Q4 | Torys Quarterly, Fall 2025

An expanding regulatory perimeter for fintechs: a case study

As fintechs’ presence and scope of activities expand, the regulatory landscape in Canada, as well as internationally, grows increasingly complex. As demonstrated in the case study below, fintechs will soon be facing a wide range of regulatory frameworks depending on their activities [1], with requirements that are at times similar but often slightly different. To illustrate the potential impact of these various regulatory frameworks, we will examine the compliance obligations of an imaginary fintech: MyFin.

 
A medium-sized Canadian fintech, MyFin specializes in financial data connectivity, and provides Application Programming Interfaces (APIs) that allow businesses and financial institutions to access consumers’ banking data. MyFin has just received excellent news: a large Canadian bank has agreed to partner with it in order to launch the bank’s secure Open Banking API. 

MyFin’s CEO has requested that, at the company’s next board meeting, the Chief Legal Officer present a summary of the various regulatory frameworks that apply (or may apply) to MyFin.

The CLO’s presentation would include the following areas of focus:

Current frameworks

Provincial/territorial consumer protection legislation

As MyFin only deals with commercial entities, it would not be required to comply with provincial consumer protection legislation because such legislation generally only applies to interactions with or products for individual consumers. However, because some of the APIs MyFin develops for its corporate clients interface with individual consumers, MyFin’s clients have requested that MyFin’s API comply with provincial consumer protection legislation. As MyFin operates in all provinces and territories, this can be a costly and time-consuming task: legislation differs from province to province, and Québec, in particular, has some very onerous requirements.

Privacy legislation

Because MyFin operates in all provinces, it must take into consideration any requirements imposed by federal and provincial privacy legislation. As with consumer protection legislation, this may be significant in terms of the data that MyFin manages. Furthermore, because MyFin is considering entering into a partnership with the bank, the CLO can expect to answer questions with respect to MyFin’s privacy and data protection program.

Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA)

MyFin operates as a money service business (MSB), so it is registered as an MSB with FINTRAC and must adhere to requirements that include the establishment of a compliance program, “know your client” obligations, transaction reporting, and monitoring and recordkeeping.

Retail Payment Activities Act (RPAA)

As MyFin performs retail payment activities that are governed by the Retail Payment Activities Act (RPAA), it recently applied to the Bank of Canada to register as a payment service provider (PSP) and is now waiting for confirmation from the Bank of Canada on its registration status. Even without the Bank of Canada’s confirmation, MyFin’s partner bank expects all applicants, including MyFin, to comply with the RPAA since it came into force on September 8, 2025. Regulatory requirements include the establishment of a framework to manage operational risk and safeguard end-user funds, as well as various reporting obligations.

Future legislative frameworks

Bank Act fintech amendments

In 2018, amendments were introduced to the Bank Act, Insurance Companies Act and Trust and Loan Companies Act to allow financial institutions to undertake a number of fintech-related activities, such as providing referrals of their customers to fintechs, engaging in the collection, manipulation and transmission of information, and participating in technology-related activities without any regulatory approval.

These amendments were never passed, but may be proposed again during the next Bank Act review, which is to be brought before Parliament by June 30, 2026.

Artificial intelligence (AI)

Although this government appears reluctant to proceed with the proposed Artificial Intelligence and Data Act, it is expected that at some point legislation will be introduced to regulate the use of AI systems. Until such time, regulators have moved forward with their own guidelines: for example, in June 2025 Québec’s Autorité des marchés financiers published a draft guideline on the use of AI systems in financial institutions. These kinds of guidelines could potentially impact MyFin because of its partnership with the bank.

Requirements for Payments Canada membership

Once MyFin’s registration as a PSP under the RPAA is confirmed, it will automatically become eligible to apply for membership to Payments Canada. MyFin is exploring different types of membership with Payments Canada in order to access the Real-Time Rail (RTR). Should MyFin decide to apply for membership, different requirements would apply depending on the type of membership sought.

Rules to access the Real-Time Rail

Once MyFin (1) receives confirmation that it is registered as a PSP with the Bank of Canada; (2) becomes a member of Payments Canada; and (3) has a Bank of Canada settlement account or an agreement with a settlement agent, it will become eligible to participate in Payments Canada’s RTR. The RTR will allow payment service providers and other eligible institutions to offer instant payment services across Canada.

In addition to meeting the above-noted conditions for eligibility, MyFin would be required to demonstrate compliance with a broad range of conditions, ranging from implementing financial crimes risk management controls to providing information to support a high-level assessment of MyFin’s financial viability. This past July, Payments Canada announced that the RTR would be moving into the testing phase this fall, meeting its target of completing the build by the third quarter of 2025.

New obligations resulting from the partnership with the bank

Consumer-Driven Banking Act (CDBA)

Since the CDBA does not require fintechs to register as participating entities or ban the practice of screen scraping, MyFin was not planning to become a participating entity in the foreseeable future. However, as large banks are required to become participating entities, MyFin’s bank partnership to develop the Open Banking API will compel it to more closely review the requirements imposed by the CDBA once the remaining provisions and applicable regulations of the CDBA are published—hopefully later this fall. These could potentially be onerous, considering the Financial Consumer Agency of Canada’s related enforcement powers should there be a violation of the CDBA.

OSFI’s B-10 Third-Party Risk Management Guideline

B-10, which came into effect in May 2024, requires financial institutions to have a comprehensive third-party risk management program that evaluates, risk-rates, classifies and manages all third-party relationships across the enterprise.

As a result of its proposed partnership with the bank, MyFin may become subject to a broad array of due diligence, contractual and ongoing oversight requirements based on the bank’s third-party risk program.

Bank Act consumer protection provisions

The Bank Act consumer protection framework requires banks to ensure that any third party that sells or furthers the sale of a bank product complies with the applicable Bank Act consumer protection provisions as if they were the bank. Depending on the product or service being offered, these requirements can be onerous.

MyFin will need to consider whether its partnership with the bank could result in MyFin selling or furthering the sale of bank products, thus bringing it within the application of these consumer protection rules.

Conclusion

As the breadth of these areas of focus in our fictional CLO’s presentation illustrates, the expanding regulatory perimeter for fintechs will be onerous to understand and comply with. Compliance will be driven not only by whether a fintech is caught within the particular regulation but—importantly—whether it is partnering with an entity that is subject to such regulation, which would make the fintech equally subject to compliance. Nevertheless, as business opportunities for fintechs continue to grow, success will require carefully balancing resources to ensure that regulatory compliance keeps pace with business growth.


[1] In this article, we examine the regulatory framework that applies to the business offerings of fintechs. Fintechs are also subject to a wide range of other legislative frameworks such as employment law, tax law, general corporate law, etc. These frameworks are not examined here.


This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.

For permission to republish this or any other publication, contact Janelle Weed.

© 2025 by Torys LLP.

All rights reserved.
 
