FINTECH 2024
CANADA
Alix d’Anglejan-Chatillon, Ramandeep K Grewal, David Elder, Shawn Smith, Éric Lévesque
FINTECH LANDSCAPE AND INITIATIVES
General innovation climate
- What is the general state of fintech innovation in your jurisdiction?
While Canadian fintech industries, including digital payments, digital trading, robo-advising and open banking, continued to experience growth, as in other jurisdictions globally, inflationary pressures and economic uncertainty have created a more challenging environment for fintech innovation in the Canadian Market. However, innovation continues to be supported by expansive fintech-supportive regulation at the provincial and federal level, changing consumer patterns, and investment in fintech start-ups and in-house ‘labs’ by leading Canadian financial institutions. While Canadian financial institutions have led the charge in many cases, fintech start-ups are now a key component of the fintech ecosystem across the country. Developments included major investments in AI-driven fintech solutions, blockchain, reg-tech and, in the insurance industry where Canada is a significant global player, in insurtech.
In the cryptocurrency sector, Canadian regulators have shown leadership in mapping a framework and pathway to regulation designed to address both high stakes industry developments and investor protection by issuing Staff Notice 21 329 – Guidance for Crypto-Asset Trading Platforms: Compliance with Regulatory Requirements (SN 21-329) and approving crypto-based retail investment fund launches subject to novel terms and conditions. The recent turmoil in the crypto market, amplified by the collapse of FTX and the bankruptcies of crypto lenders BlockFi, Voyager Digital and Celsius Network and other dominant stakeholders have also impacted the regulatory environment. Most recently, in the face of significant market volatility and insolvency events involving several global crypto trading platforms, service providers and lenders, the Canadian Securities Administrators (CSA), the umbrella organization of Canada’s provincial and territorial securities regulators, has introduced significantly more stringent conditions for virtual currency retail trading activities in the Canadian market. However, the expectation is that Canadian regulators will shift the focus more squarely onto investor protection over innovation until the market stabilizes and stakeholders become fully regulated or exit the market.
Government and regulatory support
- Do government bodies or regulators provide any support specific to financial innovation? If so, what are the key benefits of such support?
Canadian governments, major financial market stakeholders and key regulators recognize the importance of fintech and, as detailed below, have actively encouraged investment and innovation in the sector. Regulatory initiatives to date include:
- regulatory sandbox and launchpad programmes administered by securities regulators that allow fintech start-ups to test products and business models without the usual regulatory restrictions, and more flexibility to raise capital through new and more flexible prospectus exemptions, including crowdfunding exemptions;
- fintech cooperation agreements with several foreign jurisdictions;
- retail payments oversight and a licensing framework under the anticipated RetailPayments Activities Act (RPAA) (Bill C-30, An Act Respecting Retail Payment Activities, 2nd Sess, 43rd Parl, 2021, cl 177 (assented to 29 June 2021);
- federal regulatory and support initiative for open-banking/consumer-driven finance;
- notices and an actionable roadmap by the Canadian Securities Administrators guiding the services and uses related to cryptocurrency and cryptoassets; and
- where applicable, derivatives law requirements in the cryptocurrency sector.
There continues to be a focus across the country on collaboration between Canadian core financial institutions, fintech start-ups and regulators. Regional governments in Canada’s major cities have developed AI hubs and ‘super-clusters’, such as in Montreal where the Quebec government has earmarked C$100 million over five years for the development of AI and fintech industry growth. Additional academic and local government funding initiatives have also multiplied across the country.
FINANCIAL REGULATION
Regulatory bodies
- Which bodies regulate the provision of fintech products and services?
Canada’s provincial and territorial securities administrators are the primary regulators of fintech financial products and services relating to capital markets (including cryptoassets), working together under one umbrella as the Canadian Securities Administrators (CSA), together with the Canadian self-regulatory organization that governs securities dealers, the Canadian Investment Regulatory Organization (CIRO) . At the federal level, the Office of the Superintendent of Financial Institutions (OSFI) is responsible for the supervision and regulation of banks, insurance companies and trust and loans companies and has highlighted the need for resilient technology infrastructures. The Canada Revenue Agency and its various provincial counterparts have also developed and published policies or guidance on fintech-related matters. The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), Canada’s federal anti-money laundering (AML) authority, also regulates certain fintech products and services, including ‘money services businesses’ (MSBs) dealing in fiat and/or virtual currencies. The Bank of Canada (BoC), Canada’s central bank, closely monitors fintech developments and distributed ledger technologies and has been appointed as the oversight body for the new retail payments regime under the Retail Payments Activities Act (RPAA). As with other leading central banks, it is developing a cash-like central bank digital currency as a further contingency given the rapid decline in the use of cash and the explosive growth of digital payments. A number of other fintech initiatives are also administered at the local level by various municipal governments.
Regulated activities
- Which activities trigger a licensing requirement in your jurisdiction?
Fintech businesses may be subject to various provincial licensing requirements under applicable provincial securities and derivatives laws to the extent that they engage in activities or facilitate transactions in securities or derivatives. These rules also govern trading in cryptoassets that are regulated as securities and those that are not but where the manner in which these assets are traded and held constitute ‘crypto contracts’, such that the instruments are treated as ‘investment contracts’ and therefore ‘securities’. The rules include dealer and adviser registration for entities/persons considered to be trading or advising in securities or derivatives for a ‘business purpose’ and related compliance obligations. The management of investment funds also triggers the application of investment fund manager registration requirements in certain situations. Businesses undertaking initial coin offerings (ICOs) or initial token offerings may also be subject to prospectus or product qualification requirements or compliance with related exemptions.
Associated regulations require compliance with know-your-client (KYC) and know-your-product rules, suitability, insurance, financial and customer reporting, custody requirements and cybersecurity risk management protocols, among other requirements. Given the traditional definition of ‘exchange’ or ‘marketplace’ (ie, an entity that brings together multiple buyers and multiple sellers of securities or derivatives), the CSA requires that fintech businesses involved in cryptocurrencies also consider whether they must be registered as exchanges or alternative trading systems.
