Regulatory bodies and approaches
The Canadian financial regulatory system is fragmented, with oversight of the financial system divided among, and often overlapping between, federal and provincial regulators.
The three principal federal regulators of financial institutions are: the Office of the Superintendent of Financial Institutions (OSFI); the Canada Deposit Insurance Corporation (CDIC); and the Financial Consumer Agency of Canada (FCAC).
Policy surrounding federal financial services legislation is driven by the Department of Finance and, although they work independently from the Department, OSFI, CDIC, FCAC and the Bank of Canada (BOC) contribute to the development of Canada’s federal financial services legislative and regulatory framework.
Established in 1987, OSFI is an independent agency of the federal government and reports to the Minister of Finance. As Canada’s prudential regulator, OSFI has both a regulatory and supervisory role for more than 400 federally regulated financial institutions and 1,200 pension plans. In its regulatory role, OSFI develops rules and other guidance, interprets legislation and regulations, helps to create accounting, auditing and actuarial standards and provides regulatory approvals for certain types of transactions. In its supervisory role, OSFI assesses economic data and trends for issues that could have negative impacts on financial institutions, and, at the same time, assesses financial institutions for weaknesses that could raise solvency or similar critical risks. When weaknesses are identified, OSFI takes steps to work with an affected institution to address these matters.
In August 2021, OSFI released updated requirements governing how federally regulated financial institutions should disclose and report technology and cyber security incidents to OSFI.
A federal crown corporation established in 1967, CDIC’s objectives are to:
- provide insurance against the loss of part or all of deposits;
- promote and otherwise contribute to the stability of the financial system in Canada;
- pursue the objects set out above for the benefit of persons having deposits with member institutions and in such manner as will minimise the exposure of CDIC to loss; and
- act as the resolution authority for its members.
CDIC provides deposit insurance for eligible deposits up to a limit of C$100,000 per insured category at CDIC member institutions. Members include banks, federally regulated credit unions, as well as loan and trust companies and associations governed by the Cooperative Credit Associations Act that take deposits.
In addition to savings and chequing accounts, CDIC coverage applies to guaranteed investment certificates and other term deposits. Notable exclusions from coverage include mutual funds, stocks, bonds, exchange traded funds and cryptocurrencies. While eligible deposits at federally incorporated credit unions are covered, deposits at provincially incorporated credit unions are not; rather, they are covered by provincial insurance corporations established similar to the CDIC model.
CDIC is funded by premiums paid by member institutions and does not receive any public funds to operate.
Recognising that Canadian banks have been rapidly partnering with fintech firms, as well as adopting their own innovation, CDIC identifies on its website the Basel Committee on Banking Supervision’s key observations about the impact of fintech on the banking industry. Recognising that the emergence of fintechs presents a new challenge for CDIC, it reiterates its commitment of actively monitoring the increasing profile of fintechs and the risks they represent to Canadian financial institutions.
Established in 2001, FCAC is Canada’s federal financial consumer protection regulator and ensures that federally regulated financial institutions comply with their market conduct obligations under federal legislation, regulations, codes of conduct and public commitments. Although the Payment Card Networks Act (PCNA) also gives FCAC the authority to supervise payment card network operators (PCNOs), its role is limited in this regard since the PCNA lacks implementing regulations. However, FCAC does supervise PCNOs for compliance with market conduct obligations found in voluntary codes of conduct and public commitments.
FCAC also monitors and evaluates trends and issues that may affect financial consumers, educates Canadians about their rights and responsibilities in dealing with financial institutions, and collaborates with stakeholders to contribute to and support initiatives that strengthen the financial literacy of Canadians.
FCAC’s role as overseer of market conduct obligations is becoming increasingly challenging as existing market conduct obligations, which are designed for a “paper-based” world, become impractical at best, and unworkable at worst, in a digital world. Unfortunately, the disclosure-heavy approach, which is not aligned with today’s digital world, was preserved in the recent modernisation efforts of the federal financial consumer protection legislative framework. The new Framework, which came into force on June 30, 2022, consolidates existing consumer provisions and regulations and strengthens consumer protection provisions that apply to banks and authorised foreign banks under the Bank Act.
