs within 30 days, incorporating the new commitments outlined in SN 21-332. The CSA emphasized custody and segregation of assets, restrictions on asset use, and commitments to compliance systems. Failure to comply may result in regulatory actions, including investor alerts, access restrictions, trading cessation orders, and other penalties. The notice underscores the CSA’s ongoing efforts to establish a regulatory framework for crypto asset trading in Canada. The CSA underscores that registered CTPs and crypto asset-investing funds will be separately addressed, with the focus remaining on investor protection amid evolving regulatory landscapes.

Following the 30-day deadline, the CSA published the PRUs given by the ten CTPs on April 12, 2023. CTPs that submitted PRUs accepted by the CSA before the deadline include prominent U.S.-based platforms such as Coinbase, Kraken, and Gemini. Additionally, longstanding Canadian CTPs like NDAX and Shakepay, along with several smaller CTPs (including four from Canada and two international platforms), also had their PRUs accepted by the CSA. We are now observing instances where CSA members are investigating whether entities are complying with their PRU, such as the Alberta Securities Commission’s publicly disclosed investigation into the Catalyx platform.

Some CSA members have continued to bring enforcement action regarding cryptocurrency market conduct. The Ontario Securities Commission (the “OSC”) is pursuing alleged crypto assets known as “GXTokens,” continuing its case against Cryptobontix and Arbitrade, and commenced proceedings related to the CoinField and Phemex platforms. With the announcement that the OSC’s top enforcement official will be stepping down at the end of February 2024, the question arises as to whether enforcement priorities will shift in a different direction.

On October 5, 2023, the CSA also initiated new restrictions on CTPs trading stablecoins with Canadian clients through the publication of CSA Staff Notice 21-333. This notice imposes limitations on CTPs, prohibiting them from offering stablecoins other than fiat-backed crypto assets that reference Canadian or U.S. dollars on a one-for-one basis. These stablecoins must also be fully backed by audited reserves meeting specific requirements. Issuers of such stablecoins are required to submit to the CSA’s jurisdiction by April 30, 2024. The restrictions outlined in SN 21-333 go beyond existing regulatory frameworks for stablecoins like USDC, GUSD, and PYUSD, potentially leading to non-compliance and the de-listing of such assets by CTPs.

In the non-cryptocurrency space, the OSC’s Innovation Office has also published a report on artificial intelligence in capital markets. The report, developed jointly with Ernst & Young LLP, was merely developed for informational purposes. It does signal, however, that “[r]egulators like the [OSC] are considering how oversight, regulation or guidance can facilitate responsible AI innovation and adoption in Canada.”

Open Banking

Open banking facilitates the free exchange of consumer data, processes, and other information between providers of financial services. An open banking system would impact large financial institutions, smaller or new entrant institutions, and consumers alike. Consumers would have the ability to opt-in to open banking initiatives by authorizing their financial service providers to share their consumer data with third parties through digital channels. An open banking system would also allow financial service providers to read and use consumer data, initiate actions such as making payments on a consumer’s behalf or allow for portability between providers.

Throughout 2022, four open banking working groups created pursuant to the Final Report of the Advisory Committee on Open Banking met periodically to develop common rules, accreditation criteria, and technical standards for Canada’s open banking system under the leadership of Canada’s open banking lead, whose term expired in December 2023. Our bulletin on the open banking working group meetings summarizes the updates from those meetings.

The Economic Statement and accompanying Policy Statement confirm the government’s plans to establish an open banking framework, rebranded as consumer-driven banking. The proposed framework contains five core elements (governance, scope, accreditation, common law rules, and technical standards) and is to be implemented by 2025 through legislation introduced in the 2024 federal budget. The target date for consumer access to consumer-driven banking once this framework is established remains unclear. To learn more, read our bulletins on Canada’s intention to introduce open banking legislation and the privacy implications of open banking.

Federally Regulated Financial Institutions

Federally Regulated Financial Institutions (“FRFIs”) are subject to regulations and guidelines dealing with, among other things, capital and liquidity, consumer protection, cybersecurity, risk management, and investments. In August 2022, the Office of the Superintendent of Financial Institutions (“OSFI”) announced an interim approach for the regulatory capital and liquidity treatment of crypto assets by FRFIs, emphasizing prudent management, setting limits, and providing guidance. On July 26, 2023, the OSFI announced two draft guidelines for federally regulated deposit-taking institutions and insurers regarding the regulatory capital treatment of crypto-asset exposures. These guidelines categorize crypto assets into four classes, each entailing specific capital treatments. OSFI’s initiative follows the Basel Committee on Banking Supervision’s (“BCBS”) release of new standards in December 2022, prompting the formulation of more comprehensive guidance for Canada. Aligned with the BCBS banking standard, the guideline mirrors the December 2022 standard, while the insurance guideline adapts BCBS components to suit the unique context of the insurance industry. These guidelines are set to come into force in 2025, while the interim advisory from August 2022 remains in effect.

In October 2023, OSFI also released a draft Integrity and Security Guideline (the “Guideline”) in response to legislative changes introduced through Bill C-47, the Budget Implementation Act, with the final Guideline released on January 31, 2024. As of January 1, 2024, FRFIs are mandated to establish and adhere to robust policies and procedures aimed at safeguarding against threats to integrity and security, including foreign interference. Similarly, OSFI released a revised draft of Guideline E-21: Operational Resilience and Operational Risk Management in October 2023. The updated draft Guideline sets out OSFI’s expectations for operational resilience to strengthen FRFIs’ ability to prepare for and recover from severe disruptive events, and includes new expectations for business continuity management, crisis management, change management and data risk management.


As the FinTech sector continues to grow rapidly, the regulatory framework will continue to develop in response. Stakeholders in the FinTech industry should keep up to date with these developments and the opportunities they present to FinTech companies. Similarly, Canadian financial institutions and regulators must work with stakeholders to ensure the FinTech industry continues to be a vibrant and flourishing sector in Canada’s economy.

by Pat Forgione, Isabelle Guevara, Adam D.H. Chisholm, Shahen A. Mirakian, Darcy Ammerman, Robbie Grant, and Olivia Marty (Articled Student)

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2024