In addition, both foreign and domestic MSBs must register with FINTRAC and comply with KYC, reporting, record keeping, travel rule and compliance programme requirements. MSBs include businesses that deal in fiat and virtual currencies and foreign exchange. MSB registration may also be required in Quebec under MSB legislation in that province. Similar legislation has also been recently introduced by the government of British Columbia but is not yet in force.
A number of other fintech-related activities, including lending, factoring, invoice discounting, secondary market loan trading, providing yield generating products and deposit-taking and trust company-type activities may be subject to a number of different regulatory requirements, depending on the relevant features of the business.
Consumer lending
- Is consumer lending regulated in your jurisdiction?
Consumer lending is not as highly regulated in Canada relative to certain other jurisdictions. Nevertheless, aspects of consumer lending are regulated in Canada at both the federal and provincial level. At the federal level, the regulation depends on the regulated status of the entity providing the consumer credit. Banks and other financial institutions have cost of borrowing disclosure obligations for mortgages, credit cards and certain other types of credit. Criminal interest rate provisions in the Criminal Code (RSC 1985, c C-46) preclude the effective annual interest rate for an advance of credit from exceeding 60 percent per year. No distinction is drawn between commercial and consumer contracts in this regard, though certain low value (payday) loans are exempt.
Provincially, payday lenders are subject to a licensing requirement in most provinces. In addition, provincial consumer protection legislation in New Brunswick, Nova Scotia, Quebec, and Saskatchewan imposes a lender licensing requirement (or permit or registration requirement) for consumer lending. A number of provinces have implemented or are in the process of implementing high-cost credit legislation, which can impose a license or registration requirement.
Secondary market loan trading
- Are there restrictions on trading loans in the secondary market in your jurisdiction?
The regulation of trading loans in the secondary market depends on whether the loan instruments would be regarded as securities (i.e, under a multi-factor test to determine if the particular loan instrument is an ‘investment contract’ or ‘a bond, debenture, note or other evidence of indebtedness’). Loans acquired on the secondary market are much more likely to be characterized as securities than are originated loans.
Collective investment schemes
- Describe the regulatory regime for collective investment schemes and whether fintech companies providing alternative finance products or services would fall within its scope.
Collective investment schemes, generally referred to as ‘investment funds’ under Canadian securities regulations are primarily subject to provincial securities laws. Investment funds include non-redeemable (or closed-end) funds as well as mutual funds. Primarily, persons operating or administering collective investment structures (including those that hold or invest in virtual currencies or that provide alternative finance products or services) may also be subject to investment fund manager registration requirements, in addition to dealer, adviser and prospectus or private placements requirements. The structures themselves may also be subject to the reporting and conduct requirements that apply to investment funds, including under National Instrument 81-102 –Investment Funds (NI 81-102), and National Instrument 81-104 – Alternative Mutual Funds (NI 81-104) (which applies specifically to retail alternative funds), National Instrument 81-106 – Investment Fund Continuous Disclosure (NI 81-106), and a number of other instruments, including, depending on the nature of the regulated intermediary, IIROC rules and, in the case of mutual fund dealers, the rules of the Mutual Fund Dealers Association of Canada, which, effective 1 January 2023, will be merged with IIROC into the New Self-Regulatory Organization of Canada (the New SRO).
Alternative investment funds
- Are managers of alternative investment funds regulated?
Yes. Any person or company acting as a manager of an investment fund must register as an investment fund manager and comply with registration and related requirements, or rely on certain exemptions. This requirement is triggered in the provinces of Ontario, Quebec and Newfoundland and Labrador if the fund has investors resident in that province. Across Canada, investment by Canadian investors in investment funds is subject to provincial prospectus requirements and, in the case of private placements, related exemption requirements, as well as dealer registration requirements and regulations that govern the content and delivery of offering documents and post-trade reports. Under securities legislation, these obligations apply to both managers of conventional investment funds, as well as alternative investment funds (AIFs). Domestic retail funds are also subject to additional regulations under NI 81-102 and NI 81-106, with AIFs permitted to engage in a broader range of investment strategies (e.g, including more latitude to engage in short-selling, borrowing and the use of derivatives) than is permitted for conventional investment funds.
Peer-to-peer and marketplace lending
- Describe any specific regulation of peer-to-peer or marketplace lending in your jurisdiction.
Peer-to-peer (P2P) lending businesses in Canada may be subject to registration as dealers with the provincial securities regulators in the provinces in which they operate. As a result, P2P lenders may also be required to comply with prospectus and other regulatory requirements applicable to any other securities dealer operating in the same jurisdiction, including restricting investing opportunities to qualified accredited investors. Other provincial entities have enlisted the help of affiliated companies to issue notes and agreements on a prospectus-exempt basis. Additionally, some P2P lenders have obtained exemptions from certain requirements such as prospectus filing obligations through existing exemptions under the provincial securities legislation.
Crowdfunding
- Describe any specific regulation of crowdfunding in your jurisdiction.
Fintech companies that raise capital through crowdfunding are subject to provincial securities regulations. Various provincial securities regimes have adopted crowdfunding prospectus exemptions through a range of regulations and instruments. For example, the Ontario Securities Commission adopted Ontario Instrument 45-506 – Start-Up Crowdfunding Registration and Prospectus Exemptions, which provided specific registration and prospectus exemptions for start-up crowdfunding companies.
Similar regimes have also been adopted in other provinces through, among others, Multilateral Instrument 45-108 – Crowdfunding and Multilateral CSA Notice 45-316 –Crowdfunding Registration and Prospectus Exemptions permit early-stage companies and small businesses to raise limited amounts of capital through crowdfunding platforms. Both public and non-public companies are permitted to rely on the prospectus exemption. Also, where securities crowdfunding offerings are facilitated through a funding portal, the funding portal generally must be registered under National Instrument 31-103 – Registration Requirements, Exemptions and Ongoing Registrant Obligations (NI 31-103) and with the applicable provincial securities regulators.
