The Canadian fintech review: Fintech contracting considerations

Navigating the creation and execution of fintech contracts requires exhaustive attention to detail. To limit friction, startups and financial institutions should understand the expectations from both sides of the deal table, and the regulatory oversight they will fall under across their products' lifecycle.

Joel Ramsey and Brigitte Goulard discuss key contract restrictions and regulatory changes impacting the fintech industry, including:

  • Updates to the B10 guideline
  • Negotiations between startups and financial institutions
  • Why contractual issues aren't just about outsourcing


Brigitte Goulard (00:06): So let me start with one question that is close to my heart as a regulatory lawyer. To what extent does legislation constrict what fintechs could do? And let me explain a little bit what I mean. So, you know, there's all this great technology out there, things that will allow you to do faster things and more scalable things. And fintechs and FIs are very interested. But is there any legislation or regulatory framework that would constrain what they're actually allowed to do?

Joel Ramsey (00:37): There is. I mean, the short answer is yes. But it's not as clear as there are for other types of transactions always. There aren't a lot of regulations that apply clearly to the contract itself. There are a lot of regulations and laws that apply to the subject matter of what you're doing, you know, so maybe intellectual property and privacy laws and anti-money laundering or payment regulations, just depending on what it is that you're buying. But the contract itself isn't really addressed in a lot of detail unless you're talking about OSFI’s B10 guideline, which at this point is called the B10 guideline on outsourcing. The problem is that over the years, the B10 guideline has, you know, struggled to keep up a bit with the advances in technology. And, you know, you mentioned scalable, accessible technology and really good examples of that are the ready accessibility of cloud technology. Also, there are a lot of the technologies out there that are accessible to use machine learning and artificial intelligence to rapidly crunch data and enhance services that fintechs have to offer banks. So that's probably the main place I would look to when it comes to regulations for contracts.

Brigitte Goulard (02:02): Okay, so B10. A very topical subject. It seems every time I'm talking to someone about a third-party agreement, B10 comes up. So OSFI is revising their B10 to make it a little bit more relevant for today's technology. What will that mean for fintechs and for the FIs that have to comply with B10?

Joel Ramsey (02:24): Well, it's topical, as you mentioned, because it's due for an update, and in April of this year, April 2022, OSFI came out with a revised B10, it’s no longer called an “outsourcing guide”, it is now called a “guide pertaining to third-party risk management”. And you know, there are probably three main things I would think about with the new B10, should it be implemented. One is just right in the title. It applies to a broader array of contractual arrangements, not just outsourcings, but kind of anything that they can buy. Second, it has a real emphasis on risk mitigation outside of the contract. So due diligence and oversight, and other ways of managing risk if you're a financial institution, before and during, and outside of the contract. And third, I wouldn't say the word “de-emphasize”, but it does change the way that it deals with the contract requirements. It literally pushes them to an annex in the back of the guideline. They're now a little less specific.

Brigitte Goulard (03:34): Okay.

Joel Ramsey (03:34): You know, they offer a bit less specific guidance to FIs and can probably be interpreted more broadly than some of the rules that were there before.

Brigitte Goulard (03:48): Yes. It's interesting kind of the dichotomy of extending the application of B10 to not just outsourcing, but anything that's a third-party agreement, while at the same time becoming less specific, which is also in a way broadening, potentially, the application. And so that means that FIs will have to go back to those partners with whom they currently deal with B10 as well as a whole bunch of them that don't need to work with B10. So, what's going to happen? Are they going to get a lot of pushback? And how should the fintechs and the FIs deal with that pushback?

Joel Ramsey (04:24): Well first of all, I think there won't be as much pushback as you might expect as a result of broadening B10, because to a certain extent most FIs in Canada have internalized B10 in their own internal policies. In other words, they look at a contractual arrangement and they say, “Does it trigger some kind of high-risk, medium-risk, low-risk arrangement?” And they don't just look at outsourcing, they look at pretty much anything. And factors include things like, “Do they have access to my client data?” And things like that. So if you're a fintech doing business in Canada, the new B10 I don't think will shock you because some of the things that are in there, most things that are in there probably are already part of FIs’ internal policies. But the number one thing if I were a fintech would be, do your homework on B10, especially if you haven't dealt with it before because you might come to the table and be a little bit, you know, surprised by the number of things that the banks and insurance companies, and other FIs want you to deal with. And I'll call out a few specific things. The number one, I think, is to look at data security with a lot of rigor. Banks and FIs in Canada have a reputation for being trustworthy holders and processors of personal information. They're known for holding your assets safely. And what's more important today in terms of assets than personal data? The corollary of that is to be really regimented and have a lot of answers for what you're going to do from a privacy compliance perspective. Because likewise, if I'm an FI, I'm very, very concerned and want to safeguard the information that my clients are giving me. I want to protect it, but I also want to make sure it's being utilized in an optimum way. It's both a risk and an asset. And so if you're a fintech, you should be ready to talk about those types of things.
And then that kind of rolls into the next point, which is just be ready for an amount of oversight and scrutiny that you may not be used to in your smaller fintech company. Because FIs in Canada are really going to ask a lot of questions. They're going to want to open up the hood and look inside and see how you're running things. B10 speaks to certain types of oversight that are a little uncomfortable, things like restrictions on subcontracting and audit rights, and ensuring there's a viable business continuity plan. And those reflect both what's in the guidance and also what OSFI is telling FIs to focus on. There’s a real emphasis lately on continuity of services in particular. And then finally, I think if you're doing business in Canada as a fintech, you know, be ready to come to the table to talk about your value proposition. Especially, the risk stakeholders inside an FI in Canada are going to look at things through a risk lens. They're going to look at ways to kind of mediate and reduce risk. But B10 is intended to be a sliding scale and it's intended to address things in a risk-based fashion. So be prepared to talk about not just the risk, but the flip side of the coin, which is your business proposition. What it is you're bringing to the table that justifies the risk? What are the types of measures you're doing to reduce the risk? What are the types you’re doing? Things that you're doing? Maybe the service you're offering to the FI itself is a risk mitigant because it's providing better technology to just run certain types of transactions in a more consistent way.

Brigitte Goulard (08:17): So it's interesting you're talking about how FIs are worried about the risk and they're very sophisticated, they've dealt with risk for forever, and they will be negotiating with fintechs. Some of them may not have the longevity or the sophistication, or the experience of the FIs. And so how do you deal with that potential unbalance of negotiating power between a fintech and an FI?

Joel Ramsey (08:44): Yeah, I think that's a great point. I think that if you're dealing with a small emerging tech company and a large financial institution, there's definitely a disparity. Sometimes though, you have other scenarios. You have maybe a smaller, mid-sized financial institution that's dealing with a fintech but the fintech is doing business with a large cloud provider. And that cloud provider may be bigger than financial institutions so the disparity in bargaining power that you said goes both ways. You know, I think that probably the best way to deal with that is to have all the right stakeholders ready to go. It's partly to work through some of the points we talked about, to be aware of B10, but also have the right people there to talk about the things that are important. Have your legal counsel there, bring businesspeople to help the discussion because so many negotiations can be defused by a very specific conversation about what the technology actually is. Instead of talking in vagaries, we should talk about the specificity.


This publication is a general discussion of certain legal and related developments and should not be relied upon as legal advice. If you require legal advice, we would be pleased to discuss the issues in this publication with you, in the context of your particular circumstances.


© 2024 by Torys LLP.

All rights reserved.
