Use the Lexology Navigator tool to compare the answers in this article with those from 20+ other jurisdictions.

Regulatory issues

Regulatory approach

How would you describe the regulatory policy for fintech products and services in your jurisdiction?

The current regulatory approach to fintech products and services in Canada is supportive, with an emphasis on collaboration between industry participants and regulators.

The Canadian government and its provincial counterparts have also been highly supportive of research and development of artificial intelligence (AI), blockchain and other innovative technologies, particularly in the AI-hubs of Toronto and Montreal. The Quebec government has earmarked C$100 million over five years for the development of an AI ‘super-cluster’ in the Montreal area. Additional academic and local government funding initiatives are multiplying across the country.

Have any fintech-specific laws or regulations been enacted in your jurisdiction? Are any envisaged?

Generally, Canadian securities laws – particularly the prospectus requirement and dealer and adviser registration requirements – may apply to businesses operating in the fintech space, depending on their classification. While no securities laws or regulations have been enacted, the Canadian Securities Administrators (CSA) issued Staff Notice 46-307 ‘Cryptocurrency Offerings’ in 2017. This advisory notice provides guidance on the application of Canadian securities laws to:

  • cryptocurrency exchanges;
  • cryptocurrency offerings, including initial coin offerings (ICOs) and initial token offerings (ITOs); and
  • cryptocurrency investment funds.

Please refer to the more detailed description of the CSA’s position under the ‘Key technologies’ section above.

The British Columbia Securities Commission Fintech Consultation also seeks industry input on potential measures to clarify and modernise British Colombia securities laws in five key fintech areas.

With cryptocurrency futures contracts beginning to trade on certain futures exchanges in December 2017, the Investment Industry Regulatory Organization of Canada (IIROC) published greater margin requirements for cryptocurrency contracts traded on commodity futures exchanges.

 Canada also became one of the first countries in the world to enact legislation on digital currencies. In 2014, amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (Anti-money Laundering Act) included new requirements for money services businesses dealing in virtual currencies. However, these amendments are not yet in force and related regulations have not yet been released. Some digital currency businesses are registered with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC). The applicability of the registration requirement in any particular case involves a nuanced analysis and careful review of operations and functionality.

Regulatory authorities

Which government authorities regulate the provision of fintech products and services?

Canada’s provincial and territorial securities regulators are the primary regulators of fintech products and services. A number of other organisations, including the CSA and IIROC, have also developed and published guidance on fintech-related matters.

The following bodies are also involved in the regulation of fintech products and services:

  • FINTRAC, which is Canada’s federal anti-money laundering (AML) authority, which exercises regulatory authority over securities dealers, life insurance companies, brokers and agents, money services businesses and certain other financial businesses. A business providing fintech products and services is required to register with FINTRAC if it is involved in:
    • foreign exchange dealing;
    • money transfers (eg, online money transfer services or digital currency money transmitters);
    • the cashing or selling of money orders, (eg, travellers’ cheques);
    • securities dealing (eg, AI robo-advisers, crowdfunding platforms and lending platforms);
    • life insurance brokerage; or
    • certain other activities.
  • The Office of the Superintendent of Financial Institutions (OSFI), which regulates and supervises federally-regulated financial institutions in Canada, including banks and insurance companies.
  • The Canada Revenue Agency, which is the federal tax collector, in addition to its counterparts at the provincial level.
  • The Bank of Canada, which is Canada’s central bank and actively monitors how new technologies and new players in the fintech sector could affect the financial system and how the bank works to fulfill its core functions. For this reason, the bank closely monitors fintech developments and distributed ledger technologies and is a founding member of the Blockchain Research Institute.

Financial regulatory framework

Which laws and regulations governing the provision of financial services apply to fintech businesses?

The provision of financial services in Canada may be subject to the following laws and regulations, among others:

  • AML legislation, including the federal Anti-money Laundering Act, the Quebec Money-services Businesses Act and related regulations. As noted above, amendments to the federal Anti-money Laundering Act requiring the registration of money services businesses dealing in virtual currencies were adopted in 2014, but are not yet in force;
  • listings and sanctions law, including Part II.1 of the Criminal Code, the Special Economic Measures Act and the United Nations Act;
  • federal banking and insurance laws, including the Bank Act and the Insurance Companies Act;
  • tax laws;
  • consumer protection laws;
  • codes of conduct respecting payment processing; and
  • data protection laws.

Under what conditions are fintech businesses subject to licensing requirements? Are there any exemptions?

Businesses completing ICOs or ITOs may require dealer registration (or an exemption therefrom) if their trades in coins or tokens are considered to be trading in securities for a ‘business purpose’. The CSA has provided examples of how marketing coins or tokens at public events or via the Internet, or to a broad base of retail investors, may trigger the dealer registration requirement. Associated regulations require compliance with know-your-client rules, suitability requirements and cybersecurity risk management protocols, among other things.