The CSA published a new regulation, National Instrument 45-110 – Start-up Crowdfunding Registration and Prospectus Exemptions (NI 45-110), that contributes to a harmonized national framework and will replace similar instruments previously adopted by provincial securities regulators. NI 45-110 came into force on 21 September 2021.
On 14 February 2022, the federal government took the unprecedented step of invoking the Emergencies Act (Canada) to end disruptions, blockades, and the occupation of the city of Ottawa. These developments led to further action to limit the flow of financing of the blockades by extending the requirement to register as money services businesses (MSBs) under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA, SC 2000, c 17), Canada’s federal anti-money laundering legislation, to crowdfunding platforms and certain payment service providers that were not previously regulated for this purpose.
Invoice trading
- Describe any specific regulation of invoice trading in your jurisdiction.
There is no specific regulation in Canada of invoice trading. Depending on its characteristics, invoice trading may be subject to provincial securities laws and/or FINTRAC obligations, to the extent it falls under the existing scope of securities trading activity or an MSB service, respectively. Further, if carried out by a banking entity or an entity affiliated with a bank it may be subject to federal banking legislation. Provincial loan and trust legislation may be applicable if the services include extending loan and trust services to the public and provincial consumer protection laws may also apply.
Payment services
- Are payment services regulated in your jurisdiction?
The continuation of the 2016 Payment Canada modernization programme, amendments to the existing Payment Clearing and Settlement Act (PCSA, SC 1996, c 6), and the new RPAA, are expected to provide robust support and innovation opportunities for payment services in Canada. Payment services will continue to be subject to FINTRAC licensing to the extent that they are subject to MSB licensing requirements.
In December 2020, Payments Canada published the Modernization Delivery Roadmap, outlining the implementation process for two national payment systems enabled by the global ISO 20022 messaging standard: Lynx and the Real-Time Rail (RTR). Lynx, Canada’s new high-value payments system, began operations on 30 August 2022, replacing the Large Value Transfer System (LVTS), which had operated since 1999. Lynx will enable payment and settlement finality and flexibility for the application of future technologies, as well as enhanced cyber security capabilities. The RTR will provide real-time irrevocable credit payments and allow fintech service providers to develop new and enhanced ways for individuals to pay for goods or services and transfer money. The RTR was set to launch in 2022 but its delivery has been postponed.
The RPAA will apply to all retail payment activities performed by payment service providers (PSP) in Canada, as well as all activities performed by providers outside of Canada who provide retail payment activities to an end user within Canada. Under the RPAA, PSPs will be required to register with the BoC. Certain retail payment activities, such as those performed by systems under the PCSA, payment functions performed by Payments Canada, the BoC or, other designated entities and activities, will be exempt from the new RPAA. The new requirements will be fleshed out in future implementing regulations.
Open banking
- Are there any laws or regulations introduced to promote competition that require financial institutions to make customer or product data available to third parties?
In August 2021, the federal government published its Final Report – Advisory Committee on Open Banking. The report, which focused on supporting innovation and competition in the Canadian financial services sector system, proposed a two-phased approach set to be completed by 2023.
The recommendations outlined a consumer-focused framework for implementing secure open banking in Canada. Under proposed new regulations, such as the Consumer Privacy Protection Act (Bill C-27, Digital Charter Implementation Act, 2022, 1st Sess, 44th Parl, 2022, cl 2 (second reading 23 April 2023)), individuals would be granted more freedom to direct and transfer their personal information from one organization to another, including to accredited third-party service providers. Other Canadian organizations such as the Canadian Competition Bureau have also made strong recommendations to further modernize Canada’s financial sector following consultations with industry and regulatory stakeholders in light of global developments in open banking. Further, to amendments made under the PCMLTFA in 2022 discussed above, FINTRAC regulatory guidance was also amended to provide that certain types of payment service providers may also be subject to registration as money service businesses under that legislation.
Robo-advice
- Describe any specific regulation of robo-advisers or other companies that provide retail customers with automated access to investment products in your jurisdiction.
Companies engaged in robo-advising activities are subject to securities registration and related regulatory requirements in the governing province where the business operates, which are generally harmonized across the country under NI 31-103.
The CSA has also issued regular guidance, including Staff Notice 31-342 – Guidance for Portfolio Managers Regarding Online Advice, outlining the applicability of securities laws to online advisers. Fintech companies providing robo-advising are required to follow the same rules as human advisers, including complying with KYC and related requirements, and participating in due diligence and compliance reviews by CSA staff. The CSA has generally declined to grant exemptive relief for robo-advisers from NI 31-103 and related rules.
Under the proposed Digital Privacy Act (Bill C-27, 1st Sess, 44th Parl, 2023, cl 2 (second reading 24 April 2023)), a new federal privacy law, the Consumer Privacy Protection Act (CPPA), would require organizations to publish a general account of its use of ‘automated decision systems’ to make predictions, recommendations or decisions that could have a significant impact on individuals. The CPPA would also provide individuals with a right to an explanation concerning decisions made by an automated decision system.
Bill C-27 would also enact a new Artificial Intelligence and Data Act (cl 39), which would establish requirements for designing, developing and using AI systems, as well as prohibiting certain behaviors.
Insurance products
- Do fintech companies that sell or market insurance products in your jurisdiction need to be regulated?
Fintech companies that provide insurance services are subject to the same regulations as conventional providers of insurance services, as well as broader legislation applicable to fintechs under Canadian AML, consumer protection and privacy legislation.
Credit references
- Are there any restrictions on providing credit references or credit information services in your jurisdiction?
There is no consolidated federal authority governing credit reference and information services. Consumer protection legislation such as the Consumer Reporting Act (RSO 1990, c C-33), Personal Information Protection and Electronic Documents Act (PIPEDA, SC 2000, c 5), and individual contracts govern the disclosure of credit information, activities related to credit cards and other credit agreements such as payday loans.
