Financial technology or "FinTech" -- using information and communications technology to better deliver financial services -- has undergone explosive growth in recent years. Technology spending by the Canadian financial sector is estimated to reach Cdn$14.8 billion by 2018.1 FinTech itself is nothing new, of course: from ATMs to online banking, financial institutions have been using technology to deliver services to end users for over 30 years. But what is new is the entry into the market place of the "disruptors" – both new technologies and new players – that promise to deliver a new user experience, especially to the younger demographic that grew up on smartphones and tablets.

FinTech is incredibly diverse and does not have clearly defined boundaries. It can include everything from conventional online banking to big data, peer-to-peer or marketplace lending, mobile payments, digital wallets, crowdfunding, robo-advice and applications of distributed ledger/blockchain technology. FinTech is both responding to and creating a demand for more efficient business models and a seamless user experience that may bypass traditional trusted intermediaries. Financial services once offered exclusively by bricks-and-mortar financial institutions are now being unbundled by emergent start-ups, and the traditional players are scrambling to maintain market share either alone or in partnership with dedicated FinTech firms. Both groups are using new technologies to deliver innovative financial services products directly to consumers.

As with many disruptors that encroach on areas once reserved for highly regulated industries (think Uber and airbnb) , FinTech poses many challenges to regulators struggling to strike the right balance between protecting end users and fostering innovation. The established players may argue that the new kids on the block aren't constrained by the same rules as the incumbents and may lobby regulators to level the playing field by imposing uniform regulation across the board. The new entrants may respond that regulatory compliance is costly and that too much regulation imposes unreasonable barriers to entry that protect vested interests and oligopolies and stifle competition and innovation. How much regulation is too much or too little?

In the coming years, we expect to hear heated debates around whether and how FinTech should be regulated and in particular how best to draft legislation that helps level the regulatory playing field without discouraging innovation and helps foster that innovation without sacrificing the safety and security of end users.

Issues in Regulation

One of the recurrent complaints from incumbents in this space is that FinTech start-ups are subject to less onerous regulation than traditional financial institutions, allowing the new entrants to employ faster go-to-market strategies and reach more customers. Federally regulated financial institutions, for example, must maintain minimum levels of regulatory capital and abide by a host of detailed prudential regulations that protect depositors and borrowers while FinTech start-ups face few of those constraints. The starting point for regulation is often the type of entity that provides a service rather than the service itself, meaning that two businesses offering similar services may be subject to widely different regulatory regimes. Banks that provide funds transfer services to their customers are subject to the registration and reporting requirements of the anti-money laundering legislation discussed below while services such as PayPal are not. Clearing members of Payments Canada that settle funds through the national cheque clearing system are subject to voluminous rules governing standards and finality of payment while operators of private retail payment networks such as Visa and MasterCard are governed largely by contract. A few years ago the Task Force for Payments Systems Review proposed that at the federal level all payments be regulated under a single system, without regard to the type of entity that facilitates the payment,2 and the Department of Finance more recently issued a consultation paper on the same theme.3 Should regulators take the same approach to the whole FinTech ecosystem?

FinTech regulators also face the difficult challenge of balancing the need to ensure the safety and soundness of the financial markets against the need to encourage further innovation that will allow Canadian FinTech businesses to become global competitors.

One specific area of concern is consumer and investor protection. FinTech companies are revolutionizing consumer banking and payments through alternative credit models that link lenders and borrowers directly, cut out the heavily regulated "middlemen" and apply sophisticated algorithms that can analyze the financial condition of prospective borrowers and deliver credit approvals in hours or even minutes rather than days. While this technology can speed up consumer lending, improve user experience and lower consumer costs, it raises some red flags as well. Happy with the slick and frictionless user interface, borrowing consumers may not be aware of the concerns that have been raised regarding cybersecurity and information privacy. Direct lenders may embrace the ease with which they can lend money out at attractive rates of return but not appreciate the risks of investing large sums of cash without the manifold protections mandated by securities regulations. Regulators must consider how best to guard consumer interests without stifling the innovations consumers desire.

An overview of the current regulatory landscape

There is currently no single Canadian FinTech regulator at either the federal or provincial level, nor any standard-setting technical bodies. The multidisciplinary nature of FinTech means that it is difficult to determine what should be regulated, and by whom. While there is no FinTech-specific regulation in Canada, some existing legislation does apply.

Information Security

Personal information and data security are huge concerns in the FinTech world and the growth of FinTech has significant cybersecurity implications. As FinTech products are increasingly embraced, both corporate and individual consumer financial information is at risk. Emerging tech companies are eager to jump into the financial services industry, but their security measures may be untested and insufficient. Some legislative protections do exist. Currently, businesses must comply with the federal Personal Information Protection and Electronic Documents Act or its provincial equivalents and Canada's Anti-Spam Legislation. However, some have expressed concerns that emergent FinTech companies may not be adequately equipped to deal with cybersecurity issues. The CEO of Toronto-Dominion Bank recently maintained that data breaches and solvency issues have "plagued" many new entrants, a claim hotly denied by the entrants themselves.4

Anti-Money Laundering

Canada's federal government has made significant strides in recent years to strengthen its anti-money laundering ("AML") regime in accordance with its international obligations. Because some FinTech transactions involving money transfers do not need to be made through financial institutions that are subject to AML laws, regulators have expressed some concern that such transactions could be used for money laundering without appropriate regulatory scrutiny. Some FinTech companies must comply with the registration, client identification and verification and transaction reporting requirements under the federal Proceeds of Crime (Money Laundering) and Terrorist Financing Act administered by the Financial Transactions and Reports Analysis Centre of Canada ("FINTRAC"), Canada's financial intelligence unit. Many others, however, do not fall within any of the categories of entities required to report to FINTRAC.

