Regulatory bodies and approaches
The Canadian financial regulatory system is fragmented with oversight of various parts of the financial system divided among a variety of federal and provincial regulators.
The three principal federal regulators of financial institutions are: the Office of the Superintendent of Financial Services (OSFI); the Canadian Deposit Insurance Corporation (CDIC); and the Financial Consumer Agency of Canada (FCAC).
Policy surrounding federal financial services legislation is driven by the Department of Finance and, although they work independently from the Department, OSFI, CDIC, FCAC and the Bank of Canada (BOC) contribute to the development of Canada’s federal financial services legislative and regulatory framework.
Established in 1987, OSFI is an independent agency of the federal government and reports to the Minister of Finance. As Canada’s prudential regulator, OSFI has both a regulatory and supervisory role for more than 400 federally regulated financial institutions and 1,200 pension plans. In its regulatory role, OSFI: develops rules and other guidance; helps to create accounting, auditing and actuarial standards; and provides approvals for certain types of transactions. In its supervisory role, OSFI assesses economic data and trends for issues that could have negative impacts on financial institutions, and, at the same time, assesses financial institutions for weaknesses that could raise solvency or similar critical risks. When such risks are identified, OSFI takes steps to work with an affected institution to address these risks.
In September 2020, OSFI released its discussion paper, “Developing Financial Sector Resilience in a Digital World, selected themes in technology and related risks”, with the objective of engaging stakeholders into a discussion on how OSFI can best position its regulatory framework in a complex, rapidly changing digital world. The paper focuses on the following three main themes:
- operational risk and resilience, and the need for a holistic assessment of the overarching regulatory “architecture” for technology and other non-financial risks;
- understanding technology risk and the role of prudential regulators with respect to technology and data risk management; and
- core principles to guide future regulatory guidance development in relation to three priority areas: cybersecurity; advanced analytics; and the technology third-party ecosystem.
A federal crown corporation established in 1967, CDIC’s objectives are to:
- provide insurance against the loss of part or all of deposits;
- promote and otherwise contribute to the stability of the financial system in Canada; and
- act for the benefit of depositors while minimizing loss.
CDIC provides deposit insurance for eligible deposits up to a limit of C$100,000 per insured category at CDIC member institutions. Members include banks, federally regulated credit unions, as well as loan and trust companies and associations governed by the Cooperative Credit Associations Act that take deposits.
In addition to savings and chequing accounts, CDIC coverage applies to term deposits (including guaranteed investment certificates) and to deposits in foreign currencies. In the event of failure, term deposits and deposits in foreign currencies do not receive separate coverage but would be combined with other deposits within the same category. Notable exclusions from coverage include mutual funds, stocks, bonds, exchange traded funds and cryptocurrencies. While eligible deposits at banks and federally incorporated credit unions are covered, deposits at provincially incorporated credit unions are not; rather, they are covered by provincial insurance corporations aligned to the CDIC model.
CDIC is funded by premiums paid by member institutions and does not receive any public funds to operate.
Recognizing that Canadian banks have been rapidly partnering with fintech firms, as well as adopting their own innovation, CDIC identifies on its website the Basel Committee on Banking Supervision’s key observations about the impact of fintech on the banking industry. Recognizing that the emergence of fintechs presents a new challenge for CDIC, it reiterates its commitment of actively monitoring the increasing profile of fintechs and the risks they represent to Canadian financial institutions.
Established in 2001, FCAC is Canada’s federal financial consumer protection regulator and ensures federally regulated financial institutions comply with their market conduct obligations under federal legislation, regulations, codes of conduct and public commitments. Although the Payment Card Networks Act (PCNA) also gives the FCAC the authority to supervise payment card network operators (PCNOs), its role is limited in this regard since the PCNA lacks implementing regulations. However, FCAC does supervise PCNOs for compliance with market conduct obligations found in voluntary codes of conduct and public commitments.
FCAC also monitors and evaluates trends and issues that may affect financial consumers, educates Canadians about their rights and responsibilities in dealing with financial institutions, and collaborates with stakeholders to contribute to and support initiatives that strengthen the financial literacy of Canadians.
FCAC’s role as overseer of market conduct obligations is becoming increasingly challenging as existing market conduct obligations which are designed for a “paper-based” world become impractical at best, and unworkable at worst, in a digital world. Unfortunately, the disclosure-heavy approach, which is not aligned with today’s digital world, was preserved in the recent modernization efforts of the federal financial consumer protection legislative framework. Still not yet in force, the new Framework6 consolidates existing consumer provisions and regulations and strengthens consumer protection provisions that apply to banks and authorized foreign banks under the Bank Act. Amendments introduced as part of the new Framework also enhanced FCAC’s powers, most notably by increasing the maximum penalty size available for violations and requiring the FCAC to name institutions following a finding of a violation.