CROSS-BORDER REGULATION
Passporting
- Can regulated activities be passported into your jurisdiction?
Foreign fintech entities operate under the same regulatory framework as domestic businesses for regulated activities such as banking or insurance, to the extent their activities in Canada trigger regulation.
Provincial securities regulators have adopted a passport approach to the application of securities regulation under Multilateral Instrument 11-102 – Passport System.
This regime has been adopted by all provinces except for Ontario. It allows the participant to gain access to markets across Canada while dealing solely with their principal regulator and complying with harmonized regulation. Participants can clear a prospectus, obtain a discretionary exemption, register as a dealer or adviser in their home province and this decision or receipt is deemed to be a decision or receipt from other securities regulatory authorities, as long as conditions, such as filing requirements and fee payments, are met.
While Ontario is not a party to this system, it operates under a coordinated review model that generally allows for seamless administration through dealing with the regulator in the Canadian jurisdiction with which the entity has the greatest nexus. In certain limited areas of securities regulation, Canadian securities administrators may also recognize compliance with foreign regulations as a form of ‘substituted compliance’ and allow for exemptions or waivers on that basis. Canadian securities regulators have also entered into memoranda of understanding with various international regulators to allow for coordination in regulation, information sharing and enforcement.
Under NI 31-103, there is also a type of cross-border passporting that applies to permit non-Canadian dealers and advisers that satisfy certain conditions to engage in non-Canadian trading and advisory activities with qualified Canadian resident ‘permitted clients’ under the ‘international dealer’ or ‘international adviser’ exemptions, largely premised on the basis of having appropriate regulatory oversight in their home jurisdiction. A similar regime also exists for non-Canadian investment fund managers in certain provinces.
Requirement for a local presence
- Can fintech companies obtain a license to provide financial services in your jurisdiction without establishing a local presence?
Fintech companies are not per se subject to any licensing requirement. If they do need to be licensed, it is because their foreign regulatory status or activities in Canada may trigger the application of an existing licensing regime.
Fintech companies that are subject to foreign money services business (MSB) registration are not required to establish a Canadian presence (although they must designate a local agent for service or process). Similarly, foreign businesses that are subject to dealer, adviser or investment fund manager registration are generally not required to establish a local Canadian entity to register or rely on filings-based exemptions (although they must also designate a local agent for service or process). Full-service investment dealer registration, however, does require that a Canadian subsidiary be established and staffed appropriately. With certain exceptions, federal banking and insurance regulation also requires that licensed entities establish a Canadian presence.
SALES AND MARKETING
Restrictions
- What restrictions apply to the sales and marketing of financial services and products in your jurisdiction?
Marketing of financial services and products to Canadian users is subject to Canadian securities and derivatives laws. In particular, under provincial securities and derivatives legislation, a ‘trade’ is broadly defined to include ‘any act, advertisement, solicitation, conduct or negotiation directly or indirectly in furtherance’ of a trade in securities or derivatives and these activities may therefore be subject to dealer registration and prospectus requirements.
Marketing to Canadian users may also subject an entity to licensing with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) as a foreign money services business (MSB) and to MSB registration in Québec and, once in force, in British Columbia as applicable. Marketing and advertising are also subject to provincial consumer protection legislation and generally, for Canadian banking and insurance purposes, an entity should not engage in targeted marketing to Canadian customers, particularly retail customers, unless that activity can be carried out in compliance with applicable licensing requirements.
CRYPTOASSETS AND TOKENS
Distributed ledger technology
- Are there rules or regulations governing the use of distributed ledger technology or blockchains?
The Canadian federal government has been experimenting with blockchain technology in various fields while the Bank of Canada (BoC) is conducting research on the effects of introducing a central bank digital currency. The BoC has noted that ‘stablecoins’, cryptoassets backed fully or in part by currency of commodity holdings, have widespread potential. The BoC is further involved with Payments Canada and TMX Group on a research initiative, ‘Project Jasper’, which experiments with the use of distributed ledger technology for payments. VersaBank, a Canadian financial institution regulated by the Office of the Superintendent of Financial Institutions (OSFI), also announced plans to launch VCAD, a type of digital currency backed by bank deposits. However, the failure of the TerraUSD/UST algorithmic stablecoin to keep its peg to the US dollar, the subsequent collapse of the Luna crypto network and the broader shocks in the crypto market in 2022 could lead to further regulatory initiatives in Canada specifically targeting the use of distributed ledger and blockchain technology in retail investment transactions.
Cryptoassets
- Are there rules or regulations governing the promotion or use of cryptoassets, including digital currencies, stablecoins, utility tokens and non-fungible tokens (NFTs)?
Virtual currencies are not treated as legal tender in Canada under section 8 of the Currency Act (RSC 1985, c C-52) and may be subject to Canadian provincial securities and derivatives laws to the extent that they are considered a security (including a ‘crypto contract’) or a derivative under that legislation.
The CSA and CIRO have also acknowledged that it is widely accepted that certain well-established virtual currencies that function as a form of payment or a means of exchange on a decentralized network, such as bitcoin, are not currently in and of themselves, securities or derivatives. They are rather akin to an intangible ‘commodity’, the value of which fluctuates based on the market. In assessing whether a particular virtual currency will be considered a security subject to Canadian securities laws, the CSA will perform case-by-case, fact-dependent analyses and consider the substance of the virtual currency over its form. The CSA has adopted an ‘investment contract’ test to apply to blockchain and cryptocurrency transactions that resemble traditional securities. In particular, the CSA has stated that the manner in which these assets are traded and held may constitute a ‘crypto contract’, such that the instruments should be regulated as ‘investment contracts’ and therefore as ‘securities’.
Virtual currency transfer services are subject to money services business (MSB) registration with FINTRAC, which includes KYC, client identification, recordkeeping, reporting and other AML programme compliance requirements.