The CSA has noted that fintech businesses setting up investment funds to invest in cryptocurrencies should prepare for discussions with regulators with respect to compliance issues, including the need to obtain appropriate registrations as dealer, adviser and investment fund manager in Canada. They should also consider whether they need to be registered as exchanges or alternative trading systems, given the traditional definition of ‘exchange’ or ‘marketplace’ as an entity that brings together multiple buyers and multiple sellers of securities or derivatives. Certain fintech businesses could also be considered investment funds and require registration as such.

Money services businesses (MSBs) must register with FINTRAC and comply with reporting, record keeping, know-your-client and compliance programme requirements. MSBs include entities that deal in:

  • foreign exchange;
  • money transfers;
  • money orders;
  • travellers’ cheques; and
  • similar instruments.

In 2014, the Canadian government amended the Anti-money Laundering Act to create new requirements for money services businesses dealing in virtual currencies, but the changes are not yet in force pending the release of related regulations. Some digital currency businesses are registered with FINTRAC, although this is required only in certain specific situations; whether existing law requires such a registration is a question that, in many cases, can be answered only after a careful review of business operations.

Are any fintech products or services prohibited in your jurisdiction?

Multilateral Instrument 91-102 ‘Prohibition of Binary Options’, which has been adopted in most Canadian jurisdictions, effectively prohibits advertising, offering, selling or otherwise trading a binary option having a term to maturity of less than 30 days with or to an individual, or to a person or company that was created or is used solely to trade a binary option. A companion policy to the instrument extends the prohibition to offers and solicitations through a website or other electronic means.

Data protection and cybersecurity

What rules and regulations govern the processing and transfer (domestic and cross-border) of data relating to fintech products and services?

The processing and transfer of data relating to fintech products and services is restricted by generally applicable privacy laws, as supplemented in certain cases by sector-specific regulation.

There are four applicable general privacy and data protection statutes in Canada: one enacted federally and three enacted by three provinces that have chosen to create their own substantially similar statutory privacy regimes (Alberta, British Columbia and Quebec).

The federal law, the Personal Information Protection and Electronic Documents Act, applies in the first instance to fintech providers that operate within any of the small number of industries that are federally regulated under Canada’s constitution – most notably (in this context) the banking industry. Secondly, the Personal Information Protection and Electronic Documents Act applies to any other commercial organisation that operates wholly within any province that has not enacted its own generally applicable privacy law (currently, all provinces except the three named above). Finally, the act applies with respect to inter-provincial and international disclosures of personal information for consideration, with the result that many national fintech service providers may be subject to the Personal Information Protection and Electronic Documents Act with respect to those disclosures, even if they are located in one of the three provinces that has its own legislation. As this implies, an organisation may be required, in various situations, to comply with more than one of the four pieces of legislation.

Under Canadian privacy laws, organisations generally remain responsible for the appropriate handling of personal information under their custody or control, even where such information has been transferred to domestic or foreign third parties for processing. In such cases, organisations must use contractual and other means to provide a comparable level of protection while the information is in the hands of the third party. Outsourcing organisations are thus obliged to choose vendors with care and, in particular, to ensure that they are contractually bound to comply with appropriate security and confidentiality protocols. Periodic audits of the third party, and of the privacy training provided to third-party personnel, are also required in some circumstances.

Private sector privacy laws generally permit the storage or processing of personal information outside Canada, with consent. For the least sensitive types of personal information, it is often sufficient to obtain implied consent (eg, by posting a notice or including a disclosure in an organisation’s privacy policy indicating that personal information may be transferred outside the country and that it will then be subject to the local laws of that foreign jurisdiction). However, for more sensitive types of personal information, Canadian privacy laws require express consent to such transfers (eg, by means of a signed account agreement or similar document relating to a person’s detailed financial information).

What cybersecurity regulations or standards apply to fintech businesses?

In Canada, cybersecurity laws and regulations were typically established in the context of personal information protection. Perhaps as a consequence of this, they tend not to be particularly prescriptive with respect to data security obligations, but more typically impose a general obligation to protect personal information through the use of security safeguards appropriate to the sensitivity of the information in question. Methods of protection include physical, organisational and technological measures and should safeguard against loss, theft, unauthorised access, disclosure, copying, use and modification. In assessing the adequacy of security measures implemented by an organisation, the privacy commissions often look for an implementation of recognised third-party certification and standards that are appropriate for the organisation’s industry.

With the exception of Alberta’s private sector privacy law, Canadian privacy laws do not currently require mandatory breach notification to affected individuals or impose recording requirements in certain circumstances. However, amendments to PIPEDA (the Personal Information Protection and Electronic Documents Act) require organisations to report certain breaches to the federal Privacy Commissioner and affected individuals and, in addition, to maintain records of certain types of cyber breaches. These amendments have been passed but are not yet in force, pending the finalisation of related regulations.

While there is as yet relatively little specific legislation in this area, Canadian regulators and self-regulatory organisations (including the CSA, IIROC, OSFI and the Mutual Fund Dealers Association (MFDA)) have issued a considerable amount of fintech-specific cybersecurity guidance on cybersecurity best practices, including::

  • corporate cybersecurity policies;
  • incident response plans and reporting;
  • employee cybersecurity training; and
  • risk assessment and management (including vendor risk management).

While non-binding, this guidance is widely followed by the organisations to which it applies.