Although not considered a financial institutions regulator, the BOC plays an important role in fostering a stable and efficient financial system. The BOC accomplishes this objective by:
- providing central banking services, including liquidity and lender-of-last-resort facilities;
- overseeing and acting as the resolution authority for critical financial market infrastructures;
- conducting and publishing analyses and research; and
- helping to develop and implement policy.
Under the Payment Clearing and Settlement Act, the BOC conducts regulatory oversight of and acts as the resolution authority for designated financial market infrastructures, such as Canada’s Large Value Transfer System (LVTS), the Automated Clearing Settlement System (ACSS) and other clearing and settlement systems, which are owned and managed by Payments Canada, a public-purpose, non-profit organization funded by the members that participate in its systems.
The Bank’s role in Canada’s payment systems is poised to further expand with the recent introduction of the new retail payment oversight framework which is examined in more detail below.
The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC)
Canada’s financial intelligence unit, FINTRAC, focuses on detecting, preventing, and deterring money laundering and the financing of terrorist activities. FINTRAC fulfils this mandate by engaging in a range of activities including data gathering and analysis (most notably receiving financial transaction reports and voluntary information in accordance with the legislation and regulations) and ensuring compliance by reporting entities with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA).
Under the PCMLTFA, a “money services business” (MSB) is required to fulfil certain obligations as a reporting entity. This includes registering the MSB’s business with FINTRAC (Canada’s regulator responsible for ensuring compliance with the PCMLTFA), fulfilling reporting and recordkeeping requirements, conducting know-your-client identification, and having a compliance program.
As of June 1, 2021, amendments to the PCMLTFA have expanded the MSB category of reporting entities to include entities dealing in virtual currencies and foreign exchange dealing entities. These amendments bring within scope certain fintechs, both in and outside Canada, that were not previously subject to the PCMLTFA. FINTRAC considers “dealing in virtual currencies” to include both virtual currency exchange services and virtual currency transfer services. These legislative amendments, along with corresponding regulatory guidance from FINTRAC, have significant implications for the regulation of fintechs dealing in digital currencies. In particular, this amendment expands the application of anti-money laundering laws to entities that may not have previously been subject to the PCMTLFA; namely, fintechs (for example, cryptocurrency trading platforms and exchanges).
Under the new rules for foreign MSBs, businesses dealing in virtual currencies without a place of business in Canada who direct their services at persons or entities in Canada and provide these services to clients in Canada are now subject to the PCMLTFA. This change also has implications for virtual currency exchanges as many operate outside of Canada while servicing Canadian clients.
One of the related amendments to the PCMLTFA is the new obligation for all reporting entities to keep “large virtual currency transaction records” for amounts received in virtual currency of C$10,000 or more in a single transaction, or across several virtual currency transactions that equal C$10,000 or more within a 24-hour period. Such records must include the identity of the person from whom the amount was received, as well as other prescribed information including the date, amount and type of currency and exchange rate. Reporting entities must also file large virtual currency transaction reports in certain circumstances, including where the reporting entity receives virtual currency that can be exchanged for C$10,000 or more in cash in the course of a single transaction, or across several virtual currency transactions that equal C$10,000 or more within a 24-hour period. These reports are not required for amounts received from another financial entity or public body, or a person acting on their behalf. As with the expansion of the MSB concept noted above, this amendment to reporting requirements is most likely to impact fintechs.
Office of the Privacy Commissioner of Canada (OPC)
The OPC administers the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies to federal and provincial businesses in respect of personal information collected, used or disclosed in the course of commercial activity, and to the personal information of employees of federal works, undertakings or businesses (such as banks). PIPEDA has extra-territorial jurisdiction to the extent that a foreign organization is handling personal information of Canadians or within Canada. PIPEDA may not apply to certain organizations that process personal information entirely within British Columbia, Alberta and Québec that have substantially similar provincial privacy laws.
PIPEDA incorporates the 10 fair information processing principles contained in the Canadian Standards Association’s Model Code for the Protection of Personal Information. Among these is the core principle that an individual’s knowledge and consent are required for the collection, use or disclosure of personal information except where this knowledge and consent are inappropriate (such as in emergencies, or to comply with court orders).
The OPC can audit organizations to ensure that they comply with the legislation’s requirements. Individuals can file complaints for investigation by the OPC and have the right to apply to court for a hearing and remedies, which may include an award of damages and an order for the business to change its practices. Obstructing the Privacy Commissioner’s audit or investigation is an offence punishable by a fine of up to C$100,000.