Currently, Canadian securities regulators have recognized or registered a number domestic platforms or other intermediaries that facilitate trading in cryptoassets. In 2022, significant market volatility and liquidity issues impacting the broader industry led the CSA to introduce a series of additional measures to tighten the conditions for domestic and foreign platforms seeking registration to operate in the Canadian retail market. Expanded commitments were initially imposed in the form of pre-registration undertakings (PRUs), including enhanced governance, risk management, operational, custodial, insurance, financial reporting and other compliance and reporting requirements.
On 22 February 2023, the series of insolvencies leading to further upheaval in global crypto markets, including Voyager Digital, Celsius Network, FTX, BlockFi and Genesis Global, prompted the CSA to further restrict operating conditions for platforms seeking registration in Canada. Expanded PRU commitments covered more stringent custody and segregation requirements, prohibitions on pledging, hypothecating or otherwise using custodied assets, new commitments for controlling minds and global affiliates, excluding proprietary tokens from the calculation of regulatory capital, enhanced and more frequent financial reporting, enhanced Chief Compliance Officer (CCO) requirements, and a prohibition on enabling trading in ‘value-referenced cryptoassets’ (commonly referred to as stablecoins) and crypto contracts based on proprietary tokens except with the prior written consent of the CSA.
Platforms that were unable or unwilling to provide an enhanced PRU or implement the necessary systems changes within 30 days of the publication of Staff Notice 21-332 (i.e, by 24 March 2023) were expected to take appropriate steps to identify and off-board existing users in Canada, restrict trading access to Canadian-resident users and provide periodic reporting to the CSA. Only a limited number of global platforms executed and delivered PRUs to the CSA by that deadline. Others began the process of offboarding.
In August 2022, OSFI, Canada’s prudential banking regulator, also announced an interim approach for the regulatory capital and liquidity treatment of the cryptoassets exposure of federally regulated financial institutions. In November 2022, OSFI issued a further advisory signaling its expectation that federally regulated financial institutions clearly understand the risks of any planned cryptoasset activities and ensure that these risks have been properly addressed, including by complying with existing federal financial laws in relation to cryptoassets, consistent with the ‘principle endorsed by the Financial Stability Board, “same activity, same risk, same regulation”‘.
Token issuance
- Are there rules or regulations governing the issuance of tokens, including security token offerings (STOs), initial coin offerings (ICOs) and other token generation events?
Digital currency exchanges and brokerages may be subject to FINTRAC regulation as MSBs (or in the case of non-Canadian exchanges or platforms, foreign MSBs or FMSBs). These entities must follow specific obligations imposed by the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (Canada) and associated regulations, including registration and compliance.
Digital currency exchange or brokerages may also be subject to provincial securities legislation, requiring registration as either a dealer platform or marketplace platform. Under Staff Notice 21-329 – Guidance for Crypto-Asset Trading Platforms: Compliance with Regulatory Requirements, entities are generally advised to register initially as ‘restricted dealers,’ gradually transitioning to full investment dealer registration, and if applicable, marketplace recognition, depending on the nature or products or services they provide and the manner in which investment, trading and custody are handled.
ARTIFICIAL INTELLIGENCE
Artificial intelligence
- Are there rules or regulations governing the use of artificial intelligence, including in relation to robo-advice?
The regulation of AI and robo-advisers will continue to be an area of development in the financial services industry, although the general direction is that the same registration, know your customer and information requirements of conventional wealth managers and advisers can be applied to digital advisers. Importantly, online advisers must be registered with the Canadian Securities Administrators (CSA) before advising or dealing in securities unless an exemption is available.
Furthermore, the registration and conduct requirements of NI 31-103 are technology-neutral and there are no ‘online advice’ exemptions for AI portfolio managers (PMs). PMs must register prior to implementing their online advice operating model, after which the CSA will assess how the firm will meet its obligations under NI 31-103.
The proposed Artificial Intelligence and Data Act (part of Bill C-27, 1st Sess, 44th Parl, cl39 (second reading 23 April 2023)) would impose on operators of AI systems a number of restrictions and requirements designed to eliminate biased output and harm individuals.
CHANGE OF CONTROL
Notification and consent
- Describe any rules relating to notification or consent requirements if a regulated business changes control.
MSBs registered with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) must provide notice of any changes to information previously provided to FINTRAC in connection with such registration within 30 days of becoming aware of the change. Schedule 1 to the Registration Regulations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA, SC 2000, c 17) requires an applicant for registration to disclose every person, corporation or other entity that owns or controls, directly or indirectly, 20 percent or more of the shares of the corporation.
The direct or indirect acquisition of 10 percent or more of the securities of a registered securities firm, or all or a substantial part of its assets, is also subject to prior notification to securities regulators and, if applicable, approval of CIRO pursuant to its Dealer Member Rules and to disclosure of changes to upstream ownership. Regulated banks and insurance companies are similarly subject to pre-approval requirements for acquisition of significant interests, including change of control. The acquisition of significant positions in, or control of, publicly traded entities in Canada is also subject to securities laws and stock exchange rules. Depending on the size of the firm and nature of activities, Canadian antitrust and competition regulations may also impose notification or approval requirements.
FINANCIAL CRIME
Anti-bribery and anti-money laundering procedures
- Are fintech companies required by law or regulation to have procedures to combat bribery or money laundering?
Registered entities must comply with reporting, record keeping, KYC and other AML/ATF compliance programme requirements. Securities dealers, life insurance companies, banks, brokers and agents, money services businesses and certain other financial businesses are subject to FINTRAC’s AML and ATF compliance requirements, including compliance programme, KYC, reporting, recordkeeping and other requirements. Additional requirements apply under the Criminal Code, the Corruption of Foreign Public Officials Act (SC 1998, c 34) and Canadian sanctions legislation.
Guidance
- Is there regulatory or industry anti-financial crime guidance for fintech companies?
FINTRAC issues guidance on policy interpretations, transaction reporting, record keeping and other obligations for reporting entities. Fintech companies, among others, that qualify as either MSBs or securities dealers have specific guidelines as to registration, reporting and regulatory compliance.