In November 2022, the FCAC published a pilot study on BNPL services. Although the FCAC identified potential risks of over-borrowing and over-indebtedness, the FCAC Study falls short of recommending regulations or regulatory oversight. Rather, the FCAC concludes that it will:
- continue to monitor the evolution of the BNPL market in Canada and internationally, and conduct targeted follow-up research on BNPL services in Canada;
- seek to coordinate with provincial and territorial oversight authorities to help support, to the extent possible, the sharing of insights and expertise and the harmonisation of approaches to oversight; and
- continue to provide consumers with access to timely, effective, and unbiased educational information on BNPL services to foster the responsible use of BNPL services.
The BOC plays an important role in fostering a stable and efficient financial system. The BOC accomplishes this objective by:
- providing central banking services, including liquidity and lender-of-last-resort facilities;
- overseeing and acting as the resolution authority for critical financial market infrastructures;
- conducting and publishing analyses and research; and
- helping to develop and implement policy.
Under the Payment Clearing and Settlement Act, the BOC acts as the resolution authority for designated financial market infrastructures, such as Canada’s Large Value Transfer System (LVTS), the Automated Clearing Settlement System (ACSS), and other clearing and settlement systems, which are owned and managed by Payments Canada, a public-purpose, non-profit organisation funded by the members that participate in its systems.
The Bank’s role in Canada’s payment systems is poised to further expand with the introduction of the new retail payment oversight framework which is examined in more detail below.
The Financial Transactions and Reports Analysis Centre of Canada (FINTRAC)
Canada’s financial intelligence unit, FINTRAC, focuses on detecting, preventing, and deterring money laundering and the financing of terrorist activities. FINTRAC fulfils this mandate by engaging in a range of activities including data gathering and analysis (most notably receiving financial transaction reports and voluntary information in accordance with the legislation and regulations) and ensuring compliance by reporting entities with the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA).
Under the PCMLTFA, a “money services business” (MSB) is required to fulfil certain obligations as a reporting entity. This includes registering the MSB’s business with FINTRAC (Canada’s regulator responsible for ensuring compliance with the PCMLTFA), fulfilling reporting and recordkeeping requirements, conducting know-your-client identification, and having a compliance programme.
As of June 1, 2021, amendments to the PCMLTFA have expanded the MSB category of reporting entities to include entities dealing in virtual currencies and foreign exchange dealing entities. These amendments bring within scope certain fintechs, both in and outside Canada, that were not previously subject to the PCMLTFA. FINTRAC considers “dealing in virtual currencies” to include both virtual currency exchange services and virtual currency transfer services. These legislative amendments, along with corresponding regulatory guidance from FINTRAC, have significant implications for the regulation of fintechs dealing in digital currencies. In particular, this amendment expands the application of anti-money laundering laws to entities that may not have previously been subject to the PCMLTFA; namely, fintechs (for example, cryptocurrency trading platforms and exchanges).
Under the new rules for foreign MSBs, businesses dealing in virtual currencies without a place of business in Canada that direct their services at persons or entities in Canada and provide these services to clients in Canada are now subject to the PCMLTFA. This change also has implications for virtual currency exchanges, as many operate outside of Canada while servicing Canadian clients.
One of the related amendments to the PCMLTFA is the new obligation for all reporting entities to keep “large virtual currency transaction records” for amounts received in virtual currency of C$10,000 or more in a single transaction, or across several virtual currency transactions that equal C$10,000 or more within a 24-hour period. Such records must include the identity of the person from whom the amount was received, as well as other prescribed information including the date, amount and type of currency and exchange rate. Reporting entities must also file large virtual currency transaction reports in certain circumstances, including where the reporting entity receives virtual currency that can be exchanged for C$10,000 or more in cash in the course of a single transaction, or across several virtual currency transactions that equal C$10,000 or more within a 24-hour period. These reports are not required for amounts received from another financial entity or public body, or a person acting on their behalf. As with the expansion of the MSB concept noted above, this amendment to reporting requirements is most likely to impact fintechs.