Organizations subject to PIPEDA or the Alberta Personal Information Protection Act must notify the regulator and affected individuals of breaches of personal information that create a “real risk of significant harm” to an individual. Organizations must keep internal records of all privacy breaches (even those not reported) for two years, to facilitate regulatory audits and the identification of systemic privacy flaws. Non-compliance with breach reporting obligations can result in fines of up to C$100,000.
The federal government introduced Bill C-11, the Digital Charter Implementation Act, 2020, into Parliament. Bill C-11 proposes to replace PIPEDA with the Consumer Privacy Protection Act (CPPA) and create a new administrative tribunal, the Personal Information and Data Protection Tribunal. Among other changes, CPPA proposes to: (a) impose algorithmic transparency requirements; (b) introduce new data subject rights, including the right to data portability (this right aligns with the ongoing Canadian consumer-directed finance proposals); and (c) expand the OPC’s powers, including the ability to impose mandatory orders and to recommend that the Tribunal impose financial penalties of up to C$10 million or 3% of an organization’s gross global annual revenue for contravention of processing provisions and certain security safeguard provisions.
Additionally, at the time of writing, the federal government had recently announced in its 2021 budget that it intends to move forward with plans to create a new federal Data Commissioner role. The government noted that the Data Commissioner’s mandate is to “inform government and business approaches to data-driven issues to help protect people’s personal data and to encourage innovation in the digital marketplace”.
Consumer protection regulators
Provincial agencies or administrative bodies responsible for consumer protection oversee the market conduct obligations of provincially incorporated businesses, including provincially regulated financial institutions/services such as mortgage brokering activities, credit unions, and payday lenders. In a 2014 decision, Canada’s Supreme Court held that banks must comply with disclosure requirements under both the federal Bank Act and applicable provincial consumer protection acts. This gives the provinces leeway to impose disclosure requirements on federally regulated institutions as long as such requirements neither conflict with the federal legislation nor the purpose of such (it was previously believed that federally regulated institutions were exempted from such requirements).
Provincial regulators have similar investigative and enforcement tools with which to respond to consumer complaints. Depending on their activities, fintechs are subject to provincial consumer protection law requirements such as provisions in respect of payment card fees, expiry dates and disclosures for open-loop, closed-loop and gift cards, as well as rules with respect to contracts not made in person (e.g., internet contracts).
Enforcement tends to aim at resolution of complaints but can include compliance orders, fines, and prosecution.
Provincial securities commissions regulate the securities markets with a focus on investor protection and ensuring efficient markets. The securities commissions oversee securities trading, registration requirements for participants, continuous disclosure requirements, and enforcement of securities legislation and rules. Self-regulatory organizations also play a role in securities regulation. The Investment Industry Regulatory Organization of Canada (IIROC), overseeing investment dealers, and the Mutual Fund Dealers Association of Canada (MFDA), regulating mutual fund dealers, are two examples.
Canadian securities regulators have identified as a priority the need to develop and maintain a responsive and aligned regulatory framework to address fintech and other market innovation, while recognising potential benefits and economic opportunities for Canadian businesses that may come from innovation and disruption in the financial services industry. To date, Canadian securities regulators have applied the existing securities regulatory framework to these innovative products and services rather than providing blanket exemptions or exclusions. For example, in 2021, the Canadian securities regulators have taken a number of steps to highlight risks associated with crypto assets, asserting their oversight of crypto asset trading platforms to bring crypto firms engaging in dealer or marketplace activities into compliance with securities laws. This recent work has included developing tailored regulatory approaches to domestic platforms and taking enforcement action against unregistered foreign entities.
Fintech businesses have been encouraged to engage with staff of the Canadian securities regulators through a “regulatory sandbox” to discuss novel products and services, the anticipated treatment under applicable securities laws, and to obtain any required approvals and/or exemptive relief to operate in Canada. Areas where new business models have obtained securities regulatory clearances include peer-to-peer lending platforms, startup and venture introduction and capital raising platforms, and online advisory services. Notably, the Canadian securities regulators have also permitted the establishment of exchange-traded funds that invest in bitcoin and other cryptocurrencies, while adopting a restrictive approach to retail distribution of more speculative tokens or initial coin offerings (where compliance with prospectus and dealer/advisor registration requirements is mandated on the basis that these instruments are properly characterized as securities).
The regulatory sandbox is also available for discussions with RegTech services providers developing solutions that support regulated entities in the financial services industry (including regulatory monitoring, reporting and compliance services), although these services would not be subject to the oversight of Canadian securities regulators.