The Royal Canadian Mounted Police (RCMP), as a member of the Financial Crimes Task Force, sets standards and promotes the implementation of measures to combat money laundering, terrorist financing and other threats to the international financial system. The RCMP is also responsible for enforcement of the Criminal Code.
DATA PROTECTION AND CYBERSECURITY
Data protection
- What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?
There are four general privacy and data protection statutes in Canada governing the processing and transfer of data: one federal and three substantially similar provincial statutory regimes (Alberta, British Columbia and Quebec).
The federal law, Personal Information Protection and Electronic Documents Act (PIPEDA), applies to fintech providers that operate within any of the industries that are federally regulated – most notably (in this context) the banking industry. PIPEDA applies to the processing of personal information in the course of commercial activity in any province that has not enacted its own privacy laws. The Act applies to inter-provincial and international disclosures of personal information. Consequently, many national fintech service providers may be subject to PIPEDA, even if they are located in one of the three provinces with its own legislation.
Privacy laws generally permit the storage or processing of personal information outside of Canada, with consent. For the least sensitive types of personal information, implied consent is often sufficient (i.e, posting a notice or including a disclosure in an organization’s privacy policy). For more sensitive personal information, Canadian privacy laws may require express consent to such transfers.
As of September 2023, Quebec’s private sector privacy law (RSQ, c. P-39.1) will also explicitly require that an organization conduct an impact assessment with respect to any transfers of personal information outside of that province.
Cybersecurity
- What cybersecurity regulations or standards apply to fintech businesses?
In Canada, cybersecurity laws and regulations were typically established in the context of personal information protection. Methods of protection include physical, organizational and technological measures and aim to safeguard against loss, theft, unauthorized access, disclosure, copying, use and modification. In assessing the adequacy of security measures implemented by an organization, the privacy commissions often look for an implementation of recognized third-party certification and standards that are appropriate for the organization’s industry.
Canadian regulators and self-regulatory organizations (including the CSA, OSFI, IIROC and the Mutual Fund Dealers Association of Canada, which will become the New SRO on 1 January 2023) have issued a considerable amount of fintech-specific cybersecurity guidance on cybersecurity best practices, including:
- corporate cybersecurity policies;
- incident response plans and reporting;
- employee cybersecurity training; and
- risk assessment and management (including vendor risk management).
While non-binding, this guidance is widely followed by the organizations to which it applies.
Unlike many other jurisdictions, Canada has not yet adopted comprehensive cybersecurity rules that legally require financial services companies, including those in the fintech sector, to adopt best practices of the type just described (although see below re proposed legislation). Fintech businesses that are ‘reporting issuers’ (i.e, public companies) under Canadian securities legislation are expected and required by the CSA to disclose cybersecurity risks, potential effects of a cybersecurity incident and the governance practices that they have in place to mitigate this type of risk. Registrants (i.e, dealers, advisers and investment fund managers) are also expected to be vigilant in keeping their cybersecurity measures up to date, including by following IIROC and Mutual Fund Dealers Association guidance. In general, the CSA expects all regulated entities to adopt a cybersecurity framework recommended by a regulatory authority or standard-setting body that is appropriate for entities of their size. Importantly, IIROC has recently proposed rule amendments that could require mandatory reporting of cybersecurity incidents by investment dealers.
Parliament is currently considering the enactment of the Critical Cyber Systems Protection Act (Bill C-26, 1st Sess, 44th Parl, 2023, cl 2 (second reading 27 March 2023)),to provide a framework for the protection of the critical cyber systems of services and systems that are vital to national security or public safety and that are delivered or operated as part of a work, undertaking or business that is within the legislative authority of Parliament – which would include many fintech businesses.
On 9 November 2021, Canada’s Office of the Superintendent of Financial Institutions (OSFI) launched a public consultation on the newly released draft version of Guideline B-13: Technology and Cyber Risk Management. The proposed Guideline is designed to complement existing Guidelines E-21 (Operational Risk Management) and B-10 (Outsourcing of Business Activities, Functions and Processes) as well as OSFI’s Technology and Cyber Incident Reporting Policy, including its Cyber Security Self-Assessment tool.
OUTSOURCING AND CLOUD COMPUTING
Outsourcing
- Are there legal requirements or regulatory guidance with respect to the outsourcing by a financial services company of a material aspect of its business?
Yes, the Office of the Superintendent of Financial Institutions (OSFI) has issued certain guidelines that would apply to outsourcing by a federally regulated financial services company (such as a bank or insurance company) of a material aspect of its business – specifically, the B-10 Guidelines for Outsourcing of Business Activities, Functions, and Processes (the B-10 Guideline). The B-10 Guideline addresses OSFI’s expectations on federally regulated entities that outsource business activities to service providers, in particular the practices, procedures and standards that should be applied to the outsourcing arrangement. The guideline includes specific guidance for federally regulated entities on: due diligence, contractual terms, data location, business continuity, outsourcing in foreign jurisdictions, monitoring and oversight. It also requires that federally regulated entities develop and implement an outsourcing policy. Although the B-10 Guideline does not technically have the force of law, it is nonetheless binding on the regulated entities that are subject to them. Additional regulatory and legislative limits may apply in respect of certain types of financial services companies, such as insurance companies. In April 2022, OSFI published for comment Draft Revised Guideline B-10 Third Party Risk Management that would replace the existing B-10 Guideline.
In addition, OSFI requires that federally regulated financial services companies conduct cyber-risk self-assessments and OSFI will assess cyber-risk as part of its overall prudential supervisory review. OSFI has also stated that it views ‘operational resilience’ (to which cyber-risk is relevant) as an important objective of operational risk management and, as a result, critical for the overall safety and soundness of a financial institution.