As of April 27, 2022, amendments to the PCMLTFA have further expanded the MSB category of reporting entities to include crowdfunding platforms and certain PSPs. These amendments again bring within scope certain fintechs, both in and outside Canada, that were not previously subject to the PCMLTFA. Such entities need to register with FINTRAC as MSBs or foreign MSBs, as applicable, and are now subject to the PCMLTFA and its associated obligations with respect to reporting and recordkeeping requirements, conducting know-your-client identification, ongoing monitoring, and having a compliance programme. More specifically, crowdfunding platforms now need to perform know-your-client identification on (i) any individual or entity that receives crowdfunding platform services, and (ii) any individual or entity who donates $1000 or more to a crowdfunding platform. These obligations extend to transactions in both fiat and virtual currency. The amendments come in the aftermath of the protests in Ottawa in early 2022 and the temporary (30-day) extension of obligations under the PCMLTFA to crowdfunding platforms and certain PSPs pursuant to the federal government’s Emergency Economic Measures Order.
Previously, FINTRAC, by way of policy interpretation, distinguished PSPs that transfer funds for the purposes of utility payments, payroll and commission services, mortgage and rent payment services, and certain tuition payment services from MSBs and foreign MSBs, noting that their function is payment processing, and the transfer of funds is a “corollary of their actual service” as opposed to transmitting funds “for the sake of the service”, like an MSB or a foreign MSB. FINTRAC has now reversed this policy interpretation. FINTRAC has also changed its position on the exclusion of businesses that provide merchant services for the purchase of goods and services (i.e., providing settlements directly to merchants on behalf of the merchant’s customers) from the scope of the PCMLTFA. Accordingly, PSPs that carry out these activities are now subject to the PCMLTFA requirements applicable to MSBs or foreign MSBs. FINTRAC has also removed exemptions applicable to MSBs and foreign MSBs for the transfer of funds by way of credit, debit and prepaid products (other than in respect of financial entities and casinos).
Office of the Privacy Commissioner of Canada (OPC)
The OPC administers the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA applies to federal and provincial businesses in respect of personal information collected, used or disclosed in the course of commercial activity, and to the personal information of employees of federal works, undertakings or businesses (such as banks). PIPEDA has extra-territorial jurisdiction to the extent that a foreign organisation is handling personal information of Canadians or within Canada. PIPEDA may not apply to certain organisations that process personal information entirely within Alberta, British Columbia, and Québec, which have substantially similar provincial privacy laws.
PIPEDA incorporates the 10 fair information processing principles contained in the Canadian Standards Association’s Model Code for the Protection of Personal Information. Among these is the core principle that an individual’s knowledge and consent are required for the collection, use or disclosure of personal information, except where this knowledge and consent are inappropriate (such as to comply with court orders or FINTRAC reporting requirements or investigate financial abuse).
The OPC can audit organisations to ensure that they comply with the legislation’s requirements. Individuals can file complaints for investigation by the OPC and have the right to apply to court for a hearing and remedies, which may include an award of damages and an order for the business to change its practices. Obstructing the Privacy Commissioner’s audit or investigation is an offence punishable by a fine of up to C$100,000.
Organisations subject to PIPEDA or Alberta or Québec privacy laws must notify the regulator and affected individuals of breaches of personal information that create a “real risk of significant harm” to an individual. Organisations must keep internal records of all privacy breaches (even those not reported) for two years to facilitate regulatory audits and the identification of systemic privacy flaws. Non-compliance with breach reporting obligations can result in fines of up to C$100,000.
The federal government introduced Bill C11, the Digital Charter Implementation Act, 2020, into Parliament in 2020. The Bill was not passed owing to an intervening election, but is expected to be re-introduced in 2022 and passed in 2023. Bill C11 proposes to replace PIPEDA with the Consumer Privacy Protection Act (CPPA) and create a new administrative tribunal, the Personal Information and Data Protection Tribunal. Among other changes, CPPA proposes to: (a) impose algorithmic transparency requirements; (b) introduce new data subject rights, including the right to data portability (this right aligns with ongoing Canadian consumer-directed finance proposals such as open banking); and (c) expand the OPC’s powers, including the ability to impose mandatory orders and to recommend that the Tribunal impose financial penalties of up to C$10 million or 3% of an organisation’s gross global annual revenue for contravention of certain data use and security provisions.