Nevertheless, unlike many other jurisdictions, Canada has not yet adopted comprehensive cybersecurity rules that legally require financial service companies, including those in the fintech sector, to adopt best practices of the type just described. Other sources of information and protocols include the Canadian Cyber Incident Response Centre (CCIRC). The CCIRC coordinates the prevention and mitigation of, preparedness for, response to and recovery from cyber incidents on non-federal government systems and also provides a range of cybersecurity-related guidelines, security bulletins and technical reports that can be used by fintech companies. In addition, the federal Department of Public Safety and Emergency Preparedness endorses the National Institute for Standards and Technology (NIST) Framework developed by the US Department of Homeland Security and acknowledges the relevance and applicability of the NIST Framework in the Canadian context.

Fintech businesses that are ‘reporting issuers’ (ie, public companies) under Canadian securities legislation are expected and required by the CSA to disclose cybersecurity risks, potential effects of a cybersecurity incident and the governance practices that they have in place to mitigate this type of risk. Registrants (ie, dealers and advisers) are also expected to be vigilant in keeping their cybersecurity measures up to date, including by following IIROC and MFDA guidance. In general, the CSA expects all regulated entities to adopt a cybersecurity framework recommended by a regulatory authority or standard-setting body that is appropriate for entities of their size. Significantly, IIROC has recently proposed rule amendments that could require mandatory reporting of cybersecurity incidents by investment dealers.

Financial crime

What anti-fraud, anti-money laundering or other financial crime regulations govern the provision of fintech products and services?

Under the federal Anti-money Laundering Act, fintech businesses may be subject to registration with FINTRAC. Registered entities must comply with reporting, record keeping, know-your-client and compliance programme requirements. Securities dealers, life insurance companies, brokers and agents, money services businesses and certain other financial businesses are subject to FINTRAC’s registration and financial transactions reporting requirements.

Businesses providing fintech products or services involving foreign exchange dealing, money transfers (eg, online money transfer services and digital currency transmitters) or the cashing or selling of money orders (eg, travellers’ cheques) must register as money services businesses. Businesses providing services similar to securities dealers (eg, AI robo-advisers, crowdfunding platforms and lending platforms), as well as life insurance brokers and those involved in certain other financial businesses may also be subject to registration and reporting requirements.

In 2014, amendments to the Anti-money Laundering Act creating new requirements for money services businesses dealing in virtual currencies were enacted, but they are not yet in force. Even in the absence of those amendments, certain digital currency businesses are registered with FINTRAC, but the existing criteria for registrability are technical and require a careful analysis of each business’s operations.

In Quebec, fintech businesses that fall into the money services business category are also subject to registration with the Autorité des marchés financiers – the regulatory and oversight body for that province’s financial sector.

What precautions should fintech businesses take to ensure compliance with these provisions?

Robust client onboarding and ongoing KYC functions are key to ensuring compliance with anti-money laundering regulations.

Consumer protection

What consumer protection laws and regulations apply to the provision of fintech products and services?

The federal and provincial governments share responsibility for consumer protection. In general, federal laws focus on ensuring consumers a safe, fair and competitive marketplace. In addition to addressing the anti-competitive effects of mergers and other business practices, federal laws govern consumer product safety, packaging and labelling and deceptive marketing practices. The federal government also oversees consumer transactions in certain federally regulated sectors, including financial institutions and wireless services. Provincial and territorial laws focus on the terms on which businesses transact with consumers. The provinces also regulate and require licences from a variety of businesses that deal with consumers, particularly where consumer credit is involved.]


Does the provision of fintech products or services in your jurisdiction raise any particular competition regulatory concerns?

On December 14 2017 Canada’s Competition Bureau published a report entitled ‘Technology-led innovation in the Canadian financial services sector’, which:

  • assessed the effect of fintech innovation on the competitive landscape;
  • identified the barriers to entry and expansion of fintech in Canada; and
  • determined whether regulatory changes may be needed to promote greater competition and innovation in the financial services sector.

The study focused on three broad service categories:

  • retail payments and the retail payments system;
  • lending and equity crowdfunding; and
  • investment dealing and advice.

Cross-border regulation

Are there any particular regulatory issues concerning the cross-border provision of fintech products and services (eg, operating jurisdiction rules and currency controls)?

There are no particular regulatory issues concerning the provision of fintech products and services, in addition to those that would normally apply to other businesses (eg, anti-money laundering and data protection.)

Non-Canadians who acquire control of an existing Canadian business or who wish to establish a new unrelated Canadian business are subject to the Investment Canada Act, which:

provide[s] for the review of significant investments in Canada by non-Canadians in a manner that encourages investment, economic growth and employment opportunities in Canada and to provide for the review of investments in Canada by non-Canadians that could be injurious to national security.”

While financial services businesses are subject to the same significant investment review thresholds as other businesses, no thresholds apply to reviews on national security grounds. While national security reviews only occasionally result in the rejection of a proposed investment, the likelihood of such a review would need to be assessed on a case-by-case basis (eg, a fintech business that uses sensitive technology or has custody of significant personal data).

Click here to view the full article.