Under Canadian privacy laws, organizations generally remain responsible for the appropriate handling of personal information under their custody or control, even where such information has been transferred to domestic or foreign third-party service providers for processing. As such, where a financial services company discloses personal information under its custody or control to a third party (or that third party collects personal information on behalf of the financial services company) the financial services company must ensure that the information is adequately protected and only collected, used and disclosed in accordance with all applicable Canadian privacy laws. This is typically accomplished through due diligence, robust contractual protections and periodic audits. As of September 2023, Quebec’s private sector privacy law (RSQ, c. P-39.1) will also explicitly require that an organization conduct an impact assessment with respect to any transfers of personal information outside of that province
Under Companion Policy 31-103, securities registrants must use contractual and other means to provide a comparable level of protection while the information is in the hands of the service provider. Outsourcing organizations are obliged as part of their due diligence to choose vendors with care and, in particular, to ensure that they are contractually bound to comply with appropriate security and confidentiality protocols. Periodic reviews of the service provider, and of the privacy training provided to third-party personnel, are also required in some circumstances.
Cloud computing
- Are there legal requirements or regulatory guidance with respect to the use of cloud computing in the financial services industry?
The financial services industry must adhere to all applicable Canadian privacy legislation with respect to the use of cloud computing. Federal legislative requirements may, in some cases, require federally regulated financial institutions to maintain certain records in Canada, which can limit the use of cloud computing platforms.
INTELLECTUAL PROPERTY RIGHTS
IP protection for software
- Which intellectual property rights are available to protect software, and how do you obtain those rights?
Canada has a robust IP framework. As in any other country, fintech innovations are generally protected through patents, copyrights and trade secrets. Canadian IP databases can be used to search up filed or registered trademarks, copyrights and patents.
Inventions that can be patented include products, processes or machines. Computer code in written form has automatic copyright protection. However, if a computer program provides a new solution to a technological problem and modifies how a computer works, the software-implemented invention may be patentable.
IP developed by employees and contractors
- Who owns new intellectual property developed by an employee during the course of employment? Do the same rules apply to new intellectual property developed by contractors or consultants?
The owner of the invention is entitled to patent it unless there has been an assignment of the invention and the associated IP rights. Express contractual language should be used in employment agreements as best practice to protect IP created by an employee. Barring any specific provision, there is a presumption that employees are entitled to ownership of a patent of any invention they created in the course of their employment. Employers will be deemed owner of the invention and resulting patent rights if there is an express contract stating such and if it can be proven that the employee was employed for the express purpose of inventing or innovating.
In the absence of express terms, the employer is the first owner of the copyright in works that an employee creates in the course of their employment. For contractors or consultants, courts will look at various factors. For work created outside of working hours and/or using their own resources, the central factor is the subject matter of the copyright work.
Joint ownership
- Are there any restrictions on a joint owner of intellectual property’s right to use, license, charge or assign its right in intellectual property?
Generally, patent co-ownership can be changed by parties through written mutual agreement. However, co-owners of a patent cannot dilute the other co-owner’s interests in the patent.
One applicant cannot withdraw a patent application without the consent of the other co-applicants. Similarly, once the patent is registered, one owner cannot license the patent rights to a third party without first obtaining consent from the other co-owners.
For assignment, however, a co-owner may assign his or her own interest in a patent in the absence of the other co-owner’s consent unless doing so would dilute the co-owners’ rights.
Trade secrets
- How are trade secrets protected? Are trade secrets kept confidential during court proceedings?
There is no formal process for protecting a trade secret, or any act or statute that regulates trade secrets in Canada. Trade secret law is developed out of the common law, or in Quebec, civil law, and includes some dispositions in the Criminal Code.
Courts will use several factors to assess whether an action involves the misuse of a trade secret and how to compensate the owner for its misuse. Businesses can also use non-disclosure or confidentiality agreements or clauses and encryption or password protection to protect trade secrets.
Branding
- What intellectual property rights are available to protect branding and how do you obtain those rights? How can fintech businesses ensure they do not infringe existing brands?
Brand names and logos can be registered as trademarks for 10 years and renewed indefinitely. Businesses should protect their IP with registrations and documentation to control ownership and use of its IP rights, including permitted use under licensing and collaborative agreements with third parties.
In order to ensure that a fintech company is not infringing third-party trademark rights, freedom to operate searches can be conducted to ascertain if there are any prior third party rights that could pose an obstacle to the use or registration of a mark, or both. Such searches are highly recommended prior to commencing use of a mark as it could become costly to have to transition to a different mark once investments have been made in an original name.
Remedies for infringement of IP
- What remedies are available to individuals or companies whose intellectual property rights have been infringed?
IP rights holders, not CIPO, are responsible for enforcing their IP rights. Remedies for infringement include seeking damages sustained as results of the infringement, the profits made by the infringer, a reasonable royalty and partial court costs or attorney fees. In addition, injunctive relief may be sought as well. In lieu of the above remedies, copyright owners can be compensated through statutory damages (this is a remedy exclusive to copyright infringement claims).
COMPETITION
Sector-specific issues
- Are there any specific competition issues that exist with respect to fintech companies in your jurisdiction?
There are currently no industry-specific competition or foreign investment issues with respect to fintech companies in Canada. Investments in (and acquisitions of) fintech companies are subject to the same, general competition and foreign investment regime as other mergers. However, in recent years, the Canadian Competition Bureau (CCB) has focused its research and advocacy on the importance of innovation and disruption among fintech firms and the potential for this dynamism to be upset by complex regulatory barriers or incumbent market power. In 2017, the CCB published a report titled ‘Technology-led innovation in the Canadian financial services sector’. It included recommendations encouraging policymakers to reduce the regulatory barriers to entry associated with fintech products and services and limit the ability of powerful financial incumbents to take steps that frustrate the growth of fintech start-ups.
In December 2022, the federal government tabled legislation to modernize the Investment Canada Act to address ‘changing global dynamics’ and impose pre-implementation filing requirements for foreign acquisitions of Canadian businesses operating in designated sensitive sectors, which are expected to include, among others, quantum computing and AI and companies handling personal data.
TAX
Incentives
- Are there any tax incentives available for fintech companies and investors to encourage innovation and investment in the fintech sector in your jurisdiction?