Additionally, in 2021, the federal government announced that it intends to move forward with plans to create a new federal Data Commissioner. While this role is not yet in place, the proposed Data Commissioner’s mandate will be to “inform government and business approaches to data-driven issues to help protect people’s personal data and to encourage innovation in the digital marketplace”.
The Québec government reformed its provincial privacy laws in 2021, ushering in significant changes over a three-year period. The Québec law will require more transparency, including with respect to automated decision-making, prohibit bundling privacy consents with other terms of service, offer consumers additional rights to information and data portability, and empower the Commission d’Accès à l’Information to impose fines of up to C$25 million or 4% of worldwide annual turnover. The Québec regulator has signalled an intent to enforce this law against any company processing personal information of Québec residents or within Québec, even where the OPC may also have jurisdiction over national or international operations.
Consumer protection regulators
Provincial agencies or administrative bodies responsible for consumer protection oversee the market conduct obligations of provincially incorporated businesses, including provincially regulated financial institutions/services such as mortgage brokering activities, credit unions, and payday lenders. In a 2014 decision, Canada’s Supreme Court ruled that Québec’s consumer protection legislation is applicable to federally regulated institutions unless a conflict existed between provincial legislation and federal legislation, in which case federal legislation would have primacy. This gives the provinces leeway to impose consumer protection requirements on federally regulated institutions as long as such requirements conflict with neither the federal legislation nor its purpose (it was previously believed that federally regulated institutions were exempted from such requirements).
Provincial regulators have similar investigative and enforcement tools with which to respond to consumer complaints. Depending on their activities, fintechs are subject to provincial consumer protection law requirements such as provisions in respect of payment card fees, expiry dates and disclosures for open-loop, closed-loop and gift cards, as well as rules with respect to contracts not made in person (e.g., internet contracts).
Enforcement tends to aim at the resolution of complaints but can include compliance orders, fines, and prosecution.
Provincial securities commissions regulate the securities markets with a focus on investor protection, ensuring efficient markets, contributing to the stability of the financial system and reducing systemic risk. The securities commissions oversee securities trading, registration requirements for participants, continuous disclosure requirements, and enforcement of securities legislation and rules. Self-regulatory organisations also play a role in securities regulation. The Investment Industry Regulatory Organization of Canada (IIROC), overseeing investment dealers, and the Mutual Fund Dealers Association of Canada (MFDA), regulating mutual fund dealers, are two examples (a merger of these two organisations is anticipated later in 2022).
Canadian securities regulators have identified as a priority the need to develop and maintain a responsive and aligned regulatory framework to address fintech and other market innovation, while recognising potential benefits and economic opportunities for Canadian businesses that may come from innovation and disruption in the financial services industry. To date, Canadian securities regulators have applied the existing securities regulatory framework to these innovative products and services rather than providing blanket exemptions or exclusions. For example, in 2021, the Canadian securities regulators took a number of steps to highlight the risks associated with crypto assets, asserting their oversight of crypto asset trading platforms to bring crypto firms engaging in dealer or marketplace activities into compliance with securities laws. This recent work has included developing tailored regulatory approaches to domestic platforms and service providers (e.g., custodians) and taking enforcement action against unregistered foreign entities.
Fintech businesses have been encouraged to engage with staff of the Canadian securities regulators through a “regulatory sandbox” to discuss novel products and services, the anticipated treatment under applicable securities laws, and to obtain any required approvals and/or exemptive relief to operate in Canada. Areas where new business models have obtained securities regulatory clearances include peer-to-peer lending platforms, startup and venture introduction and capital raising platforms, and online advisory services. Notably, the Canadian securities regulators have also permitted the establishment of exchange-traded funds that invest in bitcoin and other cryptocurrencies, while adopting a restrictive approach to retail distribution of more speculative tokens or initial coin offerings (where compliance with prospectus and dealer/advisor registration requirements is mandated on the basis that these instruments are properly characterised as securities).
The regulatory sandbox is also available for discussions with regtech services providers developing solutions that support regulated entities in the financial services industry (including regulatory monitoring, reporting and compliance services), although these services would not be subject to the oversight of Canadian securities regulators. In 2022, the Ontario Securities Commission announced the launch of its TestLab program, where businesses will test solutions to support registered firms (including product comparison, client onboarding, portfolio analytics and assessment tools leveraging behavioural science, AI and automation).