Due to rapid go-to-market strategies, investors and FinTech users may not receive the same amount of information and disclosure as that provided by incumbent financial institutions. However, start-ups must comply with relevant securities laws when raising capital, and with provincial consumer protection law when offering consumer-oriented products, but may be unfamiliar with the complex rules in these areas or assume that they do not apply. A FinTech starting seeking to raise capital through on-line "crowd funding" may be faced with the expensive and time consuming task of preparing a prospectus to be filed under provincial securities law unless an exemption exists. Recently, the Ontario Securities Commission has adopted Multilateral Instrument 45-108, which provides an exemption for "crowd-funding" offerings of up to $1.5 million within a 12 month period in relatively small amounts ($2,500 for each non-accredited investor, up to $10,000 per investor in a calendar year), but the eligibility requirements are complex and may necessitate bringing hundreds of shareholders on board. The Commission has also warned on-line marketplace lenders that the investments they offer to prospective lenders may be regarded as "securities" for the purpose of securities legislation and accordingly attract onerous registration and prospectus requirements unless an exemption is available.5 Currently there are no exemptions specifically tailored to on-line lending.

In addition, each province has in place detailed requirements under consumer protection legislation mandating disclosure of the cost of borrowing (such as the "annual percentage rate") for consumer loans. These requirements apply to all lenders in this sector, not just financial institutions or finance companies as such. Any on-line lender making loans to consumers would be bound by these complex laws regardless of the electronic medium.

Third-Party Outsourcing Relationships

Building in-house tech solutions is expensive, increasingly pushing financial institutions to outsource their IT functions. With this, however, comes the danger of data leaks and the difficulty of engaging with companies that lack the tools to handle information responsibly. The federal Office of the Superintendant of Financial Institutions has issued guidelines6 on outsourcing business activities and functions for federally-regulated financial institutions, which provide that the entity retains ultimate accountability.

Next Steps in Regulation

While the FinTech regulatory ecosystem is still in its infancy, it won't stay that way for long. The Canadian government will soon be fostering innovation in existing and start-up companies, while remaining cognizant of their role in providing regulatory protection to end-consumers of FinTech products. Although regulatory compliance can be costly for companies, clarifying applicable legislation and who it applies to, may be useful in long-term. Online payment methods and anti-money laundering are just two of many areas where we are likely to see–or are already seeing– considerable development.

Payments

Consumers are increasingly turning to mobile apps and online platforms to transfer funds, transforming existing payment infrastructures. In Canada, consumers are protected by provincial consumer protection laws and by the policies and business practices of the company, but in the absence of federal regulation, provinces and services providers are inconsistent in their regulation. In the retail payment space, existing rules and regulation have focused on the nature of the provider (i.e., a federally regulated financial institution is subject to different regulations than to a non-financial institution) rather than on the service provided (e.g., both entities may hold or transfer funds on behalf of consumers). In a recent consultation paper Payments Canada noted that stakeholders have called for "organization-agnostic oversight rules, applied consistently based on activity" for the payments system.7 Adopting this recommendation may provide better protection for system participants and end users through enhanced consistency of rules, regardless of the service provider.

Anti-Money Laundering

A significant consideration for financial service regulators will be enhanced protection against money laundering risk. Because FinTech companies may not be directly regulated by traditional regulators, compliance with AML legislation may be inconsistent or non-existent. Many FinTech companies do not have the infrastructure in place or the requisite expertise to adequately investigate users and trace funds. With the increasing use of platforms that facilitate payments and movements of money with more speed and greater anonymity, FinTech companies and those using financial technology will likely come under greater scrutiny to ensure that they have taken adequate steps to mitigate . money laundering risk. It is critical that financial services providers understand the extent to which they are subject to AML regulation and how to comply.

On June 17, 2016 the federal Department of Finance released amendments to regulations under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act that were published on June 29.8 The new regulations make material changes in the areas of client identification and verification, especially for clients who are not physically present, and the adoption of electronic signatures. These changes should make processes such as on-line customer onboarding faster, more seamless and much less dependent on paper documents, thereby fostering growth and innovation in the FinTech space. By the same token, they also serve as a reminder that FinTech companies are not flying under the regulatory radar.

Alternative Approaches to Regulation and Innovation: Sandboxes and Hubs

Some jurisdictions. notably the U.K., Australia and Singapore, have implemented an innovative approach to regulating FinTech service providers that could serve as a model for similar initiatives federally and provincially in Canada, known as the "regulatory sandbox".9 In this model, qualified entrants are permitted to offer innovative products and services to a select subset of end users to allow them to test the waters without fear of regulatory sanctions. Often regulators will issue no-action letters, confirming that the rules are suspended for a specified period. Once the start-up is established, it leaves the "sandbox" and complies with the general regulatory regime in the "real world".

The U.S. Office of the Comptroller of the Currency recently issued a white paper10 supporting reasonable financial innovation based on eight core principles. The Consumer Financial Protection Bureau proposed a "no-action letter" policy that bears some similarity to the regulatory sandbox approach. In the UK, the Government Chief Scientific Advisor has issued a FinTech Futures Report that makes 10 key recommendations for government to contribute to and support the evolution of FinTech.

Another promising approach that Canadian regulators might consider to adopt more widely is the "innovation hub" that offers start-ups dedicated teams to help them navigate the regulatory landscape and obtain the necessary approvals.

These novel approaches show that regulators can do more than apply the brakes to FinTech innovation; they can also put their feet to the accelerator.