At the federal level, qualifying corporations can claim a tax credit based on eligible scientific research and experimental development (SRED) expenditures. The federal tax credit for Canadian controlled private corporations (CCPCs) is up to 35 percent of qualifying SRED expenditures on a maximum total amount of C$3 million of qualifying SRED expenditures and 15 percent of qualifying SRED expenditures over C$3 million. However, the C$3 million limit may be reduced if the taxable capital employed in Canada of the CCPC (and associated corporations) exceeds a certain threshold. For non-CCPCs, the federal tax credit is 15 percent of qualifying SRED expenditures.
For CCPCs (other than excluded corporations as defined in the Income Tax Act, RSC 1985, c 1 (5th Supp), (ITA)), the credit is first applied against federal taxes and the unused portion of the 35 percent federal tax credit is refundable. A portion (40 percent) of the 15 percent credit may also be refundable for certain CCPCs that are qualifying corporations and are not excluded corporations for purposes of the ITA. For non-CCPCs, the federal tax credit is not refundable and may only be applied against taxes. In all cases, if the credit is not refundable and cannot be used in a given year, it may be carried forward or carried back to other taxation years in accordance with the detailed rules of the ITA.
Provinces also offer similar tax credits on research and development expenses, some of which may also be refundable. The provincial credits range from 3.5 percent to 30 percent. Certain other industry-specific tax credits are available, depending on the circumstances.
Increased tax burden
- Are there any new or proposed tax laws or guidance that could significantly increase tax or administrative costs for fintech companies in your jurisdiction?
On 14 December 2021, the federal government released the draft legislation for the Digital Services Tax Act, which will implement a 3 percent Digital Services Tax (DST). The DST has not been applied yet due to a standstill from imposing newly enacted digital services taxes agreed upon between countries and jurisdictions of the Organization for Economic Co-operation and Development (OECD). More specifically, countries and jurisdictions have agreed to extend such period until 31 December 2024. Notwithstanding this extension, the government of Canada remains committed to moving forward with the DST as of 1 January 2024 if a multilateral Pillar One agreement is not reached before this date. If enacted as is, the DST will apply at the rate of 3 percent on Canadian in-scope revenue in the calendar year generated from digital services (as defined under the Digital Services Tax Act) in excess of C$20 million earned by an individual entity or consolidated group with at least €750 million in global revenue. The earliest any DST will become payable by a taxpayer is mid-2025, but that first payment will be for DST on Canadian digital services revenue earned throughout the 2022–2024 calendar years. Also, in the Budget 2023, the federal government reaffirmed its intention to advance legislation for the DST and to implement OECD’s Pillar One (reallocation of taxing rights) and Pillar Two (global minimum tax) approach.
IMMIGRATION
Sector-specific schemes
- What immigration schemes are available for fintech businesses to recruit skilled staff from abroad? Are there any special regimes specific to the technology or financial sectors?
While there are no specific temporary foreign work programmes tailored to the fintech industry, there are numerous programmes that enable Canadian companies to hire temporary foreign workers in the IT and financial sectors. Canada is also party to a number of multilateral treaties with partnering countries involving the freedom of movement of labor, such as the Canada–United States-Mexico Agreement.
Certain programmes are available for investors and entrepreneurs; however, some programmes may be restricted in terms of the number of participants and be contingent on:
- the province in which the investment will be made;
- the amount of the investment and level of ownership; and
- the provincial agencies that are involved in the establishment of business operations.
One fintech-relevant foreign worker programme, Canada’s Global Talent Stream programme (the Program), was implemented by the federal government to help Canadian businesses recruit individuals with technical expertise. The Program’s requirements are nuanced but accessible for employers looking to recruit unique and specialized foreign talent to scale up and grow. If a company hires a foreign worker through the programme, it must develop a Labor Market Benefits Plan that demonstrates the company’s commitment to activities that will have a tangible and lasting positive impact on the Canadian labor market.
UPDATE AND TRENDS IN FINTECH IN CANADA
Current developments
- Are there any other current developments or emerging trends to note?
Canada’s fintech industry remains healthy, with strong levels of investment and partnerships in both start-up and later stages initiatives, with continued regulatory changes, particularly in the digital payments and crypto spaces.
AI is now gaining widespread adoption and is expected to profoundly transform many segments of the financial services industry in Canada. However, continued challenges facing the broader global economy and the tech sector in the post-pandemic high interest rate inflationary environment have continued to slow the pace of private funding and lead to a more challenging environment for the tech sector.
The collapse in March 2023 of crypto-friendly banks and lenders, including Silicon Valley Bank, Signature Bank and Silvergate Capital, has heightened concerns over increased liquidity and financial stability risks, leading to a renewed focus on prudential supervision of cryptoasset exposure of Canadian federally regulated financial institutions and the use of stablecoins.
The early wave of enforcement actions brought against non-compliant platforms will likely be followed by increased cross-border enforcement activity against global platforms that have ignored the up-or-out path to regulation in Canada. However, against the ongoing global race to develop crypto-friendly regulatory hubs, Canada continues to position itself as a tough but pragmatic and credible jurisdiction to establish a virtual currency business, although the size of the Canadian market and the cost-benefit calculus of operating in the Canadian market will continue to drive decisions to commit to Canada over the longer term.
* The information in this chapter was accurate as of July 2023.
If you need more consulting, please Contact Us at TNHH NT International Law Firm (ntpartnerlawfirm.com)
You can also download the .docx version here.
“The article’s content refers to the regulations that were applicable at the time of its creation and is intended solely for reference purposes. To obtain accurate information, it is advisable to seek the guidance of a consulting lawyer.”
LEGAL CONSULTING SERVICES
090.252.4567NT INTERNATIONAL LAW FIRM
- Email: info@ntpartnerlawfirm.com – luatsu.toannguyen@gmail.com
- Phone: 090 252 4567
- Address: B23 Nam Long Residential Area, Phu Thuan Ward, District 7, Ho Chi Minh City, Vietnam